manuelcillero/suitepro
manuelcillero/suitepro
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Elimina el plugin Redmine Git Hosting

Browse source 
Finalmente se descarta por los problemas de configuración y potencial
brecha de seguridad al requerir acceso global al puerto ssh.
This commit is contained in:
Manuel Cillero 2020-12-06 11:46:44 +01:00
parent bdd66d941f
commit 0edadcfed8
494 changed files with 0 additions and 36768 deletions
Download patch file Download diff file Expand all files Collapse all files

16
plugins/redmine_git_hosting/app/controllers/archived_repositories_controller.rb
View file

@ -1,16 +0,0 @@
class ArchivedRepositoriesController < RepositoriesController
skip_before_action :authorize
skip_before_action :find_project_repository, only: :index
before_action :can_view_archived_projects
def index
@archived_projects = Project.where("status = #{Project::STATUS_ARCHIVED}").includes(:repositories)
end
private
def can_view_archived_projects
render_403 unless User.current.admin?
end
end

31
plugins/redmine_git_hosting/app/controllers/concerns/xitolite_repository_finder.rb
View file

@ -1,31 +0,0 @@
module XitoliteRepositoryFinder
extend ActiveSupport::Concern
def find_xitolite_repository
begin
@repository = Repository::Xitolite.find(find_repository_param)
rescue ActiveRecord::RecordNotFound => e
render_404
else
@project = @repository.project
render_404 if @project.nil?
end
end
def find_xitolite_repository_by_path
repo_path = params[:repo_path] + '.git'
repository = Repository::Xitolite.find_by_path(repo_path, loose: true)
if repository.nil?
RedmineGitHosting.logger.error("GoRedirector : repository not found at path : '#{repo_path}', exiting !")
render_404
elsif !repository.go_access_available?
RedmineGitHosting.logger.error("GoRedirector : GoAccess is disabled for this repository '#{repository.gitolite_repository_name}', exiting !")
render_403
else
RedmineGitHosting.logger.info("GoRedirector : access granted for repository '#{repository.gitolite_repository_name}'")
@repository = repository
end
end
end

57
plugins/redmine_git_hosting/app/controllers/download_git_revision_controller.rb
View file

@ -1,57 +0,0 @@
class DownloadGitRevisionController < ApplicationController
include XitoliteRepositoryFinder
before_action :find_xitolite_repository
before_action :can_download_git_revision
before_action :set_download
before_action :validate_download
helper :bootstrap_kit
def index
begin
send_data(@download.content, filename: @download.filename, type: @download.content_type)
rescue => e
flash.now[:error] = l(:git_archive_timeout, timeout: e.output)
render_404
end
end
private
def find_repository_param
params[:id]
end
def can_download_git_revision
render_403 unless User.current.allowed_to_download?(@repository)
end
def set_download
@download = Repositories::DownloadRevision.new(@repository, download_revision, download_format)
end
def download_revision
@download_revision ||= (params[:rev] || 'master')
end
def download_format
@download_format ||= (params[:download_format] || 'tar')
end
def validate_download
if !@download.valid_commit?
flash.now[:error] = l(:error_download_revision_no_such_commit, commit: download_revision)
render_404
end
end
end

88
plugins/redmine_git_hosting/app/controllers/gitolite_public_keys_controller.rb
View file

@ -1,88 +0,0 @@
class GitolitePublicKeysController < ApplicationController
include RedmineGitHosting::GitoliteAccessor::Methods
before_action :require_login
before_action :find_user
before_action :find_gitolite_public_key, only: [:destroy]
helper :gitolite_public_keys
helper :bootstrap_kit
def index
@gitolite_user_keys = @user.gitolite_public_keys.user_key.order('title ASC, created_at ASC')
@gitolite_deploy_keys = @user.gitolite_public_keys.deploy_key.order('title ASC, created_at ASC')
end
def create
if params[:create_button]
@gitolite_public_key = @user.gitolite_public_keys.new
@gitolite_public_key.safe_attributes = params[:gitolite_public_key]
if @gitolite_public_key.save
create_ssh_key(@gitolite_public_key)
flash[:notice] = l(:notice_public_key_created, title: view_context.keylabel(@gitolite_public_key))
else
flash[:error] = @gitolite_public_key.errors.full_messages.to_sentence
end
redirect_to @redirect_url
else
redirect_to @cancel_url
end
end
def destroy
return unless request.delete?
if @gitolite_public_key.user == @user || @user.admin?
if @gitolite_public_key.destroy
destroy_ssh_key(@gitolite_public_key)
flash[:notice] = l(:notice_public_key_deleted, title: view_context.keylabel(@gitolite_public_key))
end
redirect_to @redirect_url
else
render_403
end
end
private
def find_user
if params[:user_id]
set_user_from_params
else
set_user_from_current_user
end
end
def set_user_from_params
@user = params[:user_id] == 'current' ? User.current : User.find_by(id: params[:user_id])
if @user
@cancel_url = @redirect_url = url_for(controller: 'users', action: 'edit', id: params[:user_id], tab: 'keys')
else
render_404
end
end
def set_user_from_current_user
if User.current.allowed_to_create_ssh_keys?
@user = User.current
@redirect_url = url_for(controller: 'gitolite_public_keys', action: 'index')
@cancel_url = url_for(controller: 'my', action: 'account')
else
render_403
end
end
def find_gitolite_public_key
@gitolite_public_key = @user.gitolite_public_keys.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
end
def create_ssh_key(ssh_key)
gitolite_accessor.create_ssh_key(ssh_key)
end
def destroy_ssh_key(ssh_key)
gitolite_accessor.destroy_ssh_key(ssh_key)
end
end

14
plugins/redmine_git_hosting/app/controllers/go_redirector_controller.rb
View file

@ -1,14 +0,0 @@
class GoRedirectorController < ApplicationController
include XitoliteRepositoryFinder
# prevents login action to be filtered by check_if_login_required application scope filter
skip_before_action :check_if_login_required, :verify_authenticity_token
before_action :find_xitolite_repository_by_path
def index
end
end

72
plugins/redmine_git_hosting/app/controllers/redmine_git_hosting_controller.rb
View file

@ -1,72 +0,0 @@
class RedmineGitHostingController < ApplicationController
include XitoliteRepositoryFinder
before_action :require_login
before_action :find_xitolite_repository
before_action :check_required_permissions
before_action :set_current_tab
layout(proc { |controller| controller.request.xhr? ? false : 'base' })
helper :bootstrap_kit
def show
respond_to do |format|
format.api
end
end
def edit; end
private
def find_repository_param
params[:repository_id]
end
def check_required_permissions
return render_403 unless @project.module_enabled?(:repository)
return true if User.current.admin?
return render_403 unless User.current.allowed_to_manage_repository?(@repository)
end
def check_xitolite_permissions
case action_name
when 'index', 'show'
perm = "view_#{controller_name}".to_sym
render_403 unless User.current.git_allowed_to?(perm, @repository)
when 'new', 'create'
perm = "create_#{controller_name}".to_sym
render_403 unless User.current.git_allowed_to?(perm, @repository)
when 'edit', 'update', 'destroy'
perm = "edit_#{controller_name}".to_sym
render_403 unless User.current.git_allowed_to?(perm, @repository)
end
end
def render_with_api
respond_to do |format|
format.html { render layout: false }
format.api
end
end
def render_js_redirect
respond_to do |format|
format.js { render js: "window.location = #{success_url.to_json};" }
format.html do
redirect_to success_url
end
end
end
def success_url
url_for(controller: 'repositories', action: 'edit', id: @repository.id, tab: @tab)
end
def call_use_case_and_redirect(opts = {})
# Update Gitolite repository
call_use_case(opts)
render_js_redirect
end
end

123
plugins/redmine_git_hosting/app/controllers/repository_deployment_credentials_controller.rb
View file

@ -1,123 +0,0 @@
class RepositoryDeploymentCredentialsController < RedmineGitHostingController
include RedmineGitHosting::GitoliteAccessor::Methods
before_action :check_xitolite_permissions
before_action :find_deployment_credential, only: %i[edit update destroy]
before_action :find_key, only: %i[edit update destroy]
before_action :find_all_keys, only: %i[index new create]
helper :gitolite_public_keys
def index
@repository_deployment_credentials = @repository.deployment_credentials.all
render layout: false
end
def edit; end
def show
render_404
end
def new
@credential = @repository.deployment_credentials.new
end
def create
@credential = build_new_credential
return unless @credential.save
flash[:notice] = l(:notice_deployment_credential_created)
call_use_case_and_redirect
end
def update
@credential.safe_attributes = params[:repository_deployment_credential]
return unless @credential.save
flash[:notice] = l(:notice_deployment_credential_updated)
call_use_case_and_redirect
end
def destroy
will_delete_key = @key.deploy_key? && @key.delete_when_unused && @key.repository_deployment_credentials.count == 1
@credential.destroy
if will_delete_key && @key.repository_deployment_credentials.empty?
# Key no longer used -- delete it!
@key.destroy
flash[:notice] = l(:notice_deployment_credential_deleted_with_key)
else
flash[:notice] = l(:notice_deployment_credential_deleted)
end
call_use_case_and_redirect
end
private
def set_current_tab
@tab = 'repository_deployment_credentials'
end
def find_deployment_credential
credential = @repository.deployment_credentials.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
else
if credential.user && (User.current.admin? || credential.user == User.current)
@credential = credential
else
render_403
end
end
def find_key
key = @credential.gitolite_public_key
if key&.user && (User.current.admin? || key.user == User.current)
@key = key
elsif key
render_403
else
render_404
end
end
def find_all_keys
# display create_with_key view. Find preexisting keys to offer to user
@user_keys = User.current.gitolite_public_keys.deploy_key.order('title ASC')
@disabled_keys = @repository.deployment_credentials.map(&:gitolite_public_key)
@other_keys = []
# Admin can use other's deploy keys as well
@other_keys = other_deployment_keys if User.current.admin?
end
def other_deployment_keys
users_allowed_to_create_deployment_keys.map { |user| user.gitolite_public_keys.deploy_key.order('title ASC') }.flatten
end
def users_allowed_to_create_deployment_keys
@project.users.select { |user| user != User.current && user.git_allowed_to?(:create_repository_deployment_credentials, @repository) }
end
def call_use_case(opts = {})
options = opts.merge(message: "Update deploy keys for repository : '#{@repository.gitolite_repository_name}'")
gitolite_accessor.update_repository(@repository, options)
end
def build_new_credential
credential = @repository.deployment_credentials.new
credential.safe_attributes = params[:repository_deployment_credential]
key = GitolitePublicKey.find_by(id: params[:repository_deployment_credential][:gitolite_public_key_id])
credential.gitolite_public_key = key unless key.nil?
# If admin, let credential be owned by owner of key...
if User.current.admin?
credential.user = key.user unless key.nil?
else
credential.user = User.current
end
credential
end
end

73
plugins/redmine_git_hosting/app/controllers/repository_git_config_keys_controller.rb
View file

@ -1,73 +0,0 @@
class RepositoryGitConfigKeysController < RedmineGitHostingController
include RedmineGitHosting::GitoliteAccessor::Methods
before_action :check_xitolite_permissions
before_action :find_repository_git_config_key, except: %i[index new create]
accept_api_auth :index, :show
def index
@repository_git_config_keys = @repository.git_config_keys.all
@repository_git_option_keys = @repository.git_option_keys.all
render_with_api
end
def new
@git_config_key = @repository.send(key_type).new
end
def create
@git_config_key = @repository.send(key_type).new
@git_config_key.safe_attributes = params[:repository_git_config_key]
return unless @git_config_key.save
flash[:notice] = l(:notice_git_config_key_created)
call_use_case_and_redirect
end
def update
@git_config_key.safe_attributes = params[:repository_git_config_key]
return unless @git_config_key.save
flash[:notice] = l(:notice_git_config_key_updated)
options = @git_config_key.key_has_changed? ? { delete_git_config_key: @git_config_key.old_key } : {}
call_use_case_and_redirect(options)
end
def destroy
return unless @git_config_key.destroy
flash[:notice] = l(:notice_git_config_key_deleted)
options = { delete_git_config_key: @git_config_key.key }
call_use_case_and_redirect(options)
end
private
def key_type
type = params[:type] || params[:repository_git_config_key][:type]
case type
when 'RepositoryGitConfigKey::GitConfig', 'git_config'
:git_config_keys
when 'RepositoryGitConfigKey::Option', 'git_option'
:git_option_keys
else
:git_keys
end
end
def set_current_tab
@tab = 'repository_git_config_keys'
end
def find_repository_git_config_key
@git_config_key = @repository.git_keys.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
end
def call_use_case(opts = {})
options = opts.merge(message: "Rebuild Git config keys respository : '#{@repository.gitolite_repository_name}'")
gitolite_accessor.update_repository(@repository, options)
end
end

47
plugins/redmine_git_hosting/app/controllers/repository_git_extras_controller.rb
View file

@ -1,47 +0,0 @@
class RepositoryGitExtrasController < RedmineGitHostingController
include RedmineGitHosting::GitoliteAccessor::Methods
skip_before_action :set_current_tab
helper :extend_repositories
def update
@git_extra = @repository.extra
@git_extra.safe_attributes = params[:repository_git_extra]
if @git_extra.save
flash.now[:notice] = l(:notice_gitolite_extra_updated)
gitolite_accessor.update_repository(@repository, update_default_branch: @git_extra.default_branch_has_changed?)
else
flash.now[:error] = l(:notice_gitolite_extra_update_failed)
end
end
def sort_urls
@git_extra = @repository.extra
return unless request.post?
if @git_extra.update(urls_order: params[:repository_git_extra])
flash.now[:notice] = l(:notice_gitolite_extra_updated)
else
flash.now[:error] = l(:notice_gitolite_extra_update_failed)
end
end
def move
@move_repository_form = MoveRepositoryForm.new(@repository)
return unless request.post?
@move_repository_form = MoveRepositoryForm.new(@repository)
return unless @move_repository_form.submit(params[:repository_mover])
redirect_to settings_project_path(@repository.project, tab: 'repositories')
end
private
def set_git_extra
@git_extra = @repository.extra
end
end

66
plugins/redmine_git_hosting/app/controllers/repository_mirrors_controller.rb
View file

@ -1,66 +0,0 @@
class RepositoryMirrorsController < RedmineGitHostingController
before_action :check_xitolite_permissions
before_action :find_repository_mirror, except: %i[index new create]
accept_api_auth :index, :show
helper :additionals_clipboardjs
def index
@repository_mirrors = @repository.mirrors.all
render_with_api
end
def new
@mirror = @repository.mirrors.new
end
def create
@mirror = @repository.mirrors.new
@mirror.safe_attributes = params[:repository_mirror]
return unless @mirror.save
flash[:notice] = l(:notice_mirror_created)
render_js_redirect
end
def update
@mirror.safe_attributes = params[:repository_mirror]
return unless @mirror.save
flash[:notice] = l(:notice_mirror_updated)
render_js_redirect
end
def destroy
return unless @mirror.destroy
flash[:notice] = l(:notice_mirror_deleted)
render_js_redirect
end
def push
@push_failed, @shellout = RepositoryMirrors::Push.call(@mirror)
render layout: false
end
private
def set_current_tab
@tab = 'repository_mirrors'
end
def find_repository_mirror
@mirror = @repository.mirrors.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
end
def check_xitolite_permissions
if action_name == 'push'
render_403 unless User.current.git_allowed_to?(:push_repository_mirrors, @repository)
else
super
end
end
end

51
plugins/redmine_git_hosting/app/controllers/repository_post_receive_urls_controller.rb
View file

@ -1,51 +0,0 @@
class RepositoryPostReceiveUrlsController < RedmineGitHostingController
before_action :check_xitolite_permissions
before_action :find_repository_post_receive_url, except: %i[index new create]
accept_api_auth :index, :show
def index
@repository_post_receive_urls = @repository.post_receive_urls.all
render_with_api
end
def new
@post_receive_url = @repository.post_receive_urls.new
end
def create
@post_receive_url = @repository.post_receive_urls.new
@post_receive_url.safe_attributes = params[:repository_post_receive_url]
return unless @post_receive_url.save
flash[:notice] = l(:notice_post_receive_url_created)
render_js_redirect
end
def update
@post_receive_url.safe_attributes = params[:repository_post_receive_url]
return unless @post_receive_url.save
flash[:notice] = l(:notice_post_receive_url_updated)
render_js_redirect
end
def destroy
return unless @post_receive_url.destroy
flash[:notice] = l(:notice_post_receive_url_deleted)
render_js_redirect
end
private
def set_current_tab
@tab = 'repository_post_receive_urls'
end
def find_repository_post_receive_url
@post_receive_url = @repository.post_receive_urls.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
end
end

80
plugins/redmine_git_hosting/app/controllers/repository_protected_branches_controller.rb
View file

@ -1,80 +0,0 @@
class RepositoryProtectedBranchesController < RedmineGitHostingController
include RedmineGitHosting::GitoliteAccessor::Methods
before_action :check_xitolite_permissions
before_action :find_repository_protected_branch, except: %i[index new create sort]
accept_api_auth :index, :show
def index
@repository_protected_branches = @repository.protected_branches.all
render_with_api
end
def new
@protected_branch = @repository.protected_branches.new
end
def create
@protected_branch = @repository.protected_branches.new
@protected_branch.safe_attributes = params[:repository_protected_branche]
return unless @protected_branch.save
check_members
flash[:notice] = l(:notice_protected_branch_created)
call_use_case_and_redirect
end
def update
@protected_branch.safe_attributes = params[:repository_protected_branche]
return unless @protected_branch.save
check_members
flash[:notice] = l(:notice_protected_branch_updated)
call_use_case_and_redirect
end
def destroy
return unless @protected_branch.destroy
flash[:notice] = l(:notice_protected_branch_deleted)
call_use_case_and_redirect
end
def clone
@protected_branch = RepositoryProtectedBranche.clone_from(params[:id])
render 'new'
end
def sort
params[:protected_branch].each_with_index do |id, index|
@repository.protected_branches.where(id: id).update_all(position: index + 1)
end
# Update Gitolite repository
call_use_case
head :ok
end
private
def set_current_tab
@tab = 'repository_protected_branches'
end
def find_repository_protected_branch
@protected_branch = @repository.protected_branches.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
end
def call_use_case(opts = {})
options = opts.merge(message: "Update branch permissions for repository : '#{@repository.gitolite_repository_name}'")
gitolite_accessor.update_repository(@repository, options)
end
def check_members
member_manager = RepositoryProtectedBranches::MemberManager.new(@protected_branch)
member_manager.add_users(params[:user_ids])
member_manager.add_groups(params[:group_ids])
end
end