
Diffstat (limited to 'lib/gitlab/git_access.rb')
-rw-r--r--lib/gitlab/git_access.rb51
1 files changed, 41 insertions, 10 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 0576d1dd9db..e0b145f69aa 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -43,7 +43,7 @@ module Gitlab
ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
attr_reader :actor, :protocol, :authentication_abilities,
- :namespace_path, :redirected_path, :auth_result_type,
+ :repository_path, :redirected_path, :auth_result_type,
:cmd, :changes
attr_accessor :container
@@ -57,21 +57,16 @@ module Gitlab
raise ArgumentError, "No error message defined for #{key}"
end
- def initialize(actor, container, protocol, authentication_abilities:, namespace_path: nil, repository_path: nil, redirected_path: nil, auth_result_type: nil)
+ def initialize(actor, container, protocol, authentication_abilities:, repository_path: nil, redirected_path: nil, auth_result_type: nil)
@actor = actor
@container = container
@protocol = protocol
@authentication_abilities = Array(authentication_abilities)
- @namespace_path = namespace_path
@repository_path = repository_path
@redirected_path = redirected_path
@auth_result_type = auth_result_type
end
- def repository_path
- @repository_path ||= project&.path
- end
-
def check(cmd, changes)
@changes = changes
@cmd = cmd
@@ -82,6 +77,7 @@ module Gitlab
check_authentication_abilities!
check_command_disabled!
check_command_existence!
+ check_otp_session!
custom_action = check_custom_action
return custom_action if custom_action
@@ -259,6 +255,31 @@ module Gitlab
end
end
+ def check_otp_session!
+ return unless ssh?
+ return if !key? || deploy_key?
+ return unless Feature.enabled?(:two_factor_for_cli)
+ return unless user.two_factor_enabled?
+
+ if ::Gitlab::Auth::Otp::SessionEnforcer.new(actor).access_restricted?
+ message = "OTP verification is required to access the repository.\n\n"\
+ " Use: #{build_ssh_otp_verify_command}"
+
+ raise ForbiddenError, message
+ end
+ end
+
+ def build_ssh_otp_verify_command
+ user = "#{Gitlab.config.gitlab_shell.ssh_user}@" unless Gitlab.config.gitlab_shell.ssh_user.empty?
+ user_host = "#{user}#{Gitlab.config.gitlab_shell.ssh_host}"
+
+ if Gitlab.config.gitlab_shell.ssh_port != 22
+ "ssh #{user_host} -p #{Gitlab.config.gitlab_shell.ssh_port} 2fa_verify"
+ else
+ "ssh #{user_host} 2fa_verify"
+ end
+ end
+
def check_db_accessibility!
return unless receive_pack?
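Review bot: In `build_ssh_otp_verify_command` the local `user` shadows the `user` reader that `check_otp_session!` relies on a few lines up (`user.two_factor_enabled?`), and it is left `nil` when `ssh_user` is empty, which only works because `nil` interpolates as an empty string; `ssh_user_prefix = Gitlab.config.gitlab_shell.ssh_user.empty? ? '' : "#{Gitlab.config.gitlab_shell.ssh_user}@"` says what is meant without the shadowing. The `ssh_port != 22` comparison assumes the setting is already an Integer — if it can arrive as a String from the YAML config, `-p` is always emitted, so `.to_i != 22` is safer; please confirm how that setting is typed. Enforcement is deliberately skipped for non-Key actors and deploy keys (`return if !key? || deploy_key?`), which is reasonable if the OTP session is presumably tied to a user's SSH key, but a comment such as `# Only user SSH keys carry an OTP session; deploy keys and non-key actors are out of scope here` would stop a later reader from reading that guard as a bypass. Note also that `Feature.enabled?(:two_factor_for_cli)` is checked without a scope, so the flag is all-or-nothing rather than per-user.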
@@ -324,11 +345,11 @@ module Gitlab
end
def check_change_access!
- # Deploy keys with write access can push anything
- return if deploy_key?
+ return if deploy_key? && !deploy_keys_on_protected_branches_enabled?
if changes == ANY
- can_push = user_can_push? ||
+ can_push = (deploy_key? && deploy_keys_on_protected_branches_enabled?) ||
+ user_can_push? ||
project&.any_branch_allows_collaboration?(user_access.user)
unless can_push
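Review bot: The second `deploy_keys_on_protected_branches_enabled?` call on the `can_push` line is redundant with the guard two lines above it: a deploy key only reaches that line when the flag is on, so `can_push = deploy_key? || user_can_push? || project&.any_branch_allows_collaboration?(user_access.user)` is equivalent and reads more clearly. Keeping two separate `Feature.enabled?` evaluations also opens a window where the guard and the `can_push` check could disagree if the flag were ever rolled out by percentage of time rather than per project; evaluating it once avoids that. `check_change_access!` continues past the end of the hunk, so the per-change branch checks that apply when `changes != ANY` are not visible here.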
@@ -404,6 +425,10 @@ module Gitlab
protocol == 'http'
end
+ def ssh?
+ protocol == 'ssh'
+ end
+
def upload_pack?
cmd == 'git-upload-pack'
end
@@ -454,6 +479,8 @@ module Gitlab
CiAccess.new
elsif user && request_from_ci_build?
BuildAccess.new(user, container: container)
+ elsif deploy_key? && deploy_keys_on_protected_branches_enabled?
+ DeployKeyAccess.new(deploy_key, container: container)
else
UserAccess.new(user, container: container)
end
@@ -531,6 +558,10 @@ module Gitlab
def size_checker
container.repository_size_checker
end
+
+ def deploy_keys_on_protected_branches_enabled?
+ Feature.enabled?(:deploy_keys_on_protected_branches, project)
+ end
end
end
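Review bot: `deploy_keys_on_protected_branches_enabled?` re-evaluates `Feature.enabled?` on every call, and the new code consults it from both `check_change_access!` and the `user_access` dispatch during a single `check`; if the flag is ever rolled out by percentage of time, the guard and the access object could land on different sides of it for the same push. Memoizing it once per GitAccess instance, e.g. `return @deploy_keys_on_protected_branches_enabled if defined?(@deploy_keys_on_protected_branches_enabled)` followed by `@deploy_keys_on_protected_branches_enabled = Feature.enabled?(:deploy_keys_on_protected_branches, project)`, keeps one request on one side of the flag (a plain `||=` would re-query whenever the answer is false). Whether this flag is ever percentage-of-time rolled out is not visible here, so confirm before adding the complexity.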