Allow administrators to log users by key id (faster) or by username (clearer).

90b9e113 · ash · ceb23a62 · 90b9e113 · 90b9e113 · 90b9e113
Commit 90b9e113 authored 11 years ago by ash
--- a/config.yml.example
+++ b/config.yml.example
@@ -29,3 +29,8 @@ log_file: "/home/git/gitlab-shell/gitlab-shell.log"

 # Log level. INFO by default
 log_level: INFO
+
+# Audit usernames.
+# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
+# incurs an extra API call on every gitlab-shell command.
+audit_usernames: false
--- a/lib/gitlab_config.rb
+++ b/lib/gitlab_config.rb
@@ -39,6 +39,10 @@ class GitlabConfig
    @config['log_level'] ||= 'INFO'
  end

+  def audit_usernames
+    @config['audit_usernames'] ||= false
+  end
+
  # Build redis command to write update event in gitlab queue
  def redis_command
    if redis.empty?

--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -8,7 +8,9 @@ class GitlabShell
  def initialize
    @key_id = ARGV.shift
    @origin_cmd = ENV['SSH_ORIGINAL_COMMAND']
-    @repos_path = GitlabConfig.new.repos_path
+    @config = GitlabConfig.new
+    @repos_path = @config.repos_path
+    @user_tried = false
  end

  def exec
@@ -21,19 +23,16 @@ class GitlabShell
        if validate_access
          process_cmd
        else
-          message = "gitlab-shell: Access denied for git command <#{@origin_cmd}>"
-          message << " by user with key #{@key_id}."
+          message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}."
          $logger.warn message
        end
      else
-        message = "gitlab-shell: Attempt to execute disallowed command "
-        message << "<#{@origin_cmd}> by user with key #{@key_id}."
+        message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}."
        $logger.warn message
        puts 'Not allowed command'
      end
    else
-      user = api.discover(@key_id)
-      puts "Welcome to GitLab, #{user && user['name'] || 'Anonymous'}!"
+      puts "Welcome to GitLab, #{username}!"
    end
  end

@@ -52,7 +51,7 @@ class GitlabShell
  def process_cmd
    repo_full_path = File.join(repos_path, repo_name)
    cmd = "#{@git_cmd} #{repo_full_path}"
-    $logger.info "gitlab-shell: executing git command <#{cmd}> for user with key #{@key_id}."
+    $logger.info "gitlab-shell: executing git command <#{cmd}> for #{log_username}."
    exec_cmd(cmd)
  end

@@ -67,4 +66,23 @@ class GitlabShell
  def api
    GitlabNet.new
  end
+
+  def user
+    # Can't use "@user ||=" because that will keep hitting the API when @user is really nil!
+    if @user_tried
+      @user
+    else
+      @user_tried = true
+      @user = api.discover(@key_id)
+    end
+  end
+
+  def username
+    user && user['name'] || 'Anonymous'
+  end
+
+  # User identifier to be used in log messages.
+  def log_username
+    @config.audit_usernames ? username : "user with key #{@key_id}"
+  end
 end
--- a/spec/gitlab_shell_spec.rb
+++ b/spec/gitlab_shell_spec.rb
@@ -11,13 +11,15 @@ describe GitlabShell do
  end
  let(:api) do
    double(GitlabNet).tap do |api|
-      api.stub(discover: 'John Doe')
+      api.stub(discover: { 'name' => 'John Doe' })
      api.stub(allowed?: true)
    end
  end
  let(:key_id) { "key-#{rand(100) + 100}" }
  let(:repository_path) { "/home/git#{rand(100)}/repos" }
-  before { GitlabConfig.any_instance.stub(:repos_path).and_return(repository_path) }
+  before do
+    GitlabConfig.any_instance.stub(repos_path: repository_path, audit_usernames: false)
+  end

  describe :initialize do
    before { ssh_cmd 'git-receive-pack' }
@@ -71,6 +73,11 @@ describe GitlabShell do
        message << "for user with key #{key_id}."
        $logger.should_receive(:info).with(message)
      end
+
+      it "should use usernames if configured to do so" do
+        GitlabConfig.any_instance.stub(audit_usernames: true)
+        $logger.should_receive(:info) { |msg| msg.should =~ /for John Doe/ }
+      end
    end

    context 'git-receive-pack' do