debian-mirror-gitlab/app/controllers/projects/git_http_client_controller.rb

122 lines
3.3 KiB
Ruby
Raw Normal View History

2018-12-05 23:21:45 +05:30
# frozen_string_literal: true
2016-09-13 17:45:13 +05:30
# This file should be identical in GitLab Community Edition and Enterprise Edition
class Projects::GitHttpClientController < Projects::ApplicationController
include ActionController::HttpAuthentication::Basic
include KerberosSpnegoHelper
2017-09-10 17:25:29 +05:30
attr_reader :authentication_result, :redirected_path
2016-09-29 09:46:39 +05:30
delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true
2018-05-09 12:01:36 +05:30
delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result
2016-09-29 09:46:39 +05:30
alias_method :user, :actor
2018-03-17 18:26:18 +05:30
alias_method :authenticated_user, :actor
2016-09-13 17:45:13 +05:30
# Git clients will not know what authenticity token to send along
2019-09-04 21:01:54 +05:30
skip_around_action :set_session_storage
2016-09-13 17:45:13 +05:30
skip_before_action :verify_authenticity_token
skip_before_action :repository
before_action :authenticate_user
private
2017-08-17 22:00:37 +05:30
def download_request?
raise NotImplementedError
end
def upload_request?
raise NotImplementedError
end
2016-09-13 17:45:13 +05:30
def authenticate_user
2016-09-29 09:46:39 +05:30
@authentication_result = Gitlab::Auth::Result.new
2016-09-13 17:45:13 +05:30
if allow_basic_auth? && basic_auth_provided?
login, password = user_name_and_password(request)
2016-09-29 09:46:39 +05:30
if handle_basic_authentication(login, password)
2016-09-13 17:45:13 +05:30
return # Allow access
end
elsif allow_kerberos_spnego_auth? && spnego_provided?
2016-09-29 09:46:39 +05:30
kerberos_user = find_kerberos_user
if kerberos_user
@authentication_result = Gitlab::Auth::Result.new(
kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
2016-09-13 17:45:13 +05:30
send_final_spnego_response
return # Allow access
end
2019-10-12 21:52:04 +05:30
elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)
2016-11-24 13:41:30 +05:30
@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
return # Allow access
2016-09-13 17:45:13 +05:30
end
send_challenges
2018-11-18 11:00:15 +05:30
render plain: "HTTP Basic: Access denied\n", status: :unauthorized
2018-03-17 18:26:18 +05:30
rescue Gitlab::Auth::MissingPersonalAccessTokenError
render_missing_personal_access_token
2016-09-13 17:45:13 +05:30
end
def basic_auth_provided?
has_basic_credentials?(request)
end
def send_challenges
challenges = []
challenges << 'Basic realm="GitLab"' if allow_basic_auth?
challenges << spnego_challenge if allow_kerberos_spnego_auth?
headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
end
def project
2017-09-10 17:25:29 +05:30
parse_repo_path unless defined?(@project)
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
@project
end
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
def parse_repo_path
2019-07-07 11:18:12 +05:30
@project, @repo_type, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:project_id]}")
2016-09-13 17:45:13 +05:30
end
2018-03-17 18:26:18 +05:30
def render_missing_personal_access_token
2016-09-13 17:45:13 +05:30
render plain: "HTTP Basic: Access denied\n" \
2019-07-31 22:56:46 +05:30
"You must use a personal access token with 'read_repository' or 'write_repository' scope for Git over HTTP.\n" \
2016-09-13 17:45:13 +05:30
"You can generate one at #{profile_personal_access_tokens_url}",
2018-11-18 11:00:15 +05:30
status: :unauthorized
2016-09-13 17:45:13 +05:30
end
def repository
2019-07-07 11:18:12 +05:30
repo_type.repository_for(project)
2017-08-17 22:00:37 +05:30
end
def wiki?
2019-07-07 11:18:12 +05:30
repo_type.wiki?
end
def repo_type
parse_repo_path unless defined?(@repo_type)
2017-08-17 22:00:37 +05:30
2019-07-07 11:18:12 +05:30
@repo_type
2016-09-13 17:45:13 +05:30
end
2016-09-29 09:46:39 +05:30
def handle_basic_authentication(login, password)
@authentication_result = Gitlab::Auth.find_for_git_client(
login, password, project: project, ip: request.ip)
2017-09-10 17:25:29 +05:30
@authentication_result.success?
2016-09-29 09:46:39 +05:30
end
2016-09-13 17:45:13 +05:30
def ci?
2016-09-29 09:46:39 +05:30
authentication_result.ci?(project)
end
2019-10-12 21:52:04 +05:30
def http_allowed?
Gitlab::ProtocolAccess.allowed?('http')
end
2016-09-13 17:45:13 +05:30
end