Commit ab2db486 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'security-api-internal-publicity' into 'master'

Gitlab-shell identification

Part of gitlab/gitlabhq#1528

See merge request !1185
parents d4bc1255 2e485af7
......@@ -39,3 +39,4 @@ public/assets/
.envrc
dump.rdb
tags
.gitlab_shell_secret
# Be sure to restart your server when you modify this file.
require 'securerandom'
# Your secret key for verifying the gitlab_shell.
secret_file = Rails.root.join('.gitlab_shell_secret')
gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
unless File.exist? secret_file
# Generate a new token of 16 random hexadecimal characters and store it in secret_file.
token = SecureRandom.hex(16)
File.write(secret_file, token)
end
if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
FileUtils.symlink(secret_file, gitlab_shell_symlink)
end
\ No newline at end of file
......@@ -67,6 +67,10 @@ def authenticate!
unauthorized! unless current_user
end
def authenticate_by_gitlab_shell_token!
unauthorized! unless secret_token == params['secret_token']
end
def authenticated_as_admin!
forbidden! unless current_user.is_admin?
end
......@@ -193,5 +197,9 @@ def abilities
abilities
end
end
def secret_token
File.read(Rails.root.join('.gitlab_shell_secret'))
end
end
end
module API
# Internal access API
class Internal < Grape::API
before {
authenticate_by_gitlab_shell_token!
}
namespace 'internal' do
# Check if git command is allowed to project
#
......
......@@ -5,10 +5,11 @@
let(:user) { create(:user) }
let(:key) { create(:key, user: user) }
let(:project) { create(:project) }
let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
describe "GET /internal/check", no_db: true do
it do
get api("/internal/check")
get api("/internal/check"), secret_token: secret_token
response.status.should == 200
json_response['api_version'].should == API::API.version
......@@ -17,7 +18,7 @@
describe "GET /internal/discover" do
it do
get(api("/internal/discover"), key_id: key.id)
get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)
response.status.should == 200
......@@ -159,7 +160,8 @@ def pull(key, project)
api("/internal/allowed"),
key_id: key.id,
project: project.path_with_namespace,
action: 'git-upload-pack'
action: 'git-upload-pack',
secret_token: secret_token
)
end
......@@ -169,7 +171,8 @@ def push(key, project)
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
key_id: key.id,
project: project.path_with_namespace,
action: 'git-receive-pack'
action: 'git-receive-pack',
secret_token: secret_token
)
end
......@@ -179,7 +182,8 @@ def archive(key, project)
ref: 'master',
key_id: key.id,
project: project.path_with_namespace,
action: 'git-upload-archive'
action: 'git-upload-archive',
secret_token: secret_token
)
end
end
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment