kallithea Changeset - f0851f37d6be

Changeset - f0851f37d6be

Parent rev.

Child rev.

[Not reviewed]

beta

0 7 0

Marcin Kuzminski - 13 years ago 2012-07-26 23:03:26
marcin@python-works.com

Implementes #509 require SSL flag now works for both git and mercurial.
- check is done at earlies possible stage
- if detected protocol is not https and flag require is there RhodeCode will
return HTTP Error 406: Not Acceptable, before even checking credentials
- removed push_ssl flag from mercurial UI objects since that would duplicate logic

7 files changed with 40 insertions and 22 deletions:

rhodecode/lib/base.py

rhodecode/lib/middleware/https_fixup.py

rhodecode/lib/middleware/simplegit.py

rhodecode/lib/middleware/simplehg.py

rhodecode/lib/utils.py

rhodecode/model/db.py

rhodecode/templates/admin/settings/settings.html

0 comments (0 inline, 0 general)

rhodecode/lib/base.py

➞

Show inline comments

@@ @@ -20,13 +20,13 @@ from rhodecode import __version__, BACKE @@
 from rhodecode.lib.utils2 import str2bool, safe_unicode
 from rhodecode.lib.auth import AuthUser, get_container_username, authfunc,\
     HasPermissionAnyMiddleware, CookieStoreWrapper
 from rhodecode.lib.utils import get_repo_slug, invalidate_cache
 from rhodecode.model import meta
 from rhodecode.model.db import Repository
+from rhodecode.model.db import Repository, RhodeCodeUi
 from rhodecode.model.notification import NotificationModel
 from rhodecode.model.scm import ScmModel
 log = logging.getLogger(__name__)
@@ @@ -142,12 +142,27 @@ class BaseVCSController(object): @@
         return True
     def _get_ip_addr(self, environ):
         return _get_ip_addr(environ)
     def _check_ssl(self, environ, start_response):
         """
         Checks the SSL check flag and returns False if SSL is not present
         and required True otherwise
         """
         org_proto = environ['wsgi._org_proto']
         #check if we have SSL required  ! if not it's a bad request !
         require_ssl = str2bool(RhodeCodeUi.get_by_key('push_ssl')\
                                .scalar().ui_value)
         if require_ssl and org_proto == 'http':
             log.debug('proto is %s and SSL is required BAD REQUEST !'
                       % org_proto)
             return False
         return True
     def __call__(self, environ, start_response):
         start = time.time()
         try:
             return self._handle_request(environ, start_response)
         finally:
             log = logging.getLogger('rhodecode.' + self.__class__.__name__)

rhodecode/lib/middleware/https_fixup.py

➞

Show inline comments

@@ @@ -39,24 +39,23 @@ class HttpsFixup(object): @@
     def __fixup(self, environ):
         """
         Function to fixup the environ as needed. In order to use this
         middleware you should set this header inside your
         proxy ie. nginx, apache etc.
         """
         # DETECT PROTOCOL !
         if 'HTTP_X_URL_SCHEME' in environ:
             proto = environ.get('HTTP_X_URL_SCHEME')
         elif 'HTTP_X_FORWARDED_SCHEME' in environ:
             proto = environ.get('HTTP_X_FORWARDED_SCHEME')
         elif 'HTTP_X_FORWARDED_PROTO' in environ:
             proto = environ.get('HTTP_X_FORWARDED_PROTO')
         else:
             proto = 'http'
         org_proto = proto
         # if we have force, just override
         if str2bool(self.config.get('force_https')):
             proto = 'https'
         else:
             if 'HTTP_X_URL_SCHEME' in environ:
                 proto = environ.get('HTTP_X_URL_SCHEME')
             elif 'HTTP_X_FORWARDED_SCHEME' in environ:
                 proto = environ.get('HTTP_X_FORWARDED_SCHEME')
             elif 'HTTP_X_FORWARDED_PROTO' in environ:
                 proto = environ.get('HTTP_X_FORWARDED_PROTO')
             else:
                 proto = 'http'
         if proto == 'https':
             environ['wsgi.url_scheme'] = proto
         else:
             environ['wsgi.url_scheme'] = 'http'
         return None
         environ['wsgi.url_scheme'] = proto
         environ['wsgi._org_proto'] = org_proto

rhodecode/lib/middleware/simplegit.py

➞

Show inline comments

@@ @@ -71,21 +71,21 @@ dulserver.DEFAULT_HANDLERS = { @@
 # not used for now until dulwich get's fixed
 #from dulwich.repo import Repo
 #from dulwich.web import make_wsgi_chain
 from paste.httpheaders import REMOTE_USER, AUTH_TYPE
 from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \
     HTTPBadRequest, HTTPNotAcceptable
 from rhodecode.lib.utils2 import safe_str
 from rhodecode.lib.base import BaseVCSController
 from rhodecode.lib.auth import get_container_username
 from rhodecode.lib.utils import is_valid_repo, make_ui
 from rhodecode.model.db import User, RhodeCodeUi
 from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError
 log = logging.getLogger(__name__)
 GIT_PROTO_PAT = re.compile(r'^/(.+)/(info/refs|git-upload-pack|git-receive-pack)')
@@ @@ -101,13 +101,14 @@ def is_git(environ): @@
 class SimpleGit(BaseVCSController):
     def _handle_request(self, environ, start_response):
         if not is_git(environ):
             return self.application(environ, start_response)
         if not self._check_ssl(environ, start_response):
             return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
         ipaddr = self._get_ip_addr(environ)
         username = None
         self._git_first_op = False
         # skip passing error to error controller
         environ['pylons.status_code_redirect'] = True

rhodecode/lib/middleware/simplehg.py

➞

Show inline comments

@@ @@ -30,20 +30,21 @@ import traceback @@
 import urllib
 from mercurial.error import RepoError
 from mercurial.hgweb import hgweb_mod
 from paste.httpheaders import REMOTE_USER, AUTH_TYPE
 from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError, \
     HTTPBadRequest, HTTPNotAcceptable
 from rhodecode.lib.utils2 import safe_str
 from rhodecode.lib.base import BaseVCSController
 from rhodecode.lib.auth import get_container_username
 from rhodecode.lib.utils import make_ui, is_valid_repo, ui_sections
 from rhodecode.model.db import User
 from webob.exc import HTTPNotFound, HTTPForbidden, HTTPInternalServerError
 log = logging.getLogger(__name__)
 def is_mercurial(environ):
     """
@@ @@ -65,12 +66,14 @@ def is_mercurial(environ): @@
 class SimpleHg(BaseVCSController):
     def _handle_request(self, environ, start_response):
         if not is_mercurial(environ):
             return self.application(environ, start_response)
         if not self._check_ssl(environ, start_response):
             return HTTPNotAcceptable('SSL REQUIRED !')(environ, start_response)
         ipaddr = self._get_ip_addr(environ)
         username = None
         # skip passing error to error controller
         environ['pylons.status_code_redirect'] = True

rhodecode/lib/utils.py

➞

Show inline comments

@@ @@ -309,13 +309,13 @@ def make_ui(read_from='file', path=None, @@
         ret = sa.query(RhodeCodeUi)\
             .options(FromCache("sql_cache_short", "get_hg_ui_settings"))\
             .all()
         hg_ui = ret
         for ui_ in hg_ui:
             if ui_.ui_active:
+            if ui_.ui_active and ui_.ui_key != 'push_ssl':
                 log.debug('settings ui from db[%s]%s:%s', ui_.ui_section,
                           ui_.ui_key, ui_.ui_value)
                 baseui.setconfig(ui_.ui_section, ui_.ui_key, ui_.ui_value)
         meta.Session.remove()
     return baseui

rhodecode/model/db.py

➞

Show inline comments

@@ @@ -725,13 +725,13 @@ class Repository(Base, BaseModel): @@
         ret = RhodeCodeUi.query()\
             .options(FromCache("sql_cache_short", "repository_repo_ui")).all()
         hg_ui = ret
         for ui_ in hg_ui:
             if ui_.ui_active:
+            if ui_.ui_active and ui_.ui_key != 'push_ssl':
                 log.debug('settings ui from db[%s]%s:%s', ui_.ui_section,
                           ui_.ui_key, ui_.ui_value)
                 baseui.setconfig(ui_.ui_section, ui_.ui_key, ui_.ui_value)
         return baseui

rhodecode/templates/admin/settings/settings.html

➞

Show inline comments

@@ @@ -126,13 +126,13 @@ @@
                 <div class="label label-checkbox">
                     <label>${_('Web')}:</label>
                 </div>
                 <div class="checkboxes">
 					<div class="checkbox">
 						${h.checkbox('web_push_ssl','true')}
-						<label for="web_push_ssl">${_('require ssl for pushing')}</label>
+						<label for="web_push_ssl">${_('require ssl for vcs operations')}</label>
 					</div>
 				</div>
              </div>
              <div class="field">
                 <div class="label label-checkbox">

0 comments (0 inline, 0 general)