[DRE-commits] [gitlab-shell] 01/02: support git 2.11

[Praveen Arimbrathodiyil]

This is an automated email from the git hooks/post-receive script.

praveen pushed a commit to branch master
in repository gitlab-shell.

commit 995f7eb790575b88dd04b30d83c2026b7afcb2db
Author: Praveen Arimbrathodiyil <praveen at debian.org>
Date:   Wed Jan 18 13:03:52 2017 +0530

    support git 2.11
---
 debian/patches/git-env.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series        |  1 +
 2 files changed, 70 insertions(+)

diff --git a/debian/patches/git-env.patch b/debian/patches/git-env.patch
new file mode 100644
index 0000000..ed124fb
--- /dev/null
+++ b/debian/patches/git-env.patch
@@ -0,0 +1,69 @@
+From fc2016484aacb82980c1c9082e195110f0eacb34 Mon Sep 17 00:00:00 2001
+From: Timothy Andrew <mail at timothyandrew.net>
+Date: Wed, 7 Dec 2016 13:09:47 +0530
+Subject: [PATCH 1/2] Pass relevant git environment variables while calling
+ `/allowed`
+
+1. Starting version 2.11, git changed the way the pre-receive flow works.
+
+  - Previously, the new potential objects would be added to the main repo. If the
+    pre-receive passes, the new objects stay in the repo but are linked up. If
+    the pre-receive fails, the new objects stay orphaned in the repo, and are
+    cleaned up during the next `git gc`.
+
+  - In 2.11, the new potential objects are added to a temporary "alternate object
+    directory", that git creates for this purpose. If the pre-receive passes, the
+    objects from the alternate object directory are migrated to the main repo. If
+    the pre-receive fails the alternate object directory is simply deleted.
+
+2. In our workflow, the pre-recieve script calls the `/allowed` endpoint on the
+   rails server. This `/allowed` endpoint calls out directly to git to perform
+   various checks. These direct calls to git do _not_ have the necessary
+   environment variables set which allow access to the "alternate object
+   directory" (explained above). Therefore these calls to git are not able to
+   access any of the new potential objects to be added during this push.
+
+3. We fix this by passing the relevant environment variables
+   (GIT_ALTERNATE_OBJECT_DIRECTORIES, GIT_OBJECT_DIRECTORY, and
+   GIT_QUARANTINE_PATH) to the `/allowed` endpoint, which will then include
+   these environment variables while calling out to git.
+---
+ lib/gitlab_access.rb | 7 ++++++-
+ lib/gitlab_net.rb    | 5 +++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/lib/gitlab_access.rb
++++ b/lib/gitlab_access.rb
+@@ -21,7 +21,11 @@
+   end
+ 
+   def exec
+-    status = api.check_access('git-receive-pack', @repo_name, @actor, @changes, @protocol)
++    env = {
++      "GIT_ALTERNATE_OBJECT_DIRECTORIES" => ENV["GIT_ALTERNATE_OBJECT_DIRECTORIES"],
++      "GIT_OBJECT_DIRECTORY" => ENV["GIT_OBJECT_DIRECTORY"]
++    }
++   status = api.check_access('git-receive-pack', @repo_path, @actor, @changes, @protocol, env: env.to_json)
+ 
+     raise AccessDeniedError, status.message unless status.allowed?
+ 
+--- a/lib/gitlab_net.rb
++++ b/lib/gitlab_net.rb
+@@ -15,14 +15,15 @@
+   CHECK_TIMEOUT = 5
+   READ_TIMEOUT = 300
+ 
+-  def check_access(cmd, repo, actor, changes, protocol)
++  def check_access(cmd, repo, actor, changes, protocol, env: {})
+     changes = changes.join("\n") unless changes.kind_of?(String)
+ 
+     params = {
+       action: cmd,
+       changes: changes,
+       project: project_name(repo),
+-      protocol: protocol
++      protocol: protocol,
++      env: env
+     }
+ 
+     if actor =~ /\Akey\-\d+\Z/
diff --git a/debian/patches/series b/debian/patches/series
index 982f34e..80c9cbd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 use-system-libs.patch
 set-root-path.patch
+git-env.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/gitlab-shell.git