simplevcs.py
689 lines
| 28.1 KiB
| text/x-python
|
PythonLexer
| r5054 | ||||
| r1 | ||||
| r5088 | # Copyright (C) 2014-2023 RhodeCode GmbH | |||
| r1 | # | |||
| # This program is free software: you can redistribute it and/or modify | ||||
| # it under the terms of the GNU Affero General Public License, version 3 | ||||
| # (only), as published by the Free Software Foundation. | ||||
| # | ||||
| # This program is distributed in the hope that it will be useful, | ||||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
| # GNU General Public License for more details. | ||||
| # | ||||
| # You should have received a copy of the GNU Affero General Public License | ||||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||||
| # | ||||
| # This program is dual-licensed. If you wish to learn more about the | ||||
| # RhodeCode Enterprise Edition, including its added features, Support services, | ||||
| # and proprietary license terms, please see https://rhodecode.com/licenses/ | ||||
| """ | ||||
| SimpleVCS middleware for handling protocol request (push/clone etc.) | ||||
| It's implemented with basic auth function | ||||
| """ | ||||
| import os | ||||
| r2154 | import re | |||
| r4973 | import io | |||
| r1 | import logging | |||
| import importlib | ||||
| from functools import wraps | ||||
| r2677 | from lxml import etree | |||
| r1 | ||||
| r2154 | import time | |||
| r1 | from paste.httpheaders import REMOTE_USER, AUTH_TYPE | |||
| r2677 | ||||
| r2351 | from pyramid.httpexceptions import ( | |||
| r1 | HTTPNotFound, HTTPForbidden, HTTPNotAcceptable, HTTPInternalServerError) | |||
| r2404 | from zope.cachedescriptors.property import Lazy as LazyProperty | |||
| r1 | ||||
| import rhodecode | ||||
| r2845 | from rhodecode.authentication.base import authenticate, VCS_TYPE, loadplugin | |||
| r2932 | from rhodecode.lib import rc_cache | |||
| r1 | from rhodecode.lib.auth import AuthUser, HasPermissionAnyMiddleware | |||
| r1711 | from rhodecode.lib.base import ( | |||
| BasicAuth, get_ip_addr, get_user_agent, vcs_operation_context) | ||||
| r2677 | from rhodecode.lib.exceptions import (UserCreationError, NotAllowedToCreateUserError) | |||
| r1 | from rhodecode.lib.hooks_daemon import prepare_callback_daemon | |||
| from rhodecode.lib.middleware import appenlight | ||||
| r1409 | from rhodecode.lib.middleware.utils import scm_app_http | |||
| r5031 | from rhodecode.lib.str_utils import safe_bytes | |||
| r2154 | from rhodecode.lib.utils import is_valid_repo, SLUG_RE | |||
| r5065 | from rhodecode.lib.utils2 import safe_str, fix_PATH, str2bool | |||
Martin Bornhold
|
r590 | from rhodecode.lib.vcs.conf import settings as vcs_settings | ||
| r754 | from rhodecode.lib.vcs.backends import base | |||
| r2677 | ||||
| r1 | from rhodecode.model import meta | |||
|
Martin Bornhold
|
r894 | from rhodecode.model.db import User, Repository, PullRequest | ||
| r1 | from rhodecode.model.scm import ScmModel | |||
|
Martin Bornhold
|
r894 | from rhodecode.model.pull_request import PullRequestModel | ||
| r2351 | from rhodecode.model.settings import SettingsModel, VcsSettingsModel | |||
| r754 | ||||
| r1 | log = logging.getLogger(__name__) | |||
| r2677 | def extract_svn_txn_id(acl_repo_name, data): | |||
| """ | ||||
| r2970 | Helper method for extraction of svn txn_id from submitted XML data during | |||
| r2677 | POST operations | |||
| """ | ||||
| try: | ||||
| root = etree.fromstring(data) | ||||
| pat = re.compile(r'/txn/(?P<txn_id>.*)') | ||||
| for el in root: | ||||
| if el.tag == '{DAV:}source': | ||||
| for sub_el in el: | ||||
| if sub_el.tag == '{DAV:}href': | ||||
| match = pat.search(sub_el.text) | ||||
| if match: | ||||
| svn_tx_id = match.groupdict()['txn_id'] | ||||
| r2970 | txn_id = rc_cache.utils.compute_key_from_params( | |||
| r2677 | acl_repo_name, svn_tx_id) | |||
| return txn_id | ||||
| except Exception: | ||||
| log.exception('Failed to extract txn_id') | ||||
| r1 | def initialize_generator(factory): | |||
| """ | ||||
| Initializes the returned generator by draining its first element. | ||||
| This can be used to give a generator an initializer, which is the code | ||||
| up to the first yield statement. This decorator enforces that the first | ||||
| produced element has the value ``"__init__"`` to make its special | ||||
| purpose very explicit in the using code. | ||||
| """ | ||||
| @wraps(factory) | ||||
| def wrapper(*args, **kwargs): | ||||
| gen = factory(*args, **kwargs) | ||||
| try: | ||||
| r4936 | init = next(gen) | |||
| r1 | except StopIteration: | |||
| raise ValueError('Generator must yield at least one element.') | ||||
| if init != "__init__": | ||||
| raise ValueError('First yielded element must be "__init__".') | ||||
| return gen | ||||
| return wrapper | ||||
| class SimpleVCS(object): | ||||
| """Common functionality for SCM HTTP handlers.""" | ||||
| SCM = 'unknown' | ||||
| r887 | acl_repo_name = None | |||
| url_repo_name = None | ||||
| vcs_repo_name = None | ||||
| r2389 | rc_extras = {} | |||
| r887 | ||||
|
Martin Bornhold
|
r902 | # We have to handle requests to shadow repositories different than requests | ||
| # to normal repositories. Therefore we have to distinguish them. To do this | ||||
| # we use this regex which will match only on URLs pointing to shadow | ||||
| # repositories. | ||||
| shadow_repo_re = re.compile( | ||||
| r4973 | '(?P<groups>(?:{slug_pat}/)*)' # repo groups | |||
| '(?P<target>{slug_pat})/' # target repo | ||||
| 'pull-request/(?P<pr_id>\\d+)/' # pull request | ||||
| 'repository$' # shadow repo | ||||
|
Martin Bornhold
|
r902 | .format(slug_pat=SLUG_RE.pattern)) | ||
| r2351 | def __init__(self, config, registry): | |||
|
Martin Bornhold
|
r591 | self.registry = registry | ||
| r1 | self.config = config | |||
| r757 | # re-populated by specialized middleware | |||
| r754 | self.repo_vcs_config = base.Config() | |||
| r2351 | ||||
| r4220 | rc_settings = SettingsModel().get_all_settings(cache=True, from_request=False) | |||
| realm = rc_settings.get('rhodecode_realm') or 'RhodeCode AUTH' | ||||
| r1 | # authenticate this VCS request using authfunc | |||
| auth_ret_code_detection = \ | ||||
| str2bool(self.config.get('auth_ret_code_detection', False)) | ||||
|
Martin Bornhold
|
r591 | self.authenticate = BasicAuth( | ||
| '', authenticate, registry, config.get('auth_ret_code'), | ||||
| r4220 | auth_ret_code_detection, rc_realm=realm) | |||
| r1 | self.ip_addr = '0.0.0.0' | |||
| r2404 | @LazyProperty | |||
| def global_vcs_config(self): | ||||
| try: | ||||
| return VcsSettingsModel().get_ui_settings_as_config_obj() | ||||
| except Exception: | ||||
| return base.Config() | ||||
| r2351 | @property | |||
| def base_path(self): | ||||
| r3328 | settings_path = self.repo_vcs_config.get(*VcsSettingsModel.PATH_SETTING) | |||
| r2404 | ||||
| if not settings_path: | ||||
| r3328 | settings_path = self.global_vcs_config.get(*VcsSettingsModel.PATH_SETTING) | |||
| r2404 | ||||
| r2362 | if not settings_path: | |||
| # try, maybe we passed in explicitly as config option | ||||
| settings_path = self.config.get('base_path') | ||||
| r2404 | ||||
| if not settings_path: | ||||
| raise ValueError('FATAL: base_path is empty') | ||||
| r2362 | return settings_path | |||
| r2351 | ||||
|
Martin Bornhold
|
r889 | def set_repo_names(self, environ): | ||
| """ | ||||
|
Martin Bornhold
|
r892 | This will populate the attributes acl_repo_name, url_repo_name, | ||
|
Martin Bornhold
|
r904 | vcs_repo_name and is_shadow_repo. In case of requests to normal (non | ||
| shadow) repositories all names are equal. In case of requests to a | ||||
| shadow repository the acl-name points to the target repo of the pull | ||||
| request and the vcs-name points to the shadow repo file system path. | ||||
| The url-name is always the URL used by the vcs client program. | ||||
|
Martin Bornhold
|
r889 | |||
|
Martin Bornhold
|
r904 | Example in case of a shadow repo: | ||
| acl_repo_name = RepoGroup/MyRepo | ||||
| url_repo_name = RepoGroup/MyRepo/pull-request/3/repository | ||||
| vcs_repo_name = /repo/base/path/RepoGroup/.__shadow_MyRepo_pr-3' | ||||
| """ | ||||
| # First we set the repo name from URL for all attributes. This is the | ||||
| # default if handling normal (non shadow) repo requests. | ||||
| self.url_repo_name = self._get_repository_name(environ) | ||||
| self.acl_repo_name = self.vcs_repo_name = self.url_repo_name | ||||
| self.is_shadow_repo = False | ||||
| # Check if this is a request to a shadow repository. | ||||
|
Martin Bornhold
|
r902 | match = self.shadow_repo_re.match(self.url_repo_name) | ||
|
Martin Bornhold
|
r889 | if match: | ||
| match_dict = match.groupdict() | ||||
|
Martin Bornhold
|
r892 | |||
|
Martin Bornhold
|
r904 | # Build acl repo name from regex match. | ||
| r5065 | acl_repo_name = safe_str('{groups}{target}'.format( | |||
|
Martin Bornhold
|
r911 | groups=match_dict['groups'] or '', | ||
| target=match_dict['target'])) | ||||
|
Martin Bornhold
|
r904 | |||
| # Retrieve pull request instance by ID from regex match. | ||||
| pull_request = PullRequest.get(match_dict['pr_id']) | ||||
|
Martin Bornhold
|
r892 | |||
|
Martin Bornhold
|
r904 | # Only proceed if we got a pull request and if acl repo name from | ||
| # URL equals the target repo name of the pull request. | ||||
| r3931 | if pull_request and (acl_repo_name == pull_request.target_repo.repo_name): | |||
|
Martin Bornhold
|
r904 | # Get file system path to shadow repository. | ||
| workspace_id = PullRequestModel()._workspace_id(pull_request) | ||||
| r3931 | vcs_repo_name = pull_request.target_repo.get_shadow_repository_path(workspace_id) | |||
|
Martin Bornhold
|
r904 | |||
| # Store names for later usage. | ||||
| self.vcs_repo_name = vcs_repo_name | ||||
| self.acl_repo_name = acl_repo_name | ||||
| self.is_shadow_repo = True | ||||
| r1297 | log.debug('Setting all VCS repository names: %s', { | |||
|
Martin Bornhold
|
r904 | 'acl_repo_name': self.acl_repo_name, | ||
| 'url_repo_name': self.url_repo_name, | ||||
| 'vcs_repo_name': self.vcs_repo_name, | ||||
| }) | ||||
|
Martin Bornhold
|
r889 | |||
| r1 | @property | |||
| def scm_app(self): | ||||
|
Martin Bornhold
|
r962 | custom_implementation = self.config['vcs.scm_app_implementation'] | ||
| if custom_implementation == 'http': | ||||
| r3876 | log.debug('Using HTTP implementation of scm app.') | |||
|
Martin Bornhold
|
r962 | scm_app_impl = scm_app_http | ||
| else: | ||||
| r3876 | log.debug('Using custom implementation of scm_app: "{}"'.format( | |||
|
Martin Bornhold
|
r962 | custom_implementation)) | ||
| r1 | scm_app_impl = importlib.import_module(custom_implementation) | |||
| return scm_app_impl | ||||
| def _get_by_id(self, repo_name): | ||||
| """ | ||||
| Gets a special pattern _<ID> from clone url and tries to replace it | ||||
| r757 | with a repository_name for support of _<ID> non changeable urls | |||
| r1 | """ | |||
| data = repo_name.split('/') | ||||
| if len(data) >= 2: | ||||
| from rhodecode.model.repo import RepoModel | ||||
| by_id_match = RepoModel().get_repo_by_id(repo_name) | ||||
| if by_id_match: | ||||
| data[1] = by_id_match.repo_name | ||||
| r5031 | # Because PEP-3333-WSGI uses bytes-tunneled-in-latin-1 as PATH_INFO | |||
| # and we use this data | ||||
| maybe_new_path = '/'.join(data) | ||||
| return safe_bytes(maybe_new_path).decode('latin1') | ||||
| r1 | ||||
| def _invalidate_cache(self, repo_name): | ||||
| """ | ||||
| Set's cache for this repository for invalidation on next access | ||||
| :param repo_name: full repo name, also a cache key | ||||
| """ | ||||
| ScmModel().mark_for_invalidation(repo_name) | ||||
| def is_valid_and_existing_repo(self, repo_name, base_path, scm_type): | ||||
| db_repo = Repository.get_by_repo_name(repo_name) | ||||
| if not db_repo: | ||||
| r10 | log.debug('Repository `%s` not found inside the database.', | |||
| repo_name) | ||||
| r1 | return False | |||
| if db_repo.repo_type != scm_type: | ||||
| log.warning( | ||||
| 'Repository `%s` have incorrect scm_type, expected %s got %s', | ||||
| repo_name, db_repo.repo_type, scm_type) | ||||
| return False | ||||
| r2519 | config = db_repo._config | |||
| config.set('extensions', 'largefiles', '') | ||||
| return is_valid_repo( | ||||
| repo_name, base_path, | ||||
| explicit_scm=scm_type, expect_scm=scm_type, config=config) | ||||
| r1 | ||||
| def valid_and_active_user(self, user): | ||||
| """ | ||||
| Checks if that user is not empty, and if it's actually object it checks | ||||
| if he's active. | ||||
| :param user: user object or None | ||||
| :return: boolean | ||||
| """ | ||||
| if user is None: | ||||
| return False | ||||
| elif user.active: | ||||
| return True | ||||
| return False | ||||
| r2069 | @property | |||
| def is_shadow_repo_dir(self): | ||||
| return os.path.isdir(self.vcs_repo_name) | ||||
| r2979 | def _check_permission(self, action, user, auth_user, repo_name, ip_addr=None, | |||
| r2154 | plugin_id='', plugin_cache_active=False, cache_ttl=0): | |||
| r1 | """ | |||
| Checks permissions using action (push/pull) user and repository | ||||
| r2154 | name. If plugin_cache and ttl is set it will use the plugin which | |||
| authenticated the user to store the cached permissions result for N | ||||
| amount of seconds as in cache_ttl | ||||
| r1 | ||||
| :param action: push or pull action | ||||
| :param user: user instance | ||||
| :param repo_name: repository name | ||||
| """ | ||||
| r2154 | ||||
| log.debug('AUTH_CACHE_TTL for permissions `%s` active: %s (TTL: %s)', | ||||
| plugin_id, plugin_cache_active, cache_ttl) | ||||
| r2845 | user_id = user.user_id | |||
| r5106 | cache_namespace_uid = f'cache_user_auth.{rc_cache.PERMISSIONS_CACHE_VER}.{user_id}' | |||
| r2845 | region = rc_cache.get_or_create_region('cache_perms', cache_namespace_uid) | |||
| r1 | ||||
| r2892 | @region.conditional_cache_on_arguments(namespace=cache_namespace_uid, | |||
| expiration_time=cache_ttl, | ||||
| condition=plugin_cache_active) | ||||
| r2845 | def compute_perm_vcs( | |||
| cache_name, plugin_id, action, user_id, repo_name, ip_addr): | ||||
| r2154 | ||||
| log.debug('auth: calculating permission access now...') | ||||
| # check IP | ||||
| inherit = user.inherit_default_permissions | ||||
| ip_allowed = AuthUser.check_ip_allowed( | ||||
| r2845 | user_id, ip_addr, inherit_from_default=inherit) | |||
| r2154 | if ip_allowed: | |||
| log.info('Access for IP:%s allowed', ip_addr) | ||||
| else: | ||||
| r1 | return False | |||
| r2154 | if action == 'push': | |||
| perms = ('repository.write', 'repository.admin') | ||||
| r2979 | if not HasPermissionAnyMiddleware(*perms)(auth_user, repo_name): | |||
| r2154 | return False | |||
| else: | ||||
| # any other action need at least read permission | ||||
| perms = ( | ||||
| 'repository.read', 'repository.write', 'repository.admin') | ||||
| r2979 | if not HasPermissionAnyMiddleware(*perms)(auth_user, repo_name): | |||
| r2154 | return False | |||
| return True | ||||
| r2845 | start = time.time() | |||
| log.debug('Running plugin `%s` permissions check', plugin_id) | ||||
| # for environ based auth, password can be empty, but then the validation is | ||||
| # on the server that fills in the env data needed for authentication | ||||
| perm_result = compute_perm_vcs( | ||||
| 'vcs_permissions', plugin_id, action, user.user_id, repo_name, ip_addr) | ||||
| r1 | ||||
| r2154 | auth_time = time.time() - start | |||
| r3853 | log.debug('Permissions for plugin `%s` completed in %.4fs, ' | |||
| r2154 | 'expiration time of fetched cache %.1fs.', | |||
| plugin_id, auth_time, cache_ttl) | ||||
| return perm_result | ||||
| r1 | ||||
| r3781 | def _get_http_scheme(self, environ): | |||
| try: | ||||
| return environ['wsgi.url_scheme'] | ||||
| except Exception: | ||||
| log.exception('Failed to read http scheme') | ||||
| return 'http' | ||||
| r1 | def _check_ssl(self, environ, start_response): | |||
| """ | ||||
| Checks the SSL check flag and returns False if SSL is not present | ||||
| and required True otherwise | ||||
| """ | ||||
| org_proto = environ['wsgi._org_proto'] | ||||
| # check if we have SSL required ! if not it's a bad request ! | ||||
| r756 | require_ssl = str2bool(self.repo_vcs_config.get('web', 'push_ssl')) | |||
| r1 | if require_ssl and org_proto == 'http': | |||
| r2593 | log.debug( | |||
| 'Bad request: detected protocol is `%s` and ' | ||||
| 'SSL/HTTPS is required.', org_proto) | ||||
| r1 | return False | |||
| return True | ||||
| r2425 | def _get_default_cache_ttl(self): | |||
| # take AUTH_CACHE_TTL from the `rhodecode` auth plugin | ||||
| plugin = loadplugin('egg:rhodecode-enterprise-ce#rhodecode') | ||||
| plugin_settings = plugin.get_settings() | ||||
| plugin_cache_active, cache_ttl = plugin.get_ttl_cache( | ||||
| plugin_settings) or (False, 0) | ||||
| return plugin_cache_active, cache_ttl | ||||
| r1 | def __call__(self, environ, start_response): | |||
| try: | ||||
| return self._handle_request(environ, start_response) | ||||
| except Exception: | ||||
| log.exception("Exception while handling request") | ||||
| appenlight.track_exception(environ) | ||||
| return HTTPInternalServerError()(environ, start_response) | ||||
| finally: | ||||
| meta.Session.remove() | ||||
| def _handle_request(self, environ, start_response): | ||||
| if not self._check_ssl(environ, start_response): | ||||
| reason = ('SSL required, while RhodeCode was unable ' | ||||
| 'to detect this as SSL request') | ||||
| log.debug('User not allowed to proceed, %s', reason) | ||||
| return HTTPNotAcceptable(reason)(environ, start_response) | ||||
|
Martin Bornhold
|
r898 | if not self.url_repo_name: | ||
| log.warning('Repository name is empty: %s', self.url_repo_name) | ||||
| r757 | # failed to get repo name, we fail now | |||
| return HTTPNotFound()(environ, start_response) | ||||
|
Martin Bornhold
|
r898 | log.debug('Extracted repo name is %s', self.url_repo_name) | ||
| r757 | ||||
| r1 | ip_addr = get_ip_addr(environ) | |||
| r1711 | user_agent = get_user_agent(environ) | |||
| r1 | username = None | |||
| # skip passing error to error controller | ||||
| environ['pylons.status_code_redirect'] = True | ||||
| # ====================================================================== | ||||
| # GET ACTION PULL or PUSH | ||||
| # ====================================================================== | ||||
| action = self._get_action(environ) | ||||
| # ====================================================================== | ||||
|
Martin Bornhold
|
r891 | # Check if this is a request to a shadow repository of a pull request. | ||
| # In this case only pull action is allowed. | ||||
| # ====================================================================== | ||||
|
Martin Bornhold
|
r899 | if self.is_shadow_repo and action != 'pull': | ||
|
Martin Bornhold
|
r891 | reason = 'Only pull action is allowed for shadow repositories.' | ||
| log.debug('User not allowed to proceed, %s', reason) | ||||
| return HTTPNotAcceptable(reason)(environ, start_response) | ||||
| r2069 | # Check if the shadow repo actually exists, in case someone refers | |||
| # to it, and it has been deleted because of successful merge. | ||||
| if self.is_shadow_repo and not self.is_shadow_repo_dir: | ||||
| r2593 | log.debug( | |||
| 'Shadow repo detected, and shadow repo dir `%s` is missing', | ||||
| self.is_shadow_repo_dir) | ||||
| r2069 | return HTTPNotFound()(environ, start_response) | |||
|
Martin Bornhold
|
r891 | # ====================================================================== | ||
| r1 | # CHECK ANONYMOUS PERMISSION | |||
| # ====================================================================== | ||||
| r2979 | detect_force_push = False | |||
| check_branch_perms = False | ||||
| r1 | if action in ['pull', 'push']: | |||
| r2979 | user_obj = anonymous_user = User.get_default_user() | |||
| auth_user = user_obj.AuthUser() | ||||
| r1 | username = anonymous_user.username | |||
| if anonymous_user.active: | ||||
| r2425 | plugin_cache_active, cache_ttl = self._get_default_cache_ttl() | |||
| r1 | # ONLY check permissions if the user is activated | |||
| anonymous_perm = self._check_permission( | ||||
| r2979 | action, anonymous_user, auth_user, self.acl_repo_name, ip_addr, | |||
| r2425 | plugin_id='anonymous_access', | |||
| r2593 | plugin_cache_active=plugin_cache_active, | |||
| cache_ttl=cache_ttl, | ||||
| r2425 | ) | |||
| r1 | else: | |||
| anonymous_perm = False | ||||
| if not anonymous_user.active or not anonymous_perm: | ||||
| if not anonymous_user.active: | ||||
| log.debug('Anonymous access is disabled, running ' | ||||
| 'authentication') | ||||
| if not anonymous_perm: | ||||
| r5065 | log.debug('Not enough credentials to access repo: `%s` ' | |||
| 'repository as anonymous user', self.acl_repo_name) | ||||
| r1 | ||||
| username = None | ||||
| # ============================================================== | ||||
| # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE | ||||
| # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS | ||||
| # ============================================================== | ||||
| # try to auth based on environ, container auth methods | ||||
| r5065 | log.debug('Running PRE-AUTH for container|headers based authentication') | |||
| # headers auth, by just reading special headers and bypass the auth with user/passwd | ||||
|
Martin Bornhold
|
r591 | pre_auth = authenticate( | ||
| r1510 | '', '', environ, VCS_TYPE, registry=self.registry, | |||
| acl_repo_name=self.acl_repo_name) | ||||
| r5065 | ||||
| r1 | if pre_auth and pre_auth.get('username'): | |||
| username = pre_auth['username'] | ||||
| r5065 | log.debug('PRE-AUTH got `%s` as username', username) | |||
| r2154 | if pre_auth: | |||
| log.debug('PRE-AUTH successful from %s', | ||||
| pre_auth.get('auth_data', {}).get('_plugin')) | ||||
| r1 | ||||
| # If not authenticated by the container, running basic auth | ||||
| r1510 | # before inject the calling repo_name for special scope checks | |||
| self.authenticate.acl_repo_name = self.acl_repo_name | ||||
| r2154 | ||||
| plugin_cache_active, cache_ttl = False, 0 | ||||
| plugin = None | ||||
| r5065 | ||||
| # regular auth chain | ||||
| r1 | if not username: | |||
| r2140 | self.authenticate.realm = self.authenticate.get_rc_realm() | |||
| r1 | ||||
| try: | ||||
| r2154 | auth_result = self.authenticate(environ) | |||
| r1 | except (UserCreationError, NotAllowedToCreateUserError) as e: | |||
| log.error(e) | ||||
| reason = safe_str(e) | ||||
| return HTTPNotAcceptable(reason)(environ, start_response) | ||||
| r2154 | if isinstance(auth_result, dict): | |||
| r1 | AUTH_TYPE.update(environ, 'basic') | |||
| r2154 | REMOTE_USER.update(environ, auth_result['username']) | |||
| username = auth_result['username'] | ||||
| plugin = auth_result.get('auth_data', {}).get('_plugin') | ||||
| log.info( | ||||
| 'MAIN-AUTH successful for user `%s` from %s plugin', | ||||
| username, plugin) | ||||
| plugin_cache_active, cache_ttl = auth_result.get( | ||||
| 'auth_data', {}).get('_ttl_cache') or (False, 0) | ||||
| r1 | else: | |||
| r3328 | return auth_result.wsgi_application(environ, start_response) | |||
| r2154 | ||||
| r1 | # ============================================================== | |||
| # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME | ||||
| # ============================================================== | ||||
| user = User.get_by_username(username) | ||||
| if not self.valid_and_active_user(user): | ||||
| return HTTPForbidden()(environ, start_response) | ||||
| username = user.username | ||||
| r2930 | user_id = user.user_id | |||
| r1 | ||||
| # check user attributes for password change flag | ||||
| user_obj = user | ||||
| r2979 | auth_user = user_obj.AuthUser() | |||
| r1 | if user_obj and user_obj.username != User.DEFAULT_USER and \ | |||
| user_obj.user_data.get('force_password_change'): | ||||
| reason = 'password change required' | ||||
| log.debug('User not allowed to authenticate, %s', reason) | ||||
| return HTTPNotAcceptable(reason)(environ, start_response) | ||||
| # check permissions for this repository | ||||
| r757 | perm = self._check_permission( | |||
| r2979 | action, user, auth_user, self.acl_repo_name, ip_addr, | |||
| r2154 | plugin, plugin_cache_active, cache_ttl) | |||
| r1 | if not perm: | |||
| return HTTPForbidden()(environ, start_response) | ||||
| r5065 | environ['rc_auth_user_id'] = str(user_id) | |||
| r1 | ||||
| r2979 | if action == 'push': | |||
| perms = auth_user.get_branch_permissions(self.acl_repo_name) | ||||
| if perms: | ||||
| check_branch_perms = True | ||||
| detect_force_push = True | ||||
| r1 | # extras are injected into UI object and later available | |||
| r2154 | # in hooks executed by RhodeCode | |||
| r1 | check_locking = _should_check_locking(environ.get('QUERY_STRING')) | |||
| r2979 | ||||
| r1 | extras = vcs_operation_context( | |||
|
Martin Bornhold
|
r898 | environ, repo_name=self.acl_repo_name, username=username, | ||
|
Martin Bornhold
|
r899 | action=action, scm=self.SCM, check_locking=check_locking, | ||
| r2979 | is_shadow_repo=self.is_shadow_repo, check_branch_perms=check_branch_perms, | |||
| detect_force_push=detect_force_push | ||||
|
Martin Bornhold
|
r899 | ) | ||
| r1 | ||||
| # ====================================================================== | ||||
| # REQUEST HANDLING | ||||
| # ====================================================================== | ||||
| r887 | repo_path = os.path.join( | |||
| r2351 | safe_str(self.base_path), safe_str(self.vcs_repo_name)) | |||
| r1 | log.debug('Repository path is %s', repo_path) | |||
| fix_PATH() | ||||
| log.info( | ||||
| r1711 | '%s action on %s repo "%s" by "%s" from %s %s', | |||
|
Martin Bornhold
|
r905 | action, self.SCM, safe_str(self.url_repo_name), | ||
| r1711 | safe_str(username), ip_addr, user_agent) | |||
|
Martin Bornhold
|
r600 | |||
| r1 | return self._generate_vcs_response( | |||
|
Martin Bornhold
|
r905 | environ, start_response, repo_path, extras, action) | ||
| r1 | ||||
| @initialize_generator | ||||
| def _generate_vcs_response( | ||||
|
Martin Bornhold
|
r905 | self, environ, start_response, repo_path, extras, action): | ||
| r1 | """ | |||
| Returns a generator for the response content. | ||||
| This method is implemented as a generator, so that it can trigger | ||||
| the cache validation after all content sent back to the client. It | ||||
| also handles the locking exceptions which will be triggered when | ||||
| the first chunk is produced by the underlying WSGI application. | ||||
| """ | ||||
| r2677 | txn_id = '' | |||
| if 'CONTENT_LENGTH' in environ and environ['REQUEST_METHOD'] == 'MERGE': | ||||
| # case for SVN, we want to re-use the callback daemon port | ||||
| # so we use the txn_id, for this we peek the body, and still save | ||||
| # it as wsgi.input | ||||
| data = environ['wsgi.input'].read() | ||||
| r4973 | environ['wsgi.input'] = io.StringIO(data) | |||
| r2677 | txn_id = extract_svn_txn_id(self.acl_repo_name, data) | |||
| r1 | ||||
| r2677 | callback_daemon, extras = self._prepare_callback_daemon( | |||
| extras, environ, action, txn_id=txn_id) | ||||
| log.debug('HOOKS extras is %s', extras) | ||||
| r3781 | http_scheme = self._get_http_scheme(environ) | |||
| config = self._create_config(extras, self.acl_repo_name, scheme=http_scheme) | ||||
| r2677 | app = self._create_wsgi_app(repo_path, self.url_repo_name, config) | |||
| with callback_daemon: | ||||
| app.rc_extras = extras | ||||
| r1 | ||||
| r2677 | try: | |||
| response = app(environ, start_response) | ||||
| finally: | ||||
| # This statement works together with the decorator | ||||
| # "initialize_generator" above. The decorator ensures that | ||||
| # we hit the first yield statement before the generator is | ||||
| # returned back to the WSGI server. This is needed to | ||||
| # ensure that the call to "app" above triggers the | ||||
| # needed callback to "start_response" before the | ||||
| # generator is actually used. | ||||
| yield "__init__" | ||||
| r1 | ||||
| r2677 | # iter content | |||
| for chunk in response: | ||||
| r1 | yield chunk | |||
| r2677 | ||||
| r669 | try: | |||
| r2677 | # invalidate cache on push | |||
| r669 | if action == 'push': | |||
|
Martin Bornhold
|
r905 | self._invalidate_cache(self.url_repo_name) | ||
| r669 | finally: | |||
| meta.Session.remove() | ||||
| r1 | ||||
| def _get_repository_name(self, environ): | ||||
| """Get repository name out of the environmnent | ||||
| :param environ: WSGI environment | ||||
| """ | ||||
| raise NotImplementedError() | ||||
| def _get_action(self, environ): | ||||
| """Map request commands into a pull or push command. | ||||
| :param environ: WSGI environment | ||||
| """ | ||||
| raise NotImplementedError() | ||||
| def _create_wsgi_app(self, repo_path, repo_name, config): | ||||
| """Return the WSGI app that will finally handle the request.""" | ||||
| raise NotImplementedError() | ||||
| r3781 | def _create_config(self, extras, repo_name, scheme='http'): | |||
| r1409 | """Create a safe config representation.""" | |||
| r1 | raise NotImplementedError() | |||
| r2677 | def _should_use_callback_daemon(self, extras, environ, action): | |||
| r3932 | if extras.get('is_shadow_repo'): | |||
| # we don't want to execute hooks, and callback daemon for shadow repos | ||||
| return False | ||||
| r2677 | return True | |||
| def _prepare_callback_daemon(self, extras, environ, action, txn_id=None): | ||||
| direct_calls = vcs_settings.HOOKS_DIRECT_CALLS | ||||
| if not self._should_use_callback_daemon(extras, environ, action): | ||||
| # disable callback daemon for actions that don't require it | ||||
| direct_calls = True | ||||
| r1 | return prepare_callback_daemon( | |||
|
Martin Bornhold
|
r590 | extras, protocol=vcs_settings.HOOKS_PROTOCOL, | ||
| r2833 | host=vcs_settings.HOOKS_HOST, use_direct_calls=direct_calls, txn_id=txn_id) | |||
| r1 | ||||
| def _should_check_locking(query_string): | ||||
| # this is kind of hacky, but due to how mercurial handles client-server | ||||
| # server see all operation on commit; bookmarks, phases and | ||||
| # obsolescence marker in different transaction, we don't want to check | ||||
| # locking on those | ||||
| return query_string not in ['cmd=listkeys'] | ||||
