git_http.go

package web

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"errors"
	"fmt"
	"github.com/thomiceli/opengist/internal/utils"
	"net/http"
	"os"
	"os/exec"
	"path"
	"regexp"
	"strconv"
	"strings"
	"time"

	"github.com/google/uuid"
	"github.com/labstack/echo/v4"
	"github.com/rs/zerolog/log"
	"github.com/thomiceli/opengist/internal/auth"
	"github.com/thomiceli/opengist/internal/db"
	"github.com/thomiceli/opengist/internal/git"
	"github.com/thomiceli/opengist/internal/memdb"
	"gorm.io/gorm"
)

var routes = []struct {
	gitUrl  string
	method  string
	handler func(ctx echo.Context) error
}{
	{"(.*?)/git-upload-pack$", "POST", uploadPack},
	{"(.*?)/git-receive-pack$", "POST", receivePack},
	{"(.*?)/info/refs$", "GET", infoRefs},
	{"(.*?)/HEAD$", "GET", textFile},
	{"(.*?)/objects/info/alternates$", "GET", textFile},
	{"(.*?)/objects/info/http-alternates$", "GET", textFile},
	{"(.*?)/objects/info/packs$", "GET", infoPacks},
	{"(.*?)/objects/info/[^/]*$", "GET", textFile},
	{"(.*?)/objects/[0-9a-f]{2}/[0-9a-f]{38}$", "GET", looseObject},
	{"(.*?)/objects/pack/pack-[0-9a-f]{40}\\.pack$", "GET", packFile},
	{"(.*?)/objects/pack/pack-[0-9a-f]{40}\\.idx$", "GET", idxFile},
}

func gitHttp(ctx echo.Context) error {
	for _, route := range routes {
		matched, _ := regexp.MatchString(route.gitUrl, ctx.Request().URL.Path)
		if ctx.Request().Method == route.method && matched {
			if !strings.HasPrefix(ctx.Request().Header.Get("User-Agent"), "git/") {
				continue
			}

			gist := getData(ctx, "gist").(*db.Gist)

			isInit := strings.HasPrefix(ctx.Request().URL.Path, "/init/info/refs")
			isInitReceive := strings.HasPrefix(ctx.Request().URL.Path, "/init/git-receive-pack")
			isInfoRefs := strings.HasSuffix(route.gitUrl, "/info/refs$")
			isPull := ctx.QueryParam("service") == "git-upload-pack" ||
				strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
				ctx.Request().Method == "GET" && !isInfoRefs

			repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)
			if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
				if err != nil {
					log.Info().Err(err).Msg("Repository directory does not exist")
					return errorRes(404, "Repository directory does not exist", err)
				}
			}

			setData(ctx, "repositoryPath", repositoryPath)

			allow, err := auth.ShouldAllowUnauthenticatedGistAccess(ContextAuthInfo{ctx}, true)
			if err != nil {
				panic("impossible")
			}

			// Shows basic auth if :
			// - user wants to push the gist
			// - user wants to clone/pull a private gist
			// - gist is not found (obfuscation)
			// - admin setting to require login is set to true
			if isPull && gist.Private != db.PrivateVisibility && gist.ID != 0 && allow {
				return route.handler(ctx)
			}

			authHeader := ctx.Request().Header.Get("Authorization")
			if authHeader == "" {
				return basicAuth(ctx)
			}

			authFields := strings.Fields(authHeader)
			if len(authFields) != 2 || authFields[0] != "Basic" {
				return basicAuth(ctx)
			}

			authUsername, authPassword, err := basicAuthDecode(authFields[1])
			if err != nil {
				return basicAuth(ctx)
			}

			if !isInit && !isInitReceive {
				if gist.ID == 0 {
					return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
				}

				if ok, err := utils.Argon2id.Verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
					if err != nil {
						return errorRes(500, "Cannot verify password", err)
					}
					log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
					return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
				}
			} else {
				var user *db.User
				if user, err = db.GetUserByUsername(authUsername); err != nil {
					if !errors.Is(err, gorm.ErrRecordNotFound) {
						return errorRes(500, "Cannot get user", err)
					}
					log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
					return errorRes(401, "Invalid credentials", nil)
				}

				if ok, err := utils.Argon2id.Verify(authPassword, user.Password); !ok {
					if err != nil {
						return errorRes(500, "Cannot check for password", err)
					}
					log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
					return errorRes(401, "Invalid credentials", nil)
				}

				if isInit {
					gist = new(db.Gist)
					gist.UserID = user.ID
					gist.User = *user
					uuidGist, err := uuid.NewRandom()
					if err != nil {
						return errorRes(500, "Error creating an UUID", err)
					}
					gist.Uuid = strings.Replace(uuidGist.String(), "-", "", -1)
					gist.Title = "gist:" + gist.Uuid

					if err = gist.InitRepository(); err != nil {
						return errorRes(500, "Cannot init repository in the file system", err)
					}

					if err = gist.Create(); err != nil {
						return errorRes(500, "Cannot init repository in database", err)
					}

					if err := memdb.InsertGistInit(user.ID, gist); err != nil {
						return errorRes(500, "Cannot save the URL for the new Gist", err)
					}

					setData(ctx, "gist", gist)
				} else {
					gistFromMemdb, err := memdb.GetGistInitAndDelete(user.ID)
					if err != nil {
						return errorRes(500, "Cannot get the gist link from the in memory database", err)
					}

					gist := gistFromMemdb.Gist
					setData(ctx, "gist", gist)
					setData(ctx, "repositoryPath", git.RepositoryPath(gist.User.Username, gist.Uuid))
				}
			}

			return route.handler(ctx)
		}
	}
	return notFound("Gist not found")
}

func uploadPack(ctx echo.Context) error {
	return pack(ctx, "upload-pack")
}

func receivePack(ctx echo.Context) error {
	return pack(ctx, "receive-pack")
}

func pack(ctx echo.Context, serviceType string) error {
	noCacheHeaders(ctx)
	defer ctx.Request().Body.Close()

	if ctx.Request().Header.Get("Content-Type") != "application/x-git-"+serviceType+"-request" {
		return errorRes(401, "Git client unsupported", nil)
	}
	ctx.Response().Header().Set("Content-Type", "application/x-git-"+serviceType+"-result")

	var err error
	reqBody := ctx.Request().Body

	if ctx.Request().Header.Get("Content-Encoding") == "gzip" {
		reqBody, err = gzip.NewReader(reqBody)
		if err != nil {
			return errorRes(500, "Cannot create gzip reader", err)
		}
	}

	repositoryPath := getData(ctx, "repositoryPath").(string)
	gist := getData(ctx, "gist").(*db.Gist)

	var stderr bytes.Buffer
	cmd := exec.Command("git", serviceType, "--stateless-rpc", repositoryPath)
	cmd.Dir = repositoryPath
	cmd.Stdin = reqBody
	cmd.Stdout = ctx.Response().Writer
	cmd.Stderr = &stderr
	cmd.Env = os.Environ()
	cmd.Env = append(cmd.Env, "OPENGIST_REPOSITORY_URL_INTERNAL="+git.RepositoryUrl(ctx, gist.User.Username, gist.Identifier()))
	cmd.Env = append(cmd.Env, "OPENGIST_REPOSITORY_ID="+strconv.Itoa(int(gist.ID)))

	if err = cmd.Run(); err != nil {
		return errorRes(500, "Cannot run git "+serviceType+" ; "+stderr.String(), err)
	}

	return nil
}

func infoRefs(ctx echo.Context) error {
	noCacheHeaders(ctx)
	var service string

	gist := getData(ctx, "gist").(*db.Gist)

	serviceType := ctx.QueryParam("service")
	if strings.HasPrefix(serviceType, "git-") {
		service = strings.TrimPrefix(serviceType, "git-")
	}

	if service != "upload-pack" && service != "receive-pack" {
		if err := gist.UpdateServerInfo(); err != nil {
			return errorRes(500, "Cannot update server info", err)
		}
		return sendFile(ctx, "text/plain; charset=utf-8")
	}

	refs, err := gist.RPC(service)
	if err != nil {
		return errorRes(500, "Cannot run git "+service, err)
	}

	ctx.Response().Header().Set("Content-Type", "application/x-git-"+service+"-advertisement")
	ctx.Response().WriteHeader(200)
	_, _ = ctx.Response().Write(packetWrite("# service=git-" + service + "\n"))
	_, _ = ctx.Response().Write([]byte("0000"))
	_, _ = ctx.Response().Write(refs)

	return nil
}

func textFile(ctx echo.Context) error {
	noCacheHeaders(ctx)
	return sendFile(ctx, "text/plain")
}

func infoPacks(ctx echo.Context) error {
	cacheHeadersForever(ctx)
	return sendFile(ctx, "text/plain; charset=utf-8")
}

func looseObject(ctx echo.Context) error {
	cacheHeadersForever(ctx)
	return sendFile(ctx, "application/x-git-loose-object")
}

func packFile(ctx echo.Context) error {
	cacheHeadersForever(ctx)
	return sendFile(ctx, "application/x-git-packed-objects")
}

func idxFile(ctx echo.Context) error {
	cacheHeadersForever(ctx)
	return sendFile(ctx, "application/x-git-packed-objects-toc")
}

func noCacheHeaders(ctx echo.Context) {
	ctx.Response().Header().Set("Expires", "Thu, 01 Jan 1970 00:00:00 UTC")
	ctx.Response().Header().Set("Pragma", "no-cache")
	ctx.Response().Header().Set("Cache-Control", "no-cache, max-age=0, must-revalidate")
}

func cacheHeadersForever(ctx echo.Context) {
	now := time.Now().Unix()
	expires := now + 31536000
	ctx.Response().Header().Set("Date", fmt.Sprintf("%d", now))
	ctx.Response().Header().Set("Expires", fmt.Sprintf("%d", expires))
	ctx.Response().Header().Set("Cache-Control", "public, max-age=31536000")
}

func basicAuth(ctx echo.Context) error {
	ctx.Response().Header().Set("WWW-Authenticate", `Basic realm="."`)
	return plainText(ctx, 401, "Requires authentication")
}

func basicAuthDecode(encoded string) (string, string, error) {
	s, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", "", err
	}

	auth := strings.SplitN(string(s), ":", 2)
	return auth[0], auth[1], nil
}

func sendFile(ctx echo.Context, contentType string) error {
	gitFile := "/" + strings.Join(strings.Split(ctx.Request().URL.Path, "/")[3:], "/")
	gitFile = path.Join(getData(ctx, "repositoryPath").(string), gitFile)
	fi, err := os.Stat(gitFile)
	if os.IsNotExist(err) {
		return errorRes(404, "File not found", nil)
	}
	ctx.Response().Header().Set("Content-Type", contentType)
	ctx.Response().Header().Set("Content-Length", fmt.Sprintf("%d", fi.Size()))
	ctx.Response().Header().Set("Last-Modified", fi.ModTime().Format(http.TimeFormat))
	return ctx.File(gitFile)
}

func packetWrite(str string) []byte {
	s := strconv.FormatInt(int64(len(str)+4), 16)

	if len(s)%4 != 0 {
		s = strings.Repeat("0", 4-len(s)%4) + s
	}

	return []byte(s + str)
}