| durin42 |
| hg-reviewers |
Per the inline comment desiring to formalize permissions checking
in the protocol interface, we do that.
I'm not convinced this is the best way to go about things. I would love
for there to e.g. be a better exception for denoting permissions
problems. But it does feel strictly better than snipping attributes
on the proto instance.
| Lint Skipped |
| Unit Tests Skipped |
| Path | Packages | |||
|---|---|---|---|---|
| M | mercurial/hgweb/hgweb_mod.py (9 lines) | |||
| M | mercurial/wireproto.py (11 lines) | |||
| M | mercurial/wireprotoserver.py (23 lines) | |||
| M | mercurial/wireprototypes.py (9 lines) | |||
| M | tests/test-wireproto.py (3 lines) |
| parts = parts[len(repo_parts):] | parts = parts[len(repo_parts):] | ||||
| query = '/'.join(parts) | query = '/'.join(parts) | ||||
| else: | else: | ||||
| query = req.env[r'QUERY_STRING'].partition(r'&')[0] | query = req.env[r'QUERY_STRING'].partition(r'&')[0] | ||||
| query = query.partition(r';')[0] | query = query.partition(r';')[0] | ||||
| # Route it to a wire protocol handler if it looks like a wire protocol | # Route it to a wire protocol handler if it looks like a wire protocol | ||||
| # request. | # request. | ||||
| protohandler = wireprotoserver.parsehttprequest(rctx.repo, req, query) | protohandler = wireprotoserver.parsehttprequest(rctx, req, query, | ||||
| self.check_perm) | |||||
| if protohandler: | if protohandler: | ||||
| try: | try: | ||||
| if query: | if query: | ||||
| raise ErrorResponse(HTTP_NOT_FOUND) | raise ErrorResponse(HTTP_NOT_FOUND) | ||||
| # TODO fold this into parsehttprequest | return protohandler['dispatch']() | ||||
| checkperm = lambda op: self.check_perm(rctx, req, op) | |||||
| protohandler['proto'].checkperm = checkperm | |||||
| return protohandler['dispatch'](checkperm) | |||||
| except ErrorResponse as inst: | except ErrorResponse as inst: | ||||
| return protohandler['handleerror'](inst) | return protohandler['handleerror'](inst) | ||||
| # translate user-visible url structure to internal structure | # translate user-visible url structure to internal structure | ||||
| args = query.split('/', 2) | args = query.split('/', 2) | ||||
| if 'cmd' not in req.form and args and args[0]: | if 'cmd' not in req.form and args and args[0]: | ||||
| cmd = args.pop(0) | cmd = args.pop(0) | ||||
| op, args = pair.split(' ', 1) | op, args = pair.split(' ', 1) | ||||
| vals = {} | vals = {} | ||||
| for a in args.split(','): | for a in args.split(','): | ||||
| if a: | if a: | ||||
| n, v = a.split('=') | n, v = a.split('=') | ||||
| vals[unescapearg(n)] = unescapearg(v) | vals[unescapearg(n)] = unescapearg(v) | ||||
| func, spec = commands[op] | func, spec = commands[op] | ||||
| # If the protocol supports permissions checking, perform that | # Validate that client has permissions to perform this command. | ||||
| # checking on each batched command. | |||||
| # TODO formalize permission checking as part of protocol interface. | |||||
| if util.safehasattr(proto, 'checkperm'): | |||||
| perm = commands[op].permission | perm = commands[op].permission | ||||
| assert perm in ('push', 'pull') | assert perm in ('push', 'pull') | ||||
| proto.checkperm(perm) | proto.checkperm(perm) | ||||
| if spec: | if spec: | ||||
| keys = spec.split() | keys = spec.split() | ||||
| data = {} | data = {} | ||||
| for k in keys: | for k in keys: | ||||
| if k == '*': | if k == '*': | ||||
| star = {} | star = {} | ||||
| for key in vals.keys(): | for key in vals.keys(): | ||||
| if v is None: | if v is None: | ||||
| break | break | ||||
| chunks.append(pycompat.bytesurl(v)) | chunks.append(pycompat.bytesurl(v)) | ||||
| i += 1 | i += 1 | ||||
| return ''.join(chunks) | return ''.join(chunks) | ||||
| class httpv1protocolhandler(wireprototypes.baseprotocolhandler): | class httpv1protocolhandler(wireprototypes.baseprotocolhandler): | ||||
| def __init__(self, req, ui): | def __init__(self, req, ui, checkperm): | ||||
| self._req = req | self._req = req | ||||
| self._ui = ui | self._ui = ui | ||||
| self._checkperm = checkperm | |||||
| @property | @property | ||||
| def name(self): | def name(self): | ||||
| return 'http-v1' | return 'http-v1' | ||||
| def getargs(self, args): | def getargs(self, args): | ||||
| knownargs = self._args() | knownargs = self._args() | ||||
| data = {} | data = {} | ||||
| compengines = wireproto.supportedcompengines(repo.ui, util.SERVERROLE) | compengines = wireproto.supportedcompengines(repo.ui, util.SERVERROLE) | ||||
| if compengines: | if compengines: | ||||
| comptypes = ','.join(urlreq.quote(e.wireprotosupport().name) | comptypes = ','.join(urlreq.quote(e.wireprotosupport().name) | ||||
| for e in compengines) | for e in compengines) | ||||
| caps.append('compression=%s' % comptypes) | caps.append('compression=%s' % comptypes) | ||||
| return caps | return caps | ||||
| def checkperm(self, perm): | |||||
| return self._checkperm(perm) | |||||
| # This method exists mostly so that extensions like remotefilelog can | # This method exists mostly so that extensions like remotefilelog can | ||||
| # disable a kludgey legacy method only over http. As of early 2018, | # disable a kludgey legacy method only over http. As of early 2018, | ||||
| # there are no other known users, so with any luck we can discard this | # there are no other known users, so with any luck we can discard this | ||||
| # hook if remotefilelog becomes a first-party extension. | # hook if remotefilelog becomes a first-party extension. | ||||
| def iscmd(cmd): | def iscmd(cmd): | ||||
| return cmd in wireproto.commands | return cmd in wireproto.commands | ||||
| def parsehttprequest(repo, req, query): | def parsehttprequest(rctx, req, query, checkperm): | ||||
| """Parse the HTTP request for a wire protocol request. | """Parse the HTTP request for a wire protocol request. | ||||
| If the current request appears to be a wire protocol request, this | If the current request appears to be a wire protocol request, this | ||||
| function returns a dict with details about that request, including | function returns a dict with details about that request, including | ||||
| an ``abstractprotocolserver`` instance suitable for handling the | an ``abstractprotocolserver`` instance suitable for handling the | ||||
| request. Otherwise, ``None`` is returned. | request. Otherwise, ``None`` is returned. | ||||
| ``req`` is a ``wsgirequest`` instance. | ``req`` is a ``wsgirequest`` instance. | ||||
| """ | """ | ||||
| repo = rctx.repo | |||||
| # HTTP version 1 wire protocol requests are denoted by a "cmd" query | # HTTP version 1 wire protocol requests are denoted by a "cmd" query | ||||
| # string parameter. If it isn't present, this isn't a wire protocol | # string parameter. If it isn't present, this isn't a wire protocol | ||||
| # request. | # request. | ||||
| if 'cmd' not in req.form: | if 'cmd' not in req.form: | ||||
| return None | return None | ||||
| cmd = req.form['cmd'][0] | cmd = req.form['cmd'][0] | ||||
| # The "cmd" request parameter is used by both the wire protocol and hgweb. | # The "cmd" request parameter is used by both the wire protocol and hgweb. | ||||
| # While not all wire protocol commands are available for all transports, | # While not all wire protocol commands are available for all transports, | ||||
| # if we see a "cmd" value that resembles a known wire protocol command, we | # if we see a "cmd" value that resembles a known wire protocol command, we | ||||
| # route it to a protocol handler. This is better than routing possible | # route it to a protocol handler. This is better than routing possible | ||||
| # wire protocol requests to hgweb because it prevents hgweb from using | # wire protocol requests to hgweb because it prevents hgweb from using | ||||
| # known wire protocol commands and it is less confusing for machine | # known wire protocol commands and it is less confusing for machine | ||||
| # clients. | # clients. | ||||
| if not iscmd(cmd): | if not iscmd(cmd): | ||||
| return None | return None | ||||
| proto = httpv1protocolhandler(req, repo.ui) | proto = httpv1protocolhandler(req, repo.ui, | ||||
| lambda perm: checkperm(rctx, req, perm)) | |||||
| return { | return { | ||||
| 'cmd': cmd, | 'cmd': cmd, | ||||
| 'proto': proto, | 'proto': proto, | ||||
| 'dispatch': lambda checkperm: _callhttp(repo, req, proto, cmd, | 'dispatch': lambda: _callhttp(repo, req, proto, cmd), | ||||
| checkperm), | |||||
| 'handleerror': lambda ex: _handlehttperror(ex, req, cmd), | 'handleerror': lambda ex: _handlehttperror(ex, req, cmd), | ||||
| } | } | ||||
| def _httpresponsetype(ui, req, prefer_uncompressed): | def _httpresponsetype(ui, req, prefer_uncompressed): | ||||
| """Determine the appropriate response type and compression settings. | """Determine the appropriate response type and compression settings. | ||||
| Returns a tuple of (mediatype, compengine, engineopts). | Returns a tuple of (mediatype, compengine, engineopts). | ||||
| """ | """ | ||||
| # legacy protocol. | # legacy protocol. | ||||
| # Don't allow untrusted settings because disabling compression or | # Don't allow untrusted settings because disabling compression or | ||||
| # setting a very high compression level could lead to flooding | # setting a very high compression level could lead to flooding | ||||
| # the server's network or CPU. | # the server's network or CPU. | ||||
| opts = {'level': ui.configint('server', 'zliblevel')} | opts = {'level': ui.configint('server', 'zliblevel')} | ||||
| return HGTYPE, util.compengines['zlib'], opts | return HGTYPE, util.compengines['zlib'], opts | ||||
| def _callhttp(repo, req, proto, cmd, checkperm): | def _callhttp(repo, req, proto, cmd): | ||||
| def genversion2(gen, engine, engineopts): | def genversion2(gen, engine, engineopts): | ||||
| # application/mercurial-0.2 always sends a payload header | # application/mercurial-0.2 always sends a payload header | ||||
| # identifying the compression engine. | # identifying the compression engine. | ||||
| name = engine.wireprotosupport().name | name = engine.wireprotosupport().name | ||||
| assert 0 < len(name) < 256 | assert 0 < len(name) < 256 | ||||
| yield struct.pack('B', len(name)) | yield struct.pack('B', len(name)) | ||||
| yield name | yield name | ||||
| for chunk in gen: | for chunk in gen: | ||||
| yield chunk | yield chunk | ||||
| if not wireproto.commands.commandavailable(cmd, proto): | if not wireproto.commands.commandavailable(cmd, proto): | ||||
| req.respond(HTTP_OK, HGERRTYPE, | req.respond(HTTP_OK, HGERRTYPE, | ||||
| body=_('requested wire protocol command is not available ' | body=_('requested wire protocol command is not available ' | ||||
| 'over HTTP')) | 'over HTTP')) | ||||
| return [] | return [] | ||||
| checkperm(wireproto.commands[cmd].permission) | proto.checkperm(wireproto.commands[cmd].permission) | ||||
| rsp = wireproto.dispatch(repo, proto, cmd) | rsp = wireproto.dispatch(repo, proto, cmd) | ||||
| if isinstance(rsp, bytes): | if isinstance(rsp, bytes): | ||||
| req.respond(HTTP_OK, HGTYPE, body=rsp) | req.respond(HTTP_OK, HGTYPE, body=rsp) | ||||
| return [] | return [] | ||||
| elif isinstance(rsp, wireprototypes.bytesresponse): | elif isinstance(rsp, wireprototypes.bytesresponse): | ||||
| req.respond(HTTP_OK, HGTYPE, body=rsp.data) | req.respond(HTTP_OK, HGTYPE, body=rsp.data) | ||||
| def client(self): | def client(self): | ||||
| client = encoding.environ.get('SSH_CLIENT', '').split(' ', 1)[0] | client = encoding.environ.get('SSH_CLIENT', '').split(' ', 1)[0] | ||||
| return 'remote:ssh:' + client | return 'remote:ssh:' + client | ||||
| def addcapabilities(self, repo, caps): | def addcapabilities(self, repo, caps): | ||||
| return caps | return caps | ||||
| def checkperm(self, perm): | |||||
| pass | |||||
| class sshv2protocolhandler(sshv1protocolhandler): | class sshv2protocolhandler(sshv1protocolhandler): | ||||
| """Protocol handler for version 2 of the SSH protocol.""" | """Protocol handler for version 2 of the SSH protocol.""" | ||||
| @property | @property | ||||
| def name(self): | def name(self): | ||||
| return wireprototypes.SSHV2 | return wireprototypes.SSHV2 | ||||
| def _runsshserver(ui, repo, fin, fout, ev): | def _runsshserver(ui, repo, fin, fout, ev): | ||||
| @abc.abstractmethod | @abc.abstractmethod | ||||
| def addcapabilities(self, repo, caps): | def addcapabilities(self, repo, caps): | ||||
| """Adds advertised capabilities specific to this protocol. | """Adds advertised capabilities specific to this protocol. | ||||
| Receives the list of capabilities collected so far. | Receives the list of capabilities collected so far. | ||||
| Returns a list of capabilities. The passed in argument can be returned. | Returns a list of capabilities. The passed in argument can be returned. | ||||
| """ | """ | ||||
| @abc.abstractmethod | |||||
| def checkperm(self, perm): | |||||
| """Validate that the client has permissions to perform a request. | |||||
| The argument is the permission required to proceed. If the client | |||||
| doesn't have that permission, the exception should raise or abort | |||||
| in a protocol specific manner. | |||||
| """ | |||||
| def __init__(self, args): | def __init__(self, args): | ||||
| self.args = args | self.args = args | ||||
| def getargs(self, spec): | def getargs(self, spec): | ||||
| args = self.args | args = self.args | ||||
| args.setdefault(b'*', {}) | args.setdefault(b'*', {}) | ||||
| names = spec.split() | names = spec.split() | ||||
| return [args[n] for n in names] | return [args[n] for n in names] | ||||
| def checkperm(self, perm): | |||||
| pass | |||||
| class clientpeer(wireproto.wirepeer): | class clientpeer(wireproto.wirepeer): | ||||
| def __init__(self, serverrepo): | def __init__(self, serverrepo): | ||||
| self.serverrepo = serverrepo | self.serverrepo = serverrepo | ||||
| @property | @property | ||||
| def ui(self): | def ui(self): | ||||
| return self.serverrepo.ui | return self.serverrepo.ui | ||||