internal/gitlabnet/accessverifier/client.go
// Package accessverifier provides functionality for verifying access to GitLab resources
package accessverifier
import (
"context"
"fmt"
"net/http"
pb "gitlab.com/gitlab-org/gitaly/v16/proto/go/gitalypb"
"gitlab.com/gitlab-org/gitlab-shell/v14/client"
"gitlab.com/gitlab-org/gitlab-shell/v14/internal/command/commandargs"
"gitlab.com/gitlab-org/gitlab-shell/v14/internal/config"
"gitlab.com/gitlab-org/gitlab-shell/v14/internal/gitlabnet"
)
const (
sshProtocol = "ssh"
anyChanges = "_any"
)
// Client is a client for accessing resources
type Client struct {
client *client.GitlabNetClient
}
// Request represents a request for accessing resources
type Request struct {
Action commandargs.CommandType `json:"action"`
Repo string `json:"project"`
Changes string `json:"changes"`
Protocol string `json:"protocol"`
KeyID string `json:"key_id,omitempty"`
Username string `json:"username,omitempty"`
Krb5Principal string `json:"krb5principal,omitempty"`
CheckIP string `json:"check_ip,omitempty"`
// NamespacePath is the full path of the namespace in which the authenticated
// user is allowed to perform operation.
NamespacePath string `json:"namespace_path,omitempty"`
}
// Gitaly represents Gitaly server information
type Gitaly struct {
Repo pb.Repository `json:"repository"`
Address string `json:"address"`
Token string `json:"token"`
Features map[string]string `json:"features"`
}
// CustomPayloadData represents custom payload data
type CustomPayloadData struct {
APIEndpoints []string `json:"api_endpoints"`
Username string `json:"gl_username"`
PrimaryRepo string `json:"primary_repo"`
UserID string `json:"gl_id,omitempty"`
RequestHeaders map[string]string `json:"request_headers"`
GeoProxyDirectToPrimary bool `json:"geo_proxy_direct_to_primary"`
GeoProxyFetchDirectToPrimary bool `json:"geo_proxy_fetch_direct_to_primary"`
GeoProxyFetchDirectToPrimaryWithOptions bool `json:"geo_proxy_fetch_direct_to_primary_with_options"`
}
// CustomPayload represents a custom payload
type CustomPayload struct {
Action string `json:"action"`
Data CustomPayloadData `json:"data"`
}
// Response represents a response from GitLab
type Response struct {
Success bool `json:"status"`
Message string `json:"message"`
Repo string `json:"gl_repository"`
UserID string `json:"gl_id"`
KeyType string `json:"gl_key_type"`
KeyID int `json:"gl_key_id"`
ProjectID int `json:"gl_project_id"`
RootNamespaceID int `json:"gl_root_namespace_id"`
Username string `json:"gl_username"`
GitConfigOptions []string `json:"git_config_options"`
Gitaly Gitaly `json:"gitaly"`
GitProtocol string `json:"git_protocol"`
Payload CustomPayload `json:"payload"`
ConsoleMessages []string `json:"gl_console_messages"`
Who string
StatusCode int
// NeedAudit indicates whether git event should be audited to rails.
NeedAudit bool `json:"need_audit"`
}
// NewClient creates a new instance of Client
func NewClient(config *config.Config) (*Client, error) {
client, err := gitlabnet.GetClient(config)
if err != nil {
return nil, fmt.Errorf("error creating http client: %v", err)
}
return &Client{client: client}, nil
}
// Verify verifies access to a GitLab resource
func (c *Client) Verify(ctx context.Context, args *commandargs.Shell, action commandargs.CommandType, repo string) (*Response, error) {
request := &Request{
Action: action,
Repo: repo,
Changes: anyChanges,
Protocol: sshProtocol,
NamespacePath: args.Env.NamespacePath,
}
switch {
case args.GitlabUsername != "":
request.Username = args.GitlabUsername
case args.GitlabKrb5Principal != "":
request.Krb5Principal = args.GitlabKrb5Principal
default:
request.KeyID = args.GitlabKeyId
}
request.CheckIP = gitlabnet.ParseIP(args.Env.RemoteAddr)
response, err := c.client.Post(ctx, "/allowed", request)
if err != nil {
return nil, err
}
defer func() { _ = response.Body.Close() }()
return parse(response, args)
}
func parse(hr *http.Response, args *commandargs.Shell) (*Response, error) {
response := &Response{}
if err := gitlabnet.ParseJSON(hr, response); err != nil {
return nil, err
}
if args.GitlabKeyId != "" {
response.Who = "key-" + args.GitlabKeyId
} else {
response.Who = response.UserID
}
response.StatusCode = hr.StatusCode
return response, nil
}
// IsCustomAction checks if the response indicates a custom action
func (r *Response) IsCustomAction() bool {
return r.StatusCode == http.StatusMultipleChoices
}