Class: Gitlab::Workhorse
- Inherits:
-
Object
- Object
- Gitlab::Workhorse
- Includes:
- JwtAuthenticatable
- Defined in:
- lib/gitlab/workhorse.rb
Constant Summary collapse
- SEND_DATA_HEADER =
'Gitlab-Workhorse-Send-Data'
- SEND_DEPENDENCY_CONTENT_TYPE_HEADER =
'Workhorse-Proxy-Content-Type'
- VERSION_FILE =
'GITLAB_WORKHORSE_VERSION'
- INTERNAL_API_CONTENT_TYPE =
'application/vnd.gitlab-workhorse+json'
- INTERNAL_API_REQUEST_HEADER =
'Gitlab-Workhorse-Api-Request'
- NOTIFICATION_PREFIX =
'workhorse:notifications:'
- ALLOWED_GIT_HTTP_ACTIONS =
%w[git_receive_pack git_upload_pack info_refs].freeze
- DETECT_HEADER =
'Gitlab-Workhorse-Detect-Content-Type'
- ARCHIVE_FORMATS =
%w[zip tar.gz tar.bz2 tar].freeze
Constants included from JwtAuthenticatable
JwtAuthenticatable::SECRET_LENGTH
Class Method Summary collapse
- .channel_websocket(channel) ⇒ Object
- .cleanup_key(key) ⇒ Object
- .decode_jwt_with_issuer(encoded_message) ⇒ Object
- .detect_content_type ⇒ Object
- .git_http_ok(repository, repo_type, user, action, show_all_refs: false, need_audit: false) ⇒ Object
- .secret_path ⇒ Object
- .send_artifacts_entry(file, entry) ⇒ Object
- .send_dependency(headers, url, allow_localhost: true, upload_config: {}, response_headers: {}, ssrf_filter: false, allowed_uris: []) ⇒ Object
- .send_git_archive(repository, ref:, format:, append_sha:, path: nil) ⇒ Object
- .send_git_blob(repository, blob) ⇒ Object
- .send_git_diff(repository, diff_refs) ⇒ Object
- .send_git_patch(repository, diff_refs) ⇒ Object
- .send_git_snapshot(repository) ⇒ Object
-
.send_scaled_image(location, width, content_type) ⇒ Object
rubocop:enable Metrics/ParameterLists.
-
.send_url(url, allow_localhost: true, allow_redirects: false, method: 'GET', body: nil, ssrf_filter: false, headers: {}, timeouts: {}, response_statuses: {}, response_headers: {}, allowed_uris: []) ⇒ Object
response_statuses can be set for ‘error’ and ‘timeout’.
- .set_key_and_notify(key, value, expire: nil, overwrite: true) ⇒ Object
- .verify_api_request!(request_headers) ⇒ Object
- .version ⇒ Object
Methods included from JwtAuthenticatable
Class Method Details
.channel_websocket(channel) ⇒ Object
257 258 259 260 261 262 263 264 265 266 267 268 269 |
# File 'lib/gitlab/workhorse.rb', line 257 def channel_websocket(channel) details = { 'Channel' => { 'Subprotocols' => channel[:subprotocols], 'Url' => channel[:url], 'Header' => channel[:headers], 'MaxSessionTime' => channel[:max_session_time] } } details['Channel']['CAPem'] = channel[:ca_pem] if channel.key?(:ca_pem) details end |
.cleanup_key(key) ⇒ Object
288 289 290 |
# File 'lib/gitlab/workhorse.rb', line 288 def cleanup_key(key) with_redis { |redis| redis.del(key) } end |
.decode_jwt_with_issuer(encoded_message) ⇒ Object
280 281 282 |
# File 'lib/gitlab/workhorse.rb', line 280 def decode_jwt_with_issuer() decode_jwt(, issuer: 'gitlab-workhorse') end |
.detect_content_type ⇒ Object
305 306 307 308 309 310 |
# File 'lib/gitlab/workhorse.rb', line 305 def detect_content_type [ Gitlab::Workhorse::DETECT_HEADER, 'true' ] end |
.git_http_ok(repository, repo_type, user, action, show_all_refs: false, need_audit: false) ⇒ Object
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# File 'lib/gitlab/workhorse.rb', line 23 def git_http_ok(repository, repo_type, user, action, show_all_refs: false, need_audit: false) raise "Unsupported action: #{action}" unless ALLOWED_GIT_HTTP_ACTIONS.include?(action.to_s) attrs = { GL_ID: Gitlab::GlId.gl_id(user), GL_REPOSITORY: repo_type.identifier_for_container(repository.container), GL_USERNAME: user&.username, ShowAllRefs: show_all_refs, NeedAudit: need_audit, Repository: repository.gitaly_repository.to_h, GitConfigOptions: [], GitalyServer: { address: Gitlab::GitalyClient.address(repository.storage), token: Gitlab::GitalyClient.token(repository.storage), call_metadata: Feature::Gitaly.server_feature_flags( user: ::Feature::Gitaly.user_actor(user), repository: repository, project: ::Feature::Gitaly.project_actor(repository.container), group: ::Feature::Gitaly.group_actor(repository.container) ) } } # Custom option for git-receive-pack command receive_max_input_size = Gitlab::CurrentSettings.receive_max_input_size.to_i if receive_max_input_size > 0 attrs[:GitConfigOptions] << "receive.maxInputSize=#{receive_max_input_size.megabytes}" end attrs[:GitalyServer][:call_metadata].merge!( 'user_id' => attrs[:GL_ID].presence, 'username' => attrs[:GL_USERNAME].presence, 'remote_ip' => Gitlab::ApplicationContext.current_context_attribute(:remote_ip).presence ).compact! attrs end |
.secret_path ⇒ Object
284 285 286 |
# File 'lib/gitlab/workhorse.rb', line 284 def secret_path Gitlab.config.workhorse.secret_file end |
.send_artifacts_entry(file, entry) ⇒ Object
146 147 148 149 150 151 152 153 154 155 156 157 158 |
# File 'lib/gitlab/workhorse.rb', line 146 def send_artifacts_entry(file, entry) archive = file.file_storage? ? file.path : file.url params = { 'Archive' => archive, 'Entry' => Base64.encode64(entry.to_s) } [ SEND_DATA_HEADER, "artifacts-entry:#{encode(params)}" ] end |
.send_dependency(headers, url, allow_localhost: true, upload_config: {}, response_headers: {}, ssrf_filter: false, allowed_uris: []) ⇒ Object
227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 |
# File 'lib/gitlab/workhorse.rb', line 227 def send_dependency( headers, url, allow_localhost: true, upload_config: {}, response_headers: {}, ssrf_filter: false, allowed_uris: []) params = { 'AllowLocalhost' => allow_localhost, 'AllowedURIs' => allowed_uris, 'Headers' => headers.transform_values { |v| Array.wrap(v) }, 'ResponseHeaders' => response_headers.transform_values { |v| Array.wrap(v) }, 'SSRFFilter' => ssrf_filter, 'Url' => url, 'UploadConfig' => { 'Method' => upload_config[:method], 'Url' => upload_config[:url], 'Headers' => (upload_config[:headers] || {}).transform_values { |v| Array.wrap(v) }, 'AuthorizedUploadResponse' => upload_config[:authorized_upload_response] || {} }.compact_blank! } params.compact_blank! [ SEND_DATA_HEADER, "send-dependency:#{encode(params)}" ] end |
.send_git_archive(repository, ref:, format:, append_sha:, path: nil) ⇒ Object
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# File 'lib/gitlab/workhorse.rb', line 77 def send_git_archive(repository, ref:, format:, append_sha:, path: nil) format ||= 'tar.gz' format = format.downcase = repository.( ref, Gitlab.config.gitlab.repository_downloads_path, format, append_sha: append_sha, path: path ) raise "Repository or ref not found" if .empty? params = send_git_archive_params(repository, , path, archive_format(format)) # If present, DisableCache must be a Boolean. Otherwise # workhorse ignores it. params['DisableCache'] = true if git_archive_cache_disabled? params['GitalyServer'] = gitaly_server_hash(repository) [ SEND_DATA_HEADER, "git-archive:#{encode(params)}" ] end |
.send_git_blob(repository, blob) ⇒ Object
61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
# File 'lib/gitlab/workhorse.rb', line 61 def send_git_blob(repository, blob) params = { 'GitalyServer' => gitaly_server_hash(repository), 'GetBlobRequest' => { repository: repository.gitaly_repository.to_h, oid: blob.id, limit: -1 } } [ SEND_DATA_HEADER, "git-blob:#{encode(params)}" ] end |
.send_git_diff(repository, diff_refs) ⇒ Object
118 119 120 121 122 123 124 125 126 127 128 129 130 |
# File 'lib/gitlab/workhorse.rb', line 118 def send_git_diff(repository, diff_refs) params = { 'GitalyServer' => gitaly_server_hash(repository), 'RawDiffRequest' => Gitaly::RawDiffRequest.new( gitaly_diff_or_patch_hash(repository, diff_refs) ).to_json } [ SEND_DATA_HEADER, "git-diff:#{encode(params)}" ] end |
.send_git_patch(repository, diff_refs) ⇒ Object
132 133 134 135 136 137 138 139 140 141 142 143 144 |
# File 'lib/gitlab/workhorse.rb', line 132 def send_git_patch(repository, diff_refs) params = { 'GitalyServer' => gitaly_server_hash(repository), 'RawPatchRequest' => Gitaly::RawPatchRequest.new( gitaly_diff_or_patch_hash(repository, diff_refs) ).to_json } [ SEND_DATA_HEADER, "git-format-patch:#{encode(params)}" ] end |
.send_git_snapshot(repository) ⇒ Object
104 105 106 107 108 109 110 111 112 113 114 115 116 |
# File 'lib/gitlab/workhorse.rb', line 104 def send_git_snapshot(repository) params = { 'GitalyServer' => gitaly_server_hash(repository), 'GetSnapshotRequest' => Gitaly::GetSnapshotRequest.new( repository: repository.gitaly_repository ).to_json } [ SEND_DATA_HEADER, "git-snapshot:#{encode(params)}" ] end |
.send_scaled_image(location, width, content_type) ⇒ Object
rubocop:enable Metrics/ParameterLists
214 215 216 217 218 219 220 221 222 223 224 225 |
# File 'lib/gitlab/workhorse.rb', line 214 def send_scaled_image(location, width, content_type) params = { 'Location' => location, 'Width' => width, 'ContentType' => content_type } [ SEND_DATA_HEADER, "send-scaled-img:#{encode(params)}" ] end |
.send_url(url, allow_localhost: true, allow_redirects: false, method: 'GET', body: nil, ssrf_filter: false, headers: {}, timeouts: {}, response_statuses: {}, response_headers: {}, allowed_uris: []) ⇒ Object
response_statuses can be set for ‘error’ and ‘timeout’. They are optional. Their values must be a symbol accepted by Rack::Utils::SYMBOL_TO_STATUS_CODE. Example: response_statuses : { error: :internal_server_error, timeout: :bad_request } timeouts can be given for the opening the connection and reading the response headers. Their values must be given in seconds. Example: timeouts: { open: 5, read: 5 } rubocop:disable Metrics/ParameterLists – all arguments needed
167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 |
# File 'lib/gitlab/workhorse.rb', line 167 def send_url( url, allow_localhost: true, allow_redirects: false, method: 'GET', body: nil, ssrf_filter: false, headers: {}, timeouts: {}, response_statuses: {}, response_headers: {}, allowed_uris: [] ) params = { 'URL' => url, 'AllowRedirects' => allow_redirects, 'AllowLocalhost' => allow_localhost, 'AllowedURIs' => allowed_uris, 'SSRFFilter' => ssrf_filter, 'Body' => body.to_s, 'Header' => headers.transform_values { |v| Array.wrap(v) }, 'ResponseHeaders' => response_headers.transform_values { |v| Array.wrap(v) }, 'Method' => method }.compact if timeouts.present? params['DialTimeout'] = "#{timeouts[:open]}s" if timeouts[:open] params['ResponseHeaderTimeout'] = "#{timeouts[:read]}s" if timeouts[:read] end if response_statuses.present? if response_statuses[:error] params['ErrorResponseStatus'] = Rack::Utils::SYMBOL_TO_STATUS_CODE[response_statuses[:error]] end if response_statuses[:timeout] params['TimeoutResponseStatus'] = Rack::Utils::SYMBOL_TO_STATUS_CODE[response_statuses[:timeout]] end end [ SEND_DATA_HEADER, "send-url:#{encode(params.compact)}" ] end |
.set_key_and_notify(key, value, expire: nil, overwrite: true) ⇒ Object
292 293 294 295 296 297 298 299 300 301 302 303 |
# File 'lib/gitlab/workhorse.rb', line 292 def set_key_and_notify(key, value, expire: nil, overwrite: true) with_redis do |redis| result = redis.set(key, value, ex: expire, nx: !overwrite) if result redis.publish(NOTIFICATION_PREFIX + key, value) value else redis.get(key) end end end |
.verify_api_request!(request_headers) ⇒ Object
276 277 278 |
# File 'lib/gitlab/workhorse.rb', line 276 def verify_api_request!(request_headers) decode_jwt_with_issuer(request_headers[INTERNAL_API_REQUEST_HEADER]) end |
.version ⇒ Object
271 272 273 274 |
# File 'lib/gitlab/workhorse.rb', line 271 def version path = Rails.root.join(VERSION_FILE) path.readable? ? path.read.chomp : 'unknown' end |