--- /dev/null
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
+package githttpd
+
+import (
+ "errors"
+ "log"
+ "net/http"
+ "os"
+ "regexp"
+ "strings"
+ "time"
+
+ "git.arvados.org/arvados.git/sdk/go/arvados"
+ "git.arvados.org/arvados.git/sdk/go/arvadosclient"
+ "git.arvados.org/arvados.git/sdk/go/auth"
+ "git.arvados.org/arvados.git/sdk/go/httpserver"
+ "github.com/sirupsen/logrus"
+)
+
+type authHandler struct {
+ handler http.Handler
+ clientPool *arvadosclient.ClientPool
+ cluster *arvados.Cluster
+}
+
+func (h *authHandler) CheckHealth() error {
+ return nil
+}
+
+func (h *authHandler) Done() <-chan struct{} {
+ return nil
+}
+
+func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
+ var statusCode int
+ var statusText string
+ var apiToken string
+
+ w := httpserver.WrapResponseWriter(wOrig)
+
+ if r.Method == "OPTIONS" {
+ method := r.Header.Get("Access-Control-Request-Method")
+ if method != "GET" && method != "POST" {
+ w.WriteHeader(http.StatusMethodNotAllowed)
+ return
+ }
+ w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ w.Header().Set("Access-Control-Max-Age", "86400")
+ w.WriteHeader(http.StatusOK)
+ return
+ }
+
+ if r.Header.Get("Origin") != "" {
+ // Allow simple cross-origin requests without user
+ // credentials ("user credentials" as defined by CORS,
+ // i.e., cookies, HTTP authentication, and client-side
+ // SSL certificates. See
+ // http://www.w3.org/TR/cors/#user-credentials).
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ }
+
+ defer func() {
+ if w.WroteStatus() == 0 {
+ // Nobody has called WriteHeader yet: that
+ // must be our job.
+ w.WriteHeader(statusCode)
+ if statusCode >= 400 {
+ w.Write([]byte(statusText))
+ }
+ }
+ }()
+
+ creds := auth.CredentialsFromRequest(r)
+ if len(creds.Tokens) == 0 {
+ statusCode, statusText = http.StatusUnauthorized, "no credentials provided"
+ w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"")
+ return
+ }
+ apiToken = creds.Tokens[0]
+
+ // Access to paths "/foo/bar.git/*" and "/foo/bar/.git/*" are
+ // protected by the permissions on the repository named
+ // "foo/bar".
+ pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2)
+ if len(pathParts) != 2 {
+ statusCode, statusText = http.StatusNotFound, "not found"
+ return
+ }
+ repoName := pathParts[0]
+ repoName = strings.TrimRight(repoName, "/")
+ httpserver.SetResponseLogFields(r.Context(), logrus.Fields{
+ "repoName": repoName,
+ })
+
+ arv := h.clientPool.Get()
+ if arv == nil {
+ statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+h.clientPool.Err().Error()
+ return
+ }
+ defer h.clientPool.Put(arv)
+
+ // Log the UUID if the supplied token is a v2 token, otherwise
+ // just the last five characters.
+ httpserver.SetResponseLogFields(r.Context(), logrus.Fields{
+ "tokenUUID": func() string {
+ if strings.HasPrefix(apiToken, "v2/") && strings.IndexRune(apiToken[3:], '/') == 27 {
+ // UUID part of v2 token
+ return apiToken[3:30]
+ } else if len(apiToken) > 5 {
+ return "[...]" + apiToken[len(apiToken)-5:]
+ } else {
+ return apiToken
+ }
+ }(),
+ })
+
+ // Ask API server whether the repository is readable using
+ // this token (by trying to read it!)
+ arv.ApiToken = apiToken
+ repoUUID, err := h.lookupRepo(arv, repoName)
+ if err != nil {
+ statusCode, statusText = http.StatusInternalServerError, err.Error()
+ return
+ }
+ if repoUUID == "" {
+ statusCode, statusText = http.StatusNotFound, "not found"
+ return
+ }
+
+ isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack")
+ if !isWrite {
+ statusText = "read"
+ } else {
+ err := arv.Update("repositories", repoUUID, arvadosclient.Dict{
+ "repository": arvadosclient.Dict{
+ "modified_at": time.Now().String(),
+ },
+ }, &arvadosclient.Dict{})
+ if err != nil {
+ statusCode, statusText = http.StatusForbidden, err.Error()
+ return
+ }
+ statusText = "write"
+ }
+
+ // Regardless of whether the client asked for "/foo.git" or
+ // "/foo/.git", we choose whichever variant exists in our repo
+ // root, and we try {uuid}.git and {uuid}/.git first. If none
+ // of these exist, we 404 even though the API told us the repo
+ // _should_ exist (presumably this means the repo was just
+ // created, and gitolite sync hasn't run yet).
+ rewrittenPath := ""
+ tryDirs := []string{
+ "/" + repoUUID + ".git",
+ "/" + repoUUID + "/.git",
+ "/" + repoName + ".git",
+ "/" + repoName + "/.git",
+ }
+ for _, dir := range tryDirs {
+ if fileInfo, err := os.Stat(h.cluster.Git.Repositories + dir); err != nil {
+ if !os.IsNotExist(err) {
+ statusCode, statusText = http.StatusInternalServerError, err.Error()
+ return
+ }
+ } else if fileInfo.IsDir() {
+ rewrittenPath = dir + "/" + pathParts[1]
+ break
+ }
+ }
+ if rewrittenPath == "" {
+ log.Println("WARNING:", repoUUID,
+ "git directory not found in", h.cluster.Git.Repositories, tryDirs)
+ // We say "content not found" to disambiguate from the
+ // earlier "API says that repo does not exist" error.
+ statusCode, statusText = http.StatusNotFound, "content not found"
+ return
+ }
+ r.URL.Path = rewrittenPath
+
+ h.handler.ServeHTTP(w, r)
+}
+
+var uuidRegexp = regexp.MustCompile(`^[0-9a-z]{5}-s0uqq-[0-9a-z]{15}$`)
+
+func (h *authHandler) lookupRepo(arv *arvadosclient.ArvadosClient, repoName string) (string, error) {
+ reposFound := arvadosclient.Dict{}
+ var column string
+ if uuidRegexp.MatchString(repoName) {
+ column = "uuid"
+ } else {
+ column = "name"
+ }
+ err := arv.List("repositories", arvadosclient.Dict{
+ "filters": [][]string{{column, "=", repoName}},
+ }, &reposFound)
+ if err != nil {
+ return "", err
+ } else if avail, ok := reposFound["items_available"].(float64); !ok {
+ return "", errors.New("bad list response from API")
+ } else if avail < 1 {
+ return "", nil
+ } else if avail > 1 {
+ return "", errors.New("name collision")
+ }
+ return reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string), nil
+}