diff options
author | James Moger <james.moger@gitblit.com> | 2012-02-03 18:16:16 -0500 |
---|---|---|
committer | James Moger <james.moger@gitblit.com> | 2012-02-03 18:16:16 -0500 |
commit | b7403152813c7fee783e3c999c7f7ae9fbaacce0 (patch) | |
tree | b30326dec98319aab292b3a160eb9f3e39db104c | |
parent | fe7c01a8bd76dff240e74bb770212911e227ba59 (diff) | |
download | gitblit-b7403152813c7fee783e3c999c7f7ae9fbaacce0.tar.gz gitblit-b7403152813c7fee783e3c999c7f7ae9fbaacce0.zip |
Block pushes to a repository with a working copy (issue 49)
-rw-r--r-- | docs/00_index.mkd | 5 | ||||
-rw-r--r-- | docs/04_releases.mkd | 1 | ||||
-rw-r--r-- | src/com/gitblit/AccessRestrictionFilter.java | 17 | ||||
-rw-r--r-- | src/com/gitblit/DownloadZipFilter.java | 12 | ||||
-rw-r--r-- | src/com/gitblit/GitBlit.java | 1 | ||||
-rw-r--r-- | src/com/gitblit/GitFilter.java | 23 | ||||
-rw-r--r-- | src/com/gitblit/PagesFilter.java | 12 | ||||
-rw-r--r-- | src/com/gitblit/SyndicationFilter.java | 12 | ||||
-rw-r--r-- | src/com/gitblit/models/RepositoryModel.java | 6 | ||||
-rw-r--r-- | test-gitblit.properties | 2 | ||||
-rw-r--r-- | tests/com/gitblit/tests/GitServletTest.java | 33 |
11 files changed, 114 insertions, 10 deletions
diff --git a/docs/00_index.mkd b/docs/00_index.mkd index e49750e1..a0438eef 100644 --- a/docs/00_index.mkd +++ b/docs/00_index.mkd @@ -30,10 +30,7 @@ Gitblit is an open-source, pure Java stack for managing, viewing, and serving [Git][git] repositories.
It's designed primarily as a tool for small workgroups who want to host centralized repositories.
-You can browse a live demo [here](http://demo-gitblit.rhcloud.com) hosted on [RedHat's OpenShift][rhcloud] cloud service.
-
-**NOTE:**
-The demo is a bit unstable due to a bug in JBossAS7/Tomcat when running in LOW_MEMORY mode which OpenShift mandates. RedHat engineers hope to have this issue resolved soon.
+You can browse a live demo [here](https://demo-gitblit.rhcloud.com) hosted on [RedHat's OpenShift][rhcloud] cloud service.
### GO: Single-Stack Solution
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd index c8e9d197..e5113192 100644 --- a/docs/04_releases.mkd +++ b/docs/04_releases.mkd @@ -6,6 +6,7 @@ #### changes
+- block pushes to a repository with a working copy (i.e. non-bare repository) (issue-49)
- web.datetimestampLongFormat from *EEEE, MMMM d, yyyy h:mm a z* to *EEEE, MMMM d, yyyy HH:mm Z* (issue 50)
#### additions
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java index a8d50b8c..e9b6587b 100644 --- a/src/com/gitblit/AccessRestrictionFilter.java +++ b/src/com/gitblit/AccessRestrictionFilter.java @@ -62,6 +62,15 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter { protected abstract String getUrlRequestAction(String url);
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ protected abstract boolean isActionAllowed(RepositoryModel repository, String action);
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
@@ -110,6 +119,14 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter { httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
return;
}
+
+ // Confirm that the action may be executed on the repository
+ if (!isActionAllowed(model, urlRequestType)) {
+ logger.info(MessageFormat.format("ARF: action {0} on {1} forbidden ({2})",
+ urlRequestType, model, HttpServletResponse.SC_FORBIDDEN));
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
// Wrap the HttpServletRequest with the AccessRestrictionRequest which
// overrides the servlet container user principal methods.
diff --git a/src/com/gitblit/DownloadZipFilter.java b/src/com/gitblit/DownloadZipFilter.java index c308cbbb..d22649b5 100644 --- a/src/com/gitblit/DownloadZipFilter.java +++ b/src/com/gitblit/DownloadZipFilter.java @@ -57,6 +57,18 @@ public class DownloadZipFilter extends AccessRestrictionFilter { }
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java index a689b48e..7a6411c4 100644 --- a/src/com/gitblit/GitBlit.java +++ b/src/com/gitblit/GitBlit.java @@ -760,6 +760,7 @@ public class GitBlit implements ServletContextListener { model.name = repositoryName;
model.hasCommits = JGitUtils.hasCommits(r);
model.lastChange = JGitUtils.getLastChange(r, null);
+ model.isBare = r.isBare();
StoredConfig config = JGitUtils.readConfig(r);
if (config != null) {
model.description = getConfig(config, "description", "");
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java index a7f0fe74..e76fd767 100644 --- a/src/com/gitblit/GitFilter.java +++ b/src/com/gitblit/GitFilter.java @@ -81,6 +81,25 @@ public class GitFilter extends AccessRestrictionFilter { }
return null;
}
+
+ /**
+ * Determine if the repository can receive pushes.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ if (action.equals(gitReceivePack)) {
+ // Push request
+ if (!repository.isBare) {
+ logger.warn("Gitblit does not allow pushes to repositories with a working copy");
+ return false;
+ }
+ }
+ return true;
+ }
/**
* Determine if the repository requires authentication.
@@ -107,8 +126,8 @@ public class GitFilter extends AccessRestrictionFilter { if (!GitBlit.getBoolean(Keys.git.enableGitServlet, true)) {
// Git Servlet disabled
return false;
- }
- boolean readOnly = repository.isFrozen;
+ }
+ boolean readOnly = repository.isFrozen;
if (readOnly || repository.accessRestriction.atLeast(AccessRestrictionType.PUSH)) {
boolean authorizedUser = user.canAccessRepository(repository);
if (action.equals(gitReceivePack)) {
diff --git a/src/com/gitblit/PagesFilter.java b/src/com/gitblit/PagesFilter.java index 87fef0d2..b29bede2 100644 --- a/src/com/gitblit/PagesFilter.java +++ b/src/com/gitblit/PagesFilter.java @@ -77,6 +77,18 @@ public class PagesFilter extends AccessRestrictionFilter { }
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
diff --git a/src/com/gitblit/SyndicationFilter.java b/src/com/gitblit/SyndicationFilter.java index d6dd1f2d..7e2561b9 100644 --- a/src/com/gitblit/SyndicationFilter.java +++ b/src/com/gitblit/SyndicationFilter.java @@ -55,6 +55,18 @@ public class SyndicationFilter extends AccessRestrictionFilter { }
/**
+ * Determine if the action may be executed on the repository.
+ *
+ * @param repository
+ * @param action
+ * @return true if the action may be performed
+ */
+ @Override
+ protected boolean isActionAllowed(RepositoryModel repository, String action) {
+ return true;
+ }
+
+ /**
* Determine if the repository requires authentication.
*
* @param repository
diff --git a/src/com/gitblit/models/RepositoryModel.java b/src/com/gitblit/models/RepositoryModel.java index b633c69e..10dcbc68 100644 --- a/src/com/gitblit/models/RepositoryModel.java +++ b/src/com/gitblit/models/RepositoryModel.java @@ -53,14 +53,14 @@ public class RepositoryModel implements Serializable, Comparable<RepositoryModel public boolean skipSizeCalculation;
public boolean skipSummaryMetrics;
public String frequency;
+ public boolean isBare;
public String origin;
+ public String HEAD;
+ public List<String> availableRefs;
public String size;
public List<String> preReceiveScripts;
public List<String> postReceiveScripts;
public List<String> mailingLists;
- public String HEAD;
- public List<String> availableRefs;
-
private String displayName;
public RepositoryModel() {
diff --git a/test-gitblit.properties b/test-gitblit.properties index a815198b..9249bbd0 100644 --- a/test-gitblit.properties +++ b/test-gitblit.properties @@ -7,7 +7,7 @@ git.searchRepositoriesSubfolders = true git.enableGitServlet = true groovy.scriptsFolder = groovy groovy.preReceiveScripts = blockpush -groovy.postReceiveScripts = sendmail jenkins +groovy.postReceiveScripts = sendmail web.authenticateViewPages = false web.authenticateAdminPages = true web.allowCookieAuthentication = true diff --git a/tests/com/gitblit/tests/GitServletTest.java b/tests/com/gitblit/tests/GitServletTest.java index 88bbe917..38d7fa9f 100644 --- a/tests/com/gitblit/tests/GitServletTest.java +++ b/tests/com/gitblit/tests/GitServletTest.java @@ -30,6 +30,8 @@ public class GitServletTest { static File ticgit2Folder = new File(GitBlitSuite.REPOSITORIES, "working/ticgit2");
static File jgitFolder = new File(GitBlitSuite.REPOSITORIES, "working/jgit");
+
+ static File jgit2Folder = new File(GitBlitSuite.REPOSITORIES, "working/jgit2");
String url = GitBlitSuite.url;
String account = GitBlitSuite.account;
@@ -61,6 +63,9 @@ public class GitServletTest { if (jgitFolder.exists()) {
FileUtils.delete(jgitFolder, FileUtils.RECURSIVE);
}
+ if (jgit2Folder.exists()) {
+ FileUtils.delete(jgit2Folder, FileUtils.RECURSIVE);
+ }
}
@Test
@@ -141,6 +146,34 @@ public class GitServletTest { close(git);
}
+ @Test
+ public void testPushToNonBareRepository() throws Exception {
+ CloneCommand clone = Git.cloneRepository();
+ clone.setURI(MessageFormat.format("{0}/git/working/jgit", url));
+ clone.setDirectory(jgit2Folder);
+ clone.setBare(false);
+ clone.setCloneAllBranches(true);
+ clone.setCredentialsProvider(new UsernamePasswordCredentialsProvider(account, password));
+ close(clone.call());
+ assertTrue(true);
+
+ Git git = Git.open(jgit2Folder);
+ File file = new File(jgit2Folder, "NONBARE");
+ OutputStreamWriter os = new OutputStreamWriter(new FileOutputStream(file, true));
+ BufferedWriter w = new BufferedWriter(os);
+ w.write("// " + new Date().toString() + "\n");
+ w.close();
+ git.add().addFilepattern(file.getName()).call();
+ git.commit().setMessage("test commit followed by push to non-bare repository").call();
+ try {
+ git.push().setPushAll().call();
+ assertTrue(false);
+ } catch (Exception e) {
+ assertTrue(e.getCause().getMessage().contains("git-receive-pack not permitted"));
+ }
+ close(git);
+ }
+
private void close(Git git) {
// really close the repository
// decrement the use counter to 0
|