Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token

# Conflicts:
#	app/controllers/projects/git_http_client_controller.rb
#	app/helpers/lfs_helper.rb
#	lib/gitlab/auth.rb
#	spec/requests/lfs_http_spec.rb

4 files changed, 93 insertions, 19 deletions

diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 2610fd329d6..865379c51c4 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -82,6 +82,19 @@ module API
         response
       end
 
+      post "/lfs_authenticate" do
+        status 200
+
+        key = Key.find(params[:key_id])
+        token_handler = Gitlab::LfsToken.new(key)
+
+        {
+          username: token_handler.actor_name,
+          lfs_token: token_handler.generate,
+          repository_http_path: project.http_url_to_repo
+        }
+      end
+
       get "/merge_request_urls" do
         ::MergeRequests::GetUrlsService.new(project).execute(params[:changes])
       end
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index b1427f412b0..b14c4e565d5 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -1,23 +1,28 @@
 module Gitlab
   module Auth
-    Result = Struct.new(:user, :project, :type, :capabilities) do
-      def succeeded?
-        user.present? || [:ci].include?(type)
+    Result = Struct.new(:actor, :project, :type, :capabilities) do
+      def success?
+        actor.present? || type == :ci
       end
     end
 
+    class MissingPersonalTokenError < StandardError; end
+
     class << self
       def find_for_git_client(login, password, project:, ip:)
         raise "Must provide an IP for rate limiting" if ip.nil?
 
-        result = service_access_token_check(login, password, project) ||
+        result =
+          service_request_check(login, password, project) ||
           build_access_token_check(login, password) ||
           user_with_password_for_git(login, password) ||
           oauth_access_token_check(login, password) ||
+          lfs_token_check(login, password) ||
           personal_access_token_check(login, password) ||
           Result.new
 
-        rate_limit!(ip, success: result.succeeded?, login: login)
+        rate_limit!(ip, success: result.success?, login: login)
+
         result
       end
 
@@ -59,7 +64,7 @@ module Gitlab
 
       private
 
-      def service_access_token_check(login, password, project)
+      def service_request_check(login, password, project)
         matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
 
         return unless project && matched_login.present?
@@ -81,14 +86,9 @@ module Gitlab
         user = find_with_user_password(login, password)
         return unless user
 
-        type =
-          if user.two_factor_enabled?
-            :missing_personal_token
-          else
-            :gitlab_or_ldap
-          end
+        raise Gitlab::Auth::MissingPersonalTokenError if user.two_factor_enabled?
 
-        Result.new(user, nil, type, full_capabilities)
+        Result.new(user, nil, :gitlab_or_ldap, full_capabilities)
       end
 
       def oauth_access_token_check(login, password)
@@ -105,9 +105,24 @@ module Gitlab
         if login && password
           user = User.find_by_personal_access_token(password)
           validation = User.by_login(login)
-          if user && user == validation
-            Result.new(user, nil, :personal_token, full_capabilities)
+          Result.new(user, nil, :personal_token, full_capabilities) if user.present? && user == validation
+        end
+      end
+
+      def lfs_token_check(login, password)
+        deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
+
+        actor =
+          if deploy_key_matches
+            DeployKey.find(deploy_key_matches[1])
+          else
+            User.by_login(login)
           end
+
+        if actor
+          token_handler = Gitlab::LfsToken.new(actor)
+
+          Result.new(actor, nil, token_handler.type, read_capabilities) if Devise.secure_compare(token_handler.value, password)
         end
       end
 
diff --git a/lib/gitlab/import_export/repo_restorer.rb b/lib/gitlab/import_export/repo_restorer.rb
index 6d9379acf25..d1e33ea8678 100644
--- a/lib/gitlab/import_export/repo_restorer.rb
+++ b/lib/gitlab/import_export/repo_restorer.rb
@@ -22,10 +22,6 @@ module Gitlab
 
       private
 
-      def repos_path
-        Gitlab.config.gitlab_shell.repos_path
-      end
-
       def path_to_repo
         @project.repository.path_to_repo
       end
diff --git a/lib/gitlab/lfs_token.rb b/lib/gitlab/lfs_token.rb
new file mode 100644
index 00000000000..f492754b1c8
--- /dev/null
+++ b/lib/gitlab/lfs_token.rb
@@ -0,0 +1,50 @@
+module Gitlab
+  class LfsToken
+    attr_accessor :actor
+
+    TOKEN_LENGTH = 50
+    EXPIRY_TIME = 1800
+
+    def initialize(actor)
+      @actor =
+        case actor
+        when DeployKey, User
+          actor
+        when Key
+          actor.user
+        else
+          raise 'Bad Actor'
+        end
+    end
+
+    def generate
+      token = Devise.friendly_token(TOKEN_LENGTH)
+
+      Gitlab::Redis.with do |redis|
+        redis.set(redis_key, token, ex: EXPIRY_TIME)
+      end
+
+      token
+    end
+
+    def value
+      Gitlab::Redis.with do |redis|
+        redis.get(redis_key)
+      end
+    end
+
+    def type
+      actor.is_a?(User) ? :lfs_token : :lfs_deploy_token
+    end
+
+    def actor_name
+      actor.is_a?(User) ? actor.username : "lfs+deploy-key-#{actor.id}"
+    end
+
+    private
+
+    def redis_key
+      "gitlab:lfs_token:#{actor.class.name.underscore}_#{actor.id}" if actor
+    end
+  end
+end