本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

573 lines
16KB

  1. // Copyright 2014 The Gogs Authors. All rights reserved.
  2. // Copyright 2019 The Gitea Authors. All rights reserved.
  3. // Use of this source code is governed by a MIT-style
  4. // license that can be found in the LICENSE file.
  5. package repo
  6. import (
  7. "bytes"
  8. "compress/gzip"
  9. "fmt"
  10. "net/http"
  11. "os"
  12. "os/exec"
  13. "path"
  14. "regexp"
  15. "strconv"
  16. "strings"
  17. "time"
  18. "code.gitea.io/gitea/models"
  19. "code.gitea.io/gitea/modules/auth"
  20. "code.gitea.io/gitea/modules/base"
  21. "code.gitea.io/gitea/modules/context"
  22. "code.gitea.io/gitea/modules/git"
  23. "code.gitea.io/gitea/modules/log"
  24. "code.gitea.io/gitea/modules/setting"
  25. "code.gitea.io/gitea/modules/timeutil"
  26. )
  27. // HTTP implmentation git smart HTTP protocol
  28. func HTTP(ctx *context.Context) {
  29. if len(setting.Repository.AccessControlAllowOrigin) > 0 {
  30. allowedOrigin := setting.Repository.AccessControlAllowOrigin
  31. // Set CORS headers for browser-based git clients
  32. ctx.Resp.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
  33. ctx.Resp.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, User-Agent")
  34. // Handle preflight OPTIONS request
  35. if ctx.Req.Method == "OPTIONS" {
  36. if allowedOrigin == "*" {
  37. ctx.Status(http.StatusOK)
  38. } else if allowedOrigin == "null" {
  39. ctx.Status(http.StatusForbidden)
  40. } else {
  41. origin := ctx.Req.Header.Get("Origin")
  42. if len(origin) > 0 && origin == allowedOrigin {
  43. ctx.Status(http.StatusOK)
  44. } else {
  45. ctx.Status(http.StatusForbidden)
  46. }
  47. }
  48. return
  49. }
  50. }
  51. username := ctx.Params(":username")
  52. reponame := strings.TrimSuffix(ctx.Params(":reponame"), ".git")
  53. if ctx.Query("go-get") == "1" {
  54. context.EarlyResponseForGoGetMeta(ctx)
  55. return
  56. }
  57. var isPull bool
  58. service := ctx.Query("service")
  59. if service == "git-receive-pack" ||
  60. strings.HasSuffix(ctx.Req.URL.Path, "git-receive-pack") {
  61. isPull = false
  62. } else if service == "git-upload-pack" ||
  63. strings.HasSuffix(ctx.Req.URL.Path, "git-upload-pack") {
  64. isPull = true
  65. } else if service == "git-upload-archive" ||
  66. strings.HasSuffix(ctx.Req.URL.Path, "git-upload-archive") {
  67. isPull = true
  68. } else {
  69. isPull = (ctx.Req.Method == "GET")
  70. }
  71. var accessMode models.AccessMode
  72. if isPull {
  73. accessMode = models.AccessModeRead
  74. } else {
  75. accessMode = models.AccessModeWrite
  76. }
  77. isWiki := false
  78. var unitType = models.UnitTypeCode
  79. if strings.HasSuffix(reponame, ".wiki") {
  80. isWiki = true
  81. unitType = models.UnitTypeWiki
  82. reponame = reponame[:len(reponame)-5]
  83. }
  84. owner, err := models.GetUserByName(username)
  85. if err != nil {
  86. ctx.NotFoundOrServerError("GetUserByName", models.IsErrUserNotExist, err)
  87. return
  88. }
  89. repo, err := models.GetRepositoryByName(owner.ID, reponame)
  90. if err != nil {
  91. if models.IsErrRepoNotExist(err) {
  92. redirectRepoID, err := models.LookupRepoRedirect(owner.ID, reponame)
  93. if err == nil {
  94. context.RedirectToRepo(ctx, redirectRepoID)
  95. } else {
  96. ctx.NotFoundOrServerError("GetRepositoryByName", models.IsErrRepoRedirectNotExist, err)
  97. }
  98. } else {
  99. ctx.ServerError("GetRepositoryByName", err)
  100. }
  101. return
  102. }
  103. // Don't allow pushing if the repo is archived
  104. if repo.IsArchived && !isPull {
  105. ctx.HandleText(http.StatusForbidden, "This repo is archived. You can view files and clone it, but cannot push or open issues/pull-requests.")
  106. return
  107. }
  108. // Only public pull don't need auth.
  109. isPublicPull := !repo.IsPrivate && isPull
  110. var (
  111. askAuth = !isPublicPull || setting.Service.RequireSignInView
  112. authUser *models.User
  113. authUsername string
  114. authPasswd string
  115. environ []string
  116. )
  117. // check access
  118. if askAuth {
  119. authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
  120. if setting.Service.EnableReverseProxyAuth && len(authUsername) > 0 {
  121. authUser, err = models.GetUserByName(authUsername)
  122. if err != nil {
  123. ctx.HandleText(401, "reverse proxy login error, got error while running GetUserByName")
  124. return
  125. }
  126. } else {
  127. authHead := ctx.Req.Header.Get("Authorization")
  128. if len(authHead) == 0 {
  129. ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")
  130. ctx.Error(http.StatusUnauthorized)
  131. return
  132. }
  133. auths := strings.Fields(authHead)
  134. // currently check basic auth
  135. // TODO: support digit auth
  136. // FIXME: middlewares/context.go did basic auth check already,
  137. // maybe could use that one.
  138. if len(auths) != 2 || auths[0] != "Basic" {
  139. ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
  140. return
  141. }
  142. authUsername, authPasswd, err = base.BasicAuthDecode(auths[1])
  143. if err != nil {
  144. ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
  145. return
  146. }
  147. // Check if username or password is a token
  148. isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
  149. // Assume username is token
  150. authToken := authUsername
  151. if !isUsernameToken {
  152. // Assume password is token
  153. authToken = authPasswd
  154. }
  155. uid := auth.CheckOAuthAccessToken(authToken)
  156. if uid != 0 {
  157. ctx.Data["IsApiToken"] = true
  158. authUser, err = models.GetUserByID(uid)
  159. if err != nil {
  160. ctx.ServerError("GetUserByID", err)
  161. return
  162. }
  163. }
  164. // Assume password is a token.
  165. token, err := models.GetAccessTokenBySHA(authToken)
  166. if err == nil {
  167. if isUsernameToken {
  168. authUser, err = models.GetUserByID(token.UID)
  169. if err != nil {
  170. ctx.ServerError("GetUserByID", err)
  171. return
  172. }
  173. } else {
  174. authUser, err = models.GetUserByName(authUsername)
  175. if err != nil {
  176. if models.IsErrUserNotExist(err) {
  177. ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
  178. } else {
  179. ctx.ServerError("GetUserByName", err)
  180. }
  181. return
  182. }
  183. if authUser.ID != token.UID {
  184. ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
  185. return
  186. }
  187. }
  188. token.UpdatedUnix = timeutil.TimeStampNow()
  189. if err = models.UpdateAccessToken(token); err != nil {
  190. ctx.ServerError("UpdateAccessToken", err)
  191. }
  192. } else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
  193. log.Error("GetAccessTokenBySha: %v", err)
  194. }
  195. if authUser == nil {
  196. // Check username and password
  197. authUser, err = models.UserSignIn(authUsername, authPasswd)
  198. if err != nil {
  199. if models.IsErrUserProhibitLogin(err) {
  200. ctx.HandleText(http.StatusForbidden, "User is not permitted to login")
  201. return
  202. } else if !models.IsErrUserNotExist(err) {
  203. ctx.ServerError("UserSignIn error: %v", err)
  204. return
  205. }
  206. }
  207. if authUser == nil {
  208. ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
  209. return
  210. }
  211. _, err = models.GetTwoFactorByUID(authUser.ID)
  212. if err == nil {
  213. // TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
  214. ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")
  215. return
  216. } else if !models.IsErrTwoFactorNotEnrolled(err) {
  217. ctx.ServerError("IsErrTwoFactorNotEnrolled", err)
  218. return
  219. }
  220. }
  221. }
  222. perm, err := models.GetUserRepoPermission(repo, authUser)
  223. if err != nil {
  224. ctx.ServerError("GetUserRepoPermission", err)
  225. return
  226. }
  227. if !perm.CanAccess(accessMode, unitType) {
  228. ctx.HandleText(http.StatusForbidden, "User permission denied")
  229. return
  230. }
  231. if !isPull && repo.IsMirror {
  232. ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
  233. return
  234. }
  235. environ = []string{
  236. models.EnvRepoUsername + "=" + username,
  237. models.EnvRepoName + "=" + reponame,
  238. models.EnvPusherName + "=" + authUser.Name,
  239. models.EnvPusherID + fmt.Sprintf("=%d", authUser.ID),
  240. models.ProtectedBranchRepoID + fmt.Sprintf("=%d", repo.ID),
  241. models.EnvIsDeployKey + "=false",
  242. }
  243. if !authUser.KeepEmailPrivate {
  244. environ = append(environ, models.EnvPusherEmail+"="+authUser.Email)
  245. }
  246. if isWiki {
  247. environ = append(environ, models.EnvRepoIsWiki+"=true")
  248. } else {
  249. environ = append(environ, models.EnvRepoIsWiki+"=false")
  250. }
  251. }
  252. HTTPBackend(ctx, &serviceConfig{
  253. UploadPack: true,
  254. ReceivePack: true,
  255. Env: environ,
  256. })(ctx.Resp, ctx.Req.Request)
  257. }
  258. type serviceConfig struct {
  259. UploadPack bool
  260. ReceivePack bool
  261. Env []string
  262. }
  263. type serviceHandler struct {
  264. cfg *serviceConfig
  265. w http.ResponseWriter
  266. r *http.Request
  267. dir string
  268. file string
  269. environ []string
  270. }
  271. func (h *serviceHandler) setHeaderNoCache() {
  272. h.w.Header().Set("Expires", "Fri, 01 Jan 1980 00:00:00 GMT")
  273. h.w.Header().Set("Pragma", "no-cache")
  274. h.w.Header().Set("Cache-Control", "no-cache, max-age=0, must-revalidate")
  275. }
  276. func (h *serviceHandler) setHeaderCacheForever() {
  277. now := time.Now().Unix()
  278. expires := now + 31536000
  279. h.w.Header().Set("Date", fmt.Sprintf("%d", now))
  280. h.w.Header().Set("Expires", fmt.Sprintf("%d", expires))
  281. h.w.Header().Set("Cache-Control", "public, max-age=31536000")
  282. }
  283. func (h *serviceHandler) sendFile(contentType string) {
  284. reqFile := path.Join(h.dir, h.file)
  285. fi, err := os.Stat(reqFile)
  286. if os.IsNotExist(err) {
  287. h.w.WriteHeader(http.StatusNotFound)
  288. return
  289. }
  290. h.w.Header().Set("Content-Type", contentType)
  291. h.w.Header().Set("Content-Length", fmt.Sprintf("%d", fi.Size()))
  292. h.w.Header().Set("Last-Modified", fi.ModTime().Format(http.TimeFormat))
  293. http.ServeFile(h.w, h.r, reqFile)
  294. }
  295. type route struct {
  296. reg *regexp.Regexp
  297. method string
  298. handler func(serviceHandler)
  299. }
  300. var routes = []route{
  301. {regexp.MustCompile(`(.*?)/git-upload-pack$`), "POST", serviceUploadPack},
  302. {regexp.MustCompile(`(.*?)/git-receive-pack$`), "POST", serviceReceivePack},
  303. {regexp.MustCompile(`(.*?)/info/refs$`), "GET", getInfoRefs},
  304. {regexp.MustCompile(`(.*?)/HEAD$`), "GET", getTextFile},
  305. {regexp.MustCompile(`(.*?)/objects/info/alternates$`), "GET", getTextFile},
  306. {regexp.MustCompile(`(.*?)/objects/info/http-alternates$`), "GET", getTextFile},
  307. {regexp.MustCompile(`(.*?)/objects/info/packs$`), "GET", getInfoPacks},
  308. {regexp.MustCompile(`(.*?)/objects/info/[^/]*$`), "GET", getTextFile},
  309. {regexp.MustCompile(`(.*?)/objects/[0-9a-f]{2}/[0-9a-f]{38}$`), "GET", getLooseObject},
  310. {regexp.MustCompile(`(.*?)/objects/pack/pack-[0-9a-f]{40}\.pack$`), "GET", getPackFile},
  311. {regexp.MustCompile(`(.*?)/objects/pack/pack-[0-9a-f]{40}\.idx$`), "GET", getIdxFile},
  312. }
  313. func getGitConfig(option, dir string) string {
  314. out, err := git.NewCommand("config", option).RunInDir(dir)
  315. if err != nil {
  316. log.Error("%v - %s", err, out)
  317. }
  318. return out[0 : len(out)-1]
  319. }
  320. func getConfigSetting(service, dir string) bool {
  321. service = strings.Replace(service, "-", "", -1)
  322. setting := getGitConfig("http."+service, dir)
  323. if service == "uploadpack" {
  324. return setting != "false"
  325. }
  326. return setting == "true"
  327. }
  328. func hasAccess(service string, h serviceHandler, checkContentType bool) bool {
  329. if checkContentType {
  330. if h.r.Header.Get("Content-Type") != fmt.Sprintf("application/x-git-%s-request", service) {
  331. return false
  332. }
  333. }
  334. if !(service == "upload-pack" || service == "receive-pack") {
  335. return false
  336. }
  337. if service == "receive-pack" {
  338. return h.cfg.ReceivePack
  339. }
  340. if service == "upload-pack" {
  341. return h.cfg.UploadPack
  342. }
  343. return getConfigSetting(service, h.dir)
  344. }
  345. func serviceRPC(h serviceHandler, service string) {
  346. defer func() {
  347. if err := h.r.Body.Close(); err != nil {
  348. log.Error("serviceRPC: Close: %v", err)
  349. }
  350. }()
  351. if !hasAccess(service, h, true) {
  352. h.w.WriteHeader(http.StatusUnauthorized)
  353. return
  354. }
  355. h.w.Header().Set("Content-Type", fmt.Sprintf("application/x-git-%s-result", service))
  356. var err error
  357. var reqBody = h.r.Body
  358. // Handle GZIP.
  359. if h.r.Header.Get("Content-Encoding") == "gzip" {
  360. reqBody, err = gzip.NewReader(reqBody)
  361. if err != nil {
  362. log.Error("Fail to create gzip reader: %v", err)
  363. h.w.WriteHeader(http.StatusInternalServerError)
  364. return
  365. }
  366. }
  367. // set this for allow pre-receive and post-receive execute
  368. h.environ = append(h.environ, "SSH_ORIGINAL_COMMAND="+service)
  369. var stderr bytes.Buffer
  370. cmd := exec.Command(git.GitExecutable, service, "--stateless-rpc", h.dir)
  371. cmd.Dir = h.dir
  372. if service == "receive-pack" {
  373. cmd.Env = append(os.Environ(), h.environ...)
  374. }
  375. cmd.Stdout = h.w
  376. cmd.Stdin = reqBody
  377. cmd.Stderr = &stderr
  378. if err := cmd.Run(); err != nil {
  379. log.Error("Fail to serve RPC(%s): %v - %s", service, err, stderr.String())
  380. return
  381. }
  382. }
  383. func serviceUploadPack(h serviceHandler) {
  384. serviceRPC(h, "upload-pack")
  385. }
  386. func serviceReceivePack(h serviceHandler) {
  387. serviceRPC(h, "receive-pack")
  388. }
  389. func getServiceType(r *http.Request) string {
  390. serviceType := r.FormValue("service")
  391. if !strings.HasPrefix(serviceType, "git-") {
  392. return ""
  393. }
  394. return strings.Replace(serviceType, "git-", "", 1)
  395. }
  396. func updateServerInfo(dir string) []byte {
  397. out, err := git.NewCommand("update-server-info").RunInDirBytes(dir)
  398. if err != nil {
  399. log.Error(fmt.Sprintf("%v - %s", err, string(out)))
  400. }
  401. return out
  402. }
  403. func packetWrite(str string) []byte {
  404. s := strconv.FormatInt(int64(len(str)+4), 16)
  405. if len(s)%4 != 0 {
  406. s = strings.Repeat("0", 4-len(s)%4) + s
  407. }
  408. return []byte(s + str)
  409. }
  410. func getInfoRefs(h serviceHandler) {
  411. h.setHeaderNoCache()
  412. if hasAccess(getServiceType(h.r), h, false) {
  413. service := getServiceType(h.r)
  414. refs, err := git.NewCommand(service, "--stateless-rpc", "--advertise-refs", ".").RunInDirBytes(h.dir)
  415. if err != nil {
  416. log.Error(fmt.Sprintf("%v - %s", err, string(refs)))
  417. }
  418. h.w.Header().Set("Content-Type", fmt.Sprintf("application/x-git-%s-advertisement", service))
  419. h.w.WriteHeader(http.StatusOK)
  420. _, _ = h.w.Write(packetWrite("# service=git-" + service + "\n"))
  421. _, _ = h.w.Write([]byte("0000"))
  422. _, _ = h.w.Write(refs)
  423. } else {
  424. updateServerInfo(h.dir)
  425. h.sendFile("text/plain; charset=utf-8")
  426. }
  427. }
  428. func getTextFile(h serviceHandler) {
  429. h.setHeaderNoCache()
  430. h.sendFile("text/plain")
  431. }
  432. func getInfoPacks(h serviceHandler) {
  433. h.setHeaderCacheForever()
  434. h.sendFile("text/plain; charset=utf-8")
  435. }
  436. func getLooseObject(h serviceHandler) {
  437. h.setHeaderCacheForever()
  438. h.sendFile("application/x-git-loose-object")
  439. }
  440. func getPackFile(h serviceHandler) {
  441. h.setHeaderCacheForever()
  442. h.sendFile("application/x-git-packed-objects")
  443. }
  444. func getIdxFile(h serviceHandler) {
  445. h.setHeaderCacheForever()
  446. h.sendFile("application/x-git-packed-objects-toc")
  447. }
  448. func getGitRepoPath(subdir string) (string, error) {
  449. if !strings.HasSuffix(subdir, ".git") {
  450. subdir += ".git"
  451. }
  452. fpath := path.Join(setting.RepoRootPath, subdir)
  453. if _, err := os.Stat(fpath); os.IsNotExist(err) {
  454. return "", err
  455. }
  456. return fpath, nil
  457. }
  458. // HTTPBackend middleware for git smart HTTP protocol
  459. func HTTPBackend(ctx *context.Context, cfg *serviceConfig) http.HandlerFunc {
  460. return func(w http.ResponseWriter, r *http.Request) {
  461. for _, route := range routes {
  462. r.URL.Path = strings.ToLower(r.URL.Path) // blue: In case some repo name has upper case name
  463. if m := route.reg.FindStringSubmatch(r.URL.Path); m != nil {
  464. if setting.Repository.DisableHTTPGit {
  465. w.WriteHeader(http.StatusForbidden)
  466. _, err := w.Write([]byte("Interacting with repositories by HTTP protocol is not allowed"))
  467. if err != nil {
  468. log.Error(err.Error())
  469. }
  470. return
  471. }
  472. if route.method != r.Method {
  473. if r.Proto == "HTTP/1.1" {
  474. w.WriteHeader(http.StatusMethodNotAllowed)
  475. _, err := w.Write([]byte("Method Not Allowed"))
  476. if err != nil {
  477. log.Error(err.Error())
  478. }
  479. } else {
  480. w.WriteHeader(http.StatusBadRequest)
  481. _, err := w.Write([]byte("Bad Request"))
  482. if err != nil {
  483. log.Error(err.Error())
  484. }
  485. }
  486. return
  487. }
  488. file := strings.Replace(r.URL.Path, m[1]+"/", "", 1)
  489. dir, err := getGitRepoPath(m[1])
  490. if err != nil {
  491. log.Error(err.Error())
  492. ctx.NotFound("HTTPBackend", err)
  493. return
  494. }
  495. route.handler(serviceHandler{cfg, w, r, dir, file, cfg.Env})
  496. return
  497. }
  498. }
  499. ctx.NotFound("HTTPBackend", nil)
  500. }
  501. }
上海开阖软件有限公司 沪ICP备12045867号-1