diff options
author | Ash McKenzie <amckenzie@gitlab.com> | 2018-08-17 13:56:24 +1000 |
---|---|---|
committer | Ash McKenzie <amckenzie@gitlab.com> | 2018-08-17 14:40:47 +1000 |
commit | 88f12c8a4f8cce7627e4f1f4a7bc0634885be8cb (patch) | |
tree | b7e09a2ad1315773b375763059087820b359bcaa | |
parent | bb7c8a7f45126e0e4c383ae96eb3109327c016ae (diff) | |
download | gitlab-shell-88f12c8a4f8cce7627e4f1f4a7bc0634885be8cb.tar.gz |
Custom Action support
-rw-r--r-- | lib/action.rb | 4 | ||||
-rw-r--r-- | lib/action/custom.rb | 109 | ||||
-rw-r--r-- | lib/gitlab_access_status.rb | 15 | ||||
-rw-r--r-- | lib/gitlab_net.rb | 2 | ||||
-rw-r--r-- | lib/gitlab_shell.rb | 16 | ||||
-rw-r--r-- | spec/action/custom_spec.rb | 130 | ||||
-rw-r--r-- | spec/gitlab_shell_spec.rb | 23 | ||||
-rw-r--r-- | spec/vcr_cassettes/custom-action-not-ok-json.yml | 40 | ||||
-rw-r--r-- | spec/vcr_cassettes/custom-action-not-ok-not-json.yml | 40 | ||||
-rw-r--r-- | spec/vcr_cassettes/custom-action-ok.yml | 99 |
10 files changed, 473 insertions, 5 deletions
diff --git a/lib/action.rb b/lib/action.rb new file mode 100644 index 0000000..28c1c14 --- /dev/null +++ b/lib/action.rb @@ -0,0 +1,4 @@ +require_relative 'action/custom' + +module Action +end diff --git a/lib/action/custom.rb b/lib/action/custom.rb new file mode 100644 index 0000000..9d238be --- /dev/null +++ b/lib/action/custom.rb @@ -0,0 +1,109 @@ +require 'cgi' + +require_relative '../http_helper' + +module Action + class Custom + include HTTPHelper + + class MissingPayloadError < StandardError; end + class MissingAPIEndpointsError < StandardError; end + class MissingDataError < StandardError; end + class UnsuccessfulError < StandardError; end + + DEFAULT_HEADERS = { 'Content-Type' => 'application/json' }.freeze + + def initialize(gl_id, payload) + @gl_id = gl_id + @payload = payload + end + + def execute + result = process_api_endpoints + + if result && HTTP_SUCCESS_CODES.include?(result.code) + result + else + raise_unsuccessful!(result) + end + end + + private + + attr_reader :gl_id, :payload + + def process_api_endpoints + validate! + + output = '' + resp = nil + + api_endpoints.each do |endpoint| + url = "#{base_api_endpoint}/#{endpoint}" + json = { 'data' => data.merge('gl_id' => gl_id), 'output' => output } + + resp = post(url, {}, headers: DEFAULT_HEADERS, options: { json: json }) + return resp unless HTTP_SUCCESS_CODES.include?(resp.code) + + body = JSON.parse(resp.body) + print_flush(body['result']) + + # In the context of the git push sequence of events, it's necessary to read + # stdin in order to capture output to pass onto subsequent commands + output = read_stdin + end + + resp + end + + def api_endpoints + @api_endpoints ||= payload['api_endpoints'] + end + + def data + @data ||= payload['data'] + end + + def config + @config ||= GitlabConfig.new + end + + def api + @api ||= GitlabNet.new + end + + def read_stdin + CGI.escape($stdin.read) + end + + def print_flush(str) + return false unless str + print(CGI.unescape(str)) + STDOUT.flush + end + + def validate! + validate_payload! + validate_api_endpoints! + validate_data! + end + + def validate_payload! + raise MissingPayloadError if !payload.is_a?(Hash) || payload.empty? + end + + def validate_api_endpoints! + raise MissingAPIEndpointsError if !api_endpoints.is_a?(Array) || + api_endpoints.empty? + end + + def validate_data! + raise MissingDataError unless data.is_a?(Hash) + end + + def raise_unsuccessful!(result) + message = JSON.parse(result.body)['message'] rescue 'No message' + raise UnsuccessfulError, "#{message} (#{result.code})" + end + end +end diff --git a/lib/gitlab_access_status.rb b/lib/gitlab_access_status.rb index 9c66ca5..8bb4fbb 100644 --- a/lib/gitlab_access_status.rb +++ b/lib/gitlab_access_status.rb @@ -1,11 +1,14 @@ require 'json' +require_relative 'http_codes' class GitAccessStatus - attr_reader :message, :gl_repository, :gl_id, :gl_username, :repository_path, :gitaly, :git_protocol, :git_config_options + include HTTPCodes + + attr_reader :message, :gl_repository, :gl_id, :gl_username, :repository_path, :gitaly, :git_protocol, :git_config_options, :payload def initialize(status, status_code, message, gl_repository: nil, gl_id: nil, gl_username: nil, repository_path: nil, gitaly: nil, - git_protocol: nil, git_config_options: nil) + git_protocol: nil, git_config_options: nil, payload: nil) @status = status @status_code = status_code @message = message @@ -16,6 +19,7 @@ class GitAccessStatus @repository_path = repository_path @gitaly = gitaly @git_protocol = git_protocol + @payload = payload end def self.create_from_json(json, status_code) @@ -29,10 +33,15 @@ class GitAccessStatus git_config_options: values["git_config_options"], repository_path: values["repository_path"], gitaly: values["gitaly"], - git_protocol: values["git_protocol"]) + git_protocol: values["git_protocol"], + payload: values["payload"]) end def allowed? @status end + + def custom_action? + @status_code == HTTP_MULTIPLE_CHOICES + end end diff --git a/lib/gitlab_net.rb b/lib/gitlab_net.rb index eb4284d..24f8c32 100644 --- a/lib/gitlab_net.rb +++ b/lib/gitlab_net.rb @@ -33,7 +33,7 @@ class GitlabNet # rubocop:disable Metrics/ClassLength url = "#{internal_api_endpoint}/allowed" resp = post(url, params) - if resp.code == '200' + if [HTTP_SUCCESS, HTTP_MULTIPLE_CHOICES].include?(resp.code) GitAccessStatus.create_from_json(resp.body, resp.code) else GitAccessStatus.new(false, resp.code, 'API is not accessible') diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb index 7ab71b1..b0169fb 100644 --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb @@ -3,6 +3,7 @@ require 'pathname' require_relative 'gitlab_net' require_relative 'gitlab_metrics' +require_relative 'action' class GitlabShell # rubocop:disable Metrics/ClassLength class AccessDeniedError < StandardError; end @@ -49,8 +50,10 @@ class GitlabShell # rubocop:disable Metrics/ClassLength args = Shellwords.shellwords(origin_cmd) args = parse_cmd(args) + access_status = nil + if GIT_COMMANDS.include?(args.first) - GitlabMetrics.measure('verify-access') { verify_access } + access_status = GitlabMetrics.measure('verify-access') { verify_access } elsif !defined?(@gl_id) # We're processing an API command like 2fa_recovery_codes, but # don't have a @gl_id yet, that means we're in the "username" @@ -59,6 +62,10 @@ class GitlabShell # rubocop:disable Metrics/ClassLength user end + if @command == GIT_RECEIVE_PACK_COMMAND && access_status.custom_action? + return process_custom_action(access_status) + end + process_cmd(args) true @@ -121,6 +128,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength status = api.check_access(@git_access, nil, @repo_name, @who || @gl_id, '_any', GL_PROTOCOL) raise AccessDeniedError, status.message unless status.allowed? + return status if status.custom_action? self.repo_path = status.repository_path @gl_repository = status.gl_repository @@ -131,6 +139,12 @@ class GitlabShell # rubocop:disable Metrics/ClassLength if defined?(@who) @gl_id = status.gl_id end + + status + end + + def process_custom_action(access_status) + Action::Custom.new(@gl_id, access_status.payload).execute end def process_cmd(args) diff --git a/spec/action/custom_spec.rb b/spec/action/custom_spec.rb new file mode 100644 index 0000000..d06d1d3 --- /dev/null +++ b/spec/action/custom_spec.rb @@ -0,0 +1,130 @@ +require_relative '../spec_helper' +require_relative '../../lib/action/custom' + +describe Action::Custom, vcr: true do + let(:repo_name) { 'gitlab-ci.git' } + let(:gl_id) { 'key-1' } + let(:secret) { "0a3938d9d95d807e94d937af3a4fbbea" } + let(:base_api_endpoint) { 'http://localhost:3000/api/v4' } + let(:json_valid) do + { + 'api_endpoints' => %w{fake/info_refs fake/push}, + 'data' => { + 'gl_username' => 'user1', + 'primary_repo' => 'http://localhost:3001/user1/repo1.git' + } + } + end + let(:json_missing_api_endpoints) do + { + 'data' => { + 'gl_username' => 'user1', + 'primary_repo' => 'http://localhost:3001/user1/repo1.git' + } + } + end + let(:json_empty_api_endpoints) do + { + 'api_endpoints' => [], + 'data' => { + 'gl_username' => 'user1', + 'primary_repo' => 'http://localhost:3001/user1/repo1.git' + } + } + end + let(:json_missing_data) do + { + 'api_endpoints' => %w{fake/info_refs fake/push} + } + end + let(:json_invalid_api_endpoints) do + { + 'api_endpoints' => %w{fake/info_refs_bad fake/push_bad}, + 'data' => { + 'gl_username' => 'user1', + 'primary_repo' => 'http://localhost:3001/user1/repo1.git' + } + } + end + let(:json_empty) { {} } + + subject { described_class.new(gl_id, payload) } + + describe '#execute' do + context 'with an empty payload' do + let(:payload) { json_empty } + + it 'returns nil' do + expect { subject.execute }.to raise_error(Action::Custom::MissingPayloadError) + end + end + + context 'with api_endpoints defined' do + before do + allow(subject).to receive(:base_api_endpoint).and_return(base_api_endpoint) + allow(subject).to receive(:secret_token).and_return(secret) + allow($stdin).to receive(:read).and_return('') + end + + context 'that are valid' do + let(:payload) { json_valid } + + it 'HTTP posts data to defined api_endpoints' do + VCR.use_cassette("custom-action-ok") do + expect(subject.execute).to be_instance_of(Net::HTTPCreated) + end + end + end + + context 'that are invalid' do + context 'where api_endpoints gl_id is missing' do + let(:payload) { json_missing_api_endpoints } + + it 'raises a MissingAPIEndpointsError exception' do + expect { subject.execute }.to raise_error(Action::Custom::MissingAPIEndpointsError) + end + end + + context 'where api_endpoints is empty' do + let(:payload) { json_empty_api_endpoints } + + it 'raises a MissingAPIEndpointsError exception' do + expect { subject.execute }.to raise_error(Action::Custom::MissingAPIEndpointsError) + end + end + + context 'where data gl_id is missing' do + let(:payload) { json_missing_data } + + it 'raises a MissingDataError exception' do + expect { subject.execute }.to raise_error(Action::Custom::MissingDataError) + end + end + + context 'where API endpoints are bad' do + let(:payload) { json_invalid_api_endpoints } + + context 'and response is JSON' do + it 'HTTP posts data to defined api_endpoints' do + VCR.use_cassette("custom-action-not-ok-json") do + expect { + subject.execute + }.to raise_error(Action::Custom::UnsuccessfulError, 'You cannot perform write operations on a read-only instance (403)') + end + end + end + + context 'and response is not JSON' do + it 'HTTP posts data to defined api_endpoints' do + VCR.use_cassette("custom-action-not-ok-not-json") do + expect { + subject.execute + }.to raise_error(Action::Custom::UnsuccessfulError, 'No message (403)') + end + end + end + end + end + end + end +end diff --git a/spec/gitlab_shell_spec.rb b/spec/gitlab_shell_spec.rb index 570e9f8..26ae957 100644 --- a/spec/gitlab_shell_spec.rb +++ b/spec/gitlab_shell_spec.rb @@ -258,6 +258,29 @@ describe GitlabShell do user_string = "user with id #{gl_id}" expect($logger).to receive(:info).with(message, command: "git-receive-pack #{repo_path}", user: user_string) end + + context 'with a custom action' do + let(:fake_payload) { { 'api_endpoints' => [ '/fake/api/endpoint' ], 'data' => {} } } + let(:custom_action_gitlab_access_status) do + GitAccessStatus.new( + true, + HTTPCodes::HTTP_MULTIPLE_CHOICES, + 'Multiple Choices', + payload: fake_payload + ) + end + let(:action_custom) { double(Action::Custom) } + + before do + allow(api).to receive(:check_access).and_return(custom_action_gitlab_access_status) + end + + it "should not process the command" do + expect(subject).to_not receive(:process_cmd).with(%w(git-receive-pack gitlab-ci.git)) + expect(Action::Custom).to receive(:new).with(gl_id, fake_payload).and_return(action_custom) + expect(action_custom).to receive(:execute) + end + end end context 'gitaly-receive-pack' do diff --git a/spec/vcr_cassettes/custom-action-not-ok-json.yml b/spec/vcr_cassettes/custom-action-not-ok-json.yml new file mode 100644 index 0000000..e50719d --- /dev/null +++ b/spec/vcr_cassettes/custom-action-not-ok-json.yml @@ -0,0 +1,40 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/fake/info_refs_bad + body: + encoding: UTF-8 + string: '{"data":{"gl_username":"user1","primary_repo":"http://localhost:3001/user1/repo1.git","gl_id":"key-11"},"output":"","secret_token":"0a3938d9d95d807e94d937af3a4fbbea\n"}' + headers: + Content-Type: + - application/json + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Host: + - localhost + response: + status: + code: 403 + message: Forbidden + headers: + Date: + - Fri, 20 Jul 2018 06:54:21 GMT + Connection: + - close + Content-Type: + - application/json + X-Request-Id: + - ea0644ac-e1ad-45f6-aa72-cc7910274318 + X-Runtime: + - '1.236672' + body: + encoding: UTF-8 + string: '{"message":"You cannot perform write operations on a read-only instance"}' + http_version: + recorded_at: Fri, 20 Jul 2018 06:54:21 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/custom-action-not-ok-not-json.yml b/spec/vcr_cassettes/custom-action-not-ok-not-json.yml new file mode 100644 index 0000000..b60a93a --- /dev/null +++ b/spec/vcr_cassettes/custom-action-not-ok-not-json.yml @@ -0,0 +1,40 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/fake/info_refs_bad + body: + encoding: UTF-8 + string: '{"data":{"gl_username":"user1","primary_repo":"http://localhost:3001/user1/repo1.git","gl_id":"key-11"},"output":"","secret_token":"0a3938d9d95d807e94d937af3a4fbbea\n"}' + headers: + Content-Type: + - application/json + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Host: + - localhost + response: + status: + code: 403 + message: Forbidden + headers: + Date: + - Fri, 20 Jul 2018 06:54:21 GMT + Connection: + - close + Content-Type: + - application/json + X-Request-Id: + - ea0644ac-e1ad-45f6-aa72-cc7910274318 + X-Runtime: + - '1.236672' + body: + encoding: UTF-8 + string: '""' + http_version: + recorded_at: Fri, 20 Jul 2018 06:54:21 GMT +recorded_with: VCR 2.4.0 diff --git a/spec/vcr_cassettes/custom-action-ok.yml b/spec/vcr_cassettes/custom-action-ok.yml new file mode 100644 index 0000000..a057441 --- /dev/null +++ b/spec/vcr_cassettes/custom-action-ok.yml @@ -0,0 +1,99 @@ +--- +http_interactions: +- request: + method: post + uri: http://localhost:3000/api/v4/fake/info_refs + body: + encoding: UTF-8 + string: '{"data":{"gl_username":"user1","primary_repo":"http://localhost:3001/user1/repo1.git","gl_id":"key-1"},"output":"","secret_token":"0a3938d9d95d807e94d937af3a4fbbea"}' + headers: + Content-Type: + - application/json + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Host: + - localhost + response: + status: + code: 200 + message: OK + headers: + Date: + - Fri, 20 Jul 2018 06:18:58 GMT + Connection: + - close + X-Frame-Options: + - SAMEORIGIN + X-Content-Type-Options: + - nosniff + Content-Type: + - application/json + Content-Length: + - '172' + Vary: + - Origin + Etag: + - W/"7d01e1e3dbcbe7cca9607461352f8244" + Cache-Control: + - max-age=0, private, must-revalidate + X-Request-Id: + - 03afa234-b6be-49ab-9392-4aa35c5dee25 + X-Runtime: + - '1.436040' + body: + encoding: UTF-8 + string: '{"result":"info_refs-result"}' + http_version: + recorded_at: Fri, 20 Jul 2018 06:18:58 GMT +- request: + method: post + uri: http://localhost:3000/api/v4/fake/push + body: + encoding: UTF-8 + string: '{"data":{"gl_username":"user1","primary_repo":"http://localhost:3001/user1/repo1.git","gl_id":"key-1"},"output":"info_refs-result","secret_token":"0a3938d9d95d807e94d937af3a4fbbea"}' + headers: + Content-Type: + - application/json + Accept-Encoding: + - gzip;q=1.0,deflate;q=0.6,identity;q=0.3 + Accept: + - "*/*" + User-Agent: + - Ruby + Host: + - localhost + response: + status: + code: 201 + message: Created + headers: + Date: + - Fri, 20 Jul 2018 06:19:08 GMT + Connection: + - close + X-Frame-Options: + - SAMEORIGIN + X-Content-Type-Options: + - nosniff + Content-Type: + - application/json + Content-Length: + - '13' + Vary: + - Origin + Cache-Control: + - no-cache + X-Request-Id: + - 0c6894ac-7f8e-4cdb-871f-4cb64d3731ca + X-Runtime: + - '0.786754' + body: + encoding: UTF-8 + string: '{"result":"push-result"}' + http_version: + recorded_at: Fri, 20 Jul 2018 06:19:08 GMT +recorded_with: VCR 2.4.0 |