Merge branch 'bvl-external-auth-port' into 'master'

Port `read_cross_project` ability from EE See merge request gitlab-org/gitlab-ce!17208
author: Douwe Maan <douwe@gitlab.com> 2018-02-23 09:14:14 +0000
committer: Douwe Maan <douwe@gitlab.com> 2018-02-23 09:14:14 +0000
commit: f4bc6ec92e2af0b6cfd64f9ff0ca683bf62820d1 (patch)
tree: 9e34a9a071d0c0c5900c0ba37927de4590fa23f9 /lib/gitlab
parent: 0a8aebcb550b705ec5987c6f905eaf5c5abb1cc1 (diff)
parent: 08266ba0a14ec296b51cda6b54d1648985a11adf (diff)
download: gitlab-ce-f4bc6ec92e2af0b6cfd64f9ff0ca683bf62820d1.tar.gz
6 files changed, 235 insertions, 1 deletions
diff --git a/lib/gitlab/contributions_calendar.rb b/lib/gitlab/contributions_calendar.rb
index 0735243e021..9576d5a3fd8 100644
--- a/lib/gitlab/contributions_calendar.rb
+++ b/lib/gitlab/contributions_calendar.rb
@@ -34,6 +34,8 @@ module Gitlab
     end
 
     def events_by_date(date)
+      return Event.none unless can_read_cross_project?
+
       events = Event.contributions.where(author_id: contributor.id)
         .where(created_at: date.beginning_of_day..date.end_of_day)
         .where(project_id: projects)
@@ -53,6 +55,10 @@ module Gitlab
 
     private
 
+    def can_read_cross_project?
+      Ability.allowed?(current_user, :read_cross_project)
+    end
+
     def event_counts(date_from, feature)
       t = Event.arel_table
 
diff --git a/lib/gitlab/cross_project_access.rb b/lib/gitlab/cross_project_access.rb
new file mode 100644
index 00000000000..6eaed51b64c
--- /dev/null
+++ b/lib/gitlab/cross_project_access.rb
@@ -0,0 +1,67 @@
+module Gitlab
+  class CrossProjectAccess
+    class << self
+      delegate :add_check, :find_check, :checks,
+               to: :instance
+    end
+
+    def self.instance
+      @instance ||= new
+    end
+
+    attr_reader :checks
+
+    def initialize
+      @checks = {}
+    end
+
+    def add_check(
+          klass,
+          actions: {},
+          positive_condition: nil,
+          negative_condition: nil,
+          skip: false)
+
+      new_check = CheckInfo.new(actions,
+                                positive_condition,
+                                negative_condition,
+                                skip
+                               )
+
+      @checks[klass] ||= Gitlab::CrossProjectAccess::CheckCollection.new
+      @checks[klass].add_check(new_check)
+      recalculate_checks_for_class(klass)
+
+      @checks[klass]
+    end
+
+    def find_check(object)
+      @cached_checks ||= Hash.new do |cache, new_class|
+        parent_classes = @checks.keys.select { |existing_class| new_class <= existing_class }
+        closest_class = closest_parent(parent_classes, new_class)
+        cache[new_class] = @checks[closest_class]
+      end
+
+      @cached_checks[object.class]
+    end
+
+    private
+
+    def recalculate_checks_for_class(klass)
+      new_collection = @checks[klass]
+
+      @checks.each do |existing_class, existing_check_collection|
+        if existing_class < klass
+          existing_check_collection.add_collection(new_collection)
+        elsif klass < existing_class
+          new_collection.add_collection(existing_check_collection)
+        end
+      end
+    end
+
+    def closest_parent(classes, subject)
+      relevant_ancestors = subject.ancestors & classes
+      relevant_ancestors.first
+    end
+  end
+end
diff --git a/lib/gitlab/cross_project_access/check_collection.rb b/lib/gitlab/cross_project_access/check_collection.rb
new file mode 100644
index 00000000000..88376232065
--- /dev/null
+++ b/lib/gitlab/cross_project_access/check_collection.rb
@@ -0,0 +1,47 @@
+module Gitlab
+  class CrossProjectAccess
+    class CheckCollection
+      attr_reader :checks
+
+      def initialize
+        @checks = []
+      end
+
+      def add_collection(collection)
+        @checks |= collection.checks
+      end
+
+      def add_check(check)
+        @checks << check
+      end
+
+      def should_run?(object)
+        skips, runs = arranged_checks
+
+        # If one rule tells us to skip, we skip the cross project check
+        return false if skips.any? { |check| check.should_skip?(object) }
+
+        # If the rule isn't skipped, we run it if any of the checks says we
+        # should run
+        runs.any? { |check| check.should_run?(object) }
+      end
+
+      def arranged_checks
+        return [@skips, @runs] if @skips && @runs
+
+        @skips = []
+        @runs = []
+
+        @checks.each do |check|
+          if check.skip
+            @skips << check
+          else
+            @runs << check
+          end
+        end
+
+        [@skips, @runs]
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/cross_project_access/check_info.rb b/lib/gitlab/cross_project_access/check_info.rb
new file mode 100644
index 00000000000..e8a845c7f1e
--- /dev/null
+++ b/lib/gitlab/cross_project_access/check_info.rb
@@ -0,0 +1,66 @@
+module Gitlab
+  class CrossProjectAccess
+    class CheckInfo
+      attr_accessor :actions, :positive_condition, :negative_condition, :skip
+
+      def initialize(actions, positive_condition, negative_condition, skip)
+        @actions = actions
+        @positive_condition = positive_condition
+        @negative_condition = negative_condition
+        @skip = skip
+      end
+
+      def should_skip?(object)
+        return !should_run?(object) unless @skip
+
+        skip_for_action = @actions[current_action(object)]
+        skip_for_action = false if @actions[current_action(object)].nil?
+
+        # We need to do the opposite of what was defined in the following cases:
+        # - skip_cross_project_access_check index: true, if: -> { false }
+        # - skip_cross_project_access_check index: true, unless: -> { true }
+        if positive_condition_is_false?(object)
+          skip_for_action = !skip_for_action
+        end
+
+        if negative_condition_is_true?(object)
+          skip_for_action = !skip_for_action
+        end
+
+        skip_for_action
+      end
+
+      def should_run?(object)
+        return !should_skip?(object) if @skip
+
+        run_for_action = @actions[current_action(object)]
+        run_for_action = true if @actions[current_action(object)].nil?
+
+        # We need to do the opposite of what was defined in the following cases:
+        # - requires_cross_project_access index: true, if: -> { false }
+        # - requires_cross_project_access index: true, unless: -> { true }
+        if positive_condition_is_false?(object)
+          run_for_action = !run_for_action
+        end
+
+        if negative_condition_is_true?(object)
+          run_for_action = !run_for_action
+        end
+
+        run_for_action
+      end
+
+      def positive_condition_is_false?(object)
+        @positive_condition && !object.instance_exec(&@positive_condition)
+      end
+
+      def negative_condition_is_true?(object)
+        @negative_condition && object.instance_exec(&@negative_condition)
+      end
+
+      def current_action(object)
+        object.respond_to?(:action_name) ? object.action_name.to_sym : nil
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/cross_project_access/class_methods.rb b/lib/gitlab/cross_project_access/class_methods.rb
new file mode 100644
index 00000000000..90eac94800c
--- /dev/null
+++ b/lib/gitlab/cross_project_access/class_methods.rb
@@ -0,0 +1,48 @@
+module Gitlab
+  class CrossProjectAccess
+    module ClassMethods
+      def requires_cross_project_access(*args)
+        positive_condition, negative_condition, actions = extract_params(args)
+
+        Gitlab::CrossProjectAccess.add_check(
+          self,
+          actions: actions,
+          positive_condition: positive_condition,
+          negative_condition: negative_condition
+        )
+      end
+
+      def skip_cross_project_access_check(*args)
+        positive_condition, negative_condition, actions = extract_params(args)
+
+        Gitlab::CrossProjectAccess.add_check(
+          self,
+          actions: actions,
+          positive_condition: positive_condition,
+          negative_condition: negative_condition,
+          skip: true
+        )
+      end
+
+      private
+
+      def extract_params(args)
+        actions = {}
+        positive_condition = nil
+        negative_condition = nil
+
+        args.each do |argument|
+          if argument.is_a?(Hash)
+            positive_condition = argument.delete(:if)
+            negative_condition = argument.delete(:unless)
+            actions.merge!(argument)
+          else
+            actions[argument] = true
+          end
+        end
+
+        [positive_condition, negative_condition, actions]
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 15eb1c41213..ff4dc29efea 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -65,7 +65,7 @@ module Gitlab
       return false unless can_access_git?
 
       if protected?(ProtectedBranch, project, ref)
-        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
+        return true if project.user_can_push_to_empty_repo?(user)
 
         protected_branch_accessible_to?(ref, action: :push)
       else
author	Douwe Maan <douwe@gitlab.com>	2018-02-23 09:14:14 +0000
committer	Douwe Maan <douwe@gitlab.com>	2018-02-23 09:14:14 +0000
commit	f4bc6ec92e2af0b6cfd64f9ff0ca683bf62820d1 (patch)
tree	9e34a9a071d0c0c5900c0ba37927de4590fa23f9 /lib/gitlab
parent	0a8aebcb550b705ec5987c6f905eaf5c5abb1cc1 (diff)
parent	08266ba0a14ec296b51cda6b54d1648985a11adf (diff)
download	gitlab-ce-f4bc6ec92e2af0b6cfd64f9ff0ca683bf62820d1.tar.gz