add gitlab-shell identification

author: Valery Sizov <valery@gitlab.com> 2014-10-15 18:26:15 +0300
committer: Valery Sizov <valery@gitlab.com> 2014-10-15 20:03:25 +0300
commit: b5763e91cdeaba55b3c426129ba3c4f9638c5eb1 (patch)
tree: 942dddd23f2e8f4738b27aeb25bfe72ea928e852
parent: f7342ce56764aaf6465bca74239955778c25107b (diff)
download: gitlab-ce-b5763e91cdeaba55b3c426129ba3c4f9638c5eb1.tar.gz
6 files changed, 42 insertions, 6 deletions
diff --git a/.gitignore b/.gitignore
index 4f778371512..2c6b65b7b7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ public/assets/
 .envrc
 dump.rdb
 tags
+.gitlab_shell_secret
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index 38f77a65b30..e9307ca5751 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-2.0.1
+2.0.2
diff --git a/config/initializers/gitlab_shell_secret_token.rb b/config/initializers/gitlab_shell_secret_token.rb
new file mode 100644
index 00000000000..8d2b771e535
--- /dev/null
+++ b/config/initializers/gitlab_shell_secret_token.rb
@@ -0,0 +1,19 @@
+# Be sure to restart your server when you modify this file.
+
+require 'securerandom'
+
+# Your secret key for verifying the gitlab_shell.
+
+
+secret_file = Rails.root.join('.gitlab_shell_secret')
+gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
+
+unless File.exist? secret_file
+  # Generate a new token of 16 random hexadecimal characters and store it in secret_file.
+  token = SecureRandom.hex(16)
+  File.write(secret_file, token)
+end
+
+if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
+  FileUtils.symlink(secret_file, gitlab_shell_symlink)
+end
+\ No newline at end of file
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 3262884f6d3..027fb20ec46 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -67,6 +67,10 @@ module API
       unauthorized! unless current_user
     end
 
+    def authenticate_by_gitlab_shell_token!
+      unauthorized! unless secret_token == params['secret_token']
+    end
+
     def authenticated_as_admin!
       forbidden! unless current_user.is_admin?
     end
@@ -193,5 +197,9 @@ module API
                        abilities
                      end
     end
+
+    def secret_token
+      File.read(Rails.root.join('.gitlab_shell_secret'))
+    end
   end
 end
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 9ac659f50fd..ebf2296097d 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -1,6 +1,10 @@
 module API
   # Internal access API
   class Internal < Grape::API
+    before {
+      authenticate_by_gitlab_shell_token!
+    }
+
     namespace 'internal' do
       # Check if git command is allowed to project
       #
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index 6df5ef38961..677b1494041 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -5,10 +5,11 @@ describe API::API, api: true  do
   let(:user) { create(:user) }
   let(:key) { create(:key, user: user) }
   let(:project) { create(:project) }
+  let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
 
   describe "GET /internal/check", no_db: true do
     it do
-      get api("/internal/check")
+      get api("/internal/check"), secret_token: secret_token
 
       response.status.should == 200
       json_response['api_version'].should == API::API.version
@@ -17,7 +18,7 @@ describe API::API, api: true  do
 
   describe "GET /internal/discover" do
     it do
-      get(api("/internal/discover"), key_id: key.id)
+      get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)
 
       response.status.should == 200
 
@@ -159,7 +160,8 @@ describe API::API, api: true  do
       api("/internal/allowed"),
       key_id: key.id,
       project: project.path_with_namespace,
-      action: 'git-upload-pack'
+      action: 'git-upload-pack',
+      secret_token: secret_token
     )
   end
 
@@ -169,7 +171,8 @@ describe API::API, api: true  do
       changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
       key_id: key.id,
       project: project.path_with_namespace,
-      action: 'git-receive-pack'
+      action: 'git-receive-pack',
+      secret_token: secret_token
     )
   end
 
@@ -179,7 +182,8 @@ describe API::API, api: true  do
       ref: 'master',
       key_id: key.id,
       project: project.path_with_namespace,
-      action: 'git-upload-archive'
+      action: 'git-upload-archive',
+      secret_token: secret_token
     )
   end
 end
author	Valery Sizov <valery@gitlab.com>	2014-10-15 18:26:15 +0300
committer	Valery Sizov <valery@gitlab.com>	2014-10-15 20:03:25 +0300
commit	b5763e91cdeaba55b3c426129ba3c4f9638c5eb1 (patch)
tree	942dddd23f2e8f4738b27aeb25bfe72ea928e852
parent	f7342ce56764aaf6465bca74239955778c25107b (diff)
download	gitlab-ce-b5763e91cdeaba55b3c426129ba3c4f9638c5eb1.tar.gz