1 files changed, 31 insertions, 18 deletions

diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index 12292f614e9..0353b3b7ed3 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -1,6 +1,14 @@
 require_relative 'shell_env'
 
 module Grack
+  class AuthSpawner
+    def self.call(env)
+      # Avoid issues with instance variables in Grack::Auth persisting across
+      # requests by creating a new instance for each request.
+      Auth.new({}).call(env)
+    end
+  end
+
   class Auth < Rack::Auth::Basic
 
     attr_accessor :user, :project, :env
@@ -10,7 +18,7 @@ module Grack
       @request = Rack::Request.new(env)
       @auth = Request.new(env)
 
-      @gitlab_ci = false
+      @ci = false
 
       # Need this patch due to the rails mount
       # Need this if under RELATIVE_URL_ROOT
@@ -26,13 +34,9 @@ module Grack
       auth!
 
       if project && authorized_request?
-        if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1'
-          # Tell gitlab-git-http-server the request is OK, and what the GL_ID is
-          render_grack_auth_ok
-        else
-          @app.call(env)
-        end
-      elsif @user.nil? && !@gitlab_ci
+        # Tell gitlab-git-http-server the request is OK, and what the GL_ID is
+        render_grack_auth_ok
+      elsif @user.nil? && !@ci
         unauthorized
       else
         render_not_found
@@ -51,8 +55,8 @@ module Grack
 
       # Allow authentication for GitLab CI service
       # if valid token passed
-      if gitlab_ci_request?(login, password)
-        @gitlab_ci = true
+      if ci_request?(login, password)
+        @ci = true
         return
       end
 
@@ -64,12 +68,17 @@ module Grack
       end
     end
 
-    def gitlab_ci_request?(login, password)
-      if login == "gitlab-ci-token" && project && project.gitlab_ci?
-        token = project.gitlab_ci_service.token
+    def ci_request?(login, password)
+      matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login)
+
+      if project && matched_login.present? && git_cmd == 'git-upload-pack'
+        underscored_service = matched_login['s'].underscore 
 
-        if token.present? && token == password && git_cmd == 'git-upload-pack'
-          return true
+        if Service.available_services_names.include?(underscored_service)
+          service_method = "#{underscored_service}_service"
+          service = project.send(service_method)
+
+          return service && service.activated? && service.valid_token?(password)
         end
       end
 
@@ -128,11 +137,13 @@ module Grack
     end
 
     def authorized_request?
-      return true if @gitlab_ci
+      return true if @ci
 
       case git_cmd
       when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
-        if user
+        if !Gitlab.config.gitlab_shell.upload_pack
+          false
+        elsif user
           Gitlab::GitAccess.new(user, project).download_access_check.allowed?
         elsif project.public?
           # Allow clone/fetch for public projects
@@ -141,7 +152,9 @@ module Grack
           false
         end
       when *Gitlab::GitAccess::PUSH_COMMANDS
-        if user
+        if !Gitlab.config.gitlab_shell.receive_pack
+          false
+        elsif user
           # Skip user authorization on upload request.
           # It will be done by the pre-receive hook in the repository.
           true