Merge branch '26388-push-to-create-a-new-project' into 'master'

Resolve "Push to create a new project" Closes #26388 See merge request gitlab-org/gitlab-ce!16547
author: Douwe Maan <douwe@gitlab.com> 2018-02-06 22:40:58 +0300
committer: Douwe Maan <douwe@gitlab.com> 2018-02-06 22:40:58 +0300
commit: b0f0ad050b106e7cfcae350ca299f505a992ef7a (patch)
tree: 16bcdb6c961354a995fb9e4cb00cefb9270f70cd /lib
parent: bc59a5d0a52d7ccf6e61468ec72346b57e6f4265 (diff)
parent: c51eb79bbe62a7f02a2fd0c826b7af0b7573fa4c (diff)
8 files changed, 188 insertions, 67 deletions
diff --git a/lib/api/helpers/internal_helpers.rb b/lib/api/helpers/internal_helpers.rb
index eb67de81a0d..cd59da6fc70 100644
--- a/lib/api/helpers/internal_helpers.rb
+++ b/lib/api/helpers/internal_helpers.rb
@@ -60,8 +60,20 @@ module API
         false
       end
 
+      def project_path
+        project&.path || project_path_match[:project_path]
+      end
+
+      def namespace_path
+        project&.namespace&.full_path || project_path_match[:namespace_path]
+      end
+
       private
 
+      def project_path_match
+        @project_path_match ||= params[:project].match(Gitlab::PathRegex.full_project_git_path_regex) || {}
+      end
+
       # rubocop:disable Gitlab/ModuleWithInstanceVariables
       def set_project
         if params[:gl_repository]
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 063f0d6599c..9285fb90cdc 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -42,11 +42,14 @@ module API
           end
 
         access_checker_klass = wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess
-        access_checker = access_checker_klass
-          .new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities, redirected_path: redirected_path)
+        access_checker = access_checker_klass.new(actor, project,
+          protocol, authentication_abilities: ssh_authentication_abilities,
+                    namespace_path: namespace_path, project_path: project_path,
+                    redirected_path: redirected_path)
 
         begin
           access_checker.check(params[:action], params[:changes])
+          @project ||= access_checker.project
         rescue Gitlab::GitAccess::UnauthorizedError, Gitlab::GitAccess::NotFoundError => e
           return { status: false, message: e.message }
         end
@@ -207,8 +210,11 @@ module API
         # A user is not guaranteed to be returned; an orphaned write deploy
         # key could be used
         if user
-          redirect_message = Gitlab::Checks::ProjectMoved.fetch_redirect_message(user.id, project.id)
+          redirect_message = Gitlab::Checks::ProjectMoved.fetch_message(user.id, project.id)
+          project_created_message = Gitlab::Checks::ProjectCreated.fetch_message(user.id, project.id)
+
           output[:redirected_message] = redirect_message if redirect_message
+          output[:project_created_message] = project_created_message if project_created_message
         end
 
         output
diff --git a/lib/gitlab/checks/post_push_message.rb b/lib/gitlab/checks/post_push_message.rb
new file mode 100644
index 00000000000..473c0385b34
--- /dev/null
+++ b/lib/gitlab/checks/post_push_message.rb
@@ -0,0 +1,46 @@
+module Gitlab
+  module Checks
+    class PostPushMessage
+      def initialize(project, user, protocol)
+        @project = project
+        @user = user
+        @protocol = protocol
+      end
+
+      def self.fetch_message(user_id, project_id)
+        key = message_key(user_id, project_id)
+
+        Gitlab::Redis::SharedState.with do |redis|
+          message = redis.get(key)
+          redis.del(key)
+          message
+        end
+      end
+
+      def add_message
+        return unless user.present? && project.present?
+
+        Gitlab::Redis::SharedState.with do |redis|
+          key = self.class.message_key(user.id, project.id)
+          redis.setex(key, 5.minutes, message)
+        end
+      end
+
+      def message
+        raise NotImplementedError
+      end
+
+      protected
+
+      attr_reader :project, :user, :protocol
+
+      def self.message_key(user_id, project_id)
+        raise NotImplementedError
+      end
+
+      def url_to_repo
+        protocol == 'ssh' ? project.ssh_url_to_repo : project.http_url_to_repo
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/checks/project_created.rb b/lib/gitlab/checks/project_created.rb
new file mode 100644
index 00000000000..cec270d6a58
--- /dev/null
+++ b/lib/gitlab/checks/project_created.rb
@@ -0,0 +1,31 @@
+module Gitlab
+  module Checks
+    class ProjectCreated < PostPushMessage
+      PROJECT_CREATED = "project_created".freeze
+
+      def message
+        <<~MESSAGE
+
+        The private project #{project.full_path} was successfully created.
+
+        To configure the remote, run:
+          git remote add origin #{url_to_repo}
+
+        To view the project, visit:
+          #{project_url}
+
+        MESSAGE
+      end
+
+      private
+
+      def self.message_key(user_id, project_id)
+        "#{PROJECT_CREATED}:#{user_id}:#{project_id}"
+      end
+
+      def project_url
+        Gitlab::Routing.url_helpers.project_url(project)
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/checks/project_moved.rb b/lib/gitlab/checks/project_moved.rb
index dfb2f4d4054..3263790a876 100644
--- a/lib/gitlab/checks/project_moved.rb
+++ b/lib/gitlab/checks/project_moved.rb
@@ -1,38 +1,16 @@
 module Gitlab
   module Checks
-    class ProjectMoved
+    class ProjectMoved < PostPushMessage
       REDIRECT_NAMESPACE = "redirect_namespace".freeze
 
-      def initialize(project, user, redirected_path, protocol)
-        @project = project
-        @user = user
+      def initialize(project, user, protocol, redirected_path)
         @redirected_path = redirected_path
-        @protocol = protocol
-      end
-
-      def self.fetch_redirect_message(user_id, project_id)
-        redirect_key = redirect_message_key(user_id, project_id)
 
-        Gitlab::Redis::SharedState.with do |redis|
-          message = redis.get(redirect_key)
-          redis.del(redirect_key)
-          message
-        end
-      end
-
-      def add_redirect_message
-        # Don't bother with sending a redirect message for anonymous clones
-        # because they never see it via the `/internal/post_receive` endpoint
-        return unless user.present? && project.present?
-
-        Gitlab::Redis::SharedState.with do |redis|
-          key = self.class.redirect_message_key(user.id, project.id)
-          redis.setex(key, 5.minutes, redirect_message)
-        end
+        super(project, user, protocol)
       end
 
-      def redirect_message(rejected: false)
-        <<~MESSAGE.strip_heredoc
+      def message(rejected: false)
+        <<~MESSAGE
         Project '#{redirected_path}' was moved to '#{project.full_path}'.
 
         Please update your Git remote:
@@ -47,17 +25,17 @@ module Gitlab
 
       private
 
-      attr_reader :project, :redirected_path, :protocol, :user
+      attr_reader :redirected_path
 
-      def self.redirect_message_key(user_id, project_id)
+      def self.message_key(user_id, project_id)
         "#{REDIRECT_NAMESPACE}:#{user_id}:#{project_id}"
       end
 
       def remote_url_message(rejected)
         if rejected
-          "git remote set-url origin #{url} and try again."
+          "git remote set-url origin #{url_to_repo} and try again."
         else
-          "git remote set-url origin #{url}"
+          "git remote set-url origin #{url_to_repo}"
         end
       end
 
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 56f6febe86d..8ec3386184a 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -2,15 +2,19 @@
 # class return an instance of `GitlabAccessStatus`
 module Gitlab
   class GitAccess
+    include Gitlab::Utils::StrongMemoize
+
     UnauthorizedError = Class.new(StandardError)
     NotFoundError = Class.new(StandardError)
+    ProjectCreationError = Class.new(StandardError)
     ProjectMovedError = Class.new(NotFoundError)
 
     ERROR_MESSAGES = {
       upload: 'You are not allowed to upload code for this project.',
       download: 'You are not allowed to download code from this project.',
-      deploy_key_upload:
-        'This deploy key does not have write access to this project.',
+      auth_upload: 'You are not allowed to upload code.',
+      auth_download: 'You are not allowed to download code.',
+      deploy_key_upload: 'This deploy key does not have write access to this project.',
       no_repo: 'A repository for this project does not exist yet.',
       project_not_found: 'The project you were looking for could not be found.',
       account_blocked: 'Your account has been blocked.',
@@ -25,24 +29,31 @@ module Gitlab
     PUSH_COMMANDS = %w{ git-receive-pack }.freeze
     ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
 
-    attr_reader :actor, :project, :protocol, :authentication_abilities, :redirected_path
+    attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path
 
-    def initialize(actor, project, protocol, authentication_abilities:, redirected_path: nil)
+    def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil)
       @actor    = actor
       @project  = project
       @protocol = protocol
-      @redirected_path = redirected_path
       @authentication_abilities = authentication_abilities
+      @namespace_path = namespace_path
+      @project_path = project_path
+      @redirected_path = redirected_path
     end
 
     def check(cmd, changes)
       check_protocol!
       check_valid_actor!
       check_active_user!
-      check_project_accessibility!
-      check_project_moved!
+      check_authentication_abilities!(cmd)
       check_command_disabled!(cmd)
       check_command_existence!(cmd)
+      check_db_accessibility!(cmd)
+
+      ensure_project_on_push!(cmd, changes)
+
+      check_project_accessibility!
+      check_project_moved!
       check_repository_existence!
 
       case cmd
@@ -95,6 +106,19 @@ module Gitlab
       end
     end
 
+    def check_authentication_abilities!(cmd)
+      case cmd
+      when *DOWNLOAD_COMMANDS
+        unless authentication_abilities.include?(:download_code) || authentication_abilities.include?(:build_download_code)
+          raise UnauthorizedError, ERROR_MESSAGES[:auth_download]
+        end
+      when *PUSH_COMMANDS
+        unless authentication_abilities.include?(:push_code)
+          raise UnauthorizedError, ERROR_MESSAGES[:auth_upload]
+        end
+      end
+    end
+
     def check_project_accessibility!
       if project.blank? || !can_read_project?
         raise NotFoundError, ERROR_MESSAGES[:project_not_found]
@@ -104,12 +128,12 @@ module Gitlab
     def check_project_moved!
       return if redirected_path.nil?
 
-      project_moved = Checks::ProjectMoved.new(project, user, redirected_path, protocol)
+      project_moved = Checks::ProjectMoved.new(project, user, protocol, redirected_path)
 
       if project_moved.permanent_redirect?
-        project_moved.add_redirect_message
+        project_moved.add_message
       else
-        raise ProjectMovedError, project_moved.redirect_message(rejected: true)
+        raise ProjectMovedError, project_moved.message(rejected: true)
       end
     end
 
@@ -139,6 +163,40 @@ module Gitlab
       end
     end
 
+    def check_db_accessibility!(cmd)
+      return unless receive_pack?(cmd)
+
+      if Gitlab::Database.read_only?
+        raise UnauthorizedError, push_to_read_only_message
+      end
+    end
+
+    def ensure_project_on_push!(cmd, changes)
+      return if project || deploy_key?
+      return unless receive_pack?(cmd) && changes == '_any' && authentication_abilities.include?(:push_code)
+
+      namespace = Namespace.find_by_full_path(namespace_path)
+
+      return unless user&.can?(:create_projects, namespace)
+
+      project_params = {
+        path: project_path,
+        namespace_id: namespace.id,
+        visibility_level: Gitlab::VisibilityLevel::PRIVATE
+      }
+
+      project = Projects::CreateService.new(user, project_params).execute
+
+      unless project.saved?
+        raise ProjectCreationError, "Could not create project: #{project.errors.full_messages.join(', ')}"
+      end
+
+      @project = project
+      user_access.project = @project
+
+      Checks::ProjectCreated.new(project, user, protocol).add_message
+    end
+
     def check_repository_existence!
       unless project.repository.exists?
         raise UnauthorizedError, ERROR_MESSAGES[:no_repo]
@@ -146,9 +204,8 @@ module Gitlab
     end
 
     def check_download_access!
-      return if deploy_key?
-
-      passed = user_can_download_code? ||
+      passed = deploy_key? ||
+        user_can_download_code? ||
         build_can_download_code? ||
         guest_can_download_code?
 
@@ -162,35 +219,21 @@ module Gitlab
         raise UnauthorizedError, ERROR_MESSAGES[:read_only]
       end
 
-      if Gitlab::Database.read_only?
-        raise UnauthorizedError, push_to_read_only_message
-      end
-
       if deploy_key
-        check_deploy_key_push_access!
+        unless deploy_key.can_push_to?(project)
+          raise UnauthorizedError, ERROR_MESSAGES[:deploy_key_upload]
+        end
       elsif user
-        check_user_push_access!
+        # User access is verified in check_change_access!
       else
         raise UnauthorizedError, ERROR_MESSAGES[:upload]
       end
 
-      return if changes.blank? # Allow access.
+      return if changes.blank? # Allow access this is needed for EE.
 
       check_change_access!(changes)
     end
 
-    def check_user_push_access!
-      unless authentication_abilities.include?(:push_code)
-        raise UnauthorizedError, ERROR_MESSAGES[:upload]
-      end
-    end
-
-    def check_deploy_key_push_access!
-      unless deploy_key.can_push_to?(project)
-        raise UnauthorizedError, ERROR_MESSAGES[:deploy_key_upload]
-      end
-    end
-
     def check_change_access!(changes)
       changes_list = Gitlab::ChangesList.new(changes)
 
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb
index ef3f786686a..4dc38aae61e 100644
--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
@@ -179,6 +179,10 @@ module Gitlab
       @full_project_path_regex ||= %r{\A#{full_namespace_route_regex}/#{project_route_regex}/\z}
     end
 
+    def full_project_git_path_regex
+      @full_project_git_path_regex ||= %r{\A\/?(?<namespace_path>#{full_namespace_route_regex})\/(?<project_path>#{project_route_regex})\.git\z}
+    end
+
     def namespace_format_regex
       @namespace_format_regex ||= /\A#{NAMESPACE_FORMAT_REGEX}\z/.freeze
     end
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index f357488ac61..15eb1c41213 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -6,7 +6,8 @@ module Gitlab
       [user&.id, project&.id]
     end
 
-    attr_reader :user, :project
+    attr_reader :user
+    attr_accessor :project
 
     def initialize(user, project: nil)
       @user = user
author	Douwe Maan <douwe@gitlab.com>	2018-02-06 22:40:58 +0300
committer	Douwe Maan <douwe@gitlab.com>	2018-02-06 22:40:58 +0300
commit	b0f0ad050b106e7cfcae350ca299f505a992ef7a (patch)
tree	16bcdb6c961354a995fb9e4cb00cefb9270f70cd /lib
parent	bc59a5d0a52d7ccf6e61468ec72346b57e6f4265 (diff)
parent	c51eb79bbe62a7f02a2fd0c826b7af0b7573fa4c (diff)