123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531 |
- // Copyright 2022 The Gitea Authors. All rights reserved.
- // SPDX-License-Identifier: MIT
-
- package packages
-
- import (
- gocontext "context"
- "net/http"
- "regexp"
- "strings"
-
- "code.gitea.io/gitea/models/perm"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/web"
- "code.gitea.io/gitea/routers/api/packages/composer"
- "code.gitea.io/gitea/routers/api/packages/conan"
- "code.gitea.io/gitea/routers/api/packages/conda"
- "code.gitea.io/gitea/routers/api/packages/container"
- "code.gitea.io/gitea/routers/api/packages/generic"
- "code.gitea.io/gitea/routers/api/packages/helm"
- "code.gitea.io/gitea/routers/api/packages/maven"
- "code.gitea.io/gitea/routers/api/packages/npm"
- "code.gitea.io/gitea/routers/api/packages/nuget"
- "code.gitea.io/gitea/routers/api/packages/pub"
- "code.gitea.io/gitea/routers/api/packages/pypi"
- "code.gitea.io/gitea/routers/api/packages/rubygems"
- "code.gitea.io/gitea/routers/api/packages/vagrant"
- "code.gitea.io/gitea/services/auth"
- context_service "code.gitea.io/gitea/services/context"
- )
-
- func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
- return func(ctx *context.Context) {
- if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {
- ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea Package API"`)
- ctx.Error(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
- return
- }
- }
- }
-
- // CommonRoutes provide endpoints for most package managers (except containers - see below)
- // These are mounted on `/api/packages` (not `/api/v1/packages`)
- func CommonRoutes(ctx gocontext.Context) *web.Route {
- r := web.NewRoute()
-
- r.Use(context.PackageContexter(ctx))
-
- authMethods := []auth.Method{
- &auth.OAuth2{},
- &auth.Basic{},
- &nuget.Auth{},
- &conan.Auth{},
- }
- if setting.Service.EnableReverseProxyAuth {
- authMethods = append(authMethods, &auth.ReverseProxy{})
- }
-
- authGroup := auth.NewGroup(authMethods...)
- r.Use(func(ctx *context.Context) {
- var err error
- ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
- if err != nil {
- log.Error("Verify: %v", err)
- ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
- return
- }
- ctx.IsSigned = ctx.Doer != nil
- })
-
- r.Group("/{username}", func() {
- r.Group("/composer", func() {
- r.Get("/packages.json", composer.ServiceIndex)
- r.Get("/search.json", composer.SearchPackages)
- r.Get("/list.json", composer.EnumeratePackages)
- r.Get("/p2/{vendorname}/{projectname}~dev.json", composer.PackageMetadata)
- r.Get("/p2/{vendorname}/{projectname}.json", composer.PackageMetadata)
- r.Get("/files/{package}/{version}/{filename}", composer.DownloadPackageFile)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), composer.UploadPackage)
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/conan", func() {
- r.Group("/v1", func() {
- r.Get("/ping", conan.Ping)
- r.Group("/users", func() {
- r.Get("/authenticate", conan.Authenticate)
- r.Get("/check_credentials", conan.CheckCredentials)
- })
- r.Group("/conans", func() {
- r.Get("/search", conan.SearchRecipes)
- r.Group("/{name}/{version}/{user}/{channel}", func() {
- r.Get("", conan.RecipeSnapshot)
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), conan.DeleteRecipeV1)
- r.Get("/search", conan.SearchPackagesV1)
- r.Get("/digest", conan.RecipeDownloadURLs)
- r.Post("/upload_urls", reqPackageAccess(perm.AccessModeWrite), conan.RecipeUploadURLs)
- r.Get("/download_urls", conan.RecipeDownloadURLs)
- r.Group("/packages", func() {
- r.Post("/delete", reqPackageAccess(perm.AccessModeWrite), conan.DeletePackageV1)
- r.Group("/{package_reference}", func() {
- r.Get("", conan.PackageSnapshot)
- r.Get("/digest", conan.PackageDownloadURLs)
- r.Post("/upload_urls", reqPackageAccess(perm.AccessModeWrite), conan.PackageUploadURLs)
- r.Get("/download_urls", conan.PackageDownloadURLs)
- })
- })
- }, conan.ExtractPathParameters)
- })
- r.Group("/files/{name}/{version}/{user}/{channel}/{recipe_revision}", func() {
- r.Group("/recipe/{filename}", func() {
- r.Get("", conan.DownloadRecipeFile)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), conan.UploadRecipeFile)
- })
- r.Group("/package/{package_reference}/{package_revision}/{filename}", func() {
- r.Get("", conan.DownloadPackageFile)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), conan.UploadPackageFile)
- })
- }, conan.ExtractPathParameters)
- })
- r.Group("/v2", func() {
- r.Get("/ping", conan.Ping)
- r.Group("/users", func() {
- r.Get("/authenticate", conan.Authenticate)
- r.Get("/check_credentials", conan.CheckCredentials)
- })
- r.Group("/conans", func() {
- r.Get("/search", conan.SearchRecipes)
- r.Group("/{name}/{version}/{user}/{channel}", func() {
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), conan.DeleteRecipeV2)
- r.Get("/search", conan.SearchPackagesV2)
- r.Get("/latest", conan.LatestRecipeRevision)
- r.Group("/revisions", func() {
- r.Get("", conan.ListRecipeRevisions)
- r.Group("/{recipe_revision}", func() {
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), conan.DeleteRecipeV2)
- r.Get("/search", conan.SearchPackagesV2)
- r.Group("/files", func() {
- r.Get("", conan.ListRecipeRevisionFiles)
- r.Group("/{filename}", func() {
- r.Get("", conan.DownloadRecipeFile)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), conan.UploadRecipeFile)
- })
- })
- r.Group("/packages", func() {
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), conan.DeletePackageV2)
- r.Group("/{package_reference}", func() {
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), conan.DeletePackageV2)
- r.Get("/latest", conan.LatestPackageRevision)
- r.Group("/revisions", func() {
- r.Get("", conan.ListPackageRevisions)
- r.Group("/{package_revision}", func() {
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), conan.DeletePackageV2)
- r.Group("/files", func() {
- r.Get("", conan.ListPackageRevisionFiles)
- r.Group("/{filename}", func() {
- r.Get("", conan.DownloadPackageFile)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), conan.UploadPackageFile)
- })
- })
- })
- })
- })
- })
- })
- })
- }, conan.ExtractPathParameters)
- })
- })
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/conda", func() {
- var (
- downloadPattern = regexp.MustCompile(`\A(.+/)?(.+)/((?:[^/]+(?:\.tar\.bz2|\.conda))|(?:current_)?repodata\.json(?:\.bz2)?)\z`)
- uploadPattern = regexp.MustCompile(`\A(.+/)?([^/]+(?:\.tar\.bz2|\.conda))\z`)
- )
-
- r.Get("/*", func(ctx *context.Context) {
- m := downloadPattern.FindStringSubmatch(ctx.Params("*"))
- if len(m) == 0 {
- ctx.Status(http.StatusNotFound)
- return
- }
-
- ctx.SetParams("channel", strings.TrimSuffix(m[1], "/"))
- ctx.SetParams("architecture", m[2])
- ctx.SetParams("filename", m[3])
-
- switch m[3] {
- case "repodata.json", "repodata.json.bz2", "current_repodata.json", "current_repodata.json.bz2":
- conda.EnumeratePackages(ctx)
- default:
- conda.DownloadPackageFile(ctx)
- }
- })
- r.Put("/*", reqPackageAccess(perm.AccessModeWrite), func(ctx *context.Context) {
- m := uploadPattern.FindStringSubmatch(ctx.Params("*"))
- if len(m) == 0 {
- ctx.Status(http.StatusNotFound)
- return
- }
-
- ctx.SetParams("channel", strings.TrimSuffix(m[1], "/"))
- ctx.SetParams("filename", m[2])
-
- conda.UploadPackageFile(ctx)
- })
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/generic", func() {
- r.Group("/{packagename}/{packageversion}", func() {
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), generic.DeletePackage)
- r.Group("/{filename}", func() {
- r.Get("", generic.DownloadPackageFile)
- r.Group("", func() {
- r.Put("", generic.UploadPackage)
- r.Delete("", generic.DeletePackageFile)
- }, reqPackageAccess(perm.AccessModeWrite))
- })
- })
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/helm", func() {
- r.Get("/index.yaml", helm.Index)
- r.Get("/{filename}", helm.DownloadPackageFile)
- r.Post("/api/charts", reqPackageAccess(perm.AccessModeWrite), helm.UploadPackage)
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/maven", func() {
- r.Put("/*", reqPackageAccess(perm.AccessModeWrite), maven.UploadPackageFile)
- r.Get("/*", maven.DownloadPackageFile)
- r.Head("/*", maven.ProvidePackageFileHeader)
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/nuget", func() {
- r.Group("", func() { // Needs to be unauthenticated for the NuGet client.
- r.Get("/", nuget.ServiceIndexV2)
- r.Get("/index.json", nuget.ServiceIndexV3)
- r.Get("/$metadata", nuget.FeedCapabilityResource)
- })
- r.Group("", func() {
- r.Get("/query", nuget.SearchServiceV3)
- r.Group("/registration/{id}", func() {
- r.Get("/index.json", nuget.RegistrationIndex)
- r.Get("/{version}", nuget.RegistrationLeafV3)
- })
- r.Group("/package/{id}", func() {
- r.Get("/index.json", nuget.EnumeratePackageVersionsV3)
- r.Get("/{version}/{filename}", nuget.DownloadPackageFile)
- })
- r.Group("", func() {
- r.Put("/", nuget.UploadPackage)
- r.Put("/symbolpackage", nuget.UploadSymbolPackage)
- r.Delete("/{id}/{version}", nuget.DeletePackage)
- }, reqPackageAccess(perm.AccessModeWrite))
- r.Get("/symbols/{filename}/{guid:[0-9a-fA-F]{32}[fF]{8}}/{filename2}", nuget.DownloadSymbolFile)
- r.Get("/Packages(Id='{id:[^']+}',Version='{version:[^']+}')", nuget.RegistrationLeafV2)
- r.Get("/Packages()", nuget.SearchServiceV2)
- r.Get("/FindPackagesById()", nuget.EnumeratePackageVersionsV2)
- r.Get("/Search()", nuget.SearchServiceV2)
- }, reqPackageAccess(perm.AccessModeRead))
- })
- r.Group("/npm", func() {
- r.Group("/@{scope}/{id}", func() {
- r.Get("", npm.PackageMetadata)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), npm.UploadPackage)
- r.Group("/-/{version}/{filename}", func() {
- r.Get("", npm.DownloadPackageFile)
- r.Delete("/-rev/{revision}", reqPackageAccess(perm.AccessModeWrite), npm.DeletePackageVersion)
- })
- r.Get("/-/{filename}", npm.DownloadPackageFileByName)
- r.Group("/-rev/{revision}", func() {
- r.Delete("", npm.DeletePackage)
- r.Put("", npm.DeletePreview)
- }, reqPackageAccess(perm.AccessModeWrite))
- })
- r.Group("/{id}", func() {
- r.Get("", npm.PackageMetadata)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), npm.UploadPackage)
- r.Group("/-/{version}/{filename}", func() {
- r.Get("", npm.DownloadPackageFile)
- r.Delete("/-rev/{revision}", reqPackageAccess(perm.AccessModeWrite), npm.DeletePackageVersion)
- })
- r.Get("/-/{filename}", npm.DownloadPackageFileByName)
- r.Group("/-rev/{revision}", func() {
- r.Delete("", npm.DeletePackage)
- r.Put("", npm.DeletePreview)
- }, reqPackageAccess(perm.AccessModeWrite))
- })
- r.Group("/-/package/@{scope}/{id}/dist-tags", func() {
- r.Get("", npm.ListPackageTags)
- r.Group("/{tag}", func() {
- r.Put("", npm.AddPackageTag)
- r.Delete("", npm.DeletePackageTag)
- }, reqPackageAccess(perm.AccessModeWrite))
- })
- r.Group("/-/package/{id}/dist-tags", func() {
- r.Get("", npm.ListPackageTags)
- r.Group("/{tag}", func() {
- r.Put("", npm.AddPackageTag)
- r.Delete("", npm.DeletePackageTag)
- }, reqPackageAccess(perm.AccessModeWrite))
- })
- r.Group("/-/v1/search", func() {
- r.Get("", npm.PackageSearch)
- })
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/pub", func() {
- r.Group("/api/packages", func() {
- r.Group("/versions/new", func() {
- r.Get("", pub.RequestUpload)
- r.Post("/upload", pub.UploadPackageFile)
- r.Get("/finalize/{id}/{version}", pub.FinalizePackage)
- }, reqPackageAccess(perm.AccessModeWrite))
- r.Group("/{id}", func() {
- r.Get("", pub.EnumeratePackageVersions)
- r.Get("/files/{version}", pub.DownloadPackageFile)
- r.Get("/{version}", pub.PackageVersionMetadata)
- })
- })
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/pypi", func() {
- r.Post("/", reqPackageAccess(perm.AccessModeWrite), pypi.UploadPackageFile)
- r.Get("/files/{id}/{version}/{filename}", pypi.DownloadPackageFile)
- r.Get("/simple/{id}", pypi.PackageMetadata)
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/rubygems", func() {
- r.Get("/specs.4.8.gz", rubygems.EnumeratePackages)
- r.Get("/latest_specs.4.8.gz", rubygems.EnumeratePackagesLatest)
- r.Get("/prerelease_specs.4.8.gz", rubygems.EnumeratePackagesPreRelease)
- r.Get("/quick/Marshal.4.8/{filename}", rubygems.ServePackageSpecification)
- r.Get("/gems/{filename}", rubygems.DownloadPackageFile)
- r.Group("/api/v1/gems", func() {
- r.Post("/", rubygems.UploadPackageFile)
- r.Delete("/yank", rubygems.DeletePackage)
- }, reqPackageAccess(perm.AccessModeWrite))
- }, reqPackageAccess(perm.AccessModeRead))
- r.Group("/vagrant", func() {
- r.Group("/authenticate", func() {
- r.Get("", vagrant.CheckAuthenticate)
- })
- r.Group("/{name}", func() {
- r.Head("", vagrant.CheckBoxAvailable)
- r.Get("", vagrant.EnumeratePackageVersions)
- r.Group("/{version}/{provider}", func() {
- r.Get("", vagrant.DownloadPackageFile)
- r.Put("", reqPackageAccess(perm.AccessModeWrite), vagrant.UploadPackageFile)
- })
- })
- }, reqPackageAccess(perm.AccessModeRead))
- }, context_service.UserAssignmentWeb(), context.PackageAssignment())
-
- return r
- }
-
- // ContainerRoutes provides endpoints that implement the OCI API to serve containers
- // These have to be mounted on `/v2/...` to comply with the OCI spec:
- // https://github.com/opencontainers/distribution-spec/blob/main/spec.md
- func ContainerRoutes(ctx gocontext.Context) *web.Route {
- r := web.NewRoute()
-
- r.Use(context.PackageContexter(ctx))
-
- authMethods := []auth.Method{
- &auth.Basic{},
- &container.Auth{},
- }
- if setting.Service.EnableReverseProxyAuth {
- authMethods = append(authMethods, &auth.ReverseProxy{})
- }
-
- authGroup := auth.NewGroup(authMethods...)
- r.Use(func(ctx *context.Context) {
- var err error
- ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
- if err != nil {
- log.Error("Failed to verify user: %v", err)
- ctx.Error(http.StatusUnauthorized, "Verify")
- return
- }
- ctx.IsSigned = ctx.Doer != nil
- })
-
- r.Get("", container.ReqContainerAccess, container.DetermineSupport)
- r.Get("/token", container.Authenticate)
- r.Get("/_catalog", container.ReqContainerAccess, container.GetRepositoryList)
- r.Group("/{username}", func() {
- r.Group("/{image}", func() {
- r.Group("/blobs/uploads", func() {
- r.Post("", container.InitiateUploadBlob)
- r.Group("/{uuid}", func() {
- r.Get("", container.GetUploadBlob)
- r.Patch("", container.UploadBlob)
- r.Put("", container.EndUploadBlob)
- r.Delete("", container.CancelUploadBlob)
- })
- }, reqPackageAccess(perm.AccessModeWrite))
- r.Group("/blobs/{digest}", func() {
- r.Head("", container.HeadBlob)
- r.Get("", container.GetBlob)
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), container.DeleteBlob)
- })
- r.Group("/manifests/{reference}", func() {
- r.Put("", reqPackageAccess(perm.AccessModeWrite), container.UploadManifest)
- r.Head("", container.HeadManifest)
- r.Get("", container.GetManifest)
- r.Delete("", reqPackageAccess(perm.AccessModeWrite), container.DeleteManifest)
- })
- r.Get("/tags/list", container.GetTagList)
- }, container.VerifyImageName)
-
- var (
- blobsUploadsPattern = regexp.MustCompile(`\A(.+)/blobs/uploads/([a-zA-Z0-9-_.=]+)\z`)
- blobsPattern = regexp.MustCompile(`\A(.+)/blobs/([^/]+)\z`)
- manifestsPattern = regexp.MustCompile(`\A(.+)/manifests/([^/]+)\z`)
- )
-
- // Manual mapping of routes because {image} can contain slashes which chi does not support
- r.Route("/*", "HEAD,GET,POST,PUT,PATCH,DELETE", func(ctx *context.Context) {
- path := ctx.Params("*")
- isHead := ctx.Req.Method == "HEAD"
- isGet := ctx.Req.Method == "GET"
- isPost := ctx.Req.Method == "POST"
- isPut := ctx.Req.Method == "PUT"
- isPatch := ctx.Req.Method == "PATCH"
- isDelete := ctx.Req.Method == "DELETE"
-
- if isPost && strings.HasSuffix(path, "/blobs/uploads") {
- reqPackageAccess(perm.AccessModeWrite)(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.SetParams("image", path[:len(path)-14])
- container.VerifyImageName(ctx)
- if ctx.Written() {
- return
- }
-
- container.InitiateUploadBlob(ctx)
- return
- }
- if isGet && strings.HasSuffix(path, "/tags/list") {
- ctx.SetParams("image", path[:len(path)-10])
- container.VerifyImageName(ctx)
- if ctx.Written() {
- return
- }
-
- container.GetTagList(ctx)
- return
- }
-
- m := blobsUploadsPattern.FindStringSubmatch(path)
- if len(m) == 3 && (isGet || isPut || isPatch || isDelete) {
- reqPackageAccess(perm.AccessModeWrite)(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.SetParams("image", m[1])
- container.VerifyImageName(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.SetParams("uuid", m[2])
-
- if isGet {
- container.GetUploadBlob(ctx)
- } else if isPatch {
- container.UploadBlob(ctx)
- } else if isPut {
- container.EndUploadBlob(ctx)
- } else {
- container.CancelUploadBlob(ctx)
- }
- return
- }
- m = blobsPattern.FindStringSubmatch(path)
- if len(m) == 3 && (isHead || isGet || isDelete) {
- ctx.SetParams("image", m[1])
- container.VerifyImageName(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.SetParams("digest", m[2])
-
- if isHead {
- container.HeadBlob(ctx)
- } else if isGet {
- container.GetBlob(ctx)
- } else {
- reqPackageAccess(perm.AccessModeWrite)(ctx)
- if ctx.Written() {
- return
- }
- container.DeleteBlob(ctx)
- }
- return
- }
- m = manifestsPattern.FindStringSubmatch(path)
- if len(m) == 3 && (isHead || isGet || isPut || isDelete) {
- ctx.SetParams("image", m[1])
- container.VerifyImageName(ctx)
- if ctx.Written() {
- return
- }
-
- ctx.SetParams("reference", m[2])
-
- if isHead {
- container.HeadManifest(ctx)
- } else if isGet {
- container.GetManifest(ctx)
- } else {
- reqPackageAccess(perm.AccessModeWrite)(ctx)
- if ctx.Written() {
- return
- }
- if isPut {
- container.UploadManifest(ctx)
- } else {
- container.DeleteManifest(ctx)
- }
- }
- return
- }
-
- ctx.Status(http.StatusNotFound)
- })
- }, container.ReqContainerAccess, context_service.UserAssignmentWeb(), context.PackageAssignment(), reqPackageAccess(perm.AccessModeRead))
-
- return r
- }
|