Authorize Git LFS HTTP requests
According to [1], the Git LFS client uses HTTP Basic Auth to authorize
requests. This change adds logic to verify that the user has permission to
perform the requested operation.
Notes:
1. in order to authorize requests
auth.gitBasicAuth = true
needs to be set in gerrit.config.
2. SSH Auth gets broken with this change. It will be fixed in the follow
up change.
[1]
https://github.com/git-lfs/git-lfs/blob/master/docs/api/authentication.md
Change-Id: I28864fdaaf701e06fa9f60e7e913bc4a15da7b1d
Signed-off-by: Jacek Centkowski <jcentkowski@collab.net>
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
index dfc7f58..b4aae73 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsApiServlet.java
@@ -18,9 +18,13 @@
import static com.google.gerrit.extensions.client.ProjectState.READ_ONLY;
import static com.google.gerrit.httpd.plugins.LfsPluginServlet.URL_REGEX;
+import com.google.common.base.Strings;
import com.google.gerrit.common.ProjectUtil;
+import com.google.gerrit.common.data.Capable;
import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.project.ProjectCache;
+import com.google.gerrit.server.project.ProjectControl;
import com.google.gerrit.server.project.ProjectState;
import com.google.inject.Inject;
import com.google.inject.Singleton;
@@ -28,36 +32,43 @@
import org.eclipse.jgit.lfs.errors.LfsException;
import org.eclipse.jgit.lfs.errors.LfsRepositoryNotFound;
import org.eclipse.jgit.lfs.errors.LfsRepositoryReadOnly;
+import org.eclipse.jgit.lfs.errors.LfsUnauthorized;
import org.eclipse.jgit.lfs.errors.LfsUnavailable;
import org.eclipse.jgit.lfs.errors.LfsValidationError;
import org.eclipse.jgit.lfs.server.LargeFileRepository;
+import org.eclipse.jgit.lfs.server.LfsGerritProtocolServlet;
import org.eclipse.jgit.lfs.server.LfsObject;
-import org.eclipse.jgit.lfs.server.LfsProtocolServlet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@Singleton
-public class LfsApiServlet extends LfsProtocolServlet {
+public class LfsApiServlet extends LfsGerritProtocolServlet {
private static final long serialVersionUID = 1L;
private static final Pattern URL_PATTERN = Pattern.compile(URL_REGEX);
+ private static final String DOWNLOAD = "download";
+ private static final String UPLOAD = "upload";
private final ProjectCache projectCache;
private final LfsConfigurationFactory lfsConfigFactory;
private final LfsRepositoryResolver repoResolver;
+ private final LfsAuthUserProvider userProvider;
@Inject
LfsApiServlet(ProjectCache projectCache,
LfsConfigurationFactory lfsConfigFactory,
- LfsRepositoryResolver repoResolver) {
+ LfsRepositoryResolver repoResolver,
+ LfsAuthUserProvider userProvider) {
this.projectCache = projectCache;
this.lfsConfigFactory = lfsConfigFactory;
this.repoResolver = repoResolver;
+ this.userProvider = userProvider;
}
@Override
protected LargeFileRepository getLargeFileRepository(
- LfsRequest request, String path) throws LfsException {
+ LfsRequest request, String path, String auth)
+ throws LfsException {
String pathInfo = path.startsWith("/") ? path : "/" + path;
Matcher matcher = URL_PATTERN.matcher(pathInfo);
if (!matcher.matches()) {
@@ -66,12 +77,12 @@
Project.NameKey project = Project.NameKey.parse(
ProjectUtil.stripGitSuffix(matcher.group(1)));
ProjectState state = projectCache.get(project);
-
if (state == null || state.getProject().getState() == HIDDEN) {
throw new LfsRepositoryNotFound(project.get());
}
+ authorizeUser(userProvider.getUser(auth), state, request.getOperation());
- if (request.getOperation().equals("upload")
+ if (request.getOperation().equals(UPLOAD)
&& state.getProject().getState() == READ_ONLY) {
throw new LfsRepositoryReadOnly(project.get());
}
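Review bot: The `authorizeUser(...)` call runs after the `state == null || ... == HIDDEN` check, so a caller without read access gets `LfsUnauthorized` for an existing project but `LfsRepositoryNotFound` for a missing one. That difference lets anonymous callers learn which project names exist. One option is to answer both cases identically when the user cannot see the project, and keep `LfsUnauthorized` for a visible project where only the requested operation is denied. `request.getOperation()` comes from the JSON body and, as far as the visible lines show, is not null-checked before being passed on. The enclosing method starts and ends outside this hunk.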
@@ -82,7 +93,7 @@
// No config means we default to "not enabled".
if (config != null && config.isEnabled()) {
// For uploads, check object sizes against limit if configured
- if (request.getOperation().equals("upload")) {
+ if (request.getOperation().equals(UPLOAD)) {
if (config.isReadOnly()) {
throw new LfsRepositoryReadOnly(project.get());
}
@@ -104,4 +115,17 @@
throw new LfsUnavailable(project.get());
}
+
+ private void authorizeUser(CurrentUser user, ProjectState state,
+ String operation) throws LfsUnauthorized {
+ ProjectControl control = state.controlFor(user);
+ if ((operation.equals(DOWNLOAD) && !control.isReadable()) ||
+ (operation.equals(UPLOAD) && Capable.OK != control.canPushToAtLeastOneRef())) {
+ throw new LfsUnauthorized(
+ String.format("User %s is not authorized to perform %s operation",
+ Strings.isNullOrEmpty(user.getUserName())
+ ? "anonymous" : user.getUserName(),
+ operation.toLowerCase()));
+ }
+ }
}
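Review bot: `authorizeUser` throws only when the operation is exactly `download` or `upload` and the matching permission check fails, so any other value from the request body (different case, an unsupported name) passes without a permission check. Whether that is harmless depends on `TransferHandler.forOperation` rejecting such values later, which is not visible here; an authorization helper should deny by default. A missing operation field currently ends in a NullPointerException at `operation.equals(DOWNLOAD)`, which the constant-first form avoids. `operation.toLowerCase()` in the message is locale-dependent and redundant, since the value already matched a lower-case constant.

```java
private void authorizeUser(CurrentUser user, ProjectState state,
    String operation) throws LfsUnauthorized {
  ProjectControl control = state.controlFor(user);
  boolean allowed;
  if (DOWNLOAD.equals(operation)) {
    allowed = control.isReadable();
  } else if (UPLOAD.equals(operation)) {
    allowed = Capable.OK == control.canPushToAtLeastOneRef();
  } else {
    // Unknown or missing operation: deny instead of falling through.
    allowed = false;
  }
  if (!allowed) {
    throw new LfsUnauthorized(
        String.format("User %s is not authorized to perform %s operation",
            // … unchanged: user name or "anonymous" …
            operation));
  }
}
```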
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java
new file mode 100644
index 0000000..0c548c9
--- /dev/null
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java
@@ -0,0 +1,50 @@
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.googlesource.gerrit.plugins.lfs;
+
+import com.google.common.base.Strings;
+import com.google.gerrit.server.AnonymousUser;
+import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.config.AuthConfig;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+@Singleton
+class LfsAuthUserProvider {
+ private static final String BASIC_AUTH_PREFIX = "Basic ";
+
+ private final Provider<AnonymousUser> anonymous;
+ private final Provider<CurrentUser> user;
+ private final AuthConfig authCfg;
+
+ @Inject
+ LfsAuthUserProvider(Provider<AnonymousUser> anonymous,
+ Provider<CurrentUser> user,
+ AuthConfig authCfg) {
+ this.anonymous = anonymous;
+ this.user = user;
+ this.authCfg = authCfg;
+ }
+
+ CurrentUser getUser(String auth) {
+ if (!Strings.isNullOrEmpty(auth)
+ && auth.startsWith(BASIC_AUTH_PREFIX)
+ && authCfg.isGitBasicAuth()) {
+ return user.get();
+ }
+ return anonymous.get();
+ }
+}
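Review bot: `getUser` never checks the credentials in the header; a value that merely starts with `Basic ` is enough for it to return the injected `CurrentUser`. The result is therefore only as trustworthy as whatever populated `Provider<CurrentUser>` for this request, presumably Gerrit's Basic-auth servlet filter, which is not visible in this change. Add a comment on the method such as `// Credentials are verified upstream by the HTTP auth filter; the header only signals that Basic auth was attempted.` and confirm the LFS URL is actually covered by that filter. The HTTP auth scheme name is also case-insensitive, so `auth.startsWith(BASIC_AUTH_PREFIX)` treats `basic ...` as anonymous; `auth.regionMatches(true, 0, BASIC_AUTH_PREFIX, 0, BASIC_AUTH_PREFIX.length())` would accept it.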
diff --git a/src/main/java/org/eclipse/jgit/lfs/errors/LfsUnauthorized.java b/src/main/java/org/eclipse/jgit/lfs/errors/LfsUnauthorized.java
new file mode 100644
index 0000000..896eb9f
--- /dev/null
+++ b/src/main/java/org/eclipse/jgit/lfs/errors/LfsUnauthorized.java
@@ -0,0 +1,24 @@
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.eclipse.jgit.lfs.errors;
+
+
+public class LfsUnauthorized extends LfsException {
+ private static final long serialVersionUID = 1L;
+
+ public LfsUnauthorized(String message) {
+ super(message);
+ }
+}
diff --git a/src/main/java/org/eclipse/jgit/lfs/server/LfsGerritProtocolServlet.java b/src/main/java/org/eclipse/jgit/lfs/server/LfsGerritProtocolServlet.java
new file mode 100644
index 0000000..849d789
--- /dev/null
+++ b/src/main/java/org/eclipse/jgit/lfs/server/LfsGerritProtocolServlet.java
@@ -0,0 +1,243 @@
+/*
+ * Copyright (C) 2015, Sasa Zivkov <sasa.zivkov@sap.com>
+ * and other copyright owners as documented in the project's IP log.
+ *
+ * This program and the accompanying materials are made available
+ * under the terms of the Eclipse Distribution License v1.0 which
+ * accompanies this distribution, is reproduced below, and is
+ * available at http://www.eclipse.org/org/documents/edl-v10.php
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or
+ * without modification, are permitted provided that the following
+ * conditions are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * - Neither the name of the Eclipse Foundation, Inc. nor the
+ * names of its contributors may be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.eclipse.jgit.lfs.server;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.apache.http.HttpStatus.SC_FORBIDDEN;
+import static org.apache.http.HttpStatus.SC_INSUFFICIENT_STORAGE;
+import static org.apache.http.HttpStatus.SC_INTERNAL_SERVER_ERROR;
+import static org.apache.http.HttpStatus.SC_NOT_FOUND;
+import static org.apache.http.HttpStatus.SC_OK;
+import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
+import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static org.apache.http.HttpStatus.SC_UNPROCESSABLE_ENTITY;
+import static org.eclipse.jgit.util.HttpSupport.HDR_AUTHORIZATION;
+
+import com.google.gson.FieldNamingPolicy;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+import org.eclipse.jgit.lfs.errors.LfsBandwidthLimitExceeded;
+import org.eclipse.jgit.lfs.errors.LfsException;
+import org.eclipse.jgit.lfs.errors.LfsInsufficientStorage;
+import org.eclipse.jgit.lfs.errors.LfsRateLimitExceeded;
+import org.eclipse.jgit.lfs.errors.LfsRepositoryNotFound;
+import org.eclipse.jgit.lfs.errors.LfsRepositoryReadOnly;
+import org.eclipse.jgit.lfs.errors.LfsUnauthorized;
+import org.eclipse.jgit.lfs.errors.LfsUnavailable;
+import org.eclipse.jgit.lfs.errors.LfsValidationError;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.Reader;
+import java.io.Writer;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * LFS protocol handler implementing the LFS batch API [1]
+ *
+ * [1] https://github.com/github/git-lfs/blob/master/docs/api/v1/http-v1-batch.md
+ *
+ * @since 4.3
+ */
+// TODO this is copy of org.eclipse.jgit.lfs.server.LfsProtocolServlet with small improvements
+// that allows user's auth - donate it back to JGit and get rid of it once Gerrit moves to it
+public abstract class LfsGerritProtocolServlet extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ private static final String CONTENTTYPE_VND_GIT_LFS_JSON =
+ "application/vnd.git-lfs+json; charset=utf-8"; //$NON-NLS-1$
+
+ private static final int SC_RATE_LIMIT_EXCEEDED = 429;
+
+ private static final int SC_BANDWIDTH_LIMIT_EXCEEDED = 509;
+
+ private Gson gson = createGson();
+
+ /**
+ * Get the large file repository for the given request and path.
+ *
+ * @param request
+ * the request
+ * @param path
+ * the path
+ * @param auth
+ * the authorization info
+ *
+ * @return the large file repository storing large files.
+ * @throws LfsException
+ * implementations should throw more specific exceptions to
+ * signal which type of error occurred:
+ * <dl>
+ * <dt>{@link LfsValidationError}</dt>
+ * <dd>when there is a validation error with one or more of the
+ * objects in the request</dd>
+ * <dt>{@link LfsRepositoryNotFound}</dt>
+ * <dd>when the repository does not exist for the user</dd>
+ * <dt>{@link LfsRepositoryReadOnly}</dt>
+ * <dd>when the user has read, but not write access. Only
+ * applicable when the operation in the request is "upload"</dd>
+ * <dt>{@link LfsRateLimitExceeded}</dt>
+ * <dd>when the user has hit a rate limit with the server</dd>
+ * <dt>{@link LfsBandwidthLimitExceeded}</dt>
+ * <dd>when the bandwidth limit for the user or repository has
+ * been exceeded</dd>
+ * <dt>{@link LfsInsufficientStorage}</dt>
+ * <dd>when there is insufficient storage on the server</dd>
+ * <dt>{@link LfsUnauthorized}</dt>
+ * <dd>when user is not authorized to perform LFS operation</dd>
+ * <dt>{@link LfsUnavailable}</dt>
+ * <dd>when LFS is not available</dd>
+ * <dt>{@link LfsException}</dt>
+ * <dd>when an unexpected internal server error occurred</dd>
+ * </dl>
+ * @since 4.5
+ */
+ protected abstract LargeFileRepository getLargeFileRepository(
+ LfsRequest request, String path, String auth) throws LfsException;
+
+ /**
+ * LFS request.
+ *
+ * @since 4.5
+ */
+ protected static class LfsRequest {
+ private String operation;
+
+ private List<LfsObject> objects;
+
+ /**
+ * Get the LFS operation.
+ *
+ * @return the operation
+ */
+ public String getOperation() {
+ return operation;
+ }
+
+ /**
+ * Get the LFS objects.
+ *
+ * @return the objects
+ */
+ public List<LfsObject> getObjects() {
+ return objects;
+ }
+ }
+
+ @Override
+ protected void doPost(HttpServletRequest req, HttpServletResponse res)
+ throws ServletException, IOException {
+ Writer w = new BufferedWriter(
+ new OutputStreamWriter(res.getOutputStream(), UTF_8));
+
+ Reader r = new BufferedReader(
+ new InputStreamReader(req.getInputStream(), UTF_8));
+ LfsRequest request = gson.fromJson(r, LfsRequest.class);
+ String path = req.getPathInfo();
+
+ res.setContentType(CONTENTTYPE_VND_GIT_LFS_JSON);
+ LargeFileRepository repo = null;
+ try {
+ repo = getLargeFileRepository(request, path,
+ req.getHeader(HDR_AUTHORIZATION));
+ if (repo == null) {
+ throw new LfsException("unexpected error"); //$NON-NLS-1$
+ }
+ res.setStatus(SC_OK);
+ TransferHandler handler = TransferHandler
+ .forOperation(request.operation, repo, request.objects);
+ gson.toJson(handler.process(), w);
+ } catch (LfsValidationError e) {
+ sendError(res, w, SC_UNPROCESSABLE_ENTITY, e.getMessage());
+ } catch (LfsRepositoryNotFound e) {
+ sendError(res, w, SC_NOT_FOUND, e.getMessage());
+ } catch (LfsRepositoryReadOnly e) {
+ sendError(res, w, SC_FORBIDDEN, e.getMessage());
+ } catch (LfsRateLimitExceeded e) {
+ sendError(res, w, SC_RATE_LIMIT_EXCEEDED, e.getMessage());
+ } catch (LfsBandwidthLimitExceeded e) {
+ sendError(res, w, SC_BANDWIDTH_LIMIT_EXCEEDED, e.getMessage());
+ } catch (LfsInsufficientStorage e) {
+ sendError(res, w, SC_INSUFFICIENT_STORAGE, e.getMessage());
+ } catch (LfsUnavailable e) {
+ sendError(res, w, SC_SERVICE_UNAVAILABLE, e.getMessage());
+ } catch (LfsUnauthorized e) {
+ sendError(res, w, SC_UNAUTHORIZED, e.getMessage());
+ } catch (LfsException e) {
+ sendError(res, w, SC_INTERNAL_SERVER_ERROR, e.getMessage());
+ } finally {
+ w.flush();
+ }
+ }
+
+ static class Error {
+ String message;
+
+ Error(String m) {
+ this.message = m;
+ }
+ }
+
+ private void sendError(HttpServletResponse rsp, Writer writer, int status,
+ String message) {
+ rsp.setStatus(status);
+ gson.toJson(new Error(message), writer);
+ }
+
+ private Gson createGson() {
+ return new GsonBuilder()
+ .setFieldNamingPolicy(FieldNamingPolicy.LOWER_CASE_WITH_UNDERSCORES)
+ .disableHtmlEscaping()
+ .create();
+ }
+}
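Review bot: The `catch (LfsUnauthorized e)` branch in `doPost` answers with `SC_UNAUTHORIZED` but sets no `WWW-Authenticate` header, which a 401 response is expected to carry and which clients use to decide whether to retry with credentials. The same status is also returned for an authenticated user who simply lacks permission, where 403 is the conventional answer; consider a separate exception type mapped to `SC_FORBIDDEN` for that case. Separately, `gson.fromJson(r, LfsRequest.class)` runs outside the `try` and returns null for an empty body, so an unauthenticated request with no JSON reaches `getLargeFileRepository` with a null `request`. A null check that answers with `SC_UNPROCESSABLE_ENTITY` before calling the subclass would keep that out of the container's generic 500 path.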
diff --git a/src/main/resources/Documentation/config.md b/src/main/resources/Documentation/config.md
index 79065d9..4d4ae5d 100644
--- a/src/main/resources/Documentation/config.md
+++ b/src/main/resources/Documentation/config.md
@@ -2,13 +2,21 @@
## Core Gerrit Settings
-The following option must be set in `$GERRIT_SITE/etc/gerrit.config`.
+The following options must be set in `$GERRIT_SITE/etc/gerrit.config`.
### Section `lfs`
lfs.plugin = @PLUGIN@
: With this option set LFS requests are forwarded to the @PLUGIN@ plugin.
+### Section `auth`
+
+auth.gitBasicAuth = true
+: Git LFS client uses Basic HTTP auth with LFS requests. When this option
+is not enabled (not set or equals to `false`) Git LFS HTTP requests are treated
+as anonymous requests. Therefore requests will be successfully authorized only
+for projects that allows anonymous to perform requested operation.
+
## Per Project Settings
The following options can be configured in `@PLUGIN@.config` on the