2 files changed, 309 insertions, 133 deletions
diff --git a/cmd/git-lfs-authenticate/main.c b/cmd/git-lfs-authenticate/main.c
new file mode 100644
index 0000000..0f45e49
--- /dev/null
+++ b/cmd/git-lfs-authenticate/main.c
@@ -0,0 +1,254 @@
+#include <assert.h>
+#include <ctype.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+void die(const char *format, ...) {
+        fputs("Fatal: ", stderr);
+        va_list ap;
+        va_start(ap, format);
+        vfprintf(stderr, format, ap);
+        va_end(ap);
+        fputc('\n', stderr);
+        exit(EXIT_FAILURE);
+}
+#define USAGE "Usage: git-lfs-authenticate <REPO> upload/download"
+bool hasprefix(const char *str, const char *prefix) {
+        if (strlen(prefix) > strlen(str))
+                return false;
+        return !strncmp(str, prefix, strlen(prefix));
+}
+bool hassuffix(const char *str, const char *suffix) {
+        if (strlen(suffix) > strlen(str))
+                return false;
+        str += strlen(str) - strlen(suffix);
+        return !strcmp(str, suffix);
+}
+const char *trimspace(const char *str, size_t *length) {
+        while (*length > 0 && isspace(str[0])) {
+                str++; (*length)--;
+        }
+        while (*length > 0 && isspace(str[*length - 1]))
+                (*length)--;
+        return str;
+}
+void printescjson(const char *str) {
+        for (size_t i = 0; i < strlen(str); i++) {
+                switch (str[i]) {
+                case '"':  fputs("\\\"", stdout); break;
+                case '\\': fputs("\\\\", stdout); break;
+                case '\b': fputs("\\b",  stdout); break;
+                case '\f': fputs("\\f",  stdout); break;
+                case '\n': fputs("\\n",  stdout); break;
+                case '\r': fputs("\\r",  stdout); break;
+                case '\t': fputs("\\t",  stdout); break;
+                default:   fputc(str[i], stdout);
+                }
+        }
+}
+void checkrepopath(const char *path) {
+        if (strstr(path, "//") || strstr(path, "/./") || strstr(path, "/../")
+         || hasprefix(path, "./") || hasprefix(path, "../") || hasprefix(path, "/../"))
+                die("Bad repository name: is unresolved path");
+        if (strlen(path) > 100)
+                die("Bad repository name: longer than 100 characters");
+        if (hassuffix(path, "/"))
+                die("Bad repositry name: unexpected trailing slash");
+        if (hasprefix(path, "/"))
+                die("Bad repository name: unexpected absolute path");
+        if (!hassuffix(path, ".git"))
+                die("Bad repository name: expected '.git' repo path suffix");
+        struct stat statbuf;
+        if (stat(path, &statbuf)) {
+                if (errno == ENOENT)
+                        die("Repo not found");
+                die("Could not stat repo: %s", strerror(errno));
+        }
+        if (!S_ISDIR(statbuf.st_mode)) {
+                die("Repo not found");
+        }
+}
+char *readkeyfile(const char *path, size_t *len) {
+        FILE *f = fopen(path, "r");
+        if (!f)
+                die("Cannot read key file: %s", strerror(errno));
+        *len = 0;
+        size_t bufcap = 4096;
+        char *buf = malloc(bufcap);
+        while (!feof(f) && !ferror(f)) {
+                if (*len + 4096 > bufcap) {
+                        bufcap *= 2;
+                        buf = realloc(buf, bufcap);
+                }
+                *len += fread(buf + *len, sizeof(char), 4096, f);
+        }
+        if (ferror(f) && !feof(f)) {
+                OPENSSL_cleanse(buf, *len);
+                die("Failed to read key file (length: %lu)", *len);
+        }
+        fclose(f);
+        return buf;
+}
+#define KEYSIZE 64
+void readkey(const char *path, uint8_t dest[KEYSIZE]) {
+        size_t keybuf_len = 0;
+        char *keybuf = readkeyfile(path, &keybuf_len);
+        size_t keystr_len = keybuf_len;
+        const char *keystr = trimspace(keybuf, &keystr_len);
+        if (keystr_len != 2 * KEYSIZE) {
+                OPENSSL_cleanse(keybuf, keybuf_len);
+                die("Bad key length");
+        }
+        for (size_t i = 0; i < KEYSIZE; i++) {
+                const char c = keystr[i];
+                uint8_t nibble = 0;
+                if (c >= '0' && c <= '9')
+                        nibble = c - '0';
+                else if (c >= 'a' && c <= 'f')
+                        nibble = c - 'a' + 10;
+                else if (c >= 'A' && c <= 'F')
+                        nibble = c - 'A' + 10;
+                else {
+                        OPENSSL_cleanse(keybuf, keybuf_len);
+                        OPENSSL_cleanse(dest, KEYSIZE);
+                        die("Cannot decode key");
+                }
+                size_t ikey = i / 2;
+                if (i % 2) dest[ikey] |= nibble;
+                else dest[ikey] = nibble << 4;
+        }
+        OPENSSL_cleanse(keybuf, keybuf_len);
+        free(keybuf);
+}
+void u64tobe(uint64_t x, uint8_t b[8]) {
+        b[0] = (uint8_t)(x >> 56);
+        b[1] = (uint8_t)(x >> 48);
+        b[2] = (uint8_t)(x >> 40);
+        b[3] = (uint8_t)(x >> 32);
+        b[4] = (uint8_t)(x >> 24);
+        b[5] = (uint8_t)(x >> 16);
+        b[6] = (uint8_t)(x >>  8);
+        b[7] = (uint8_t)(x >>  0);
+}
+#define MAX_TAG_SIZE EVP_MAX_MD_SIZE
+typedef struct taginfo {
+        const char    *authtype;
+        const char    *repopath;
+        const char    *operation;
+        const int64_t  expiresat_s;
+} taginfo_t;
+void *memcat(void *dest, const void *src, size_t n) {
+        return memcpy(dest, src, n) + n;
+}
+void maketag(const taginfo_t info, uint8_t key[KEYSIZE], uint8_t dest[MAX_TAG_SIZE], uint32_t *len) {
+        uint8_t expiresat_b[8];
+        u64tobe(info.expiresat_s, expiresat_b);
+        const uint8_t zero[1] = { 0 };
+        const size_t fullsize = strlen(info.authtype) +
+                1 + strlen(info.repopath) +
+                1 + strlen(info.operation) +
+                1 + sizeof(expiresat_b);
+        uint8_t *claimbuf = alloca(fullsize);
+        uint8_t *head = claimbuf;
+        head = memcat(head, info.authtype, strlen(info.authtype));
+        head = memcat(head, zero, 1);
+        head = memcat(head, info.repopath, strlen(info.repopath));
+        head = memcat(head, zero, 1);
+        head = memcat(head, info.operation, strlen(info.operation));
+        head = memcat(head, zero, 1);
+        head = memcat(head, expiresat_b, sizeof(expiresat_b));
+        assert(head == claimbuf + fullsize);
+        memset(dest, 0, MAX_TAG_SIZE);
+        *len = 0;
+        if (!HMAC(EVP_sha256(), key, KEYSIZE, claimbuf, fullsize, dest, len)) {
+                OPENSSL_cleanse(key, KEYSIZE);
+                die("Failed to generate tag");
+        }
+}
+#define MAX_HEXTAG_STRLEN MAX_TAG_SIZE * 2
+void makehextag(const taginfo_t info, uint8_t key[KEYSIZE], char dest[MAX_HEXTAG_STRLEN + 1]) {
+        uint8_t rawtag[MAX_TAG_SIZE];
+        uint32_t rawtag_len;
+        maketag(info, key, rawtag, &rawtag_len);
+        memset(dest, 0, MAX_HEXTAG_STRLEN + 1);
+        for (size_t i = 0; i < rawtag_len; i++) {
+                uint8_t b = rawtag[i];
+                dest[i] = (b >> 4) + ((b >> 4) < 10 ? '0' : 'a');
+                dest[i + 1] = (b & 0x0F) + ((b & 0x0F) < 10 ? '0' : 'a');
+        }
+}
+int main(int argc, char *argv[]) {
+        if (argc != 3) {
+                puts(USAGE);
+                exit(EXIT_FAILURE);
+        }
+        const char *repopath  = argv[1];
+        const char *operation = argv[2];
+        if (strcmp(operation, "download") && strcmp(operation, "upload")) {
+                puts(USAGE);
+                exit(EXIT_FAILURE);
+        }
+        checkrepopath(repopath);
+        const char *hrefbase = getenv("GITOLFS3_HREF_BASE");
+        const char *keypath = getenv("GITOLFS3_KEY_PATH");
+        
+        if (!hrefbase || strlen(hrefbase) == 0)
+                die("Incomplete configuration: base URL not provided");
+        if (hrefbase[strlen(hrefbase) - 1] != '/')
+                die("Bad configuration: base URL should end with slash");
+        if (!keypath || strlen(keypath) == 0)
+                die("Incomplete configuration: key path not provided");
+        uint8_t key[64];
+        readkey(keypath, key);
+        int64_t expiresin_s = 5 * 60;
+        int64_t expiresat_s = (int64_t)time(NULL) + expiresin_s;
+        taginfo_t taginfo = {
+                .authtype    = "git-lfs-authenticate",
+                .repopath    = repopath,
+                .operation   = operation,
+                .expiresat_s = expiresat_s,
+        };
+        char hextag[MAX_HEXTAG_STRLEN + 1];
+        makehextag(taginfo, key, hextag);
+        printf("{\"header\":{\"Authorization\":\"Gitolfs3-Hmac-Sha256 %s\"},\"expires_in\":%ld,\"href\":\"", hextag, expiresin_s);
+        printescjson(hrefbase);
+        printescjson(repopath);
+        printf("/info/lfs?p=1&te=%ld\"}\n", expiresat_s);
+}
diff --git a/cmd/git-lfs-authenticate/main.go b/cmd/git-lfs-authenticate/main.go
index 3d2c1ea..3db0efe 100644
--- a/cmd/git-lfs-authenticate/main.go
+++ b/cmd/git-lfs-authenticate/main.go
@@ -2,91 +2,28 @@ package main
 import (
        "bytes"
-        "crypto/ed25519"
+        "crypto/hmac"
+        "crypto/sha256"
+        "encoding/binary"
        "encoding/hex"
        "encoding/json"
        "errors"
        "fmt"
        "io"
-        "net/url"
+        "io/fs"
        "os"
-        "os/exec"
        "path"
        "strings"
        "time"
-        "github.com/golang-jwt/jwt/v5"
-        "github.com/rs/xid"
 )
-type logger struct {
-        reqID string
-        time  time.Time
-        wc    io.WriteCloser
-}
-func newLogger(reqID string) *logger {
-        return &logger{reqID: reqID, time: time.Now()}
-}
-func (l *logger) writer() io.WriteCloser {
-        if l.wc == nil {
-                os.MkdirAll(".gitolfs3/logs/", 0o700) // Mode: drwx------
-                ts := l.time.Format("2006-01-02")
-                path := fmt.Sprintf(".gitolfs3/logs/gitolfs3-%s-%s.log", ts, l.reqID)
-                l.wc, _ = os.Create(path)
-        }
-        return l.wc
-}
-func (l *logger) logf(msg string, args ...any) {
-        fmt.Fprintf(l.writer(), msg, args...)
-}
-func (l *logger) close() {
-        if l.wc != nil {
-                l.wc.Close()
-        }
-}
 func die(msg string, args ...any) {
-        fmt.Fprint(os.Stderr, "Error: ")
+        fmt.Fprint(os.Stderr, "Fatal: ")
        fmt.Fprintf(os.Stderr, msg, args...)
        fmt.Fprint(os.Stderr, "\n")
        os.Exit(1)
 }
-func dieReqID(reqID string, msg string, args ...any) {
-        fmt.Fprint(os.Stderr, "Error: ")
-        fmt.Fprintf(os.Stderr, msg, args...)
-        fmt.Fprintf(os.Stderr, " (request ID: %s)\n", reqID)
-        os.Exit(1)
-}
-func getGitoliteAccess(logger *logger, reqID, path, user, gitolitePerm string) bool {
-        // gitolite access -q: returns only exit code
-        cmd := exec.Command("gitolite", "access", "-q", path, user, gitolitePerm)
-        err := cmd.Run()
-        permGranted := err == nil
-        var exitErr *exec.ExitError
-        if err != nil && !errors.As(err, &exitErr) {
-                logger.logf("Failed to query access information (%s): %s", cmd, err)
-                dieReqID(reqID, "failed to query access information")
-        }
-        return permGranted
-}
-type gitolfs3Claims struct {
-        Type       string `json:"type"`
-        Repository string `json:"repository"`
-        Permission string `json:"permission"`
-}
-type customClaims struct {
-        Gitolfs3 gitolfs3Claims `json:"gitolfs3"`
-        *jwt.RegisteredClaims
-}
 type authenticateResponse struct {
        // When providing href, the Git LFS client will use href as the base URL
        // instead of building the base URL using the Service Discovery mechanism.
@@ -97,7 +34,8 @@ type authenticateResponse struct {
        // In seconds.
        ExpiresIn int64 `json:"expires_in,omitempty"`
        // The expires_at (RFC3339) property could also be used, but we leave it
-        // out since we don't use it.
+        // out since we don't use it. The Git LFS docs recommend using expires_in
+        // instead (???)
 }
 func wipe(b []byte) {
@@ -106,7 +44,7 @@ func wipe(b []byte) {
        }
 }
-const usage = "Usage: git-lfs-authenticate <REPO> <OPERATION (upload/download)>"
+const usage = "Usage: git-lfs-authenticate <REPO> upload/download"
 func main() {
        // Even though not explicitly described in the Git LFS documentation, the
@@ -116,101 +54,85 @@ func main() {
        // code and print the error message in plain text to standard error. See
        // https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117
-        reqID := xid.New().String()
-        logger := newLogger(reqID)
        if len(os.Args) != 3 {
                fmt.Println(usage)
                os.Exit(1)
        }
-        repo := strings.TrimPrefix(strings.TrimSuffix(os.Args[1], ".git"), "/")
+        repo := strings.TrimPrefix(path.Clean(strings.TrimSuffix(os.Args[1], ".git")), "/")
        operation := os.Args[2]
        if operation != "download" && operation != "upload" {
                fmt.Println(usage)
                os.Exit(1)
        }
+        if repo == ".." || strings.HasPrefix(repo, "../") {
+                die("highly illegal repo name (Anzeige ist raus)")
+        }
-        repoHRefBaseStr := os.Getenv("REPO_HREF_BASE")
+        repoDir := path.Join(repo + ".git")
-        var repoHRefBase *url.URL
+        finfo, err := os.Stat(repoDir)
-        var err error
+        if err != nil {
-        if repoHRefBaseStr != "" {
+                if errors.Is(err, fs.ErrNotExist) {
-                if repoHRefBase, err = url.Parse(repoHRefBaseStr); err != nil {
+                        die("repo not found")
-                        logger.logf("Failed to parse URL in environment variable REPO_HREF_BASE: %s", err)
-                        dieReqID(reqID, "internal error")
                }
+                die("could not stat repo: %s", err)
+        }
+        if !finfo.IsDir() {
+                die("repo not found")
        }
-        user := os.Getenv("GL_USER")
+        hrefBase := os.Getenv("GITOLFS3_HREF_BASE")
-        if user == "" {
+        if hrefBase == "" {
-                logger.logf("Environment variable GL_USER is not set")
+                die("incomplete configuration: base URL not provided")
-                dieReqID(reqID, "internal error")
        }
+        if !strings.HasSuffix(hrefBase, "/") {
+                hrefBase += "/"
+        }
        keyPath := os.Getenv("GITOLFS3_KEY_PATH")
        if keyPath == "" {
-                logger.logf("Environment variable GITOLFS3_KEY_PATH is not set")
+                die("incomplete configuration: key path not provided")
-                dieReqID(reqID, "internal error")
        }
        keyStr, err := os.ReadFile(keyPath)
        if err != nil {
-                logger.logf("Cannot read key in GITOLFS3_KEY_PATH: %s", err)
+                wipe(keyStr)
-                dieReqID(reqID, "internal error")
+                die("cannot read key")
        }
        keyStr = bytes.TrimSpace(keyStr)
        defer wipe(keyStr)
+        if hex.DecodedLen(len(keyStr)) != 64 {
-        if hex.DecodedLen(len(keyStr)) != ed25519.SeedSize {
+                die("bad key length")
-                logger.logf("Fatal: provided private key (seed) is invalid: does not have expected length")
-                dieReqID(reqID, "internal error")
        }
+        key := make([]byte, 64)
-        seed := make([]byte, ed25519.SeedSize)
+        defer wipe(key)
-        defer wipe(seed)
+        if _, err = hex.Decode(key, keyStr); err != nil {
-        if _, err = hex.Decode(seed, keyStr); err != nil {
+                die("cannot decode key")
-                logger.logf("Fatal: cannot decode provided private key (seed): %s", err)
-                dieReqID(reqID, "internal error")
-        }
-        privateKey := ed25519.NewKeyFromSeed(seed)
-        if !getGitoliteAccess(logger, reqID, repo, user, "R") {
-                die("repository not found")
-        }
-        if operation == "upload" && !getGitoliteAccess(logger, reqID, repo, user, "W") {
-                // User has read access but no write access
-                die("forbidden")
        }
        expiresIn := time.Minute * 5
-        claims := customClaims{
+        expiresAtUnix := time.Now().Add(expiresIn).Unix()
-                Gitolfs3: gitolfs3Claims{
-                        Type:       "batch-api",
+        tag := hmac.New(sha256.New, key)
-                        Repository: repo,
+        io.WriteString(tag, "git-lfs-authenticate")
-                        Permission: operation,
+        tag.Write([]byte{0})
-                },
+        io.WriteString(tag, repo)
-                RegisteredClaims: &jwt.RegisteredClaims{
+        tag.Write([]byte{0})
-                        Subject:   user,
+        io.WriteString(tag, operation)
-                        IssuedAt:  jwt.NewNumericDate(time.Now()),
+        tag.Write([]byte{0})
-                        ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiresIn)),
+        binary.Write(tag, binary.BigEndian, &expiresAtUnix)
-                },
+        tagStr := hex.EncodeToString(tag.Sum(nil))
-        }
-        token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
-        ss, err := token.SignedString(privateKey)
-        if err != nil {
-                logger.logf("Fatal: failed to generate JWT: %s", err)
-                die("failed to generate token")
-        }
        response := authenticateResponse{
                Header: map[string]string{
-                        "Authorization": "Bearer " + ss,
+                        "Authorization": "Tag " + tagStr,
                },
                ExpiresIn: int64(expiresIn.Seconds()),
-        }
+                HRef: fmt.Sprintf("%s%s?p=1&te=%d",
-        if repoHRefBase != nil {
+                        hrefBase,
-                response.HRef = repoHRefBase.ResolveReference(&url.URL{
+                        path.Join(repo+".git", "/info/lfs"),
-                        Path: path.Join(repo+".git", "/info/lfs"),
+                        expiresAtUnix,
-                }).String()
+                ),
        }
        json.NewEncoder(os.Stdout).Encode(response)
 }

diff --git a/cmd/git-lfs-authenticate/main.c b/cmd/git-lfs-authenticate/main.c new file mode 100644 index 0000000..0f45e49 --- /dev/null +++ b/cmd/git-lfs-authenticate/main.c
@@ -0,0 +1,254 @@
		1	#include <assert.h>
		2	#include <ctype.h>
		3	#include <errno.h>
		4	#include <stdbool.h>
		5	#include <stdio.h>
		6	#include <string.h>
		7
		8	#include <sys/stat.h>
		9
		10	#include <openssl/evp.h>
		11	#include <openssl/hmac.h>
		12
		13	void die(const char *format, ...) {
		14	fputs("Fatal: ", stderr);
		15	va_list ap;
		16	va_start(ap, format);
		17	vfprintf(stderr, format, ap);
		18	va_end(ap);
		19	fputc('\n', stderr);
		20	exit(EXIT_FAILURE);
		21	}
		22
		23	#define USAGE "Usage: git-lfs-authenticate <REPO> upload/download"
		24
		25	bool hasprefix(const char str, const char prefix) {
		26	if (strlen(prefix) > strlen(str))
		27	return false;
		28	return !strncmp(str, prefix, strlen(prefix));
		29	}
		30
		31	bool hassuffix(const char str, const char suffix) {
		32	if (strlen(suffix) > strlen(str))
		33	return false;
		34	str += strlen(str) - strlen(suffix);
		35	return !strcmp(str, suffix);
		36	}
		37
		38	const char trimspace(const char str, size_t *length) {
		39	while (*length > 0 && isspace(str[0])) {
		40	str++; (*length)--;
		41	}
		42	while (length > 0 && isspace(str[length - 1]))
		43	(*length)--;
		44	return str;
		45	}
		46
		47	void printescjson(const char *str) {
		48	for (size_t i = 0; i < strlen(str); i++) {
		49	switch (str[i]) {
		50	case '"': fputs("\\\"", stdout); break;
		51	case '\\': fputs("\\\\", stdout); break;
		52	case '\b': fputs("\\b", stdout); break;
		53	case '\f': fputs("\\f", stdout); break;
		54	case '\n': fputs("\\n", stdout); break;
		55	case '\r': fputs("\\r", stdout); break;
		56	case '\t': fputs("\\t", stdout); break;
		57	default: fputc(str[i], stdout);
		58	}
		59	}
		60	}
		61
		62	void checkrepopath(const char *path) {
		63	if (strstr(path, "//") \|\| strstr(path, "/./") \|\| strstr(path, "/../")
		64	\|\| hasprefix(path, "./") \|\| hasprefix(path, "../") \|\| hasprefix(path, "/../"))
		65	die("Bad repository name: is unresolved path");
		66	if (strlen(path) > 100)
		67	die("Bad repository name: longer than 100 characters");
		68	if (hassuffix(path, "/"))
		69	die("Bad repositry name: unexpected trailing slash");
		70	if (hasprefix(path, "/"))
		71	die("Bad repository name: unexpected absolute path");
		72	if (!hassuffix(path, ".git"))
		73	die("Bad repository name: expected '.git' repo path suffix");
		74
		75	struct stat statbuf;
		76	if (stat(path, &statbuf)) {
		77	if (errno == ENOENT)
		78	die("Repo not found");
		79	die("Could not stat repo: %s", strerror(errno));
		80	}
		81	if (!S_ISDIR(statbuf.st_mode)) {
		82	die("Repo not found");
		83	}
		84	}
		85
		86	char readkeyfile(const char path, size_t *len) {
		87	FILE *f = fopen(path, "r");
		88	if (!f)
		89	die("Cannot read key file: %s", strerror(errno));
		90	*len = 0;
		91	size_t bufcap = 4096;
		92	char *buf = malloc(bufcap);
		93	while (!feof(f) && !ferror(f)) {
		94	if (*len + 4096 > bufcap) {
		95	bufcap *= 2;
		96	buf = realloc(buf, bufcap);
		97	}
		98	len += fread(buf + len, sizeof(char), 4096, f);
		99	}
		100	if (ferror(f) && !feof(f)) {
		101	OPENSSL_cleanse(buf, *len);
		102	die("Failed to read key file (length: %lu)", *len);
		103	}
		104	fclose(f);
		105	return buf;
		106	}
		107
		108	#define KEYSIZE 64
		109
		110	void readkey(const char *path, uint8_t dest[KEYSIZE]) {
		111	size_t keybuf_len = 0;
		112	char *keybuf = readkeyfile(path, &keybuf_len);
		113
		114	size_t keystr_len = keybuf_len;
		115	const char *keystr = trimspace(keybuf, &keystr_len);
		116	if (keystr_len != 2 * KEYSIZE) {
		117	OPENSSL_cleanse(keybuf, keybuf_len);
		118	die("Bad key length");
		119	}
		120
		121	for (size_t i = 0; i < KEYSIZE; i++) {
		122	const char c = keystr[i];
		123	uint8_t nibble = 0;
		124	if (c >= '0' && c <= '9')
		125	nibble = c - '0';
		126	else if (c >= 'a' && c <= 'f')
		127	nibble = c - 'a' + 10;
		128	else if (c >= 'A' && c <= 'F')
		129	nibble = c - 'A' + 10;
		130	else {
		131	OPENSSL_cleanse(keybuf, keybuf_len);
		132	OPENSSL_cleanse(dest, KEYSIZE);
		133	die("Cannot decode key");
		134	}
		135	size_t ikey = i / 2;
		136	if (i % 2) dest[ikey] \|= nibble;
		137	else dest[ikey] = nibble << 4;
		138	}
		139
		140	OPENSSL_cleanse(keybuf, keybuf_len);
		141	free(keybuf);
		142	}
		143
		144	void u64tobe(uint64_t x, uint8_t b[8]) {
		145	b[0] = (uint8_t)(x >> 56);
		146	b[1] = (uint8_t)(x >> 48);
		147	b[2] = (uint8_t)(x >> 40);
		148	b[3] = (uint8_t)(x >> 32);
		149	b[4] = (uint8_t)(x >> 24);
		150	b[5] = (uint8_t)(x >> 16);
		151	b[6] = (uint8_t)(x >> 8);
		152	b[7] = (uint8_t)(x >> 0);
		153	}
		154
		155	#define MAX_TAG_SIZE EVP_MAX_MD_SIZE
		156
		157	typedef struct taginfo {
		158	const char *authtype;
		159	const char *repopath;
		160	const char *operation;
		161	const int64_t expiresat_s;
		162	} taginfo_t;
		163
		164	void memcat(void dest, const void *src, size_t n) {
		165	return memcpy(dest, src, n) + n;
		166	}
		167
		168	void maketag(const taginfo_t info, uint8_t key[KEYSIZE], uint8_t dest[MAX_TAG_SIZE], uint32_t *len) {
		169	uint8_t expiresat_b[8];
		170	u64tobe(info.expiresat_s, expiresat_b);
		171
		172	const uint8_t zero[1] = { 0 };
		173	const size_t fullsize = strlen(info.authtype) +
		174	1 + strlen(info.repopath) +
		175	1 + strlen(info.operation) +
		176	1 + sizeof(expiresat_b);
		177	uint8_t *claimbuf = alloca(fullsize);
		178	uint8_t *head = claimbuf;
		179	head = memcat(head, info.authtype, strlen(info.authtype));
		180	head = memcat(head, zero, 1);
		181	head = memcat(head, info.repopath, strlen(info.repopath));
		182	head = memcat(head, zero, 1);
		183	head = memcat(head, info.operation, strlen(info.operation));
		184	head = memcat(head, zero, 1);
		185	head = memcat(head, expiresat_b, sizeof(expiresat_b));
		186	assert(head == claimbuf + fullsize);
		187
		188	memset(dest, 0, MAX_TAG_SIZE);
		189	*len = 0;
		190	if (!HMAC(EVP_sha256(), key, KEYSIZE, claimbuf, fullsize, dest, len)) {
		191	OPENSSL_cleanse(key, KEYSIZE);
		192	die("Failed to generate tag");
		193	}
		194	}
		195
		196	#define MAX_HEXTAG_STRLEN MAX_TAG_SIZE * 2
		197
		198	void makehextag(const taginfo_t info, uint8_t key[KEYSIZE], char dest[MAX_HEXTAG_STRLEN + 1]) {
		199	uint8_t rawtag[MAX_TAG_SIZE];
		200	uint32_t rawtag_len;
		201	maketag(info, key, rawtag, &rawtag_len);
		202
		203	memset(dest, 0, MAX_HEXTAG_STRLEN + 1);
		204	for (size_t i = 0; i < rawtag_len; i++) {
		205	uint8_t b = rawtag[i];
		206	dest[i] = (b >> 4) + ((b >> 4) < 10 ? '0' : 'a');
		207	dest[i + 1] = (b & 0x0F) + ((b & 0x0F) < 10 ? '0' : 'a');
		208	}
		209	}
		210
		211	int main(int argc, char *argv[]) {
		212	if (argc != 3) {
		213	puts(USAGE);
		214	exit(EXIT_FAILURE);
		215	}
		216
		217	const char *repopath = argv[1];
		218	const char *operation = argv[2];
		219	if (strcmp(operation, "download") && strcmp(operation, "upload")) {
		220	puts(USAGE);
		221	exit(EXIT_FAILURE);
		222	}
		223	checkrepopath(repopath);
		224
		225	const char *hrefbase = getenv("GITOLFS3_HREF_BASE");
		226	const char *keypath = getenv("GITOLFS3_KEY_PATH");
		227
		228	if (!hrefbase \|\| strlen(hrefbase) == 0)
		229	die("Incomplete configuration: base URL not provided");
		230	if (hrefbase[strlen(hrefbase) - 1] != '/')
		231	die("Bad configuration: base URL should end with slash");
		232	if (!keypath \|\| strlen(keypath) == 0)
		233	die("Incomplete configuration: key path not provided");
		234
		235	uint8_t key[64];
		236	readkey(keypath, key);
		237
		238	int64_t expiresin_s = 5 * 60;
		239	int64_t expiresat_s = (int64_t)time(NULL) + expiresin_s;
		240
		241	taginfo_t taginfo = {
		242	.authtype = "git-lfs-authenticate",
		243	.repopath = repopath,
		244	.operation = operation,
		245	.expiresat_s = expiresat_s,
		246	};
		247	char hextag[MAX_HEXTAG_STRLEN + 1];
		248	makehextag(taginfo, key, hextag);
		249
		250	printf("{\"header\":{\"Authorization\":\"Gitolfs3-Hmac-Sha256 %s\"},\"expires_in\":%ld,\"href\":\"", hextag, expiresin_s);
		251	printescjson(hrefbase);
		252	printescjson(repopath);
		253	printf("/info/lfs?p=1&te=%ld\"}\n", expiresat_s);
		254	}


diff --git a/cmd/git-lfs-authenticate/main.go b/cmd/git-lfs-authenticate/main.go index 3d2c1ea..3db0efe 100644 --- a/cmd/git-lfs-authenticate/main.go +++ b/cmd/git-lfs-authenticate/main.go
@@ -2,91 +2,28 @@ package main
2		2
3	import (	3	import (
4	"bytes"	4	"bytes"
5	"crypto/ed25519"	5	"crypto/hmac"
		6	"crypto/sha256"
		7	"encoding/binary"
6	"encoding/hex"	8	"encoding/hex"
7	"encoding/json"	9	"encoding/json"
8	"errors"	10	"errors"
9	"fmt"	11	"fmt"
10	"io"	12	"io"
11	"net/url"	13	"io/fs"
12	"os"	14	"os"
13	"os/exec"
14	"path"	15	"path"
15	"strings"	16	"strings"
16	"time"	17	"time"
17
18	"github.com/golang-jwt/jwt/v5"
19	"github.com/rs/xid"
20	)	18	)
21		19
22	type logger struct {
23	reqID string
24	time time.Time
25	wc io.WriteCloser
26	}
27
28	func newLogger(reqID string) *logger {
29	return &logger{reqID: reqID, time: time.Now()}
30	}
31
32	func (l *logger) writer() io.WriteCloser {
33	if l.wc == nil {
34	os.MkdirAll(".gitolfs3/logs/", 0o700) // Mode: drwx------
35	ts := l.time.Format("2006-01-02")
36	path := fmt.Sprintf(".gitolfs3/logs/gitolfs3-%s-%s.log", ts, l.reqID)
37	l.wc, _ = os.Create(path)
38	}
39	return l.wc
40	}
41
42	func (l *logger) logf(msg string, args ...any) {
43	fmt.Fprintf(l.writer(), msg, args...)
44	}
45
46	func (l *logger) close() {
47	if l.wc != nil {
48	l.wc.Close()
49	}
50	}
51
52	func die(msg string, args ...any) {	20	func die(msg string, args ...any) {
53	fmt.Fprint(os.Stderr, "Error: ")	21	fmt.Fprint(os.Stderr, "Fatal: ")
54	fmt.Fprintf(os.Stderr, msg, args...)	22	fmt.Fprintf(os.Stderr, msg, args...)
55	fmt.Fprint(os.Stderr, "\n")	23	fmt.Fprint(os.Stderr, "\n")
56	os.Exit(1)	24	os.Exit(1)
57	}	25	}
58		26
59	func dieReqID(reqID string, msg string, args ...any) {
60	fmt.Fprint(os.Stderr, "Error: ")
61	fmt.Fprintf(os.Stderr, msg, args...)
62	fmt.Fprintf(os.Stderr, " (request ID: %s)\n", reqID)
63	os.Exit(1)
64	}
65
66	func getGitoliteAccess(logger *logger, reqID, path, user, gitolitePerm string) bool {
67	// gitolite access -q: returns only exit code
68	cmd := exec.Command("gitolite", "access", "-q", path, user, gitolitePerm)
69	err := cmd.Run()
70	permGranted := err == nil
71	var exitErr *exec.ExitError
72	if err != nil && !errors.As(err, &exitErr) {
73	logger.logf("Failed to query access information (%s): %s", cmd, err)
74	dieReqID(reqID, "failed to query access information")
75	}
76	return permGranted
77	}
78
79	type gitolfs3Claims struct {
80	Type string `json:"type"`
81	Repository string `json:"repository"`
82	Permission string `json:"permission"`
83	}
84
85	type customClaims struct {
86	Gitolfs3 gitolfs3Claims `json:"gitolfs3"`
87	*jwt.RegisteredClaims
88	}
89
90	type authenticateResponse struct {	27	type authenticateResponse struct {
91	// When providing href, the Git LFS client will use href as the base URL	28	// When providing href, the Git LFS client will use href as the base URL
92	// instead of building the base URL using the Service Discovery mechanism.	29	// instead of building the base URL using the Service Discovery mechanism.
@@ -97,7 +34,8 @@ type authenticateResponse struct {
97	// In seconds.	34	// In seconds.
98	ExpiresIn int64 `json:"expires_in,omitempty"`	35	ExpiresIn int64 `json:"expires_in,omitempty"`
99	// The expires_at (RFC3339) property could also be used, but we leave it	36	// The expires_at (RFC3339) property could also be used, but we leave it
100	// out since we don't use it.	37	// out since we don't use it. The Git LFS docs recommend using expires_in
		38	// instead (???)
101	}	39	}
102		40
103	func wipe(b []byte) {	41	func wipe(b []byte) {
@@ -106,7 +44,7 @@ func wipe(b []byte) {
106	}	44	}
107	}	45	}
108		46
109	const usage = "Usage: git-lfs-authenticate <REPO> <OPERATION (upload/download)>"	47	const usage = "Usage: git-lfs-authenticate <REPO> upload/download"
110		48
111	func main() {	49	func main() {
112	// Even though not explicitly described in the Git LFS documentation, the	50	// Even though not explicitly described in the Git LFS documentation, the
@@ -116,101 +54,85 @@ func main() {
116	// code and print the error message in plain text to standard error. See	54	// code and print the error message in plain text to standard error. See
117	// https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117	55	// https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117
118		56
119	reqID := xid.New().String()
120	logger := newLogger(reqID)
121
122	if len(os.Args) != 3 {	57	if len(os.Args) != 3 {
123	fmt.Println(usage)	58	fmt.Println(usage)
124	os.Exit(1)	59	os.Exit(1)
125	}	60	}
126		61
127	repo := strings.TrimPrefix(strings.TrimSuffix(os.Args[1], ".git"), "/")	62	repo := strings.TrimPrefix(path.Clean(strings.TrimSuffix(os.Args[1], ".git")), "/")
128	operation := os.Args[2]	63	operation := os.Args[2]
129	if operation != "download" && operation != "upload" {	64	if operation != "download" && operation != "upload" {
130	fmt.Println(usage)	65	fmt.Println(usage)
131	os.Exit(1)	66	os.Exit(1)
132	}	67	}
		68	if repo == ".." \|\| strings.HasPrefix(repo, "../") {
		69	die("highly illegal repo name (Anzeige ist raus)")
		70	}
133		71
134	repoHRefBaseStr := os.Getenv("REPO_HREF_BASE")	72	repoDir := path.Join(repo + ".git")
135	var repoHRefBase *url.URL	73	finfo, err := os.Stat(repoDir)
136	var err error	74	if err != nil {
137	if repoHRefBaseStr != "" {	75	if errors.Is(err, fs.ErrNotExist) {
138	if repoHRefBase, err = url.Parse(repoHRefBaseStr); err != nil {	76	die("repo not found")
139	logger.logf("Failed to parse URL in environment variable REPO_HREF_BASE: %s", err)
140	dieReqID(reqID, "internal error")
141	}	77	}
		78	die("could not stat repo: %s", err)
		79	}
		80	if !finfo.IsDir() {
		81	die("repo not found")
142	}	82	}
143		83
144	user := os.Getenv("GL_USER")	84	hrefBase := os.Getenv("GITOLFS3_HREF_BASE")
145	if user == "" {	85	if hrefBase == "" {
146	logger.logf("Environment variable GL_USER is not set")	86	die("incomplete configuration: base URL not provided")
147	dieReqID(reqID, "internal error")
148	}	87	}
		88	if !strings.HasSuffix(hrefBase, "/") {
		89	hrefBase += "/"
		90	}
		91
149	keyPath := os.Getenv("GITOLFS3_KEY_PATH")	92	keyPath := os.Getenv("GITOLFS3_KEY_PATH")
150	if keyPath == "" {	93	if keyPath == "" {
151	logger.logf("Environment variable GITOLFS3_KEY_PATH is not set")	94	die("incomplete configuration: key path not provided")
152	dieReqID(reqID, "internal error")
153	}	95	}
		96
154	keyStr, err := os.ReadFile(keyPath)	97	keyStr, err := os.ReadFile(keyPath)
155	if err != nil {	98	if err != nil {
156	logger.logf("Cannot read key in GITOLFS3_KEY_PATH: %s", err)	99	wipe(keyStr)
157	dieReqID(reqID, "internal error")	100	die("cannot read key")
158	}	101	}
159	keyStr = bytes.TrimSpace(keyStr)	102	keyStr = bytes.TrimSpace(keyStr)
160	defer wipe(keyStr)	103	defer wipe(keyStr)
161		104	if hex.DecodedLen(len(keyStr)) != 64 {
162	if hex.DecodedLen(len(keyStr)) != ed25519.SeedSize {	105	die("bad key length")
163	logger.logf("Fatal: provided private key (seed) is invalid: does not have expected length")
164	dieReqID(reqID, "internal error")
165	}	106	}
166		107	key := make([]byte, 64)
167	seed := make([]byte, ed25519.SeedSize)	108	defer wipe(key)
168	defer wipe(seed)	109	if _, err = hex.Decode(key, keyStr); err != nil {
169	if _, err = hex.Decode(seed, keyStr); err != nil {	110	die("cannot decode key")
170	logger.logf("Fatal: cannot decode provided private key (seed): %s", err)
171	dieReqID(reqID, "internal error")
172	}
173	privateKey := ed25519.NewKeyFromSeed(seed)
174
175	if !getGitoliteAccess(logger, reqID, repo, user, "R") {
176	die("repository not found")
177	}
178	if operation == "upload" && !getGitoliteAccess(logger, reqID, repo, user, "W") {
179	// User has read access but no write access
180	die("forbidden")
181	}	111	}
182		112
183	expiresIn := time.Minute * 5	113	expiresIn := time.Minute * 5
184	claims := customClaims{	114	expiresAtUnix := time.Now().Add(expiresIn).Unix()
185	Gitolfs3: gitolfs3Claims{	115
186	Type: "batch-api",	116	tag := hmac.New(sha256.New, key)
187	Repository: repo,	117	io.WriteString(tag, "git-lfs-authenticate")
188	Permission: operation,	118	tag.Write([]byte{0})
189	},	119	io.WriteString(tag, repo)
190	RegisteredClaims: &jwt.RegisteredClaims{	120	tag.Write([]byte{0})
191	Subject: user,	121	io.WriteString(tag, operation)
192	IssuedAt: jwt.NewNumericDate(time.Now()),	122	tag.Write([]byte{0})
193	ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiresIn)),	123	binary.Write(tag, binary.BigEndian, &expiresAtUnix)
194	},	124	tagStr := hex.EncodeToString(tag.Sum(nil))
195	}
196
197	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims)
198	ss, err := token.SignedString(privateKey)
199	if err != nil {
200	logger.logf("Fatal: failed to generate JWT: %s", err)
201	die("failed to generate token")
202	}
203		125
204	response := authenticateResponse{	126	response := authenticateResponse{
205	Header: map[string]string{	127	Header: map[string]string{
206	"Authorization": "Bearer " + ss,	128	"Authorization": "Tag " + tagStr,
207	},	129	},
208	ExpiresIn: int64(expiresIn.Seconds()),	130	ExpiresIn: int64(expiresIn.Seconds()),
209	}	131	HRef: fmt.Sprintf("%s%s?p=1&te=%d",
210	if repoHRefBase != nil {	132	hrefBase,
211	response.HRef = repoHRefBase.ResolveReference(&url.URL{	133	path.Join(repo+".git", "/info/lfs"),
212	Path: path.Join(repo+".git", "/info/lfs"),	134	expiresAtUnix,
213	}).String()	135	),
214	}	136	}
215	json.NewEncoder(os.Stdout).Encode(response)	137	json.NewEncoder(os.Stdout).Encode(response)
216	}	138	}