diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-27 15:09:24 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-27 15:09:24 +0000 |
commit | f8d15ca65390475e356b06dedc51e10ccd179f86 (patch) | |
tree | ef916d4e8e11c9e00d809e5cdcf63814e86d6e89 /lib/gitlab | |
parent | 3ab4feda4dce9c9f0672375ae27c2f7c2ba6f4ad (diff) | |
download | gitlab-ce-f8d15ca65390475e356b06dedc51e10ccd179f86.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/checks/snippet_check.rb | 34 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 14 | ||||
-rw-r--r-- | lib/gitlab/git_access_snippet.rb | 98 | ||||
-rw-r--r-- | lib/gitlab/user_access.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/user_access_snippet.rb | 49 |
5 files changed, 182 insertions, 15 deletions
diff --git a/lib/gitlab/checks/snippet_check.rb b/lib/gitlab/checks/snippet_check.rb new file mode 100644 index 00000000000..26dd772764a --- /dev/null +++ b/lib/gitlab/checks/snippet_check.rb @@ -0,0 +1,34 @@ +# frozen_string_literal: true + +module Gitlab + module Checks + class SnippetCheck < BaseChecker + ERROR_MESSAGES = { + create_delete_branch: 'You can not create or delete branches.' + }.freeze + + ATTRIBUTES = %i[oldrev newrev ref branch_name tag_name logger].freeze + attr_reader(*ATTRIBUTES) + + def initialize(change, logger:) + @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref) + @branch_name = Gitlab::Git.branch_name(@ref) + @tag_name = Gitlab::Git.tag_name(@ref) + + @logger = logger + @logger.append_message("Running checks for ref: #{@branch_name || @tag_name}") + end + + def exec + if creation? || deletion? + raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_delete_branch] + end + + # TODO: https://gitlab.com/gitlab-org/gitlab/issues/205628 + # Check operation will not result in more than one file in the repository + + true + end + end + end +end diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index d6c87b858a8..45db423187c 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -60,7 +60,6 @@ module Gitlab @logger = Checks::TimedLogger.new(timeout: INTERNAL_TIMEOUT, header: LOG_HEADER) @changes = changes - check_namespace! check_protocol! check_valid_actor! check_active_user! @@ -72,11 +71,7 @@ module Gitlab return custom_action if custom_action check_db_accessibility!(cmd) - - ensure_project_on_push!(cmd, changes) - - check_project_accessibility! - add_project_moved_message! + check_project!(changes, cmd) check_repository_existence! case cmd @@ -113,6 +108,13 @@ module Gitlab private + def check_project!(changes, cmd) + check_namespace! + ensure_project_on_push!(cmd, changes) + check_project_accessibility! + add_project_moved_message! + end + def check_custom_action(cmd) nil end diff --git a/lib/gitlab/git_access_snippet.rb b/lib/gitlab/git_access_snippet.rb index d99b9c3fe89..ff1af9bede4 100644 --- a/lib/gitlab/git_access_snippet.rb +++ b/lib/gitlab/git_access_snippet.rb @@ -2,7 +2,13 @@ module Gitlab class GitAccessSnippet < GitAccess + extend ::Gitlab::Utils::Override + ERROR_MESSAGES = { + authentication_mechanism: 'The authentication mechanism is not supported.', + read_snippet: 'You are not allowed to read this snippet.', + update_snippet: 'You are not allowed to update this snippet.', + project_not_found: 'The project you were looking for could not be found.', snippet_not_found: 'The snippet you were looking for could not be found.', repository_not_found: 'The snippet repository you were looking for could not be found.' }.freeze @@ -12,25 +18,47 @@ module Gitlab def initialize(actor, snippet, protocol, **kwargs) @snippet = snippet - super(actor, project, protocol, **kwargs) + super(actor, snippet&.project, protocol, **kwargs) + + @auth_result_type = nil + @authentication_abilities &= [:download_code, :push_code] end - def check(cmd, _changes) + def check(cmd, changes) + # TODO: Investigate if expanding actor/authentication types are needed. + # https://gitlab.com/gitlab-org/gitlab/issues/202190 + if actor && !actor.is_a?(User) && !actor.instance_of?(Key) + raise UnauthorizedError, ERROR_MESSAGES[:authentication_mechanism] + end + unless Feature.enabled?(:version_snippets, user) - raise NotFoundError, ERROR_MESSAGES[:snippet_not_found] + raise NotFoundError, ERROR_MESSAGES[:project_not_found] end check_snippet_accessibility! - success_result(cmd) + super end - def project - snippet&.project + private + + override :check_project! + def check_project!(cmd, changes) + if snippet.is_a?(ProjectSnippet) + check_namespace! + check_project_accessibility! + # TODO add add_project_moved_message! to handle non-project repo https://gitlab.com/gitlab-org/gitlab/issues/205646 + end end - private + override :check_push_access! + def check_push_access! + raise UnauthorizedError, ERROR_MESSAGES[:update_snippet] unless user + + check_change_access! + end + override :repository def repository snippet&.repository end @@ -39,10 +67,64 @@ module Gitlab if snippet.blank? raise NotFoundError, ERROR_MESSAGES[:snippet_not_found] end + end + + override :check_download_access! + def check_download_access! + passed = guest_can_download_code? || user_can_download_code? + + unless passed + raise UnauthorizedError, ERROR_MESSAGES[:read_snippet] + end + end + + override :guest_can_download_code? + def guest_can_download_code? + Guest.can?(:read_snippet, snippet) + end + + override :user_can_download_code? + def user_can_download_code? + authentication_abilities.include?(:download_code) && user_access.can_do_action?(:read_snippet) + end + + override :check_change_access! + def check_change_access! + unless user_access.can_do_action?(:update_snippet) + raise UnauthorizedError, ERROR_MESSAGES[:update_snippet] + end + + changes_list.each do |change| + # If user does not have access to make at least one change, cancel all + # push by allowing the exception to bubble up + check_single_change_access(change) + end + end + + def check_single_change_access(change) + change_access = Checks::SnippetCheck.new(change, logger: logger) + + change_access.exec + rescue Checks::TimedLogger::TimeoutError + raise TimeoutError, logger.full_message + end - unless repository&.exists? + override :check_repository_existence! + def check_repository_existence! + unless repository.exists? raise NotFoundError, ERROR_MESSAGES[:repository_not_found] end end + + override :user_access + def user_access + @user_access ||= UserAccessSnippet.new(user, snippet: snippet) + end + + # TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629 + override :check_custom_action + def check_custom_action(cmd) + nil + end end end diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb index 097b502316e..ae4c77255c5 100644 --- a/lib/gitlab/user_access.rb +++ b/lib/gitlab/user_access.rb @@ -98,7 +98,7 @@ module Gitlab @permission_cache ||= {} end - def can_access_git? + request_cache def can_access_git? user && user.can?(:access_git) end diff --git a/lib/gitlab/user_access_snippet.rb b/lib/gitlab/user_access_snippet.rb new file mode 100644 index 00000000000..bfed86c4df4 --- /dev/null +++ b/lib/gitlab/user_access_snippet.rb @@ -0,0 +1,49 @@ +# frozen_string_literal: true + +module Gitlab + class UserAccessSnippet < UserAccess + extend ::Gitlab::Cache::RequestCache + # TODO: apply override check https://gitlab.com/gitlab-org/gitlab/issues/205677 + + request_cache_key do + [user&.id, snippet&.id] + end + + attr_reader :snippet + + def initialize(user, snippet: nil) + @user = user + @snippet = snippet + @project = snippet&.project + end + + def can_do_action?(action) + return false unless can_access_git? + + permission_cache[action] = + permission_cache.fetch(action) do + Ability.allowed?(user, action, snippet) + end + end + + def can_create_tag?(ref) + false + end + + def can_delete_branch?(ref) + false + end + + def can_push_to_branch?(ref) + super + return false unless snippet + return false unless can_do_action?(:update_snippet) + + true + end + + def can_merge_to_branch?(ref) + false + end + end +end |