summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--GITLAB_SHELL_VERSION2
-rw-r--r--config/initializers/gitlab_shell_secret_token.rb19
-rw-r--r--lib/api/helpers.rb8
-rw-r--r--lib/api/internal.rb4
-rw-r--r--spec/requests/api/internal_spec.rb14
6 files changed, 42 insertions, 6 deletions
diff --git a/.gitignore b/.gitignore
index 4f778371512..2c6b65b7b7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ public/assets/
.envrc
dump.rdb
tags
+.gitlab_shell_secret
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index 38f77a65b30..e9307ca5751 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-2.0.1
+2.0.2
diff --git a/config/initializers/gitlab_shell_secret_token.rb b/config/initializers/gitlab_shell_secret_token.rb
new file mode 100644
index 00000000000..8d2b771e535
--- /dev/null
+++ b/config/initializers/gitlab_shell_secret_token.rb
@@ -0,0 +1,19 @@
+# Be sure to restart your server when you modify this file.
+
+require 'securerandom'
+
+# Your secret key for verifying the gitlab_shell.
+
+
+secret_file = Rails.root.join('.gitlab_shell_secret')
+gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
+
+unless File.exist? secret_file
+ # Generate a new token of 16 random hexadecimal characters and store it in secret_file.
+ token = SecureRandom.hex(16)
+ File.write(secret_file, token)
+end
+
+if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
+ FileUtils.symlink(secret_file, gitlab_shell_symlink)
+end \ No newline at end of file
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 3262884f6d3..027fb20ec46 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -67,6 +67,10 @@ module API
unauthorized! unless current_user
end
+ def authenticate_by_gitlab_shell_token!
+ unauthorized! unless secret_token == params['secret_token']
+ end
+
def authenticated_as_admin!
forbidden! unless current_user.is_admin?
end
@@ -193,5 +197,9 @@ module API
abilities
end
end
+
+ def secret_token
+ File.read(Rails.root.join('.gitlab_shell_secret'))
+ end
end
end
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 9ac659f50fd..ebf2296097d 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -1,6 +1,10 @@
module API
# Internal access API
class Internal < Grape::API
+ before {
+ authenticate_by_gitlab_shell_token!
+ }
+
namespace 'internal' do
# Check if git command is allowed to project
#
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index 6df5ef38961..677b1494041 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -5,10 +5,11 @@ describe API::API, api: true do
let(:user) { create(:user) }
let(:key) { create(:key, user: user) }
let(:project) { create(:project) }
+ let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
describe "GET /internal/check", no_db: true do
it do
- get api("/internal/check")
+ get api("/internal/check"), secret_token: secret_token
response.status.should == 200
json_response['api_version'].should == API::API.version
@@ -17,7 +18,7 @@ describe API::API, api: true do
describe "GET /internal/discover" do
it do
- get(api("/internal/discover"), key_id: key.id)
+ get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)
response.status.should == 200
@@ -159,7 +160,8 @@ describe API::API, api: true do
api("/internal/allowed"),
key_id: key.id,
project: project.path_with_namespace,
- action: 'git-upload-pack'
+ action: 'git-upload-pack',
+ secret_token: secret_token
)
end
@@ -169,7 +171,8 @@ describe API::API, api: true do
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
key_id: key.id,
project: project.path_with_namespace,
- action: 'git-receive-pack'
+ action: 'git-receive-pack',
+ secret_token: secret_token
)
end
@@ -179,7 +182,8 @@ describe API::API, api: true do
ref: 'master',
key_id: key.id,
project: project.path_with_namespace,
- action: 'git-upload-archive'
+ action: 'git-upload-archive',
+ secret_token: secret_token
)
end
end