1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
# frozen_string_literal: true
module API
module Internal
class Shellhorse < ::API::Base
before { authenticate_by_gitlab_shell_or_workhorse_token! }
helpers ::API::Helpers::InternalHelpers
COMMANDS_TO_AUDIT = %w[git-upload-pack git-receive-pack].freeze
helpers do
def check_clone_or_pull_or_push_verb(params)
return 'push' if params[:action] == 'git-receive-pack'
# we must set the default value for wants/haves because
# gitlab shell/workhorse will trim the whole posted params
# json key if its value is 0
wants = haves = 0
if params.key?(:packfile_stats)
wants = Integer(params[:packfile_stats][:wants]) if params[:packfile_stats][:wants].present?
haves = Integer(params[:packfile_stats][:haves]) if params[:packfile_stats][:haves].present?
end
wants > 0 && haves == 0 ? 'clone' : 'pull'
end
end
namespace 'internal' do
namespace 'shellhorse' do
params do
requires :action, type: String
requires :protocol, type: String
requires :gl_repository, type: String # repository identifier, such as project-7
optional :packfile_stats, type: Hash do
# wants is the number of objects the client announced it wants.
optional :wants, type: Integer
# haves is the number of objects the client announced it has.
optional :haves, type: Integer
end
end
post '/git_audit_event', feature_category: :source_code_management do
unless COMMANDS_TO_AUDIT.include?(params[:action])
break response_with_status(code: 400, success: false, message: "No valid action specified")
end
check_result = access_check_result
break check_result if unsuccessful_response?(check_result)
unless need_git_audit_event?
break response_with_status(code: 200, success: false, message: "No git audit event needed")
end
unless check_result.is_a?(::Gitlab::GitAccessResult::Success)
break response_with_status(code: 500, success: false,
message: ::API::Helpers::InternalHelpers::UNKNOWN_CHECK_RESULT_ERROR)
end
msg = {
protocol: params[:protocol],
action: params[:action],
verb: check_clone_or_pull_or_push_verb(params)
}
send_git_audit_streaming_event(msg)
response_with_status(message: msg)
end
end
end
end
end
end
API::Internal::Shellhorse.prepend_mod_with('API::Internal::Shellhorse')
|