simplegit.py
291 lines
| 11.1 KiB
| text/x-python
|
PythonLexer
r903 | # -*- coding: utf-8 -*- | |||
""" | ||||
rhodecode.lib.middleware.simplegit | ||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
SimpleGit middleware for handling git protocol request (push/clone etc.) | ||||
r1203 | It's implemented with basic auth function | |||
r903 | :created_on: Apr 28, 2010 | |||
:author: marcink | ||||
r1203 | :copyright: (C) 2009-2010 Marcin Kuzminski <marcin@python-works.com> | |||
r903 | :license: GPLv3, see COPYING for more details. | |||
""" | ||||
r1206 | # This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | ||||
# the Free Software Foundation, either version 3 of the License, or | ||||
# (at your option) any later version. | ||||
r1203 | # | |||
r620 | # This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||||
# GNU General Public License for more details. | ||||
r1203 | # | |||
r620 | # You should have received a copy of the GNU General Public License | |||
r1206 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
r635 | ||||
r903 | import os | |||
import logging | ||||
import traceback | ||||
r635 | ||||
r625 | from dulwich import server as dulserver | |||
r1275 | ||||
r625 | class SimpleGitUploadPackHandler(dulserver.UploadPackHandler): | |||
def handle(self): | ||||
write = lambda x: self.proto.write_sideband(1, x) | ||||
r1275 | graph_walker = dulserver.ProtocolGraphWalker(self, | |||
self.repo.object_store, | ||||
self.repo.get_peeled) | ||||
r625 | objects_iter = self.repo.fetch_objects( | |||
graph_walker.determine_wants, graph_walker, self.progress, | ||||
get_tagged=self.get_tagged) | ||||
# Do they want any objects? | ||||
r1496 | if objects_iter is None or len(objects_iter) == 0: | |||
r625 | return | |||
self.progress("counting objects: %d, done.\n" % len(objects_iter)) | ||||
r1496 | dulserver.write_pack_objects(dulserver.ProtocolFile(None, write), | |||
r1275 | objects_iter, len(objects_iter)) | |||
r625 | messages = [] | |||
messages.append('thank you for using rhodecode') | ||||
for msg in messages: | ||||
self.progress(msg + "\n") | ||||
# we are done | ||||
self.proto.write("0000") | ||||
dulserver.DEFAULT_HANDLERS = { | ||||
'git-upload-pack': SimpleGitUploadPackHandler, | ||||
'git-receive-pack': dulserver.ReceivePackHandler, | ||||
} | ||||
r620 | from dulwich.repo import Repo | |||
from dulwich.web import HTTPGitApplication | ||||
r903 | ||||
r620 | from paste.auth.basic import AuthBasicAuthenticator | |||
from paste.httpheaders import REMOTE_USER, AUTH_TYPE | ||||
r903 | ||||
r1401 | from rhodecode.lib import safe_str | |||
Liad Shani
|
r1619 | from rhodecode.lib.auth import authfunc, HasPermissionAnyMiddleware, get_container_username | ||
r1507 | from rhodecode.lib.utils import invalidate_cache, is_valid_repo | |||
r1497 | from rhodecode.model.db import User | |||
r903 | ||||
r620 | from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError | |||
log = logging.getLogger(__name__) | ||||
r1275 | ||||
r756 | def is_git(environ): | |||
r1203 | """Returns True if request's target is git server. | |||
r918 | ``HTTP_USER_AGENT`` would then have git client version given. | |||
r1203 | ||||
r756 | :param environ: | |||
""" | ||||
http_user_agent = environ.get('HTTP_USER_AGENT') | ||||
if http_user_agent and http_user_agent.startswith('git'): | ||||
return True | ||||
return False | ||||
r1275 | ||||
r620 | class SimpleGit(object): | |||
def __init__(self, application, config): | ||||
self.application = application | ||||
self.config = config | ||||
r1496 | # base path of repo locations | |||
self.basepath = self.config['base_path'] | ||||
#authenticate this mercurial request using authfunc | ||||
r620 | self.authenticate = AuthBasicAuthenticator('', authfunc) | |||
r665 | ||||
r620 | def __call__(self, environ, start_response): | |||
if not is_git(environ): | ||||
return self.application(environ, start_response) | ||||
r665 | ||||
r655 | proxy_key = 'HTTP_X_REAL_IP' | |||
def_key = 'REMOTE_ADDR' | ||||
r1496 | ipaddr = environ.get(proxy_key, environ.get(def_key, '0.0.0.0')) | |||
username = None | ||||
r898 | # skip passing error to error controller | |||
environ['pylons.status_code_redirect'] = True | ||||
r665 | ||||
r918 | #====================================================================== | |||
r1496 | # EXTRACT REPOSITORY NAME FROM ENV | |||
#====================================================================== | ||||
try: | ||||
repo_name = self.__get_repository(environ) | ||||
log.debug('Extracted repo name is %s' % repo_name) | ||||
except: | ||||
return HTTPInternalServerError()(environ, start_response) | ||||
#====================================================================== | ||||
r918 | # GET ACTION PULL or PUSH | |||
#====================================================================== | ||||
r1496 | action = self.__get_action(environ) | |||
r620 | ||||
r918 | #====================================================================== | |||
# CHECK ANONYMOUS PERMISSION | ||||
#====================================================================== | ||||
r1496 | if action in ['pull', 'push']: | |||
r918 | anonymous_user = self.__get_user('default') | |||
r1496 | username = anonymous_user.username | |||
anonymous_perm = self.__check_permission(action, | ||||
r1275 | anonymous_user, | |||
r1496 | repo_name) | |||
r918 | ||||
if anonymous_perm is not True or anonymous_user.active is False: | ||||
if anonymous_perm is not True: | ||||
r1275 | log.debug('Not enough credentials to access this ' | |||
'repository as anonymous user') | ||||
r918 | if anonymous_user.active is False: | |||
log.debug('Anonymous access is disabled, running ' | ||||
'authentication') | ||||
#============================================================== | ||||
r1203 | # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE | |||
r918 | # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS | |||
#============================================================== | ||||
r620 | ||||
Liad Shani
|
r1619 | if not get_container_username(environ, self.config): | ||
r1401 | self.authenticate.realm = \ | |||
safe_str(self.config['rhodecode_realm']) | ||||
r918 | result = self.authenticate(environ) | |||
if isinstance(result, str): | ||||
AUTH_TYPE.update(environ, 'basic') | ||||
REMOTE_USER.update(environ, result) | ||||
else: | ||||
return result.wsgi_application(environ, start_response) | ||||
#============================================================== | ||||
# CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME FROM | ||||
# BASIC AUTH | ||||
#============================================================== | ||||
r620 | ||||
r1496 | if action in ['pull', 'push']: | |||
Liad Shani
|
r1619 | username = get_container_username(environ, self.config) | ||
r918 | try: | |||
user = self.__get_user(username) | ||||
Liad Shani
|
r1620 | if user is None or not user.active: | ||
r1595 | return HTTPForbidden()(environ, start_response) | |||
r1496 | username = user.username | |||
r918 | except: | |||
log.error(traceback.format_exc()) | ||||
r1275 | return HTTPInternalServerError()(environ, | |||
start_response) | ||||
r918 | ||||
#check permissions for this repository | ||||
r1496 | perm = self.__check_permission(action, user, | |||
repo_name) | ||||
r918 | if perm is not True: | |||
return HTTPForbidden()(environ, start_response) | ||||
r620 | ||||
r1496 | extras = {'ip': ipaddr, | |||
'username': username, | ||||
'action': action, | ||||
'repository': repo_name} | ||||
r620 | ||||
#=================================================================== | ||||
# GIT REQUEST HANDLING | ||||
#=================================================================== | ||||
r1496 | ||||
repo_path = safe_str(os.path.join(self.basepath, repo_name)) | ||||
log.debug('Repository path is %s' % repo_path) | ||||
# quick check if that dir exists... | ||||
r1507 | if is_valid_repo(repo_name, self.basepath) is False: | |||
r620 | return HTTPNotFound()(environ, start_response) | |||
r1496 | ||||
r620 | try: | |||
r1496 | #invalidate cache on push | |||
if action == 'push': | ||||
self.__invalidate_cache(repo_name) | ||||
app = self.__make_app(repo_name, repo_path) | ||||
return app(environ, start_response) | ||||
except Exception: | ||||
r620 | log.error(traceback.format_exc()) | |||
return HTTPInternalServerError()(environ, start_response) | ||||
r1496 | def __make_app(self, repo_name, repo_path): | |||
""" | ||||
Make an wsgi application using dulserver | ||||
:param repo_name: name of the repository | ||||
:param repo_path: full path to the repository | ||||
""" | ||||
r1283 | ||||
r1496 | _d = {'/' + repo_name: Repo(repo_path)} | |||
r1275 | backend = dulserver.DictBackend(_d) | |||
r620 | gitserve = HTTPGitApplication(backend) | |||
return gitserve | ||||
r918 | def __check_permission(self, action, user, repo_name): | |||
r1496 | """ | |||
Checks permissions using action (push/pull) user and repository | ||||
r918 | name | |||
r1203 | ||||
r918 | :param action: push or pull action | |||
:param user: user instance | ||||
:param repo_name: repository name | ||||
""" | ||||
if action == 'push': | ||||
if not HasPermissionAnyMiddleware('repository.write', | ||||
r1275 | 'repository.admin')(user, | |||
repo_name): | ||||
r918 | return False | |||
else: | ||||
#any other action need at least read permission | ||||
if not HasPermissionAnyMiddleware('repository.read', | ||||
'repository.write', | ||||
r1275 | 'repository.admin')(user, | |||
repo_name): | ||||
r918 | return False | |||
return True | ||||
def __get_repository(self, environ): | ||||
r1496 | """ | |||
Get's repository name out of PATH_INFO header | ||||
r1203 | ||||
r918 | :param environ: environ where PATH_INFO is stored | |||
""" | ||||
try: | ||||
repo_name = '/'.join(environ['PATH_INFO'].split('/')[1:]) | ||||
if repo_name.endswith('/'): | ||||
repo_name = repo_name.rstrip('/') | ||||
except: | ||||
log.error(traceback.format_exc()) | ||||
raise | ||||
repo_name = repo_name.split('/')[0] | ||||
return repo_name | ||||
r620 | def __get_user(self, username): | |||
r1530 | return User.get_by_username(username) | |||
r620 | ||||
def __get_action(self, environ): | ||||
r903 | """Maps git request commands into a pull or push command. | |||
r1203 | ||||
r620 | :param environ: | |||
""" | ||||
service = environ['QUERY_STRING'].split('=') | ||||
if len(service) > 1: | ||||
service_cmd = service[1] | ||||
r625 | mapping = {'git-receive-pack': 'push', | |||
'git-upload-pack': 'pull', | ||||
r620 | } | |||
r1275 | return mapping.get(service_cmd, | |||
service_cmd if service_cmd else 'other') | ||||
r625 | else: | |||
return 'other' | ||||
r620 | ||||
def __invalidate_cache(self, repo_name): | ||||
"""we know that some change was made to repositories and we should | ||||
invalidate the cache to see the changes right away but only for | ||||
push requests""" | ||||
r665 | invalidate_cache('get_repo_cached_%s' % repo_name) | |||
r1496 | ||||