| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 1 | package dockerimg |
| 2 | |
| 3 | import ( |
| Philip Zeyliger | 51e8e2b | 2025-05-09 21:41:12 +0000 | [diff] [blame] | 4 | "context" |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 5 | "crypto/subtle" |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 6 | "fmt" |
| 7 | "log/slog" |
| 8 | "net/http" |
| 9 | "net/http/cgi" |
| Josh Bleecher Snyder | 784d5bd | 2025-07-11 00:09:30 +0000 | [diff] [blame] | 10 | "os" |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 11 | "os/exec" |
| Josh Bleecher Snyder | 784d5bd | 2025-07-11 00:09:30 +0000 | [diff] [blame] | 12 | "path/filepath" |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 13 | "runtime" |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 14 | "strings" |
| Philip Zeyliger | 51e8e2b | 2025-05-09 21:41:12 +0000 | [diff] [blame] | 15 | "time" |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 16 | ) |
| 17 | |
| 18 | type gitHTTP struct { |
| 19 | gitRepoRoot string |
| Josh Bleecher Snyder | 9f6a998 | 2025-04-22 17:34:15 -0700 | [diff] [blame] | 20 | pass []byte |
| Josh Bleecher Snyder | 9957046 | 2025-05-05 10:26:14 -0700 | [diff] [blame] | 21 | browserC chan bool // browser launch requests |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 22 | } |
| 23 | |
| 24 | func (g *gitHTTP) ServeHTTP(w http.ResponseWriter, r *http.Request) { |
| 25 | defer func() { |
| 26 | if err := recover(); err != nil { |
| 27 | slog.ErrorContext(r.Context(), "gitHTTP.ServeHTTP panic", slog.Any("recovered_err", err)) |
| 28 | |
| 29 | // Return an error response to the client |
| 30 | http.Error(w, fmt.Sprintf("panic: %v\n", err), http.StatusInternalServerError) |
| 31 | } |
| 32 | }() |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 33 | |
| 34 | // Get the Authorization header |
| 35 | username, password, ok := r.BasicAuth() |
| 36 | |
| 37 | // Check if credentials were provided |
| 38 | if !ok { |
| 39 | // No credentials provided, return 401 Unauthorized |
| 40 | w.Header().Set("WWW-Authenticate", `Basic realm="Sketch Git Repository"`) |
| 41 | http.Error(w, "Unauthorized", http.StatusUnauthorized) |
| 42 | slog.InfoContext(r.Context(), "githttp: denied (basic auth)", "remote addr", r.RemoteAddr) |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 43 | return |
| 44 | } |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 45 | |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 46 | // Check if credentials are valid |
| Josh Bleecher Snyder | 9f6a998 | 2025-04-22 17:34:15 -0700 | [diff] [blame] | 47 | if username != "sketch" || subtle.ConstantTimeCompare([]byte(password), g.pass) != 1 { |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 48 | w.Header().Set("WWW-Authenticate", `Basic realm="Git Repository"`) |
| 49 | http.Error(w, "Unauthorized", http.StatusUnauthorized) |
| 50 | slog.InfoContext(r.Context(), "githttp: denied (basic auth)", "remote addr", r.RemoteAddr) |
| 51 | return |
| 52 | } |
| 53 | |
| Josh Bleecher Snyder | 3e2111b | 2025-04-30 17:53:28 +0000 | [diff] [blame] | 54 | // TODO: real mux? |
| 55 | if strings.HasPrefix(r.URL.Path, "/browser") { |
| 56 | if r.Method != http.MethodPost { |
| 57 | http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) |
| 58 | return |
| 59 | } |
| Josh Bleecher Snyder | 3e2111b | 2025-04-30 17:53:28 +0000 | [diff] [blame] | 60 | defer r.Body.Close() |
| Josh Bleecher Snyder | 9957046 | 2025-05-05 10:26:14 -0700 | [diff] [blame] | 61 | |
| Josh Bleecher Snyder | 3e2111b | 2025-04-30 17:53:28 +0000 | [diff] [blame] | 62 | select { |
| Josh Bleecher Snyder | 9957046 | 2025-05-05 10:26:14 -0700 | [diff] [blame] | 63 | case g.browserC <- true: |
| 64 | slog.InfoContext(r.Context(), "open browser requested") |
| Josh Bleecher Snyder | 3e2111b | 2025-04-30 17:53:28 +0000 | [diff] [blame] | 65 | w.WriteHeader(http.StatusOK) |
| 66 | default: |
| 67 | http.Error(w, "Too many browser launch requests", http.StatusTooManyRequests) |
| 68 | } |
| 69 | return |
| 70 | } |
| 71 | |
| Philip Zeyliger | 5e227dd | 2025-04-21 15:55:29 -0700 | [diff] [blame] | 72 | if runtime.GOOS == "darwin" { |
| 73 | // On the Mac, Docker connections show up from localhost. On Linux, the docker |
| 74 | // network is more arbitrary, so we don't do this additional check there. |
| 75 | if !strings.HasPrefix(r.RemoteAddr, "127.0.0.1:") { |
| 76 | slog.InfoContext(r.Context(), "githttp: denied", "remote addr", r.RemoteAddr) |
| 77 | http.Error(w, "no", http.StatusUnauthorized) |
| 78 | return |
| 79 | } |
| 80 | } |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 81 | gitBin, err := exec.LookPath("git") |
| 82 | if err != nil { |
| 83 | http.Error(w, "no git: "+err.Error(), http.StatusInternalServerError) |
| 84 | return |
| 85 | } |
| 86 | |
| Philip Zeyliger | c898abf | 2025-06-04 16:33:57 +0000 | [diff] [blame] | 87 | // Check if this is a .git/info/refs request for git-upload-pack service (which happens during git fetch) |
| Philip Zeyliger | 222bf41 | 2025-06-04 16:42:58 +0000 | [diff] [blame] | 88 | // Use `GIT_CURL_VERBOSE=1 git fetch origin` to inspect what's going on under the covers for git. |
| Philip Zeyliger | c898abf | 2025-06-04 16:33:57 +0000 | [diff] [blame] | 89 | if r.Method == http.MethodGet && strings.Contains(r.URL.Path, ".git/info/refs") && r.URL.Query().Get("service") == "git-upload-pack" { |
| Philip Zeyliger | 51e8e2b | 2025-05-09 21:41:12 +0000 | [diff] [blame] | 90 | slog.InfoContext(r.Context(), "detected git info/refs request, running git fetch origin") |
| 91 | |
| 92 | // Create a context with a 5 second timeout |
| 93 | ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second) |
| 94 | defer cancel() |
| 95 | |
| 96 | // Run git fetch origin in the background |
| 97 | cmd := exec.CommandContext(ctx, gitBin, "fetch", "origin") |
| 98 | cmd.Dir = g.gitRepoRoot |
| 99 | |
| 100 | // Execute the command |
| 101 | output, err := cmd.CombinedOutput() |
| 102 | if err != nil { |
| 103 | slog.WarnContext(r.Context(), "git fetch failed", |
| 104 | "error", err, |
| 105 | "output", string(output)) |
| 106 | // We don't return here, continue with normal processing |
| 107 | } else { |
| 108 | slog.InfoContext(r.Context(), "git fetch completed successfully") |
| 109 | } |
| 110 | } |
| 111 | |
| Josh Bleecher Snyder | 784d5bd | 2025-07-11 00:09:30 +0000 | [diff] [blame] | 112 | // Dumb hack for bare repos: if the path starts with .git, and there is no .git, strip it off. |
| 113 | path := r.URL.Path |
| 114 | if _, err := os.Stat(filepath.Join(g.gitRepoRoot, path)); os.IsNotExist(err) { |
| 115 | path = strings.TrimPrefix(path, "/.git") // turn /.git/info/refs into /info/refs |
| 116 | } |
| 117 | |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 118 | w.Header().Set("Cache-Control", "no-cache") |
| 119 | h := &cgi.Handler{ |
| 120 | Path: gitBin, |
| 121 | Args: []string{"http-backend"}, |
| 122 | Dir: g.gitRepoRoot, |
| 123 | Env: []string{ |
| 124 | "GIT_PROJECT_ROOT=" + g.gitRepoRoot, |
| Josh Bleecher Snyder | 784d5bd | 2025-07-11 00:09:30 +0000 | [diff] [blame] | 125 | "PATH_INFO=" + path, |
| Earl Lee | 2e463fb | 2025-04-17 11:22:22 -0700 | [diff] [blame] | 126 | "QUERY_STRING=" + r.URL.RawQuery, |
| 127 | "REQUEST_METHOD=" + r.Method, |
| 128 | "GIT_HTTP_EXPORT_ALL=true", |
| 129 | "GIT_HTTP_ALLOW_REPACK=true", |
| 130 | "GIT_HTTP_ALLOW_PUSH=true", |
| 131 | "GIT_HTTP_VERBOSE=1", |
| 132 | }, |
| 133 | } |
| 134 | h.ServeHTTP(w, r) |
| 135 | } |