// Copyright 2019 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. // Package private includes all internal routes. The package name internal is ideal but Golang is not allowed, so we use private as package name instead. package private import ( "fmt" "net/http" "strings" "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/private" "code.gitea.io/gitea/modules/setting" repo_service "code.gitea.io/gitea/services/repository" wiki_service "code.gitea.io/gitea/services/wiki" ) // ServNoCommand returns information about the provided keyid func ServNoCommand(ctx *context.PrivateContext) { keyID := ctx.ParamsInt64(":keyid") if keyID <= 0 { ctx.JSON(http.StatusBadRequest, map[string]interface{}{ "err": fmt.Sprintf("Bad key id: %d", keyID), }) } results := private.KeyAndOwner{} key, err := models.GetPublicKeyByID(keyID) if err != nil { if models.IsErrKeyNotExist(err) { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "err": fmt.Sprintf("Cannot find key: %d", keyID), }) return } log.Error("Unable to get public key: %d Error: %v", keyID, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "err": err.Error(), }) return } results.Key = key if key.Type == models.KeyTypeUser || key.Type == models.KeyTypePrincipal { user, err := models.GetUserByID(key.OwnerID) if err != nil { if models.IsErrUserNotExist(err) { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "err": fmt.Sprintf("Cannot find owner with id: %d for key: %d", key.OwnerID, keyID), }) return } log.Error("Unable to get owner with id: %d for public key: %d Error: %v", key.OwnerID, keyID, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "err": err.Error(), }) return } if !user.IsActive || user.ProhibitLogin { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "err": "Your account is disabled.", }) return } results.Owner = user } ctx.JSON(http.StatusOK, &results) } // ServCommand returns information about the provided keyid func ServCommand(ctx *context.PrivateContext) { keyID := ctx.ParamsInt64(":keyid") ownerName := ctx.Params(":owner") repoName := ctx.Params(":repo") mode := models.AccessMode(ctx.QueryInt("mode")) // Set the basic parts of the results to return results := private.ServCommandResults{ RepoName: repoName, OwnerName: ownerName, KeyID: keyID, } // Now because we're not translating things properly let's just default some English strings here modeString := "read" if mode > models.AccessModeRead { modeString = "write to" } // The default unit we're trying to look at is code unitType := models.UnitTypeCode // Unless we're a wiki... if strings.HasSuffix(repoName, ".wiki") { // in which case we need to look at the wiki unitType = models.UnitTypeWiki // And we'd better munge the reponame and tell downstream we're looking at a wiki results.IsWiki = true results.RepoName = repoName[:len(repoName)-5] } owner, err := models.GetUserByName(results.OwnerName) if err != nil { log.Error("Unable to get repository owner: %s/%s Error: %v", results.OwnerName, results.RepoName, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get repository owner: %s/%s %v", results.OwnerName, results.RepoName, err), }) return } if !owner.IsOrganization() && !owner.IsActive { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "results": results, "type": "ForbiddenError", "err": "Repository cannot be accessed, you could retry it later", }) return } // Now get the Repository and set the results section repoExist := true repo, err := models.GetRepositoryByName(owner.ID, results.RepoName) if err != nil { if models.IsErrRepoNotExist(err) { repoExist = false for _, verb := range ctx.QueryStrings("verb") { if "git-upload-pack" == verb { // User is fetching/cloning a non-existent repository log.Error("Failed authentication attempt (cannot find repository: %s/%s) from %s", results.OwnerName, results.RepoName, ctx.RemoteAddr()) ctx.JSON(http.StatusNotFound, map[string]interface{}{ "results": results, "type": "ErrRepoNotExist", "err": fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName), }) return } } } else { log.Error("Unable to get repository: %s/%s Error: %v", results.OwnerName, results.RepoName, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get repository: %s/%s %v", results.OwnerName, results.RepoName, err), }) return } } if repoExist { repo.Owner = owner repo.OwnerName = ownerName results.RepoID = repo.ID if repo.IsBeingCreated() { ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": "Repository is being created, you could retry after it finished", }) return } // We can shortcut at this point if the repo is a mirror if mode > models.AccessModeRead && repo.IsMirror { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrMirrorReadOnly", "err": fmt.Sprintf("Mirror Repository %s/%s is read-only", results.OwnerName, results.RepoName), }) return } } // Get the Public Key represented by the keyID key, err := models.GetPublicKeyByID(keyID) if err != nil { if models.IsErrKeyNotExist(err) { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrKeyNotExist", "err": fmt.Sprintf("Cannot find key: %d", keyID), }) return } log.Error("Unable to get public key: %d Error: %v", keyID, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get key: %d Error: %v", keyID, err), }) return } results.KeyName = key.Name results.KeyID = key.ID results.UserID = key.OwnerID // If repo doesn't exist, deploy key doesn't make sense if !repoExist && key.Type == models.KeyTypeDeploy { ctx.JSON(http.StatusNotFound, map[string]interface{}{ "results": results, "type": "ErrRepoNotExist", "err": fmt.Sprintf("Cannot find repository %s/%s", results.OwnerName, results.RepoName), }) return } // Deploy Keys have ownerID set to 0 therefore we can't use the owner // So now we need to check if the key is a deploy key // We'll keep hold of the deploy key here for permissions checking var deployKey *models.DeployKey var user *models.User if key.Type == models.KeyTypeDeploy { results.IsDeployKey = true var err error deployKey, err = models.GetDeployKeyByRepo(key.ID, repo.ID) if err != nil { if models.IsErrDeployKeyNotExist(err) { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrDeployKeyNotExist", "err": fmt.Sprintf("Public (Deploy) Key: %d:%s is not authorized to %s %s/%s.", key.ID, key.Name, modeString, results.OwnerName, results.RepoName), }) return } log.Error("Unable to get deploy for public (deploy) key: %d in %-v Error: %v", key.ID, repo, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get Deploy Key for Public Key: %d:%s in %s/%s.", key.ID, key.Name, results.OwnerName, results.RepoName), }) return } results.KeyName = deployKey.Name // FIXME: Deploy keys aren't really the owner of the repo pushing changes // however we don't have good way of representing deploy keys in hook.go // so for now use the owner of the repository results.UserName = results.OwnerName results.UserID = repo.OwnerID if !repo.Owner.KeepEmailPrivate { results.UserEmail = repo.Owner.Email } } else { // Get the user represented by the Key var err error user, err = models.GetUserByID(key.OwnerID) if err != nil { if models.IsErrUserNotExist(err) { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrUserNotExist", "err": fmt.Sprintf("Public Key: %d:%s owner %d does not exist.", key.ID, key.Name, key.OwnerID), }) return } log.Error("Unable to get owner: %d for public key: %d:%s Error: %v", key.OwnerID, key.ID, key.Name, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get Owner: %d for Deploy Key: %d:%s in %s/%s.", key.OwnerID, key.ID, key.Name, ownerName, repoName), }) return } if !user.IsActive || user.ProhibitLogin { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "err": "Your account is disabled.", }) return } results.UserName = user.Name if !user.KeepEmailPrivate { results.UserEmail = user.Email } } // Don't allow pushing if the repo is archived if repoExist && mode > models.AccessModeRead && repo.IsArchived { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrRepoIsArchived", "err": fmt.Sprintf("Repo: %s/%s is archived.", results.OwnerName, results.RepoName), }) return } // Permissions checking: if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) { if key.Type == models.KeyTypeDeploy { if deployKey.Mode < mode { ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrUnauthorized", "err": fmt.Sprintf("Deploy Key: %d:%s is not authorized to %s %s/%s.", key.ID, key.Name, modeString, results.OwnerName, results.RepoName), }) return } } else { perm, err := models.GetUserRepoPermission(repo, user) if err != nil { log.Error("Unable to get permissions for %-v with key %d in %-v Error: %v", user, key.ID, repo, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get permissions for user %d:%s with key %d in %s/%s Error: %v", user.ID, user.Name, key.ID, results.OwnerName, results.RepoName, err), }) return } userMode := perm.UnitAccessMode(unitType) if userMode < mode { log.Error("Failed authentication attempt for %s with key %s (not authorized to %s %s/%s) from %s", user.Name, key.Name, modeString, ownerName, repoName, ctx.RemoteAddr()) ctx.JSON(http.StatusUnauthorized, map[string]interface{}{ "results": results, "type": "ErrUnauthorized", "err": fmt.Sprintf("User: %d:%s with Key: %d:%s is not authorized to %s %s/%s.", user.ID, user.Name, key.ID, key.Name, modeString, ownerName, repoName), }) return } } } // We already know we aren't using a deploy key if !repoExist { owner, err := models.GetUserByName(ownerName) if err != nil { ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Unable to get owner: %s %v", results.OwnerName, err), }) return } if owner.IsOrganization() && !setting.Repository.EnablePushCreateOrg { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "results": results, "type": "ErrForbidden", "err": "Push to create is not enabled for organizations.", }) return } if !owner.IsOrganization() && !setting.Repository.EnablePushCreateUser { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "results": results, "type": "ErrForbidden", "err": "Push to create is not enabled for users.", }) return } repo, err = repo_service.PushCreateRepo(user, owner, results.RepoName) if err != nil { log.Error("pushCreateRepo: %v", err) ctx.JSON(http.StatusNotFound, map[string]interface{}{ "results": results, "type": "ErrRepoNotExist", "err": fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName), }) return } results.RepoID = repo.ID } if results.IsWiki { // Ensure the wiki is enabled before we allow access to it if _, err := repo.GetUnit(models.UnitTypeWiki); err != nil { if models.IsErrUnitTypeNotExist(err) { ctx.JSON(http.StatusForbidden, map[string]interface{}{ "results": results, "type": "ErrForbidden", "err": "repository wiki is disabled", }) return } log.Error("Failed to get the wiki unit in %-v Error: %v", repo, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Failed to get the wiki unit in %s/%s Error: %v", ownerName, repoName, err), }) return } // Finally if we're trying to touch the wiki we should init it if err = wiki_service.InitWiki(repo); err != nil { log.Error("Failed to initialize the wiki in %-v Error: %v", repo, err) ctx.JSON(http.StatusInternalServerError, map[string]interface{}{ "results": results, "type": "InternalServerError", "err": fmt.Sprintf("Failed to initialize the wiki in %s/%s Error: %v", ownerName, repoName, err), }) return } } log.Debug("Serv Results:\nIsWiki: %t\nIsDeployKey: %t\nKeyID: %d\tKeyName: %s\nUserName: %s\nUserID: %d\nOwnerName: %s\nRepoName: %s\nRepoID: %d", results.IsWiki, results.IsDeployKey, results.KeyID, results.KeyName, results.UserName, results.UserID, results.OwnerName, results.RepoName, results.RepoID) ctx.JSON(http.StatusOK, results) // We will update the keys in a different call. }