push + pull now works with reverse proxy + basic auth on apache 2.4

tokarchuk/v1.17
Gogs 8 years ago committed by Kim "BKC" Carlbäcker
parent 937b4b5aa1
commit 37eec6c9b7
  1. 137
      routers/repo/http.go

@ -83,85 +83,98 @@ func HTTP(ctx *context.Context) {
// check access // check access
if askAuth { if askAuth {
authHead := ctx.Req.Header.Get("Authorization") if setting.Service.EnableReverseProxyAuth {
if len(authHead) == 0 { authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"") if len(authUsername) == 0 {
ctx.Error(http.StatusUnauthorized) ctx.HandleText(401, "reverse proxy login error. authUsername empty")
return
}
auths := strings.Fields(authHead)
// currently check basic auth
// TODO: support digit auth
// FIXME: middlewares/context.go did basic auth check already,
// maybe could use that one.
if len(auths) != 2 || auths[0] != "Basic" {
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
return
}
authUsername, authPasswd, err = base.BasicAuthDecode(auths[1])
if err != nil {
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
return
}
authUser, err = models.UserSignIn(authUsername, authPasswd)
if err != nil {
if !models.IsErrUserNotExist(err) {
ctx.Handle(http.StatusInternalServerError, "UserSignIn error: %v", err)
return return
} }
authUser, err = models.GetUserByName(authUsername)
// Assume username now is a token.
token, err := models.GetAccessTokenBySHA(authUsername)
if err != nil { if err != nil {
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) { ctx.HandleText(401, "reverse proxy login error, got error while running GetUserByName")
ctx.HandleText(http.StatusUnauthorized, "invalid token") return
} else { }
ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySha", err) }else{
} authHead := ctx.Req.Header.Get("Authorization")
if len(authHead) == 0 {
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")
ctx.Error(http.StatusUnauthorized)
return return
} }
token.Updated = time.Now()
if err = models.UpdateAccessToken(token); err != nil { auths := strings.Fields(authHead)
ctx.Handle(http.StatusInternalServerError, "UpdateAccessToken", err) // currently check basic auth
// TODO: support digit auth
// FIXME: middlewares/context.go did basic auth check already,
// maybe could use that one.
if len(auths) != 2 || auths[0] != "Basic" {
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
return
} }
authUser, err = models.GetUserByID(token.UID) authUsername, authPasswd, err = base.BasicAuthDecode(auths[1])
if err != nil { if err != nil {
ctx.Handle(http.StatusInternalServerError, "GetUserByID", err) ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
return return
} }
}
if !isPublicPull { authUser, err = models.UserSignIn(authUsername, authPasswd)
var tp = models.AccessModeWrite if err != nil {
if isPull { if !models.IsErrUserNotExist(err) {
tp = models.AccessModeRead ctx.Handle(http.StatusInternalServerError, "UserSignIn error: %v", err)
return
}
// Assume username now is a token.
token, err := models.GetAccessTokenBySHA(authUsername)
if err != nil {
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
ctx.HandleText(http.StatusUnauthorized, "invalid token")
} else {
ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySha", err)
}
return
}
token.Updated = time.Now()
if err = models.UpdateAccessToken(token); err != nil {
ctx.Handle(http.StatusInternalServerError, "UpdateAccessToken", err)
}
authUser, err = models.GetUserByID(token.UID)
if err != nil {
ctx.Handle(http.StatusInternalServerError, "GetUserByID", err)
return
}
} }
has, err := models.HasAccess(authUser, repo, tp) if !isPublicPull {
if err != nil { var tp = models.AccessModeWrite
ctx.Handle(http.StatusInternalServerError, "HasAccess", err) if isPull {
return tp = models.AccessModeRead
} else if !has { }
if tp == models.AccessModeRead {
has, err = models.HasAccess(authUser, repo, models.AccessModeWrite) has, err := models.HasAccess(authUser, repo, tp)
if err != nil { if err != nil {
ctx.Handle(http.StatusInternalServerError, "HasAccess2", err) ctx.Handle(http.StatusInternalServerError, "HasAccess", err)
return return
} else if !has { } else if !has {
if tp == models.AccessModeRead {
has, err = models.HasAccess(authUser, repo, models.AccessModeWrite)
if err != nil {
ctx.Handle(http.StatusInternalServerError, "HasAccess2", err)
return
} else if !has {
ctx.HandleText(http.StatusForbidden, "User permission denied")
return
}
} else {
ctx.HandleText(http.StatusForbidden, "User permission denied") ctx.HandleText(http.StatusForbidden, "User permission denied")
return return
} }
} else {
ctx.HandleText(http.StatusForbidden, "User permission denied")
return
} }
}
if !isPull && repo.IsMirror { if !isPull && repo.IsMirror {
ctx.HandleText(http.StatusForbidden, "mirror repository is read-only") ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
return return
}
} }
} }
} }

Loading…
Cancel
Save