Merge branch 'gitlab-shell' of dev.gitlabhq.com:gitlab/gitlabhq

12 files changed, 135 insertions, 394 deletions

diff --git a/lib/api.rb b/lib/api.rb
index 81a5919f1d3..d9dce7c70cc 100644
--- a/lib/api.rb
+++ b/lib/api.rb
@@ -20,5 +20,6 @@ module Gitlab
     mount Session
     mount MergeRequests
     mount Notes
+    mount Internal
   end
 end
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
new file mode 100644
index 00000000000..3e5e3a478ba
--- /dev/null
+++ b/lib/api/internal.rb
@@ -0,0 +1,49 @@
+module Gitlab
+  # Internal access API
+  class Internal < Grape::API
+    namespace 'internal' do
+      #
+      # Check if ssh key has access to project code
+      #
+      get "/allowed" do
+        key = Key.find(params[:key_id])
+        project = Project.find_with_namespace(params[:project])
+        git_cmd = params[:action]
+
+        if key.is_deploy_key
+          project == key.project && git_cmd == 'git-upload-pack'
+        else
+          user = key.user
+          action = case git_cmd
+                   when 'git-upload-pack'
+                     then :download_code
+                   when 'git-receive-pack'
+                     then
+                     if project.protected_branch?(params[:ref])
+                       :push_code_to_protected_branches
+                     else
+                       :push_code
+                     end
+                   end
+
+          user.can?(action, project)
+        end
+      end
+
+      #
+      # Discover user by ssh key
+      #
+      get "/discover" do
+        key = Key.find(params[:key_id])
+        present key.user, with: Entities::User
+      end
+
+      get "/check" do
+        {
+          api_version: '3'
+        }
+      end
+    end
+  end
+end
+
diff --git a/lib/gitlab/backend/gitolite.rb b/lib/gitlab/backend/gitolite.rb
deleted file mode 100644
index cd9ac1554d6..00000000000
--- a/lib/gitlab/backend/gitolite.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-require_relative 'gitolite_config'
-
-module Gitlab
-  class Gitolite
-    class AccessDenied < StandardError; end
-
-    def config
-      Gitlab::GitoliteConfig.new
-    end
-
-    # Update gitolite config with new key
-    #
-    # Ex.
-    #   set_key("m_gitlab_com_12343", "sha-rsa ...", [2, 3, 6])
-    #
-    def set_key(key_id, key_content, project_ids)
-      projects = Project.where(id: project_ids)
-
-      config.apply do |config|
-        config.write_key(key_id, key_content)
-        config.update_projects(projects)
-      end
-    end
-
-    # Remove ssh key from gitolite config
-    #
-    # Ex.
-    #   remove_key("m_gitlab_com_12343", [2, 3, 6])
-    #
-    def remove_key(key_id, project_ids)
-      projects = Project.where(id: project_ids)
-
-      config.apply do |config|
-        config.rm_key(key_id)
-        config.update_projects(projects)
-      end
-    end
-
-    # Update project config in gitolite by project id
-    #
-    # Ex.
-    #   update_repository(23)
-    #
-    def update_repository(project_id)
-      project = Project.find(project_id)
-      config.update_project!(project)
-    end
-
-    def move_repository(old_repo, project)
-      config.apply do |config|
-        config.clean_repo(old_repo)
-        config.update_project(project)
-      end
-    end
-
-    # Remove repository from gitolite
-    #
-    # name - project path with namespace
-    #
-    # Ex.
-    #   remove_repository("gitlab/gitlab-ci")
-    #
-    def remove_repository(name)
-      config.destroy_project!(name)
-    end
-
-    # Update projects configs in gitolite by project ids
-    #
-    # Ex.
-    #   update_repositories([1, 4, 6])
-    #
-    def update_repositories(project_ids)
-      projects = Project.where(id: project_ids)
-
-      config.apply do |config|
-        config.update_projects(projects)
-      end
-    end
-
-    def url_to_repo path
-      Gitlab.config.gitolite.ssh_path_prefix + "#{path}.git"
-    end
-
-    def enable_automerge
-      config.admin_all_repo!
-    end
-
-    alias_method :create_repository, :update_repository
-  end
-end
diff --git a/lib/gitlab/backend/gitolite_config.rb b/lib/gitlab/backend/gitolite_config.rb
deleted file mode 100644
index 748f9d74390..00000000000
--- a/lib/gitlab/backend/gitolite_config.rb
+++ /dev/null
@@ -1,241 +0,0 @@
-require 'gitolite'
-require 'timeout'
-require 'fileutils'
-
-module Gitlab
-  class GitoliteConfig
-    include Gitlab::Popen
-
-    class PullError < StandardError; end
-    class PushError < StandardError; end
-    class BrokenGitolite < StandardError; end
-
-    attr_reader :config_tmp_dir, :tmp_dir, :ga_repo, :conf
-
-    def initialize
-      @tmp_dir = Rails.root.join("tmp").to_s
-      @config_tmp_dir = File.join(@tmp_dir,"gitlabhq-gitolite-#{Time.now.to_i}")
-    end
-
-    def ga_repo
-      @ga_repo ||= ::Gitolite::GitoliteAdmin.new(
-        File.join(config_tmp_dir,'gitolite'),
-        conf: Gitlab.config.gitolite.config_file
-      )
-    end
-
-    def apply
-      Timeout::timeout(30) do
-        File.open(File.join(tmp_dir, "gitlabhq-gitolite.lock"), "w+") do |f|
-          begin
-            # Set exclusive lock
-            # to prevent race condition
-            f.flock(File::LOCK_EX)
-
-            # Pull gitolite-admin repo
-            # in tmp dir before do any changes
-            pull
-
-            # Build ga_repo object and @conf
-            # to access gitolite-admin configuration
-            @conf = ga_repo.config
-
-            # Do any changes
-            # in gitolite-admin
-            # config here
-            yield(self)
-
-            # Save changes in
-            # gitolite-admin repo
-            # before push it
-            ga_repo.save
-
-            # Push gitolite-admin repo
-            # to apply all changes
-            push
-          ensure
-            # Remove tmp dir
-            # removing the gitolite folder first is important to avoid
-            # NFS issues.
-            FileUtils.rm_rf(File.join(config_tmp_dir, 'gitolite'))
-
-            # Remove parent tmp dir
-            FileUtils.rm_rf(config_tmp_dir)
-
-            # Unlock so other task can access
-            # gitolite configuration
-            f.flock(File::LOCK_UN)
-          end
-        end
-      end
-    rescue PullError => ex
-      log("Pull error ->  " + ex.message)
-      raise Gitolite::AccessDenied, ex.message
-
-    rescue PushError => ex
-      log("Push error ->  " + " " + ex.message)
-      raise Gitolite::AccessDenied, ex.message
-
-    rescue BrokenGitolite => ex
-      log("Gitolite error ->  " + " " + ex.message)
-      raise Gitolite::AccessDenied, ex.message
-
-    rescue Exception => ex
-      log(ex.class.name + " " + ex.message)
-      raise Gitolite::AccessDenied.new("gitolite timeout")
-    end
-
-    def log message
-      Gitlab::GitLogger.error(message)
-    end
-
-    def path_to_repo(name)
-      File.join(Gitlab.config.gitolite.repos_path, "#{name}.git")
-    end
-
-    def destroy_project(name)
-      full_path = path_to_repo(name)
-      FileUtils.rm_rf(full_path) if File.exists?(full_path)
-      conf.rm_repo(name)
-    end
-
-    def clean_repo repo_name
-      conf.rm_repo(repo_name)
-    end
-
-    def destroy_project!(project)
-      apply do |config|
-        config.destroy_project(project)
-      end
-    end
-
-    def write_key(id, key)
-      File.open(File.join(config_tmp_dir, 'gitolite/keydir',"#{id}.pub"), 'w') do |f|
-        f.write(key.gsub(/\n/,''))
-      end
-    end
-
-    def rm_key(user)
-      key_path = File.join(config_tmp_dir, 'gitolite/keydir', "#{user}.pub")
-      ga_key = ::Gitolite::SSHKey.from_file(key_path)
-      ga_repo.rm_key(ga_key)
-    end
-
-    # update or create
-    def update_project(project)
-      repo = update_project_config(project, conf)
-      conf.add_repo(repo, true)
-    end
-
-    def update_project!( project)
-      apply do |config|
-        config.update_project(project)
-      end
-    end
-
-    # Updates many projects and uses project.path_with_namespace as the repo path
-    # An order of magnitude faster than update_project
-    def update_projects(projects)
-      projects.each do |project|
-        repo = update_project_config(project, conf)
-        conf.add_repo(repo, true)
-      end
-    end
-
-    def update_project_config(project, conf)
-      repo_name = project.path_with_namespace
-
-      repo = if conf.has_repo?(repo_name)
-               conf.get_repo(repo_name)
-             else
-               ::Gitolite::Config::Repo.new(repo_name)
-             end
-
-      name_readers = project.team.repository_readers
-      name_writers = project.team.repository_writers
-      name_masters = project.team.repository_masters
-
-      pr_br = project.protected_branches.map(&:name).join("$ ")
-
-      repo.clean_permissions
-
-      # Deny access to protected branches for writers
-      unless name_writers.blank? || pr_br.blank?
-        repo.add_permission("-", pr_br.strip + "$ ", name_writers)
-      end
-
-      # Add read permissions
-      repo.add_permission("R", "", name_readers) unless name_readers.blank?
-
-      # Add write permissions
-      repo.add_permission("RW+", "", name_writers) unless name_writers.blank?
-      repo.add_permission("RW+", "", name_masters) unless name_masters.blank?
-
-      # Add sharedRepository config
-      repo.set_git_config("core.sharedRepository", "0660")
-
-      repo
-    end
-
-    # Enable access to all repos for gitolite admin.
-    # We use it for accept merge request feature
-    def admin_all_repo
-      owner_name = Gitlab.config.gitolite.admin_key
-
-      # @ALL repos premission for gitolite owner
-      repo_name = "@all"
-      repo = if conf.has_repo?(repo_name)
-               conf.get_repo(repo_name)
-             else
-               ::Gitolite::Config::Repo.new(repo_name)
-             end
-
-      repo.add_permission("RW+", "", owner_name)
-      conf.add_repo(repo, true)
-    end
-
-    def admin_all_repo!
-      apply { |config| config.admin_all_repo }
-    end
-
-    private
-
-    def pull
-      # Create config tmp dir like "RAILS_ROOT/tmp/gitlabhq-gitolite-132545"
-      Dir.mkdir config_tmp_dir
-
-      # Clone gitolite-admin repo into tmp dir
-      popen("git clone #{Gitlab.config.gitolite.admin_uri} #{config_tmp_dir}/gitolite", tmp_dir)
-
-      # Ensure file with config presents after cloning
-      unless File.exists?(File.join(config_tmp_dir, 'gitolite', 'conf', 'gitolite.conf'))
-        raise PullError, "unable to clone gitolite-admin repo"
-      end
-    end
-
-    def push
-      output, status = popen('git add -A', tmp_conf_path)
-      raise "Git add failed." unless status.zero?
-
-      # git commit returns 0 on success, and 1 if there is nothing to commit
-      output, status = popen('git commit -m "GitLab"', tmp_conf_path)
-      raise "Git add failed." unless [0,1].include?(status)
-
-      output, status = popen('git push', tmp_conf_path)
-
-      if output =~ /remote\: FATAL/
-        raise BrokenGitolite, output
-      end
-
-      if status.zero? || output =~ /Everything up\-to\-date/
-        return true
-      else
-        raise PushError, "unable to push gitolite-admin repo"
-      end
-    end
-
-    def tmp_conf_path
-      File.join(config_tmp_dir,'gitolite')
-    end
-  end
-end
diff --git a/lib/gitlab/backend/shell.rb b/lib/gitlab/backend/shell.rb
new file mode 100644
index 00000000000..50ebfc5b07c
--- /dev/null
+++ b/lib/gitlab/backend/shell.rb
@@ -0,0 +1,50 @@
+module Gitlab
+  class Shell
+    class AccessDenied < StandardError; end
+
+    # Init new repository
+    #
+    # name - project path with namespace
+    #
+    # Ex.
+    #   add_repository("gitlab/gitlab-ci")
+    #
+    def add_repository(name)
+      system("/home/git/gitlab-shell/bin/gitlab-projects add-project #{name}.git")
+    end
+
+    # Remove repository from file system
+    #
+    # name - project path with namespace
+    #
+    # Ex.
+    #   remove_repository("gitlab/gitlab-ci")
+    #
+    def remove_repository(name)
+      system("/home/git/gitlab-shell/bin/gitlab-projects rm-project #{name}.git")
+    end
+
+    # Add new key to gitlab-shell
+    #
+    # Ex.
+    #   add_key("key-42", "sha-rsa ...")
+    #
+    def add_key(key_id, key_content)
+      system("/home/git/gitlab-shell/bin/gitlab-keys add-key #{key_id} \"#{key_content}\"")
+    end
+
+    # Remove ssh key from gitlab shell
+    #
+    # Ex.
+    #   remove_key("key-342", "sha-rsa ...")
+    #
+    def remove_key(key_id, key_content)
+      system("/home/git/gitlab-shell/bin/gitlab-keys rm-key #{key_id} \"#{key_content}\"")
+    end
+
+
+    def url_to_repo path
+      Gitlab.config.gitolite.ssh_path_prefix + "#{path}.git"
+    end
+  end
+end
diff --git a/lib/gitlab/satellite/satellite.rb b/lib/gitlab/satellite/satellite.rb
index 95273a6d208..e7f7a7673b5 100644
--- a/lib/gitlab/satellite/satellite.rb
+++ b/lib/gitlab/satellite/satellite.rb
@@ -30,10 +30,10 @@ module Gitlab
       end
 
       def create
-        output, status = popen("git clone #{project.url_to_repo} #{path}",
+        output, status = popen("git clone #{project.repository.path_to_repo} #{path}",
                                Gitlab.config.satellites.path)
 
-        log("PID: #{project.id}: git clone #{project.url_to_repo} #{path}")
+        log("PID: #{project.id}: git clone #{project.repository.path_to_repo} #{path}")
         log("PID: #{project.id}: -> #{output}")
 
         if status.zero?
diff --git a/lib/gitolited.rb b/lib/gitolited.rb
index 68b9b625525..4911a473f05 100644
--- a/lib/gitolited.rb
+++ b/lib/gitolited.rb
@@ -6,6 +6,6 @@
 #
 module Gitolited
   def gitolite
-    Gitlab::Gitolite.new
+    Gitlab::Shell.new
   end
 end
diff --git a/lib/hooks/post-receive b/lib/hooks/post-receive
deleted file mode 100755
index 6944d3e3f72..00000000000
--- a/lib/hooks/post-receive
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-# Version 4.1
-# This file was placed here by GitLab. It makes sure that your pushed commits
-# will be processed properly.
-
-while read oldrev newrev ref
-do
-  # For every branch or tag that was pushed, create a Resque job in redis.
-  repo_path=`pwd`
-  env -i redis-cli rpush "resque:gitlab:queue:post_receive" "{\"class\":\"PostReceive\",\"args\":[\"$repo_path\",\"$oldrev\",\"$newrev\",\"$ref\",\"$GL_USER\"]}" > /dev/null 2>&1
-done
diff --git a/lib/support/rewrite-hooks.sh b/lib/support/rewrite-hooks.sh
deleted file mode 100755
index b8fd36b9a1e..00000000000
--- a/lib/support/rewrite-hooks.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-src="/home/git/repositories"
-
-for dir in `ls "$src/"`
-do
-  if [ -d "$src/$dir" ]; then
-
-    if [ "$dir" = "gitolite-admin.git" ]
-    then
-      continue 
-    fi
-
-    if [[ "$dir" =~ ^.*.git$ ]]
-    then
-      project_hook="$src/$dir/hooks/post-receive"
-      gitolite_hook="/home/git/.gitolite/hooks/common/post-receive"
-
-      ln -s -f $gitolite_hook $project_hook
-    else
-      for subdir in `ls "$src/$dir/"`
-      do
-        if [ -d "$src/$dir/$subdir" ] && [[ "$subdir" =~ ^.*.git$ ]]; then
-          project_hook="$src/$dir/$subdir/hooks/post-receive"
-          gitolite_hook="/home/git/.gitolite/hooks/common/post-receive"
-
-          ln -s -f $gitolite_hook $project_hook
-        fi
-      done
-    fi
-  fi
-done
diff --git a/lib/support/truncate_repositories.sh b/lib/support/truncate_repositories.sh
deleted file mode 100755
index 3b14e2ee362..00000000000
--- a/lib/support/truncate_repositories.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-echo "Danger!!! Data Loss"
-while true; do
-  read -p "Do you wish to all directories except gitolite-admin.git from /home/git/repositories/ (y/n) ?:  " yn
-  case $yn in
-    [Yy]* ) sh -c "find /home/git/repositories/. -maxdepth 1  -not -name 'gitolite-admin.git' -not -name '.' | xargs sudo rm -rf"; break;;
-    [Nn]* ) exit;;
-    * ) echo "Please answer yes or no.";;
-  esac
-done
diff --git a/lib/tasks/gitlab/enable_automerge.rake b/lib/tasks/gitlab/enable_automerge.rake
index e92da81021f..a89c6eaa5c4 100644
--- a/lib/tasks/gitlab/enable_automerge.rake
+++ b/lib/tasks/gitlab/enable_automerge.rake
@@ -3,11 +3,6 @@ namespace :gitlab do
   task :enable_automerge => :environment do
     warn_user_is_not_gitlab
 
-    puts "Updating repo permissions ..."
-    Gitlab::Gitolite.new.enable_automerge
-    puts "... #{"done".green}"
-    puts ""
-
     print "Creating satellites for ..."
     unless Project.count > 0
       puts "skipping, because you have no projects".magenta
diff --git a/lib/tasks/gitlab/shell.rake b/lib/tasks/gitlab/shell.rake
new file mode 100644
index 00000000000..25713482ed8
--- /dev/null
+++ b/lib/tasks/gitlab/shell.rake
@@ -0,0 +1,32 @@
+namespace :gitlab do
+  namespace :shell do
+    desc "GITLAB | Setup gitlab-shell"
+    task :setup => :environment do
+      setup
+    end
+  end
+
+  def setup
+    warn_user_is_not_gitlab
+
+    puts "This will rebuild an authorized_keys file."
+    puts "You will lose any data stored in /home/git/.ssh/authorized_keys."
+    ask_to_continue
+    puts ""
+
+    system("echo '# Managed by gitlab-shell' > /home/git/.ssh/authorized_keys")
+
+    Key.find_each(:batch_size => 1000) do |key|
+      if Gitlab::Shell.new.add_key(key.shell_id, key.key)
+        print '.'
+      else
+        print 'F'
+      end
+    end
+
+  rescue Gitlab::TaskAbortedByUserError
+    puts "Quitting...".red
+    exit 1
+  end
+end
+