aboutsummaryrefslogtreecommitdiffstats
path: root/server/src
diff options
context:
space:
mode:
Diffstat (limited to 'server/src')
-rw-r--r--server/src/main.rs19
1 files changed, 9 insertions, 10 deletions
diff --git a/server/src/main.rs b/server/src/main.rs
index e615d19..514be39 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -789,16 +789,16 @@ fn authorize_batch_unauthenticated(
789 StatusCode::FORBIDDEN, 789 StatusCode::FORBIDDEN,
790 "Authentication required to upload", 790 "Authentication required to upload",
791 )); 791 ));
792 }, 792 }
793 common::Operation::Download => { 793 common::Operation::Download => {
794 // Again, trusted users can see all repos. For untrusted users, we first need to check 794 // Again, trusted users can see all repos. For untrusted users, we first need to check
795 // whether the repo is public before we authorize. If the user is untrusted and the 795 // whether the repo is public before we authorize. If the user is untrusted and the
796 // repo isn't public, we just act like it doesn't even exist. 796 // repo isn't public, we just act like it doesn't even exist.
797 if !trusted { 797 if !trusted {
798 if !public { 798 if !public {
799 return Err(REPO_NOT_FOUND) 799 return Err(REPO_NOT_FOUND);
800 } 800 }
801 return Ok(Trusted(false)) 801 return Ok(Trusted(false));
802 } 802 }
803 return Ok(Trusted(true)); 803 return Ok(Trusted(true));
804 } 804 }
@@ -931,12 +931,13 @@ fn verify_claims(
931 return Ok(false); 931 return Ok(false);
932 }; 932 };
933 let authz = authz.to_str().map_err(|_| INVALID_AUTHZ_HEADER)?; 933 let authz = authz.to_str().map_err(|_| INVALID_AUTHZ_HEADER)?;
934 let val = authz.strip_prefix("Gitolfs3-Hmac-Sha256 ").ok_or(INVALID_AUTHZ_HEADER)?; 934 let val = authz
935 .strip_prefix("Gitolfs3-Hmac-Sha256 ")
936 .ok_or(INVALID_AUTHZ_HEADER)?;
935 let (tag, expires_at) = val.split_once(' ').ok_or(INVALID_AUTHZ_HEADER)?; 937 let (tag, expires_at) = val.split_once(' ').ok_or(INVALID_AUTHZ_HEADER)?;
936 let tag: common::Digest<32> = tag.parse().map_err(|_| INVALID_AUTHZ_HEADER)?; 938 let tag: common::Digest<32> = tag.parse().map_err(|_| INVALID_AUTHZ_HEADER)?;
937 let expires_at: i64 = expires_at.parse().map_err(|_| INVALID_AUTHZ_HEADER)?; 939 let expires_at: i64 = expires_at.parse().map_err(|_| INVALID_AUTHZ_HEADER)?;
938 let expires_at = 940 let expires_at = DateTime::<Utc>::from_timestamp(expires_at, 0).ok_or(INVALID_AUTHZ_HEADER)?;
939 DateTime::<Utc>::from_timestamp(expires_at, 0).ok_or(INVALID_AUTHZ_HEADER)?;
940 let expected_tag = common::generate_tag( 941 let expected_tag = common::generate_tag(
941 common::Claims { 942 common::Claims {
942 specific_claims: claims.specific_claims, 943 specific_claims: claims.specific_claims,
@@ -944,10 +945,8 @@ fn verify_claims(
944 expires_at, 945 expires_at,
945 }, 946 },
946 &conf.key, 947 &conf.key,
947 ).ok_or_else(|| make_error_resp( 948 )
948 StatusCode::INTERNAL_SERVER_ERROR, 949 .ok_or_else(|| make_error_resp(StatusCode::INTERNAL_SERVER_ERROR, "Internal server error"))?;
949 "Internal server error",
950 ))?;
951 if tag != expected_tag { 950 if tag != expected_tag {
952 return Err(INVALID_AUTHZ_HEADER); 951 return Err(INVALID_AUTHZ_HEADER);
953 } 952 }