How does GitLab check for Grack HTTPS push permissions?

Question

I want develop some feature for GitLab and add it to open source repo.

DESCRIPTION: When user make push, GitLab checks that all emails from commits should be present in database.

I think to add some validation method to https://github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/git_access.rb this class, but this validation doesn't call when user push some changes (e.g. git push origin master).

I've researched routing and found next: https://github.com/gitlabhq/gitlabhq/blob/master/config/routes.rb#L24

mount Grack::Bundle.new({
  git_path:     Gitlab.config.git.bin_path,
  project_root: Gitlab.config.gitlab_shell.repos_path,
  upload_pack:  Gitlab.config.gitlab_shell.upload_pack,
  receive_pack: Gitlab.config.gitlab_shell.receive_pack
}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]

Grack mounted to provide access for git http protocol. And Gitlab has hook for authenticate for Grack /lib/gitlab/backend/grack_auth.rb#L79

But I debugged method authorized_request? and have got that this validation doesn't call too.

QUESTION: what class in GitLab validates pushes? Or probably this feature impossible to implement?

Ciro Santilli新疆棉花TRUMP BAN BAD · Accepted Answer · 2015-06-09T12:21:41.437

You are stumbling on the hardest point of the GitLab architecture to understand: gitlab-shell.

GitLab automatically symlinks your repository hooks repositories/user/project.git/hooks to: https://github.com/gitlabhq/gitlab-shell/tree/master/hooks
Whenever there would be a Git push to the repo, hooks are called. This includes HTTP, SSH and web editing, and it is the pre-receive hook https://github.com/gitlabhq/gitlab-shell/blob/master/hooks/pre-receive that checks the permission (man githooks) and aborts the push if you don't have it.
the pre receive hooks makes an API call to https://github.com/gitlabhq/gitlabhq/blob/ab2db486b8014e509455b624dfd1719f77e27ede/lib/api/internal.rb, which just calls on the usual Abilities system and returns an HTTP request with either true or false which determines if the hook succeeds.

This is what is meant by the comment https://github.com/gitlabhq/gitlabhq/blob/31de763e816cd5f8f80efc06cb4526ad8dc87eee/lib/gitlab/backend/grack_auth.rb#L92:

# Skip user authorization on upload request.
# It will be serverd by update hook in repository

Rationale for this complicated system: allowing SSH pushes. SSH pushes pass through the OpenSSH server, and the only way to make that communicate with GitLab is through the .ssh/authorized_keys system, which must call an executable (GitLab shell) which needs an API to talk to GitLab (the internal API).

If only we had an OpenSSH implementation in pure Ruby that could be called as a library like Grack does for HTTP (replacing the git built-in server), we would be able to remove that horrible part of the system. https://github.com/net-ssh/net-ssh might be usable some day.

But seriously: first make a crystal clear feature request with motivation at: http://feedback.gitlab.com and wait for it to be accepted before implementing, or you might just waste a lot of time on something that will not get merged.

Thank you alot! Your answer helped me to understand the principle of GitLab and its interaction with gitlab-shell. Thanks for the idea of giving feedback. — bondarenko.dev, Oct 21 '14 at 12:08
@ciro. I am working on something similar for my project. It would be really helpful if you could explain why gitlab is skipping auth of user during git push and instead doing it in a pre-receive hook? `Gitlab::GitAccess.new(user, project).push_access_check.allowed?` right in `authorized_request?` would have worked fine. — sonalkr132, Jun 13 '15 at 17:24
@sonalkr132 check out the SSH push part of the answer. I think it is the reason for this complication. — Ciro Santilli新疆棉花TRUMP BAN BAD, Jun 13 '15 at 19:23

How does GitLab check for Grack HTTPS push permissions?

1 Answers1

Linked