Commit 26bea578 in gitlab-foss
Authored on June 13, 2018 by Ash McKenzie
Better route matching for read-only detection
Parent: 3cf68362
2 changed files with 43 additions and 25 deletions (+43 -25)
lib/gitlab/middleware/read_only/controller.rb (+24 -9)
spec/lib/gitlab/middleware/read_only_spec.rb (+19 -16)
lib/gitlab/middleware/read_only/controller.rb
@@ -4,8 +4,18 @@ module Gitlab
class
Controller
DISALLOWED_METHODS
=
%w(POST PATCH PUT DELETE)
.
freeze
APPLICATION_JSON
=
'application/json'
.
freeze
APPLICATION_JSON_TYPES
=
%W{
#{
APPLICATION_JSON
}
application/vnd.git-lfs+json}
.
freeze
ERROR_MESSAGE
=
'You cannot perform write operations on a read-only instance'
.
freeze
WHITELISTED_GIT_ROUTES
=
{
'projects/git_http'
=>
%w{git_upload_pack git_receive_pack}
}.
freeze
WHITELISTED_GIT_LFS_ROUTES
=
{
'projects/lfs_api'
=>
%w{batch}
,
'projects/lfs_locks_api'
=>
%w{verify create unlock}
}.
freeze
def
initialize
(
app
,
env
)
@app
=
app
@env
=
env
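Review bot: the new whitelists admit write operations, `git_receive_pack` in `WHITELISTED_GIT_ROUTES` and `create`/`unlock` in `WHITELISTED_GIT_LFS_ROUTES`, but neither the constants nor the one-line commit message record why a read-only instance should let a push or an LFS lock change past this middleware, or what downstream is expected to reject or redirect it. Add a comment above each constant stating that reason, and a line describing the hash shape (controller name => permitted actions, e.g. `'projects/git_http' => %w{git_upload_pack git_receive_pack}`), so the next reader does not mistake these entries for an accidental hole in the read-only guard.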
@@ -36,7 +46,7 @@ module Gitlab
end
def
json_request?
request
.
media_type
==
APPLICATION_JSON
APPLICATION_JSON_TYPES
.
include?
(
request
.
media_type
)
end
def
rack_flash
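Review bot: `json_request?` now also returns true for `application/vnd.git-lfs+json`, so a rejected LFS write is handled by the JSON branch of this middleware rather than the non-JSON one, yet nothing in this commit's spec changes exercises that branch; the spec only covers whitelisted paths. Add an example that POSTs to a non-whitelisted path with that media type and asserts on the response it gets. `request.media_type` is nil when no Content-Type header is sent and `APPLICATION_JSON_TYPES.include?(nil)` is false, so that case is safe, but a short comment saying so would save the next reader the check.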
@@ -63,22 +73,27 @@ module Gitlab
grack_route
||
ReadOnly
.
internal_routes
.
any?
{
|
path
|
request
.
path
.
include?
(
path
)
}
||
lfs_route
||
sidekiq_route
end
def
sidekiq_route
request
.
path
.
start_with?
(
'/admin/sidekiq'
)
end
def
grack_route
# Calling route_hash may be expensive. Only do it if we think there's a possible match
return
false
unless
request
.
path
.
end_with?
(
'.git/git-upload-pack'
)
return
false
unless
request
.
path
.
end_with?
(
'.git/git-upload-pack'
,
'.git/git-receive-pack'
)
route_hash
[
:controller
]
==
'projects/git_http'
&&
route_hash
[
:action
]
==
'git_upload_pack'
WHITELISTED_GIT_ROUTES
[
route_hash
[
:controller
]]
&
.
include?
(
route_hash
[
:action
])
end
def
lfs_route
# Calling route_hash may be expensive. Only do it if we think there's a possible match
return
false
unless
request
.
path
.
end_with?
(
'/info/lfs/objects/batch'
)
unless
request
.
path
.
end_with?
(
'/info/lfs/objects/batch'
,
'/info/lfs/locks'
,
'/info/lfs/locks/verify'
)
||
%r{/info/lfs/locks/
\d
+/unlock
\z
}
.
match?
(
request
.
path
)
return
false
end
WHITELISTED_GIT_LFS_ROUTES
[
route_hash
[
:controller
]]
&
.
include?
(
route_hash
[
:action
])
end
route_hash
[
:controller
]
==
'projects/lfs_api'
&&
route_hash
[
:action
]
==
'batch'
def
sidekiq_route
request
.
path
.
start_with?
(
'/admin/sidekiq'
)
end
end
end
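Review bot: the `end_with?` and `\d+/unlock\z` pre-checks in `grack_route` and `lfs_route` are only cheap filters, as the comments say; the `route_hash` lookup is what decides, and `WHITELISTED_..._ROUTES[route_hash[:controller]]&.include?(...)` yields nil for an unknown controller, which is falsy and therefore safe. Two things to tidy. First, `lfs_route` wraps `return false` in a multi-line `unless ... end` while `grack_route` uses the one-line `return false unless` form; pulling the LFS condition into a predicate (for example a `lfs_path?` helper) would let both methods read the same way. Second, the unchanged context above still tests `ReadOnly.internal_routes.any? { |path| request.path.include?(path) }`, an unanchored substring match that is looser than the anchored suffix and `\z` checks this commit introduces; it deserves the same treatment. Note that `&.` needs Ruby 2.3 and `Regexp#match?` needs Ruby 2.4, which is fine as long as the project's minimum Ruby is at or above that.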
spec/lib/gitlab/middleware/read_only_spec.rb
@@ -2,6 +2,7 @@ require 'spec_helper'
describe
Gitlab
::
Middleware
::
ReadOnly
do
include
Rack
::
Test
::
Methods
using
RSpec
::
Parameterized
::
TableSyntax
RSpec
::
Matchers
.
define
:be_a_redirect
do
match
do
|
response
|
@@ -117,39 +118,41 @@ describe Gitlab::Middleware::ReadOnly do
context
'whitelisted requests'
do
it
'expects a POST internal request to be allowed'
do
expect
(
Rails
.
application
.
routes
).
not_to
receive
(
:recognize_path
)
response
=
request
.
post
(
"/api/
#{
API
::
API
.
version
}
/internal"
)
expect
(
response
).
not_to
be_a_redirect
expect
(
subject
).
not_to
disallow_request
end
it
'expects a POST LFS request to batch URL to be allowed'
do
expect
(
Rails
.
application
.
routes
).
to
receive
(
:recognize_path
).
and_call_original
response
=
request
.
post
(
'/root/rouge.git/info/lfs/objects/batch'
)
it
'expects requests to sidekiq admin to be allowed'
do
response
=
request
.
post
(
'/admin/sidekiq'
)
expect
(
response
).
not_to
be_a_redirect
expect
(
subject
).
not_to
disallow_request
end
it
'expects a POST request to git-upload-pack URL to be allowed'
do
expect
(
Rails
.
application
.
routes
).
to
receive
(
:recognize_path
).
and_call_original
response
=
request
.
post
(
'/root/rouge.git/git-upload-pack'
)
response
=
request
.
get
(
'/admin/sidekiq'
)
expect
(
response
).
not_to
be_a_redirect
expect
(
subject
).
not_to
disallow_request
end
it
'expects requests to sidekiq admin to be allowed'
do
response
=
request
.
post
(
'/admin/sidekiq'
)
expect
(
response
).
not_to
be_a_redirect
expect
(
subject
).
not_to
disallow_request
where
(
:description
,
:path
)
do
'LFS request to batch'
|
'/root/rouge.git/info/lfs/objects/batch'
'LFS request to locks verify'
|
'/root/rouge.git/info/lfs/locks/verify'
'LFS request to locks create'
|
'/root/rouge.git/info/lfs/locks'
'LFS request to locks unlock'
|
'/root/rouge.git/info/lfs/locks/1/unlock'
'request to git-upload-pack'
|
'/root/rouge.git/git-upload-pack'
'request to git-receive-pack'
|
'/root/rouge.git/git-receive-pack'
end
response
=
request
.
get
(
'/admin/sidekiq'
)
with_them
do
it
"expects a POST
#{
description
}
URL to be allowed"
do
expect
(
Rails
.
application
.
routes
).
to
receive
(
:recognize_path
).
and_call_original
response
=
request
.
post
(
path
)
expect
(
response
).
not_to
be_a_redirect
expect
(
subject
).
not_to
disallow_request
expect
(
response
).
not_to
be_a_redirect
expect
(
subject
).
not_to
disallow_request
end
end
end
end
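Review bot: the `where` table covers every whitelisted path, but there is no negative case for the new matching: a path whose suffix passes the cheap check but whose `route_hash` controller or action is not in the whitelist should still be disallowed, and the `expect(Rails.application.routes).to receive(:recognize_path).and_call_original` expectations only prove that `recognize_path` was consulted, not that its answer is honoured. Add at least one `disallow_request` example for such a path, and one for a lock path that fails the `\d+` regex (for example a non-numeric lock id under `/info/lfs/locks/.../unlock`). Minor: the interpolated example name "expects a POST #{description} URL to be allowed" produces strings like "expects a POST LFS request to batch URL to be allowed"; rewording the descriptions (e.g. "LFS batch") would read better in the spec output.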