How does GitLab check for Grack HTTPS push permissions?


Question

I want to develop some feature for GitLab and add it to the open source repo.

DESCRIPTION: When a user makes a push, GitLab checks that all emails from commits should be present in the database.

I am thinking of adding some validation method to the class at https://github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/git_access.rb, but this validation is not called when a user pushes some changes (e.g. git push origin master).

I've researched the routing and found the following: https://github.com/gitlabhq/gitlabhq/blob/master/config/routes.rb#L24

mount Grack::Bundle.new({
  git_path:     Gitlab.config.git.bin_path,
  project_root: Gitlab.config.gitlab_shell.repos_path,
  upload_pack:  Gitlab.config.gitlab_shell.upload_pack,
  receive_pack: Gitlab.config.gitlab_shell.receive_pack
}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]

Grack is mounted to provide access for the git http protocol. And GitLab has a hook to authenticate for Grack: /lib/gitlab/backend/grack_auth.rb#L79

But I debugged the method authorized_request? and found that this validation is not called either.

QUESTION: what class in GitLab validates pushes? Or is this feature probably impossible to implement?

Recommended answer

You are stumbling on the hardest point of the GitLab architecture to understand: gitlab-shell.

Whenever there would be a Git push to the repo, hooks are called. This includes HTTP, SSH and web editing, and it is the pre-receive hook https://github.com/gitlabhq/gitlab-shell/blob/master/hooks/pre-receive that checks the permission (man githooks) and aborts the push if you don't have it.

The pre-receive hook makes an API call to https://github.com/gitlabhq/gitlabhq/blob/ab2db486b8014e509455b624dfd1719f77e27ede/lib/api/internal.rb, which just calls on the usual Abilities system and returns an HTTP request with either true or false which determines if the hook succeeds.

That is what the comment at https://github.com/gitlabhq/gitlabhq/blob/31de763e816cd5f8f80efc06cb4526ad8dc87eee/lib/gitlab/backend/grack_auth.rb#L92 means:

# Skip user authorization on upload request.
# It will be serverd by update hook in repository

Rationale for this complicated system: allowing SSH pushes. SSH pushes pass through the OpenSSH server, and the only way to make that communicate with GitLab is through the .ssh/authorized_keys system, which must call an executable (GitLab shell) which needs an API to talk to GitLab (the internal API).

If only we had an OpenSSH implementation in pure Ruby that could be called as a library like Grack does for HTTP (replacing the git built-in server), we would be able to remove that horrible part of the system. https://github.com/net-ssh/net-ssh might be usable some day.

But seriously: first make a crystal clear feature request with motivation at: http://feedback.gitlab.com and wait for it to be accepted before implementing, or you might just waste a lot of time on something that will not get merged.
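
The check the question asks for, placed where the answer says pushes are decided (a pre-receive hook), as an added example that is not GitLab or gitlab-shell code. All names (`rejected_emails`, `hook_exit_status`, `GIT_EMAILS`) are hypothetical, and `known_email` is an assumed stand-in for the database or internal API lookup.

```ruby
# Added example: not GitLab or gitlab-shell code. All names are hypothetical.
ZERO_SHA = '0' * 40

# git feeds a pre-receive hook one "<old> <new> <ref>" line per updated ref.
RefUpdate = Struct.new(:old_sha, :new_sha, :ref)

def parse_ref_updates(stdin_text)
  stdin_text.each_line.map(&:split).select { |fields| fields.size == 3 }
            .map { |old, new, ref| RefUpdate.new(old, new, ref) }
end

# Arguments for `git log` that select only the commits this push adds.
def rev_args(update)
  return nil if update.new_sha == ZERO_SHA       # ref deletion: no new commits
  if update.old_sha == ZERO_SHA                  # new ref: there is no old tip
    [update.new_sha, '--not', '--all']           # everything not already in the repo
  else
    ["#{update.old_sha}..#{update.new_sha}"]
  end
end

# emails_for:  callable taking rev args and returning email lines.
# known_email: callable standing in for the user lookup (assumption).
# Returns unique [ref, email] pairs whose email is not known.
def rejected_emails(stdin_text, emails_for:, known_email:)
  parse_ref_updates(stdin_text).flat_map do |update|
    args = rev_args(update)
    next [] if args.nil?
    emails_for.call(args).map(&:strip)
              .reject { |email| known_email.call(email) }
              .map { |email| [update.ref, email] }
  end.uniq
end

# A pre-receive hook aborts the whole push by exiting non-zero.
def hook_exit_status(stdin_text, emails_for:, known_email:)
  bad = rejected_emails(stdin_text, emails_for: emails_for, known_email: known_email)
  bad.each { |ref, email| warn "push rejected: #{email} on #{ref} is not a known user" }
  bad.empty? ? 0 : 1
end

# Real lookup for use inside a repository: author and committer email per commit.
GIT_EMAILS = lambda do |args|
  IO.popen(['git', 'log', '--format=%ae%n%ce', *args], &:readlines)
end
```

In an actual hook file the last line would be `exit hook_exit_status($stdin.read, emails_for: GIT_EMAILS, known_email: ...)`, with the lookup supplied by the installation.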
