gitea/routers/private/internal.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

// Package private includes all internal routes. The package name internal is ideal but Golang is not allowed, so we use private as package name instead.
package private

import (
	"strings"

	"code.gitea.io/gitea/models"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/private"
	"code.gitea.io/gitea/modules/setting"

	"gitea.com/macaron/binding"
	"gitea.com/macaron/macaron"
)

// CheckInternalToken check internal token is set
func CheckInternalToken(ctx *macaron.Context) {
	tokens := ctx.Req.Header.Get("Authorization")
	fields := strings.Fields(tokens)
	if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
		log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
		ctx.Error(403)
	}
}

//GetRepositoryByOwnerAndName chainload to models.GetRepositoryByOwnerAndName
func GetRepositoryByOwnerAndName(ctx *macaron.Context) {
	//TODO use repo.Get(ctx *context.APIContext) ?
	ownerName := ctx.Params(":owner")
	repoName := ctx.Params(":repo")
	repo, err := models.GetRepositoryByOwnerAndName(ownerName, repoName)
	if err != nil {
		ctx.JSON(500, map[string]interface{}{
			"err": err.Error(),
		})
		return
	}
	ctx.JSON(200, repo)
}

//CheckUnitUser chainload to models.CheckUnitUser
func CheckUnitUser(ctx *macaron.Context) {
	repoID := ctx.ParamsInt64(":repoid")
	userID := ctx.ParamsInt64(":userid")
	repo, err := models.GetRepositoryByID(repoID)
	if err != nil {
		ctx.JSON(500, map[string]interface{}{
			"err": err.Error(),
		})
		return
	}

	var user *models.User
	if userID > 0 {
		user, err = models.GetUserByID(userID)
		if err != nil {
			ctx.JSON(500, map[string]interface{}{
				"err": err.Error(),
			})
			return
		}
	}

	perm, err := models.GetUserRepoPermission(repo, user)
	if err != nil {
		ctx.JSON(500, map[string]interface{}{
			"err": err.Error(),
		})
		return
	}

	ctx.JSON(200, perm.UnitAccessMode(models.UnitType(ctx.QueryInt("unitType"))))
}

// RegisterRoutes registers all internal APIs routes to web application.
// These APIs will be invoked by internal commands for example `gitea serv` and etc.
func RegisterRoutes(m *macaron.Macaron) {
	bind := binding.Bind

	m.Group("/", func() {
		m.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent)
		m.Post("/ssh/:id/update/:repoid", UpdatePublicKeyInRepo)
		m.Post("/hook/pre-receive/:owner/:repo", bind(private.HookOptions{}), HookPreReceive)
		m.Post("/hook/post-receive/:owner/:repo", bind(private.HookOptions{}), HookPostReceive)
		m.Post("/hook/set-default-branch/:owner/:repo/:branch", SetDefaultBranch)
		m.Get("/serv/none/:keyid", ServNoCommand)
		m.Get("/serv/command/:keyid/:owner/:repo", ServCommand)
	}, CheckInternalToken)
}
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`// Package private includes all internal routes. The package name internal is ideal but Golang is not allowed, so we use private as package name instead.`
			`package private`

			`import (`
			`"strings"`

			`"code.gitea.io/gitea/models"`
Use Req.URL.RequestURI() to cope with FCGI urls (#9473) * Use Req.URL.RequestURI() to cope with FCGI urls * Add debug logging statement when forbidden in internal API. 2019-12-24 00:11:12 +00:00			`"code.gitea.io/gitea/modules/log"`
Batch hook pre- and post-receive calls (#8602) * make notifyWatchers work on multiple actions * more efficient multiple notifyWatchers * Make CommitRepoAction take advantage of multiple actions * Batch post and pre-receive results * Set batch to 30 * Auto adjust timeout & add logging * adjust processing message * Add some messages to pre-receive * Make any non-200 status code from pre-receive an error * Add missing hookPrintResults * Remove shortcut for single action * mistaken merge fix * oops * Move master branch to the front * If repo was empty and the master branch is pushed ensure that that is set as the default branch * fixup * fixup * Missed HookOptions in setdefaultbranch * Batch PushUpdateAddTag and PushUpdateDelTag Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2019-12-26 11:29:45 +00:00			`"code.gitea.io/gitea/modules/private"`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`"code.gitea.io/gitea/modules/setting"`
Drop db operations from hook commands (#1514) * move all database operations from hook command to web command and instead of internal routes * bug fixed * adjust the import path sequences * remove unused return value on hookSetup 2017-05-04 05:42:02 +00:00
Batch hook pre- and post-receive calls (#8602) * make notifyWatchers work on multiple actions * more efficient multiple notifyWatchers * Make CommitRepoAction take advantage of multiple actions * Batch post and pre-receive results * Set batch to 30 * Auto adjust timeout & add logging * adjust processing message * Add some messages to pre-receive * Make any non-200 status code from pre-receive an error * Add missing hookPrintResults * Remove shortcut for single action * mistaken merge fix * oops * Move master branch to the front * If repo was empty and the master branch is pushed ensure that that is set as the default branch * fixup * fixup * Missed HookOptions in setdefaultbranch * Batch PushUpdateAddTag and PushUpdateDelTag Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2019-12-26 11:29:45 +00:00			`"gitea.com/macaron/binding"`
Use gitea forked macaron (#7933) Signed-off-by: Tamal Saha <tamal@appscode.com> 2019-08-23 16:40:30 +00:00			`"gitea.com/macaron/macaron"`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`)`

			`// CheckInternalToken check internal token is set`
			`func CheckInternalToken(ctx *macaron.Context) {`
			`tokens := ctx.Req.Header.Get("Authorization")`
			`fields := strings.Fields(tokens)`
			`if len(fields) != 2 \|\| fields[0] != "Bearer" \|\| fields[1] != setting.InternalToken {`
Use Req.URL.RequestURI() to cope with FCGI urls (#9473) * Use Req.URL.RequestURI() to cope with FCGI urls * Add debug logging statement when forbidden in internal API. 2019-12-24 00:11:12 +00:00			`log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`ctx.Error(403)`
			`}`
			`}`

Make gitea serv use api/internal (#4886) * Start to move to internal/private * Add GetPublicKeyByID * Add HasDeployKey * Add private.UpdateDeployKeyUpdated * Add private.GetUserByKeyID * Add private.AccessLevel * Add private.CheckUnitUser * Fix mistakes I made * Some cleaning + moving code to separate files * Fix error handling * Remove useless error handling for setup * lint: fix comment on exported func * fix copyright header * Fix order of args 2018-10-30 06:20:13 +00:00			`//GetRepositoryByOwnerAndName chainload to models.GetRepositoryByOwnerAndName`
			`func GetRepositoryByOwnerAndName(ctx *macaron.Context) {`
			`//TODO use repo.Get(ctx *context.APIContext) ?`
			`ownerName := ctx.Params(":owner")`
			`repoName := ctx.Params(":repo")`
			`repo, err := models.GetRepositoryByOwnerAndName(ownerName, repoName)`
			`if err != nil {`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`ctx.JSON(500, map[string]interface{}{`
			`"err": err.Error(),`
			`})`
			`return`
			`}`
Make gitea serv use api/internal (#4886) * Start to move to internal/private * Add GetPublicKeyByID * Add HasDeployKey * Add private.UpdateDeployKeyUpdated * Add private.GetUserByKeyID * Add private.AccessLevel * Add private.CheckUnitUser * Fix mistakes I made * Some cleaning + moving code to separate files * Fix error handling * Remove useless error handling for setup * lint: fix comment on exported func * fix copyright header * Fix order of args 2018-10-30 06:20:13 +00:00			`ctx.JSON(200, repo)`
			`}`

Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check 2018-11-28 11:26:14 +00:00			`//CheckUnitUser chainload to models.CheckUnitUser`
			`func CheckUnitUser(ctx *macaron.Context) {`
Make gitea serv use api/internal (#4886) * Start to move to internal/private * Add GetPublicKeyByID * Add HasDeployKey * Add private.UpdateDeployKeyUpdated * Add private.GetUserByKeyID * Add private.AccessLevel * Add private.CheckUnitUser * Fix mistakes I made * Some cleaning + moving code to separate files * Fix error handling * Remove useless error handling for setup * lint: fix comment on exported func * fix copyright header * Fix order of args 2018-10-30 06:20:13 +00:00			`repoID := ctx.ParamsInt64(":repoid")`
			`userID := ctx.ParamsInt64(":userid")`
			`repo, err := models.GetRepositoryByID(repoID)`
			`if err != nil {`
			`ctx.JSON(500, map[string]interface{}{`
			`"err": err.Error(),`
			`})`
			`return`
			`}`
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check 2018-11-28 11:26:14 +00:00
			`var user *models.User`
			`if userID > 0 {`
			`user, err = models.GetUserByID(userID)`
			`if err != nil {`
			`ctx.JSON(500, map[string]interface{}{`
			`"err": err.Error(),`
			`})`
			`return`
			`}`
Make gitea serv use api/internal (#4886) * Start to move to internal/private * Add GetPublicKeyByID * Add HasDeployKey * Add private.UpdateDeployKeyUpdated * Add private.GetUserByKeyID * Add private.AccessLevel * Add private.CheckUnitUser * Fix mistakes I made * Some cleaning + moving code to separate files * Fix error handling * Remove useless error handling for setup * lint: fix comment on exported func * fix copyright header * Fix order of args 2018-10-30 06:20:13 +00:00			`}`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check 2018-11-28 11:26:14 +00:00			`perm, err := models.GetUserRepoPermission(repo, user)`
Make gitea serv use api/internal (#4886) * Start to move to internal/private * Add GetPublicKeyByID * Add HasDeployKey * Add private.UpdateDeployKeyUpdated * Add private.GetUserByKeyID * Add private.AccessLevel * Add private.CheckUnitUser * Fix mistakes I made * Some cleaning + moving code to separate files * Fix error handling * Remove useless error handling for setup * lint: fix comment on exported func * fix copyright header * Fix order of args 2018-10-30 06:20:13 +00:00			`if err != nil {`
			`ctx.JSON(500, map[string]interface{}{`
			`"err": err.Error(),`
			`})`
			`return`
			`}`
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check 2018-11-28 11:26:14 +00:00
			`ctx.JSON(200, perm.UnitAccessMode(models.UnitType(ctx.QueryInt("unitType"))))`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`}`

			`// RegisterRoutes registers all internal APIs routes to web application.`
			// These APIs will be invoked by internal commands for example `gitea serv` and etc.
			`func RegisterRoutes(m *macaron.Macaron) {`
Batch hook pre- and post-receive calls (#8602) * make notifyWatchers work on multiple actions * more efficient multiple notifyWatchers * Make CommitRepoAction take advantage of multiple actions * Batch post and pre-receive results * Set batch to 30 * Auto adjust timeout & add logging * adjust processing message * Add some messages to pre-receive * Make any non-200 status code from pre-receive an error * Add missing hookPrintResults * Remove shortcut for single action * mistaken merge fix * oops * Move master branch to the front * If repo was empty and the master branch is pushed ensure that that is set as the default branch * fixup * fixup * Missed HookOptions in setdefaultbranch * Batch PushUpdateAddTag and PushUpdateDelTag Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2019-12-26 11:29:45 +00:00			`bind := binding.Bind`

Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`m.Group("/", func() {`
AuthorizedKeysCommand should not query db directly (#9371) * AuthorizedKeysCommand should not query db directly * Update routers/private/internal.go * Fix import order 2019-12-17 01:49:07 +00:00			`m.Post("/ssh/authorized_keys", AuthorizedPublicKeyByContent)`
Move serv hook functionality & drop GitLogger (#6993) * Move hook functionality internally * Internalise serv logic * Remove old internal paths * finally remove the gitlogger * Disallow push on archived repositories * fix lint error * Update modules/private/key.go * Update routers/private/hook.go * Update routers/private/hook.go * Update routers/private/hook.go * Updated routers/private/serv.go * Fix LFS Locks over SSH * rev-list needs to be run by the hook process * fixup * Improve git test * Ensure that the lfs files are created with a different prefix * Reduce the replication in git_test.go * slight refactor * Remove unnecessary "/" * Restore ensureAnonymousClone * Restore ensureAnonymousClone * Run rev-list on server side * Try passing in the alternative directories instead * Mark test as skipped * Improve git test * Ensure that the lfs files are created with a different prefix * Reduce the replication in git_test.go * Remove unnecessary "/" 2019-06-01 15:00:21 +00:00			`m.Post("/ssh/:id/update/:repoid", UpdatePublicKeyInRepo)`
Batch hook pre- and post-receive calls (#8602) * make notifyWatchers work on multiple actions * more efficient multiple notifyWatchers * Make CommitRepoAction take advantage of multiple actions * Batch post and pre-receive results * Set batch to 30 * Auto adjust timeout & add logging * adjust processing message * Add some messages to pre-receive * Make any non-200 status code from pre-receive an error * Add missing hookPrintResults * Remove shortcut for single action * mistaken merge fix * oops * Move master branch to the front * If repo was empty and the master branch is pushed ensure that that is set as the default branch * fixup * fixup * Missed HookOptions in setdefaultbranch * Batch PushUpdateAddTag and PushUpdateDelTag Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> 2019-12-26 11:29:45 +00:00			`m.Post("/hook/pre-receive/:owner/:repo", bind(private.HookOptions{}), HookPreReceive)`
			`m.Post("/hook/post-receive/:owner/:repo", bind(private.HookOptions{}), HookPostReceive)`
			`m.Post("/hook/set-default-branch/:owner/:repo/:branch", SetDefaultBranch)`
Move serv hook functionality & drop GitLogger (#6993) * Move hook functionality internally * Internalise serv logic * Remove old internal paths * finally remove the gitlogger * Disallow push on archived repositories * fix lint error * Update modules/private/key.go * Update routers/private/hook.go * Update routers/private/hook.go * Update routers/private/hook.go * Updated routers/private/serv.go * Fix LFS Locks over SSH * rev-list needs to be run by the hook process * fixup * Improve git test * Ensure that the lfs files are created with a different prefix * Reduce the replication in git_test.go * slight refactor * Remove unnecessary "/" * Restore ensureAnonymousClone * Restore ensureAnonymousClone * Run rev-list on server side * Try passing in the alternative directories instead * Mark test as skipped * Improve git test * Ensure that the lfs files are created with a different prefix * Reduce the replication in git_test.go * Remove unnecessary "/" 2019-06-01 15:00:21 +00:00			`m.Get("/serv/none/:keyid", ServNoCommand)`
			`m.Get("/serv/command/:keyid/:owner/:repo", ServCommand)`
Add internal routes for ssh hook comands (#1471) * add internal routes for ssh hook comands * fix lint * add comment on why package named private not internal but the route name is internal * add comment above package private why package named private not internal but the route name is internal * remove exp time on internal access * move routes from /internal to /api/internal * add comment and defer on UpdatePublicKeyUpdated 2017-04-19 03:45:01 +00:00			`}, CheckInternalToken)`
			`}`