package main
import (
"bytes"
"crypto/hmac"
"crypto/sha256"
"encoding/binary"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"io"
"io/fs"
"os"
"path"
"strings"
"time"
)
// die writes "Fatal: ", the message formatted with args, and a newline to
// standard error, then terminates the process with exit status 1. It never
// returns, so deferred calls in the caller do not run.
func die(msg string, args ...any) {
	var out strings.Builder
	out.WriteString("Fatal: ")
	fmt.Fprintf(&out, msg, args...)
	out.WriteByte('\n')
	os.Stderr.WriteString(out.String())
	os.Exit(1)
}
// authenticateResponse is the JSON document printed on standard output when
// authentication succeeds. Its fields follow the Git LFS SSH server-discovery
// response format linked below.
type authenticateResponse struct {
	// When providing href, the Git LFS client will use href as the base URL
	// instead of building the base URL using the Service Discovery mechanism.
	// It should end with /info/lfs. See
	// https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/docs/api/server-discovery.md#ssh
	HRef string `json:"href,omitempty"`
	// Header holds the HTTP headers the Git LFS client must attach to every
	// request against HRef; main populates only "Authorization".
	Header map[string]string `json:"header"`
	// ExpiresIn is the validity period of the credentials, in seconds.
	ExpiresIn int64 `json:"expires_in,omitempty"`
	// The expires_at (RFC3339) property could also be used, but we leave it
	// out since we don't use it. The Git LFS docs recommend using expires_in
	// instead (the reason is not stated there).
}
// wipe overwrites every byte of b with zero so that secret material is not
// left behind in memory once it is no longer needed. A nil or empty slice is
// a no-op.
func wipe(b []byte) {
	for len(b) > 0 {
		b[0] = 0
		b = b[1:]
	}
}
// usage is printed when the command is invoked with the wrong number of
// arguments or with an operation other than "upload" or "download".
const usage = "Usage: git-lfs-authenticate <REPO> upload/download"
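// loadKey reads the hex-encoded HMAC key from keyPath and returns the decoded
// 64-byte key. The hex text read from disk is zeroed before returning so that
// only the decoded key remains in memory; on error the returned slice is nil
// and any partially read or decoded bytes have been zeroed as well. The error
// texts are the user-facing messages that main prints.
func loadKey(keyPath string) ([]byte, error) {
	keyHex, err := os.ReadFile(keyPath)
	if err != nil {
		// os.ReadFile may hand back partial contents together with the error.
		wipe(keyHex)
		return nil, errors.New("cannot read key")
	}
	// Deferred with the untrimmed slice so the whole file buffer is zeroed,
	// including any surrounding whitespace bytes.
	defer wipe(keyHex)
	keyText := bytes.TrimSpace(keyHex)
	// A 64-byte key is exactly 128 hex digits; anything else is rejected
	// before decoding so an odd-length file gets the clearer message.
	if len(keyText) != hex.EncodedLen(64) {
		return nil, errors.New("bad key length")
	}
	key := make([]byte, 64)
	if _, err := hex.Decode(key, keyText); err != nil {
		wipe(key)
		return nil, errors.New("cannot decode key")
	}
	return key, nil
}

// authTag computes the hex-encoded HMAC-SHA256 tag over one
// (repo, operation, expiry) triple. The MAC input is the fixed context label
// "git-lfs-authenticate" followed by repo and operation, each NUL-terminated
// (command-line arguments cannot contain NUL bytes, so the fields cannot run
// into each other), and the expiry as an 8-byte big-endian integer. The
// verifying server presumably recomputes exactly this layout — keep the two
// in sync when changing it.
func authTag(key []byte, repo, operation string, expiresAtUnix int64) string {
	mac := hmac.New(sha256.New, key)
	// hash.Hash writes never fail, so their results are not checked.
	io.WriteString(mac, "git-lfs-authenticate")
	mac.Write([]byte{0})
	io.WriteString(mac, repo)
	mac.Write([]byte{0})
	io.WriteString(mac, operation)
	mac.Write([]byte{0})
	var expiry [8]byte
	binary.BigEndian.PutUint64(expiry[:], uint64(expiresAtUnix))
	mac.Write(expiry[:])
	return hex.EncodeToString(mac.Sum(nil))
}

// main implements the git-lfs-authenticate SSH command: it validates the
// requested repository and operation, derives an HMAC-SHA256 tag from the key
// configured via GITOLFS3_KEY_PATH, and prints the Git LFS authentication
// response as JSON on standard output, with HRef built from GITOLFS3_HREF_BASE.
//
// Even though not explicitly described in the Git LFS documentation, the
// git-lfs-authenticate command is expected to either exit successfully with
// exit code 0 and to then print credentials in the prescribed JSON format
// to standard out. On errors, the command should exit with a non-zero exit
// code and print the error message in plain text to standard error. See
// https://github.com/git-lfs/git-lfs/blob/baf40ac99850a62fe98515175d52df5c513463ec/lfshttp/ssh.go#L76-L117
// For that reason every diagnostic, including the usage text, goes to stderr.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, usage)
		os.Exit(1)
	}
	// Collapse "." and ".." segments and drop a leading "/" so the name is
	// resolved relative to the working directory the command runs in.
	repo := strings.TrimPrefix(path.Clean(os.Args[1]), "/")
	operation := os.Args[2]
	if operation != "download" && operation != "upload" {
		fmt.Fprintln(os.Stderr, usage)
		os.Exit(1)
	}
	// After path.Clean the only ".." that can survive is a leading one, which
	// would point outside the working directory.
	if repo == ".." || strings.HasPrefix(repo, "../") {
		die("highly illegal repo name (Anzeige ist raus)")
	}
	if !strings.HasSuffix(repo, ".git") {
		die("expected repo name to have '.git' suffix")
	}
	// Only a repository that exists as a directory may be authenticated for;
	// the name is already clean, so it is stat'ed as is.
	finfo, err := os.Stat(repo)
	if err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			die("repo not found")
		}
		die("could not stat repo: %s", err)
	}
	if !finfo.IsDir() {
		die("repo not found")
	}
	hrefBase := os.Getenv("GITOLFS3_HREF_BASE")
	if hrefBase == "" {
		die("incomplete configuration: base URL not provided")
	}
	// The repo path is concatenated directly onto the base, so it must end
	// with a slash.
	if !strings.HasSuffix(hrefBase, "/") {
		hrefBase += "/"
	}
	keyPath := os.Getenv("GITOLFS3_KEY_PATH")
	if keyPath == "" {
		die("incomplete configuration: key path not provided")
	}
	key, err := loadKey(keyPath)
	if err != nil {
		die("%s", err)
	}
	// die() exits without running deferred calls, so any error path below
	// that still holds the key zeroes it explicitly before dying.
	defer wipe(key)

	expiresIn := 5 * time.Minute
	expiresAtUnix := time.Now().Add(expiresIn).Unix()
	tagStr := authTag(key, repo, operation, expiresAtUnix)
	response := authenticateResponse{
		Header: map[string]string{
			"Authorization": "Gitolfs3-Hmac-Sha256 " + tagStr,
		},
		ExpiresIn: int64(expiresIn.Seconds()),
		// The expiry is echoed in the "te" query parameter, presumably so the
		// server can recompute the tag. NOTE(review): repo is interpolated
		// without URL escaping; a directory name containing '?', '#' or a
		// space would yield a malformed href — confirm repository names are
		// restricted on the server side.
		HRef: fmt.Sprintf("%s%s?p=1&te=%d",
			hrefBase,
			path.Join(repo, "/info/lfs"),
			expiresAtUnix,
		),
	}
	// A failed or partial write must not be reported as success (exit 0), or
	// the client would try to parse a truncated document.
	if err := json.NewEncoder(os.Stdout).Encode(response); err != nil {
		wipe(key)
		die("cannot write response: %s", err)
	}
}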