netlify · biilmann · Jun 4, 2018 · Jan 10, 2018 · Jan 10, 2018 · Jun 4, 2018
diff --git a/api/api.go b/api/api.go
@@ -76,6 +76,8 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 			r.Use(api.loadInstanceConfig)
 		}
 		r.With(api.requireAuthentication).Mount("/github", NewGitHubGateway())
+		r.With(api.requireAuthentication).Mount("/gitlab", NewGitLabGateway())
+		r.With(api.requireAuthentication).Get("/settings", api.Settings)
 	})
 
 	if globalConfig.MultiInstanceMode {

diff --git a/api/gitlab.go b/api/gitlab.go
@@ -0,0 +1,122 @@
+package api
+
+import (
+	"errors"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"regexp"
+)
+
+// GitLabGateway acts as a proxy to Gitlab
+type GitLabGateway struct {
+	proxy *httputil.ReverseProxy
+}
+
+var gitlabPathRegexp = regexp.MustCompile("^/gitlab/?")
+var gitlabAllowedRegexp = regexp.MustCompile("^/gitlab/repository/(files|commits|tree)/?")
+
+func NewGitLabGateway() *GitLabGateway {
+	return &GitLabGateway{
+		proxy: &httputil.ReverseProxy{
+			Director:  gitlabDirector,
+			Transport: &GitLabTransport{},
+		},
+	}
+}
+
+func gitlabDirector(r *http.Request) {
+	ctx := r.Context()
+	target := getProxyTarget(ctx)
+	accessToken := getAccessToken(ctx)
+
+	targetQuery := target.RawQuery
+	r.Host = target.Host
+	r.URL.Scheme = target.Scheme
+	r.URL.Host = target.Host
+	r.URL.Path = singleJoiningSlash(target.Path, gitlabPathRegexp.ReplaceAllString(r.URL.Path, "/"))
+	if targetQuery == "" || r.URL.RawQuery == "" {
+		r.URL.RawQuery = targetQuery + r.URL.RawQuery
+	} else {
+		r.URL.RawQuery = targetQuery + "&" + r.URL.RawQuery
+	}
+	if _, ok := r.Header["User-Agent"]; !ok {
+		// explicitly disable User-Agent so it's not set to default value
+		r.Header.Set("User-Agent", "")
+	}
+	if r.Method != http.MethodOptions {
+		r.Header.Set("Authorization", "Bearer "+accessToken)
+	}
+
+	log := getLogEntry(r)
+	log.Infof("Proxying to GitLab: %v", r.URL.String())
+}
+
+func (gl *GitLabGateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	config := getConfig(ctx)
+	if config == nil || config.GitLab.AccessToken == "" {
+		handleError(notFoundError("No GitLab Settings Configured"), w, r)
+		return
+	}
+
+	if err := gl.authenticate(w, r); err != nil {
+		handleError(unauthorizedError(err.Error()), w, r)
+		return
+	}
+
+	endpoint := config.GitLab.Endpoint
+	apiURL := singleJoiningSlash(endpoint, "/repos/"+config.GitLab.Repo)
+	target, err := url.Parse(apiURL)
+	if err != nil {
+		handleError(internalServerError("Unable to process GitLab endpoint"), w, r)
+		return
+	}
+	ctx = withProxyTarget(ctx, target)
+	ctx = withAccessToken(ctx, config.GitLab.AccessToken)
+	gl.proxy.ServeHTTP(w, r.WithContext(ctx))
+}
+
+func (gl *GitLabGateway) authenticate(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	claims := getClaims(ctx)
+	config := getConfig(ctx)
+
+	if claims == nil {
+		return errors.New("Access to endpoint not allowed: no claims found in Bearer token")
+	}
+
+	if !gitlabAllowedRegexp.MatchString(r.URL.Path) {
+		return errors.New("Access to endpoint not allowed: this part of GitLab's API has been restricted")
+	}
+
+	if len(config.Roles) == 0 {
+		return nil
+	}
+
+	roles, ok := claims.AppMetaData["roles"]
+	if ok {
+		roleStrings, _ := roles.([]interface{})
+		for _, data := range roleStrings {
+			role, _ := data.(string)
+			for _, adminRole := range config.Roles {
+				if role == adminRole {
+					return nil
+				}
+			}
+		}
+	}
+
+	return errors.New("Access to endpoint not allowed: your role doesn't allow access")
+}
+
+type GitLabTransport struct{}
+
+func (t *GitLabTransport) RoundTrip(r *http.Request) (*http.Response, error) {
+	resp, err := http.DefaultTransport.RoundTrip(r)
+	if err == nil {
+		// remove CORS headers from GitHub and use our own
+		resp.Header.Del("Access-Control-Allow-Origin")
+	}
+	return resp, err
+}
diff --git a/api/settings.go b/api/settings.go
@@ -0,0 +1,22 @@
+package api
+
+import "net/http"
+
+type Settings struct {
+	GitHub bool     `json:"github_enabled"`
+	GitLab bool     `json:"gitlab_enabled"`
+	Roles  []string `json:"roles"`
+}
+
+func (a *API) Settings(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	config := getConfig(ctx)
+
+	settings := Settings{
+		GitHub: config.GitHub.Repo != "",
+		GitLab: config.GitLab.Repo != "",
+		Roles:  config.Roles,
+	}
+
+	return sendJSON(w, http.StatusOK, &settings)
+}
diff --git a/conf/configuration.go b/conf/configuration.go
@@ -16,6 +16,12 @@ type GitHubConfig struct {
 	Repo        string `envconfig:"REPO" json:"repo"` // Should be "owner/repo" format
 }
 
+type GitLabConfig struct {
+	AccessToken string `envconfig:"ACCESS_TOKEN" json:"access_token,omitempty"`
+	Endpoint    string `envconfig:"ENDPOINT" json:"endpoint"`
+	Repo        string `envconfig:"REPO" json:"repo"` // Should be "owner/repo" format
+}
+
 // DBConfiguration holds all the database related configuration.
 type DBConfiguration struct {
 	Dialect     string `json:"dialect"`
@@ -47,6 +53,7 @@ type GlobalConfiguration struct {
 type Configuration struct {
 	JWT    JWTConfiguration `json:"jwt"`
 	GitHub GitHubConfig     `envconfig:"GITHUB" json:"github"`
+	GitLab GitLabConfig     `envconfig:"GITLAB" json:"gitlab"`
 	Roles  []string         `envconfig:"ROLES" json:"roles"`
 }