diff options
| -rw-r--r-- | config.yml.example | 5 | ||||
| -rw-r--r-- | lib/gitlab_config.rb | 4 | ||||
| -rw-r--r-- | lib/gitlab_shell.rb | 34 | ||||
| -rw-r--r-- | spec/gitlab_shell_spec.rb | 11 |
4 files changed, 44 insertions, 10 deletions
diff --git a/config.yml.example b/config.yml.example index 5bc866d..c3411d1 100644 --- a/config.yml.example +++ b/config.yml.example @@ -29,3 +29,8 @@ log_file: "/home/git/gitlab-shell/gitlab-shell.log" # Log level. INFO by default log_level: INFO + +# Audit usernames. +# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but +# incurs an extra API call on every gitlab-shell command. +audit_usernames: false diff --git a/lib/gitlab_config.rb b/lib/gitlab_config.rb index 2bc2b50..9dc5c66 100644 --- a/lib/gitlab_config.rb +++ b/lib/gitlab_config.rb @@ -39,6 +39,10 @@ class GitlabConfig @config['log_level'] ||= 'INFO' end + def audit_usernames + @config['audit_usernames'] ||= false + end + # Build redis command to write update event in gitlab queue def redis_command if redis.empty? diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb index 496f3a1..aeea0da 100644 --- a/lib/gitlab_shell.rb +++ b/lib/gitlab_shell.rb @@ -8,7 +8,9 @@ class GitlabShell def initialize @key_id = ARGV.shift @origin_cmd = ENV['SSH_ORIGINAL_COMMAND'] - @repos_path = GitlabConfig.new.repos_path + @config = GitlabConfig.new + @repos_path = @config.repos_path + @user_tried = false end def exec @@ -21,19 +23,16 @@ class GitlabShell if validate_access process_cmd else - message = "gitlab-shell: Access denied for git command <#{@origin_cmd}>" - message << " by user with key #{@key_id}." + message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}." $logger.warn message end else - message = "gitlab-shell: Attempt to execute disallowed command " - message << "<#{@origin_cmd}> by user with key #{@key_id}." + message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}." $logger.warn message puts 'Not allowed command' end else - user = api.discover(@key_id) - puts "Welcome to GitLab, #{user && user['name'] || 'Anonymous'}!" + puts "Welcome to GitLab, #{username}!" end end @@ -52,7 +51,7 @@ class GitlabShell def process_cmd repo_full_path = File.join(repos_path, repo_name) cmd = "#{@git_cmd} #{repo_full_path}" - $logger.info "gitlab-shell: executing git command <#{cmd}> for user with key #{@key_id}." + $logger.info "gitlab-shell: executing git command <#{cmd}> for #{log_username}." exec_cmd(cmd) end @@ -67,4 +66,23 @@ class GitlabShell def api GitlabNet.new end + + def user + # Can't use "@user ||=" because that will keep hitting the API when @user is really nil! + if @user_tried + @user + else + @user_tried = true + @user = api.discover(@key_id) + end + end + + def username + user && user['name'] || 'Anonymous' + end + + # User identifier to be used in log messages. + def log_username + @config.audit_usernames ? username : "user with key #{@key_id}" + end end diff --git a/spec/gitlab_shell_spec.rb b/spec/gitlab_shell_spec.rb index 0367675..44dca6d 100644 --- a/spec/gitlab_shell_spec.rb +++ b/spec/gitlab_shell_spec.rb @@ -11,13 +11,15 @@ describe GitlabShell do end let(:api) do double(GitlabNet).tap do |api| - api.stub(discover: 'John Doe') + api.stub(discover: { 'name' => 'John Doe' }) api.stub(allowed?: true) end end let(:key_id) { "key-#{rand(100) + 100}" } let(:repository_path) { "/home/git#{rand(100)}/repos" } - before { GitlabConfig.any_instance.stub(:repos_path).and_return(repository_path) } + before do + GitlabConfig.any_instance.stub(repos_path: repository_path, audit_usernames: false) + end describe :initialize do before { ssh_cmd 'git-receive-pack' } @@ -71,6 +73,11 @@ describe GitlabShell do message << "for user with key #{key_id}." $logger.should_receive(:info).with(message) end + + it "should use usernames if configured to do so" do + GitlabConfig.any_instance.stub(audit_usernames: true) + $logger.should_receive(:info) { |msg| msg.should =~ /for John Doe/ } + end end context 'git-receive-pack' do |