debian-mirror-gitlab/lib/api/internal.rb

module API
  # Internal access API
  class Internal < Grape::API
    before { authenticate_by_gitlab_shell_token! }

    helpers ::API::Helpers::InternalHelpers
    helpers ::Gitlab::Identifier

    namespace 'internal' do
      # Check if git command is allowed to project
      #
      # Params:
      #   key_id - ssh key id for Git over SSH
      #   user_id - user id for Git over HTTP
      #   protocol - Git access protocol being used, e.g. HTTP or SSH
      #   project - project full_path (not path on disk)
      #   action - git action (git-upload-pack or git-receive-pack)
      #   changes - changes as "oldrev newrev ref", see Gitlab::ChangesList
      post "/allowed" do
        status 200

        # Stores some Git-specific env thread-safely
        env = parse_env
        env = fix_git_env_repository_paths(env, repository_path) if project
        Gitlab::Git::Env.set(env)

        actor =
          if params[:key_id]
            Key.find_by(id: params[:key_id])
          elsif params[:user_id]
            User.find_by(id: params[:user_id])
          end

        protocol = params[:protocol]

        actor.update_last_used_at if actor.is_a?(Key)
        user =
          if actor.is_a?(Key)
            actor.user
          else
            actor
          end

        access_checker_klass = wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess
        access_checker = access_checker_klass.new(actor, project,
          protocol, authentication_abilities: ssh_authentication_abilities,
                    namespace_path: namespace_path, project_path: project_path,
                    redirected_path: redirected_path)

        begin
          access_checker.check(params[:action], params[:changes])
          @project ||= access_checker.project
        rescue Gitlab::GitAccess::UnauthorizedError, Gitlab::GitAccess::NotFoundError => e
          return { status: false, message: e.message }
        end

        log_user_activity(actor)

        {
          status: true,
          gl_repository: gl_repository,
          gl_username: user&.username,
          repository_path: repository_path,
          gitaly: gitaly_payload(params[:action])
        }
      end

      post "/lfs_authenticate" do
        status 200

        key = Key.find(params[:key_id])
        key.update_last_used_at

        token_handler = Gitlab::LfsToken.new(key)

        {
          username: token_handler.actor_name,
          lfs_token: token_handler.token,
          repository_http_path: project.http_url_to_repo
        }
      end

      get "/merge_request_urls" do
        merge_request_urls
      end

      #
      # Get a ssh key using the fingerprint
      #
      get "/authorized_keys" do
        fingerprint = params.fetch(:fingerprint) do
          Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint
        end
        key = Key.find_by(fingerprint: fingerprint)
        not_found!("Key") if key.nil?
        present key, with: Entities::SSHKey
      end

      #
      # Discover user by ssh key or user id
      #
      get "/discover" do
        if params[:key_id]
          key = Key.find(params[:key_id])
          user = key.user
        elsif params[:user_id]
          user = User.find_by(id: params[:user_id])
        end

        present user, with: Entities::UserSafe
      end

      get "/check" do
        {
          api_version: API.version,
          gitlab_version: Gitlab::VERSION,
          gitlab_rev: Gitlab::REVISION,
          redis: redis_ping
        }
      end

      get "/broadcast_messages" do
        if messages = BroadcastMessage.current
          present messages, with: Entities::BroadcastMessage
        else
          []
        end
      end

      get "/broadcast_message" do
        if message = BroadcastMessage.current&.last
          present message, with: Entities::BroadcastMessage
        else
          {}
        end
      end

      post '/two_factor_recovery_codes' do
        status 200

        key = Key.find_by(id: params[:key_id])

        if key
          key.update_last_used_at
        else
          return { 'success' => false, 'message' => 'Could not find the given key' }
        end

        if key.is_a?(DeployKey)
          return { success: false, message: 'Deploy keys cannot be used to retrieve recovery codes' }
        end

        user = key.user

        unless user
          return { success: false, message: 'Could not find a user for the given key' }
        end

        unless user.two_factor_enabled?
          return { success: false, message: 'Two-factor authentication is not enabled for this user' }
        end

        codes = nil

        ::Users::UpdateService.new(current_user, user: user).execute! do |user|
          codes = user.generate_otp_backup_codes!
        end

        { success: true, recovery_codes: codes }
      end

      post '/pre_receive' do
        status 200

        reference_counter_increased = Gitlab::ReferenceCounter.new(params[:gl_repository]).increase

        { reference_counter_increased: reference_counter_increased }
      end

      post "/notify_post_receive" do
        status 200

        # TODO: Re-enable when Gitaly is processing the post-receive notification
        # return unless Gitlab::GitalyClient.enabled?
        #
        # begin
        #   repository = wiki? ? project.wiki.repository : project.repository
        #   Gitlab::GitalyClient::NotificationService.new(repository.raw_repository).post_receive
        # rescue GRPC::Unavailable => e
        #   render_api_error!(e, 500)
        # end
      end

      post '/post_receive' do
        status 200
        PostReceive.perform_async(params[:gl_repository], params[:identifier],
          params[:changes])
        broadcast_message = BroadcastMessage.current&.last&.message
        reference_counter_decreased = Gitlab::ReferenceCounter.new(params[:gl_repository]).decrease

        output = {
          merge_request_urls: merge_request_urls,
          broadcast_message: broadcast_message,
          reference_counter_decreased: reference_counter_decreased
        }

        project = Gitlab::GlRepository.parse(params[:gl_repository]).first
        user = identify(params[:identifier])

        # A user is not guaranteed to be returned; an orphaned write deploy
        # key could be used
        if user
          redirect_message = Gitlab::Checks::ProjectMoved.fetch_message(user.id, project.id)
          project_created_message = Gitlab::Checks::ProjectCreated.fetch_message(user.id, project.id)

          output[:redirected_message] = redirect_message if redirect_message
          output[:project_created_message] = project_created_message if project_created_message
        end

        output
      end
    end
  end
end
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`module API`
			`# Internal access API`
			`class Internal < Grape::API`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30			`before { authenticate_by_gitlab_shell_token! }`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`helpers ::API::Helpers::InternalHelpers`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`helpers ::Gitlab::Identifier`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`namespace 'internal' do`
			`# Check if git command is allowed to project`
			`#`
			`# Params:`
			`# key_id - ssh key id for Git over SSH`
			`# user_id - user id for Git over HTTP`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`# protocol - Git access protocol being used, e.g. HTTP or SSH`
New upstream version 10.6.0+dfsg 2018-03-27 19:54:05 +05:30			`# project - project full_path (not path on disk)`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`# action - git action (git-upload-pack or git-receive-pack)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`# changes - changes as "oldrev newrev ref", see Gitlab::ChangesList`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30			`post "/allowed" do`
			`status 200`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`# Stores some Git-specific env thread-safely`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`env = parse_env`
			`env = fix_git_env_repository_paths(env, repository_path) if project`
			`Gitlab::Git::Env.set(env)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`actor =`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30			`if params[:key_id]`
			`Key.find_by(id: params[:key_id])`
			`elsif params[:user_id]`
			`User.find_by(id: params[:user_id])`
			`end`

Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`protocol = params[:protocol]`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`actor.update_last_used_at if actor.is_a?(Key)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`user =`
			`if actor.is_a?(Key)`
			`actor.user`
			`else`
			`actor`
			`end`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`access_checker_klass = wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`access_checker = access_checker_klass.new(actor, project,`
			`protocol, authentication_abilities: ssh_authentication_abilities,`
			`namespace_path: namespace_path, project_path: project_path,`
			`redirected_path: redirected_path)`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
			`begin`
			`access_checker.check(params[:action], params[:changes])`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`@project \|\|= access_checker.project`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`rescue Gitlab::GitAccess::UnauthorizedError, Gitlab::GitAccess::NotFoundError => e`
			`return { status: false, message: e.message }`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`log_user_activity(actor)`

			`{`
			`status: true,`
			`gl_repository: gl_repository,`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`gl_username: user&.username,`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`repository_path: repository_path,`
			`gitaly: gitaly_payload(params[:action])`
			`}`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`

New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`post "/lfs_authenticate" do`
			`status 200`

			`key = Key.find(params[:key_id])`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`key.update_last_used_at`

New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`token_handler = Gitlab::LfsToken.new(key)`

			`{`
			`username: token_handler.actor_name,`
New upstream version 8.12.3+dfsg1 2016-10-01 15:18:49 +05:30			`lfs_token: token_handler.token,`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`repository_http_path: project.http_url_to_repo`
			`}`
			`end`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`get "/merge_request_urls" do`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`merge_request_urls`
			`end`

			`#`
			`# Get a ssh key using the fingerprint`
			`#`
			`get "/authorized_keys" do`
			`fingerprint = params.fetch(:fingerprint) do`
			`Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint`
			`end`
			`key = Key.find_by(fingerprint: fingerprint)`
			`not_found!("Key") if key.nil?`
			`present key, with: Entities::SSHKey`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`end`

Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`#`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`# Discover user by ssh key or user id`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`#`
			`get "/discover" do`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`if params[:key_id]`
			`key = Key.find(params[:key_id])`
			`user = key.user`
			`elsif params[:user_id]`
			`user = User.find_by(id: params[:user_id])`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`present user, with: Entities::UserSafe`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`

			`get "/check" do`
			`{`
			`api_version: API.version,`
			`gitlab_version: Gitlab::VERSION,`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`gitlab_rev: Gitlab::REVISION,`
			`redis: redis_ping`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`}`
			`end`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`get "/broadcast_messages" do`
			`if messages = BroadcastMessage.current`
			`present messages, with: Entities::BroadcastMessage`
			`else`
			`[]`
			`end`
			`end`

Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30			`get "/broadcast_message" do`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`if message = BroadcastMessage.current&.last`
Imported Upstream version 7.10.0 2015-04-26 12:48:37 +05:30			`present message, with: Entities::BroadcastMessage`
			`else`
			`{}`
			`end`
			`end`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
			`post '/two_factor_recovery_codes' do`
			`status 200`

			`key = Key.find_by(id: params[:key_id])`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`if key`
			`key.update_last_used_at`
			`else`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`return { 'success' => false, 'message' => 'Could not find the given key' }`
			`end`

			`if key.is_a?(DeployKey)`
			`return { success: false, message: 'Deploy keys cannot be used to retrieve recovery codes' }`
			`end`

			`user = key.user`

			`unless user`
			`return { success: false, message: 'Could not find a user for the given key' }`
			`end`

			`unless user.two_factor_enabled?`
			`return { success: false, message: 'Two-factor authentication is not enabled for this user' }`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`codes = nil`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`::Users::UpdateService.new(current_user, user: user).execute! do \|user\|`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`codes = user.generate_otp_backup_codes!`
			`end`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
			`{ success: true, recovery_codes: codes }`
			`end`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`post '/pre_receive' do`
			`status 200`

			`reference_counter_increased = Gitlab::ReferenceCounter.new(params[:gl_repository]).increase`

			`{ reference_counter_increased: reference_counter_increased }`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`post "/notify_post_receive" do`
			`status 200`

			`# TODO: Re-enable when Gitaly is processing the post-receive notification`
			`# return unless Gitlab::GitalyClient.enabled?`
			`#`
			`# begin`
			`# repository = wiki? ? project.wiki.repository : project.repository`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`# Gitlab::GitalyClient::NotificationService.new(repository.raw_repository).post_receive`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`# rescue GRPC::Unavailable => e`
			`# render_api_error!(e, 500)`
			`# end`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`post '/post_receive' do`
			`status 200`
			`PostReceive.perform_async(params[:gl_repository], params[:identifier],`
			`params[:changes])`
			`broadcast_message = BroadcastMessage.current&.last&.message`
			`reference_counter_decreased = Gitlab::ReferenceCounter.new(params[:gl_repository]).decrease`

			`output = {`
			`merge_request_urls: merge_request_urls,`
			`broadcast_message: broadcast_message,`
			`reference_counter_decreased: reference_counter_decreased`
			`}`

			`project = Gitlab::GlRepository.parse(params[:gl_repository]).first`
			`user = identify(params[:identifier])`

			`# A user is not guaranteed to be returned; an orphaned write deploy`
			`# key could be used`
			`if user`
			`redirect_message = Gitlab::Checks::ProjectMoved.fetch_message(user.id, project.id)`
			`project_created_message = Gitlab::Checks::ProjectCreated.fetch_message(user.id, project.id)`

			`output[:redirected_message] = redirect_message if redirect_message`
			`output[:project_created_message] = project_created_message if project_created_message`
			`end`

			`output`
			`end`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`
			`end`
			`end`