|
|
@ -83,85 +83,98 @@ func HTTP(ctx *context.Context) { |
|
|
|
|
|
|
|
|
|
|
|
// check access
|
|
|
|
// check access
|
|
|
|
if askAuth { |
|
|
|
if askAuth { |
|
|
|
authHead := ctx.Req.Header.Get("Authorization") |
|
|
|
if setting.Service.EnableReverseProxyAuth { |
|
|
|
if len(authHead) == 0 { |
|
|
|
authUsername = ctx.Req.Header.Get(setting.ReverseProxyAuthUser) |
|
|
|
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"") |
|
|
|
if len(authUsername) == 0 { |
|
|
|
ctx.Error(http.StatusUnauthorized) |
|
|
|
ctx.HandleText(401, "reverse proxy login error. authUsername empty") |
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
auths := strings.Fields(authHead) |
|
|
|
|
|
|
|
// currently check basic auth
|
|
|
|
|
|
|
|
// TODO: support digit auth
|
|
|
|
|
|
|
|
// FIXME: middlewares/context.go did basic auth check already,
|
|
|
|
|
|
|
|
// maybe could use that one.
|
|
|
|
|
|
|
|
if len(auths) != 2 || auths[0] != "Basic" { |
|
|
|
|
|
|
|
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth") |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
authUsername, authPasswd, err = base.BasicAuthDecode(auths[1]) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth") |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
authUser, err = models.UserSignIn(authUsername, authPasswd) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
if !models.IsErrUserNotExist(err) { |
|
|
|
|
|
|
|
ctx.Handle(http.StatusInternalServerError, "UserSignIn error: %v", err) |
|
|
|
|
|
|
|
return |
|
|
|
return |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
authUser, err = models.GetUserByName(authUsername) |
|
|
|
// Assume username now is a token.
|
|
|
|
|
|
|
|
token, err := models.GetAccessTokenBySHA(authUsername) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) { |
|
|
|
ctx.HandleText(401, "reverse proxy login error, got error while running GetUserByName") |
|
|
|
ctx.HandleText(http.StatusUnauthorized, "invalid token") |
|
|
|
return |
|
|
|
} else { |
|
|
|
} |
|
|
|
ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySha", err) |
|
|
|
}else{ |
|
|
|
} |
|
|
|
authHead := ctx.Req.Header.Get("Authorization") |
|
|
|
|
|
|
|
if len(authHead) == 0 { |
|
|
|
|
|
|
|
ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"") |
|
|
|
|
|
|
|
ctx.Error(http.StatusUnauthorized) |
|
|
|
return |
|
|
|
return |
|
|
|
} |
|
|
|
} |
|
|
|
token.Updated = time.Now() |
|
|
|
|
|
|
|
if err = models.UpdateAccessToken(token); err != nil { |
|
|
|
auths := strings.Fields(authHead) |
|
|
|
ctx.Handle(http.StatusInternalServerError, "UpdateAccessToken", err) |
|
|
|
// currently check basic auth
|
|
|
|
|
|
|
|
// TODO: support digit auth
|
|
|
|
|
|
|
|
// FIXME: middlewares/context.go did basic auth check already,
|
|
|
|
|
|
|
|
// maybe could use that one.
|
|
|
|
|
|
|
|
if len(auths) != 2 || auths[0] != "Basic" { |
|
|
|
|
|
|
|
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth") |
|
|
|
|
|
|
|
return |
|
|
|
} |
|
|
|
} |
|
|
|
authUser, err = models.GetUserByID(token.UID) |
|
|
|
authUsername, authPasswd, err = base.BasicAuthDecode(auths[1]) |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
ctx.Handle(http.StatusInternalServerError, "GetUserByID", err) |
|
|
|
ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth") |
|
|
|
return |
|
|
|
return |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if !isPublicPull { |
|
|
|
authUser, err = models.UserSignIn(authUsername, authPasswd) |
|
|
|
var tp = models.AccessModeWrite |
|
|
|
if err != nil { |
|
|
|
if isPull { |
|
|
|
if !models.IsErrUserNotExist(err) { |
|
|
|
tp = models.AccessModeRead |
|
|
|
ctx.Handle(http.StatusInternalServerError, "UserSignIn error: %v", err) |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Assume username now is a token.
|
|
|
|
|
|
|
|
token, err := models.GetAccessTokenBySHA(authUsername) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) { |
|
|
|
|
|
|
|
ctx.HandleText(http.StatusUnauthorized, "invalid token") |
|
|
|
|
|
|
|
} else { |
|
|
|
|
|
|
|
ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySha", err) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
token.Updated = time.Now() |
|
|
|
|
|
|
|
if err = models.UpdateAccessToken(token); err != nil { |
|
|
|
|
|
|
|
ctx.Handle(http.StatusInternalServerError, "UpdateAccessToken", err) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
authUser, err = models.GetUserByID(token.UID) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
ctx.Handle(http.StatusInternalServerError, "GetUserByID", err) |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
has, err := models.HasAccess(authUser, repo, tp) |
|
|
|
if !isPublicPull { |
|
|
|
if err != nil { |
|
|
|
var tp = models.AccessModeWrite |
|
|
|
ctx.Handle(http.StatusInternalServerError, "HasAccess", err) |
|
|
|
if isPull { |
|
|
|
return |
|
|
|
tp = models.AccessModeRead |
|
|
|
} else if !has { |
|
|
|
} |
|
|
|
if tp == models.AccessModeRead { |
|
|
|
|
|
|
|
has, err = models.HasAccess(authUser, repo, models.AccessModeWrite) |
|
|
|
has, err := models.HasAccess(authUser, repo, tp) |
|
|
|
if err != nil { |
|
|
|
if err != nil { |
|
|
|
ctx.Handle(http.StatusInternalServerError, "HasAccess2", err) |
|
|
|
ctx.Handle(http.StatusInternalServerError, "HasAccess", err) |
|
|
|
return |
|
|
|
return |
|
|
|
} else if !has { |
|
|
|
} else if !has { |
|
|
|
|
|
|
|
if tp == models.AccessModeRead { |
|
|
|
|
|
|
|
has, err = models.HasAccess(authUser, repo, models.AccessModeWrite) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
ctx.Handle(http.StatusInternalServerError, "HasAccess2", err) |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} else if !has { |
|
|
|
|
|
|
|
ctx.HandleText(http.StatusForbidden, "User permission denied") |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} else { |
|
|
|
ctx.HandleText(http.StatusForbidden, "User permission denied") |
|
|
|
ctx.HandleText(http.StatusForbidden, "User permission denied") |
|
|
|
return |
|
|
|
return |
|
|
|
} |
|
|
|
} |
|
|
|
} else { |
|
|
|
|
|
|
|
ctx.HandleText(http.StatusForbidden, "User permission denied") |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if !isPull && repo.IsMirror { |
|
|
|
if !isPull && repo.IsMirror { |
|
|
|
ctx.HandleText(http.StatusForbidden, "mirror repository is read-only") |
|
|
|
ctx.HandleText(http.StatusForbidden, "mirror repository is read-only") |
|
|
|
return |
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
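Review bot: The reverse-proxy branch's error handling after `models.GetUserByName(authUsername)` answers every failure with a 401 `reverse proxy login error, got error while running GetUserByName`, including database errors, while the sibling `UserSignIn` branch in the same hunk routes anything other than `models.IsErrUserNotExist(err)` to `ctx.Handle(http.StatusInternalServerError, ...)`; the rewrite below makes the two branches consistent. The same branch takes `ctx.Req.Header.Get(setting.ReverseProxyAuthUser)` as the authenticated identity whenever `setting.Service.EnableReverseProxyAuth` is set, so a comment stating that trust assumption would help the next maintainer, e.g. `// Trusts the user header set by the reverse proxy; valid only while the proxy is the sole ingress and strips any client-supplied copy of this header.` The literal `401` in the two `ctx.HandleText` calls of this branch should be `http.StatusUnauthorized` like the rest of the hunk, and the `}else{` that closes it needs gofmt spacing. HTTP begins before this hunk.
```go
authUser, err = models.GetUserByName(authUsername)
if err != nil {
	if models.IsErrUserNotExist(err) {
		ctx.HandleText(http.StatusUnauthorized, "reverse proxy login error, got error while running GetUserByName")
		return
	}
	ctx.Handle(http.StatusInternalServerError, "GetUserByName", err)
	return
}
// … unchanged: basic-auth / token branch and the HasAccess check …
```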
|
|
|