Simplify git-lfs-authenticate, rip out Gitolite

Zero dependencies for git-lfs-authenticate now. Not compatible with the LFS server. Assumes that any user who has access to the Git user, should have access to all repositories.
author: Rutger Broekhoff 2024-01-09 18:13:01 +0100
committer: Rutger Broekhoff 2024-01-09 18:13:01 +0100
commit: bc465de960aa5d53b28d51bd6bbead28433f2010 (patch)
tree: 2beb723462e122ad61a83eab04df2f682c2e7480 /cmd/git-lfs-authenticate/main.go
parent: 6345d7df02784887311a403ce1267fc4e82f13aa (diff)
download: gitolfs3-bc465de960aa5d53b28d51bd6bbead28433f2010.tar.gz
gitolfs3-bc465de960aa5d53b28d51bd6bbead28433f2010.zip
1 files changed, 55 insertions, 133 deletions
diff --git a/cmd/git-lfs-authenticate/main.go b/cmd/git-lfs-authenticate/main.go
index 3d2c1ea..3db0efe 100644
--- a/cmd/git-lfs-authenticate/main.go
+++ b/cmd/git-lfs-authenticate/main.go
@@ -2,91 +2,28 @@ package main
 import (
        "bytes"
-        "crypto/ed25519"
+        "crypto/hmac"
+        "crypto/sha256"
+        "encoding/binary"
        "encoding/hex"
        "encoding/json"
        "errors"
        "fmt"
        "io"
-        "net/url"
+        "io/fs"
        "os"
-        "os/exec"
        "path"
        "strings"
        "time"
-        "github.com/golang-jwt/jwt/v5"
-        "github.com/rs/xid"
 )
-type logger struct {
-        reqID string
-        time  time.Time
-        wc    io.WriteCloser
-}
-func newLogger(reqID string) *logger {
-        return &logger{reqID: reqID, time: time.Now()}
-}
-func (l *logger) writer() io.WriteCloser {
-        if l.wc == nil {
-                os.MkdirAll(".gitolfs3/logs/", 0o700) // Mode: drwx------
-                ts := l.time.Format("2006-01-02")
-                path := fmt.Sprintf(".gitolfs3/logs/gitolfs3-%s-%s.log", ts, l.reqID)
-                l.wc, _ = os.Create(path)
-        }
-        return l.wc
-}
-func (l *logger) logf(msg string, args ...any) {
-        fmt.Fprintf(l.writer(), msg, args...)
-}
-func (l *logger) close() {
-        if l.wc != nil {
-                l.wc.Close()
-        }
-}
 func die(msg string, args ...any) {
-        fmt.Fprint(os.Stderr, "Error: ")
+        fmt.Fprint(os.Stderr, "Fatal: ")
        fmt.Fprintf(os.Stderr, msg, args...)
        fmt.Fprint(os.Stderr, "\n")
        os.Exit(1)
 }
-func dieReqID(reqID string, msg string, args ...any) {
-        fmt.Fprint(os.Stderr, "Error: ")
-        fmt.Fprintf(os.Stderr, msg, args...)
-        fmt.Fprintf(os.Stderr, " (request ID: %s)\n", reqID)
-        os.Exit(1)
-}
-func getGitoliteAccess(logger *logger, reqID, path, user, gitolitePerm string) bool {
-        // gitolite access -q: returns only exit code
-        cmd := exec.Command("gitolite", "access", "-q", path, user, gitolitePerm)
-        err := cmd.Run()
-        permGranted := err == nil
-        var exitErr *exec.ExitError
-        if err != nil && !errors.As(err, &exitErr) {
-                logger.logf("Failed to query access information (%s): %s", cmd, err)
-                dieReqID(reqID, "failed to query access information")
-        }
-        return permGranted
-}
-type gitolfs3Claims struct {
-        Type       string `json:"type"`
-        Repository string `json:"repository"`
-        Permission string `json:"permission"`
-}
-type customClaims struct {
-        Gitolfs3 gitolfs3Claims `json:"gitolfs3"`
-        *jwt.RegisteredClaims
-}
 type authenticateResponse struct {
        // When providing href, the Git LFS client will use href as the base URL
        // instead of building the base URL using the Service Discovery mechanism.
@@ -97,7 +34,8 @@ type authenticateResponse struct {
        // In seconds.
        ExpiresIn int64 `json:"expires_in,omitempty"`
        // The expires_at (RFC3339) property could also be used, but we leave it
-        // out since we don't use it.
+        // out since we don't use it. The Git LFS docs recommend using expires_in
+        // instead (???)
 }
 func wipe(b []byte) {
@@ -106,7 +44,7 @@ func wipe(b []byte) {
        }
 }
-const usage = "Usage: git-lfs-authenticate <REPO> <OPERATION (upload/download)>"
+const usage = "Usage: git-lfs-authenticate <REPO> upload/download"
 func main() {
        // Even though not explicitly described in the Git LFS documentation, the
@@ -116,101 +54,85 @@ func main() {
        // code and print the error message in plain text to standard error. See
        // https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117
-        reqID := xid.New().String()
-        logger := newLogger(reqID)
        if len(os.Args) != 3 {
                fmt.Println(usage)
                os.Exit(1)
        }
-        repo := strings.TrimPrefix(strings.TrimSuffix(os.Args[1], ".git"), "/")
+        repo := strings.TrimPrefix(path.Clean(strings.TrimSuffix(os.Args[1], ".git")), "/")
        operation := os.Args[2]
        if operation != "download" && operation != "upload" {
                fmt.Println(usage)
                os.Exit(1)
        }
+        if repo == ".." || strings.HasPrefix(repo, "../") {
+                die("highly illegal repo name (Anzeige ist raus)")
+        }
-        repoHRefBaseStr := os.Getenv("REPO_HREF_BASE")
+        repoDir := path.Join(repo + ".git")
-        var repoHRefBase *url.URL
+        finfo, err := os.Stat(repoDir)
-        var err error
+        if err != nil {
-        if repoHRefBaseStr != "" {
+                if errors.Is(err, fs.ErrNotExist) {
-                if repoHRefBase, err = url.Parse(repoHRefBaseStr); err != nil {
+                        die("repo not found")
-                        logger.logf("Failed to parse URL in environment variable REPO_HREF_BASE: %s", err)
-                        dieReqID(reqID, "internal error")
                }
+                die("could not stat repo: %s", err)
+        }
+        if !finfo.IsDir() {
+                die("repo not found")
        }
-        user := os.Getenv("GL_USER")
+        hrefBase := os.Getenv("GITOLFS3_HREF_BASE")
-        if user == "" {
+        if hrefBase == "" {
-                logger.logf("Environment variable GL_USER is not set")
+                die("incomplete configuration: base URL not provided")
-                dieReqID(reqID, "internal error")
        }
+        if !strings.HasSuffix(hrefBase, "/") {
+                hrefBase += "/"
+        }
        keyPath := os.Getenv("GITOLFS3_KEY_PATH")
        if keyPath == "" {
-                logger.logf("Environment variable GITOLFS3_KEY_PATH is not set")
+                die("incomplete configuration: key path not provided")
-                dieReqID(reqID, "internal error")
        }
        keyStr, err := os.ReadFile(keyPath)
        if err != nil {
-                logger.logf("Cannot read key in GITOLFS3_KEY_PATH: %s", err)
+                wipe(keyStr)
-                dieReqID(reqID, "internal error")
+                die("cannot read key")
        }
        keyStr = bytes.TrimSpace(keyStr)
        defer wipe(keyStr)
+        if hex.DecodedLen(len(keyStr)) != 64 {
-        if hex.DecodedLen(len(keyStr)) != ed25519.SeedSize {
+                die("bad key length")
-                logger.logf("Fatal: provided private key (seed) is invalid: does not have expected length")
-                dieReqID(reqID, "internal error")
        }
+        key := make([]byte, 64)
-        seed := make([]byte, ed25519.SeedSize)
+        defer wipe(key)
-        defer wipe(seed)
+        if _, err = hex.Decode(key, keyStr); err != nil {
-        if _, err = hex.Decode(seed, keyStr); err != nil {
+                die("cannot decode key")
-                logger.logf("Fatal: cannot decode provided private key (seed): %s", err)
-                dieReqID(reqID, "internal error")
-        }
-        privateKey := ed25519.NewKeyFromSeed(seed)
-        if !getGitoliteAccess(logger, reqID, repo, user, "R") {
-                die("repository not found")
-        }
-        if operation == "upload" && !getGitoliteAccess(logger, reqID, repo, user, "W") {
-                // User has read access but no write access
-                die("forbidden")
        }
        expiresIn := time.Minute * 5
-        claims := customClaims{
+        expiresAtUnix := time.Now().Add(expiresIn).Unix()
-                Gitolfs3: gitolfs3Claims{
-                        Type:       "batch-api",
+        tag := hmac.New(sha256.New, key)
-                        Repository: repo,
+        io.WriteString(tag, "git-lfs-authenticate")
-                        Permission: operation,
+        tag.Write([]byte{0})
-                },
+        io.WriteString(tag, repo)
-                RegisteredClaims: &jwt.RegisteredClaims{
+        tag.Write([]byte{0})
-                        Subject:   user,
+        io.WriteString(tag, operation)
-                        IssuedAt:  jwt.NewNumericDate(time.Now()),
+        tag.Write([]byte{0})
-                        ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiresIn)),
+        binary.Write(tag, binary.BigEndian, &expiresAtUnix)
-                },
+        tagStr := hex.EncodeToString(tag.Sum(nil))
-        }
-        token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
-        ss, err := token.SignedString(privateKey)
-        if err != nil {
-                logger.logf("Fatal: failed to generate JWT: %s", err)
-                die("failed to generate token")
-        }
        response := authenticateResponse{
                Header: map[string]string{
-                        "Authorization": "Bearer " + ss,
+                        "Authorization": "Tag " + tagStr,
                },
                ExpiresIn: int64(expiresIn.Seconds()),
-        }
+                HRef: fmt.Sprintf("%s%s?p=1&te=%d",
-        if repoHRefBase != nil {
+                        hrefBase,
-                response.HRef = repoHRefBase.ResolveReference(&url.URL{
+                        path.Join(repo+".git", "/info/lfs"),
-                        Path: path.Join(repo+".git", "/info/lfs"),
+                        expiresAtUnix,
-                }).String()
+                ),
        }
        json.NewEncoder(os.Stdout).Encode(response)
 }
author	Rutger Broekhoff	2024-01-09 18:13:01 +0100
committer	Rutger Broekhoff	2024-01-09 18:13:01 +0100
commit	bc465de960aa5d53b28d51bd6bbead28433f2010 (patch)
tree	2beb723462e122ad61a83eab04df2f682c2e7480 /cmd/git-lfs-authenticate/main.go
parent	6345d7df02784887311a403ce1267fc4e82f13aa (diff)
download	gitolfs3-bc465de960aa5d53b28d51bd6bbead28433f2010.tar.gz gitolfs3-bc465de960aa5d53b28d51bd6bbead28433f2010.zip

diff --git a/cmd/git-lfs-authenticate/main.go b/cmd/git-lfs-authenticate/main.go index 3d2c1ea..3db0efe 100644 --- a/cmd/git-lfs-authenticate/main.go +++ b/cmd/git-lfs-authenticate/main.go
@@ -2,91 +2,28 @@ package main
2		2
3	import (	3	import (
4	"bytes"	4	"bytes"
5	"crypto/ed25519"	5	"crypto/hmac"
		6	"crypto/sha256"
		7	"encoding/binary"
6	"encoding/hex"	8	"encoding/hex"
7	"encoding/json"	9	"encoding/json"
8	"errors"	10	"errors"
9	"fmt"	11	"fmt"
10	"io"	12	"io"
11	"net/url"	13	"io/fs"
12	"os"	14	"os"
13	"os/exec"
14	"path"	15	"path"
15	"strings"	16	"strings"
16	"time"	17	"time"
17
18	"github.com/golang-jwt/jwt/v5"
19	"github.com/rs/xid"
20	)	18	)
21		19
22	type logger struct {
23	reqID string
24	time time.Time
25	wc io.WriteCloser
26	}
27
28	func newLogger(reqID string) *logger {
29	return &logger{reqID: reqID, time: time.Now()}
30	}
31
32	func (l *logger) writer() io.WriteCloser {
33	if l.wc == nil {
34	os.MkdirAll(".gitolfs3/logs/", 0o700) // Mode: drwx------
35	ts := l.time.Format("2006-01-02")
36	path := fmt.Sprintf(".gitolfs3/logs/gitolfs3-%s-%s.log", ts, l.reqID)
37	l.wc, _ = os.Create(path)
38	}
39	return l.wc
40	}
41
42	func (l *logger) logf(msg string, args ...any) {
43	fmt.Fprintf(l.writer(), msg, args...)
44	}
45
46	func (l *logger) close() {
47	if l.wc != nil {
48	l.wc.Close()
49	}
50	}
51
52	func die(msg string, args ...any) {	20	func die(msg string, args ...any) {
53	fmt.Fprint(os.Stderr, "Error: ")	21	fmt.Fprint(os.Stderr, "Fatal: ")
54	fmt.Fprintf(os.Stderr, msg, args...)	22	fmt.Fprintf(os.Stderr, msg, args...)
55	fmt.Fprint(os.Stderr, "\n")	23	fmt.Fprint(os.Stderr, "\n")
56	os.Exit(1)	24	os.Exit(1)
57	}	25	}
58		26
59	func dieReqID(reqID string, msg string, args ...any) {
60	fmt.Fprint(os.Stderr, "Error: ")
61	fmt.Fprintf(os.Stderr, msg, args...)
62	fmt.Fprintf(os.Stderr, " (request ID: %s)\n", reqID)
63	os.Exit(1)
64	}
65
66	func getGitoliteAccess(logger *logger, reqID, path, user, gitolitePerm string) bool {
67	// gitolite access -q: returns only exit code
68	cmd := exec.Command("gitolite", "access", "-q", path, user, gitolitePerm)
69	err := cmd.Run()
70	permGranted := err == nil
71	var exitErr *exec.ExitError
72	if err != nil && !errors.As(err, &exitErr) {
73	logger.logf("Failed to query access information (%s): %s", cmd, err)
74	dieReqID(reqID, "failed to query access information")
75	}
76	return permGranted
77	}
78
79	type gitolfs3Claims struct {
80	Type string `json:"type"`
81	Repository string `json:"repository"`
82	Permission string `json:"permission"`
83	}
84
85	type customClaims struct {
86	Gitolfs3 gitolfs3Claims `json:"gitolfs3"`
87	*jwt.RegisteredClaims
88	}
89
90	type authenticateResponse struct {	27	type authenticateResponse struct {
91	// When providing href, the Git LFS client will use href as the base URL	28	// When providing href, the Git LFS client will use href as the base URL
92	// instead of building the base URL using the Service Discovery mechanism.	29	// instead of building the base URL using the Service Discovery mechanism.
@@ -97,7 +34,8 @@ type authenticateResponse struct {
97	// In seconds.	34	// In seconds.
98	ExpiresIn int64 `json:"expires_in,omitempty"`	35	ExpiresIn int64 `json:"expires_in,omitempty"`
99	// The expires_at (RFC3339) property could also be used, but we leave it	36	// The expires_at (RFC3339) property could also be used, but we leave it
100	// out since we don't use it.	37	// out since we don't use it. The Git LFS docs recommend using expires_in
		38	// instead (???)
101	}	39	}
102		40
103	func wipe(b []byte) {	41	func wipe(b []byte) {
@@ -106,7 +44,7 @@ func wipe(b []byte) {
106	}	44	}
107	}	45	}
108		46
109	const usage = "Usage: git-lfs-authenticate <REPO> <OPERATION (upload/download)>"	47	const usage = "Usage: git-lfs-authenticate <REPO> upload/download"
110		48
111	func main() {	49	func main() {
112	// Even though not explicitly described in the Git LFS documentation, the	50	// Even though not explicitly described in the Git LFS documentation, the
@@ -116,101 +54,85 @@ func main() {
116	// code and print the error message in plain text to standard error. See	54	// code and print the error message in plain text to standard error. See
117	// https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117	55	// https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117
118		56
119	reqID := xid.New().String()
120	logger := newLogger(reqID)
121
122	if len(os.Args) != 3 {	57	if len(os.Args) != 3 {
123	fmt.Println(usage)	58	fmt.Println(usage)
124	os.Exit(1)	59	os.Exit(1)
125	}	60	}
126		61
127	repo := strings.TrimPrefix(strings.TrimSuffix(os.Args[1], ".git"), "/")	62	repo := strings.TrimPrefix(path.Clean(strings.TrimSuffix(os.Args[1], ".git")), "/")
128	operation := os.Args[2]	63	operation := os.Args[2]
129	if operation != "download" && operation != "upload" {	64	if operation != "download" && operation != "upload" {
130	fmt.Println(usage)	65	fmt.Println(usage)
131	os.Exit(1)	66	os.Exit(1)
132	}	67	}
		68	if repo == ".." \|\| strings.HasPrefix(repo, "../") {
		69	die("highly illegal repo name (Anzeige ist raus)")
		70	}
133		71
134	repoHRefBaseStr := os.Getenv("REPO_HREF_BASE")	72	repoDir := path.Join(repo + ".git")
135	var repoHRefBase *url.URL	73	finfo, err := os.Stat(repoDir)
136	var err error	74	if err != nil {
137	if repoHRefBaseStr != "" {	75	if errors.Is(err, fs.ErrNotExist) {
138	if repoHRefBase, err = url.Parse(repoHRefBaseStr); err != nil {	76	die("repo not found")
139	logger.logf("Failed to parse URL in environment variable REPO_HREF_BASE: %s", err)
140	dieReqID(reqID, "internal error")
141	}	77	}
		78	die("could not stat repo: %s", err)
		79	}
		80	if !finfo.IsDir() {
		81	die("repo not found")
142	}	82	}
143		83
144	user := os.Getenv("GL_USER")	84	hrefBase := os.Getenv("GITOLFS3_HREF_BASE")
145	if user == "" {	85	if hrefBase == "" {
146	logger.logf("Environment variable GL_USER is not set")	86	die("incomplete configuration: base URL not provided")
147	dieReqID(reqID, "internal error")
148	}	87	}
		88	if !strings.HasSuffix(hrefBase, "/") {
		89	hrefBase += "/"
		90	}
		91
149	keyPath := os.Getenv("GITOLFS3_KEY_PATH")	92	keyPath := os.Getenv("GITOLFS3_KEY_PATH")
150	if keyPath == "" {	93	if keyPath == "" {
151	logger.logf("Environment variable GITOLFS3_KEY_PATH is not set")	94	die("incomplete configuration: key path not provided")
152	dieReqID(reqID, "internal error")
153	}	95	}
		96
154	keyStr, err := os.ReadFile(keyPath)	97	keyStr, err := os.ReadFile(keyPath)
155	if err != nil {	98	if err != nil {
156	logger.logf("Cannot read key in GITOLFS3_KEY_PATH: %s", err)	99	wipe(keyStr)
157	dieReqID(reqID, "internal error")	100	die("cannot read key")
158	}	101	}
159	keyStr = bytes.TrimSpace(keyStr)	102	keyStr = bytes.TrimSpace(keyStr)
160	defer wipe(keyStr)	103	defer wipe(keyStr)
161		104	if hex.DecodedLen(len(keyStr)) != 64 {
162	if hex.DecodedLen(len(keyStr)) != ed25519.SeedSize {	105	die("bad key length")
163	logger.logf("Fatal: provided private key (seed) is invalid: does not have expected length")
164	dieReqID(reqID, "internal error")
165	}	106	}
166		107	key := make([]byte, 64)
167	seed := make([]byte, ed25519.SeedSize)	108	defer wipe(key)
168	defer wipe(seed)	109	if _, err = hex.Decode(key, keyStr); err != nil {
169	if _, err = hex.Decode(seed, keyStr); err != nil {	110	die("cannot decode key")
170	logger.logf("Fatal: cannot decode provided private key (seed): %s", err)
171	dieReqID(reqID, "internal error")
172	}
173	privateKey := ed25519.NewKeyFromSeed(seed)
174
175	if !getGitoliteAccess(logger, reqID, repo, user, "R") {
176	die("repository not found")
177	}
178	if operation == "upload" && !getGitoliteAccess(logger, reqID, repo, user, "W") {
179	// User has read access but no write access
180	die("forbidden")
181	}	111	}
182		112
183	expiresIn := time.Minute * 5	113	expiresIn := time.Minute * 5
184	claims := customClaims{	114	expiresAtUnix := time.Now().Add(expiresIn).Unix()
185	Gitolfs3: gitolfs3Claims{	115
186	Type: "batch-api",	116	tag := hmac.New(sha256.New, key)
187	Repository: repo,	117	io.WriteString(tag, "git-lfs-authenticate")
188	Permission: operation,	118	tag.Write([]byte{0})
189	},	119	io.WriteString(tag, repo)
190	RegisteredClaims: &jwt.RegisteredClaims{	120	tag.Write([]byte{0})
191	Subject: user,	121	io.WriteString(tag, operation)
192	IssuedAt: jwt.NewNumericDate(time.Now()),	122	tag.Write([]byte{0})
193	ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiresIn)),	123	binary.Write(tag, binary.BigEndian, &expiresAtUnix)
194	},	124	tagStr := hex.EncodeToString(tag.Sum(nil))
195	}
196
197	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
198	ss, err := token.SignedString(privateKey)
199	if err != nil {
200	logger.logf("Fatal: failed to generate JWT: %s", err)
201	die("failed to generate token")
202	}
203		125
204	response := authenticateResponse{	126	response := authenticateResponse{
205	Header: map[string]string{	127	Header: map[string]string{
206	"Authorization": "Bearer " + ss,	128	"Authorization": "Tag " + tagStr,
207	},	129	},
208	ExpiresIn: int64(expiresIn.Seconds()),	130	ExpiresIn: int64(expiresIn.Seconds()),
209	}	131	HRef: fmt.Sprintf("%s%s?p=1&te=%d",
210	if repoHRefBase != nil {	132	hrefBase,
211	response.HRef = repoHRefBase.ResolveReference(&url.URL{	133	path.Join(repo+".git", "/info/lfs"),
212	Path: path.Join(repo+".git", "/info/lfs"),	134	expiresAtUnix,
213	}).String()	135	),
214	}	136	}
215	json.NewEncoder(os.Stdout).Encode(response)	137	json.NewEncoder(os.Stdout).Encode(response)
216	}	138	}