2013-10-26 19:46:09 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
abstract class DiffusionSSHWorkflow extends PhabricatorSSHWorkflow {
|
|
|
|
|
|
|
|
private $args;
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
private $repository;
|
|
|
|
private $hasWriteAccess;
|
|
|
|
|
|
|
|
public function getRepository() {
|
2013-11-11 21:19:06 +01:00
|
|
|
if (!$this->repository) {
|
|
|
|
throw new Exception("Call loadRepository() before getRepository()!");
|
|
|
|
}
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
return $this->repository;
|
|
|
|
}
|
2013-10-26 19:46:09 +02:00
|
|
|
|
|
|
|
public function getArgs() {
|
|
|
|
return $this->args;
|
2013-12-03 00:45:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
public function getEnvironment() {
|
2013-12-05 20:59:22 +01:00
|
|
|
$env = array(
|
|
|
|
DiffusionCommitHookEngine::ENV_USER => $this->getUser()->getUsername(),
|
|
|
|
DiffusionCommitHookEngine::ENV_REMOTE_PROTOCOL => 'ssh',
|
2013-12-03 00:45:36 +01:00
|
|
|
);
|
2013-12-05 20:59:22 +01:00
|
|
|
|
|
|
|
$ssh_client = getenv('SSH_CLIENT');
|
|
|
|
if ($ssh_client) {
|
|
|
|
// This has the format "<ip> <remote-port> <local-port>". Grab the IP.
|
|
|
|
$remote_address = head(explode(' ', $ssh_client));
|
|
|
|
$env[DiffusionCommitHookEngine::ENV_REMOTE_ADDRESS] = $remote_address;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $env;
|
2013-10-26 19:46:09 +02:00
|
|
|
}
|
|
|
|
|
2013-11-11 21:19:06 +01:00
|
|
|
abstract protected function executeRepositoryOperations();
|
2013-10-26 21:18:54 +02:00
|
|
|
|
2013-10-26 19:46:09 +02:00
|
|
|
protected function writeError($message) {
|
|
|
|
$this->getErrorChannel()->write($message);
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
final public function execute(PhutilArgumentParser $args) {
|
|
|
|
$this->args = $args;
|
|
|
|
|
|
|
|
try {
|
2013-11-11 21:19:06 +01:00
|
|
|
return $this->executeRepositoryOperations();
|
2013-10-26 19:46:09 +02:00
|
|
|
} catch (Exception $ex) {
|
|
|
|
$this->writeError(get_class($ex).': '.$ex->getMessage());
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-11-11 21:19:06 +01:00
|
|
|
protected function loadRepository($path) {
|
2013-10-26 19:46:09 +02:00
|
|
|
$viewer = $this->getUser();
|
|
|
|
|
|
|
|
$regex = '@^/?diffusion/(?P<callsign>[A-Z]+)(?:/|$)@';
|
|
|
|
$matches = null;
|
|
|
|
if (!preg_match($regex, $path, $matches)) {
|
|
|
|
throw new Exception(
|
|
|
|
pht(
|
|
|
|
'Unrecognized repository path "%s". Expected a path like '.
|
|
|
|
'"%s".',
|
|
|
|
$path,
|
|
|
|
"/diffusion/X/"));
|
|
|
|
}
|
|
|
|
|
|
|
|
$callsign = $matches[1];
|
|
|
|
$repository = id(new PhabricatorRepositoryQuery())
|
|
|
|
->setViewer($viewer)
|
|
|
|
->withCallsigns(array($callsign))
|
|
|
|
->executeOne();
|
|
|
|
|
|
|
|
if (!$repository) {
|
|
|
|
throw new Exception(
|
|
|
|
pht('No repository "%s" exists!', $callsign));
|
|
|
|
}
|
|
|
|
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
switch ($repository->getServeOverSSH()) {
|
|
|
|
case PhabricatorRepository::SERVE_READONLY:
|
|
|
|
case PhabricatorRepository::SERVE_READWRITE:
|
|
|
|
// If we have read or read/write access, proceed for now. We will
|
|
|
|
// check write access when the user actually issues a write command.
|
|
|
|
break;
|
|
|
|
case PhabricatorRepository::SERVE_OFF:
|
|
|
|
default:
|
|
|
|
throw new Exception(
|
|
|
|
pht('This repository is not available over SSH.'));
|
|
|
|
}
|
|
|
|
|
2013-11-11 21:19:06 +01:00
|
|
|
$this->repository = $repository;
|
|
|
|
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
return $repository;
|
|
|
|
}
|
|
|
|
|
2013-11-11 21:19:06 +01:00
|
|
|
protected function requireWriteAccess($protocol_command = null) {
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
if ($this->hasWriteAccess === true) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
$repository = $this->getRepository();
|
|
|
|
$viewer = $this->getUser();
|
2013-10-26 19:46:09 +02:00
|
|
|
|
|
|
|
switch ($repository->getServeOverSSH()) {
|
|
|
|
case PhabricatorRepository::SERVE_READONLY:
|
2013-11-11 21:19:06 +01:00
|
|
|
if ($protocol_command !== null) {
|
|
|
|
throw new Exception(
|
|
|
|
pht(
|
|
|
|
'This repository is read-only over SSH (tried to execute '.
|
|
|
|
'protocol command "%s").',
|
|
|
|
$protocol_command));
|
|
|
|
} else {
|
|
|
|
throw new Exception(
|
|
|
|
pht('This repository is read-only over SSH.'));
|
|
|
|
}
|
2013-10-26 19:46:09 +02:00
|
|
|
break;
|
|
|
|
case PhabricatorRepository::SERVE_READWRITE:
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
$can_push = PhabricatorPolicyFilter::hasCapability(
|
|
|
|
$viewer,
|
|
|
|
$repository,
|
|
|
|
DiffusionCapabilityPush::CAPABILITY);
|
|
|
|
if (!$can_push) {
|
|
|
|
throw new Exception(
|
|
|
|
pht('You do not have permission to push to this repository.'));
|
2013-10-26 19:46:09 +02:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
case PhabricatorRepository::SERVE_OFF:
|
|
|
|
default:
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
// This shouldn't be reachable because we don't get this far if the
|
|
|
|
// repository isn't enabled, but kick them out anyway.
|
2013-10-26 19:46:09 +02:00
|
|
|
throw new Exception(
|
|
|
|
pht('This repository is not available over SSH.'));
|
|
|
|
}
|
|
|
|
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
$this->hasWriteAccess = true;
|
|
|
|
return $this->hasWriteAccess;
|
2013-10-26 19:46:09 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|