Commit f18a714f357405a87031250f4350343ae54d528f

Authored by Dmitriy Zaporozhets
1 parent 19c28822

Use GitAccess in internal api

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Showing 1 changed file with 19 additions and 41 deletions
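--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -1,16 +1,12 @@
 module API
 # Internal access API
 class Internal < Grape::API
-
-DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
-PUSH_COMMANDS = %w{ git-receive-pack }
-
 namespace 'internal' do
-#
-# Check if ssh key has access to project code
+# Check if git command is allowed to project
 #
 # Params:
-# key_id - SSH Key id
+# key_id - ssh key id for Git over SSH
+# user_id - user id for Git over HTTP
 # project - project path with namespace
 # action - git action (git-upload-pack or git-receive-pack)
 # ref - branch name
@@ -22,43 +18,25 @@ module API
 # the wiki repository as well.
 project_path = params[:project]
 project_path.gsub!(/\.wiki/,'') if project_path =~ /\.wiki/
-
-key = Key.find(params[:key_id])
 project = Project.find_with_namespace(project_path)
-git_cmd = params[:action]
 return false unless project
 
-
-if key.is_a? DeployKey
-key.projects.include?(project) && DOWNLOAD_COMMANDS.include?(git_cmd)
-else
-user = key.user
-
-return false if user.blocked?
-
-if Gitlab.config.ldap.enabled
-if user.ldap_user?
-# Check if LDAP user exists and match LDAP user_filter
-unless Gitlab::LDAP::Access.new.allowed?(user)
-return false
-end
-end
-end
-
-action = case git_cmd
-when *DOWNLOAD_COMMANDS
-then :download_code
-when *PUSH_COMMANDS
-then
-if project.protected_branch?(params[:ref])
-:push_code_to_protected_branches
-else
-:push_code
-end
-end
-
-user.can?(action, project)
-end
+actor = if params[:key_id]
+Key.find(params[:key_id])
+elsif params[:user_id]
+User.find(params[:user_id])
+end
+
+return false unless actor
+
+Gitlab::GitAccess.new.allowed?(
+actor,
+params[:action],
+project,
+params[:ref],
+params[:oldrev],
+params[:newrev]
+)
 end
 
 #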
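Review bot: The `actor` lookup at new lines 24-28 accepts a caller-supplied `user_id` as the identity to authorize, so the decision is only as trustworthy as whatever authenticates callers of the `internal` namespace; that is not visible in this section and should be confirmed before Git over HTTP relies on it. `Key.find` and `User.find` raise on an unknown id, so `return false unless actor` only covers a request that sends neither parameter; if a plain denial is intended for unknown ids, `Key.find_by_id(params[:key_id])` and `User.find_by_id(params[:user_id])` would make the guard effective. The removed inline checks (blocked user, LDAP filter, deploy keys limited to download commands, protected branches) now rest entirely on `Gitlab::GitAccess#allowed?`, which is defined outside this diff, so a request spec per denial case would be worth adding alongside this change. The Params comment should also list `oldrev` and `newrev`, which are passed to `allowed?` but are not documented. The route block that contains these lines opens outside the hunk.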