debian-mirror-gitlab/app/controllers/projects/git_http_client_controller.rb

# frozen_string_literal: true

# This file should be identical in GitLab Community Edition and Enterprise Edition

class Projects::GitHttpClientController < Projects::ApplicationController
  include ActionController::HttpAuthentication::Basic
  include KerberosSpnegoHelper

  attr_reader :authentication_result, :redirected_path

  delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true
  delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result

  alias_method :user, :actor
  alias_method :authenticated_user, :actor

  # Git clients will not know what authenticity token to send along
  skip_around_action :set_session_storage
  skip_before_action :verify_authenticity_token
  skip_before_action :repository
  before_action :authenticate_user

  private

  def download_request?
    raise NotImplementedError
  end

  def upload_request?
    raise NotImplementedError
  end

  def authenticate_user
    @authentication_result = Gitlab::Auth::Result.new

    if allow_basic_auth? && basic_auth_provided?
      login, password = user_name_and_password(request)

      if handle_basic_authentication(login, password)
        return # Allow access
      end
    elsif allow_kerberos_spnego_auth? && spnego_provided?
      kerberos_user = find_kerberos_user

      if kerberos_user
        @authentication_result = Gitlab::Auth::Result.new(
          kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)

        send_final_spnego_response
        return # Allow access
      end
    elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)

      @authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])

      return # Allow access
    end

    send_challenges
    render plain: "HTTP Basic: Access denied\n", status: :unauthorized
  rescue Gitlab::Auth::MissingPersonalAccessTokenError
    render_missing_personal_access_token
  end

  def basic_auth_provided?
    has_basic_credentials?(request)
  end

  def send_challenges
    challenges = []
    challenges << 'Basic realm="GitLab"' if allow_basic_auth?
    challenges << spnego_challenge if allow_kerberos_spnego_auth?
    headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
  end

  def project
    parse_repo_path unless defined?(@project)

    @project
  end

  def parse_repo_path
    @project, @repo_type, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:project_id]}")
  end

  def render_missing_personal_access_token
    render plain: "HTTP Basic: Access denied\n" \
                  "You must use a personal access token with 'read_repository' or 'write_repository' scope for Git over HTTP.\n" \
                  "You can generate one at #{profile_personal_access_tokens_url}",
           status: :unauthorized
  end

  def repository
    repo_type.repository_for(project)
  end

  def wiki?
    repo_type.wiki?
  end

  def repo_type
    parse_repo_path unless defined?(@repo_type)

    @repo_type
  end

  def handle_basic_authentication(login, password)
    @authentication_result = Gitlab::Auth.find_for_git_client(
      login, password, project: project, ip: request.ip)

    @authentication_result.success?
  end

  def ci?
    authentication_result.ci?(project)
  end

  def http_allowed?
    Gitlab::ProtocolAccess.allowed?('http')
  end
end

Projects::GitHttpClientController.prepend_if_ee('EE::Projects::GitHttpClientController')
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`# frozen_string_literal: true`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`# This file should be identical in GitLab Community Edition and Enterprise Edition`

			`class Projects::GitHttpClientController < Projects::ApplicationController`
			`include ActionController::HttpAuthentication::Basic`
			`include KerberosSpnegoHelper`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`attr_reader :authentication_result, :redirected_path`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
			`delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
			`alias_method :user, :actor`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`alias_method :authenticated_user, :actor`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30
			`# Git clients will not know what authenticity token to send along`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`skip_around_action :set_session_storage`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`skip_before_action :verify_authenticity_token`
			`skip_before_action :repository`
			`before_action :authenticate_user`

			`private`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def download_request?`
			`raise NotImplementedError`
			`end`

			`def upload_request?`
			`raise NotImplementedError`
			`end`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`def authenticate_user`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`@authentication_result = Gitlab::Auth::Result.new`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`if allow_basic_auth? && basic_auth_provided?`
			`login, password = user_name_and_password(request)`

New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`if handle_basic_authentication(login, password)`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`return # Allow access`
			`end`
			`elsif allow_kerberos_spnego_auth? && spnego_provided?`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`kerberos_user = find_kerberos_user`

			`if kerberos_user`
			`@authentication_result = Gitlab::Auth::Result.new(`
			`kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30
			`send_final_spnego_response`
			`return # Allow access`
			`end`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)`

New upstream version 8.13.6+dfsg1 2016-11-24 13:41:30 +05:30			`@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])`

			`return # Allow access`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

			`send_challenges`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`render plain: "HTTP Basic: Access denied\n", status: :unauthorized`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`rescue Gitlab::Auth::MissingPersonalAccessTokenError`
			`render_missing_personal_access_token`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

			`def basic_auth_provided?`
			`has_basic_credentials?(request)`
			`end`

			`def send_challenges`
			`challenges = []`
			`challenges << 'Basic realm="GitLab"' if allow_basic_auth?`
			`challenges << spnego_challenge if allow_kerberos_spnego_auth?`
			`headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?`
			`end`

			`def project`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`parse_repo_path unless defined?(@project)`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`@project`
			`end`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`def parse_repo_path`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`@project, @repo_type, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:project_id]}")`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`def render_missing_personal_access_token`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`render plain: "HTTP Basic: Access denied\n" \`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`"You must use a personal access token with 'read_repository' or 'write_repository' scope for Git over HTTP.\n" \`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`"You can generate one at #{profile_personal_access_tokens_url}",`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`status: :unauthorized`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

			`def repository`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`repo_type.repository_for(project)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`

			`def wiki?`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`repo_type.wiki?`
			`end`

			`def repo_type`
			`parse_repo_path unless defined?(@repo_type)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`@repo_type`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`def handle_basic_authentication(login, password)`
			`@authentication_result = Gitlab::Auth.find_for_git_client(`
			`login, password, project: project, ip: request.ip)`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`@authentication_result.success?`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`end`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`def ci?`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`authentication_result.ci?(project)`
			`end`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
			`def http_allowed?`
			`Gitlab::ProtocolAccess.allowed?('http')`
			`end`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30
			`Projects::GitHttpClientController.prepend_if_ee('EE::Projects::GitHttpClientController')`