simplegit.py
275 lines
| 10.6 KiB
| text/x-python
|
PythonLexer
| r903 | # -*- coding: utf-8 -*- | |||
| """ | ||||
| rhodecode.lib.middleware.simplegit | ||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
| SimpleGit middleware for handling git protocol request (push/clone etc.) | ||||
| It's implemented with basic auth function | ||||
| :created_on: Apr 28, 2010 | ||||
| :author: marcink | ||||
| :copyright: (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com> | ||||
| :license: GPLv3, see COPYING for more details. | ||||
| """ | ||||
| r620 | # This program is free software; you can redistribute it and/or | |||
| # modify it under the terms of the GNU General Public License | ||||
| # as published by the Free Software Foundation; version 2 | ||||
| # of the License or (at your opinion) any later version of the license. | ||||
| # | ||||
| # This program is distributed in the hope that it will be useful, | ||||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
| # GNU General Public License for more details. | ||||
| # | ||||
| # You should have received a copy of the GNU General Public License | ||||
| # along with this program; if not, write to the Free Software | ||||
| # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, | ||||
| # MA 02110-1301, USA. | ||||
| r635 | ||||
| r903 | import os | |||
| import logging | ||||
| import traceback | ||||
| r635 | ||||
| r625 | from dulwich import server as dulserver | |||
| class SimpleGitUploadPackHandler(dulserver.UploadPackHandler): | ||||
| def handle(self): | ||||
| write = lambda x: self.proto.write_sideband(1, x) | ||||
| graph_walker = dulserver.ProtocolGraphWalker(self, self.repo.object_store, | ||||
| self.repo.get_peeled) | ||||
| objects_iter = self.repo.fetch_objects( | ||||
| graph_walker.determine_wants, graph_walker, self.progress, | ||||
| get_tagged=self.get_tagged) | ||||
| # Do they want any objects? | ||||
| if len(objects_iter) == 0: | ||||
| return | ||||
| self.progress("counting objects: %d, done.\n" % len(objects_iter)) | ||||
| dulserver.write_pack_data(dulserver.ProtocolFile(None, write), objects_iter, | ||||
| len(objects_iter)) | ||||
| messages = [] | ||||
| messages.append('thank you for using rhodecode') | ||||
| for msg in messages: | ||||
| self.progress(msg + "\n") | ||||
| # we are done | ||||
| self.proto.write("0000") | ||||
| dulserver.DEFAULT_HANDLERS = { | ||||
| 'git-upload-pack': SimpleGitUploadPackHandler, | ||||
| 'git-receive-pack': dulserver.ReceivePackHandler, | ||||
| } | ||||
| r620 | from dulwich.repo import Repo | |||
| from dulwich.web import HTTPGitApplication | ||||
| r903 | ||||
| r620 | from paste.auth.basic import AuthBasicAuthenticator | |||
| from paste.httpheaders import REMOTE_USER, AUTH_TYPE | ||||
| r903 | ||||
| r635 | from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware | |||
| r756 | from rhodecode.lib.utils import invalidate_cache, check_repo_fast | |||
| r635 | from rhodecode.model.user import UserModel | |||
| r903 | ||||
| r620 | from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError | |||
| log = logging.getLogger(__name__) | ||||
| r756 | def is_git(environ): | |||
| r918 | """Returns True if request's target is git server. | |||
| ``HTTP_USER_AGENT`` would then have git client version given. | ||||
| r756 | ||||
| :param environ: | ||||
| """ | ||||
| http_user_agent = environ.get('HTTP_USER_AGENT') | ||||
| if http_user_agent and http_user_agent.startswith('git'): | ||||
| return True | ||||
| return False | ||||
| r620 | class SimpleGit(object): | |||
| def __init__(self, application, config): | ||||
| self.application = application | ||||
| self.config = config | ||||
| r625 | #authenticate this git request using | |||
| r620 | self.authenticate = AuthBasicAuthenticator('', authfunc) | |||
| r655 | self.ipaddr = '0.0.0.0' | |||
| self.repository = None | ||||
| self.username = None | ||||
| self.action = None | ||||
| r665 | ||||
| r620 | def __call__(self, environ, start_response): | |||
| if not is_git(environ): | ||||
| return self.application(environ, start_response) | ||||
| r665 | ||||
| r655 | proxy_key = 'HTTP_X_REAL_IP' | |||
| def_key = 'REMOTE_ADDR' | ||||
| self.ipaddr = environ.get(proxy_key, environ.get(def_key, '0.0.0.0')) | ||||
| r898 | # skip passing error to error controller | |||
| environ['pylons.status_code_redirect'] = True | ||||
| r665 | ||||
| r918 | #====================================================================== | |||
| # GET ACTION PULL or PUSH | ||||
| #====================================================================== | ||||
| self.action = self.__get_action(environ) | ||||
| r620 | try: | |||
| r918 | #================================================================== | |||
| # GET REPOSITORY NAME | ||||
| #================================================================== | ||||
| self.repo_name = self.__get_repository(environ) | ||||
| r620 | except: | |||
| return HTTPInternalServerError()(environ, start_response) | ||||
| r918 | #====================================================================== | |||
| # CHECK ANONYMOUS PERMISSION | ||||
| #====================================================================== | ||||
| if self.action in ['pull', 'push'] or self.action: | ||||
| anonymous_user = self.__get_user('default') | ||||
| self.username = anonymous_user.username | ||||
| anonymous_perm = self.__check_permission(self.action, anonymous_user , | ||||
| self.repo_name) | ||||
| if anonymous_perm is not True or anonymous_user.active is False: | ||||
| if anonymous_perm is not True: | ||||
| log.debug('Not enough credentials to access this repository' | ||||
| 'as anonymous user') | ||||
| if anonymous_user.active is False: | ||||
| log.debug('Anonymous access is disabled, running ' | ||||
| 'authentication') | ||||
| #============================================================== | ||||
| # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE | ||||
| # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS | ||||
| #============================================================== | ||||
| r620 | ||||
| r918 | if not REMOTE_USER(environ): | |||
| self.authenticate.realm = str(self.config['rhodecode_realm']) | ||||
| result = self.authenticate(environ) | ||||
| if isinstance(result, str): | ||||
| AUTH_TYPE.update(environ, 'basic') | ||||
| REMOTE_USER.update(environ, result) | ||||
| else: | ||||
| return result.wsgi_application(environ, start_response) | ||||
| #============================================================== | ||||
| # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME FROM | ||||
| # BASIC AUTH | ||||
| #============================================================== | ||||
| r620 | ||||
| r918 | if self.action in ['pull', 'push'] or self.action: | |||
| r989 | username = REMOTE_USER(environ) | |||
| r918 | try: | |||
| user = self.__get_user(username) | ||||
| self.username = user.username | ||||
| except: | ||||
| log.error(traceback.format_exc()) | ||||
| return HTTPInternalServerError()(environ, start_response) | ||||
| #check permissions for this repository | ||||
| perm = self.__check_permission(self.action, user, self.repo_name) | ||||
| if perm is not True: | ||||
| print 'not allowed' | ||||
| return HTTPForbidden()(environ, start_response) | ||||
| r620 | ||||
| r655 | self.extras = {'ip':self.ipaddr, | |||
| 'username':self.username, | ||||
| 'action':self.action, | ||||
| r918 | 'repository':self.repo_name} | |||
| r620 | ||||
| #=================================================================== | ||||
| # GIT REQUEST HANDLING | ||||
| #=================================================================== | ||||
| self.basepath = self.config['base_path'] | ||||
| self.repo_path = os.path.join(self.basepath, self.repo_name) | ||||
| #quick check if that dir exists... | ||||
| if check_repo_fast(self.repo_name, self.basepath): | ||||
| return HTTPNotFound()(environ, start_response) | ||||
| try: | ||||
| app = self.__make_app() | ||||
| r643 | except: | |||
| r620 | log.error(traceback.format_exc()) | |||
| return HTTPInternalServerError()(environ, start_response) | ||||
| #invalidate cache on push | ||||
| r655 | if self.action == 'push': | |||
| r620 | self.__invalidate_cache(self.repo_name) | |||
| messages = [] | ||||
| messages.append('thank you for using rhodecode') | ||||
| return app(environ, start_response) | ||||
| else: | ||||
| return app(environ, start_response) | ||||
| def __make_app(self): | ||||
| r625 | backend = dulserver.DictBackend({'/' + self.repo_name: Repo(self.repo_path)}) | |||
| r620 | gitserve = HTTPGitApplication(backend) | |||
| return gitserve | ||||
| r918 | def __check_permission(self, action, user, repo_name): | |||
| """Checks permissions using action (push/pull) user and repository | ||||
| name | ||||
| :param action: push or pull action | ||||
| :param user: user instance | ||||
| :param repo_name: repository name | ||||
| """ | ||||
| if action == 'push': | ||||
| if not HasPermissionAnyMiddleware('repository.write', | ||||
| 'repository.admin')\ | ||||
| (user, repo_name): | ||||
| return False | ||||
| else: | ||||
| #any other action need at least read permission | ||||
| if not HasPermissionAnyMiddleware('repository.read', | ||||
| 'repository.write', | ||||
| 'repository.admin')\ | ||||
| (user, repo_name): | ||||
| return False | ||||
| return True | ||||
| def __get_repository(self, environ): | ||||
| """Get's repository name out of PATH_INFO header | ||||
| :param environ: environ where PATH_INFO is stored | ||||
| """ | ||||
| try: | ||||
| repo_name = '/'.join(environ['PATH_INFO'].split('/')[1:]) | ||||
| if repo_name.endswith('/'): | ||||
| repo_name = repo_name.rstrip('/') | ||||
| except: | ||||
| log.error(traceback.format_exc()) | ||||
| raise | ||||
| repo_name = repo_name.split('/')[0] | ||||
| return repo_name | ||||
| r620 | ||||
| def __get_user(self, username): | ||||
| r635 | return UserModel().get_by_username(username, cache=True) | |||
| r620 | ||||
| def __get_action(self, environ): | ||||
| r903 | """Maps git request commands into a pull or push command. | |||
| r620 | :param environ: | |||
| """ | ||||
| service = environ['QUERY_STRING'].split('=') | ||||
| if len(service) > 1: | ||||
| service_cmd = service[1] | ||||
| r625 | mapping = {'git-receive-pack': 'push', | |||
| 'git-upload-pack': 'pull', | ||||
| r620 | } | |||
| r625 | return mapping.get(service_cmd, service_cmd if service_cmd else 'other') | |||
| else: | ||||
| return 'other' | ||||
| r620 | ||||
| def __invalidate_cache(self, repo_name): | ||||
| """we know that some change was made to repositories and we should | ||||
| invalidate the cache to see the changes right away but only for | ||||
| push requests""" | ||||
| r665 | invalidate_cache('get_repo_cached_%s' % repo_name) | |||
