blaggard 1.0.0

data/lib/blaggard/auth.rb

@@ -0,0 +1,37 @@
+require 'rack/auth/basic'
+require 'rack/auth/abstract/handler'
+require 'rack/auth/abstract/request'
+
+module Blaggard
+  class Auth < Rack::Auth::Basic
+    def call(env)
+      @env = env
+      @request = Rack::Request.new(env)
+      @auth = Request.new(env)
+
+      if not @auth.provided?
+        unauthorized
+      elsif not @auth.basic?
+        bad_request
+      else
+        result = if (access = valid? and access == true)
+                   @env['REMOTE_USER'] = @auth.username
+                   @app.call(env)
+                 else
+                   if access == '404'
+                     render_not_found
+                   elsif access == '403'
+                     render_no_access
+                   else
+                     unauthorized
+                   end
+                 end
+        result
+      end
+    end# method call
+
+    def valid?
+      false
+    end
+  end# class Auth
+end

data/lib/blaggard/bundle.rb

@@ -0,0 +1,20 @@
+require 'rack/builder'
+require 'blaggard/auth'
+require 'blaggard/server'
+
+module Blaggard
+  module Bundle
+    extend self
+
+    def new(config)
+      Rack::Builder.new do
+        use Blaggard::Auth do |username, password|
+          false
+        end
+
+        run Blaggard::Server.new(config)
+      end
+    end
+
+  end
+end

data/lib/blaggard/console.rb

@@ -0,0 +1,3 @@
+Pry.config.prompt = lambda do |context, nesting, pry|
+  "[blaggard] #{context}> "
+end

data/lib/blaggard/git.rb

@@ -0,0 +1,82 @@
+module Blaggard
+
+  class Git
+    attr_accessor :git_path, :repo
+
+    def initialize(repo, path = nil)
+      @repo = repo
+      @git_path = path ? path : 'git'
+    end
+
+    def execute(cmd)
+      cmd = command(cmd)
+      if block_given?
+        IO.popen(popen_env, cmd, File::RDWR, popen_options) do |pipe|
+          yield(pipe)
+        end
+      else
+        capture(cmd).chomp
+      end
+    end
+
+    def time_ordered_refs
+      opts = %W(--sort=-committerdate refs/heads/ --format=%(refname))
+      return execute(['for-each-ref', opts]).split("\n")
+    end
+
+    def tags_on_branch(commitish)
+      opts = %W(--simplify-by-decoration --decorate --pretty=oneline)
+      return execute(['log', opts, commitish]).scan(/tag: (.*?)(\,|\))/).map{ |match| match.first}
+    rescue => e
+      []
+    end
+
+    def command(cmd)
+      [git_path || 'git'] + cmd.flatten
+    end
+
+    def capture(command)
+      IO.popen(popen_env, command, popen_options).read
+    end
+
+    def popen_options
+      {chdir: repo, unsetenv_others: true}
+    end
+
+    def popen_env
+      {'PATH' => ENV['PATH'], 'GL_ID' => ENV['GL_ID']}
+    end
+
+    def get_config_setting(service_name)
+      service_name = service_name.gsub('-', '')
+      setting = get_git_config("http.#{service_name}")
+      if service_name == 'uploadpack'
+        return setting != 'false'
+      else
+        return setting == 'true'
+      end
+    end
+
+    def get_git_config(config_name)
+      execute(%W(config #{config_name}))
+    end
+
+    def valid_repo?
+      return false unless File.exists?(repo) &&
+        File.realpath(repo) == repo
+      match = execute(%W(rev-parse --git-dir)).match(/\.$|\.git$/)
+
+      if match.to_s == '.git'
+        # Since the parent could be a git repo, we want to make sure the actual repo contains a git dir.
+        return false unless Dir.entries(repo).include?('.git')
+      end
+
+      !!match
+    end
+
+    def update_server_info
+      # TODO: Update this for use with ACL
+      execute(%W(update-server-info))
+    end
+  end
+end

data/lib/blaggard/group_config.rb

@@ -0,0 +1,123 @@
+module Blaggard
+  class GroupConfigError < StandardError; end
+  class GroupConfig
+    # groups is an object like this:
+    # {
+    #     # group: { 'read': [refs]
+    #     #          'write': [refs]}
+    #     "admin_users" => {
+    #         'read' => ['refs/heads/*'],
+    #         'write' => ['refs/heads/haacked', 'refs/heads/master']
+    #     },
+    #     "normal_users" => {
+    #         'read' => ['refs/heads/*'],
+    #         'write' => []
+    #     }
+    # }
+    attr_accessor :groups, :git
+    def initialize( repo_path )
+      @repo_path = repo_path
+      @git = Blaggard::Git.new(repo_path)
+      @config_path = File.join(@repo_path, 'refs/meta')
+      unless File.directory?(@config_path)
+        FileUtils.mkdir_p(File.join(@repo_path, 'refs/meta'))
+      end
+      @config_file = File.join(@config_path, 'config')
+      read_from_git
+    end
+
+    def write_to_git
+      tmp_file = File.absolute_path File.join(@config_path, 'tmp')
+      if File.exist? tmp_file
+        # tmp acts like a lock file to prevent multiple writes at the same time.
+        raise Blaggard::GroupConfigError, "Unable to write to meta config, someone else is currently using it. Try again in a few minutes."
+      end
+      File.open( tmp_file , 'w' ) do |f|
+        f.write(YAML.dump @groups)
+      end
+
+      ref = git.execute(['hash-object', '-w', tmp_file])
+      File.open( @config_file , 'w') do |f|
+        f.write(ref)
+      end
+      FileUtils.rm(tmp_file)
+      return true
+    end
+
+    def read_from_git
+      ref = File.open(@config_file, &:readline).chomp
+      yml = git.execute(['cat-file', '-p', ref])
+      @groups = YAML.load yml
+      return @groups
+    rescue
+      @groups = {}
+    end
+
+    def add_branch(group, priv, branch)
+      @groups = read_from_git
+      @groups[group] = {:read =>[], :write => []} unless @groups[group]
+      validate_privilege priv
+      unless @groups[group][priv].include? branch
+        if valid_branch_name? branch
+          @groups[group][priv] << branch
+          write_to_git
+        else
+          raise Blaggard::GroupConfigError, "Branch name #{branch} invalid. Must be of format 'refs/heads/<branch_name>"
+        end
+      end
+    end
+
+    def delete_branch(group, priv, branch)
+      @groups = read_from_git
+      validate_group group
+      validate_privilege priv
+      if @groups[group][priv].delete(branch)
+        write_to_git
+      else
+        return false
+      end
+    end
+
+    def delete_group(group)
+      @groups = read_from_git
+      validate_group group
+      if @groups.delete(group)
+        write_to_git
+      else
+        false
+      end
+    end
+
+    def can_access_branch?(group, priv, branch)
+      validate_group group rescue (return false)
+      validate_privilege priv
+      @groups[group][priv].include? branch
+    end
+
+    def branches(user_groups, priv)
+      validate_privilege priv
+      user_groups.map{ |group|
+        validate_group group rescue next
+        @groups[group][priv]
+      }.uniq.flatten.compact
+    end
+
+    def valid_branch_name?(branch)
+      valid_branches = Dir[File.join(@repo_path, 'refs/heads/*')].map{|b| b.split('/')[-3..-1].join('/')}
+      valid_branches << 'refs/heads/*'
+      return valid_branches.include?(branch)
+    end
+
+    # Validation Methods
+
+    def validate_group(group)
+      unless @groups[group]
+        raise Blaggard::GroupConfigError, "Group #{group} does not exist. Use add_branch to create it."
+      end
+    end
+
+    def validate_privilege(priv)
+      raise Blaggard::GroupConfigError, "Privilege must be either :read or :write" unless [:read, :write].include?(priv)
+    end
+  end
+end

data/lib/blaggard/group_finder.rb

@@ -0,0 +1,28 @@
+require 'net/http'
+require 'json'
+module Blaggard
+  class GroupFinder
+    def initialize(config)
+      # Make your base url and resource something like:
+      #
+      #   https://example.com/api/v1/users_groups/user1
+      #
+      # Ideally this should bring down a list of strings that
+      # will correspond to the group keys in the repo config.
+      # These will be the groups that user is a part of. The
+      # User is identified by their username over http auth
+      # ie. the REMOTE_USER header.
+      @url = "#{config[:base_url]}/#{config[:group_resource]}/:id"
+    end
+
+    def find(identifier)
+      uri = URI(@url.gsub(':id', identifier))
+      res = Net::HTTP.get_response(uri)
+      if res.code == "200"
+        return JSON.load(res.body)
+      else
+        []
+      end
+    end
+  end
+end

data/lib/blaggard/server.rb

@@ -0,0 +1,311 @@
+module Blaggard
+  class Server
+    attr_reader :git, :config
+    SERVICES = [
+      ["POST", 'service_rpc',      "(.*?)/git-upload-pack$",  'upload-pack'],
+      ["POST", 'service_rpc',      "(.*?)/git-receive-pack$", 'receive-pack'],
+
+      ["GET",  'get_info_refs',    "(.*?)/info/refs$"],
+      ["GET",  'get_text_file',    "(.*?)/HEAD$"],
+      ["GET",  'get_text_file',    "(.*?)/objects/info/alternates$"],
+      ["GET",  'get_text_file',    "(.*?)/objects/info/http-alternates$"],
+      ["GET",  'get_info_packs',   "(.*?)/objects/info/packs$"],
+      ["GET",  'get_text_file',    "(.*?)/objects/info/[^/]*$"],
+      ["GET",  'get_loose_object', "(.*?)/objects/[0-9a-f]{2}/[0-9a-f]{38}$"],
+      ["GET",  'get_pack_file',    "(.*?)/objects/pack/pack-[0-9a-f]{40}\\.pack$"],
+      ["GET",  'get_idx_file',     "(.*?)/objects/pack/pack-[0-9a-f]{40}\\.idx$"],
+    ]
+
+    def initialize(conf = false)
+      if conf.instance_of? Hash
+        @config = conf
+      elsif (File.exist?(conf) rescue false)
+        @config = YAML.load( File.read conf )
+      else
+        @config = {}
+      end
+    end
+
+    def set_config_setting(key, value)
+      @config[key] = value
+    end
+
+    def call(env)
+      dup._call(env)
+    end
+
+    def _call(env)
+      @env = env
+      # puts env
+      @req = Rack::Request.new(env)
+
+      cmd, path, @reqfile, @rpc = match_routing
+      return render_method_not_allowed if cmd == 'not_allowed'
+      return render_not_found if !cmd
+
+      @git = get_git(path)
+      return render_not_found unless git.valid_repo?
+
+
+      identifier = env['REMOTE_USER']
+      @groups = Blaggard::GroupFinder.new(@config).find(identifier) if @config[:use_acl]
+
+      self.method(cmd).call()
+    end
+
+    # ---------------------------------
+    # actual command handling functions
+    # ---------------------------------
+
+    # Uses chunked (streaming) transfer, otherwise response
+    # blocks to calculate Content-Length header
+    # http://en.wikipedia.org/wiki/Chunked_transfer_encoding
+
+    CRLF = "\r\n"
+
+    def service_rpc
+      return render_no_access unless has_access?(@rpc, true)
+
+      input = read_body
+
+      @res = Rack::Response.new
+      @res.status = 200
+      @res["Content-Type"] = "application/x-git-%s-result" % @rpc
+      @res["Transfer-Encoding"] = "chunked"
+      @res["Cache-Control"] = "no-cache"
+
+      @res.finish do
+        git.execute([@rpc, '--stateless-rpc', git.repo]) do |pipe|
+          pipe.write(input)
+          pipe.close_write
+
+          while !pipe.eof?
+            block = pipe.read(8192)     # 8KB at a time
+            @res.write encode_chunk(block)  # stream it to the client
+          end
+
+          @res.write terminating_chunk
+        end
+      end
+    end
+
+    def encode_chunk(chunk)
+      size_in_hex = chunk.size.to_s(16)
+      [ size_in_hex, CRLF, chunk, CRLF ].join
+    end
+
+    def terminating_chunk
+      [ 0, CRLF, CRLF ].join
+    end
+
+    def get_info_refs
+      service_name = get_service_type
+      return render_no_access unless has_access?(service_name)
+
+      refs = begin
+        if @config[:use_acl]
+          Blaggard::Advertisement.new(git.repo, @groups, service_name).advertise
+        else
+          git.execute(%W(#{service_name} --stateless-rpc --advertise-refs #{git.repo}))
+        end
+      end
+
+      @res = Rack::Response.new
+      @res.status = 200
+      @res["Content-Type"] = "application/x-git-%s-advertisement" % service_name
+      hdr_nocache
+      @res.write(pkt_write("# service=git-#{service_name}\n"))
+      @res.write(pkt_flush)
+      @res.write(refs)
+      @res.finish
+    end
+
+    def dumb_info_refs
+      git.update_server_info
+      send_file(@reqfile, "text/plain; charset=utf-8") do
+        hdr_nocache
+      end
+    end
+
+    def get_info_packs
+      # objects/info/packs
+      send_file(@reqfile, "text/plain; charset=utf-8") do
+        hdr_nocache
+      end
+    end
+
+    def get_loose_object
+      send_file(@reqfile, "application/x-git-loose-object") do
+        hdr_cache_forever
+      end
+    end
+
+    def get_pack_file
+      send_file(@reqfile, "application/x-git-packed-objects") do
+        hdr_cache_forever
+      end
+    end
+
+    def get_idx_file
+      send_file(@reqfile, "application/x-git-packed-objects-toc") do
+        hdr_cache_forever
+      end
+    end
+
+    def get_text_file
+      send_file(@reqfile, "text/plain") do
+        hdr_nocache
+      end
+    end
+
+    # ------------------------
+    # logic helping functions
+    # ------------------------
+
+    # some of this borrowed from the Rack::File implementation
+    def send_file(reqfile, content_type)
+     reqfile = File.join(git.repo, reqfile)
+     return render_not_found unless File.exists?(reqfile)
+
+     return render_not_found unless reqfile == File.realpath(reqfile)
+
+     # reqfile looks legit: no path traversal, no leading '|'
+
+     @res = Rack::Response.new
+     @res.status = 200
+     @res["Content-Type"]  = content_type
+     @res["Last-Modified"] = File.mtime(reqfile).httpdate
+
+     yield
+
+     if size = File.size?(reqfile)
+       @res["Content-Length"] = size.to_s
+       @res.finish do
+         File.open(reqfile, "rb") do |file|
+           while part = file.read(8192)
+             @res.write part
+           end
+         end
+       end
+     else
+       body = [File.read(reqfile)]
+       size = Rack::Utils.bytesize(body.first)
+       @res["Content-Length"] = size
+       @res.write body
+       @res.finish
+     end
+   end
+
+    def get_git(path)
+      root = @config[:project_root] || Dir.pwd
+      path = File.join(root, path)
+      Blaggard::Git.new( path, @config[:git_path] )
+    end
+
+    def get_service_type
+      service_type = @req.params['service']
+      return false if !service_type
+      return false if service_type[0, 4] != 'git-'
+      service_type.gsub('git-', '')
+    end
+
+    def match_routing
+      SERVICES.each do |method, handler, match, rpc|
+        if m = Regexp.new(match).match(@req.path_info)
+          return ['not_allowed'] if method != @req.request_method
+          cmd = handler
+          path = m[1]
+          file = @req.path_info.sub(path + '/', '')
+          return [cmd, path, file, rpc]
+        end
+      end
+      return nil
+    end
+
+    def smart_http?(rpc = @rpc)
+      @req.content_type ==  "application/x-git-#{rpc}-request"
+    end
+
+    def has_access?(rpc, check_content_type = false)
+      if check_content_type
+        return false unless smart_http?(rpc)
+      end
+
+      return false unless ['upload-pack', 'receive-pack'].include?(rpc)
+
+      if rpc == 'receive-pack'
+        return @config[:receive_pack] if @config.include?(:receive_pack)
+      end
+
+      if rpc == 'upload-pack'
+        return @config[:upload_pack] if @config.include?(:upload_pack)
+      end
+
+      git.config_setting(rpc)
+    end
+
+
+
+    def read_body
+      if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
+        input = Zlib::GzipReader.new(@req.body).read
+      else
+        input = @req.body.read
+      end
+    end
+
+    # --------------------------------------
+    # HTTP error response handling functions
+    # --------------------------------------
+
+    PLAIN_TYPE = {"Content-Type" => "text/plain"}
+
+    def render_method_not_allowed
+      if @env['SERVER_PROTOCOL'] == "HTTP/1.1"
+        [405, PLAIN_TYPE, ["Method Not Allowed"]]
+      else
+        [400, PLAIN_TYPE, ["Bad Request"]]
+      end
+    end
+
+    def render_not_found
+      [404, PLAIN_TYPE, ["Not Found"]]
+    end
+
+    def render_no_access
+      [403, PLAIN_TYPE, ["Forbidden"]]
+    end
+
+
+    # ------------------------------
+    # packet-line handling functions
+    # ------------------------------
+
+    def pkt_flush
+      '0000'
+    end
+
+    def pkt_write(str)
+      (str.size + 4).to_s(base=16).rjust(4, '0') + str
+    end
+
+
+    # ------------------------
+    # header writing functions
+    # ------------------------
+
+    def hdr_nocache
+      @res["Expires"] = "Fri, 01 Jan 1980 00:00:00 GMT"
+      @res["Pragma"] = "no-cache"
+      @res["Cache-Control"] = "no-cache, max-age=0, must-revalidate"
+    end
+
+    def hdr_cache_forever
+      now = Time.now().to_i
+      @res["Date"] = now.to_s
+      @res["Expires"] = (now + 31536000).to_s;
+      @res["Cache-Control"] = "public, max-age=31536000";
+    end
+
+  end
+end