debian-mirror-gitlab/app/controllers/concerns/lfs_request.rb

# frozen_string_literal: true

# This concern assumes:
# - a `#project` accessor
# - a `#user` accessor
# - a `#authentication_result` accessor
# - a `#can?(object, action, subject)` method
# - a `#ci?` method
# - a `#download_request?` method
# - a `#upload_request?` method
# - a `#has_authentication_ability?(ability)` method
module LfsRequest
  extend ActiveSupport::Concern

  CONTENT_TYPE = 'application/vnd.git-lfs+json'

  included do
    before_action :require_lfs_enabled!
    before_action :lfs_check_access!
  end

  private

  def require_lfs_enabled!
    return if Gitlab.config.lfs.enabled

    render(
      json: {
        message: _('Git LFS is not enabled on this GitLab server, contact your admin.'),
        documentation_url: help_url
      },
      status: :not_implemented
    )
  end

  def lfs_check_access!
    return render_lfs_not_found unless project
    return if download_request? && lfs_download_access?
    return if upload_request? && lfs_upload_access?

    if project.public? || can?(user, :read_project, project)
      lfs_forbidden!
    else
      render_lfs_not_found
    end
  end

  def lfs_forbidden!
    render_lfs_forbidden
  end

  def render_lfs_forbidden
    render(
      json: {
        message: _('Access forbidden. Check your access level.'),
        documentation_url: help_url
      },
      content_type: CONTENT_TYPE,
      status: 403
    )
  end

  def render_lfs_not_found
    render(
      json: {
        message: _('Not found.'),
        documentation_url: help_url
      },
      content_type: CONTENT_TYPE,
      status: 404
    )
  end

  def lfs_download_access?
    return false unless project.lfs_enabled?

    ci? || lfs_deploy_token? || user_can_download_code? || build_can_download_code? || deploy_token_can_download_code?
  end

  def deploy_token_can_download_code?
    deploy_token_present? &&
      deploy_token.project == project &&
      deploy_token.active? &&
      deploy_token.read_repository?
  end

  def deploy_token_present?
    user && user.is_a?(DeployToken)
  end

  def deploy_token
    user
  end

  def lfs_upload_access?
    return false unless project.lfs_enabled?
    return false unless has_authentication_ability?(:push_code)
    return false if limit_exceeded?

    lfs_deploy_token? || can?(user, :push_code, project)
  end

  def lfs_deploy_token?
    authentication_result.lfs_deploy_token?(project)
  end

  def user_can_download_code?
    has_authentication_ability?(:download_code) && can?(user, :download_code, project) && !deploy_token_present?
  end

  def build_can_download_code?
    has_authentication_ability?(:build_download_code) && can?(user, :build_download_code, project)
  end

  def storage_project
    @storage_project ||= project.lfs_storage_project
  end

  def objects
    @objects ||= (params[:objects] || []).to_a
  end

  def has_authentication_ability?(capability)
    (authentication_abilities || []).include?(capability)
  end

  # Overridden in EE
  def limit_exceeded?
    false
  end
end

LfsRequest.prepend_if_ee('EE::LfsRequest')
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`# frozen_string_literal: true`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`# This concern assumes:`
			# - a `#project` accessor
			# - a `#user` accessor
			# - a `#authentication_result` accessor
			# - a `#can?(object, action, subject)` method
			# - a `#ci?` method
			# - a `#download_request?` method
			# - a `#upload_request?` method
			# - a `#has_authentication_ability?(ability)` method
			`module LfsRequest`
			`extend ActiveSupport::Concern`

New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`CONTENT_TYPE = 'application/vnd.git-lfs+json'`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`included do`
			`before_action :require_lfs_enabled!`
			`before_action :lfs_check_access!`
			`end`

			`private`
New upstream version 8.13.6+dfsg1 2016-11-24 13:41:30 +05:30
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`def require_lfs_enabled!`
			`return if Gitlab.config.lfs.enabled`

			`render(`
			`json: {`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`message: _('Git LFS is not enabled on this GitLab server, contact your admin.'),`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`documentation_url: help_url`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`},`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`status: :not_implemented`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`)`
			`end`

			`def lfs_check_access!`
New upstream version 12.2.9 2019-10-31 01:37:42 +05:30			`return render_lfs_not_found unless project`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`return if download_request? && lfs_download_access?`
			`return if upload_request? && lfs_upload_access?`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`if project.public? \|\| can?(user, :read_project, project)`
			`lfs_forbidden!`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`else`
			`render_lfs_not_found`
			`end`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def lfs_forbidden!`
			`render_lfs_forbidden`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

			`def render_lfs_forbidden`
			`render(`
			`json: {`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`message: _('Access forbidden. Check your access level.'),`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`documentation_url: help_url`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`},`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`content_type: CONTENT_TYPE,`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`status: 403`
			`)`
			`end`

			`def render_lfs_not_found`
			`render(`
			`json: {`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`message: _('Not found.'),`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`documentation_url: help_url`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`},`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`content_type: CONTENT_TYPE,`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`status: 404`
			`)`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def lfs_download_access?`
			`return false unless project.lfs_enabled?`

New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`ci? \|\| lfs_deploy_token? \|\| user_can_download_code? \|\| build_can_download_code? \|\| deploy_token_can_download_code?`
			`end`

			`def deploy_token_can_download_code?`
			`deploy_token_present? &&`
			`deploy_token.project == project &&`
			`deploy_token.active? &&`
			`deploy_token.read_repository?`
			`end`

			`def deploy_token_present?`
			`user && user.is_a?(DeployToken)`
			`end`

			`def deploy_token`
			`user`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`

			`def lfs_upload_access?`
			`return false unless project.lfs_enabled?`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`return false unless has_authentication_ability?(:push_code)`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`return false if limit_exceeded?`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`lfs_deploy_token? \|\| can?(user, :push_code, project)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`

			`def lfs_deploy_token?`
			`authentication_result.lfs_deploy_token?(project)`
			`end`

			`def user_can_download_code?`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`has_authentication_ability?(:download_code) && can?(user, :download_code, project) && !deploy_token_present?`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`

			`def build_can_download_code?`
			`has_authentication_ability?(:build_download_code) && can?(user, :build_download_code, project)`
			`end`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`def storage_project`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`@storage_project \|\|= project.lfs_storage_project`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`def objects`
			`@objects \|\|= (params[:objects] \|\| []).to_a`
			`end`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
			`def has_authentication_ability?(capability)`
			`(authentication_abilities \|\| []).include?(capability)`
			`end`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`# Overridden in EE`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`def limit_exceeded?`
			`false`
			`end`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30
			`LfsRequest.prepend_if_ee('EE::LfsRequest')`