git_access.rb 11.5 KB
Newer Older
1 2
# frozen_string_literal: true

3 4
# Check a user's access to perform a git action. All public methods in this
# class return an instance of `GitlabAccessStatus`
5 6
module Gitlab
  class GitAccess
7 8
    include Gitlab::Utils::StrongMemoize

9
    UnauthorizedError = Class.new(StandardError)
10
    NotFoundError = Class.new(StandardError)
11
    ProjectCreationError = Class.new(StandardError)
12
    TimeoutError = Class.new(StandardError)
13
    ProjectMovedError = Class.new(NotFoundError)
14

15 16 17 18
    # Use the magic string '_any' to indicate we do not know what the
    # changes are. This is also what gitlab-shell does.
    ANY = '_any'

19 20 21
    ERROR_MESSAGES = {
      upload: 'You are not allowed to upload code for this project.',
      download: 'You are not allowed to download code from this project.',
22 23 24
      auth_upload: 'You are not allowed to upload code.',
      auth_download: 'You are not allowed to download code.',
      deploy_key_upload: 'This deploy key does not have write access to this project.',
Michael Kozono's avatar
Michael Kozono committed
25 26
      no_repo: 'A repository for this project does not exist yet.',
      project_not_found: 'The project you were looking for could not be found.',
27
      command_not_allowed: "The command you're trying to execute is not allowed.",
Michael Kozono's avatar
Michael Kozono committed
28
      upload_pack_disabled_over_http: 'Pulling over HTTP is not allowed.',
29
      receive_pack_disabled_over_http: 'Pushing over HTTP is not allowed.',
30
      read_only: 'The repository is temporarily read-only. Please try again later.',
31 32
      cannot_push_to_read_only: "You can't push code to a read-only GitLab instance.",
      push_code: 'You are not allowed to push code to this project.'
33
    }.freeze
34

35
    INTERNAL_TIMEOUT = 50.seconds.freeze
36 37 38 39 40 41
    LOG_HEADER = <<~MESSAGE
      Push operation timed out

      Timing information for debugging purposes:
    MESSAGE

42 43
    DOWNLOAD_COMMANDS = %w{git-upload-pack git-upload-archive}.freeze
    PUSH_COMMANDS = %w{git-receive-pack}.freeze
44
    ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
45

46
    attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path, :auth_result_type, :changes, :logger
47

48
    def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil, auth_result_type: nil)
49 50
      @actor    = actor
      @project  = project
51
      @protocol = protocol
52
      @authentication_abilities = authentication_abilities
53 54 55
      @namespace_path = namespace_path
      @project_path = project_path
      @redirected_path = redirected_path
56
      @auth_result_type = auth_result_type
57 58
    end

59
    def check(cmd, changes)
60
      @logger = Checks::TimedLogger.new(timeout: INTERNAL_TIMEOUT, header: LOG_HEADER)
61 62
      @changes = changes

63
      check_protocol!
Nick Thomas's avatar
Nick Thomas committed
64
      check_valid_actor!
65
      check_active_user!
66
      check_authentication_abilities!(cmd)
67
      check_command_disabled!(cmd)
68
      check_command_existence!(cmd)
69

Ash McKenzie's avatar
Ash McKenzie committed
70
      custom_action = check_custom_action(cmd)
71 72
      return custom_action if custom_action

73 74 75 76 77
      check_db_accessibility!(cmd)

      ensure_project_on_push!(cmd, changes)

      check_project_accessibility!
78
      add_project_moved_message!
79
      check_repository_existence!
80

81 82
      case cmd
      when *DOWNLOAD_COMMANDS
83
        check_download_access!
84
      when *PUSH_COMMANDS
85
        check_push_access!
86
      end
87

88
      success_result(cmd)
89 90
    end

91
    def guest_can_download_code?
92 93 94
      Guest.can?(:download_code, project)
    end

95
    def user_can_download_code?
96
      authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)
97 98
    end

99
    def build_can_download_code?
100
      authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
101 102
    end

103 104 105 106 107 108
    def request_from_ci_build?
      return false unless protocol == 'http'

      auth_result_type == :build || auth_result_type == :ci
    end

109 110 111 112
    def protocol_allowed?
      Gitlab::ProtocolAccess.allowed?(protocol)
    end

113 114
    private

Ash McKenzie's avatar
Ash McKenzie committed
115 116
    def check_custom_action(cmd)
      nil
117 118
    end

119 120 121 122
    def check_for_console_messages(cmd)
      []
    end

123 124 125 126 127 128 129 130
    def check_valid_actor!
      return unless actor.is_a?(Key)

      unless actor.valid?
        raise UnauthorizedError, "Your SSH key #{actor.errors[:key].first}."
      end
    end

131
    def check_protocol!
132 133
      return if request_from_ci_build?

134 135 136 137 138 139
      unless protocol_allowed?
        raise UnauthorizedError, "Git access over #{protocol.upcase} is not allowed"
      end
    end

    def check_active_user!
140 141 142
      return unless user

      unless user_access.allowed?
143 144
        message = Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
        raise UnauthorizedError, message
145 146 147
      end
    end

148 149 150 151 152 153 154 155 156 157 158 159 160
    def check_authentication_abilities!(cmd)
      case cmd
      when *DOWNLOAD_COMMANDS
        unless authentication_abilities.include?(:download_code) || authentication_abilities.include?(:build_download_code)
          raise UnauthorizedError, ERROR_MESSAGES[:auth_download]
        end
      when *PUSH_COMMANDS
        unless authentication_abilities.include?(:push_code)
          raise UnauthorizedError, ERROR_MESSAGES[:auth_upload]
        end
      end
    end

161 162
    def check_project_accessibility!
      if project.blank? || !can_read_project?
163
        raise NotFoundError, ERROR_MESSAGES[:project_not_found]
164 165 166
      end
    end

167
    def add_project_moved_message!
168
      return if redirected_path.nil?
169

170
      project_moved = Checks::ProjectMoved.new(project, user, protocol, redirected_path)
171

172
      project_moved.add_message
173 174
    end

175
    def check_command_disabled!(cmd)
Michael Kozono's avatar
Michael Kozono committed
176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191
      if upload_pack?(cmd)
        check_upload_pack_disabled!
      elsif receive_pack?(cmd)
        check_receive_pack_disabled!
      end
    end

    def check_upload_pack_disabled!
      if http? && upload_pack_disabled_over_http?
        raise UnauthorizedError, ERROR_MESSAGES[:upload_pack_disabled_over_http]
      end
    end

    def check_receive_pack_disabled!
      if http? && receive_pack_disabled_over_http?
        raise UnauthorizedError, ERROR_MESSAGES[:receive_pack_disabled_over_http]
192 193 194
      end
    end

195 196
    def check_command_existence!(cmd)
      unless ALL_COMMANDS.include?(cmd)
Michael Kozono's avatar
Michael Kozono committed
197
        raise UnauthorizedError, ERROR_MESSAGES[:command_not_allowed]
198 199 200
      end
    end

201 202 203 204 205 206 207 208 209 210
    def check_db_accessibility!(cmd)
      return unless receive_pack?(cmd)

      if Gitlab::Database.read_only?
        raise UnauthorizedError, push_to_read_only_message
      end
    end

    def ensure_project_on_push!(cmd, changes)
      return if project || deploy_key?
211
      return unless receive_pack?(cmd) && changes == ANY && authentication_abilities.include?(:push_code)
212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235

      namespace = Namespace.find_by_full_path(namespace_path)

      return unless user&.can?(:create_projects, namespace)

      project_params = {
        path: project_path,
        namespace_id: namespace.id,
        visibility_level: Gitlab::VisibilityLevel::PRIVATE
      }

      project = Projects::CreateService.new(user, project_params).execute

      unless project.saved?
        raise ProjectCreationError, "Could not create project: #{project.errors.full_messages.join(', ')}"
      end

      @project = project
      user_access.project = @project

      Checks::ProjectCreated.new(project, user, protocol).add_message
    end

    def check_repository_existence!
236
      unless repository.exists?
237
        raise NotFoundError, ERROR_MESSAGES[:no_repo]
238 239 240
      end
    end

241
    def check_download_access!
242
      passed = deploy_key? ||
243
        deploy_token? ||
244
        user_can_download_code? ||
245 246
        build_can_download_code? ||
        guest_can_download_code?
247 248 249 250 251 252

      unless passed
        raise UnauthorizedError, ERROR_MESSAGES[:download]
      end
    end

253
    def check_push_access!
254
      if project.repository_read_only?
255 256 257
        raise UnauthorizedError, ERROR_MESSAGES[:read_only]
      end

258
      if deploy_key?
259 260 261
        unless deploy_key.can_push_to?(project)
          raise UnauthorizedError, ERROR_MESSAGES[:deploy_key_upload]
        end
262
      elsif user
263
        # User access is verified in check_change_access!
264 265 266 267
      else
        raise UnauthorizedError, ERROR_MESSAGES[:upload]
      end

268
      check_change_access!
269 270
    end

271
    def check_change_access!
272 273 274
      # Deploy keys with write access can push anything
      return if deploy_key?

275 276 277
      if changes == ANY
        can_push = user_access.can_do_action?(:push_code) ||
          project.any_branch_allows_collaboration?(user_access.user)
278

279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295
        unless can_push
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_code]
        end
      else
        # If there are worktrees with a HEAD pointing to a non-existent object,
        # calls to `git rev-list --all` will fail in git 2.15+. This should also
        # clear stale lock files.
        project.repository.clean_stale_repository_files

        # Iterate over all changes to find if user allowed all of them to be applied
        changes_list.each.with_index do |change, index|
          first_change = index == 0

          # If user does not have access to make at least one change, cancel all
          # push by allowing the exception to bubble up
          check_single_change_access(change, skip_lfs_integrity_check: !first_change)
        end
296 297 298
      end
    end

299
    def check_single_change_access(change, skip_lfs_integrity_check: false)
300
      change_access = Checks::ChangeAccess.new(
301 302 303
        change,
        user_access: user_access,
        project: project,
304
        skip_lfs_integrity_check: skip_lfs_integrity_check,
305 306 307 308 309 310
        protocol: protocol,
        logger: logger
      )

      change_access.exec
    rescue Checks::TimedLogger::TimeoutError
311
      raise TimeoutError, logger.full_message
312 313
    end

314
    def deploy_key
315 316 317 318 319
      actor if deploy_key?
    end

    def deploy_key?
      actor.is_a?(DeployKey)
320
    end
321

322 323 324 325 326 327 328 329
    def deploy_token
      actor if deploy_token?
    end

    def deploy_token?
      actor.is_a?(DeployToken)
    end

330 331 332 333
    def ci?
      actor == :ci
    end

334
    def can_read_project?
335
      if deploy_key?
336
        deploy_key.has_access_to?(project)
337 338
      elsif deploy_token?
        deploy_token.has_access_to?(project)
339
      elsif user
340
        user.can?(:read_project, project)
341 342
      elsif ci?
        true # allow CI (build without a user) for backwards compatibility
343
      end || Guest.can?(:read_project, project)
344 345
    end

346 347 348 349 350 351 352 353 354 355 356 357
    def http?
      protocol == 'http'
    end

    def upload_pack?(command)
      command == 'git-upload-pack'
    end

    def receive_pack?(command)
      command == 'git-receive-pack'
    end

Michael Kozono's avatar
Michael Kozono committed
358 359 360 361 362 363 364 365
    def upload_pack_disabled_over_http?
      !Gitlab.config.gitlab_shell.upload_pack
    end

    def receive_pack_disabled_over_http?
      !Gitlab.config.gitlab_shell.receive_pack
    end

366 367
    protected

368 369 370 371
    def success_result(cmd)
      ::Gitlab::GitAccessResult::Success.new(console_messages: check_for_console_messages(cmd))
    end

372
    def changes_list
373
      @changes_list ||= Gitlab::ChangesList.new(changes == ANY ? [] : changes)
374 375
    end

376 377 378 379 380 381 382
    def user
      return @user if defined?(@user)

      @user =
        case actor
        when User
          actor
383 384
        when DeployKey
          nil
385
        when Key
386
          actor.user
387 388
        when :ci
          nil
389 390
        end
    end
391 392 393 394

    def user_access
      @user_access ||= if ci?
                         CiAccess.new
395 396
                       elsif user && request_from_ci_build?
                         BuildAccess.new(user, project: project)
397 398 399 400
                       else
                         UserAccess.new(user, project: project)
                       end
    end
401 402 403 404

    def push_to_read_only_message
      ERROR_MESSAGES[:cannot_push_to_read_only]
    end
405 406 407 408

    def repository
      project.repository
    end
409 410
  end
end