afan
/
gitea
ウォッチ 1
お気に入りに登録 0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 0 Wiki アクティビティ
gitea源码
3 コミット
2 ブランチ
ブランチ: master
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'master' から
${ noResults }
gitea/routers/private/serv.go

serv.go 15KB
パーマリンク 履歴 Raw形式

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package private

  5. 

  6. import (

  7. 	"fmt"

  8. 	"net/http"

  9. 	"strings"

  10. 

  11. 	asymkey_model "code.gitea.io/gitea/models/asymkey"

  12. 	"code.gitea.io/gitea/models/perm"

  13. 	access_model "code.gitea.io/gitea/models/perm/access"

  14. 	repo_model "code.gitea.io/gitea/models/repo"

  15. 	"code.gitea.io/gitea/models/unit"

  16. 	user_model "code.gitea.io/gitea/models/user"

  17. 	"code.gitea.io/gitea/modules/git"

  18. 	"code.gitea.io/gitea/modules/log"

  19. 	"code.gitea.io/gitea/modules/private"

  20. 	"code.gitea.io/gitea/modules/setting"

  21. 	"code.gitea.io/gitea/services/context"

  22. 	repo_service "code.gitea.io/gitea/services/repository"

  23. 	wiki_service "code.gitea.io/gitea/services/wiki"

  24. )

  25. 

  26. // ServNoCommand returns information about the provided keyid

  27. func ServNoCommand(ctx *context.PrivateContext) {

  28. 	keyID := ctx.PathParamInt64("keyid")

  29. 	if keyID <= 0 {

  30. 		ctx.JSON(http.StatusBadRequest, private.Response{

  31. 			UserMsg: fmt.Sprintf("Bad key id: %d", keyID),

  32. 		})

  33. 	}

  34. 	results := private.KeyAndOwner{}

  35. 

  36. 	key, err := asymkey_model.GetPublicKeyByID(ctx, keyID)

  37. 	if err != nil {

  38. 		if asymkey_model.IsErrKeyNotExist(err) {

  39. 			ctx.JSON(http.StatusUnauthorized, private.Response{

  40. 				UserMsg: fmt.Sprintf("Cannot find key: %d", keyID),

  41. 			})

  42. 			return

  43. 		}

  44. 		log.Error("Unable to get public key: %d Error: %v", keyID, err)

  45. 		ctx.JSON(http.StatusInternalServerError, private.Response{

  46. 			Err: err.Error(),

  47. 		})

  48. 		return

  49. 	}

  50. 	results.Key = key

  51. 

  52. 	if key.Type == asymkey_model.KeyTypeUser || key.Type == asymkey_model.KeyTypePrincipal {

  53. 		user, err := user_model.GetUserByID(ctx, key.OwnerID)

  54. 		if err != nil {

  55. 			if user_model.IsErrUserNotExist(err) {

  56. 				ctx.JSON(http.StatusUnauthorized, private.Response{

  57. 					UserMsg: fmt.Sprintf("Cannot find owner with id: %d for key: %d", key.OwnerID, keyID),

  58. 				})

  59. 				return

  60. 			}

  61. 			log.Error("Unable to get owner with id: %d for public key: %d Error: %v", key.OwnerID, keyID, err)

  62. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  63. 				Err: err.Error(),

  64. 			})

  65. 			return

  66. 		}

  67. 		if !user.IsActive || user.ProhibitLogin {

  68. 			ctx.JSON(http.StatusForbidden, private.Response{

  69. 				UserMsg: "Your account is disabled.",

  70. 			})

  71. 			return

  72. 		}

  73. 		results.Owner = user

  74. 	}

  75. 	ctx.JSON(http.StatusOK, &results)

  76. }

  77. 

  78. // ServCommand returns information about the provided keyid

  79. func ServCommand(ctx *context.PrivateContext) {

  80. 	keyID := ctx.PathParamInt64("keyid")

  81. 	ownerName := ctx.PathParam("owner")

  82. 	repoName := ctx.PathParam("repo")

  83. 	mode := perm.AccessMode(ctx.FormInt("mode"))

  84. 	verb := ctx.FormString("verb")

  85. 

  86. 	// Set the basic parts of the results to return

  87. 	results := private.ServCommandResults{

  88. 		RepoName:  repoName,

  89. 		OwnerName: ownerName,

  90. 		KeyID:     keyID,

  91. 	}

  92. 

  93. 	// Now because we're not translating things properly let's just default some English strings here

  94. 	modeString := "read"

  95. 	if mode > perm.AccessModeRead {

  96. 		modeString = "write to"

  97. 	}

  98. 

  99. 	// The default unit we're trying to look at is code

  100. 	unitType := unit.TypeCode

  101. 

  102. 	// Unless we're a wiki...

  103. 	if strings.HasSuffix(repoName, ".wiki") {

  104. 		// in which case we need to look at the wiki

  105. 		unitType = unit.TypeWiki

  106. 		// And we'd better munge the reponame and tell downstream we're looking at a wiki

  107. 		results.IsWiki = true

  108. 		results.RepoName = repoName[:len(repoName)-5]

  109. 	}

  110. 

  111. 	// Check if there is a user redirect for the requested owner

  112. 	redirectedUserID, err := user_model.LookupUserRedirect(ctx, results.OwnerName)

  113. 	if err == nil {

  114. 		owner, err := user_model.GetUserByID(ctx, redirectedUserID)

  115. 		if err == nil {

  116. 			log.Info("User %s has been redirected to %s", results.OwnerName, owner.Name)

  117. 			results.OwnerName = owner.Name

  118. 		} else {

  119. 			log.Warn("User %s has a redirect to user with ID %d, but no user with this ID could be found. Trying without redirect...", results.OwnerName, redirectedUserID)

  120. 		}

  121. 	}

  122. 

  123. 	owner, err := user_model.GetUserByName(ctx, results.OwnerName)

  124. 	if err != nil {

  125. 		if user_model.IsErrUserNotExist(err) {

  126. 			// User is fetching/cloning a non-existent repository

  127. 			log.Warn("Failed authentication attempt (cannot find repository: %s/%s) from %s", results.OwnerName, results.RepoName, ctx.RemoteAddr())

  128. 			ctx.JSON(http.StatusNotFound, private.Response{

  129. 				UserMsg: fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName),

  130. 			})

  131. 			return

  132. 		}

  133. 		log.Error("Unable to get repository owner: %s/%s Error: %v", results.OwnerName, results.RepoName, err)

  134. 		ctx.JSON(http.StatusForbidden, private.Response{

  135. 			UserMsg: fmt.Sprintf("Unable to get repository owner: %s/%s %v", results.OwnerName, results.RepoName, err),

  136. 		})

  137. 		return

  138. 	}

  139. 	if !owner.IsOrganization() && !owner.IsActive {

  140. 		ctx.JSON(http.StatusForbidden, private.Response{

  141. 			UserMsg: "Repository cannot be accessed, you could retry it later",

  142. 		})

  143. 		return

  144. 	}

  145. 

  146. 	redirectedRepoID, err := repo_model.LookupRedirect(ctx, owner.ID, results.RepoName)

  147. 	if err == nil {

  148. 		redirectedRepo, err := repo_model.GetRepositoryByID(ctx, redirectedRepoID)

  149. 		if err == nil {

  150. 			log.Info("Repository %s/%s has been redirected to %s/%s", results.OwnerName, results.RepoName, redirectedRepo.OwnerName, redirectedRepo.Name)

  151. 			results.RepoName = redirectedRepo.Name

  152. 			results.OwnerName = redirectedRepo.OwnerName

  153. 			owner.ID = redirectedRepo.OwnerID

  154. 		} else {

  155. 			log.Warn("Repo %s/%s has a redirect to repo with ID %d, but no repo with this ID could be found. Trying without redirect...", results.OwnerName, results.RepoName, redirectedRepoID)

  156. 		}

  157. 	}

  158. 

  159. 	// Now get the Repository and set the results section

  160. 	repoExist := true

  161. 	repo, err := repo_model.GetRepositoryByName(ctx, owner.ID, results.RepoName)

  162. 	if err != nil {

  163. 		if repo_model.IsErrRepoNotExist(err) {

  164. 			repoExist = false

  165. 			if mode == perm.AccessModeRead {

  166. 				// User is fetching/cloning a non-existent repository

  167. 				log.Warn("Failed authentication attempt (cannot find repository: %s/%s) from %s", results.OwnerName, results.RepoName, ctx.RemoteAddr())

  168. 				ctx.JSON(http.StatusNotFound, private.Response{

  169. 					UserMsg: fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName),

  170. 				})

  171. 				return

  172. 			}

  173. 			// else fallthrough (push-to-create may kick in below)

  174. 		} else {

  175. 			log.Error("Unable to get repository: %s/%s Error: %v", results.OwnerName, results.RepoName, err)

  176. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  177. 				Err: fmt.Sprintf("Unable to get repository: %s/%s %v", results.OwnerName, results.RepoName, err),

  178. 			})

  179. 			return

  180. 		}

  181. 	}

  182. 

  183. 	if repoExist {

  184. 		repo.Owner = owner

  185. 		repo.OwnerName = ownerName

  186. 		results.RepoID = repo.ID

  187. 

  188. 		if repo.IsBeingCreated() {

  189. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  190. 				Err: "Repository is being created, you could retry after it finished",

  191. 			})

  192. 			return

  193. 		}

  194. 

  195. 		if repo.IsBroken() {

  196. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  197. 				Err: "Repository is in a broken state",

  198. 			})

  199. 			return

  200. 		}

  201. 

  202. 		// We can shortcut at this point if the repo is a mirror

  203. 		if mode > perm.AccessModeRead && repo.IsMirror {

  204. 			ctx.JSON(http.StatusForbidden, private.Response{

  205. 				UserMsg: fmt.Sprintf("Mirror Repository %s/%s is read-only", results.OwnerName, results.RepoName),

  206. 			})

  207. 			return

  208. 		}

  209. 	}

  210. 

  211. 	// Get the Public Key represented by the keyID

  212. 	key, err := asymkey_model.GetPublicKeyByID(ctx, keyID)

  213. 	if err != nil {

  214. 		if asymkey_model.IsErrKeyNotExist(err) {

  215. 			ctx.JSON(http.StatusNotFound, private.Response{

  216. 				UserMsg: fmt.Sprintf("Cannot find key: %d", keyID),

  217. 			})

  218. 			return

  219. 		}

  220. 		log.Error("Unable to get public key: %d Error: %v", keyID, err)

  221. 		ctx.JSON(http.StatusInternalServerError, private.Response{

  222. 			Err: fmt.Sprintf("Unable to get key: %d  Error: %v", keyID, err),

  223. 		})

  224. 		return

  225. 	}

  226. 	results.KeyName = key.Name

  227. 	results.KeyID = key.ID

  228. 	results.UserID = key.OwnerID

  229. 

  230. 	// If repo doesn't exist, deploy key doesn't make sense

  231. 	if !repoExist && key.Type == asymkey_model.KeyTypeDeploy {

  232. 		ctx.JSON(http.StatusNotFound, private.Response{

  233. 			UserMsg: fmt.Sprintf("Cannot find repository %s/%s", results.OwnerName, results.RepoName),

  234. 		})

  235. 		return

  236. 	}

  237. 

  238. 	// Deploy Keys have ownerID set to 0 therefore we can't use the owner

  239. 	// So now we need to check if the key is a deploy key

  240. 	// We'll keep hold of the deploy key here for permissions checking

  241. 	var deployKey *asymkey_model.DeployKey

  242. 	var user *user_model.User

  243. 	if key.Type == asymkey_model.KeyTypeDeploy {

  244. 		var err error

  245. 		deployKey, err = asymkey_model.GetDeployKeyByRepo(ctx, key.ID, repo.ID)

  246. 		if err != nil {

  247. 			if asymkey_model.IsErrDeployKeyNotExist(err) {

  248. 				ctx.JSON(http.StatusNotFound, private.Response{

  249. 					UserMsg: fmt.Sprintf("Public (Deploy) Key: %d:%s is not authorized to %s %s/%s.", key.ID, key.Name, modeString, results.OwnerName, results.RepoName),

  250. 				})

  251. 				return

  252. 			}

  253. 			log.Error("Unable to get deploy for public (deploy) key: %d in %-v Error: %v", key.ID, repo, err)

  254. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  255. 				Err: fmt.Sprintf("Unable to get Deploy Key for Public Key: %d:%s in %s/%s.", key.ID, key.Name, results.OwnerName, results.RepoName),

  256. 			})

  257. 			return

  258. 		}

  259. 		results.DeployKeyID = deployKey.ID

  260. 		results.KeyName = deployKey.Name

  261. 

  262. 		// FIXME: Deploy keys aren't really the owner of the repo pushing changes

  263. 		// however we don't have good way of representing deploy keys in hook.go

  264. 		// so for now use the owner of the repository

  265. 		results.UserName = results.OwnerName

  266. 		results.UserID = repo.OwnerID

  267. 		if !repo.Owner.KeepEmailPrivate {

  268. 			results.UserEmail = repo.Owner.Email

  269. 		}

  270. 	} else {

  271. 		// Get the user represented by the Key

  272. 		var err error

  273. 		user, err = user_model.GetUserByID(ctx, key.OwnerID)

  274. 		if err != nil {

  275. 			if user_model.IsErrUserNotExist(err) {

  276. 				ctx.JSON(http.StatusUnauthorized, private.Response{

  277. 					UserMsg: fmt.Sprintf("Public Key: %d:%s owner %d does not exist.", key.ID, key.Name, key.OwnerID),

  278. 				})

  279. 				return

  280. 			}

  281. 			log.Error("Unable to get owner: %d for public key: %d:%s Error: %v", key.OwnerID, key.ID, key.Name, err)

  282. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  283. 				Err: fmt.Sprintf("Unable to get Owner: %d for Deploy Key: %d:%s in %s/%s.", key.OwnerID, key.ID, key.Name, ownerName, repoName),

  284. 			})

  285. 			return

  286. 		}

  287. 

  288. 		if !user.IsActive || user.ProhibitLogin {

  289. 			ctx.JSON(http.StatusForbidden, private.Response{

  290. 				UserMsg: "Your account is disabled.",

  291. 			})

  292. 			return

  293. 		}

  294. 

  295. 		results.UserName = user.Name

  296. 		if !user.KeepEmailPrivate {

  297. 			results.UserEmail = user.Email

  298. 		}

  299. 	}

  300. 

  301. 	// Don't allow pushing if the repo is archived

  302. 	if repoExist && mode > perm.AccessModeRead && repo.IsArchived {

  303. 		ctx.JSON(http.StatusUnauthorized, private.Response{

  304. 			UserMsg: fmt.Sprintf("Repo: %s/%s is archived.", results.OwnerName, results.RepoName),

  305. 		})

  306. 		return

  307. 	}

  308. 

  309. 	// Permissions checking:

  310. 	if repoExist &&

  311. 		(mode > perm.AccessModeRead ||

  312. 			repo.IsPrivate ||

  313. 			owner.Visibility.IsPrivate() ||

  314. 			(user != nil && user.IsRestricted) || // user will be nil if the key is a deploykey

  315. 			setting.Service.RequireSignInViewStrict) {

  316. 		if key.Type == asymkey_model.KeyTypeDeploy {

  317. 			if deployKey.Mode < mode {

  318. 				ctx.JSON(http.StatusUnauthorized, private.Response{

  319. 					UserMsg: fmt.Sprintf("Deploy Key: %d:%s is not authorized to %s %s/%s.", key.ID, key.Name, modeString, results.OwnerName, results.RepoName),

  320. 				})

  321. 				return

  322. 			}

  323. 		} else {

  324. 			// Because of the special ref "refs/for" (AGit) we will need to delay write permission check,

  325. 			// AGit flow needs to write its own ref when the doer has "reader" permission (allowing to create PR).

  326. 			// The real permission check is done in HookPreReceive (routers/private/hook_pre_receive.go).

  327. 			// Here it should relax the permission check for "git push (git-receive-pack)", but not for others like LFS operations.

  328. 			if git.DefaultFeatures().SupportProcReceive && unitType == unit.TypeCode && verb == git.CmdVerbReceivePack {

  329. 				mode = perm.AccessModeRead

  330. 			}

  331. 

  332. 			perm, err := access_model.GetUserRepoPermission(ctx, repo, user)

  333. 			if err != nil {

  334. 				log.Error("Unable to get permissions for %-v with key %d in %-v Error: %v", user, key.ID, repo, err)

  335. 				ctx.JSON(http.StatusInternalServerError, private.Response{

  336. 					Err: fmt.Sprintf("Unable to get permissions for user %d:%s with key %d in %s/%s Error: %v", user.ID, user.Name, key.ID, results.OwnerName, results.RepoName, err),

  337. 				})

  338. 				return

  339. 			}

  340. 

  341. 			userMode := perm.UnitAccessMode(unitType)

  342. 

  343. 			if userMode < mode {

  344. 				log.Warn("Failed authentication attempt for %s with key %s (not authorized to %s %s/%s) from %s", user.Name, key.Name, modeString, ownerName, repoName, ctx.RemoteAddr())

  345. 				ctx.JSON(http.StatusUnauthorized, private.Response{

  346. 					UserMsg: fmt.Sprintf("User: %d:%s with Key: %d:%s is not authorized to %s %s/%s.", user.ID, user.Name, key.ID, key.Name, modeString, ownerName, repoName),

  347. 				})

  348. 				return

  349. 			}

  350. 		}

  351. 	}

  352. 

  353. 	// We already know we aren't using a deploy key

  354. 	if !repoExist {

  355. 		owner, err := user_model.GetUserByName(ctx, ownerName)

  356. 		if err != nil {

  357. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  358. 				Err: fmt.Sprintf("Unable to get owner: %s %v", results.OwnerName, err),

  359. 			})

  360. 			return

  361. 		}

  362. 

  363. 		if owner.IsOrganization() && !setting.Repository.EnablePushCreateOrg {

  364. 			ctx.JSON(http.StatusForbidden, private.Response{

  365. 				UserMsg: "Push to create is not enabled for organizations.",

  366. 			})

  367. 			return

  368. 		}

  369. 		if !owner.IsOrganization() && !setting.Repository.EnablePushCreateUser {

  370. 			ctx.JSON(http.StatusForbidden, private.Response{

  371. 				UserMsg: "Push to create is not enabled for users.",

  372. 			})

  373. 			return

  374. 		}

  375. 

  376. 		repo, err = repo_service.PushCreateRepo(ctx, user, owner, results.RepoName)

  377. 		if err != nil {

  378. 			log.Error("pushCreateRepo: %v", err)

  379. 			ctx.JSON(http.StatusNotFound, private.Response{

  380. 				UserMsg: fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName),

  381. 			})

  382. 			return

  383. 		}

  384. 		results.RepoID = repo.ID

  385. 	}

  386. 

  387. 	if results.IsWiki {

  388. 		// Ensure the wiki is enabled before we allow access to it

  389. 		if _, err := repo.GetUnit(ctx, unit.TypeWiki); err != nil {

  390. 			if repo_model.IsErrUnitTypeNotExist(err) {

  391. 				ctx.JSON(http.StatusForbidden, private.Response{

  392. 					UserMsg: "repository wiki is disabled",

  393. 				})

  394. 				return

  395. 			}

  396. 			log.Error("Failed to get the wiki unit in %-v Error: %v", repo, err)

  397. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  398. 				Err: fmt.Sprintf("Failed to get the wiki unit in %s/%s Error: %v", ownerName, repoName, err),

  399. 			})

  400. 			return

  401. 		}

  402. 

  403. 		// Finally if we're trying to touch the wiki we should init it

  404. 		if err = wiki_service.InitWiki(ctx, repo); err != nil {

  405. 			log.Error("Failed to initialize the wiki in %-v Error: %v", repo, err)

  406. 			ctx.JSON(http.StatusInternalServerError, private.Response{

  407. 				Err: fmt.Sprintf("Failed to initialize the wiki in %s/%s Error: %v", ownerName, repoName, err),

  408. 			})

  409. 			return

  410. 		}

  411. 	}

  412. 	log.Debug("Serv Results:\nIsWiki: %t\nDeployKeyID: %d\nKeyID: %d\tKeyName: %s\nUserName: %s\nUserID: %d\nOwnerName: %s\nRepoName: %s\nRepoID: %d",

  413. 		results.IsWiki,

  414. 		results.DeployKeyID,

  415. 		results.KeyID,

  416. 		results.KeyName,

  417. 		results.UserName,

  418. 		results.UserID,

  419. 		results.OwnerName,

  420. 		results.RepoName,

  421. 		results.RepoID)

  422. 

  423. 	ctx.JSON(http.StatusOK, results)

  424. 	// We will update the keys in a different call.

  425. }