summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab_access_status.rb6
-rw-r--r--lib/gitlab_keys.rb26
-rw-r--r--lib/gitlab_net.rb62
-rw-r--r--lib/gitlab_shell.rb39
4 files changed, 100 insertions, 33 deletions
diff --git a/lib/gitlab_access_status.rb b/lib/gitlab_access_status.rb
index 783bc0c..44225aa 100644
--- a/lib/gitlab_access_status.rb
+++ b/lib/gitlab_access_status.rb
@@ -1,12 +1,13 @@
require 'json'
class GitAccessStatus
- attr_reader :message, :gl_repository, :gl_username, :repository_path, :gitaly
+ attr_reader :message, :gl_repository, :gl_id, :gl_username, :repository_path, :gitaly
- def initialize(status, message, gl_repository:, gl_username:, repository_path:, gitaly:)
+ def initialize(status, message, gl_repository:, gl_id:, gl_username:, repository_path:, gitaly:)
@status = status
@message = message
@gl_repository = gl_repository
+ @gl_id = gl_id
@gl_username = gl_username
@repository_path = repository_path
@gitaly = gitaly
@@ -17,6 +18,7 @@ class GitAccessStatus
new(values["status"],
values["message"],
gl_repository: values["gl_repository"],
+ gl_id: values["gl_id"],
gl_username: values["gl_username"],
repository_path: values["repository_path"],
gitaly: values["gitaly"])
diff --git a/lib/gitlab_keys.rb b/lib/gitlab_keys.rb
index 30444c3..3ee2882 100644
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -9,12 +9,20 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
attr_accessor :auth_file, :key
- def self.command(key_id)
+ def self.command(whatever)
+ "#{ROOT_PATH}/bin/gitlab-shell #{whatever}"
+ end
+
+ def self.command_key(key_id)
unless /\A[a-z0-9-]+\z/ =~ key_id
raise KeyError, "Invalid key_id: #{key_id.inspect}"
end
- "#{ROOT_PATH}/bin/gitlab-shell #{key_id}"
+ command(key_id)
+ end
+
+ def self.whatever_line(command, trailer)
+ "command=\"#{command}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{trailer}"
end
def self.key_line(key_id, public_key)
@@ -24,7 +32,17 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
raise KeyError, "Invalid public_key: #{public_key.inspect}"
end
- "command=\"#{command(key_id)}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{public_key}"
+ whatever_line(command_key(key_id), public_key)
+ end
+
+ def self.principal_line(username_key_id, principal)
+ principal.chomp!
+
+ if principal.include?("\n")
+ raise KeyError, "Invalid principal: #{principal.inspect}"
+ end
+
+ whatever_line(command_key(username_key_id), principal)
end
def initialize
@@ -119,7 +137,7 @@ class GitlabKeys # rubocop:disable Metrics/ClassLength
$logger.info('Removing key', key_id: @key_id)
open_auth_file('r+') do |f|
while line = f.gets # rubocop:disable Style/AssignmentInCondition
- next unless line.start_with?("command=\"#{self.class.command(@key_id)}\"")
+ next unless line.start_with?("command=\"#{self.class.command_key(@key_id)}\"")
f.seek(-line.length, IO::SEEK_CUR)
# Overwrite the line with #'s. Because the 'line' variable contains
# a terminating '\n', we write line.length - 1 '#' characters.
diff --git a/lib/gitlab_net.rb b/lib/gitlab_net.rb
index 584dd93..7013d79 100644
--- a/lib/gitlab_net.rb
+++ b/lib/gitlab_net.rb
@@ -17,7 +17,7 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
CHECK_TIMEOUT = 5
- def check_access(cmd, gl_repository, repo, actor, changes, protocol, env: {})
+ def check_access(cmd, gl_repository, repo, who, changes, protocol, env: {})
changes = changes.join("\n") unless changes.is_a?(String)
params = {
@@ -29,11 +29,8 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
env: env
}
- if actor =~ /\Akey\-\d+\Z/
- params[:key_id] = actor.gsub("key-", "")
- elsif actor =~ /\Auser\-\d+\Z/
- params[:user_id] = actor.gsub("user-", "")
- end
+ who_sym, _, who_v = self.class.parse_who(who)
+ params[who_sym] = who_v
url = "#{internal_api_endpoint}/allowed"
resp = post(url, params)
@@ -44,23 +41,37 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
GitAccessStatus.new(false,
'API is not accessible',
gl_repository: nil,
+ gl_id: nil,
gl_username: nil,
repository_path: nil,
gitaly: nil)
end
end
- def discover(key)
- key_id = key.gsub("key-", "")
- resp = get("#{internal_api_endpoint}/discover?key_id=#{key_id}")
+ def discover(who)
+ _, who_k, who_v = self.class.parse_who(who)
+
+ resp = get("#{internal_api_endpoint}/discover?#{who_k}=#{who_v}")
+
JSON.parse(resp.body) rescue nil
end
- def lfs_authenticate(key, repo)
- params = {
- project: sanitize_path(repo),
- key_id: key.gsub('key-', '')
- }
+ def lfs_authenticate(gl_id, repo)
+ id_sym, _, id = self.class.parse_who(gl_id)
+
+ if id_sym == :key_id
+ params = {
+ project: sanitize_path(repo),
+ key_id: id
+ }
+ elsif id_sym == :user_id
+ params = {
+ project: sanitize_path(repo),
+ user_id: id
+ }
+ else
+ raise ArgumentError, "lfs_authenticate() got unsupported GL_ID='#{gl_id}'!"
+ end
resp = post("#{internal_api_endpoint}/lfs_authenticate", params)
@@ -101,9 +112,10 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
nil
end
- def two_factor_recovery_codes(key)
- key_id = key.gsub('key-', '')
- resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", key_id: key_id)
+ def two_factor_recovery_codes(gl_id)
+ id_sym, _, id = self.class.parse_who(gl_id)
+
+ resp = post("#{internal_api_endpoint}/two_factor_recovery_codes", id_sym => id)
JSON.parse(resp.body) if resp.code == '200'
rescue
@@ -140,6 +152,22 @@ class GitlabNet # rubocop:disable Metrics/ClassLength
JSON.parse(resp.body) if resp.code == '200'
end
+ def self.parse_who(who)
+ if who.start_with?("key-")
+ value = who.gsub("key-", "")
+ raise ArgumentError, "who='#{who}' is invalid!" unless value =~ /\A[0-9]+\z/
+ [:key_id, 'key_id', value]
+ elsif who.start_with?("user-")
+ value = who.gsub("user-", "")
+ raise ArgumentError, "who='#{who}' is invalid!" unless value =~ /\A[0-9]+\z/
+ [:user_id, 'user_id', value]
+ elsif who.start_with?("username-")
+ [:username, 'username', who.gsub("username-", "")]
+ else
+ raise ArgumentError, "who='#{who}' is invalid!"
+ end
+ end
+
protected
def sanitize_path(repo)
diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb
index 9644cf4..9f05004 100644
--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -18,11 +18,16 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
API_COMMANDS = %w(2fa_recovery_codes).freeze
GL_PROTOCOL = 'ssh'.freeze
- attr_accessor :key_id, :gl_repository, :repo_name, :command, :git_access
+ attr_accessor :gl_id, :gl_repository, :repo_name, :command, :git_access
attr_reader :repo_path
- def initialize(key_id)
- @key_id = key_id
+ def initialize(who)
+ who_sym, = GitlabNet.parse_who(who)
+ if who_sym == :username
+ @who = who
+ else
+ @gl_id = who
+ end
@config = GitlabConfig.new
end
@@ -40,6 +45,12 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
if GIT_COMMANDS.include?(args.first)
GitlabMetrics.measure('verify-access') { verify_access }
+ elsif !defined?(@gl_id)
+ # We're processing an API command like 2fa_recovery_codes, but
+ # don't have a @gl_id yet, that means we're in the "username"
+ # mode and need to materialize it, calling the "user" method
+ # will do that and call the /discover method.
+ user
end
process_cmd(args)
@@ -101,7 +112,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
end
def verify_access
- status = api.check_access(@git_access, nil, @repo_name, @key_id, '_any', GL_PROTOCOL)
+ status = api.check_access(@git_access, nil, @repo_name, @who || @gl_id, '_any', GL_PROTOCOL)
raise AccessDeniedError, status.message unless status.allowed?
@@ -109,6 +120,9 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
@gl_repository = status.gl_repository
@gitaly = status.gitaly
@username = status.gl_username
+ if defined?(@who)
+ @gl_id = status.gl_id
+ end
end
def process_cmd(args)
@@ -135,7 +149,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
gitaly_request = {
'repository' => @gitaly['repository'],
'gl_repository' => @gl_repository,
- 'gl_id' => @key_id,
+ 'gl_id' => @gl_id,
'gl_username' => @username
}
@@ -161,7 +175,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
'PATH' => ENV['PATH'],
'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'],
'LANG' => ENV['LANG'],
- 'GL_ID' => @key_id,
+ 'GL_ID' => @gl_id,
'GL_PROTOCOL' => GL_PROTOCOL,
'GL_REPOSITORY' => @gl_repository,
'GL_USERNAME' => @username
@@ -190,7 +204,12 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
return @user if defined?(@user)
begin
- @user = api.discover(@key_id)
+ if defined?(@who)
+ @user = api.discover(@who)
+ @gl_id = "user-#{@user['id']}"
+ else
+ @user = api.discover(@gl_id)
+ end
rescue GitlabNet::ApiUnreachableError
@user = nil
end
@@ -208,11 +227,11 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
# User identifier to be used in log messages.
def log_username
- @config.audit_usernames ? username : "user with key #{@key_id}"
+ @config.audit_usernames ? username : "user with id #{@gl_id}"
end
def lfs_authenticate
- lfs_access = api.lfs_authenticate(@key_id, @repo_name)
+ lfs_access = api.lfs_authenticate(@gl_id, @repo_name)
return unless lfs_access
@@ -240,7 +259,7 @@ class GitlabShell # rubocop:disable Metrics/ClassLength
return
end
- resp = api.two_factor_recovery_codes(key_id)
+ resp = api.two_factor_recovery_codes(@gl_id)
if resp['success']
codes = resp['recovery_codes'].join("\n")
puts "Your two-factor authentication recovery codes are:\n\n" \
View Lorry Controller Status