diff options
| -rwxr-xr-x | bin/gitlab-shell | 7 | ||||
| -rwxr-xr-x | hooks/pre-receive | 3 | ||||
| -rw-r--r-- | lib/gitlab_access.rb | 21 | ||||
| -rw-r--r-- | lib/gitlab_shell.rb | 48 | ||||
| -rw-r--r-- | spec/gitlab_shell_spec.rb | 2 |
5 files changed, 49 insertions, 32 deletions
diff --git a/bin/gitlab-shell b/bin/gitlab-shell index 4b3dc16..8154029 100755 --- a/bin/gitlab-shell +++ b/bin/gitlab-shell @@ -13,6 +13,9 @@ require_relative '../lib/gitlab_init' # # require File.join(ROOT_PATH, 'lib', 'gitlab_shell') -GitlabShell.new.exec -exit +if GitlabShell.new.exec + exit 0 +else + exit 1 +end diff --git a/hooks/pre-receive b/hooks/pre-receive index 7f9c0c0..7e23974 100755 --- a/hooks/pre-receive +++ b/hooks/pre-receive @@ -14,5 +14,8 @@ if GitlabAccess.new(repo_path, key_id, refs).exec && GitlabCustomHook.new.pre_receive(refs, repo_path) exit 0 else + # reset GL_ID env since we stop git push here + ENV['GL_ID'] = nil + exit 1 end diff --git a/lib/gitlab_access.rb b/lib/gitlab_access.rb index 22343fd..5816969 100644 --- a/lib/gitlab_access.rb +++ b/lib/gitlab_access.rb @@ -5,6 +5,8 @@ require_relative 'names_helper' require 'json' class GitlabAccess + class AccessDeniedError < StandardError; end + include NamesHelper attr_reader :config, :repo_path, :repo_name, :changes @@ -18,19 +20,16 @@ class GitlabAccess end def exec - begin - status = api.check_access('git-receive-pack', @repo_name, @actor, @changes) - - return true if status.allowed? + status = api.check_access('git-receive-pack', @repo_name, @actor, @changes) - message = status.message - rescue GitlabNet::ApiUnreachableError - message = "Failed to authorize your Git request: internal API unreachable" - end + raise AccessDeniedError, status.message unless status.allowed? - # reset GL_ID env since we stop git push here - ENV['GL_ID'] = nil - puts "GitLab: #{message}" + true + rescue GitlabNet::ApiUnreachableError + $stderr.puts "GitLab: Failed to authorize your Git request: internal API unreachable" + false + rescue AccessDeniedError => ex + $stderr.puts "GitLab: #{ex.message}" false end diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb index 806e016..d075048 100644 --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb @@ -3,7 +3,9 @@ require 'shellwords' require_relative 'gitlab_net' class GitlabShell + class AccessDeniedError < StandardError; end class DisallowedCommandError < StandardError; end + class InvalidRepositoryPathError < StandardError; end attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name @@ -15,31 +17,41 @@ class GitlabShell end def exec - if @origin_cmd - parse_cmd + unless @origin_cmd + puts "Welcome to GitLab, #{username}!" + return true + end - raise DisallowedCommandError unless git_cmds.include?(@git_cmd) + parse_cmd - ENV['GL_ID'] = @key_id + raise DisallowedCommandError unless git_cmds.include?(@git_cmd) - access = api.check_access(@git_cmd, @repo_name, @key_id, '_any') + ENV['GL_ID'] = @key_id + status = api.check_access(@git_cmd, @repo_name, @key_id, '_any') - if access.allowed? - process_cmd - else - message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}." - $logger.warn message - puts access.message - end - else - puts "Welcome to GitLab, #{username}!" - end + raise AccessDeniedError, status.message unless status.allowed? + + process_cmd + + true rescue GitlabNet::ApiUnreachableError => ex - puts "Failed to authorize your Git request: internal API unreachable" + $stderr.puts "GitLab: Failed to authorize your Git request: internal API unreachable" + false + rescue AccessDeniedError => ex + message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}." + $logger.warn message + + $stderr.puts "GitLab: #{ex.message}" + false rescue DisallowedCommandError => ex message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}." $logger.warn message - puts 'Disallowed command' + + $stderr.puts "GitLab: Disallowed command" + false + rescue InvalidRepositoryPathError => ex + $stderr.puts "GitLab: Invalid repository path" + false end protected @@ -125,7 +137,7 @@ class GitlabShell if File.absolute_path(full_repo_path) == full_repo_path path else - abort "Wrong repository path" + raise InvalidRepositoryPathError end end diff --git a/spec/gitlab_shell_spec.rb b/spec/gitlab_shell_spec.rb index 5abeeb9..6bb4db4 100644 --- a/spec/gitlab_shell_spec.rb +++ b/spec/gitlab_shell_spec.rb @@ -241,7 +241,7 @@ describe GitlabShell do before { File.stub(:absolute_path) { 'y' } } subject { -> { shell.send(:escape_path, 'z') } } - it { should raise_error(SystemExit, "Wrong repository path") } + it { should raise_error(GitlabShell::InvalidRepositoryPathError) } end def ssh_cmd(cmd) |