wireprotov2server.py
535 lines
| 18.7 KiB
| text/x-python
|
PythonLexer
/ mercurial / wireprotov2server.py
Gregory Szorc
|
r37563 | # Copyright 21 May 2005 - (c) 2005 Jake Edge <jake@edge2.net> | ||
# Copyright 2005-2007 Matt Mackall <mpm@selenic.com> | ||||
# | ||||
# This software may be used and distributed according to the terms of the | ||||
# GNU General Public License version 2 or any later version. | ||||
from __future__ import absolute_import | ||||
import contextlib | ||||
from .i18n import _ | ||||
from . import ( | ||||
Gregory Szorc
|
r37564 | encoding, | ||
Gregory Szorc
|
r37563 | error, | ||
pycompat, | ||||
Gregory Szorc
|
r37675 | streamclone, | ||
Gregory Szorc
|
r37564 | util, | ||
Gregory Szorc
|
r37563 | wireprotoframing, | ||
wireprototypes, | ||||
) | ||||
Gregory Szorc
|
r37828 | from .utils import ( | ||
Gregory Szorc
|
r39479 | cborutil, | ||
Gregory Szorc
|
r37828 | interfaceutil, | ||
) | ||||
Gregory Szorc
|
r37563 | |||
Gregory Szorc
|
r37743 | FRAMINGTYPE = b'application/mercurial-exp-framing-0005' | ||
Gregory Szorc
|
r37563 | |||
Gregory Szorc
|
r37662 | HTTP_WIREPROTO_V2 = wireprototypes.HTTP_WIREPROTO_V2 | ||
Gregory Szorc
|
r37563 | |||
Gregory Szorc
|
r37802 | COMMANDS = wireprototypes.commanddict() | ||
Gregory Szorc
|
r37563 | def handlehttpv2request(rctx, req, res, checkperm, urlparts): | ||
from .hgweb import common as hgwebcommon | ||||
# URL space looks like: <permissions>/<command>, where <permission> can | ||||
# be ``ro`` or ``rw`` to signal read-only or read-write, respectively. | ||||
# Root URL does nothing meaningful... yet. | ||||
if not urlparts: | ||||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('HTTP version 2 API handler')) | ||||
return | ||||
if len(urlparts) == 1: | ||||
res.status = b'404 Not Found' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('do not know how to process %s\n') % | ||||
req.dispatchpath) | ||||
return | ||||
permission, command = urlparts[0:2] | ||||
if permission not in (b'ro', b'rw'): | ||||
res.status = b'404 Not Found' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('unknown permission: %s') % permission) | ||||
return | ||||
if req.method != 'POST': | ||||
res.status = b'405 Method Not Allowed' | ||||
res.headers[b'Allow'] = b'POST' | ||||
res.setbodybytes(_('commands require POST requests')) | ||||
return | ||||
# At some point we'll want to use our own API instead of recycling the | ||||
# behavior of version 1 of the wire protocol... | ||||
# TODO return reasonable responses - not responses that overload the | ||||
# HTTP status line message for error reporting. | ||||
try: | ||||
checkperm(rctx, req, 'pull' if permission == b'ro' else 'push') | ||||
except hgwebcommon.ErrorResponse as e: | ||||
res.status = hgwebcommon.statusmessage(e.code, pycompat.bytestr(e)) | ||||
for k, v in e.headers: | ||||
res.headers[k] = v | ||||
res.setbodybytes('permission denied') | ||||
return | ||||
# We have a special endpoint to reflect the request back at the client. | ||||
if command == b'debugreflect': | ||||
_processhttpv2reflectrequest(rctx.repo.ui, rctx.repo, req, res) | ||||
return | ||||
# Extra commands that we handle that aren't really wire protocol | ||||
# commands. Think extra hard before making this hackery available to | ||||
# extension. | ||||
extracommands = {'multirequest'} | ||||
Gregory Szorc
|
r37802 | if command not in COMMANDS and command not in extracommands: | ||
Gregory Szorc
|
r37563 | res.status = b'404 Not Found' | ||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('unknown wire protocol command: %s\n') % command) | ||||
return | ||||
repo = rctx.repo | ||||
ui = repo.ui | ||||
proto = httpv2protocolhandler(req, ui) | ||||
Gregory Szorc
|
r37802 | if (not COMMANDS.commandavailable(command, proto) | ||
Gregory Szorc
|
r37563 | and command not in extracommands): | ||
res.status = b'404 Not Found' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('invalid wire protocol command: %s') % command) | ||||
return | ||||
# TODO consider cases where proxies may add additional Accept headers. | ||||
if req.headers.get(b'Accept') != FRAMINGTYPE: | ||||
res.status = b'406 Not Acceptable' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('client MUST specify Accept header with value: %s\n') | ||||
% FRAMINGTYPE) | ||||
return | ||||
if req.headers.get(b'Content-Type') != FRAMINGTYPE: | ||||
res.status = b'415 Unsupported Media Type' | ||||
# TODO we should send a response with appropriate media type, | ||||
# since client does Accept it. | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('client MUST send Content-Type header with ' | ||||
'value: %s\n') % FRAMINGTYPE) | ||||
return | ||||
_processhttpv2request(ui, repo, req, res, permission, command, proto) | ||||
def _processhttpv2reflectrequest(ui, repo, req, res): | ||||
"""Reads unified frame protocol request and dumps out state to client. | ||||
This special endpoint can be used to help debug the wire protocol. | ||||
Instead of routing the request through the normal dispatch mechanism, | ||||
we instead read all frames, decode them, and feed them into our state | ||||
tracker. We then dump the log of all that activity back out to the | ||||
client. | ||||
""" | ||||
import json | ||||
# Reflection APIs have a history of being abused, accidentally disclosing | ||||
# sensitive data, etc. So we have a config knob. | ||||
if not ui.configbool('experimental', 'web.api.debugreflect'): | ||||
res.status = b'404 Not Found' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('debugreflect service not available')) | ||||
return | ||||
# We assume we have a unified framing protocol request body. | ||||
reactor = wireprotoframing.serverreactor() | ||||
states = [] | ||||
while True: | ||||
frame = wireprotoframing.readframe(req.bodyfh) | ||||
if not frame: | ||||
states.append(b'received: <no frame>') | ||||
break | ||||
states.append(b'received: %d %d %d %s' % (frame.typeid, frame.flags, | ||||
frame.requestid, | ||||
frame.payload)) | ||||
action, meta = reactor.onframerecv(frame) | ||||
states.append(json.dumps((action, meta), sort_keys=True, | ||||
separators=(', ', ': '))) | ||||
action, meta = reactor.oninputeof() | ||||
meta['action'] = action | ||||
states.append(json.dumps(meta, sort_keys=True, separators=(', ',': '))) | ||||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(b'\n'.join(states)) | ||||
def _processhttpv2request(ui, repo, req, res, authedperm, reqcommand, proto): | ||||
"""Post-validation handler for HTTPv2 requests. | ||||
Called when the HTTP request contains unified frame-based protocol | ||||
frames for evaluation. | ||||
""" | ||||
# TODO Some HTTP clients are full duplex and can receive data before | ||||
# the entire request is transmitted. Figure out a way to indicate support | ||||
# for that so we can opt into full duplex mode. | ||||
reactor = wireprotoframing.serverreactor(deferoutput=True) | ||||
seencommand = False | ||||
outstream = reactor.makeoutputstream() | ||||
while True: | ||||
frame = wireprotoframing.readframe(req.bodyfh) | ||||
if not frame: | ||||
break | ||||
action, meta = reactor.onframerecv(frame) | ||||
if action == 'wantframe': | ||||
# Need more data before we can do anything. | ||||
continue | ||||
elif action == 'runcommand': | ||||
sentoutput = _httpv2runcommand(ui, repo, req, res, authedperm, | ||||
reqcommand, reactor, outstream, | ||||
meta, issubsequent=seencommand) | ||||
if sentoutput: | ||||
return | ||||
seencommand = True | ||||
elif action == 'error': | ||||
# TODO define proper error mechanism. | ||||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(meta['message'] + b'\n') | ||||
return | ||||
else: | ||||
raise error.ProgrammingError( | ||||
'unhandled action from frame processor: %s' % action) | ||||
action, meta = reactor.oninputeof() | ||||
if action == 'sendframes': | ||||
# We assume we haven't started sending the response yet. If we're | ||||
# wrong, the response type will raise an exception. | ||||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = FRAMINGTYPE | ||||
res.setbodygen(meta['framegen']) | ||||
elif action == 'noop': | ||||
pass | ||||
else: | ||||
raise error.ProgrammingError('unhandled action from frame processor: %s' | ||||
% action) | ||||
def _httpv2runcommand(ui, repo, req, res, authedperm, reqcommand, reactor, | ||||
outstream, command, issubsequent): | ||||
"""Dispatch a wire protocol command made from HTTPv2 requests. | ||||
The authenticated permission (``authedperm``) along with the original | ||||
command from the URL (``reqcommand``) are passed in. | ||||
""" | ||||
# We already validated that the session has permissions to perform the | ||||
# actions in ``authedperm``. In the unified frame protocol, the canonical | ||||
# command to run is expressed in a frame. However, the URL also requested | ||||
# to run a specific command. We need to be careful that the command we | ||||
# run doesn't have permissions requirements greater than what was granted | ||||
# by ``authedperm``. | ||||
# | ||||
# Our rule for this is we only allow one command per HTTP request and | ||||
# that command must match the command in the URL. However, we make | ||||
# an exception for the ``multirequest`` URL. This URL is allowed to | ||||
# execute multiple commands. We double check permissions of each command | ||||
# as it is invoked to ensure there is no privilege escalation. | ||||
# TODO consider allowing multiple commands to regular command URLs | ||||
# iff each command is the same. | ||||
proto = httpv2protocolhandler(req, ui, args=command['args']) | ||||
if reqcommand == b'multirequest': | ||||
Gregory Szorc
|
r37802 | if not COMMANDS.commandavailable(command['command'], proto): | ||
Gregory Szorc
|
r37563 | # TODO proper error mechanism | ||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('wire protocol command not available: %s') % | ||||
command['command']) | ||||
return True | ||||
# TODO don't use assert here, since it may be elided by -O. | ||||
assert authedperm in (b'ro', b'rw') | ||||
Gregory Szorc
|
r37802 | wirecommand = COMMANDS[command['command']] | ||
Gregory Szorc
|
r37563 | assert wirecommand.permission in ('push', 'pull') | ||
if authedperm == b'ro' and wirecommand.permission != 'pull': | ||||
# TODO proper error mechanism | ||||
res.status = b'403 Forbidden' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('insufficient permissions to execute ' | ||||
'command: %s') % command['command']) | ||||
return True | ||||
# TODO should we also call checkperm() here? Maybe not if we're going | ||||
# to overhaul that API. The granted scope from the URL check should | ||||
# be good enough. | ||||
else: | ||||
# Don't allow multiple commands outside of ``multirequest`` URL. | ||||
if issubsequent: | ||||
# TODO proper error mechanism | ||||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('multiple commands cannot be issued to this ' | ||||
'URL')) | ||||
return True | ||||
if reqcommand != command['command']: | ||||
# TODO define proper error mechanism | ||||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = b'text/plain' | ||||
res.setbodybytes(_('command in frame must match command in URL')) | ||||
return True | ||||
Gregory Szorc
|
r37800 | rsp = dispatch(repo, proto, command['command']) | ||
Gregory Szorc
|
r37563 | |||
res.status = b'200 OK' | ||||
res.headers[b'Content-Type'] = FRAMINGTYPE | ||||
Gregory Szorc
|
r39479 | # TODO consider adding a type to represent an iterable of values to | ||
# be CBOR encoded. | ||||
Gregory Szorc
|
r37745 | if isinstance(rsp, wireprototypes.cborresponse): | ||
Gregory Szorc
|
r39479 | # TODO consider calling oncommandresponsereadygen(). | ||
encoded = b''.join(cborutil.streamencode(rsp.value)) | ||||
Gregory Szorc
|
r37742 | action, meta = reactor.oncommandresponseready(outstream, | ||
command['requestid'], | ||||
encoded) | ||||
Gregory Szorc
|
r37746 | elif isinstance(rsp, wireprototypes.v2streamingresponse): | ||
action, meta = reactor.oncommandresponsereadygen(outstream, | ||||
command['requestid'], | ||||
rsp.gen) | ||||
elif isinstance(rsp, wireprototypes.v2errorresponse): | ||||
action, meta = reactor.oncommanderror(outstream, | ||||
command['requestid'], | ||||
rsp.message, | ||||
rsp.args) | ||||
Gregory Szorc
|
r37563 | else: | ||
Gregory Szorc
|
r37744 | action, meta = reactor.onservererror( | ||
Gregory Szorc
|
r37563 | _('unhandled response type from wire proto command')) | ||
if action == 'sendframes': | ||||
res.setbodygen(meta['framegen']) | ||||
return True | ||||
elif action == 'noop': | ||||
return False | ||||
else: | ||||
raise error.ProgrammingError('unhandled event from reactor: %s' % | ||||
action) | ||||
Gregory Szorc
|
r37800 | def getdispatchrepo(repo, proto, command): | ||
return repo.filtered('served') | ||||
def dispatch(repo, proto, command): | ||||
repo = getdispatchrepo(repo, proto, command) | ||||
Gregory Szorc
|
r37802 | func, spec = COMMANDS[command] | ||
Gregory Szorc
|
r37800 | args = proto.getargs(spec) | ||
return func(repo, proto, **args) | ||||
Gregory Szorc
|
r37828 | @interfaceutil.implementer(wireprototypes.baseprotocolhandler) | ||
Gregory Szorc
|
r37563 | class httpv2protocolhandler(object): | ||
def __init__(self, req, ui, args=None): | ||||
self._req = req | ||||
self._ui = ui | ||||
self._args = args | ||||
@property | ||||
def name(self): | ||||
Gregory Szorc
|
r37662 | return HTTP_WIREPROTO_V2 | ||
Gregory Szorc
|
r37563 | |||
def getargs(self, args): | ||||
data = {} | ||||
for k, typ in args.items(): | ||||
if k == '*': | ||||
raise NotImplementedError('do not support * args') | ||||
elif k in self._args: | ||||
# TODO consider validating value types. | ||||
data[k] = self._args[k] | ||||
return data | ||||
def getprotocaps(self): | ||||
# Protocol capabilities are currently not implemented for HTTP V2. | ||||
return set() | ||||
def getpayload(self): | ||||
raise NotImplementedError | ||||
@contextlib.contextmanager | ||||
def mayberedirectstdio(self): | ||||
raise NotImplementedError | ||||
def client(self): | ||||
raise NotImplementedError | ||||
def addcapabilities(self, repo, caps): | ||||
return caps | ||||
def checkperm(self, perm): | ||||
raise NotImplementedError | ||||
Gregory Szorc
|
r37564 | |||
Gregory Szorc
|
r37575 | def httpv2apidescriptor(req, repo): | ||
proto = httpv2protocolhandler(req, repo.ui) | ||||
return _capabilitiesv2(repo, proto) | ||||
Gregory Szorc
|
r37564 | def _capabilitiesv2(repo, proto): | ||
"""Obtain the set of capabilities for version 2 transports. | ||||
These capabilities are distinct from the capabilities for version 1 | ||||
transports. | ||||
""" | ||||
compression = [] | ||||
Gregory Szorc
|
r37801 | for engine in wireprototypes.supportedcompengines(repo.ui, util.SERVERROLE): | ||
Gregory Szorc
|
r37564 | compression.append({ | ||
b'name': engine.wireprotosupport().name, | ||||
}) | ||||
caps = { | ||||
'commands': {}, | ||||
'compression': compression, | ||||
Gregory Szorc
|
r37671 | 'framingmediatypes': [FRAMINGTYPE], | ||
Gregory Szorc
|
r37564 | } | ||
Gregory Szorc
|
r37802 | for command, entry in COMMANDS.items(): | ||
Gregory Szorc
|
r37564 | caps['commands'][command] = { | ||
'args': entry.args, | ||||
'permissions': [entry.permission], | ||||
} | ||||
Gregory Szorc
|
r37675 | if streamclone.allowservergeneration(repo): | ||
caps['rawrepoformats'] = sorted(repo.requirements & | ||||
repo.supportedformats) | ||||
Gregory Szorc
|
r37564 | return proto.addcapabilities(repo, caps) | ||
Gregory Szorc
|
r37798 | def wireprotocommand(name, args=None, permission='push'): | ||
"""Decorator to declare a wire protocol command. | ||||
``name`` is the name of the wire protocol command being provided. | ||||
``args`` is a dict of argument names to example values. | ||||
``permission`` defines the permission type needed to run this command. | ||||
Can be ``push`` or ``pull``. These roughly map to read-write and read-only, | ||||
respectively. Default is to assume command requires ``push`` permissions | ||||
because otherwise commands not declaring their permissions could modify | ||||
a repository that is supposed to be read-only. | ||||
""" | ||||
transports = {k for k, v in wireprototypes.TRANSPORTS.items() | ||||
if v['version'] == 2} | ||||
if permission not in ('push', 'pull'): | ||||
raise error.ProgrammingError('invalid wire protocol permission; ' | ||||
'got %s; expected "push" or "pull"' % | ||||
permission) | ||||
if args is None: | ||||
args = {} | ||||
if not isinstance(args, dict): | ||||
raise error.ProgrammingError('arguments for version 2 commands ' | ||||
'must be declared as dicts') | ||||
Gregory Szorc
|
r37564 | def register(func): | ||
Gregory Szorc
|
r37802 | if name in COMMANDS: | ||
Gregory Szorc
|
r37798 | raise error.ProgrammingError('%s command already registered ' | ||
'for version 2' % name) | ||||
Gregory Szorc
|
r37802 | COMMANDS[name] = wireprototypes.commandentry( | ||
Gregory Szorc
|
r37798 | func, args=args, transports=transports, permission=permission) | ||
return func | ||||
Gregory Szorc
|
r37564 | |||
return register | ||||
@wireprotocommand('branchmap', permission='pull') | ||||
def branchmapv2(repo, proto): | ||||
branchmap = {encoding.fromlocal(k): v | ||||
for k, v in repo.branchmap().iteritems()} | ||||
return wireprototypes.cborresponse(branchmap) | ||||
@wireprotocommand('capabilities', permission='pull') | ||||
def capabilitiesv2(repo, proto): | ||||
caps = _capabilitiesv2(repo, proto) | ||||
return wireprototypes.cborresponse(caps) | ||||
@wireprotocommand('heads', | ||||
args={ | ||||
'publiconly': False, | ||||
}, | ||||
permission='pull') | ||||
def headsv2(repo, proto, publiconly=False): | ||||
if publiconly: | ||||
repo = repo.filtered('immutable') | ||||
return wireprototypes.cborresponse(repo.heads()) | ||||
@wireprotocommand('known', | ||||
args={ | ||||
'nodes': [b'deadbeef'], | ||||
}, | ||||
permission='pull') | ||||
def knownv2(repo, proto, nodes=None): | ||||
nodes = nodes or [] | ||||
result = b''.join(b'1' if n else b'0' for n in repo.known(nodes)) | ||||
return wireprototypes.cborresponse(result) | ||||
@wireprotocommand('listkeys', | ||||
args={ | ||||
'namespace': b'ns', | ||||
}, | ||||
permission='pull') | ||||
def listkeysv2(repo, proto, namespace=None): | ||||
keys = repo.listkeys(encoding.tolocal(namespace)) | ||||
keys = {encoding.fromlocal(k): encoding.fromlocal(v) | ||||
for k, v in keys.iteritems()} | ||||
return wireprototypes.cborresponse(keys) | ||||
@wireprotocommand('lookup', | ||||
args={ | ||||
'key': b'foo', | ||||
}, | ||||
permission='pull') | ||||
def lookupv2(repo, proto, key): | ||||
key = encoding.tolocal(key) | ||||
# TODO handle exception. | ||||
node = repo.lookup(key) | ||||
return wireprototypes.cborresponse(node) | ||||
@wireprotocommand('pushkey', | ||||
args={ | ||||
'namespace': b'ns', | ||||
'key': b'key', | ||||
'old': b'old', | ||||
'new': b'new', | ||||
}, | ||||
permission='push') | ||||
def pushkeyv2(repo, proto, namespace, key, old, new): | ||||
# TODO handle ui output redirection | ||||
r = repo.pushkey(encoding.tolocal(namespace), | ||||
encoding.tolocal(key), | ||||
encoding.tolocal(old), | ||||
encoding.tolocal(new)) | ||||
return wireprototypes.cborresponse(r) | ||||