| | |
|---|
| | | import java.text.MessageFormat;
|
|---|
| | |
|
|---|
| | | import com.gitblit.Constants.AccessRestrictionType;
|
|---|
| | | import com.gitblit.Constants.AuthorizationControl;
|
|---|
| | | import com.gitblit.models.RepositoryModel;
|
|---|
| | | import com.gitblit.models.UserModel;
|
|---|
| | | import com.gitblit.utils.StringUtils;
|
|---|
| | |
|---|
| | | */
|
|---|
| | | public class GitFilter extends AccessRestrictionFilter {
|
|---|
| | |
|
|---|
| | | protected final String gitReceivePack = "/git-receive-pack";
|
|---|
| | | protected static final String gitReceivePack = "/git-receive-pack";
|
|---|
| | |
|
|---|
| | | protected final String gitUploadPack = "/git-upload-pack";
|
|---|
| | | protected static final String gitUploadPack = "/git-upload-pack";
|
|---|
| | |
|
|---|
| | | protected final String[] suffixes = { gitReceivePack, gitUploadPack, "/info/refs", "/HEAD",
|
|---|
| | | protected static final String[] suffixes = { gitReceivePack, gitUploadPack, "/info/refs", "/HEAD",
|
|---|
| | | "/objects" };
|
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Extract the repository name from the url.
|
|---|
| | | * |
|---|
| | | * @param url
|
|---|
| | | * @return repository name
|
|---|
| | | */
|
|---|
| | | public static String getRepositoryName(String value) {
|
|---|
| | | String repository = value;
|
|---|
| | | // get the repository name from the url by finding a known url suffix
|
|---|
| | | for (String urlSuffix : suffixes) {
|
|---|
| | | if (repository.indexOf(urlSuffix) > -1) {
|
|---|
| | | repository = repository.substring(0, repository.indexOf(urlSuffix));
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | return repository;
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Extract the repository name from the url.
|
|---|
| | |
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | protected String extractRepositoryName(String url) {
|
|---|
| | | String repository = url;
|
|---|
| | | // get the repository name from the url by finding a known url suffix
|
|---|
| | | for (String urlSuffix : suffixes) {
|
|---|
| | | if (repository.indexOf(urlSuffix) > -1) {
|
|---|
| | | repository = repository.substring(0, repository.indexOf(urlSuffix));
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | return repository;
|
|---|
| | | return GitFilter.getRepositoryName(url);
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | | /**
|
|---|
| | |
|---|
| | | }
|
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Determine if a non-existing repository can be created using this filter.
|
|---|
| | | * |
|---|
| | | * @return true if the server allows repository creation on-push
|
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | protected boolean isCreationAllowed() {
|
|---|
| | | return GitBlit.getBoolean(Keys.git.allowCreateOnPush, true);
|
|---|
| | | }
|
|---|
| | | |
|---|
| | | /**
|
|---|
| | | * Determine if the repository can receive pushes.
|
|---|
| | | *
|
|---|
| | | * @param repository
|
|---|
| | |
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | protected boolean isActionAllowed(RepositoryModel repository, String action) {
|
|---|
| | | if (action.equals(gitReceivePack)) {
|
|---|
| | | // Push request
|
|---|
| | | if (!repository.isBare) {
|
|---|
| | | logger.warn("Gitblit does not allow pushes to repositories with a working copy");
|
|---|
| | | return false;
|
|---|
| | | if (!StringUtils.isEmpty(action)) {
|
|---|
| | | if (action.equals(gitReceivePack)) {
|
|---|
| | | // Push request
|
|---|
| | | if (!repository.isBare) {
|
|---|
| | | logger.warn("Gitblit does not allow pushes to repositories with a working copy");
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | return true;
|
|---|
| | |
|---|
| | | // Git Servlet disabled
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | boolean readOnly = repository.isFrozen; |
|---|
| | | if (readOnly || repository.accessRestriction.atLeast(AccessRestrictionType.PUSH)) {
|
|---|
| | | boolean authorizedUser = user.canAccessRepository(repository);
|
|---|
| | | if (action.equals(gitReceivePack)) {
|
|---|
| | | // Push request
|
|---|
| | | if (!readOnly && authorizedUser) {
|
|---|
| | | // clone-restricted or push-authorized
|
|---|
| | | return true;
|
|---|
| | | } else {
|
|---|
| | | // user is unauthorized to push to this repository
|
|---|
| | | logger.warn(MessageFormat.format("user {0} is not authorized to push to {1}",
|
|---|
| | | user.username, repository));
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | } else if (action.equals(gitUploadPack)) {
|
|---|
| | | // Clone request
|
|---|
| | | boolean cloneRestricted = repository.accessRestriction
|
|---|
| | | .atLeast(AccessRestrictionType.CLONE);
|
|---|
| | | if (!cloneRestricted || (cloneRestricted && authorizedUser)) {
|
|---|
| | | // push-restricted or clone-authorized
|
|---|
| | | return true;
|
|---|
| | | } else {
|
|---|
| | | // user is unauthorized to clone this repository
|
|---|
| | | logger.warn(MessageFormat.format("user {0} is not authorized to clone {1}",
|
|---|
| | | user.username, repository));
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | if (action.equals(gitReceivePack)) {
|
|---|
| | | // Push request
|
|---|
| | | if (user.canPush(repository)) {
|
|---|
| | | return true;
|
|---|
| | | } else {
|
|---|
| | | // user is unauthorized to push to this repository
|
|---|
| | | logger.warn(MessageFormat.format("user {0} is not authorized to push to {1}",
|
|---|
| | | user.username, repository));
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | } else if (action.equals(gitUploadPack)) {
|
|---|
| | | // Clone request
|
|---|
| | | if (user.canClone(repository)) {
|
|---|
| | | return true;
|
|---|
| | | } else {
|
|---|
| | | // user is unauthorized to clone this repository
|
|---|
| | | logger.warn(MessageFormat.format("user {0} is not authorized to clone {1}",
|
|---|
| | | user.username, repository));
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | return true;
|
|---|
| | | }
|
|---|
| | | |
|---|
| | | /**
|
|---|
| | | * An authenticated user with the CREATE role can create a repository on
|
|---|
| | | * push.
|
|---|
| | | * |
|---|
| | | * @param user
|
|---|
| | | * @param repository
|
|---|
| | | * @param action
|
|---|
| | | * @return the repository model, if it is created, null otherwise
|
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | protected RepositoryModel createRepository(UserModel user, String repository, String action) {
|
|---|
| | | boolean isPush = !StringUtils.isEmpty(action) && gitReceivePack.equals(action);
|
|---|
| | | if (isPush) {
|
|---|
| | | if (user.canCreate(repository)) {
|
|---|
| | | // user is pushing to a new repository
|
|---|
| | | // validate name
|
|---|
| | | if (repository.startsWith("../")) {
|
|---|
| | | logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
|
|---|
| | | return null;
|
|---|
| | | }
|
|---|
| | | if (repository.contains("/../")) {
|
|---|
| | | logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
|
|---|
| | | return null;
|
|---|
| | | } |
|---|
| | |
|
|---|
| | | // confirm valid characters in repository name
|
|---|
| | | Character c = StringUtils.findInvalidCharacter(repository);
|
|---|
| | | if (c != null) {
|
|---|
| | | logger.error(MessageFormat.format("Invalid character '{0}' in repository name {1}!", c, repository));
|
|---|
| | | return null;
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | | // create repository
|
|---|
| | | RepositoryModel model = new RepositoryModel();
|
|---|
| | | model.name = repository;
|
|---|
| | | model.owner = user.username;
|
|---|
| | | model.projectPath = StringUtils.getFirstPathElement(repository);
|
|---|
| | | if (model.isUsersPersonalRepository(user.username)) {
|
|---|
| | | // personal repository, default to private for user
|
|---|
| | | model.authorizationControl = AuthorizationControl.NAMED;
|
|---|
| | | model.accessRestriction = AccessRestrictionType.VIEW;
|
|---|
| | | } else {
|
|---|
| | | // common repository, user default server settings
|
|---|
| | | model.authorizationControl = AuthorizationControl.fromName(GitBlit.getString(Keys.git.defaultAuthorizationControl, ""));
|
|---|
| | | model.accessRestriction = AccessRestrictionType.fromName(GitBlit.getString(Keys.git.defaultAccessRestriction, ""));
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | | // create the repository
|
|---|
| | | try {
|
|---|
| | | GitBlit.self().updateRepositoryModel(model.name, model, true);
|
|---|
| | | logger.info(MessageFormat.format("{0} created {1} ON-PUSH", user.username, model.name));
|
|---|
| | | return GitBlit.self().getRepositoryModel(model.name);
|
|---|
| | | } catch (GitBlitException e) {
|
|---|
| | | logger.error(MessageFormat.format("{0} failed to create repository {1} ON-PUSH!", user.username, model.name), e);
|
|---|
| | | }
|
|---|
| | | } else {
|
|---|
| | | logger.warn(MessageFormat.format("{0} is not permitted to create repository {1} ON-PUSH!", user.username, repository));
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | |
|---|
| | | // repository could not be created or action was not a push
|
|---|
| | | return null;
|
|---|
| | | }
|
|---|
| | | }
|
|---|
