| | |
|---|
| | | * The GitFilter is an AccessRestrictionFilter which ensures that Git client
|
|---|
| | | * requests for push, clone, or view restricted repositories are authenticated
|
|---|
| | | * and authorized.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @author James Moger
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | */
|
|---|
| | | public class GitFilter extends AccessRestrictionFilter {
|
|---|
| | |
|
|---|
| | |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Extract the repository name from the url.
|
|---|
| | | * |
|---|
| | | * @param url
|
|---|
| | | *
|
|---|
| | | * @param cloneUrl
|
|---|
| | | * @return repository name
|
|---|
| | | */
|
|---|
| | | public static String getRepositoryName(String value) {
|
|---|
| | |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Extract the repository name from the url.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @param url
|
|---|
| | | * @return repository name
|
|---|
| | | */
|
|---|
| | |
|---|
| | | /**
|
|---|
| | | * Analyze the url and returns the action of the request. Return values are
|
|---|
| | | * either "/git-receive-pack" or "/git-upload-pack".
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @param serverUrl
|
|---|
| | | * @return action of the request
|
|---|
| | | */
|
|---|
| | |
|---|
| | | }
|
|---|
| | | return null;
|
|---|
| | | }
|
|---|
| | | |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Determine if a non-existing repository can be created using this filter.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @return true if the server allows repository creation on-push
|
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | protected boolean isCreationAllowed() {
|
|---|
| | | return GitBlit.getBoolean(Keys.git.allowCreateOnPush, true);
|
|---|
| | | }
|
|---|
| | | |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Determine if the repository can receive pushes.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @param repository
|
|---|
| | | * @param action
|
|---|
| | | * @return true if the action may be performed
|
|---|
| | | */
|
|---|
| | | @Override
|
|---|
| | | protected boolean isActionAllowed(RepositoryModel repository, String action) {
|
|---|
| | | if (!StringUtils.isEmpty(action)) {
|
|---|
| | | if (action.equals(gitReceivePack)) {
|
|---|
| | | // Push request
|
|---|
| | | if (!repository.isBare) {
|
|---|
| | | logger.warn("Gitblit does not allow pushes to repositories with a working copy");
|
|---|
| | | return false;
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | // the log here has been moved into ReceiveHook to provide clients with
|
|---|
| | | // error messages
|
|---|
| | | return true;
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * Determine if the repository requires authentication.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @param repository
|
|---|
| | | * @param action
|
|---|
| | | * @return true if authentication required
|
|---|
| | |
|---|
| | | protected boolean requiresAuthentication(RepositoryModel repository, String action) {
|
|---|
| | | if (gitUploadPack.equals(action)) {
|
|---|
| | | // send to client
|
|---|
| | | return repository.accessRestriction.atLeast(AccessRestrictionType.CLONE); |
|---|
| | | return repository.accessRestriction.atLeast(AccessRestrictionType.CLONE);
|
|---|
| | | } else if (gitReceivePack.equals(action)) {
|
|---|
| | | // receive from client
|
|---|
| | | return repository.accessRestriction.atLeast(AccessRestrictionType.PUSH);
|
|---|
| | |
|---|
| | | /**
|
|---|
| | | * Determine if the user can access the repository and perform the specified
|
|---|
| | | * action.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @param repository
|
|---|
| | | * @param user
|
|---|
| | | * @param action
|
|---|
| | |
|---|
| | | if (!GitBlit.getBoolean(Keys.git.enableGitServlet, true)) {
|
|---|
| | | // Git Servlet disabled
|
|---|
| | | return false;
|
|---|
| | | } |
|---|
| | | }
|
|---|
| | | if (action.equals(gitReceivePack)) {
|
|---|
| | | // Push request
|
|---|
| | | if (user.canPush(repository)) {
|
|---|
| | |
|---|
| | | }
|
|---|
| | | return true;
|
|---|
| | | }
|
|---|
| | | |
|---|
| | |
|
|---|
| | | /**
|
|---|
| | | * An authenticated user with the CREATE role can create a repository on
|
|---|
| | | * push.
|
|---|
| | | * |
|---|
| | | *
|
|---|
| | | * @param user
|
|---|
| | | * @param repository
|
|---|
| | | * @param action
|
|---|
| | |
|---|
| | | if (repository.contains("/../")) {
|
|---|
| | | logger.error(MessageFormat.format("Illegal relative path in repository name! {0}", repository));
|
|---|
| | | return null;
|
|---|
| | | } |
|---|
| | | }
|
|---|
| | |
|
|---|
| | | // confirm valid characters in repository name
|
|---|
| | | Character c = StringUtils.findInvalidCharacter(repository);
|
|---|
| | |
|---|
| | | } else {
|
|---|
| | | // common repository, user default server settings
|
|---|
| | | model.authorizationControl = AuthorizationControl.fromName(GitBlit.getString(Keys.git.defaultAuthorizationControl, ""));
|
|---|
| | | model.accessRestriction = AccessRestrictionType.fromName(GitBlit.getString(Keys.git.defaultAccessRestriction, ""));
|
|---|
| | | model.accessRestriction = AccessRestrictionType.fromName(GitBlit.getString(Keys.git.defaultAccessRestriction, "PUSH"));
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | | // create the repository
|
|---|
| | |
|---|
| | | logger.warn(MessageFormat.format("{0} is not permitted to create repository {1} ON-PUSH!", user.username, repository));
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | |
|---|
| | |
|
|---|
| | | // repository could not be created or action was not a push
|
|---|
| | | return null;
|
|---|
| | | }
|
|---|
