rhodecode-enterprise-ce Files · rhodecode/apps/ssh_support/lib/backends/base.py

feat(configs): deprecared old hooks protocol and ssh wrapper....

feat(configs): deprecared old hooks protocol and ssh wrapper. New defaults are now set on v2 keys, so previous installation are automatically set to new keys. Fallback mode is still available.

super-admin - - Load All Authors

File last commit:

r5496:cab50adf default


                r5496:cab50adf

default

Download file

             base.py
        
                    175 lines
            
             | 6.2 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / rhodecode / apps / ssh_support / lib / backends / base.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        super-admin
    
copyrights: updated for 2023

              r5088
            
      # Copyright (C) 2016-2023 RhodeCode GmbH

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
      #

      # This program is free software: you can redistribute it and/or modify

      # it under the terms of the GNU Affero General Public License, version 3

      # (only), as published by the Free Software Foundation.

      #

      # This program is distributed in the hope that it will be useful,

      # but WITHOUT ANY WARRANTY; without even the implied warranty of

      # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

      # GNU General Public License for more details.

      #

      # You should have received a copy of the GNU Affero General Public License

      # along with this program.  If not, see <http://www.gnu.org/licenses/>.

      #

      # This program is dual-licensed. If you wish to learn more about the

      # RhodeCode Enterprise Edition, including its added features, Support services,

      # and proprietary license terms, please see https://rhodecode.com/licenses/

      import os

      import sys

      import logging

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
      from rhodecode.lib.hook_daemon.base import prepare_callback_daemon

        super-admin
    
core: multiple fixes to unicode vs str usage...

              r5065
            
      from rhodecode.lib.ext_json import sjson as json

        marcink
    
ssh: use proper way of extracting the HOOK_PROTOCOL out of vcssettings....

              r2212
            
      from rhodecode.lib.vcs.conf import settings as vcs_settings

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
      from rhodecode.lib.api_utils import call_service_api

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
      log = logging.getLogger(__name__)

        ilin.s
    
refactor(ssh-wrapper): changed SSHVcsServer to SshVcsServer, updated call_service_api method.

              r5326
            
      class SshVcsServer(object):

        super-admin
    
statsd/audit-logs: cleanup push/pull user agent code....

              r4858
            
          repo_user_agent = None  # set in child classes

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
          _path = None  # set executable path for hg/git/svn binary

          backend = None  # set in child classes

          tunnel = None  # subprocess handling tunnel

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
          settings = None  # parsed settings module

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
          write_perms = ['repository.admin', 'repository.write']

          read_perms = ['repository.read', 'repository.admin', 'repository.write']

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
          def __init__(self, user, user_permissions, settings, env):

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              self.user = user

              self.user_permissions = user_permissions

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
              self.settings = settings

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              self.env = env

              self.stdin = sys.stdin

              self.repo_name = None

              self.repo_mode = None

              self.store = ''

              self.ini_path = ''

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
              self.hooks_protocol = None

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
          def _invalidate_cache(self, repo_name):

              """

              Set's cache for this repository for invalidation on next access

              :param repo_name: full repo name, also a cache key

              """

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
              # Todo: Leave only "celery" case after transition.

              match self.hooks_protocol:

                  case 'http':

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
                      from rhodecode.model.scm import ScmModel

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                      ScmModel().mark_for_invalidation(repo_name)

                  case 'celery':

        ilin.s
    
refactor(ssh-wrapper): changed SSHVcsServer to SshVcsServer, updated call_service_api method.

              r5326
            
                      call_service_api(self.settings, {

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                          "method": "service_mark_for_invalidation",

                          "args": {"repo_name": repo_name}

                      })

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
          def has_write_perm(self):

              permission = self.user_permissions.get(self.repo_name)

              if permission in ['repository.write', 'repository.admin']:

                  return True

              return False

          def _check_permissions(self, action):

              permission = self.user_permissions.get(self.repo_name)

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
              user_info = f'{self.user["user_id"]}:{self.user["username"]}'

        dan
    
svn: fixed case of wrong extracted repository name for SSH backend. In cases...

              r4281
            
              log.debug('permission for %s on %s are: %s',

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                        user_info, self.repo_name, permission)

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
        marcink
    
ssh: improve logging, and make the UI show last accessed date for key.

              r2973
            
              if not permission:

                  log.error('user `%s` permissions to repo:%s are empty. Forbidding access.',

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                            user_info, self.repo_name)

        marcink
    
ssh: improve logging, and make the UI show last accessed date for key.

              r2973
            
                  return -2

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              if action == 'pull':

                  if permission in self.read_perms:

                      log.info(

                          'READ Permissions for User "%s" detected to repo "%s"!',

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                          user_info, self.repo_name)

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
                      return 0

              else:

                  if permission in self.write_perms:

                      log.info(

        marcink
    
permissions: rename write+ to write or higher for more explicit meaning.

              r4462
            
                          'WRITE, or Higher Permissions for User "%s" detected to repo "%s"!',

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                          user_info, self.repo_name)

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
                      return 0

        marcink
    
ssh: improve logging, and make the UI show last accessed date for key.

              r2973
            
              log.error('Cannot properly fetch or verify user `%s` permissions. '

                        'Permissions: %s, vcs action: %s',

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                        user_info, permission, action)

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              return -2

          def update_environment(self, action, extras=None):

              scm_data = {

                  'ip': os.environ['SSH_CLIENT'].split()[0],

                  'username': self.user.username,

        marcink
    
vcs-ops: store user_id inside the extras for vcs context operations....

              r2411
            
                  'user_id': self.user.user_id,

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
                  'action': action,

                  'repository': self.repo_name,

                  'scm': self.backend,

                  'config': self.ini_path,

        marcink
    
hooks: pass in store_path into env for hooks.

              r3094
            
                  'repo_store': self.store,

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
                  'make_lock': None,

                  'locked_by': [None, None],

                  'server_url': None,

        super-admin
    
apps: modernize for python3

              r5093
            
                  'user_agent': f'{self.repo_user_agent}/ssh-user-agent',

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
                  'hooks': ['push', 'pull'],

        super-admin
    
feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...

              r5325
            
                  'hooks_module': 'rhodecode.lib.hook_daemon.hook_module',

        marcink
    
branch-permissions: enabled branch permissions checks for SSH backend.

              r2982
            
                  'is_shadow_repo': False,

                  'detect_force_push': False,

                  'check_branch_perms': False,

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
                  'SSH': True,

        marcink
    
branch-permissions: enabled branch permissions checks for SSH backend.

              r2982
            
                  'SSH_PERMISSIONS': self.user_permissions.get(self.repo_name),

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              }

              if extras:

                  scm_data.update(extras)

              os.putenv("RC_SCM_DATA", json.dumps(scm_data))

        super-admin
    
feat(ssh-wrapper): added pre/post pull hooks on top of git for ssh backend....

              r5302
            
              return scm_data

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
          def get_root_store(self):

              root_store = self.store

              if not root_store.endswith('/'):

                  # always append trailing slash

                  root_store = root_store + '/'

              return root_store

          def _handle_tunnel(self, extras):

              # pre-auth

              action = 'pull'

              exit_code = self._check_permissions(action)

              if exit_code:

                  return exit_code, False

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
              req = self.env.get('request')

              if req:

                  server_url = req.host_url + req.script_name

                  extras['server_url'] = server_url

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              log.debug('Using %s binaries from path %s', self.backend, self._path)

              exit_code = self.tunnel.run(extras)

              return exit_code, action == "push"

        marcink
    
branch-permissions: enabled branch permissions checks for SSH backend.

              r2982
            
          def run(self, tunnel_extras=None):

        super-admin
    
feat(configs): deprecared old hooks protocol and ssh wrapper....

              r5496
            
              self.hooks_protocol = self.settings['vcs.hooks.protocol.v2']

        marcink
    
branch-permissions: enabled branch permissions checks for SSH backend.

              r2982
            
              tunnel_extras = tunnel_extras or {}

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              extras = {}

        marcink
    
branch-permissions: enabled branch permissions checks for SSH backend.

              r2982
            
              extras.update(tunnel_extras)

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              callback_daemon, extras = prepare_callback_daemon(

        ilin.s
    
fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6

              r5314
            
                  extras, protocol=self.hooks_protocol,

        ilin.s
    
feat(celery-hooks): added all needed changes to support new celery backend, removed DummyHooksCallbackDaemon, updated tests. Fixes:  RCCE-55

              r5298
            
                  host=vcs_settings.HOOKS_HOST)

        marcink
    
ssh-support: enabled full handling of all backends via SSH....

              r2187
            
              with callback_daemon:

                  try:

                      return self._handle_tunnel(extras)

                  finally:

                      log.debug('Running cleanup with cache invalidation')

                      if self.repo_name:

                          self._invalidate_cache(self.repo_name)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

super-admin copyrights: updated for 2023	r5088	# Copyright (C) 2016-2023 RhodeCode GmbH
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	#
		# This program is free software: you can redistribute it and/or modify
		# it under the terms of the GNU Affero General Public License, version 3
		# (only), as published by the Free Software Foundation.
		#
		# This program is distributed in the hope that it will be useful,
		# but WITHOUT ANY WARRANTY; without even the implied warranty of
		# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		# GNU General Public License for more details.
		#
		# You should have received a copy of the GNU Affero General Public License
		# along with this program. If not, see <http://www.gnu.org/licenses/>.
		#
		# This program is dual-licensed. If you wish to learn more about the
		# RhodeCode Enterprise Edition, including its added features, Support services,
		# and proprietary license terms, please see https://rhodecode.com/licenses/

		import os
		import sys
		import logging

super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	from rhodecode.lib.hook_daemon.base import prepare_callback_daemon
super-admin core: multiple fixes to unicode vs str usage...	r5065	from rhodecode.lib.ext_json import sjson as json
marcink ssh: use proper way of extracting the HOOK_PROTOCOL out of vcssettings....	r2212	from rhodecode.lib.vcs.conf import settings as vcs_settings
super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	from rhodecode.lib.api_utils import call_service_api
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		log = logging.getLogger(__name__)


ilin.s refactor(ssh-wrapper): changed SSHVcsServer to SshVcsServer, updated call_service_api method.	r5326	class SshVcsServer(object):
super-admin statsd/audit-logs: cleanup push/pull user agent code....	r4858	repo_user_agent = None # set in child classes
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	_path = None # set executable path for hg/git/svn binary
		backend = None # set in child classes
		tunnel = None # subprocess handling tunnel
super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	settings = None # parsed settings module
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	write_perms = ['repository.admin', 'repository.write']
		read_perms = ['repository.read', 'repository.admin', 'repository.write']

super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	def __init__(self, user, user_permissions, settings, env):
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	self.user = user
		self.user_permissions = user_permissions
super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	self.settings = settings
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	self.env = env
		self.stdin = sys.stdin

		self.repo_name = None
		self.repo_mode = None
		self.store = ''
		self.ini_path = ''
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	self.hooks_protocol = None
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		def _invalidate_cache(self, repo_name):
		"""
		Set's cache for this repository for invalidation on next access

		:param repo_name: full repo name, also a cache key
		"""
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	# Todo: Leave only "celery" case after transition.
		match self.hooks_protocol:
		case 'http':
super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	from rhodecode.model.scm import ScmModel
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	ScmModel().mark_for_invalidation(repo_name)
		case 'celery':
ilin.s refactor(ssh-wrapper): changed SSHVcsServer to SshVcsServer, updated call_service_api method.	r5326	call_service_api(self.settings, {
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	"method": "service_mark_for_invalidation",
		"args": {"repo_name": repo_name}
		})
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		def has_write_perm(self):
		permission = self.user_permissions.get(self.repo_name)
		if permission in ['repository.write', 'repository.admin']:
		return True

		return False

		def _check_permissions(self, action):
		permission = self.user_permissions.get(self.repo_name)
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	user_info = f'{self.user["user_id"]}:{self.user["username"]}'
dan svn: fixed case of wrong extracted repository name for SSH backend. In cases...	r4281	log.debug('permission for %s on %s are: %s',
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	user_info, self.repo_name, permission)
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
marcink ssh: improve logging, and make the UI show last accessed date for key.	r2973	if not permission:
		log.error('user `%s` permissions to repo:%s are empty. Forbidding access.',
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	user_info, self.repo_name)
marcink ssh: improve logging, and make the UI show last accessed date for key.	r2973	return -2

marcink ssh-support: enabled full handling of all backends via SSH....	r2187	if action == 'pull':
		if permission in self.read_perms:
		log.info(
		'READ Permissions for User "%s" detected to repo "%s"!',
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	user_info, self.repo_name)
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	return 0
		else:
		if permission in self.write_perms:
		log.info(
marcink permissions: rename write+ to write or higher for more explicit meaning.	r4462	'WRITE, or Higher Permissions for User "%s" detected to repo "%s"!',
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	user_info, self.repo_name)
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	return 0

marcink ssh: improve logging, and make the UI show last accessed date for key.	r2973	log.error('Cannot properly fetch or verify user `%s` permissions. '
		'Permissions: %s, vcs action: %s',
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	user_info, permission, action)
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	return -2

		def update_environment(self, action, extras=None):

		scm_data = {
		'ip': os.environ['SSH_CLIENT'].split()[0],
		'username': self.user.username,
marcink vcs-ops: store user_id inside the extras for vcs context operations....	r2411	'user_id': self.user.user_id,
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	'action': action,
		'repository': self.repo_name,
		'scm': self.backend,
		'config': self.ini_path,
marcink hooks: pass in store_path into env for hooks.	r3094	'repo_store': self.store,
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	'make_lock': None,
		'locked_by': [None, None],
		'server_url': None,
super-admin apps: modernize for python3	r5093	'user_agent': f'{self.repo_user_agent}/ssh-user-agent',
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	'hooks': ['push', 'pull'],
super-admin feat(ssh-wrapper-speedup): major rewrite of code to address imports problem with ssh-wrapper-v2...	r5325	'hooks_module': 'rhodecode.lib.hook_daemon.hook_module',
marcink branch-permissions: enabled branch permissions checks for SSH backend.	r2982	'is_shadow_repo': False,
		'detect_force_push': False,
		'check_branch_perms': False,

marcink ssh-support: enabled full handling of all backends via SSH....	r2187	'SSH': True,
marcink branch-permissions: enabled branch permissions checks for SSH backend.	r2982	'SSH_PERMISSIONS': self.user_permissions.get(self.repo_name),
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	}
		if extras:
		scm_data.update(extras)
		os.putenv("RC_SCM_DATA", json.dumps(scm_data))
super-admin feat(ssh-wrapper): added pre/post pull hooks on top of git for ssh backend....	r5302	return scm_data
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		def get_root_store(self):
		root_store = self.store
		if not root_store.endswith('/'):
		# always append trailing slash
		root_store = root_store + '/'
		return root_store

		def _handle_tunnel(self, extras):
		# pre-auth
		action = 'pull'
		exit_code = self._check_permissions(action)
		if exit_code:
		return exit_code, False

ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	req = self.env.get('request')
		if req:
		server_url = req.host_url + req.script_name
		extras['server_url'] = server_url
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		log.debug('Using %s binaries from path %s', self.backend, self._path)
		exit_code = self.tunnel.run(extras)

		return exit_code, action == "push"

marcink branch-permissions: enabled branch permissions checks for SSH backend.	r2982	def run(self, tunnel_extras=None):
super-admin feat(configs): deprecared old hooks protocol and ssh wrapper....	r5496	self.hooks_protocol = self.settings['vcs.hooks.protocol.v2']
marcink branch-permissions: enabled branch permissions checks for SSH backend.	r2982	tunnel_extras = tunnel_extras or {}
marcink ssh-support: enabled full handling of all backends via SSH....	r2187	extras = {}
marcink branch-permissions: enabled branch permissions checks for SSH backend.	r2982	extras.update(tunnel_extras)
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		callback_daemon, extras = prepare_callback_daemon(
ilin.s fix(ssh): Added alternative SshWrapper and changes needed to support it + service api. Fixes: RCCE-6	r5314	extras, protocol=self.hooks_protocol,
ilin.s feat(celery-hooks): added all needed changes to support new celery backend, removed DummyHooksCallbackDaemon, updated tests. Fixes: RCCE-55	r5298	host=vcs_settings.HOOKS_HOST)
marcink ssh-support: enabled full handling of all backends via SSH....	r2187
		with callback_daemon:
		try:
		return self._handle_tunnel(extras)
		finally:
		log.debug('Running cleanup with cache invalidation')
		if self.repo_name:
		self._invalidate_cache(self.repo_name)