mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5910 Commits
17 Branches
Tree: ef78309b65
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ef78309b65'
${ noResults }
gitea/modules/lfs/server.go

server.go 14KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570 
  1. package lfs

  2. 

  3. import (

  4. 	"encoding/base64"

  5. 	"encoding/json"

  6. 	"fmt"

  7. 	"io"

  8. 	"net/http"

  9. 	"path"

  10. 	"regexp"

  11. 	"strconv"

  12. 	"strings"

  13. 	"time"

  14. 

  15. 	"code.gitea.io/gitea/models"

  16. 	"code.gitea.io/gitea/modules/context"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 

  20. 	"github.com/dgrijalva/jwt-go"

  21. 	"gopkg.in/macaron.v1"

  22. )

  23. 

  24. const (

  25. 	contentMediaType = "application/vnd.git-lfs"

  26. 	metaMediaType    = contentMediaType + "+json"

  27. )

  28. 

  29. // RequestVars contain variables from the HTTP request. Variables from routing, json body decoding, and

  30. // some headers are stored.

  31. type RequestVars struct {

  32. 	Oid           string

  33. 	Size          int64

  34. 	User          string

  35. 	Password      string

  36. 	Repo          string

  37. 	Authorization string

  38. }

  39. 

  40. // BatchVars contains multiple RequestVars processed in one batch operation.

  41. // https://github.com/git-lfs/git-lfs/blob/master/docs/api/batch.md

  42. type BatchVars struct {

  43. 	Transfers []string       `json:"transfers,omitempty"`

  44. 	Operation string         `json:"operation"`

  45. 	Objects   []*RequestVars `json:"objects"`

  46. }

  47. 

  48. // BatchResponse contains multiple object metadata Representation structures

  49. // for use with the batch API.

  50. type BatchResponse struct {

  51. 	Transfer string            `json:"transfer,omitempty"`

  52. 	Objects  []*Representation `json:"objects"`

  53. }

  54. 

  55. // Representation is object metadata as seen by clients of the lfs server.

  56. type Representation struct {

  57. 	Oid     string           `json:"oid"`

  58. 	Size    int64            `json:"size"`

  59. 	Actions map[string]*link `json:"actions"`

  60. 	Error   *ObjectError     `json:"error,omitempty"`

  61. }

  62. 

  63. // ObjectError defines the JSON structure returned to the client in case of an error

  64. type ObjectError struct {

  65. 	Code    int    `json:"code"`

  66. 	Message string `json:"message"`

  67. }

  68. 

  69. // ObjectLink builds a URL linking to the object.

  70. func (v *RequestVars) ObjectLink() string {

  71. 	return setting.AppURL + path.Join(v.User, v.Repo+".git", "info/lfs/objects", v.Oid)

  72. }

  73. 

  74. // VerifyLink builds a URL for verifying the object.

  75. func (v *RequestVars) VerifyLink() string {

  76. 	return setting.AppURL + path.Join(v.User, v.Repo+".git", "info/lfs/verify")

  77. }

  78. 

  79. // link provides a structure used to build a hypermedia representation of an HTTP link.

  80. type link struct {

  81. 	Href      string            `json:"href"`

  82. 	Header    map[string]string `json:"header,omitempty"`

  83. 	ExpiresAt time.Time         `json:"expires_at,omitempty"`

  84. }

  85. 

  86. // ObjectOidHandler is the main request routing entry point into LFS server functions

  87. func ObjectOidHandler(ctx *context.Context) {

  88. 

  89. 	if !setting.LFS.StartServer {

  90. 		writeStatus(ctx, 404)

  91. 		return

  92. 	}

  93. 

  94. 	if ctx.Req.Method == "GET" || ctx.Req.Method == "HEAD" {

  95. 		if MetaMatcher(ctx.Req) {

  96. 			getMetaHandler(ctx)

  97. 			return

  98. 		}

  99. 		if ContentMatcher(ctx.Req) || len(ctx.Params("filename")) > 0 {

  100. 			getContentHandler(ctx)

  101. 			return

  102. 		}

  103. 	} else if ctx.Req.Method == "PUT" && ContentMatcher(ctx.Req) {

  104. 		PutHandler(ctx)

  105. 		return

  106. 	}

  107. 

  108. }

  109. 

  110. func getAuthenticatedRepoAndMeta(ctx *context.Context, rv *RequestVars, requireWrite bool) (*models.LFSMetaObject, *models.Repository) {

  111. 	repository, err := models.GetRepositoryByOwnerAndName(rv.User, rv.Repo)

  112. 	if err != nil {

  113. 		log.Debug("Could not find repository: %s/%s - %s", rv.User, rv.Repo, err)

  114. 		writeStatus(ctx, 404)

  115. 		return nil, nil

  116. 	}

  117. 

  118. 	if !authenticate(ctx, repository, rv.Authorization, requireWrite) {

  119. 		requireAuth(ctx)

  120. 		return nil, nil

  121. 	}

  122. 

  123. 	meta, err := repository.GetLFSMetaObjectByOid(rv.Oid)

  124. 	if err != nil {

  125. 		writeStatus(ctx, 404)

  126. 		return nil, nil

  127. 	}

  128. 

  129. 	return meta, repository

  130. }

  131. 

  132. // getContentHandler gets the content from the content store

  133. func getContentHandler(ctx *context.Context) {

  134. 	rv := unpack(ctx)

  135. 

  136. 	meta, _ := getAuthenticatedRepoAndMeta(ctx, rv, false)

  137. 	if meta == nil {

  138. 		return

  139. 	}

  140. 

  141. 	// Support resume download using Range header

  142. 	var fromByte int64

  143. 	statusCode := 200

  144. 	if rangeHdr := ctx.Req.Header.Get("Range"); rangeHdr != "" {

  145. 		regex := regexp.MustCompile(`bytes=(\d+)\-.*`)

  146. 		match := regex.FindStringSubmatch(rangeHdr)

  147. 		if match != nil && len(match) > 1 {

  148. 			statusCode = 206

  149. 			fromByte, _ = strconv.ParseInt(match[1], 10, 32)

  150. 			ctx.Resp.Header().Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", fromByte, meta.Size-1, meta.Size-fromByte))

  151. 		}

  152. 	}

  153. 

  154. 	contentStore := &ContentStore{BasePath: setting.LFS.ContentPath}

  155. 	content, err := contentStore.Get(meta, fromByte)

  156. 	if err != nil {

  157. 		writeStatus(ctx, 404)

  158. 		return

  159. 	}

  160. 

  161. 	ctx.Resp.Header().Set("Content-Length", strconv.FormatInt(meta.Size-fromByte, 10))

  162. 	ctx.Resp.Header().Set("Content-Type", "application/octet-stream")

  163. 

  164. 	filename := ctx.Params("filename")

  165. 	if len(filename) > 0 {

  166. 		decodedFilename, err := base64.RawURLEncoding.DecodeString(filename)

  167. 		if err == nil {

  168. 			ctx.Resp.Header().Set("Content-Disposition", "attachment; filename=\""+string(decodedFilename)+"\"")

  169. 		}

  170. 	}

  171. 

  172. 	ctx.Resp.WriteHeader(statusCode)

  173. 	io.Copy(ctx.Resp, content)

  174. 	content.Close()

  175. 	logRequest(ctx.Req, statusCode)

  176. }

  177. 

  178. // getMetaHandler retrieves metadata about the object

  179. func getMetaHandler(ctx *context.Context) {

  180. 	rv := unpack(ctx)

  181. 

  182. 	meta, _ := getAuthenticatedRepoAndMeta(ctx, rv, false)

  183. 	if meta == nil {

  184. 		return

  185. 	}

  186. 

  187. 	ctx.Resp.Header().Set("Content-Type", metaMediaType)

  188. 

  189. 	if ctx.Req.Method == "GET" {

  190. 		enc := json.NewEncoder(ctx.Resp)

  191. 		enc.Encode(Represent(rv, meta, true, false))

  192. 	}

  193. 

  194. 	logRequest(ctx.Req, 200)

  195. }

  196. 

  197. // PostHandler instructs the client how to upload data

  198. func PostHandler(ctx *context.Context) {

  199. 	if !setting.LFS.StartServer {

  200. 		writeStatus(ctx, 404)

  201. 		return

  202. 	}

  203. 

  204. 	if !MetaMatcher(ctx.Req) {

  205. 		writeStatus(ctx, 400)

  206. 		return

  207. 	}

  208. 

  209. 	rv := unpack(ctx)

  210. 

  211. 	repository, err := models.GetRepositoryByOwnerAndName(rv.User, rv.Repo)

  212. 	if err != nil {

  213. 		log.Debug("Could not find repository: %s/%s - %s", rv.User, rv.Repo, err)

  214. 		writeStatus(ctx, 404)

  215. 		return

  216. 	}

  217. 

  218. 	if !authenticate(ctx, repository, rv.Authorization, true) {

  219. 		requireAuth(ctx)

  220. 	}

  221. 

  222. 	meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID})

  223. 	if err != nil {

  224. 		writeStatus(ctx, 404)

  225. 		return

  226. 	}

  227. 

  228. 	ctx.Resp.Header().Set("Content-Type", metaMediaType)

  229. 

  230. 	sentStatus := 202

  231. 	contentStore := &ContentStore{BasePath: setting.LFS.ContentPath}

  232. 	if meta.Existing && contentStore.Exists(meta) {

  233. 		sentStatus = 200

  234. 	}

  235. 	ctx.Resp.WriteHeader(sentStatus)

  236. 

  237. 	enc := json.NewEncoder(ctx.Resp)

  238. 	enc.Encode(Represent(rv, meta, meta.Existing, true))

  239. 	logRequest(ctx.Req, sentStatus)

  240. }

  241. 

  242. // BatchHandler provides the batch api

  243. func BatchHandler(ctx *context.Context) {

  244. 

  245. 	if !setting.LFS.StartServer {

  246. 		writeStatus(ctx, 404)

  247. 		return

  248. 	}

  249. 

  250. 	if !MetaMatcher(ctx.Req) {

  251. 		writeStatus(ctx, 400)

  252. 		return

  253. 	}

  254. 

  255. 	bv := unpackbatch(ctx)

  256. 

  257. 	var responseObjects []*Representation

  258. 

  259. 	// Create a response object

  260. 	for _, object := range bv.Objects {

  261. 		repository, err := models.GetRepositoryByOwnerAndName(object.User, object.Repo)

  262. 

  263. 		if err != nil {

  264. 			log.Debug("Could not find repository: %s/%s - %s", object.User, object.Repo, err)

  265. 			writeStatus(ctx, 404)

  266. 			return

  267. 		}

  268. 

  269. 		requireWrite := false

  270. 		if bv.Operation == "upload" {

  271. 			requireWrite = true

  272. 		}

  273. 

  274. 		if !authenticate(ctx, repository, object.Authorization, requireWrite) {

  275. 			requireAuth(ctx)

  276. 			return

  277. 		}

  278. 

  279. 		contentStore := &ContentStore{BasePath: setting.LFS.ContentPath}

  280. 

  281. 		meta, err := repository.GetLFSMetaObjectByOid(object.Oid)

  282. 		if err == nil && contentStore.Exists(meta) { // Object is found and exists

  283. 			responseObjects = append(responseObjects, Represent(object, meta, true, false))

  284. 			continue

  285. 		}

  286. 

  287. 		// Object is not found

  288. 		meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID})

  289. 		if err == nil {

  290. 			responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta)))

  291. 		}

  292. 	}

  293. 

  294. 	ctx.Resp.Header().Set("Content-Type", metaMediaType)

  295. 

  296. 	respobj := &BatchResponse{Objects: responseObjects}

  297. 

  298. 	enc := json.NewEncoder(ctx.Resp)

  299. 	enc.Encode(respobj)

  300. 	logRequest(ctx.Req, 200)

  301. }

  302. 

  303. // PutHandler receives data from the client and puts it into the content store

  304. func PutHandler(ctx *context.Context) {

  305. 	rv := unpack(ctx)

  306. 

  307. 	meta, repository := getAuthenticatedRepoAndMeta(ctx, rv, true)

  308. 	if meta == nil {

  309. 		return

  310. 	}

  311. 

  312. 	contentStore := &ContentStore{BasePath: setting.LFS.ContentPath}

  313. 	if err := contentStore.Put(meta, ctx.Req.Body().ReadCloser()); err != nil {

  314. 		ctx.Resp.WriteHeader(500)

  315. 		fmt.Fprintf(ctx.Resp, `{"message":"%s"}`, err)

  316. 		if err = repository.RemoveLFSMetaObjectByOid(rv.Oid); err != nil {

  317. 			log.Error(4, "RemoveLFSMetaObjectByOid: %v", err)

  318. 		}

  319. 		return

  320. 	}

  321. 

  322. 	logRequest(ctx.Req, 200)

  323. }

  324. 

  325. // VerifyHandler verify oid and its size from the content store

  326. func VerifyHandler(ctx *context.Context) {

  327. 	if !setting.LFS.StartServer {

  328. 		writeStatus(ctx, 404)

  329. 		return

  330. 	}

  331. 

  332. 	if !ContentMatcher(ctx.Req) {

  333. 		writeStatus(ctx, 400)

  334. 		return

  335. 	}

  336. 

  337. 	rv := unpack(ctx)

  338. 

  339. 	meta, _ := getAuthenticatedRepoAndMeta(ctx, rv, true)

  340. 	if meta == nil {

  341. 		return

  342. 	}

  343. 

  344. 	contentStore := &ContentStore{BasePath: setting.LFS.ContentPath}

  345. 	ok, err := contentStore.Verify(meta)

  346. 	if err != nil {

  347. 		ctx.Resp.WriteHeader(500)

  348. 		fmt.Fprintf(ctx.Resp, `{"message":"%s"}`, err)

  349. 		return

  350. 	}

  351. 	if !ok {

  352. 		writeStatus(ctx, 422)

  353. 		return

  354. 	}

  355. 

  356. 	logRequest(ctx.Req, 200)

  357. }

  358. 

  359. // Represent takes a RequestVars and Meta and turns it into a Representation suitable

  360. // for json encoding

  361. func Represent(rv *RequestVars, meta *models.LFSMetaObject, download, upload bool) *Representation {

  362. 	rep := &Representation{

  363. 		Oid:     meta.Oid,

  364. 		Size:    meta.Size,

  365. 		Actions: make(map[string]*link),

  366. 	}

  367. 

  368. 	header := make(map[string]string)

  369. 	header["Accept"] = contentMediaType

  370. 

  371. 	if rv.Authorization == "" {

  372. 		//https://github.com/github/git-lfs/issues/1088

  373. 		header["Authorization"] = "Authorization: Basic dummy"

  374. 	} else {

  375. 		header["Authorization"] = rv.Authorization

  376. 	}

  377. 

  378. 	if download {

  379. 		rep.Actions["download"] = &link{Href: rv.ObjectLink(), Header: header}

  380. 	}

  381. 

  382. 	if upload {

  383. 		rep.Actions["upload"] = &link{Href: rv.ObjectLink(), Header: header}

  384. 	}

  385. 

  386. 	if upload && !download {

  387. 		// Force client side verify action while gitea lacks proper server side verification

  388. 		rep.Actions["verify"] = &link{Href: rv.VerifyLink(), Header: header}

  389. 	}

  390. 

  391. 	return rep

  392. }

  393. 

  394. // ContentMatcher provides a mux.MatcherFunc that only allows requests that contain

  395. // an Accept header with the contentMediaType

  396. func ContentMatcher(r macaron.Request) bool {

  397. 	mediaParts := strings.Split(r.Header.Get("Accept"), ";")

  398. 	mt := mediaParts[0]

  399. 	return mt == contentMediaType

  400. }

  401. 

  402. // MetaMatcher provides a mux.MatcherFunc that only allows requests that contain

  403. // an Accept header with the metaMediaType

  404. func MetaMatcher(r macaron.Request) bool {

  405. 	mediaParts := strings.Split(r.Header.Get("Accept"), ";")

  406. 	mt := mediaParts[0]

  407. 	return mt == metaMediaType

  408. }

  409. 

  410. func unpack(ctx *context.Context) *RequestVars {

  411. 	r := ctx.Req

  412. 	rv := &RequestVars{

  413. 		User:          ctx.Params("username"),

  414. 		Repo:          strings.TrimSuffix(ctx.Params("reponame"), ".git"),

  415. 		Oid:           ctx.Params("oid"),

  416. 		Authorization: r.Header.Get("Authorization"),

  417. 	}

  418. 

  419. 	if r.Method == "POST" { // Maybe also check if +json

  420. 		var p RequestVars

  421. 		dec := json.NewDecoder(r.Body().ReadCloser())

  422. 		err := dec.Decode(&p)

  423. 		if err != nil {

  424. 			return rv

  425. 		}

  426. 

  427. 		rv.Oid = p.Oid

  428. 		rv.Size = p.Size

  429. 	}

  430. 

  431. 	return rv

  432. }

  433. 

  434. // TODO cheap hack, unify with unpack

  435. func unpackbatch(ctx *context.Context) *BatchVars {

  436. 

  437. 	r := ctx.Req

  438. 	var bv BatchVars

  439. 

  440. 	dec := json.NewDecoder(r.Body().ReadCloser())

  441. 	err := dec.Decode(&bv)

  442. 	if err != nil {

  443. 		return &bv

  444. 	}

  445. 

  446. 	for i := 0; i < len(bv.Objects); i++ {

  447. 		bv.Objects[i].User = ctx.Params("username")

  448. 		bv.Objects[i].Repo = strings.TrimSuffix(ctx.Params("reponame"), ".git")

  449. 		bv.Objects[i].Authorization = r.Header.Get("Authorization")

  450. 	}

  451. 

  452. 	return &bv

  453. }

  454. 

  455. func writeStatus(ctx *context.Context, status int) {

  456. 	message := http.StatusText(status)

  457. 

  458. 	mediaParts := strings.Split(ctx.Req.Header.Get("Accept"), ";")

  459. 	mt := mediaParts[0]

  460. 	if strings.HasSuffix(mt, "+json") {

  461. 		message = `{"message":"` + message + `"}`

  462. 	}

  463. 

  464. 	ctx.Resp.WriteHeader(status)

  465. 	fmt.Fprint(ctx.Resp, message)

  466. 	logRequest(ctx.Req, status)

  467. }

  468. 

  469. func logRequest(r macaron.Request, status int) {

  470. 	log.Debug("LFS request - Method: %s, URL: %s, Status %d", r.Method, r.URL, status)

  471. }

  472. 

  473. // authenticate uses the authorization string to determine whether

  474. // or not to proceed. This server assumes an HTTP Basic auth format.

  475. func authenticate(ctx *context.Context, repository *models.Repository, authorization string, requireWrite bool) bool {

  476. 

  477. 	accessMode := models.AccessModeRead

  478. 	if requireWrite {

  479. 		accessMode = models.AccessModeWrite

  480. 	}

  481. 

  482. 	if !repository.IsPrivate && !requireWrite {

  483. 		return true

  484. 	}

  485. 

  486. 	if ctx.IsSigned {

  487. 		accessCheck, _ := models.HasAccess(ctx.User.ID, repository, accessMode)

  488. 		return accessCheck

  489. 	}

  490. 

  491. 	if authorization == "" {

  492. 		return false

  493. 	}

  494. 

  495. 	if authenticateToken(repository, authorization, requireWrite) {

  496. 		return true

  497. 	}

  498. 

  499. 	if !strings.HasPrefix(authorization, "Basic ") {

  500. 		return false

  501. 	}

  502. 

  503. 	c, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authorization, "Basic "))

  504. 	if err != nil {

  505. 		return false

  506. 	}

  507. 	cs := string(c)

  508. 	i := strings.IndexByte(cs, ':')

  509. 	if i < 0 {

  510. 		return false

  511. 	}

  512. 	user, password := cs[:i], cs[i+1:]

  513. 

  514. 	userModel, err := models.GetUserByName(user)

  515. 	if err != nil {

  516. 		return false

  517. 	}

  518. 

  519. 	if !userModel.ValidatePassword(password) {

  520. 		return false

  521. 	}

  522. 

  523. 	accessCheck, _ := models.HasAccess(userModel.ID, repository, accessMode)

  524. 	return accessCheck

  525. }

  526. 

  527. func authenticateToken(repository *models.Repository, authorization string, requireWrite bool) bool {

  528. 	if !strings.HasPrefix(authorization, "Bearer ") {

  529. 		return false

  530. 	}

  531. 

  532. 	token, err := jwt.Parse(authorization[7:], func(t *jwt.Token) (interface{}, error) {

  533. 		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {

  534. 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])

  535. 		}

  536. 		return setting.LFS.JWTSecretBytes, nil

  537. 	})

  538. 	if err != nil {

  539. 		return false

  540. 	}

  541. 	claims, claimsOk := token.Claims.(jwt.MapClaims)

  542. 	if !token.Valid || !claimsOk {

  543. 		return false

  544. 	}

  545. 

  546. 	opStr, ok := claims["op"].(string)

  547. 	if !ok {

  548. 		return false

  549. 	}

  550. 

  551. 	if requireWrite && opStr != "upload" {

  552. 		return false

  553. 	}

  554. 

  555. 	repoID, ok := claims["repo"].(float64)

  556. 	if !ok {

  557. 		return false

  558. 	}

  559. 

  560. 	if repository.ID != int64(repoID) {

  561. 		return false

  562. 	}

  563. 

  564. 	return true

  565. }

  566. 

  567. func requireAuth(ctx *context.Context) {

  568. 	ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=gitea-lfs")

  569. 	writeStatus(ctx, 401)

  570. }