Rewrite GitAccess for gitlab-shell v2

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

3 files changed, 33 insertions, 13 deletions

diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index fee0a2788b2..227cea21564 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-1.9.7
+2.0.0
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 5850892df07..86fa149d050 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -34,10 +34,7 @@ module API
           actor,
           params[:action],
           project,
-          params[:ref],
-          params[:oldrev],
-          params[:newrev],
-          params[:forced_push]
+          params[:changes]
         )
       end
 
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 38b3d82e2f4..e75a5a1d62e 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -5,7 +5,7 @@ module Gitlab
 
     attr_reader :params, :project, :git_cmd, :user
 
-    def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false)
+    def allowed?(actor, cmd, project, changes = nil)
       case cmd
       when *DOWNLOAD_COMMANDS
         if actor.is_a? User
@@ -19,12 +19,12 @@ module Gitlab
         end
       when *PUSH_COMMANDS
         if actor.is_a? User
-          push_allowed?(actor, project, ref, oldrev, newrev, forced_push)
+          push_allowed?(actor, project, changes)
         elsif actor.is_a? DeployKey
           # Deploy key not allowed to push
           return false
         elsif actor.is_a? Key
-          push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push)
+          push_allowed?(actor.user, project, changes)
         else
           raise 'Wrong actor'
         end
@@ -41,13 +41,21 @@ module Gitlab
       end
     end
 
-    def push_allowed?(user, project, ref, oldrev, newrev, forced_push)
-      if user && user_allowed?(user)
+    def push_allowed?(user, project, changes)
+      return false unless user && user_allowed?(user)
+      return true if changes.blank?
+
+      changes = changes.lines if changes.kind_of?(String)
+
+      # Iterate over all changes to find if user allowed all of them to be applied
+      changes.each do |change|
+        oldrev, newrev, ref = changes.split('')
+
         action = if project.protected_branch?(ref)
                    # we dont allow force push to protected branch
-                   if forced_push.to_s == 'true'
+                   if forced_push?(oldrev, newrev)
                      :force_push_code_to_protected_branches
-                   # and we dont allow remove of protected branch
+                     # and we dont allow remove of protected branch
                    elsif newrev =~ /0000000/
                      :remove_protected_branches
                    else
@@ -59,7 +67,22 @@ module Gitlab
                  else
                    :push_code
                  end
-        user.can?(action, project)
+        unless user.can?(action, project)
+          # If user does not have access to make at least one change - cancel all push
+          return false
+        end
+      end
+
+      # If user has access to make all changes
+      true
+    end
+
+    def forced_push?(oldrev, newrev)
+      return false if project.empty_repo?
+
+      if oldrev !~ /00000000/ && newrev !~ /00000000/
+        missed_refs = IO.popen(%W(git --git-dir=#{project.repository.path_to_repo} rev-list #{oldrev} ^#{newrev})).read
+        missed_refs.split("\n").size > 0
       else
         false
       end