public override void OnAuthorization(AuthorizationContext filterContext) { base.OnAuthorization(filterContext); var repository = filterContext.Controller.ControllerContext.RouteData.Values["id"].ToString(); var user = filterContext.HttpContext.User.Identity.Name; if (RequiresRepositoryAdministrator) { if (!RepositoryPermissionService.IsRepositoryAdministrator(user, repository)) { filterContext.Result = new HttpUnauthorizedResult(); } } else { if (!RepositoryPermissionService.HasPermission(user, repository)) { if (!RepositoryPermissionService.AllowsAnonymous(repository)) { filterContext.Result = new HttpUnauthorizedResult(); } } } }
public ActionResult GitLfsBasicTransferUpload(string repositoryName, string oid) { bool authorized = RepositoryPermissionService.HasPermission(User.Id(), RepositoryRepository.GetRepository(repositoryName).Id, RepositoryAccessLevel.Pull); if (!authorized) { Response.StatusCode = 403; return(Content( Newtonsoft.Json.JsonConvert.SerializeObject(new BatchApiErrorResponse() { Message = "You do not have permission to PUSH (LFS upload)." }) , GitLfsConsts.GIT_LFS_CONTENT_TYPE)); } // If the object already exists, the client does not send it. But even if it does, we will still not replace it. if (!StorageProvider.Exists(repositoryName, oid)) { using (Stream destStream = StorageProvider.GetWriteStream(LfsOperationNames.UPLOAD, repositoryName, oid)) { Request.InputStream.CopyTo(destStream); destStream.Flush(); destStream.Close(); } } Response.StatusCode = 200; return(null); }
public ActionResult SecureGetInfoRefs(String repositoryName, String service) { bool isPush = String.Equals("git-receive-pack", service, StringComparison.OrdinalIgnoreCase); if (!RepositoryIsValid(repositoryName)) { // This isn't a real repo - but we might consider allowing creation if (isPush && UserConfiguration.Current.AllowPushToCreate) { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { return(UnauthorizedResult()); } if (!TryCreateOnPush(repositoryName)) { return(UnauthorizedResult()); } } else { return(new HttpNotFoundResult()); } } var requiredLevel = isPush ? RepositoryAccessLevel.Push : RepositoryAccessLevel.Pull; if (RepositoryPermissionService.HasPermission(User.Id(), repositoryName, requiredLevel)) { return(GetInfoRefs(repositoryName, service)); } else { return(UnauthorizedResult()); } }
private void InitialiseTestObjects() { _roles = new ADRoleProvider(); _teams = new ADTeamRepository(); _users = new ADMembershipServiceTestFacade(new ADMembershipService(), _testSupport); _repos = new ADRepositoryRepository(); _service = new RepositoryPermissionService(_repos, _roles, _teams); }
public ActionResult Create(RepositoryDetailModel model) { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { return(RedirectToAction("Unauthorized", "Home")); } bool isAControllerPath = false; if (model != null && !string.IsNullOrEmpty(model.Name)) { model.Name = Regex.Replace(model.Name, @"\s", ""); model.Name = model.Name.Replace('/', '\\'); var rootDir = model.Name.Split('\\').FirstOrDefault(); isAControllerPath = DoesControllerExistConstraint.DoesControllerExist(rootDir); } if (model != null && string.IsNullOrEmpty(model.Name)) { ModelState.AddModelError("Name", Resources.Repository_Create_NameFailure); } else if (model != null && !model.Name.Contains(".git")) { ModelState.AddModelError("Name", Resources.Repository_Create_NameExtensionFailure); } else if (model != null && isAControllerPath) { ModelState.AddModelError("Name", Resources.Repository_Create_IsAControllerNameFailure); } else if (ModelState.IsValid) { var repo_model = ConvertRepositoryDetailModel(model); if (RepositoryRepository.Create(repo_model)) { string path = Path.Combine(UserConfiguration.Current.Repositories, model.Name); if (!Directory.Exists(path)) { LibGit2Sharp.Repository.Init(path, true); TempData["CreateSuccess"] = true; TempData["SuccessfullyCreatedRepositoryName"] = model.Name; TempData["SuccessfullyCreatedRepositoryId"] = repo_model.Id; return(RedirectToAction("Index")); } else { RepositoryRepository.Delete(model.Id); ModelState.AddModelError("", Resources.Repository_Create_DirectoryExists); } } else { ModelState.AddModelError("", Resources.Repository_Create_Failure); } } PopulateCheckboxListData(ref model); return(View(model)); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, GitRequirement requirement) { if (context == null) { throw new ArgumentNullException(nameof(context)); } HttpContext httpContext = _httpContextAccessor.HttpContext; string incomingRepoName = GetRepoPath(httpContext.Request.Path, httpContext.Request.PathBase); string repoName = Repository.NormalizeRepositoryName(incomingRepoName, RepositoryRepository); // Add header to prevent redirection to login page even if we fail auth later (see IAuthenticationProvider.Configure) // If we don't fail auth later, then this is benign httpContext.Request.Headers.Add("AuthNoRedirect", "1"); if (context.User != null && context.User.Identity.IsAuthenticated && context.User.Identity is ClaimsIdentity) { // We already have a claims id, we don't need to worry about the rest of these checks Log.Verbose("GitAuth: User {username} already has identity", httpContext.User.DisplayName()); context.Succeed(requirement); return(Task.FromResult(0)); } string authHeader = httpContext.Request.Headers["Authorization"]; if (String.IsNullOrEmpty(authHeader)) { // We don't have an auth header, but if we're doing an anonymous operation, that's OK if (RepositoryPermissionService.HasPermission(Guid.Empty, repoName, RepositoryAccessLevel.Pull)) { // Allow this through. If it turns out they're actually trying to do an anon push and that's not allowed for this repo // then the GitController will reject them in there Log.Information("GitAuth: No auth header, anon operation may be allowed"); context.Succeed(requirement); return(Task.FromResult(0)); } else { // If we're not even allowed to do an anonymous pull, then we should bounce this now, // and tell the other end to try again with an auth header included next time httpContext.Response.Headers.Add("WWW-Authenticate", "Basic realm=\"Bonobo Git\""); context.Fail(); Log.Warning("GitAuth: No auth header, anon operations not allowed"); return(Task.FromResult(0)); } } // Process the auth header and see if we've been given valid credentials if (!IsUserAuthorized(authHeader, httpContext)) { context.Fail(); } return(Task.FromResult(0)); }
protected void InitialiseTestObjects() { _teams = new EFTeamRepository(() => _connection.GetContext()); _users = new EFMembershipService(() => _connection.GetContext()); _repos = new EFRepositoryRepository(() => _connection.GetContext()); _roles = new EFRoleProvider(() => _connection.GetContext()); _service = new RepositoryPermissionService(_repos, _roles, _teams); new AutomaticUpdater().RunWithContext(_connection.GetContext(), Substitute.For <IAuthenticationProvider>()); }
public ActionResult SecureUploadPack(String project) { if (RepositoryPermissionService.HasPermission(User.Id(), project) || RepositoryPermissionService.AllowsAnonymous(project)) { return(ExecuteUploadPack(project)); } else { return(UnauthorizedResult()); } }
public ActionResult SecureReceivePack(String project) { if (RepositoryPermissionService.HasPermission(User.Id(), project) || (RepositoryPermissionService.AllowsAnonymous(project) && UserConfiguration.Current.AllowAnonymousPush)) { return(ExecuteReceivePack(project)); } else { return(UnauthorizedResult()); } }
public ActionResult SecureGetInfoRefs(String project, String service) { if (RepositoryPermissionService.HasPermission(User.Id(), project) || (RepositoryPermissionService.AllowsAnonymous(project) && (String.Equals("git-upload-pack", service, StringComparison.OrdinalIgnoreCase) || UserConfiguration.Current.AllowAnonymousPush))) { return(GetInfoRefs(project, service)); } else { return(UnauthorizedResult()); } }
public ActionResult Clone(Guid id) { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { return(RedirectToAction("Unauthorized", "Home")); } var model = ConvertRepositoryModel(RepositoryRepository.GetRepository(id), User); model.Name = ""; PopulateCheckboxListData(ref model); ViewBag.ID = id; return(View(model)); }
public ActionResult Detail(string id) { ViewBag.ID = id; if (!String.IsNullOrEmpty(id)) { var model = ConvertRepositoryModel(RepositoryRepository.GetRepository(id)); if (model != null) { model.IsCurrentUserAdministrator = RepositoryPermissionService.IsRepositoryAdministrator(User.Identity.Name, id); } return View(model); } return View(); }
public override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } HttpContextBase httpContext = filterContext.HttpContext; string incomingRepoName = GetRepoPath(httpContext.Request.Path, httpContext.Request.ApplicationPath); string repoName = Repository.NormalizeRepositoryName(incomingRepoName, RepositoryRepository); // Add header to prevent redirection to login page even if we fail auth later (see IAuthenticationProvider.Configure) // If we don't fail auth later, then this is benign httpContext.Request.Headers.Add("AuthNoRedirect", "1"); if (httpContext.Request.IsAuthenticated && httpContext.User != null && httpContext.User.Identity is System.Security.Claims.ClaimsIdentity) { // We already have a claims id, we don't need to worry about the rest of these checks return; } string authHeader = httpContext.Request.Headers["Authorization"]; if (String.IsNullOrEmpty(authHeader)) { // We don't have an auth header, but if we're doing an anonymous operation, that's OK if (RepositoryPermissionService.HasPermission(Guid.Empty, repoName, RepositoryAccessLevel.Pull)) { // Allow this through. If it turns out they're actually trying to do an anon push and that's not allowed for this repo // then the GitController will reject them in there return; } else { // If we're not even allowed to do an anonymous pull, then we should bounce this now, // and tell the other end to try again with an auth header included next time httpContext.Response.Headers.Add("WWW-Authenticate", "Basic realm=\"Bonobo Git\""); filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Unauthorized); return; } } // Process the auth header and see if we've been given valid credentials if (!IsUserAuthorized(authHeader, httpContext)) { filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Unauthorized); } }
public ActionResult Create() { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { return(RedirectToAction("Unauthorized", "Home")); } var model = new RepositoryDetailModel { Administrators = new UserModel[] { MembershipService.GetUserModel(User.Id()) }, }; PopulateCheckboxListData(ref model); return(View(model)); }
public ActionResult SecureUploadPack(String repositoryName) { if (!RepositoryIsValid(repositoryName)) { return(new HttpNotFoundResult()); } if (RepositoryPermissionService.HasPermission(User.Id(), repositoryName, RepositoryAccessLevel.Pull)) { return(ExecuteUploadPack(repositoryName)); } else { return(UnauthorizedResult()); } }
public ActionResult SecureReceivePack(String repositoryName) { if (!RepositoryIsValid(repositoryName)) { return(new HttpNotFoundResult()); } if (RepositoryPermissionService.HasPermission(User.Id(), repositoryName) || (RepositoryPermissionService.AllowsAnonymous(repositoryName) && UserConfiguration.Current.AllowAnonymousPush)) { return(ExecuteReceivePack(repositoryName)); } else { return(UnauthorizedResult()); } }
public ActionResult Create(RepositoryDetailModel model) { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { return(RedirectToAction("Unauthorized", "Home")); } if (model != null && !String.IsNullOrEmpty(model.Name)) { model.Name = Regex.Replace(model.Name, @"\s", ""); } if (model != null && String.IsNullOrEmpty(model.Name)) { ModelState.AddModelError("Name", Resources.Repository_Create_NameFailure); } else if (ModelState.IsValid) { var repo_model = ConvertRepositoryDetailModel(model); if (RepositoryRepository.Create(repo_model)) { string path = Path.Combine(UserConfiguration.Current.Repositories, model.Name); if (!Directory.Exists(path)) { LibGit2Sharp.Repository.Init(path, true); TempData["CreateSuccess"] = true; TempData["SuccessfullyCreatedRepositoryName"] = model.Name; TempData["SuccessfullyCreatedRepositoryId"] = repo_model.Id; return(RedirectToAction("Index")); } else { RepositoryRepository.Delete(model.Id); ModelState.AddModelError("", Resources.Repository_Create_DirectoryExists); } } else { ModelState.AddModelError("", Resources.Repository_Create_Failure); } } PopulateCheckboxListData(ref model); return(View(model)); }
public ActionResult Detail(Guid id) { ViewBag.ID = id; var model = ConvertRepositoryModel(RepositoryRepository.GetRepository(id)); if (model != null) { model.IsCurrentUserAdministrator = RepositoryPermissionService.HasPermission(User.Id(), model.Id, RepositoryAccessLevel.Administer); SetGitUrls(model); } using (var browser = new RepositoryBrowser(Path.Combine(UserConfiguration.Current.Repositories, model.Name))) { string defaultReferenceName; browser.BrowseTree(null, null, out defaultReferenceName); RouteData.Values.Add("encodedName", defaultReferenceName); } return(View(model)); }
public ActionResult GitLfsBasicTransferDownload(string repositoryName, string oid) { bool authorized = RepositoryPermissionService.HasPermission(User.Id(), RepositoryRepository.GetRepository(repositoryName).Id, RepositoryAccessLevel.Pull); if (!authorized) { Response.StatusCode = 403; return(Content( Newtonsoft.Json.JsonConvert.SerializeObject(new BatchApiErrorResponse() { Message = "You do not have permission to PULL (LFS download)." }) , GitLfsConsts.GIT_LFS_CONTENT_TYPE)); } Stream readStream = StorageProvider.GetReadStream(LfsOperationNames.DOWNLOAD, repositoryName, oid); return(File(readStream, "application/octet-stream")); }
public override void OnAuthorization(AuthorizationContext filterContext) { base.OnAuthorization(filterContext); var repository = filterContext.Controller.ControllerContext.RouteData.Values["id"].ToString(); var user = filterContext.HttpContext.User.Identity.Name; if (RequiresRepositoryAdministrator) { if (RepositoryPermissionService.IsRepositoryAdministrator(user, repository)) { return; } } else { if (RepositoryPermissionService.HasPermission(user, repository)) { return; } if (RepositoryPermissionService.AllowsAnonymous(repository)) { return; } } if (filterContext.HttpContext.User == null || !(filterContext.HttpContext.User.Identity is FormsIdentity) || !filterContext.HttpContext.User.Identity.IsAuthenticated) { filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "controller", "Home" }, { "action", "LogOn" }, { "returnUrl", filterContext.HttpContext.Request.Url.PathAndQuery } }); } else { filterContext.Result = new RedirectResult("~/Home/Unauthorized"); } }
public ActionResult SecureGetInfoRefs(String repositoryName, String service) { if (!RepositoryIsValid(repositoryName)) { return(new HttpNotFoundResult()); } bool isPush = String.Equals("git-receive-pack", service, StringComparison.OrdinalIgnoreCase); var requiredLevel = isPush ? RepositoryAccessLevel.Push : RepositoryAccessLevel.Pull; if (RepositoryPermissionService.HasPermission(User.Id(), repositoryName, requiredLevel)) { return(GetInfoRefs(repositoryName, service)); } else { return(UnauthorizedResult()); } }
public override void OnAuthorization(AuthorizationContext filterContext) { base.OnAuthorization(filterContext); if (!(filterContext.Result is HttpUnauthorizedResult)) { Guid repoId = Guid.Parse(filterContext.Controller.ControllerContext.RouteData.Values["id"].ToString()); Guid userId = filterContext.HttpContext.User.Id(); var requiredAccess = RequiresRepositoryAdministrator ? RepositoryAccessLevel.Administer : RepositoryAccessLevel.Push; if (RepositoryPermissionService.HasPermission(userId, repoId, requiredAccess)) { return; } filterContext.Result = new RedirectResult("~/Home/Unauthorized"); } }
public override void OnAuthorization(AuthorizationContext filterContext) { base.OnAuthorization(filterContext); if (!(filterContext.Result is HttpUnauthorizedResult)) { Guid repoId; var urlhelper = new UrlHelper(filterContext.RequestContext); if (Guid.TryParse(filterContext.Controller.ControllerContext.RouteData.Values["id"].ToString(), out repoId)) { Guid userId = filterContext.HttpContext.User.Id(); var requiredAccess = RequiresRepositoryAdministrator ? RepositoryAccessLevel.Administer : RepositoryAccessLevel.Push; if (RepositoryPermissionService.HasPermission(userId, repoId, requiredAccess)) { return; } filterContext.Result = new RedirectResult(urlhelper.Action("Unauthorized", "Home")); } else { var rd = filterContext.RequestContext.RouteData; var action = rd.GetRequiredString("action"); var controller = rd.GetRequiredString("controller"); if (action.Equals("index", StringComparison.OrdinalIgnoreCase) && controller.Equals("repository", StringComparison.OrdinalIgnoreCase)) { filterContext.Result = new RedirectResult(urlhelper.Action("Unauthorized", "Home")); } else { filterContext.Controller.TempData["RepositoryNotFound"] = true; filterContext.Result = new RedirectResult(urlhelper.Action("Index", "Repository")); } } } }
private ActionResult SecureGetInfoRefs(String repositoryName, String service) { bool isPush = String.Equals("git-receive-pack", service, StringComparison.OrdinalIgnoreCase); if (!RepositoryIsValid(repositoryName)) { // This isn't a real repo - but we might consider allowing creation if (isPush && UserConfiguration.Current.AllowPushToCreate) { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { Log.Warning("GitC: User {UserId} is not allowed to do push-to-create", User.Id()); return(UnauthorizedResult()); } if (!TryCreateOnPush(repositoryName)) { return(UnauthorizedResult()); } } else { return(new HttpNotFoundResult()); } } var requiredLevel = isPush ? RepositoryAccessLevel.Push : RepositoryAccessLevel.Pull; if (RepositoryPermissionService.HasPermission(User.Id(), repositoryName, requiredLevel)) { return(GetInfoRefs(repositoryName, service)); } else { Log.Warning("GitC: SecureGetInfoRefs unauth because User {UserId} doesn't have permission {Permission} on repo {RepositoryName}", User.Id(), requiredLevel, repositoryName); return(UnauthorizedResult()); } }
public ActionResult SecureGetInfoRefs(String repositoryName, String service) { if (!RepositoryIsValid(repositoryName)) { return(new HttpNotFoundResult()); } bool allowAnonClone = RepositoryPermissionService.AllowsAnonymous(repositoryName); bool hasPermission = RepositoryPermissionService.HasPermission(User.Id(), repositoryName); bool isClone = String.Equals("git-upload-pack", service, StringComparison.OrdinalIgnoreCase); bool isPush = String.Equals("git-receive-pack", service, StringComparison.OrdinalIgnoreCase); bool allowAnonPush = UserConfiguration.Current.AllowAnonymousPush; if (hasPermission || (allowAnonClone && isClone) || (allowAnonPush && isPush)) { return(GetInfoRefs(repositoryName, service)); } else { return(UnauthorizedResult()); } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, WebRequirement requirement) { Guid repoId; var urlhelper = new UrlHelper(_actionContextAccessor.ActionContext); if (Guid.TryParse(_actionContextAccessor.ActionContext.RouteData.Values["id"].ToString(), out repoId)) { Guid userId = context.User.Id(); var requiredAccess = RequiresRepositoryAdministrator ? RepositoryAccessLevel.Administer : RepositoryAccessLevel.Push; if (RepositoryPermissionService.HasPermission(userId, repoId, requiredAccess)) { context.Succeed(requirement); return(Task.FromResult(0)); } //filterContext.Result = new RedirectResult(urlhelper.Action("Unauthorized", "Home")); } else { var rd = _actionContextAccessor.ActionContext.RouteData; rd.Values.TryGetValue("action", out var action); rd.Values.TryGetValue("controller", out var controller); if (((string)action).Equals("index", StringComparison.OrdinalIgnoreCase) && ((string)controller).Equals("repository", StringComparison.OrdinalIgnoreCase)) { //filterContext.Result = new RedirectResult(urlhelper.Action("Unauthorized", "Home")); } else { //filterContext.Controller.TempData["RepositoryNotFound"] = true; //filterContext.Result = new RedirectResult(urlhelper.Action("Index", "Repository")); } } return(Task.FromResult(0)); }
public override void OnAuthorization(AuthorizationContext filterContext) { base.OnAuthorization(filterContext); if (!(filterContext.Result is HttpUnauthorizedResult)) { string repository = filterContext.Controller.ControllerContext.RouteData.Values["id"].ToString(); string user = filterContext.HttpContext.User.Id(); if (filterContext.HttpContext.User.IsInRole(Definitions.Roles.Administrator)) { return; } if (RequiresRepositoryAdministrator) { if (RepositoryPermissionService.IsRepositoryAdministrator(user, repository)) { return; } } else { if (RepositoryPermissionService.HasPermission(user, repository)) { return; } if (RepositoryPermissionService.AllowsAnonymous(repository)) { return; } } filterContext.Result = new RedirectResult("~/Home/Unauthorized"); } }
protected void InitialiseTestObjects() { _teams = new EFTeamRepository { CreateContext = () => _connection.GetContext() }; _users = new EFMembershipService { CreateContext = () => _connection.GetContext() }; _repos = new EFRepositoryRepository { CreateContext = () => _connection.GetContext() }; _roles = new EFRoleProvider { CreateContext = () => _connection.GetContext() }; _service = new RepositoryPermissionService { Repository = _repos, TeamRepository = _teams, RoleProvider = _roles }; new AutomaticUpdater().RunWithContext(_connection.GetContext()); }
private IEnumerable <RepositoryDetailModel> GetIndexModel() { return(RepositoryPermissionService.GetAllPermittedRepositories(User.Id(), RepositoryAccessLevel.Pull).Select(x => ConvertRepositoryModel(x, User)).ToList()); }
public ActionResult Clone(Guid id, RepositoryDetailModel model) { if (!RepositoryPermissionService.HasCreatePermission(User.Id())) { return(RedirectToAction("Unauthorized", "Home")); } if (model != null && !String.IsNullOrEmpty(model.Name)) { model.Name = Regex.Replace(model.Name, @"\s", ""); } if (model != null && String.IsNullOrEmpty(model.Name)) { ModelState.AddModelError("Name", Resources.Repository_Create_NameFailure); } else if (ModelState.IsValid) { var repo_model = ConvertRepositoryDetailModel(model); if (RepositoryRepository.Create(repo_model)) { string targetRepositoryPath = Path.Combine(UserConfiguration.Current.Repositories, model.Name); if (!Directory.Exists(targetRepositoryPath)) { var source_repo = RepositoryRepository.GetRepository(id); string sourceRepositoryPath = Path.Combine(UserConfiguration.Current.Repositories, source_repo.Name); LibGit2Sharp.CloneOptions options = new LibGit2Sharp.CloneOptions() { IsBare = true, Checkout = false }; LibGit2Sharp.Repository.Clone(sourceRepositoryPath, targetRepositoryPath, options); using (var repo = new LibGit2Sharp.Repository(targetRepositoryPath)) { if (repo.Network.Remotes.Any(r => r.Name == "origin")) { repo.Network.Remotes.Remove("origin"); } } TempData["CloneSuccess"] = true; return(RedirectToAction("Index")); } else { RepositoryRepository.Delete(model.Id); ModelState.AddModelError("", Resources.Repository_Create_DirectoryExists); } } else { ModelState.AddModelError("", Resources.Repository_Create_Failure); } } ViewBag.ID = id; PopulateCheckboxListData(ref model); return(View(model)); }