Home Explore Help
Register Sign In
NotABug.org
/
gogs
Watch 4
Star 1
Fork 0
Files Issues 1 Pull Requests 0 Wiki
Branch: master
Branches Tags
gogs
/
cmd
/
serv.go

serv.go 7.4 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a MIT-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. package cmd
    6. 

  6. 

  7. import (
    8. 

  8. 	"fmt"
    9. 

  9. 	"os"
    10. 

  10. 	"os/exec"
    11. 

  11. 	"path/filepath"
    12. 

  12. 	"strings"
    13. 

  13. 	"time"
    14. 

  14. 

  15. 	"github.com/Unknwon/com"
    16. 

  16. 	"github.com/urfave/cli"
    17. 

  17. 	log "gopkg.in/clog.v1"
    18. 

  18. 

  19. 	"github.com/gogits/gogs/models"
    20. 

  20. 	"github.com/gogits/gogs/modules/setting"
    21. 

  21. 	http "github.com/gogits/gogs/routers/repo"
    22. 

  22. )
    23. 

  23. 

  24. const (
    25. 

  25. 	_ACCESS_DENIED_MESSAGE = "Repository does not exist or you do not have access"
    26. 

  26. )
    27. 

  27. 

  28. var Serv = cli.Command{
    29. 

  29. 	Name:        "serv",
    30. 

  30. 	Usage:       "This command should only be called by SSH shell",
    31. 

  31. 	Description: `Serv provide access auth for repositories`,
    32. 

  32. 	Action:      runServ,
    33. 

  33. 	Flags: []cli.Flag{
    34. 

  34. 		stringFlag("config, c", "custom/conf/app.ini", "Custom configuration file path"),
    35. 

  35. 	},
    36. 

  36. }
    37. 

  37. 

  38. func fail(userMessage, logMessage string, args ...interface{}) {
    39. 

  39. 	fmt.Fprintln(os.Stderr, "Gogs:", userMessage)
    40. 

  40. 

  41. 	if len(logMessage) > 0 {
    42. 

  42. 		if !setting.ProdMode {
    43. 

  43. 			fmt.Fprintf(os.Stderr, logMessage+"\n", args...)
    44. 

  44. 		}
    45. 

  45. 		log.Fatal(3, logMessage, args...)
    46. 

  46. 	}
    47. 

  47. 

  48. 	os.Exit(1)
    49. 

  49. }
    50. 

  50. 

  51. func setup(c *cli.Context, logPath string, connectDB bool) {
    52. 

  52. 	if c.IsSet("config") {
    53. 

  53. 		setting.CustomConf = c.String("config")
    54. 

  54. 	} else if c.GlobalIsSet("config") {
    55. 

  55. 		setting.CustomConf = c.GlobalString("config")
    56. 

  56. 	}
    57. 

  57. 

  58. 	setting.NewContext()
    59. 

  59. 

  60. 	level := log.TRACE
    61. 

  61. 	if setting.ProdMode {
    62. 

  62. 		level = log.ERROR
    63. 

  63. 	}
    64. 

  64. 	log.New(log.FILE, log.FileConfig{
    65. 

  65. 		Level:    level,
    66. 

  66. 		Filename: filepath.Join(setting.LogRootPath, logPath),
    67. 

  67. 		FileRotationConfig: log.FileRotationConfig{
    68. 

  68. 			Rotate:  true,
    69. 

  69. 			Daily:   true,
    70. 

  70. 			MaxDays: 3,
    71. 

  71. 		},
    72. 

  72. 	})
    73. 

  73. 	log.Delete(log.CONSOLE) // Remove primary logger
    74. 

  74. 

  75. 	if !connectDB {
    76. 

  76. 		return
    77. 

  77. 	}
    78. 

  78. 

  79. 	models.LoadConfigs()
    80. 

  80. 

  81. 	if setting.UseSQLite3 {
    82. 

  82. 		workDir, _ := setting.WorkDir()
    83. 

  83. 		os.Chdir(workDir)
    84. 

  84. 	}
    85. 

  85. 

  86. 	if err := models.SetEngine(); err != nil {
    87. 

  87. 		fail("Internal error", "SetEngine: %v", err)
    88. 

  88. 	}
    89. 

  89. }
    90. 

  90. 

  91. func parseSSHCmd(cmd string) (string, string) {
    92. 

  92. 	ss := strings.SplitN(cmd, " ", 2)
    93. 

  93. 	if len(ss) != 2 {
    94. 

  94. 		return "", ""
    95. 

  95. 	}
    96. 

  96. 	return ss[0], strings.Replace(ss[1], "'/", "'", 1)
    97. 

  97. }
    98. 

  98. 

  99. func checkDeployKey(key *models.PublicKey, repo *models.Repository) {
    100. 

  100. 	// Check if this deploy key belongs to current repository.
    101. 

  101. 	if !models.HasDeployKey(key.ID, repo.ID) {
    102. 

  102. 		fail("Key access denied", "Deploy key access denied: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
    103. 

  103. 	}
    104. 

  104. 

  105. 	// Update deploy key activity.
    106. 

  106. 	deployKey, err := models.GetDeployKeyByRepo(key.ID, repo.ID)
    107. 

  107. 	if err != nil {
    108. 

  108. 		fail("Internal error", "GetDeployKey: %v", err)
    109. 

  109. 	}
    110. 

  110. 

  111. 	deployKey.Updated = time.Now()
    112. 

  112. 	if err = models.UpdateDeployKey(deployKey); err != nil {
    113. 

  113. 		fail("Internal error", "UpdateDeployKey: %v", err)
    114. 

  114. 	}
    115. 

  115. }
    116. 

  116. 

  117. var (
    118. 

  118. 	allowedCommands = map[string]models.AccessMode{
    119. 

  119. 		"git-upload-pack":    models.ACCESS_MODE_READ,
    120. 

  120. 		"git-upload-archive": models.ACCESS_MODE_READ,
    121. 

  121. 		"git-receive-pack":   models.ACCESS_MODE_WRITE,
    122. 

  122. 	}
    123. 

  123. )
    124. 

  124. 

  125. func runServ(c *cli.Context) error {
    126. 

  126. 	setup(c, "serv.log", true)
    127. 

  127. 

  128. 	if setting.SSH.Disabled {
    129. 

  129. 		println("Gogs: SSH has been disabled")
    130. 

  130. 		return nil
    131. 

  131. 	}
    132. 

  132. 

  133. 	if len(c.Args()) < 1 {
    134. 

  134. 		fail("Not enough arguments", "Not enough arguments")
    135. 

  135. 	}
    136. 

  136. 

  137. 	sshCmd := os.Getenv("SSH_ORIGINAL_COMMAND")
    138. 

  138. 	if len(sshCmd) == 0 {
    139. 

  139. 		println("Hi there, You've successfully authenticated, but Gogs does not provide shell access.")
    140. 

  140. 		println("If this is unexpected, please log in with password and setup Gogs under another user.")
    141. 

  141. 		return nil
    142. 

  142. 	}
    143. 

  143. 

  144. 	verb, args := parseSSHCmd(sshCmd)
    145. 

  145. 	repoFullName := strings.ToLower(strings.Trim(args, "'"))
    146. 

  146. 	repoFields := strings.SplitN(repoFullName, "/", 2)
    147. 

  147. 	if len(repoFields) != 2 {
    148. 

  148. 		fail("Invalid repository path", "Invalid repository path: %v", args)
    149. 

  149. 	}
    150. 

  150. 	ownerName := strings.ToLower(repoFields[0])
    151. 

  151. 	repoName := strings.TrimSuffix(strings.ToLower(repoFields[1]), ".git")
    152. 

  152. 	repoName = strings.TrimSuffix(repoName, ".wiki")
    153. 

  153. 

  154. 	owner, err := models.GetUserByName(ownerName)
    155. 

  155. 	if err != nil {
    156. 

  156. 		if models.IsErrUserNotExist(err) {
    157. 

  157. 			fail("Repository owner does not exist", "Unregistered owner: %s", ownerName)
    158. 

  158. 		}
    159. 

  159. 		fail("Internal error", "Fail to get repository owner '%s': %v", ownerName, err)
    160. 

  160. 	}
    161. 

  161. 

  162. 	repo, err := models.GetRepositoryByName(owner.ID, repoName)
    163. 

  163. 	if err != nil {
    164. 

  164. 		if models.IsErrRepoNotExist(err) {
    165. 

  165. 			fail(_ACCESS_DENIED_MESSAGE, "Repository does not exist: %s/%s", owner.Name, repoName)
    166. 

  166. 		}
    167. 

  167. 		fail("Internal error", "Fail to get repository: %v", err)
    168. 

  168. 	}
    169. 

  169. 	repo.Owner = owner
    170. 

  170. 

  171. 	requestMode, ok := allowedCommands[verb]
    172. 

  172. 	if !ok {
    173. 

  173. 		fail("Unknown git command", "Unknown git command '%s'", verb)
    174. 

  174. 	}
    175. 

  175. 

  176. 	// Prohibit push to mirror repositories.
    177. 

  177. 	if requestMode > models.ACCESS_MODE_READ && repo.IsMirror {
    178. 

  178. 		fail("Mirror repository is read-only", "")
    179. 

  179. 	}
    180. 

  180. 

  181. 	// Allow anonymous (user is nil) clone for public repositories.
    182. 

  182. 	var user *models.User
    183. 

  183. 

  184. 	key, err := models.GetPublicKeyByID(com.StrTo(strings.TrimPrefix(c.Args()[0], "key-")).MustInt64())
    185. 

  185. 	if err != nil {
    186. 

  186. 		fail("Invalid key ID", "Invalid key ID '%s': %v", c.Args()[0], err)
    187. 

  187. 	}
    188. 

  188. 

  189. 	if requestMode == models.ACCESS_MODE_WRITE || repo.IsPrivate {
    190. 

  190. 		// Check deploy key or user key.
    191. 

  191. 		if key.IsDeployKey() {
    192. 

  192. 			if key.Mode < requestMode {
    193. 

  193. 				fail("Key permission denied", "Cannot push with deployment key: %d", key.ID)
    194. 

  194. 			}
    195. 

  195. 			checkDeployKey(key, repo)
    196. 

  196. 		} else {
    197. 

  197. 			user, err = models.GetUserByKeyID(key.ID)
    198. 

  198. 			if err != nil {
    199. 

  199. 				fail("Internal error", "Fail to get user by key ID '%d': %v", key.ID, err)
    200. 

  200. 			}
    201. 

  201. 

  202. 			mode, err := models.AccessLevel(user.ID, repo)
    203. 

  203. 			if err != nil {
    204. 

  204. 				fail("Internal error", "Fail to check access: %v", err)
    205. 

  205. 			}
    206. 

  206. 

  207. 			if mode < requestMode {
    208. 

  208. 				clientMessage := _ACCESS_DENIED_MESSAGE
    209. 

  209. 				if mode >= models.ACCESS_MODE_READ {
    210. 

  210. 					clientMessage = "You do not have sufficient authorization for this action"
    211. 

  211. 				}
    212. 

  212. 				fail(clientMessage,
    213. 

  213. 					"User '%s' does not have level '%v' access to repository '%s'",
    214. 

  214. 					user.Name, requestMode, repoFullName)
    215. 

  215. 			}
    216. 

  216. 		}
    217. 

  217. 	} else {
    218. 

  218. 		setting.NewService()
    219. 

  219. 		// Check if the key can access to the repository in case of it is a deploy key (a deploy keys != user key).
    220. 

  220. 		// A deploy key doesn't represent a signed in user, so in a site with Service.RequireSignInView activated
    221. 

  221. 		// we should give read access only in repositories where this deploy key is in use. In other case, a server
    222. 

  222. 		// or system using an active deploy key can get read access to all the repositories in a Gogs service.
    223. 

  223. 		if key.IsDeployKey() && setting.Service.RequireSignInView {
    224. 

  224. 			checkDeployKey(key, repo)
    225. 

  225. 		}
    226. 

  226. 	}
    227. 

  227. 

  228. 	// Update user key activity.
    229. 

  229. 	if key.ID > 0 {
    230. 

  230. 		key, err := models.GetPublicKeyByID(key.ID)
    231. 

  231. 		if err != nil {
    232. 

  232. 			fail("Internal error", "GetPublicKeyByID: %v", err)
    233. 

  233. 		}
    234. 

  234. 

  235. 		key.Updated = time.Now()
    236. 

  236. 		if err = models.UpdatePublicKey(key); err != nil {
    237. 

  237. 			fail("Internal error", "UpdatePublicKey: %v", err)
    238. 

  238. 		}
    239. 

  239. 	}
    240. 

  240. 

  241. 	// Special handle for Windows.
    242. 

  242. 	if setting.IsWindows {
    243. 

  243. 		verb = strings.Replace(verb, "-", " ", 1)
    244. 

  244. 	}
    245. 

  245. 

  246. 	var gitCmd *exec.Cmd
    247. 

  247. 	verbs := strings.Split(verb, " ")
    248. 

  248. 	if len(verbs) == 2 {
    249. 

  249. 		gitCmd = exec.Command(verbs[0], verbs[1], repoFullName)
    250. 

  250. 	} else {
    251. 

  251. 		gitCmd = exec.Command(verb, repoFullName)
    252. 

  252. 	}
    253. 

  253. 	if requestMode == models.ACCESS_MODE_WRITE {
    254. 

  254. 		gitCmd.Env = append(os.Environ(), http.ComposeHookEnvs(http.ComposeHookEnvsOptions{
    255. 

  255. 			AuthUser:  user,
    256. 

  256. 			OwnerName: owner.Name,
    257. 

  257. 			OwnerSalt: owner.Salt,
    258. 

  258. 			RepoID:    repo.ID,
    259. 

  259. 			RepoName:  repo.Name,
    260. 

  260. 			RepoPath:  repo.RepoPath(),
    261. 

  261. 		})...)
    262. 

  262. 	}
    263. 

  263. 	gitCmd.Dir = setting.RepoRootPath
    264. 

  264. 	gitCmd.Stdout = os.Stdout
    265. 

  265. 	gitCmd.Stdin = os.Stdin
    266. 

  266. 	gitCmd.Stderr = os.Stderr
    267. 

  267. 	if err = gitCmd.Run(); err != nil {
    268. 

  268. 		fail("Internal error", "Fail to execute git command: %v", err)
    269. 

  269. 	}
    270. 

  270. 

  271. 	return nil
    272. 

  272. }
    273. 

  273.