Gitblit devel
view | history | commit | commitdiff
James Moger
2011-10-02 f762b160efd5cafd919a6fd7f9587f578eceb454
commit | author | age
8c9a20 1 /*
JM 2  * Copyright 2011 gitblit.com.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 package com.gitblit;
17
18 import java.text.MessageFormat;
19
20 import com.gitblit.Constants.AccessRestrictionType;
21 import com.gitblit.models.RepositoryModel;
22 import com.gitblit.models.UserModel;
23 import com.gitblit.utils.StringUtils;
24
892570 25 /**
JM 26  * The GitFilter is an AccessRestrictionFilter which ensures that Git client
27  * requests for push, clone, or view restricted repositories are authenticated
28  * and authorized.
29  * 
30  * @author James Moger
31  * 
32  */
8c9a20 33 public class GitFilter extends AccessRestrictionFilter {
JM 34
35     protected final String gitReceivePack = "/git-receive-pack";
36
37     protected final String gitUploadPack = "/git-upload-pack";
38
39     protected final String[] suffixes = { gitReceivePack, gitUploadPack, "/info/refs", "/HEAD",
40             "/objects" };
41
892570 42     /**
JM 43      * Extract the repository name from the url.
44      * 
45      * @param url
46      * @return repository name
47      */
8c9a20 48     @Override
JM 49     protected String extractRepositoryName(String url) {
50         String repository = url;
892570 51         // get the repository name from the url by finding a known url suffix
8c9a20 52         for (String urlSuffix : suffixes) {
JM 53             if (repository.indexOf(urlSuffix) > -1) {
54                 repository = repository.substring(0, repository.indexOf(urlSuffix));
55             }
56         }
57         return repository;
58     }
59
892570 60     /**
JM 61      * Analyze the url and returns the action of the request. Return values are
62      * either "/git-receive-pack" or "/git-upload-pack".
63      * 
831469 64      * @param serverUrl
892570 65      * @return action of the request
JM 66      */
8c9a20 67     @Override
892570 68     protected String getUrlRequestAction(String suffix) {
8c9a20 69         if (!StringUtils.isEmpty(suffix)) {
JM 70             if (suffix.startsWith(gitReceivePack)) {
71                 return gitReceivePack;
72             } else if (suffix.startsWith(gitUploadPack)) {
73                 return gitUploadPack;
74             } else if (suffix.contains("?service=git-receive-pack")) {
75                 return gitReceivePack;
76             } else if (suffix.contains("?service=git-upload-pack")) {
77                 return gitUploadPack;
78             }
79         }
80         return null;
81     }
82
892570 83     /**
JM 84      * Determine if the repository requires authentication.
85      * 
86      * @param repository
87      * @return true if authentication required
88      */
8c9a20 89     @Override
JM 90     protected boolean requiresAuthentication(RepositoryModel repository) {
91         return repository.accessRestriction.atLeast(AccessRestrictionType.PUSH);
92     }
93
892570 94     /**
JM 95      * Determine if the user can access the repository and perform the specified
96      * action.
97      * 
98      * @param repository
99      * @param user
100      * @param action
101      * @return true if user may execute the action on the repository
102      */
8c9a20 103     @Override
892570 104     protected boolean canAccess(RepositoryModel repository, UserModel user, String action) {
5450d0 105         if (!GitBlit.getBoolean(Keys.git.enableGitServlet, true)) {
JM 106             // Git Servlet disabled
107             return false;
108         }
831469 109         boolean readOnly = repository.isFrozen;
JM 110         if (readOnly || repository.accessRestriction.atLeast(AccessRestrictionType.PUSH)) {
8c9a20 111             boolean authorizedUser = user.canAccessRepository(repository.name);
892570 112             if (action.equals(gitReceivePack)) {
8c9a20 113                 // Push request
831469 114                 if (!readOnly && authorizedUser) {
8c9a20 115                     // clone-restricted or push-authorized
JM 116                     return true;
117                 } else {
118                     // user is unauthorized to push to this repository
119                     logger.warn(MessageFormat.format("user {0} is not authorized to push to {1}",
120                             user.username, repository));
121                     return false;
122                 }
892570 123             } else if (action.equals(gitUploadPack)) {
8c9a20 124                 // Clone request
JM 125                 boolean cloneRestricted = repository.accessRestriction
126                         .atLeast(AccessRestrictionType.CLONE);
127                 if (!cloneRestricted || (cloneRestricted && authorizedUser)) {
128                     // push-restricted or clone-authorized
129                     return true;
130                 } else {
131                     // user is unauthorized to clone this repository
132                     logger.warn(MessageFormat.format("user {0} is not authorized to clone {1}",
133                             user.username, repository));
134                     return false;
135                 }
136             }
137         }
138         return true;
139     }
140 }