diff options
Diffstat (limited to 'lib/api/internal/base.rb')
-rw-r--r-- | lib/api/internal/base.rb | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/lib/api/internal/base.rb b/lib/api/internal/base.rb index f9dc888fbeb..87b3838fb85 100644 --- a/lib/api/internal/base.rb +++ b/lib/api/internal/base.rb @@ -4,12 +4,18 @@ module API # Internal access API module Internal class Base < ::API::Base + include Gitlab::RackLoadBalancingHelpers + before { authenticate_by_gitlab_shell_token! } before do api_endpoint = env['api.endpoint'] feature_category = api_endpoint.options[:for].try(:feature_category_for_app, api_endpoint).to_s + if actor.user + load_balancer_stick_request(::User, :user, actor.user.id) + end + Gitlab::ApplicationContext.push( user: -> { actor&.user }, project: -> { project }, @@ -49,6 +55,11 @@ module API env = parse_env Gitlab::Git::HookEnv.set(gl_repository, env) if container + # Snapshot repositories have different relative path than the main repository. For access + # checks that need quarantined objects the relative path in also sent with Gitaly RPCs + # calls as a header. + populate_relative_path(params[:relative_path]) + actor.update_last_used_at! check_result = access_check_result @@ -66,7 +77,8 @@ module API git_config_options: ["uploadpack.allowFilter=true", "uploadpack.allowAnySHA1InWant=true"], gitaly: gitaly_payload(params[:action]), - gl_console_messages: check_result.console_messages + gl_console_messages: check_result.console_messages, + need_audit: need_git_audit_event? }.merge!(actor.key_details) # Custom option for git-receive-pack command @@ -77,7 +89,9 @@ module API payload[:git_config_options] << "receive.maxInputSize=#{receive_max_input_size.megabytes}" end - send_git_audit_streaming_event(protocol: params[:protocol], action: params[:action]) + unless Feature.enabled?(:log_git_streaming_audit_events, project) + send_git_audit_streaming_event(protocol: params[:protocol], action: params[:action]) + end response_with_status(**payload) when ::Gitlab::GitAccessResult::CustomAction @@ -88,6 +102,12 @@ module API end # rubocop: enable Metrics/AbcSize + def populate_relative_path(relative_path) + return unless Gitlab::SafeRequestStore.active? + + Gitlab::SafeRequestStore[:gitlab_git_relative_path] = relative_path + end + def validate_actor(actor) return 'Could not find the given key' unless actor.key @@ -112,6 +132,7 @@ module API # username - user name for Git over SSH in keyless SSH cert mode # protocol - Git access protocol being used, e.g. HTTP or SSH # project - project full_path (not path on disk) + # relative_path - relative path of repository having access checks performed. # action - git action (git-upload-pack or git-receive-pack) # changes - changes as "oldrev newrev ref", see Gitlab::ChangesList # check_ip - optional, only in EE version, may limit access to |