mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
18003 Commits
17 Branches
Tree: c4feb3d355
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c4feb3d355'
${ noResults }
gitea/routers/api/packages/maven/maven.go

maven.go 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428 
  1. // Copyright 2021 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package maven

  5. 

  6. import (

  7. 	"crypto/md5"

  8. 	"crypto/sha1"

  9. 	"crypto/sha256"

  10. 	"crypto/sha512"

  11. 	"encoding/hex"

  12. 	"encoding/xml"

  13. 	"errors"

  14. 	"io"

  15. 	"net/http"

  16. 	"path/filepath"

  17. 	"regexp"

  18. 	"sort"

  19. 	"strconv"

  20. 	"strings"

  21. 

  22. 	packages_model "code.gitea.io/gitea/models/packages"

  23. 	"code.gitea.io/gitea/modules/json"

  24. 	"code.gitea.io/gitea/modules/log"

  25. 	packages_module "code.gitea.io/gitea/modules/packages"

  26. 	maven_module "code.gitea.io/gitea/modules/packages/maven"

  27. 	"code.gitea.io/gitea/routers/api/packages/helper"

  28. 	"code.gitea.io/gitea/services/context"

  29. 	packages_service "code.gitea.io/gitea/services/packages"

  30. )

  31. 

  32. const (

  33. 	mavenMetadataFile = "maven-metadata.xml"

  34. 	extensionMD5      = ".md5"

  35. 	extensionSHA1     = ".sha1"

  36. 	extensionSHA256   = ".sha256"

  37. 	extensionSHA512   = ".sha512"

  38. 	extensionPom      = ".pom"

  39. 	extensionJar      = ".jar"

  40. 	contentTypeJar    = "application/java-archive"

  41. 	contentTypeXML    = "text/xml"

  42. )

  43. 

  44. var (

  45. 	errInvalidParameters = errors.New("request parameters are invalid")

  46. 	illegalCharacters    = regexp.MustCompile(`[\\/:"<>|?\*]`)

  47. )

  48. 

  49. func apiError(ctx *context.Context, status int, obj any) {

  50. 	helper.LogAndProcessError(ctx, status, obj, func(message string) {

  51. 		// The maven client does not present the error message to the user. Log it for users with access to server logs.

  52. 		if status == http.StatusBadRequest || status == http.StatusInternalServerError {

  53. 			log.Error(message)

  54. 		}

  55. 

  56. 		ctx.PlainText(status, message)

  57. 	})

  58. }

  59. 

  60. // DownloadPackageFile serves the content of a package

  61. func DownloadPackageFile(ctx *context.Context) {

  62. 	handlePackageFile(ctx, true)

  63. }

  64. 

  65. // ProvidePackageFileHeader provides only the headers describing a package

  66. func ProvidePackageFileHeader(ctx *context.Context) {

  67. 	handlePackageFile(ctx, false)

  68. }

  69. 

  70. func handlePackageFile(ctx *context.Context, serveContent bool) {

  71. 	params, err := extractPathParameters(ctx)

  72. 	if err != nil {

  73. 		apiError(ctx, http.StatusBadRequest, err)

  74. 		return

  75. 	}

  76. 

  77. 	if params.IsMeta && params.Version == "" {

  78. 		serveMavenMetadata(ctx, params)

  79. 	} else {

  80. 		servePackageFile(ctx, params, serveContent)

  81. 	}

  82. }

  83. 

  84. func serveMavenMetadata(ctx *context.Context, params parameters) {

  85. 	// /com/foo/project/maven-metadata.xml[.md5/.sha1/.sha256/.sha512]

  86. 

  87. 	packageName := params.GroupID + "-" + params.ArtifactID

  88. 	pvs, err := packages_model.GetVersionsByPackageName(ctx, ctx.Package.Owner.ID, packages_model.TypeMaven, packageName)

  89. 	if err != nil {

  90. 		apiError(ctx, http.StatusInternalServerError, err)

  91. 		return

  92. 	}

  93. 	if len(pvs) == 0 {

  94. 		apiError(ctx, http.StatusNotFound, packages_model.ErrPackageNotExist)

  95. 		return

  96. 	}

  97. 

  98. 	pds, err := packages_model.GetPackageDescriptors(ctx, pvs)

  99. 	if err != nil {

  100. 		apiError(ctx, http.StatusInternalServerError, err)

  101. 		return

  102. 	}

  103. 

  104. 	sort.Slice(pds, func(i, j int) bool {

  105. 		// Maven and Gradle order packages by their creation timestamp and not by their version string

  106. 		return pds[i].Version.CreatedUnix < pds[j].Version.CreatedUnix

  107. 	})

  108. 

  109. 	xmlMetadata, err := xml.Marshal(createMetadataResponse(pds))

  110. 	if err != nil {

  111. 		apiError(ctx, http.StatusInternalServerError, err)

  112. 		return

  113. 	}

  114. 	xmlMetadataWithHeader := append([]byte(xml.Header), xmlMetadata...)

  115. 

  116. 	latest := pds[len(pds)-1]

  117. 	ctx.Resp.Header().Set("Last-Modified", latest.Version.CreatedUnix.Format(http.TimeFormat))

  118. 

  119. 	ext := strings.ToLower(filepath.Ext(params.Filename))

  120. 	if isChecksumExtension(ext) {

  121. 		var hash []byte

  122. 		switch ext {

  123. 		case extensionMD5:

  124. 			tmp := md5.Sum(xmlMetadataWithHeader)

  125. 			hash = tmp[:]

  126. 		case extensionSHA1:

  127. 			tmp := sha1.Sum(xmlMetadataWithHeader)

  128. 			hash = tmp[:]

  129. 		case extensionSHA256:

  130. 			tmp := sha256.Sum256(xmlMetadataWithHeader)

  131. 			hash = tmp[:]

  132. 		case extensionSHA512:

  133. 			tmp := sha512.Sum512(xmlMetadataWithHeader)

  134. 			hash = tmp[:]

  135. 		}

  136. 		ctx.PlainText(http.StatusOK, hex.EncodeToString(hash))

  137. 		return

  138. 	}

  139. 

  140. 	ctx.Resp.Header().Set("Content-Length", strconv.Itoa(len(xmlMetadataWithHeader)))

  141. 	ctx.Resp.Header().Set("Content-Type", contentTypeXML)

  142. 

  143. 	_, _ = ctx.Resp.Write(xmlMetadataWithHeader)

  144. }

  145. 

  146. func servePackageFile(ctx *context.Context, params parameters, serveContent bool) {

  147. 	packageName := params.GroupID + "-" + params.ArtifactID

  148. 

  149. 	pv, err := packages_model.GetVersionByNameAndVersion(ctx, ctx.Package.Owner.ID, packages_model.TypeMaven, packageName, params.Version)

  150. 	if err != nil {

  151. 		if err == packages_model.ErrPackageNotExist {

  152. 			apiError(ctx, http.StatusNotFound, err)

  153. 		} else {

  154. 			apiError(ctx, http.StatusInternalServerError, err)

  155. 		}

  156. 		return

  157. 	}

  158. 

  159. 	filename := params.Filename

  160. 

  161. 	ext := strings.ToLower(filepath.Ext(filename))

  162. 	if isChecksumExtension(ext) {

  163. 		filename = filename[:len(filename)-len(ext)]

  164. 	}

  165. 

  166. 	pf, err := packages_model.GetFileForVersionByName(ctx, pv.ID, filename, packages_model.EmptyFileKey)

  167. 	if err != nil {

  168. 		if err == packages_model.ErrPackageFileNotExist {

  169. 			apiError(ctx, http.StatusNotFound, err)

  170. 		} else {

  171. 			apiError(ctx, http.StatusInternalServerError, err)

  172. 		}

  173. 		return

  174. 	}

  175. 

  176. 	pb, err := packages_model.GetBlobByID(ctx, pf.BlobID)

  177. 	if err != nil {

  178. 		apiError(ctx, http.StatusInternalServerError, err)

  179. 		return

  180. 	}

  181. 

  182. 	if isChecksumExtension(ext) {

  183. 		var hash string

  184. 		switch ext {

  185. 		case extensionMD5:

  186. 			hash = pb.HashMD5

  187. 		case extensionSHA1:

  188. 			hash = pb.HashSHA1

  189. 		case extensionSHA256:

  190. 			hash = pb.HashSHA256

  191. 		case extensionSHA512:

  192. 			hash = pb.HashSHA512

  193. 		}

  194. 		ctx.PlainText(http.StatusOK, hash)

  195. 		return

  196. 	}

  197. 

  198. 	opts := &context.ServeHeaderOptions{

  199. 		ContentLength: &pb.Size,

  200. 		LastModified:  pf.CreatedUnix.AsLocalTime(),

  201. 	}

  202. 	switch ext {

  203. 	case extensionJar:

  204. 		opts.ContentType = contentTypeJar

  205. 	case extensionPom:

  206. 		opts.ContentType = contentTypeXML

  207. 	}

  208. 

  209. 	if !serveContent {

  210. 		ctx.SetServeHeaders(opts)

  211. 		ctx.Status(http.StatusOK)

  212. 		return

  213. 	}

  214. 

  215. 	s, u, _, err := packages_service.GetPackageBlobStream(ctx, pf, pb)

  216. 	if err != nil {

  217. 		apiError(ctx, http.StatusInternalServerError, err)

  218. 		return

  219. 	}

  220. 

  221. 	opts.Filename = pf.Name

  222. 

  223. 	helper.ServePackageFile(ctx, s, u, pf, opts)

  224. }

  225. 

  226. // UploadPackageFile adds a file to the package. If the package does not exist, it gets created.

  227. func UploadPackageFile(ctx *context.Context) {

  228. 	params, err := extractPathParameters(ctx)

  229. 	if err != nil {

  230. 		apiError(ctx, http.StatusBadRequest, err)

  231. 		return

  232. 	}

  233. 

  234. 	log.Trace("Parameters: %+v", params)

  235. 

  236. 	// Ignore the package index /<name>/maven-metadata.xml

  237. 	if params.IsMeta && params.Version == "" {

  238. 		ctx.Status(http.StatusOK)

  239. 		return

  240. 	}

  241. 

  242. 	packageName := params.GroupID + "-" + params.ArtifactID

  243. 

  244. 	buf, err := packages_module.CreateHashedBufferFromReader(ctx.Req.Body)

  245. 	if err != nil {

  246. 		apiError(ctx, http.StatusInternalServerError, err)

  247. 		return

  248. 	}

  249. 	defer buf.Close()

  250. 

  251. 	pvci := &packages_service.PackageCreationInfo{

  252. 		PackageInfo: packages_service.PackageInfo{

  253. 			Owner:       ctx.Package.Owner,

  254. 			PackageType: packages_model.TypeMaven,

  255. 			Name:        packageName,

  256. 			Version:     params.Version,

  257. 		},

  258. 		SemverCompatible: false,

  259. 		Creator:          ctx.Doer,

  260. 	}

  261. 

  262. 	ext := filepath.Ext(params.Filename)

  263. 

  264. 	// Do not upload checksum files but compare the hashes.

  265. 	if isChecksumExtension(ext) {

  266. 		pv, err := packages_model.GetVersionByNameAndVersion(ctx, pvci.Owner.ID, pvci.PackageType, pvci.Name, pvci.Version)

  267. 		if err != nil {

  268. 			if err == packages_model.ErrPackageNotExist {

  269. 				apiError(ctx, http.StatusNotFound, err)

  270. 				return

  271. 			}

  272. 			apiError(ctx, http.StatusInternalServerError, err)

  273. 			return

  274. 		}

  275. 		pf, err := packages_model.GetFileForVersionByName(ctx, pv.ID, params.Filename[:len(params.Filename)-len(ext)], packages_model.EmptyFileKey)

  276. 		if err != nil {

  277. 			if err == packages_model.ErrPackageFileNotExist {

  278. 				apiError(ctx, http.StatusNotFound, err)

  279. 				return

  280. 			}

  281. 			apiError(ctx, http.StatusInternalServerError, err)

  282. 			return

  283. 		}

  284. 		pb, err := packages_model.GetBlobByID(ctx, pf.BlobID)

  285. 		if err != nil {

  286. 			apiError(ctx, http.StatusInternalServerError, err)

  287. 			return

  288. 		}

  289. 

  290. 		hash, err := io.ReadAll(buf)

  291. 		if err != nil {

  292. 			apiError(ctx, http.StatusInternalServerError, err)

  293. 			return

  294. 		}

  295. 

  296. 		if (ext == extensionMD5 && pb.HashMD5 != string(hash)) ||

  297. 			(ext == extensionSHA1 && pb.HashSHA1 != string(hash)) ||

  298. 			(ext == extensionSHA256 && pb.HashSHA256 != string(hash)) ||

  299. 			(ext == extensionSHA512 && pb.HashSHA512 != string(hash)) {

  300. 			apiError(ctx, http.StatusBadRequest, "hash mismatch")

  301. 			return

  302. 		}

  303. 

  304. 		ctx.Status(http.StatusOK)

  305. 		return

  306. 	}

  307. 

  308. 	pfci := &packages_service.PackageFileCreationInfo{

  309. 		PackageFileInfo: packages_service.PackageFileInfo{

  310. 			Filename: params.Filename,

  311. 		},

  312. 		Creator:           ctx.Doer,

  313. 		Data:              buf,

  314. 		IsLead:            false,

  315. 		OverwriteExisting: params.IsMeta,

  316. 	}

  317. 

  318. 	// If it's the package pom file extract the metadata

  319. 	if ext == extensionPom {

  320. 		pfci.IsLead = true

  321. 

  322. 		var err error

  323. 		pvci.Metadata, err = maven_module.ParsePackageMetaData(buf)

  324. 		if err != nil {

  325. 			apiError(ctx, http.StatusBadRequest, err)

  326. 			return

  327. 		}

  328. 

  329. 		if pvci.Metadata != nil {

  330. 			pv, err := packages_model.GetVersionByNameAndVersion(ctx, pvci.Owner.ID, pvci.PackageType, pvci.Name, pvci.Version)

  331. 			if err != nil && err != packages_model.ErrPackageNotExist {

  332. 				apiError(ctx, http.StatusInternalServerError, err)

  333. 				return

  334. 			}

  335. 			if pv != nil {

  336. 				raw, err := json.Marshal(pvci.Metadata)

  337. 				if err != nil {

  338. 					apiError(ctx, http.StatusInternalServerError, err)

  339. 					return

  340. 				}

  341. 				pv.MetadataJSON = string(raw)

  342. 				if err := packages_model.UpdateVersion(ctx, pv); err != nil {

  343. 					apiError(ctx, http.StatusInternalServerError, err)

  344. 					return

  345. 				}

  346. 			}

  347. 		}

  348. 

  349. 		if _, err := buf.Seek(0, io.SeekStart); err != nil {

  350. 			apiError(ctx, http.StatusInternalServerError, err)

  351. 			return

  352. 		}

  353. 	}

  354. 

  355. 	_, _, err = packages_service.CreatePackageOrAddFileToExisting(

  356. 		ctx,

  357. 		pvci,

  358. 		pfci,

  359. 	)

  360. 	if err != nil {

  361. 		switch err {

  362. 		case packages_model.ErrDuplicatePackageFile:

  363. 			apiError(ctx, http.StatusConflict, err)

  364. 		case packages_service.ErrQuotaTotalCount, packages_service.ErrQuotaTypeSize, packages_service.ErrQuotaTotalSize:

  365. 			apiError(ctx, http.StatusForbidden, err)

  366. 		default:

  367. 			apiError(ctx, http.StatusInternalServerError, err)

  368. 		}

  369. 		return

  370. 	}

  371. 

  372. 	ctx.Status(http.StatusCreated)

  373. }

  374. 

  375. func isChecksumExtension(ext string) bool {

  376. 	return ext == extensionMD5 || ext == extensionSHA1 || ext == extensionSHA256 || ext == extensionSHA512

  377. }

  378. 

  379. type parameters struct {

  380. 	GroupID    string

  381. 	ArtifactID string

  382. 	Version    string

  383. 	Filename   string

  384. 	IsMeta     bool

  385. }

  386. 

  387. func extractPathParameters(ctx *context.Context) (parameters, error) {

  388. 	parts := strings.Split(ctx.Params("*"), "/")

  389. 

  390. 	p := parameters{

  391. 		Filename: parts[len(parts)-1],

  392. 	}

  393. 

  394. 	p.IsMeta = p.Filename == mavenMetadataFile ||

  395. 		p.Filename == mavenMetadataFile+extensionMD5 ||

  396. 		p.Filename == mavenMetadataFile+extensionSHA1 ||

  397. 		p.Filename == mavenMetadataFile+extensionSHA256 ||

  398. 		p.Filename == mavenMetadataFile+extensionSHA512

  399. 

  400. 	parts = parts[:len(parts)-1]

  401. 	if len(parts) == 0 {

  402. 		return p, errInvalidParameters

  403. 	}

  404. 

  405. 	p.Version = parts[len(parts)-1]

  406. 	if p.IsMeta && !strings.HasSuffix(p.Version, "-SNAPSHOT") {

  407. 		p.Version = ""

  408. 	} else {

  409. 		parts = parts[:len(parts)-1]

  410. 	}

  411. 

  412. 	if illegalCharacters.MatchString(p.Version) {

  413. 		return p, errInvalidParameters

  414. 	}

  415. 

  416. 	if len(parts) < 2 {

  417. 		return p, errInvalidParameters

  418. 	}

  419. 

  420. 	p.ArtifactID = parts[len(parts)-1]

  421. 	p.GroupID = strings.Join(parts[:len(parts)-1], ".")

  422. 

  423. 	if illegalCharacters.MatchString(p.GroupID) || illegalCharacters.MatchString(p.ArtifactID) {

  424. 		return p, errInvalidParameters

  425. 	}

  426. 

  427. 	return p, nil

  428. }