Class: Gitlab::GitAccess

Inherits:

Object

• Object
• Gitlab::GitAccess

Defined in:

lib/gitlab/git_access.rb

Direct Known Subclasses

GitAccessWiki

Constant Summary

DOWNLOAD_COMMANDS =

%w{ git-upload-pack git-upload-archive }

PUSH_COMMANDS =

%w{ git-receive-pack }

Instance Attribute Summary

• #actor ⇒ Object readonly

  Returns the value of attribute actor.

• #project ⇒ Object readonly

  Returns the value of attribute project.

Instance Method Summary

• #can_push_to_branch?(ref) ⇒ Boolean
• #can_read_project? ⇒ Boolean
• #can_user_do_action?(action) ⇒ Boolean
• #change_access_check(change) ⇒ Object
• #check(cmd, changes = nil) ⇒ Object
• #deploy_key ⇒ Object
• #download_access_check ⇒ Object
• #forced_push?(oldrev, newrev) ⇒ Boolean
• #initialize(actor, project) ⇒ GitAccess constructor

  A new instance of GitAccess.

• #push_access_check(changes) ⇒ Object
• #user ⇒ Object
• #user_download_access_check ⇒ Object
• #user_push_access_check(changes) ⇒ Object

Constructor Details

#initialize(actor, project) ⇒ GitAccess

Returns a new instance of GitAccess

# File 'lib/gitlab/git_access.rb', line 8

def initialize(actor, project)
  @actor    = actor
  @project  = project
end

Instance Attribute Details

#actor ⇒ Object (readonly)

Returns the value of attribute actor

# File 'lib/gitlab/git_access.rb', line 6

def actor
  @actor
end

#project ⇒ Object (readonly)

Returns the value of attribute project

# File 'lib/gitlab/git_access.rb', line 6

def project
  @project
end

Instance Method Details

#can_push_to_branch?(ref) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/git_access.rb', line 31

def can_push_to_branch?(ref)
  return false unless user

  if project.protected_branch?(ref) && !project.developers_can_push_to_protected_branch?(ref)
    user.can?(:push_code_to_protected_branches, project)
  else
    user.can?(:push_code, project)
  end
end

#can_read_project? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/git_access.rb', line 41

def can_read_project?
  if user
    user.can?(:read_project, project)
  elsif deploy_key
    deploy_key.projects.include?(project)
  else
    false
  end
end

#can_user_do_action?(action) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/git_access.rb', line 125

def can_user_do_action?(action)
  @permission_cache ||= {}
  @permission_cache[action] ||= user.can?(action, project)
end

#change_access_check(change) ⇒ Object

# File 'lib/gitlab/git_access.rb', line 130

def change_access_check(change)
  oldrev, newrev, ref = change.split(' ')

  action =
    if project.protected_branch?(branch_name(ref))
      protected_branch_action(oldrev, newrev, branch_name(ref))
    elsif (tag_ref = tag_name(ref)) && protected_tag?(tag_ref)
      # Prevent any changes to existing git tag unless user has permissions
      :admin_project
    else
      :push_code
    end

  unless can_user_do_action?(action)
    status =
      case action
      when :force_push_code_to_protected_branches
        build_status_object(false, "You are not allowed to force push code to a protected branch on this project.")
      when :remove_protected_branches
        build_status_object(false, "You are not allowed to deleted protected branches from this project.")
      when :push_code_to_protected_branches
        build_status_object(false, "You are not allowed to push code to protected branches on this project.")
      when :admin_project
        build_status_object(false, "You are not allowed to change existing tags on this project.")
      else # :push_code
        build_status_object(false, "You are not allowed to push code to this project.")
      end
    return status
  end

  build_status_object(true)
end

#check(cmd, changes = nil) ⇒ Object

# File 'lib/gitlab/git_access.rb', line 51

def check(cmd, changes = nil)
  unless actor
    return build_status_object(false, "No user or key was provided.")
  end

  if user && !user_allowed?
    return build_status_object(false, "Your account has been blocked.")
  end

  unless project && can_read_project?
    return build_status_object(false, 'The project you were looking for could not be found.')
  end

  case cmd
  when *DOWNLOAD_COMMANDS
    download_access_check
  when *PUSH_COMMANDS
    push_access_check(changes)
  else
    build_status_object(false, "The command you're trying to execute is not allowed.")
  end
end

#deploy_key ⇒ Object

# File 'lib/gitlab/git_access.rb', line 27

def deploy_key
  actor if actor.is_a?(DeployKey)
end

#download_access_check ⇒ Object

# File 'lib/gitlab/git_access.rb', line 74

def download_access_check
  if user
    user_download_access_check
  elsif deploy_key
    build_status_object(true)
  else
    raise 'Wrong actor'
  end
end

#forced_push?(oldrev, newrev) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/git_access.rb', line 163

def forced_push?(oldrev, newrev)
  Gitlab::ForcePushCheck.force_push?(project, oldrev, newrev)
end

#push_access_check(changes) ⇒ Object

# File 'lib/gitlab/git_access.rb', line 84

def push_access_check(changes)
  if user
    user_push_access_check(changes)
  elsif deploy_key
    build_status_object(false, "Deploy keys are not allowed to push code.")
  else
    raise 'Wrong actor'
  end
end

#user ⇒ Object

# File 'lib/gitlab/git_access.rb', line 13

def user
  return @user if defined?(@user)

  @user =
    case actor
    when User
      actor
    when DeployKey
      nil
    when Key
      actor.user
    end
end

#user_download_access_check ⇒ Object

# File 'lib/gitlab/git_access.rb', line 94

def user_download_access_check
  unless user.can?(:download_code, project)
    return build_status_object(false, "You are not allowed to download code from this project.")
  end

  build_status_object(true)
end

#user_push_access_check(changes) ⇒ Object

# File 'lib/gitlab/git_access.rb', line 102

def user_push_access_check(changes)
  if changes.blank?
    return build_status_object(true)
  end

  unless project.repository.exists?
    return build_status_object(false, "A repository for this project does not exist yet.")
  end

  changes = changes.lines if changes.kind_of?(String)

  # Iterate over all changes to find if user allowed all of them to be applied
  changes.map(&:strip).reject(&:blank?).each do |change|
    status = change_access_check(change)
    unless status.allowed?
      # If user does not have access to make at least one change - cancel all push
      return status
    end
  end

  build_status_object(true)
end