diff options
author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2015-07-06 12:27:40 +0200 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2015-07-06 12:27:40 +0200 |
commit | 64996dbb6dc869d9aeb7032bad29c2775cfd8297 (patch) | |
tree | bf787e38bee885662de19532fb18e5e2cad23889 | |
parent | 4d30c0c5d3d0f23a221ee507b6bd110a539b8570 (diff) | |
parent | 0bd7699570cf6d7546500d7cce1ed8f8abab326d (diff) | |
download | gitlab-shell-64996dbb6dc869d9aeb7032bad29c2775cfd8297.tar.gz |
Merge pull request #230 from bozaro/git-lfs-authenticate
Add git-lfs-authenticate to command white list
-rw-r--r-- | README.md | 29 | ||||
-rw-r--r-- | lib/gitlab_shell.rb | 19 |
2 files changed, 45 insertions, 3 deletions
@@ -139,3 +139,32 @@ List all keys: Remove all keys from authorized_keys file: ./bin/gitlab-keys clear + +## Git LFS remark + +If you want to play with git-lfs (https://git-lfs.github.com/) on GitLab, you should do the following: + + * Install LFS-server (no production-ready implementation yet, but you can use https://github.com/github/lfs-test-server) on any host; + * Add some user on LFS-server (for example: user ```foo``` with password ```bar```); + * Add ```git-lfs-authenticate``` script in any PATH-available directory on GIT-server like this: +``` +#!/bin/sh +echo "{ + \"href\": \"http://lfs.test.local:9999/test/test\", + \"header\": { + \"Authorization\": \"Basic `echo -n foo:bar | base64`\" + } +}" + ``` + +After that you can play with git-lfs (git-lfs feature will be available via ssh protocol). + +This design will work without a script git-lfs-authenticate, but with the following limitations: + + * You will need to manually configure lfs-server URL for every user working copy; + * SSO don't work and you need to manually add lfs-server credentials for every user working copy (otherwise, git-lfs will ask for the password for each file). + +Usefull links: + + * https://github.com/github/git-lfs/tree/master/docs/api - Git LFS API, also contains more information about ```git-lfs-authenticate```; + * https://github.com/github/git-lfs/wiki/Implementations - Git LFS-server implementations. diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb index 7249836..7c75910 100644 --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb @@ -7,7 +7,7 @@ class GitlabShell class DisallowedCommandError < StandardError; end class InvalidRepositoryPathError < StandardError; end - GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell).freeze + GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell git-lfs-authenticate).freeze attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name @@ -56,16 +56,29 @@ class GitlabShell def parse_cmd args = Shellwords.shellwords(@origin_cmd) @git_cmd = args.first + @git_access = @git_cmd raise DisallowedCommandError unless GIT_COMMANDS.include?(@git_cmd) - if @git_cmd == 'git-annex-shell' + case @git_cmd + when 'git-annex-shell' raise DisallowedCommandError unless @config.git_annex_enabled? @repo_name = escape_path(args[2].sub(/\A\/~\//, '')) # Make sure repository has git-annex enabled init_git_annex(@repo_name) + when 'git-lfs-authenticate' + raise DisallowedCommandError unless args.count >= 2 + @repo_name = escape_path(args[1]) + case args[2] + when 'download' + @git_access = 'git-upload-pack' + when 'upload' + @git_access = 'git-receive-pack' + else + raise DisallowedCommandError + end else raise DisallowedCommandError unless args.count == 2 @repo_name = escape_path(args.last) @@ -73,7 +86,7 @@ class GitlabShell end def verify_access - status = api.check_access(@git_cmd, @repo_name, @key_id, '_any') + status = api.check_access(@git_access, @repo_name, @key_id, '_any') raise AccessDeniedError, status.message unless status.allowed? end |