

  1. // Copyright 2016 The Gogs Authors. All rights reserved.
  2. // Copyright 2019 The Gitea Authors. All rights reserved.
  3. // Use of this source code is governed by a MIT-style
  4. // license that can be found in the LICENSE file.
  5. package context
  6. import (
  7. "context"
  8. "fmt"
  9. "html"
  10. "net/http"
  11. "net/url"
  12. "strings"
  13. ""
  14. ""
  15. ""
  16. ""
  17. ""
  18. ""
  19. ""
  20. )
// APIContext is the request context handed to API handlers. It embeds the
// generic *Context and adds organization data scoped to the API.
type APIContext struct {
	*Context
	// Org holds the organization for API routes; APIContexter always
	// initializes it to an empty APIOrganization.
	Org *APIOrganization
}
// APIError is the JSON body returned for error responses.
// Message carries the (possibly redacted) error text and URL points at the
// API documentation (setting.API.SwaggerURL).
// swagger:response error
type APIError struct {
	Message string `json:"message"`
	URL     string `json:"url"`
}
// APIValidationError is the error body returned when input validation fails.
// It has the same shape as APIError.
// swagger:response validationError
type APIValidationError struct {
	Message string `json:"message"`
	URL     string `json:"url"`
}
// APIInvalidTopicsError is the error body returned when one or more
// repository topics are rejected; Topics lists the offending values.
// swagger:response invalidTopicsError
type APIInvalidTopicsError struct {
	Topics  []string `json:"invalidTopics"`
	Message string   `json:"message"`
}
// APIEmpty is an empty response body.
// swagger:response empty
type APIEmpty struct{}
// APIForbiddenError is the error body returned for forbidden requests;
// it embeds APIError and adds nothing of its own.
// swagger:response forbidden
type APIForbiddenError struct {
	APIError
}
// APINotFound is the (empty) swagger marker for not-found responses.
// The actual 404 body is written by APIContext.NotFound.
// swagger:response notFound
type APINotFound struct{}
// APIConflict is the (empty) swagger marker for conflict responses.
// swagger:response conflict
type APIConflict struct{}
// APIRedirect is the (empty) swagger marker for redirect responses.
// swagger:response redirect
type APIRedirect struct{}
// APIString is a plain string response body.
// swagger:response string
type APIString string
// ServerError responds with a 500 error. title is used for the log line
// and err becomes the response message (subject to the production
// redaction applied by Error).
func (ctx *APIContext) ServerError(title string, err error) {
	const status = http.StatusInternalServerError
	ctx.Error(status, title, err)
}
// Error writes an APIError JSON body with the given status. title is only
// used for logging; obj becomes the message: an error's Error() text, or
// its "%s" formatting for anything else.
//
// For 500 responses the message is logged, and on production instances it
// is blanked for everyone except site admins so internal details (paths,
// driver errors) do not reach API clients.
func (ctx *APIContext) Error(status int, title string, obj interface{}) {
	var message string
	switch v := obj.(type) {
	case error:
		message = v.Error()
	default:
		message = fmt.Sprintf("%s", obj)
	}

	if status == http.StatusInternalServerError {
		log.ErrorWithSkip(1, "%s: %s", title, message)
		// Only non-production instances or admins get the real message.
		canSeeDetails := !setting.IsProd() || (ctx.User != nil && ctx.User.IsAdmin)
		if !canSeeDetails {
			message = ""
		}
	}

	body := APIError{
		Message: message,
		URL:     setting.API.SwaggerURL,
	}
	ctx.JSON(status, body)
}
// InternalServerError logs err (with the caller's file and line) and
// writes a 500 APIError. The error text is only included in the response
// outside production or for site admins; otherwise the message is empty.
func (ctx *APIContext) InternalServerError(err error) {
	log.ErrorWithSkip(1, "InternalServerError: %v", err)

	resp := APIError{URL: setting.API.SwaggerURL}
	// Expose the underlying error only where it cannot leak to untrusted clients.
	if !setting.IsProd() || (ctx.User != nil && ctx.User.IsAdmin) {
		resp.Message = err.Error()
	}
	ctx.JSON(http.StatusInternalServerError, resp)
}
var (
	// apiContextKey is the request-context key under which WithAPIContext
	// stores the *APIContext. A plain string key is what staticcheck SA1029
	// warns about (another package could use the same string); an
	// unexported struct type would be the collision-free choice.
	apiContextKey interface{} = "default_api_context"
)
// WithAPIContext returns a copy of req whose context carries ctx under
// apiContextKey, so that GetAPIContext can retrieve it further down the
// handler chain.
func WithAPIContext(req *http.Request, ctx *APIContext) *http.Request {
	parent := req.Context()
	withAPI := context.WithValue(parent, apiContextKey, ctx)
	return req.WithContext(withAPI)
}
// GetAPIContext returns the *APIContext stored by WithAPIContext.
//
// The type assertion is unchecked: calling this on a request that did not
// pass through APIContexter panics instead of returning nil.
func GetAPIContext(req *http.Request) *APIContext {
	stored := req.Context().Value(apiContextKey)
	return stored.(*APIContext)
}
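// genAPILinks builds the Link header entries (rel next, last, first, prev,
// in that order) for a paginated API response.
//
// curURL is the request URL whose query string is reused with the "page"
// parameter replaced; total, pageSize and curPage feed NewPagination.
// Each entry is setting.AppURL followed by the request URI with its leading
// "/" stripped, so AppURL is expected to end with a slash. The slice is
// empty when only one page exists.
func genAPILinks(curURL *url.URL, total, pageSize, curPage int) []string {
	paginater := NewPagination(total, pageSize, curPage, 0).Paginater

	// link renders one header entry for the given page number and rel
	// value. It works on a copy of curURL so the caller's URL is untouched.
	link := func(page, rel string) string {
		u := *curURL
		queries := u.Query()
		queries.Set("page", page)
		u.RawQuery = queries.Encode()
		// RequestURI() starts with "/" for server-side request URLs
		// (u.Opaque is empty there), which AppURL already supplies.
		return fmt.Sprintf("<%s%s>; rel=\"%s\"", setting.AppURL, u.RequestURI()[1:], rel)
	}

	links := make([]string, 0, 4)
	if paginater.HasNext() {
		links = append(links, link(fmt.Sprintf("%d", paginater.Next()), "next"))
	}
	if !paginater.IsLast() {
		links = append(links, link(fmt.Sprintf("%d", paginater.TotalPages()), "last"))
	}
	if !paginater.IsFirst() {
		links = append(links, link("1", "first"))
	}
	if paginater.HasPrevious() {
		links = append(links, link(fmt.Sprintf("%d", paginater.Previous()), "prev"))
	}
	return links
}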
// SetLinkHeader sets the pagination Link header for the given total number
// of items and page size. The current page comes from the "page" query
// parameter; nothing is written when there is no page to link to.
func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
	curPage := ctx.QueryInt("page")
	links := genAPILinks(ctx.Req.URL, total, pageSize, curPage)
	if len(links) == 0 {
		return
	}
	ctx.Header().Set("Link", strings.Join(links, ","))
}
// RequireCSRF requires a validated CSRF token.
//
// The token may arrive in the CSRF header or as a form value. If neither is
// present the request is answered with 401 without consulting the
// validator; when one is present, Validate performs the actual comparison,
// so the presence test here is not the security decision.
func (ctx *APIContext) RequireCSRF() {
	fromHeader := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
	fromForm := ctx.Req.FormValue(ctx.csrf.GetFormName())
	if fromHeader == "" && fromForm == "" {
		ctx.Context.Error(401, "Missing CSRF token.")
		return
	}
	Validate(ctx.Context, ctx.csrf)
}
// CheckForOTP validates the X-Gitea-OTP header against the signed-in user's
// TOTP enrollment.
//
// Users without 2FA enrolled pass through untouched. A failed lookup or
// validation error answers 500; a missing or wrong code answers 401. The
// method dereferences ctx.Context.User, so it expects an authenticated
// user — NOTE(review): confirm every route using it runs after sign-in.
func (ctx *APIContext) CheckForOTP() {
	code := ctx.Req.Header.Get("X-Gitea-OTP")

	twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
	switch {
	case err == nil:
		// enrolled: validate below
	case models.IsErrTwoFactorNotEnrolled(err):
		return // No 2FA enrollment for this user
	default:
		ctx.Context.Error(http.StatusInternalServerError)
		return
	}

	valid, err := twofa.ValidateTOTP(code)
	if err != nil {
		ctx.Context.Error(http.StatusInternalServerError)
		return
	}
	if !valid {
		ctx.Context.Error(401)
	}
}
// APIContexter returns the API context middleware.
//
// For every request it builds a fresh APIContext (response wrapper, locale,
// session, empty Repo/Org placeholders), stores it in the request context
// via WithAPIContext, wires up the CSRF helper, parses multipart bodies so
// the CSRF token can be read, resolves the signed-in user through sso,
// sets X-Frame-Options and publishes the CSRF token in ctx.Data before
// invoking the next handler.
func APIContexter() func(http.Handler) http.Handler {
	csrfOpts := getCsrfOpts()

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
			locale := middleware.Locale(w, req)
			apiCtx := APIContext{
				Context: &Context{
					Resp:    NewResponse(w),
					Data:    map[string]interface{}{},
					Locale:  locale,
					Session: session.GetSession(req),
					Repo: &Repository{
						PullRequest: &PullRequest{},
					},
					Org: &Organization{},
				},
				Org: &APIOrganization{},
			}
			apiCtx.Req = WithAPIContext(WithContext(req, apiCtx.Context), &apiCtx)
			apiCtx.csrf = Csrfer(csrfOpts, apiCtx.Context)

			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
			isMultipartPost := apiCtx.Req.Method == http.MethodPost &&
				strings.Contains(apiCtx.Req.Header.Get("Content-Type"), "multipart/form-data")
			if isMultipartPost {
				// In-memory limit is Attachment.MaxSize, given in MiB.
				// NOTE(review): matching the error text for "EOF" is fragile; it
				// looks intended to tolerate an empty body — confirm before
				// replacing with errors.Is(err, io.EOF).
				maxMemory := setting.Attachment.MaxSize << 20
				if err := apiCtx.Req.ParseMultipartForm(maxMemory); err != nil && !strings.Contains(err.Error(), "EOF") {
					apiCtx.InternalServerError(err)
					return
				}
			}

			// Get user from session if logged in.
			apiCtx.User, apiCtx.IsBasicAuth = sso.SignedInUser(apiCtx.Req, apiCtx.Resp, &apiCtx, apiCtx.Session)
			if apiCtx.User == nil {
				apiCtx.Data["SignedUserID"] = int64(0)
				apiCtx.Data["SignedUserName"] = ""
			} else {
				apiCtx.IsSigned = true
				apiCtx.Data["IsSigned"] = apiCtx.IsSigned
				apiCtx.Data["SignedUser"] = apiCtx.User
				apiCtx.Data["SignedUserID"] = apiCtx.User.ID
				apiCtx.Data["SignedUserName"] = apiCtx.User.Name
				apiCtx.Data["IsAdmin"] = apiCtx.User.IsAdmin
			}

			// Disallow framing by other origins (clickjacking mitigation).
			apiCtx.Resp.Header().Set("X-Frame-Options", "SAMEORIGIN")
			apiCtx.Data["CsrfToken"] = html.EscapeString(apiCtx.csrf.GetToken())
			next.ServeHTTP(apiCtx.Resp, apiCtx.Req)
		})
	}
}
// ReferencesGitRepo injects the GitRepo into the Context.
//
// When the repository is empty and allowEmpty is false the chain stops
// here; note that nothing is written to the response in that case. If no
// GitRepo has been opened yet, one is opened from the repository path and
// closed when the downstream handler returns, unless a handler has set it
// to nil (taken ownership of closing it).
func ReferencesGitRepo(allowEmpty bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
			ctx := GetAPIContext(req)

			// Empty repository does not have reference information.
			if !allowEmpty && ctx.Repo.Repository.IsEmpty {
				return
			}

			// For API calls: a repo may already have been opened upstream.
			if ctx.Repo.GitRepo != nil {
				next.ServeHTTP(w, req)
				return
			}

			repoPath := models.RepoPath(ctx.Repo.Owner.Name, ctx.Repo.Repository.Name)
			gitRepo, err := git.OpenRepository(repoPath)
			if err != nil {
				// The title embeds a server filesystem path; Error blanks the
				// message for non-admins on production instances.
				ctx.Error(http.StatusInternalServerError, "RepoRef Invalid repo "+repoPath, err)
				return
			}
			ctx.Repo.GitRepo = gitRepo

			// We opened it, we should close it
			defer func() {
				// If it's been set to nil then assume someone else has closed it.
				if ctx.Repo.GitRepo != nil {
					ctx.Repo.GitRepo.Close()
				}
			}()

			next.ServeHTTP(w, req)
		})
	}
}
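// NotFound handles 404s for APIContext.
//
// objs may mix strings and errors in any order: the last string becomes
// the message (default "Not Found"), every error's text is collected into
// the "errors" list, and nil entries are skipped. Any other value is
// formatted with %v instead of panicking on a string assertion, which the
// previous unchecked obj.(string) did.
func (ctx *APIContext) NotFound(objs ...interface{}) {
	message := "Not Found"
	var errs []string

	for _, obj := range objs {
		switch v := obj.(type) {
		case nil:
			// Ignore nil
		case error:
			errs = append(errs, v.Error())
		case string:
			message = v
		default:
			message = fmt.Sprintf("%v", v)
		}
	}

	// errs stays nil (encoded as null) when no errors were passed.
	ctx.JSON(http.StatusNotFound, map[string]interface{}{
		"message":           message,
		"documentation_url": setting.API.SwaggerURL,
		"errors":            errs,
	})
}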
// RepoRefForAPI handles repository reference names when the ref name is not explicitly given.
//
// The ref from the route is resolved as a branch first, then a tag, then —
// when it is exactly 40 characters long — as a commit SHA, so a branch
// named like a tag shadows the tag. Empty repositories stop the chain
// silently; an unresolvable ref answers 404 with the requested path in the
// message. The git repository is opened on demand and closed when the
// handler returns unless a downstream handler has set it to nil.
func RepoRefForAPI(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		ctx := GetAPIContext(req)

		// Empty repository does not have reference information.
		if ctx.Repo.Repository.IsEmpty {
			return
		}

		var err error
		if ctx.Repo.GitRepo == nil {
			repoPath := models.RepoPath(ctx.Repo.Owner.Name, ctx.Repo.Repository.Name)
			ctx.Repo.GitRepo, err = git.OpenRepository(repoPath)
			if err != nil {
				ctx.InternalServerError(err)
				return
			}
			// We opened it, we should close it
			defer func() {
				// If it's been set to nil then assume someone else has closed it.
				if ctx.Repo.GitRepo != nil {
					ctx.Repo.GitRepo.Close()
				}
			}()
		}

		refName := getRefName(ctx.Context, RepoRefAny)
		repo := ctx.Repo.GitRepo

		switch {
		case repo.IsBranchExist(refName):
			ctx.Repo.Commit, err = repo.GetBranchCommit(refName)
			if err != nil {
				ctx.InternalServerError(err)
				return
			}
			ctx.Repo.CommitID = ctx.Repo.Commit.ID.String()
		case repo.IsTagExist(refName):
			ctx.Repo.Commit, err = repo.GetTagCommit(refName)
			if err != nil {
				ctx.InternalServerError(err)
				return
			}
			ctx.Repo.CommitID = ctx.Repo.Commit.ID.String()
		case len(refName) == 40:
			// Treated as a full SHA-1; an unknown commit is a 404, not a 500.
			ctx.Repo.CommitID = refName
			ctx.Repo.Commit, err = repo.GetCommit(refName)
			if err != nil {
				ctx.NotFound("GetCommit", err)
				return
			}
		default:
			ctx.NotFound(fmt.Errorf("not exist: '%s'", ctx.Params("*")))
			return
		}

		next.ServeHTTP(w, req)
	})
}