Class: Gitlab::Workhorse

Inherits:
Object
  • Object
show all
Includes:
JwtAuthenticatable
Defined in:
lib/gitlab/workhorse.rb

Constant Summary collapse

SEND_DATA_HEADER =
'Gitlab-Workhorse-Send-Data'
SEND_DEPENDENCY_CONTENT_TYPE_HEADER =
'Workhorse-Proxy-Content-Type'
VERSION_FILE =
'GITLAB_WORKHORSE_VERSION'
INTERNAL_API_CONTENT_TYPE =
'application/vnd.gitlab-workhorse+json'
INTERNAL_API_REQUEST_HEADER =
'Gitlab-Workhorse-Api-Request'
NOTIFICATION_PREFIX =
'workhorse:notifications:'
ALLOWED_GIT_HTTP_ACTIONS =
%w[git_receive_pack git_upload_pack info_refs].freeze
DETECT_HEADER =
'Gitlab-Workhorse-Detect-Content-Type'
ARCHIVE_FORMATS =
%w[zip tar.gz tar.bz2 tar].freeze

Constants included from JwtAuthenticatable

JwtAuthenticatable::SECRET_LENGTH

Class Method Summary collapse

Methods included from JwtAuthenticatable

included

Class Method Details

.channel_websocket(channel) ⇒ Object



257
258
259
260
261
262
263
264
265
266
267
268
269
# File 'lib/gitlab/workhorse.rb', line 257

def channel_websocket(channel)
  details = {
    'Channel' => {
      'Subprotocols' => channel[:subprotocols],
      'Url' => channel[:url],
      'Header' => channel[:headers],
      'MaxSessionTime' => channel[:max_session_time]
    }
  }
  details['Channel']['CAPem'] = channel[:ca_pem] if channel.key?(:ca_pem)

  details
end

.cleanup_key(key) ⇒ Object



288
289
290
# File 'lib/gitlab/workhorse.rb', line 288

def cleanup_key(key)
  with_redis { |redis| redis.del(key) }
end

.decode_jwt_with_issuer(encoded_message) ⇒ Object



280
281
282
# File 'lib/gitlab/workhorse.rb', line 280

def decode_jwt_with_issuer(encoded_message)
  decode_jwt(encoded_message, issuer: 'gitlab-workhorse')
end

.detect_content_typeObject



305
306
307
308
309
310
# File 'lib/gitlab/workhorse.rb', line 305

def detect_content_type
  [
    Gitlab::Workhorse::DETECT_HEADER,
    'true'
  ]
end

.git_http_ok(repository, repo_type, user, action, show_all_refs: false, need_audit: false) ⇒ Object



23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/gitlab/workhorse.rb', line 23

def git_http_ok(repository, repo_type, user, action, show_all_refs: false, need_audit: false)
  raise "Unsupported action: #{action}" unless ALLOWED_GIT_HTTP_ACTIONS.include?(action.to_s)

  attrs = {
    GL_ID: Gitlab::GlId.gl_id(user),
    GL_REPOSITORY: repo_type.identifier_for_container(repository.container),
    GL_USERNAME: user&.username,
    ShowAllRefs: show_all_refs,
    NeedAudit: need_audit,
    Repository: repository.gitaly_repository.to_h,
    GitConfigOptions: [],
    GitalyServer: {
      address: Gitlab::GitalyClient.address(repository.storage),
      token: Gitlab::GitalyClient.token(repository.storage),
      call_metadata: Feature::Gitaly.server_feature_flags(
        user: ::Feature::Gitaly.user_actor(user),
        repository: repository,
        project: ::Feature::Gitaly.project_actor(repository.container),
        group: ::Feature::Gitaly.group_actor(repository.container)
      )
    }
  }

  # Custom option for git-receive-pack command
  receive_max_input_size = Gitlab::CurrentSettings.receive_max_input_size.to_i
  if receive_max_input_size > 0
    attrs[:GitConfigOptions] << "receive.maxInputSize=#{receive_max_input_size.megabytes}"
  end

  attrs[:GitalyServer][:call_metadata].merge!(
    'user_id' => attrs[:GL_ID].presence,
    'username' => attrs[:GL_USERNAME].presence,
    'remote_ip' => Gitlab::ApplicationContext.current_context_attribute(:remote_ip).presence
  ).compact!

  attrs
end

.secret_pathObject



284
285
286
# File 'lib/gitlab/workhorse.rb', line 284

def secret_path
  Gitlab.config.workhorse.secret_file
end

.send_artifacts_entry(file, entry) ⇒ Object



146
147
148
149
150
151
152
153
154
155
156
157
158
# File 'lib/gitlab/workhorse.rb', line 146

def send_artifacts_entry(file, entry)
  archive = file.file_storage? ? file.path : file.url

  params = {
    'Archive' => archive,
    'Entry' => Base64.encode64(entry.to_s)
  }

  [
    SEND_DATA_HEADER,
    "artifacts-entry:#{encode(params)}"
  ]
end

.send_dependency(headers, url, allow_localhost: true, upload_config: {}, response_headers: {}, ssrf_filter: false, allowed_uris: []) ⇒ Object



227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
# File 'lib/gitlab/workhorse.rb', line 227

def send_dependency(
  headers,
  url,
  allow_localhost: true,
  upload_config: {},
  response_headers: {},
  ssrf_filter: false,
  allowed_uris: [])
  params = {
    'AllowLocalhost' => allow_localhost,
    'AllowedURIs' => allowed_uris,
    'Headers' => headers.transform_values { |v| Array.wrap(v) },
    'ResponseHeaders' => response_headers.transform_values { |v| Array.wrap(v) },
    'SSRFFilter' => ssrf_filter,
    'Url' => url,
    'UploadConfig' => {
      'Method' => upload_config[:method],
      'Url' => upload_config[:url],
      'Headers' => (upload_config[:headers] || {}).transform_values { |v| Array.wrap(v) },
      'AuthorizedUploadResponse' => upload_config[:authorized_upload_response] || {}
    }.compact_blank!
  }
  params.compact_blank!

  [
    SEND_DATA_HEADER,
    "send-dependency:#{encode(params)}"
  ]
end

.send_git_archive(repository, ref:, format:, append_sha:, path: nil) ⇒ Object



77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# File 'lib/gitlab/workhorse.rb', line 77

def send_git_archive(repository, ref:, format:, append_sha:, path: nil)
  format ||= 'tar.gz'
  format = format.downcase

   = repository.(
    ref,
    Gitlab.config.gitlab.repository_downloads_path,
    format,
    append_sha: append_sha,
    path: path
  )

  raise "Repository or ref not found" if .empty?

  params = send_git_archive_params(repository, , path, archive_format(format))

  # If present, DisableCache must be a Boolean. Otherwise
  # workhorse ignores it.
  params['DisableCache'] = true if git_archive_cache_disabled?
  params['GitalyServer'] = gitaly_server_hash(repository)

  [
    SEND_DATA_HEADER,
    "git-archive:#{encode(params)}"
  ]
end

.send_git_blob(repository, blob) ⇒ Object



61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/gitlab/workhorse.rb', line 61

def send_git_blob(repository, blob)
  params = {
    'GitalyServer' => gitaly_server_hash(repository),
    'GetBlobRequest' => {
      repository: repository.gitaly_repository.to_h,
      oid: blob.id,
      limit: -1
    }
  }

  [
    SEND_DATA_HEADER,
    "git-blob:#{encode(params)}"
  ]
end

.send_git_diff(repository, diff_refs) ⇒ Object



118
119
120
121
122
123
124
125
126
127
128
129
130
# File 'lib/gitlab/workhorse.rb', line 118

def send_git_diff(repository, diff_refs)
  params = {
    'GitalyServer' => gitaly_server_hash(repository),
    'RawDiffRequest' => Gitaly::RawDiffRequest.new(
      gitaly_diff_or_patch_hash(repository, diff_refs)
    ).to_json
  }

  [
    SEND_DATA_HEADER,
    "git-diff:#{encode(params)}"
  ]
end

.send_git_patch(repository, diff_refs) ⇒ Object



132
133
134
135
136
137
138
139
140
141
142
143
144
# File 'lib/gitlab/workhorse.rb', line 132

def send_git_patch(repository, diff_refs)
  params = {
    'GitalyServer' => gitaly_server_hash(repository),
    'RawPatchRequest' => Gitaly::RawPatchRequest.new(
      gitaly_diff_or_patch_hash(repository, diff_refs)
    ).to_json
  }

  [
    SEND_DATA_HEADER,
    "git-format-patch:#{encode(params)}"
  ]
end

.send_git_snapshot(repository) ⇒ Object



104
105
106
107
108
109
110
111
112
113
114
115
116
# File 'lib/gitlab/workhorse.rb', line 104

def send_git_snapshot(repository)
  params = {
    'GitalyServer' => gitaly_server_hash(repository),
    'GetSnapshotRequest' => Gitaly::GetSnapshotRequest.new(
      repository: repository.gitaly_repository
    ).to_json
  }

  [
    SEND_DATA_HEADER,
    "git-snapshot:#{encode(params)}"
  ]
end

.send_scaled_image(location, width, content_type) ⇒ Object

rubocop:enable Metrics/ParameterLists



214
215
216
217
218
219
220
221
222
223
224
225
# File 'lib/gitlab/workhorse.rb', line 214

def send_scaled_image(location, width, content_type)
  params = {
    'Location' => location,
    'Width' => width,
    'ContentType' => content_type
  }

  [
    SEND_DATA_HEADER,
    "send-scaled-img:#{encode(params)}"
  ]
end

.send_url(url, allow_localhost: true, allow_redirects: false, method: 'GET', body: nil, ssrf_filter: false, headers: {}, timeouts: {}, response_statuses: {}, response_headers: {}, allowed_uris: []) ⇒ Object

response_statuses can be set for ‘error’ and ‘timeout’. They are optional. Their values must be a symbol accepted by Rack::Utils::SYMBOL_TO_STATUS_CODE. Example: response_statuses : { error: :internal_server_error, timeout: :bad_request } timeouts can be given for the opening the connection and reading the response headers. Their values must be given in seconds. Example: timeouts: { open: 5, read: 5 } rubocop:disable Metrics/ParameterLists – all arguments needed



167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
# File 'lib/gitlab/workhorse.rb', line 167

def send_url(
  url,
  allow_localhost: true,
  allow_redirects: false,
  method: 'GET',
  body: nil,
  ssrf_filter: false,
  headers: {},
  timeouts: {},
  response_statuses: {},
  response_headers: {},
  allowed_uris: []
)
  params = {
    'URL' => url,
    'AllowRedirects' => allow_redirects,
    'AllowLocalhost' => allow_localhost,
    'AllowedURIs' => allowed_uris,
    'SSRFFilter' => ssrf_filter,
    'Body' => body.to_s,
    'Header' => headers.transform_values { |v| Array.wrap(v) },
    'ResponseHeaders' => response_headers.transform_values { |v| Array.wrap(v) },
    'Method' => method
  }.compact

  if timeouts.present?
    params['DialTimeout'] = "#{timeouts[:open]}s" if timeouts[:open]
    params['ResponseHeaderTimeout'] = "#{timeouts[:read]}s" if timeouts[:read]
  end

  if response_statuses.present?
    if response_statuses[:error]
      params['ErrorResponseStatus'] = Rack::Utils::SYMBOL_TO_STATUS_CODE[response_statuses[:error]]
    end

    if response_statuses[:timeout]
      params['TimeoutResponseStatus'] = Rack::Utils::SYMBOL_TO_STATUS_CODE[response_statuses[:timeout]]
    end
  end

  [
    SEND_DATA_HEADER,
    "send-url:#{encode(params.compact)}"
  ]
end

.set_key_and_notify(key, value, expire: nil, overwrite: true) ⇒ Object



292
293
294
295
296
297
298
299
300
301
302
303
# File 'lib/gitlab/workhorse.rb', line 292

def set_key_and_notify(key, value, expire: nil, overwrite: true)
  with_redis do |redis|
    result = redis.set(key, value, ex: expire, nx: !overwrite)
    if result
      redis.publish(NOTIFICATION_PREFIX + key, value)

      value
    else
      redis.get(key)
    end
  end
end

.verify_api_request!(request_headers) ⇒ Object



276
277
278
# File 'lib/gitlab/workhorse.rb', line 276

def verify_api_request!(request_headers)
  decode_jwt_with_issuer(request_headers[INTERNAL_API_REQUEST_HEADER])
end

.versionObject



271
272
273
274
# File 'lib/gitlab/workhorse.rb', line 271

def version
  path = Rails.root.join(VERSION_FILE)
  path.readable? ? path.read.chomp : 'unknown'
end