mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5566 Commits
17 Branches
Tree: ced50e0ec1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ced50e0ec1'
${ noResults }
gitea/routers/repo/http.go

http.go 15KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package repo

  6. 

  7. import (

  8. 	"bytes"

  9. 	"compress/gzip"

  10. 	"fmt"

  11. 	"net/http"

  12. 	"os"

  13. 	"os/exec"

  14. 	"path"

  15. 	"regexp"

  16. 	"strconv"

  17. 	"strings"

  18. 	"time"

  19. 

  20. 	"code.gitea.io/gitea/models"

  21. 	"code.gitea.io/gitea/modules/base"

  22. 	"code.gitea.io/gitea/modules/context"

  23. 	"code.gitea.io/gitea/modules/log"

  24. 	"code.gitea.io/gitea/modules/setting"

  25. 

  26. 	"github.com/Unknwon/com"

  27. )

  28. 

  29. func composeGoGetImport(owner, repo, sub string) string {

  30. 	return path.Join(setting.Domain, setting.AppSubURL, owner, repo, sub)

  31. }

  32. 

  33. // earlyResponseForGoGetMeta responses appropriate go-get meta with status 200

  34. // if user does not have actual access to the requested repository,

  35. // or the owner or repository does not exist at all.

  36. // This is particular a workaround for "go get" command which does not respect

  37. // .netrc file.

  38. func earlyResponseForGoGetMeta(ctx *context.Context, username, reponame, subpath string) {

  39. 	ctx.PlainText(200, []byte(com.Expand(`<meta name="go-import" content="{GoGetImport} git {CloneLink}">`,

  40. 		map[string]string{

  41. 			"GoGetImport": composeGoGetImport(username, reponame, subpath),

  42. 			"CloneLink":   models.ComposeHTTPSCloneURL(username, reponame),

  43. 		})))

  44. }

  45. 

  46. // HTTP implmentation git smart HTTP protocol

  47. func HTTP(ctx *context.Context) {

  48. 	username := ctx.Params(":username")

  49. 	reponame := strings.TrimSuffix(ctx.Params(":reponame"), ".git")

  50. 	subpath := ctx.Params("*")

  51. 

  52. 	if ctx.Query("go-get") == "1" {

  53. 		earlyResponseForGoGetMeta(ctx, username, reponame, subpath)

  54. 		return

  55. 	}

  56. 

  57. 	var isPull bool

  58. 	service := ctx.Query("service")

  59. 	if service == "git-receive-pack" ||

  60. 		strings.HasSuffix(ctx.Req.URL.Path, "git-receive-pack") {

  61. 		isPull = false

  62. 	} else if service == "git-upload-pack" ||

  63. 		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-pack") {

  64. 		isPull = true

  65. 	} else if service == "git-upload-archive" ||

  66. 		strings.HasSuffix(ctx.Req.URL.Path, "git-upload-archive") {

  67. 		isPull = true

  68. 	} else {

  69. 		isPull = (ctx.Req.Method == "GET")

  70. 	}

  71. 

  72. 	var accessMode models.AccessMode

  73. 	if isPull {

  74. 		accessMode = models.AccessModeRead

  75. 	} else {

  76. 		accessMode = models.AccessModeWrite

  77. 	}

  78. 

  79. 	isWiki := false

  80. 	var unitType = models.UnitTypeCode

  81. 	if strings.HasSuffix(reponame, ".wiki") {

  82. 		isWiki = true

  83. 		unitType = models.UnitTypeWiki

  84. 		reponame = reponame[:len(reponame)-5]

  85. 	}

  86. 

  87. 	repoUser, err := models.GetUserByName(username)

  88. 	if err != nil {

  89. 		if models.IsErrUserNotExist(err) {

  90. 			ctx.Handle(http.StatusNotFound, "GetUserByName", nil)

  91. 		} else {

  92. 			ctx.Handle(http.StatusInternalServerError, "GetUserByName", err)

  93. 		}

  94. 		return

  95. 	}

  96. 

  97. 	repo, err := models.GetRepositoryByName(repoUser.ID, reponame)

  98. 	if err != nil {

  99. 		if models.IsErrRepoNotExist(err) {

  100. 			ctx.Handle(http.StatusNotFound, "GetRepositoryByName", nil)

  101. 		} else {

  102. 			ctx.Handle(http.StatusInternalServerError, "GetRepositoryByName", err)

  103. 		}

  104. 		return

  105. 	}

  106. 

  107. 	// Only public pull don't need auth.

  108. 	isPublicPull := !repo.IsPrivate && isPull

  109. 	var (

  110. 		askAuth      = !isPublicPull || setting.Service.RequireSignInView

  111. 		authUser     *models.User

  112. 		authUsername string

  113. 		authPasswd   string

  114. 		environ      []string

  115. 	)

  116. 

  117. 	// check access

  118. 	if askAuth {

  119. 		if setting.Service.EnableReverseProxyAuth {

  120. 			authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)

  121. 			if len(authUsername) == 0 {

  122. 				ctx.HandleText(401, "reverse proxy login error. authUsername empty")

  123. 				return

  124. 			}

  125. 			authUser, err = models.GetUserByName(authUsername)

  126. 			if err != nil {

  127. 				ctx.HandleText(401, "reverse proxy login error, got error while running GetUserByName")

  128. 				return

  129. 			}

  130. 		} else {

  131. 			authHead := ctx.Req.Header.Get("Authorization")

  132. 			if len(authHead) == 0 {

  133. 				ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")

  134. 				ctx.Error(http.StatusUnauthorized)

  135. 				return

  136. 			}

  137. 

  138. 			auths := strings.Fields(authHead)

  139. 			// currently check basic auth

  140. 			// TODO: support digit auth

  141. 			// FIXME: middlewares/context.go did basic auth check already,

  142. 			// maybe could use that one.

  143. 			if len(auths) != 2 || auths[0] != "Basic" {

  144. 				ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")

  145. 				return

  146. 			}

  147. 			authUsername, authPasswd, err = base.BasicAuthDecode(auths[1])

  148. 			if err != nil {

  149. 				ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")

  150. 				return

  151. 			}

  152. 

  153. 			authUser, err = models.UserSignIn(authUsername, authPasswd)

  154. 			if err != nil {

  155. 				if !models.IsErrUserNotExist(err) {

  156. 					ctx.Handle(http.StatusInternalServerError, "UserSignIn error: %v", err)

  157. 					return

  158. 				}

  159. 			}

  160. 

  161. 			if authUser == nil {

  162. 				authUser, err = models.GetUserByName(authUsername)

  163. 

  164. 				if err != nil {

  165. 					if models.IsErrUserNotExist(err) {

  166. 						ctx.HandleText(http.StatusUnauthorized, "invalid credentials")

  167. 					} else {

  168. 						ctx.Handle(http.StatusInternalServerError, "GetUserByName", err)

  169. 					}

  170. 					return

  171. 				}

  172. 

  173. 				// Assume password is a token.

  174. 				token, err := models.GetAccessTokenBySHA(authPasswd)

  175. 				if err != nil {

  176. 					if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {

  177. 						ctx.HandleText(http.StatusUnauthorized, "invalid credentials")

  178. 					} else {

  179. 						ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySha", err)

  180. 					}

  181. 					return

  182. 				}

  183. 

  184. 				if authUser.ID != token.UID {

  185. 					ctx.HandleText(http.StatusUnauthorized, "invalid credentials")

  186. 					return

  187. 				}

  188. 

  189. 				token.Updated = time.Now()

  190. 				if err = models.UpdateAccessToken(token); err != nil {

  191. 					ctx.Handle(http.StatusInternalServerError, "UpdateAccessToken", err)

  192. 				}

  193. 

  194. 			} else {

  195. 				_, err = models.GetTwoFactorByUID(authUser.ID)

  196. 

  197. 				if err == nil {

  198. 					// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented

  199. 					ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")

  200. 					return

  201. 				} else if !models.IsErrTwoFactorNotEnrolled(err) {

  202. 					ctx.Handle(http.StatusInternalServerError, "IsErrTwoFactorNotEnrolled", err)

  203. 					return

  204. 				}

  205. 			}

  206. 

  207. 			if !isPublicPull {

  208. 				has, err := models.HasAccess(authUser.ID, repo, accessMode)

  209. 				if err != nil {

  210. 					ctx.Handle(http.StatusInternalServerError, "HasAccess", err)

  211. 					return

  212. 				} else if !has {

  213. 					if accessMode == models.AccessModeRead {

  214. 						has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)

  215. 						if err != nil {

  216. 							ctx.Handle(http.StatusInternalServerError, "HasAccess2", err)

  217. 							return

  218. 						} else if !has {

  219. 							ctx.HandleText(http.StatusForbidden, "User permission denied")

  220. 							return

  221. 						}

  222. 					} else {

  223. 						ctx.HandleText(http.StatusForbidden, "User permission denied")

  224. 						return

  225. 					}

  226. 				}

  227. 

  228. 				if !isPull && repo.IsMirror {

  229. 					ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")

  230. 					return

  231. 				}

  232. 			}

  233. 		}

  234. 

  235. 		if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {

  236. 			ctx.HandleText(http.StatusForbidden, fmt.Sprintf("User %s does not have allowed access to repository %s 's code",

  237. 				authUser.Name, repo.RepoPath()))

  238. 			return

  239. 		}

  240. 

  241. 		environ = []string{

  242. 			models.EnvRepoUsername + "=" + username,

  243. 			models.EnvRepoName + "=" + reponame,

  244. 			models.EnvPusherName + "=" + authUser.Name,

  245. 			models.EnvPusherID + fmt.Sprintf("=%d", authUser.ID),

  246. 			models.ProtectedBranchRepoID + fmt.Sprintf("=%d", repo.ID),

  247. 		}

  248. 		if isWiki {

  249. 			environ = append(environ, models.EnvRepoIsWiki+"=true")

  250. 		} else {

  251. 			environ = append(environ, models.EnvRepoIsWiki+"=false")

  252. 		}

  253. 	}

  254. 

  255. 	HTTPBackend(ctx, &serviceConfig{

  256. 		UploadPack:  true,

  257. 		ReceivePack: true,

  258. 		Env:         environ,

  259. 	})(ctx.Resp, ctx.Req.Request)

  260. }

  261. 

  262. type serviceConfig struct {

  263. 	UploadPack  bool

  264. 	ReceivePack bool

  265. 	Env         []string

  266. }

  267. 

  268. type serviceHandler struct {

  269. 	cfg     *serviceConfig

  270. 	w       http.ResponseWriter

  271. 	r       *http.Request

  272. 	dir     string

  273. 	file    string

  274. 	environ []string

  275. }

  276. 

  277. func (h *serviceHandler) setHeaderNoCache() {

  278. 	h.w.Header().Set("Expires", "Fri, 01 Jan 1980 00:00:00 GMT")

  279. 	h.w.Header().Set("Pragma", "no-cache")

  280. 	h.w.Header().Set("Cache-Control", "no-cache, max-age=0, must-revalidate")

  281. }

  282. 

  283. func (h *serviceHandler) setHeaderCacheForever() {

  284. 	now := time.Now().Unix()

  285. 	expires := now + 31536000

  286. 	h.w.Header().Set("Date", fmt.Sprintf("%d", now))

  287. 	h.w.Header().Set("Expires", fmt.Sprintf("%d", expires))

  288. 	h.w.Header().Set("Cache-Control", "public, max-age=31536000")

  289. }

  290. 

  291. func (h *serviceHandler) sendFile(contentType string) {

  292. 	reqFile := path.Join(h.dir, h.file)

  293. 

  294. 	fi, err := os.Stat(reqFile)

  295. 	if os.IsNotExist(err) {

  296. 		h.w.WriteHeader(http.StatusNotFound)

  297. 		return

  298. 	}

  299. 

  300. 	h.w.Header().Set("Content-Type", contentType)

  301. 	h.w.Header().Set("Content-Length", fmt.Sprintf("%d", fi.Size()))

  302. 	h.w.Header().Set("Last-Modified", fi.ModTime().Format(http.TimeFormat))

  303. 	http.ServeFile(h.w, h.r, reqFile)

  304. }

  305. 

  306. type route struct {

  307. 	reg     *regexp.Regexp

  308. 	method  string

  309. 	handler func(serviceHandler)

  310. }

  311. 

  312. var routes = []route{

  313. 	{regexp.MustCompile("(.*?)/git-upload-pack$"), "POST", serviceUploadPack},

  314. 	{regexp.MustCompile("(.*?)/git-receive-pack$"), "POST", serviceReceivePack},

  315. 	{regexp.MustCompile("(.*?)/info/refs$"), "GET", getInfoRefs},

  316. 	{regexp.MustCompile("(.*?)/HEAD$"), "GET", getTextFile},

  317. 	{regexp.MustCompile("(.*?)/objects/info/alternates$"), "GET", getTextFile},

  318. 	{regexp.MustCompile("(.*?)/objects/info/http-alternates$"), "GET", getTextFile},

  319. 	{regexp.MustCompile("(.*?)/objects/info/packs$"), "GET", getInfoPacks},

  320. 	{regexp.MustCompile("(.*?)/objects/info/[^/]*$"), "GET", getTextFile},

  321. 	{regexp.MustCompile("(.*?)/objects/[0-9a-f]{2}/[0-9a-f]{38}$"), "GET", getLooseObject},

  322. 	{regexp.MustCompile("(.*?)/objects/pack/pack-[0-9a-f]{40}\\.pack$"), "GET", getPackFile},

  323. 	{regexp.MustCompile("(.*?)/objects/pack/pack-[0-9a-f]{40}\\.idx$"), "GET", getIdxFile},

  324. }

  325. 

  326. // FIXME: use process module

  327. func gitCommand(dir string, args ...string) []byte {

  328. 	cmd := exec.Command("git", args...)

  329. 	cmd.Dir = dir

  330. 	out, err := cmd.Output()

  331. 	if err != nil {

  332. 		log.GitLogger.Error(4, fmt.Sprintf("%v - %s", err, out))

  333. 	}

  334. 	return out

  335. }

  336. 

  337. func getGitConfig(option, dir string) string {

  338. 	out := string(gitCommand(dir, "config", option))

  339. 	return out[0 : len(out)-1]

  340. }

  341. 

  342. func getConfigSetting(service, dir string) bool {

  343. 	service = strings.Replace(service, "-", "", -1)

  344. 	setting := getGitConfig("http."+service, dir)

  345. 

  346. 	if service == "uploadpack" {

  347. 		return setting != "false"

  348. 	}

  349. 

  350. 	return setting == "true"

  351. }

  352. 

  353. func hasAccess(service string, h serviceHandler, checkContentType bool) bool {

  354. 	if checkContentType {

  355. 		if h.r.Header.Get("Content-Type") != fmt.Sprintf("application/x-git-%s-request", service) {

  356. 			return false

  357. 		}

  358. 	}

  359. 

  360. 	if !(service == "upload-pack" || service == "receive-pack") {

  361. 		return false

  362. 	}

  363. 	if service == "receive-pack" {

  364. 		return h.cfg.ReceivePack

  365. 	}

  366. 	if service == "upload-pack" {

  367. 		return h.cfg.UploadPack

  368. 	}

  369. 

  370. 	return getConfigSetting(service, h.dir)

  371. }

  372. 

  373. func serviceRPC(h serviceHandler, service string) {

  374. 	defer h.r.Body.Close()

  375. 

  376. 	if !hasAccess(service, h, true) {

  377. 		h.w.WriteHeader(http.StatusUnauthorized)

  378. 		return

  379. 	}

  380. 

  381. 	h.w.Header().Set("Content-Type", fmt.Sprintf("application/x-git-%s-result", service))

  382. 

  383. 	var err error

  384. 	var reqBody = h.r.Body

  385. 

  386. 	// Handle GZIP.

  387. 	if h.r.Header.Get("Content-Encoding") == "gzip" {

  388. 		reqBody, err = gzip.NewReader(reqBody)

  389. 		if err != nil {

  390. 			log.GitLogger.Error(2, "fail to create gzip reader: %v", err)

  391. 			h.w.WriteHeader(http.StatusInternalServerError)

  392. 			return

  393. 		}

  394. 	}

  395. 

  396. 	// set this for allow pre-receive and post-receive execute

  397. 	h.environ = append(h.environ, "SSH_ORIGINAL_COMMAND="+service)

  398. 

  399. 	var stderr bytes.Buffer

  400. 	cmd := exec.Command("git", service, "--stateless-rpc", h.dir)

  401. 	cmd.Dir = h.dir

  402. 	if service == "receive-pack" {

  403. 		cmd.Env = append(os.Environ(), h.environ...)

  404. 	}

  405. 	cmd.Stdout = h.w

  406. 	cmd.Stdin = reqBody

  407. 	cmd.Stderr = &stderr

  408. 	if err := cmd.Run(); err != nil {

  409. 		log.GitLogger.Error(2, "fail to serve RPC(%s): %v - %v", service, err, stderr)

  410. 		return

  411. 	}

  412. }

  413. 

  414. func serviceUploadPack(h serviceHandler) {

  415. 	serviceRPC(h, "upload-pack")

  416. }

  417. 

  418. func serviceReceivePack(h serviceHandler) {

  419. 	serviceRPC(h, "receive-pack")

  420. }

  421. 

  422. func getServiceType(r *http.Request) string {

  423. 	serviceType := r.FormValue("service")

  424. 	if !strings.HasPrefix(serviceType, "git-") {

  425. 		return ""

  426. 	}

  427. 	return strings.Replace(serviceType, "git-", "", 1)

  428. }

  429. 

  430. func updateServerInfo(dir string) []byte {

  431. 	return gitCommand(dir, "update-server-info")

  432. }

  433. 

  434. func packetWrite(str string) []byte {

  435. 	s := strconv.FormatInt(int64(len(str)+4), 16)

  436. 	if len(s)%4 != 0 {

  437. 		s = strings.Repeat("0", 4-len(s)%4) + s

  438. 	}

  439. 	return []byte(s + str)

  440. }

  441. 

  442. func getInfoRefs(h serviceHandler) {

  443. 	h.setHeaderNoCache()

  444. 	if hasAccess(getServiceType(h.r), h, false) {

  445. 		service := getServiceType(h.r)

  446. 		refs := gitCommand(h.dir, service, "--stateless-rpc", "--advertise-refs", ".")

  447. 

  448. 		h.w.Header().Set("Content-Type", fmt.Sprintf("application/x-git-%s-advertisement", service))

  449. 		h.w.WriteHeader(http.StatusOK)

  450. 		h.w.Write(packetWrite("# service=git-" + service + "\n"))

  451. 		h.w.Write([]byte("0000"))

  452. 		h.w.Write(refs)

  453. 	} else {

  454. 		updateServerInfo(h.dir)

  455. 		h.sendFile("text/plain; charset=utf-8")

  456. 	}

  457. }

  458. 

  459. func getTextFile(h serviceHandler) {

  460. 	h.setHeaderNoCache()

  461. 	h.sendFile("text/plain")

  462. }

  463. 

  464. func getInfoPacks(h serviceHandler) {

  465. 	h.setHeaderCacheForever()

  466. 	h.sendFile("text/plain; charset=utf-8")

  467. }

  468. 

  469. func getLooseObject(h serviceHandler) {

  470. 	h.setHeaderCacheForever()

  471. 	h.sendFile("application/x-git-loose-object")

  472. }

  473. 

  474. func getPackFile(h serviceHandler) {

  475. 	h.setHeaderCacheForever()

  476. 	h.sendFile("application/x-git-packed-objects")

  477. }

  478. 

  479. func getIdxFile(h serviceHandler) {

  480. 	h.setHeaderCacheForever()

  481. 	h.sendFile("application/x-git-packed-objects-toc")

  482. }

  483. 

  484. func getGitRepoPath(subdir string) (string, error) {

  485. 	if !strings.HasSuffix(subdir, ".git") {

  486. 		subdir += ".git"

  487. 	}

  488. 

  489. 	fpath := path.Join(setting.RepoRootPath, subdir)

  490. 	if _, err := os.Stat(fpath); os.IsNotExist(err) {

  491. 		return "", err

  492. 	}

  493. 

  494. 	return fpath, nil

  495. }

  496. 

  497. // HTTPBackend middleware for git smart HTTP protocol

  498. func HTTPBackend(ctx *context.Context, cfg *serviceConfig) http.HandlerFunc {

  499. 	return func(w http.ResponseWriter, r *http.Request) {

  500. 		for _, route := range routes {

  501. 			r.URL.Path = strings.ToLower(r.URL.Path) // blue: In case some repo name has upper case name

  502. 			if m := route.reg.FindStringSubmatch(r.URL.Path); m != nil {

  503. 				if setting.Repository.DisableHTTPGit {

  504. 					w.WriteHeader(http.StatusForbidden)

  505. 					w.Write([]byte("Interacting with repositories by HTTP protocol is not allowed"))

  506. 					return

  507. 				}

  508. 				if route.method != r.Method {

  509. 					if r.Proto == "HTTP/1.1" {

  510. 						w.WriteHeader(http.StatusMethodNotAllowed)

  511. 						w.Write([]byte("Method Not Allowed"))

  512. 					} else {

  513. 						w.WriteHeader(http.StatusBadRequest)

  514. 						w.Write([]byte("Bad Request"))

  515. 					}

  516. 					return

  517. 				}

  518. 

  519. 				file := strings.Replace(r.URL.Path, m[1]+"/", "", 1)

  520. 				dir, err := getGitRepoPath(m[1])

  521. 				if err != nil {

  522. 					log.GitLogger.Error(4, err.Error())

  523. 					ctx.Handle(http.StatusNotFound, "HTTPBackend", err)

  524. 					return

  525. 				}

  526. 

  527. 				route.handler(serviceHandler{cfg, w, r, dir, file, cfg.Env})

  528. 				return

  529. 			}

  530. 		}

  531. 

  532. 		ctx.Handle(http.StatusNotFound, "HTTPBackend", nil)

  533. 		return

  534. 	}

  535. }