| /* |
| * Copyright (C) 2017, Markus Duft <markus.duft@ssi-schaefer.com> and others |
| * |
| * This program and the accompanying materials are made available under the |
| * terms of the Eclipse Distribution License v. 1.0 which is available at |
| * https://www.eclipse.org/org/documents/edl-v10.php. |
| * |
| * SPDX-License-Identifier: BSD-3-Clause |
| */ |
| package org.eclipse.jgit.lfs.internal; |
| |
| import static org.eclipse.jgit.util.HttpSupport.ENCODING_GZIP; |
| import static org.eclipse.jgit.util.HttpSupport.HDR_ACCEPT; |
| import static org.eclipse.jgit.util.HttpSupport.HDR_ACCEPT_ENCODING; |
| import static org.eclipse.jgit.util.HttpSupport.HDR_CONTENT_TYPE; |
| |
| import java.io.IOException; |
| import java.net.ProxySelector; |
| import java.net.URISyntaxException; |
| import java.net.URL; |
| import java.time.LocalDateTime; |
| import java.time.ZoneOffset; |
| import java.time.format.DateTimeFormatter; |
| import java.util.LinkedList; |
| import java.util.Map; |
| import java.util.TreeMap; |
| |
| import org.eclipse.jgit.annotations.NonNull; |
| import org.eclipse.jgit.errors.CommandFailedException; |
| import org.eclipse.jgit.lfs.LfsPointer; |
| import org.eclipse.jgit.lfs.Protocol; |
| import org.eclipse.jgit.lfs.errors.LfsConfigInvalidException; |
| import org.eclipse.jgit.lib.ConfigConstants; |
| import org.eclipse.jgit.lib.Repository; |
| import org.eclipse.jgit.lib.StoredConfig; |
| import org.eclipse.jgit.transport.HttpConfig; |
| import org.eclipse.jgit.transport.HttpTransport; |
| import org.eclipse.jgit.transport.URIish; |
| import org.eclipse.jgit.transport.http.HttpConnection; |
| import org.eclipse.jgit.util.HttpSupport; |
| import org.eclipse.jgit.util.SshSupport; |
| |
| /** |
| * Provides means to get a valid LFS connection for a given repository. |
| */ |
| public class LfsConnectionFactory { |
| |
| private static final int SSH_AUTH_TIMEOUT_SECONDS = 30; |
| private static final String SCHEME_HTTPS = "https"; //$NON-NLS-1$ |
| private static final String SCHEME_SSH = "ssh"; //$NON-NLS-1$ |
| private static final Map<String, AuthCache> sshAuthCache = new TreeMap<>(); |
| |
| /** |
| * Determine URL of LFS server by looking into config parameters lfs.url, |
| * lfs.[remote].url or remote.[remote].url. The LFS server URL is computed |
| * from remote.[remote].url by appending "/info/lfs". In case there is no |
| * URL configured, a SSH remote URI can be used to auto-detect the LFS URI |
| * by using the remote "git-lfs-authenticate" command. |
| * |
| * @param db |
| * the repository to work with |
| * @param method |
| * the method (GET,PUT,...) of the request this connection will |
| * be used for |
| * @param purpose |
| * the action, e.g. Protocol.OPERATION_DOWNLOAD |
| * @return the url for the lfs server. e.g. |
| * "https://github.com/github/git-lfs.git/info/lfs" |
| * @throws IOException |
| */ |
| public static HttpConnection getLfsConnection(Repository db, String method, |
| String purpose) throws IOException { |
| StoredConfig config = db.getConfig(); |
| Map<String, String> additionalHeaders = new TreeMap<>(); |
| String lfsUrl = getLfsUrl(db, purpose, additionalHeaders); |
| URL url = new URL(lfsUrl + Protocol.OBJECTS_LFS_ENDPOINT); |
| HttpConnection connection = HttpTransport.getConnectionFactory().create( |
| url, HttpSupport.proxyFor(ProxySelector.getDefault(), url)); |
| connection.setDoOutput(true); |
| if (url.getProtocol().equals(SCHEME_HTTPS) |
| && !config.getBoolean(HttpConfig.HTTP, |
| HttpConfig.SSL_VERIFY_KEY, true)) { |
| HttpSupport.disableSslVerify(connection); |
| } |
| connection.setRequestMethod(method); |
| connection.setRequestProperty(HDR_ACCEPT, |
| Protocol.CONTENTTYPE_VND_GIT_LFS_JSON); |
| connection.setRequestProperty(HDR_CONTENT_TYPE, |
| Protocol.CONTENTTYPE_VND_GIT_LFS_JSON); |
| additionalHeaders |
| .forEach((k, v) -> connection.setRequestProperty(k, v)); |
| return connection; |
| } |
| |
| private static String getLfsUrl(Repository db, String purpose, |
| Map<String, String> additionalHeaders) |
| throws LfsConfigInvalidException { |
| StoredConfig config = db.getConfig(); |
| String lfsUrl = config.getString(ConfigConstants.CONFIG_SECTION_LFS, |
| null, |
| ConfigConstants.CONFIG_KEY_URL); |
| Exception ex = null; |
| if (lfsUrl == null) { |
| String remoteUrl = null; |
| for (String remote : db.getRemoteNames()) { |
| lfsUrl = config.getString(ConfigConstants.CONFIG_SECTION_LFS, |
| remote, |
| ConfigConstants.CONFIG_KEY_URL); |
| // This could be done better (more precise logic), but according |
| // to https://github.com/git-lfs/git-lfs/issues/1759 git-lfs |
| // generally only supports 'origin' in an integrated workflow. |
| if (lfsUrl == null && (remote.equals( |
| org.eclipse.jgit.lib.Constants.DEFAULT_REMOTE_NAME))) { |
| remoteUrl = config.getString( |
| ConfigConstants.CONFIG_KEY_REMOTE, remote, |
| ConfigConstants.CONFIG_KEY_URL); |
| break; |
| } |
| } |
| if (lfsUrl == null && remoteUrl != null) { |
| try { |
| lfsUrl = discoverLfsUrl(db, purpose, additionalHeaders, |
| remoteUrl); |
| } catch (URISyntaxException | IOException |
| | CommandFailedException e) { |
| ex = e; |
| } |
| } else { |
| lfsUrl = lfsUrl + Protocol.INFO_LFS_ENDPOINT; |
| } |
| } |
| if (lfsUrl == null) { |
| if (ex != null) { |
| throw new LfsConfigInvalidException( |
| LfsText.get().lfsNoDownloadUrl, ex); |
| } |
| throw new LfsConfigInvalidException(LfsText.get().lfsNoDownloadUrl); |
| } |
| return lfsUrl; |
| } |
| |
| private static String discoverLfsUrl(Repository db, String purpose, |
| Map<String, String> additionalHeaders, String remoteUrl) |
| throws URISyntaxException, IOException, CommandFailedException { |
| URIish u = new URIish(remoteUrl); |
| if (u.getScheme() == null || SCHEME_SSH.equals(u.getScheme())) { |
| Protocol.ExpiringAction action = getSshAuthentication(db, purpose, |
| remoteUrl, u); |
| additionalHeaders.putAll(action.header); |
| return action.href; |
| } |
| return remoteUrl + Protocol.INFO_LFS_ENDPOINT; |
| } |
| |
| private static Protocol.ExpiringAction getSshAuthentication( |
| Repository db, String purpose, String remoteUrl, URIish u) |
| throws IOException, CommandFailedException { |
| AuthCache cached = sshAuthCache.get(remoteUrl); |
| Protocol.ExpiringAction action = null; |
| if (cached != null && cached.validUntil > System.currentTimeMillis()) { |
| action = cached.cachedAction; |
| } |
| |
| if (action == null) { |
| // discover and authenticate; git-lfs does "ssh |
| // -p <port> -- <host> git-lfs-authenticate |
| // <project> <upload/download>" |
| String json = SshSupport.runSshCommand(u.setPath(""), //$NON-NLS-1$ |
| null, db.getFS(), |
| "git-lfs-authenticate " + extractProjectName(u) + " " //$NON-NLS-1$//$NON-NLS-2$ |
| + purpose, |
| SSH_AUTH_TIMEOUT_SECONDS); |
| |
| action = Protocol.gson().fromJson(json, |
| Protocol.ExpiringAction.class); |
| |
| // cache the result as long as possible. |
| AuthCache c = new AuthCache(action); |
| sshAuthCache.put(remoteUrl, c); |
| } |
| return action; |
| } |
| |
| /** |
| * Create a connection for the specified |
| * {@link org.eclipse.jgit.lfs.Protocol.Action}. |
| * |
| * @param repo |
| * the repo to fetch required configuration from |
| * @param action |
| * the action for which to create a connection |
| * @param method |
| * the target method (GET or PUT) |
| * @return a connection. output mode is not set. |
| * @throws IOException |
| * in case of any error. |
| */ |
| @NonNull |
| public static HttpConnection getLfsContentConnection( |
| Repository repo, Protocol.Action action, String method) |
| throws IOException { |
| URL contentUrl = new URL(action.href); |
| HttpConnection contentServerConn = HttpTransport.getConnectionFactory() |
| .create(contentUrl, HttpSupport |
| .proxyFor(ProxySelector.getDefault(), contentUrl)); |
| contentServerConn.setRequestMethod(method); |
| if (action.header != null) { |
| action.header.forEach( |
| (k, v) -> contentServerConn.setRequestProperty(k, v)); |
| } |
| if (contentUrl.getProtocol().equals(SCHEME_HTTPS) |
| && !repo.getConfig().getBoolean(HttpConfig.HTTP, |
| HttpConfig.SSL_VERIFY_KEY, true)) { |
| HttpSupport.disableSslVerify(contentServerConn); |
| } |
| |
| contentServerConn.setRequestProperty(HDR_ACCEPT_ENCODING, |
| ENCODING_GZIP); |
| |
| return contentServerConn; |
| } |
| |
| private static String extractProjectName(URIish u) { |
| String path = u.getPath(); |
| |
| // begins with a slash if the url contains a port (gerrit vs. github). |
| if (path.startsWith("/")) { //$NON-NLS-1$ |
| path = path.substring(1); |
| } |
| |
| if (path.endsWith(org.eclipse.jgit.lib.Constants.DOT_GIT)) { |
| return path.substring(0, path.length() - 4); |
| } |
| return path; |
| } |
| |
| /** |
| * @param operation |
| * the operation to perform, e.g. Protocol.OPERATION_DOWNLOAD |
| * @param resources |
| * the LFS resources affected |
| * @return a request that can be serialized to JSON |
| */ |
| public static Protocol.Request toRequest(String operation, |
| LfsPointer... resources) { |
| Protocol.Request req = new Protocol.Request(); |
| req.operation = operation; |
| if (resources != null) { |
| req.objects = new LinkedList<>(); |
| for (LfsPointer res : resources) { |
| Protocol.ObjectSpec o = new Protocol.ObjectSpec(); |
| o.oid = res.getOid().getName(); |
| o.size = res.getSize(); |
| req.objects.add(o); |
| } |
| } |
| return req; |
| } |
| |
| private static final class AuthCache { |
| private static final long AUTH_CACHE_EAGER_TIMEOUT = 500; |
| |
| private static final DateTimeFormatter ISO_FORMAT = DateTimeFormatter |
| .ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSX"); //$NON-NLS-1$ |
| |
| /** |
| * Creates a cache entry for an authentication response. |
| * <p> |
| * The timeout of the cache token is extracted from the given action. If |
| * no timeout can be determined, the token will be used only once. |
| * |
| * @param action |
| */ |
| public AuthCache(Protocol.ExpiringAction action) { |
| this.cachedAction = action; |
| try { |
| if (action.expiresIn != null && !action.expiresIn.isEmpty()) { |
| this.validUntil = (System.currentTimeMillis() |
| + Long.parseLong(action.expiresIn)) |
| - AUTH_CACHE_EAGER_TIMEOUT; |
| } else if (action.expiresAt != null |
| && !action.expiresAt.isEmpty()) { |
| this.validUntil = LocalDateTime |
| .parse(action.expiresAt, ISO_FORMAT) |
| .atZone(ZoneOffset.UTC).toInstant().toEpochMilli() |
| - AUTH_CACHE_EAGER_TIMEOUT; |
| } else { |
| this.validUntil = System.currentTimeMillis(); |
| } |
| } catch (Exception e) { |
| this.validUntil = System.currentTimeMillis(); |
| } |
| } |
| |
| long validUntil; |
| |
| Protocol.ExpiringAction cachedAction; |
| } |
| |
| } |