Merge pull request gitlabhq#230 from bozaro/git-lfs-authenticate

Add git-lfs-authenticate to command white list

Author: dzaporozhets

README.md

@@ -139,3 +139,32 @@ List all keys:
 Remove all keys from authorized_keys file:
 
  ./bin/gitlab-keys clear
+
+## Git LFS remark
+
+If you want to play with git-lfs (https://git-lfs.github.com/) on GitLab, you should do the following:
+
+ * Install LFS-server (no production-ready implementation yet, but you can use https://github.com/github/lfs-test-server) on any host;
+ * Add some user on LFS-server (for example: user ```foo``` with password ```bar```);
+ * Add ```git-lfs-authenticate``` script in any PATH-available directory on GIT-server like this:
+```
+#!/bin/sh
+echo "{
+ \"href\": \"http://lfs.test.local:9999/test/test\",
+ \"header\": {
+ \"Authorization\": \"Basic `echo -n foo:bar | base64`\"
+ }
+}"
+ ```
+
+After that you can play with git-lfs (git-lfs feature will be available via ssh protocol).
+
+This design will work without a script git-lfs-authenticate, but with the following limitations:
+
+ * You will need to manually configure lfs-server URL for every user working copy;
+ * SSO don't work and you need to manually add lfs-server credentials for every user working copy (otherwise, git-lfs will ask for the password for each file).
+
+Usefull links:
+
+ * https://github.com/github/git-lfs/tree/master/docs/api - Git LFS API, also contains more information about ```git-lfs-authenticate```;
+ * https://github.com/github/git-lfs/wiki/Implementations - Git LFS-server implementations.

lib/gitlab_shell.rb

@@ -7,7 +7,7 @@ class AccessDeniedError < StandardError; end
  class DisallowedCommandError < StandardError; end
  class InvalidRepositoryPathError < StandardError; end
 
- GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell).freeze
+ GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell git-lfs-authenticate).freeze
 
  attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name
 
@@ -56,24 +56,37 @@ def exec
  def parse_cmd
  args = Shellwords.shellwords(@origin_cmd)
  @git_cmd = args.first
+ @git_access = @git_cmd
 
  raise DisallowedCommandError unless GIT_COMMANDS.include?(@git_cmd)
 
- if @git_cmd == 'git-annex-shell'
+ case @git_cmd
+ when 'git-annex-shell'
  raise DisallowedCommandError unless @config.git_annex_enabled?
 
  @repo_name = escape_path(args[2].sub(/\A\/~\//, ''))
 
  # Make sure repository has git-annex enabled
  init_git_annex(@repo_name)
+ when 'git-lfs-authenticate'
+ raise DisallowedCommandError unless args.count >= 2
+ @repo_name = escape_path(args[1])
+ case args[2]
+ when 'download'
+ @git_access = 'git-upload-pack'
+ when 'upload'
+ @git_access = 'git-receive-pack'
+ else
+ raise DisallowedCommandError
+ end
  else
  raise DisallowedCommandError unless args.count == 2
  @repo_name = escape_path(args.last)
  end
  end
 
  def verify_access
- status = api.check_access(@git_cmd, @repo_name, @key_id, '_any')
+ status = api.check_access(@git_access, @repo_name, @key_id, '_any')
 
  raise AccessDeniedError, status.message unless status.allowed?
  end