GitLab如何检查Grack HTTPS推送权限? [英] How does GitLab check for Grack HTTPS push permissions?

问题描述

我想为GitLab开发一些功能并将其添加到开源存储库中.

说明: 当用户进行推送时，GitLab会检查来自提交的所有电子邮件是否应存在于数据库中.

我想向 https://添加验证方法github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/git_access.rb 此类，但是当用户推送某些更改(例如git push origin master)时，不会调用此验证.

我研究了路由，然后发现以下内容: https://github.com/gitlabhq/gitlabhq/blob/master /config/routes.rb#L24

mount Grack::Bundle.new({
  git_path:     Gitlab.config.git.bin_path,
  project_root: Gitlab.config.gitlab_shell.repos_path,
  upload_pack:  Gitlab.config.gitlab_shell.upload_pack,
  receive_pack: Gitlab.config.gitlab_shell.receive_pack
}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]

已安装Grack以提供对git http协议的访问.而且，Gitlab具有用于Grack的身份验证的钩子/lib/gitlab/backend/grack_auth.rb#L79

但是我调试了方法authorized_request?，但也没有调用此验证.

问题:GitLab中的哪个类可以验证推送?还是可能无法实现此功能?

解决方案

您正在尝试在GitLab体系结构的最难理解的地方绊倒:gitlab-shell.

• GitLab自动将您的存储库挂钩repositories/user/project.git/hooks符号链接到: https: //github.com/gitlabhq/gitlab-shell/tree/master/hooks

• 只要将Git推送到存储库，就会调用钩子.这包括HTTP，SSH和Web编辑，它是预接收钩子进行API调用https://github.com/gitlabhq/gitlabhq/blob/ab2db486b8014e509455b624dfd1719f77e27ede/lib/api/internal.rb ，它仅调用普通的Abilities系统并返回带有true或false的HTTP请求确定挂钩是否成功.

这是评论的意思 https://github.com/gitlabhq/gitlabhq/blob/31de763e816cd5f8f80efc06cb4526ad8dc87eee/lib/gitlab/backend/grack_auth.rb#L92 :

# Skip user authorization on upload request.
# It will be serverd by update hook in repository

此复杂系统的参考价格:允许SSH推送. SSH推送通过OpenSSH服务器传递，并且与GitLab进行通信的唯一方法是通过.ssh/authorized_keys系统，该系统必须调用一个可执行文件(GitLab外壳)，该可执行文件需要一个API才能与GitLab进行通信(内部API). /p>

如果只有纯Ruby中的OpenSSH实现(可以像Grack一样为HTTP调用库(替换git内置服务器))来调用，我们将能够删除该系统的可怕部分. https://github.com/net-ssh/net-ssh 一天.

但是请认真对待:首先在以下网址提出明确的功能请求: http://feedback.gitlab.com 并等待其被接受再实施，否则您可能会在无法合并的内容上浪费很多时间.

I want develop some feature for GitLab and add it to open source repo.

DESCRIPTION: When user make push, GitLab checks that all emails from commits should be present in database.

I think to add some validation method to https://github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/git_access.rb this class, but this validation doesn't call when user push some changes (e.g. git push origin master).

I've researched routing and found next: https://github.com/gitlabhq/gitlabhq/blob/master/config/routes.rb#L24

mount Grack::Bundle.new({
  git_path:     Gitlab.config.git.bin_path,
  project_root: Gitlab.config.gitlab_shell.repos_path,
  upload_pack:  Gitlab.config.gitlab_shell.upload_pack,
  receive_pack: Gitlab.config.gitlab_shell.receive_pack
}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]

Grack mounted to provide access for git http protocol. And Gitlab has hook for authenticate for Grack /lib/gitlab/backend/grack_auth.rb#L79

But I debugged method authorized_request? and have got that this validation doesn't call too.

QUESTION: what class in GitLab validates pushes? Or probably this feature impossible to implement?

解决方案

You are stumbling on the hardest point of the GitLab architecture to understand: gitlab-shell.

• GitLab automatically symlinks your repository hooks repositories/user/project.git/hooks to: https://github.com/gitlabhq/gitlab-shell/tree/master/hooks

• Whenever there would be a Git push to the repo, hooks are called. This includes HTTP, SSH and web editing, and it is the pre-receive hook https://github.com/gitlabhq/gitlab-shell/blob/master/hooks/pre-receive that checks the permission (man githooks) and aborts the push if you don't have it.

• the pre receive hooks makes an API call to https://github.com/gitlabhq/gitlabhq/blob/ab2db486b8014e509455b624dfd1719f77e27ede/lib/api/internal.rb, which just calls on the usual Abilities system and returns an HTTP request with either true or false which determines if the hook succeeds.

This is what is meant by the comment https://github.com/gitlabhq/gitlabhq/blob/31de763e816cd5f8f80efc06cb4526ad8dc87eee/lib/gitlab/backend/grack_auth.rb#L92:

# Skip user authorization on upload request.
# It will be serverd by update hook in repository

Rationale for this complicated system: allowing SSH pushes. SSH pushes pass through the OpenSSH server, and the only way to make that communicate with GitLab is through the .ssh/authorized_keys system, which must call an executable (GitLab shell) which needs an API to talk to GitLab (the internal API).

If only we had an OpenSSH implementation in pure Ruby that could be called as a library like Grack does for HTTP (replacing the git built-in server), we would be able to remove that horrible part of the system. https://github.com/net-ssh/net-ssh might be usable some day.

But seriously: first make a crystal clear feature request with motivation at: http://feedback.gitlab.com and wait for it to be accepted before implementing, or you might just waste a lot of time on something that will not get merged.

这篇关于GitLab如何检查Grack HTTPS推送权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！