mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
git-annex/Command/P2PHttp.hs

274 lines
7.8 KiB
Haskell
Raw Normal View History

started servant implementation of HTTP P2P protocol
2024-07-07 16:08:10 +00:00
{- git-annex command
-
- Copyright 2024 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU AGPL version 3 or higher.
-}
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE TypeOperators #-}
{-# LANGUAGE OverloadedStrings #-}
module Command.P2PHttp where
p2phttp support --jobs with --directory --jobs is usually an Annex option setter, but --directory runs in IO, so would not have that available. So instead moved the option parser into the command's Options.
2024-11-21 18:15:14 +00:00
import Command hiding (jobsOption)
factor out http server and client into own modules To avoid a cycle when Remote.Git uses the client.
2024-07-23 18:12:03 +00:00
import P2P.Http.Server
starting support for remote.name.annexUrl set to annex+http In this case, Remote.Git should not use that url for all access to the repository. It will only be used for annex operations, which isn't done yet.
2024-07-23 13:12:21 +00:00
import P2P.Http.Url
p2phttp is almost working for checkpresent The server is fully running annex actions, only the P2PConnection is wrong, currently using stdio.
2024-07-09 17:37:55 +00:00
import qualified P2P.Protocol as P2P
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
import Utility.Env
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
import Annex.UUID
import qualified Git
import qualified Git.Construct
import qualified Annex
p2phttp support --jobs with --directory --jobs is usually an Annex option setter, but --directory runs in IO, so would not have that available. So instead moved the option parser into the command's Options.
2024-11-21 18:15:14 +00:00
import Types.Concurrency
started servant implementation of HTTP P2P protocol
2024-07-07 16:08:10 +00:00
Remote.Git retrieveKeyFile works with annex+http urls This includes a bugfix to serveGet, it hung at the end.
2024-07-24 13:45:14 +00:00
import Servant
convert lockcontent api to http long polling Websockets would work, but the problem with using them for this is that each lockcontent call is a separate websocket connection. And that's an actual TCP connection. One TCP connection per file dropped would be too expensive. With http long polling, regular http pipelining can be used, so it will reuse a TCP connection. Unfortunately, at least with servant, bi-directional streams with long polling don't result in true bidirectional full duplex communication. Servant processes the whole client body stream before generating the server body stream. I think it's entirely possible to do full bi-directional communication over http, but it would need changes to servant. And, there's no way for the client to tell if the server successfully locked the content, since the server will keep processing the client stream no matter what.: So, added a new api endpoint, keeplocked. lockcontent will lock the key for 10 minutes with retention lock, and then a call to keeplocked will keep it locked for as long as needed. This does mean that there will need to be a Map of locks by key, and I will probably want to add some kind of lock identifier that lockcontent returns.
2024-07-08 14:40:38 +00:00
import qualified Network.Wai.Handler.Warp as Warp
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
import qualified Network.Wai.Handler.WarpTLS as Warp
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
import Network.Socket (PortNumber)
import qualified Data.Map as M
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
import Data.String
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
import Control.Concurrent.STM
convert lockcontent api to http long polling Websockets would work, but the problem with using them for this is that each lockcontent call is a separate websocket connection. And that's an actual TCP connection. One TCP connection per file dropped would be too expensive. With http long polling, regular http pipelining can be used, so it will reuse a TCP connection. Unfortunately, at least with servant, bi-directional streams with long polling don't result in true bidirectional full duplex communication. Servant processes the whole client body stream before generating the server body stream. I think it's entirely possible to do full bi-directional communication over http, but it would need changes to servant. And, there's no way for the client to tell if the server successfully locked the content, since the server will keep processing the client stream no matter what.: So, added a new api endpoint, keeplocked. lockcontent will lock the key for 10 minutes with retention lock, and then a call to keeplocked will keep it locked for as long as needed. This does mean that there will need to be a Map of locks by key, and I will probably want to add some kind of lock identifier that lockcontent returns.
2024-07-08 14:40:38 +00:00
started servant implementation of HTTP P2P protocol
2024-07-07 16:08:10 +00:00
cmd :: Command
p2phttp support --jobs with --directory --jobs is usually an Annex option setter, but --directory runs in IO, so would not have that available. So instead moved the option parser into the command's Options.
2024-11-21 18:15:14 +00:00
cmd = noMessages $ dontCheck repoExists $
noRepo (startIO <$$> optParser) $
command "p2phttp" SectionPlumbing
"communicate in P2P protocol over http"
paramNothing (startAnnex <$$> optParser)
started on auth
2024-07-09 21:30:55 +00:00
data Options = Options
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
{ portOption :: Maybe PortNumber
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
, bindOption :: Maybe String
p2phttp support https
2024-07-23 19:37:36 +00:00
, certFileOption :: Maybe FilePath
, privateKeyFileOption :: Maybe FilePath
, chainFileOption :: [FilePath]
started on auth
2024-07-09 21:30:55 +00:00
, authEnvOption :: Bool
, authEnvHttpOption :: Bool
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
, unauthReadOnlyOption :: Bool
, unauthAppendOnlyOption :: Bool
p2phttp: Allow unauthenticated users to lock content by default * p2phttp: Allow unauthenticated users to lock content by default. * p2phttp: Added --unauth-nolocking option to prevent unauthenticated users from locking content. The rationalle for this is that locking is not really a write operation, so makes sense to allow in a repository that only allows read-only access. Not supporting locking in that situation will prevent the user from dropping content from a special remote they control in cases where the other copy of the content is on the p2phttp server. Also, when p2phttp is configured to also allow authenticated access, lockcontent was resulting in a password prompt for users who had no way to authenticate. And there is no good way to distinguish between the two types of users client side. --unauth-nolocking anticipates that this might be abused, and seems better than disabling unauthenticated access entirely if a server is being attacked. It may be that rate limiting locking by IP address or similar would be an effective measure in such a situation. Or just limiting the number of locks by anonymous users that can be live at any one time. Since the impact of such an DOS attempt is limited to preventing dropping content from the server, it seems not a very appealing target anyway.
2024-10-21 14:02:12 +00:00
, unauthNoLockingOption :: Bool
started on auth
2024-07-09 21:30:55 +00:00
, wideOpenOption :: Bool
implement proxy connection pool removeOldestProxyConnectionPool will be innefficient the larger the pool is. A better data structure could be more efficient. Eg, make each value in the pool include the timestamp of its oldest element, then the oldest value can be found and modified, rather than rebuilding the whole Map. But, for pools of a few hundred items, this should be fine. It's O(n*n log n) or so. Also, when more than 1 connection with the same pool key exists, it's efficient even for larger pools, since removeOldestProxyConnectionPool is not needed. The default of 1 idle connection could perhaps be larger.. like the number of jobs? Otoh, it seems good to ramp up and down the number of connections, which does happen. With 1, there is at most one stale connection, which might cause a request to fail.
2024-07-26 20:34:08 +00:00
, proxyConnectionsOption :: Maybe Integer
p2phttp support --jobs with --directory --jobs is usually an Annex option setter, but --directory runs in IO, so would not have that available. So instead moved the option parser into the command's Options.
2024-11-21 18:15:14 +00:00
, jobsOption :: Maybe Concurrency
add --clusterjobs option and default to 1 The default of 1 is not ideal at all, but it avoids an accidental M*N causing so much concurrency it becomes unusable.
2024-07-28 14:36:22 +00:00
, clusterJobsOption :: Maybe Int
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
, directoryOption :: [FilePath]
started on auth
2024-07-09 21:30:55 +00:00
}
started servant implementation of HTTP P2P protocol
2024-07-07 16:08:10 +00:00
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
optParser :: CmdParamsDesc -> Parser Options
optParser _ = Options
<$> optional (option auto
( long "port" <> metavar paramNumber
<> help "specify port to listen on"
))
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
<*> optional (strOption
( long "bind" <> metavar paramAddress
<> help "specify address to bind to"
))
p2phttp support https
2024-07-23 19:37:36 +00:00
<*> optional (strOption
( long "certfile" <> metavar paramFile
<> help "TLS certificate file for HTTPS"
))
<*> optional (strOption
( long "privatekeyfile" <> metavar paramFile
<> help "TLS private key file for HTTPS"
))
<*> many (strOption
( long "chainfile" <> metavar paramFile
<> help "TLS chain file"
))
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
<*> switch
( long "authenv"
<> help "authenticate users from environment (https only)"
)
<*> switch
( long "authenv-http"
<> help "authenticate users from environment (including http)"
)
<*> switch
( long "unauth-readonly"
<> help "allow unauthenticated users to read the repository"
)
<*> switch
( long "unauth-appendonly"
<> help "allow unauthenticated users to read and append to the repository"
)
p2phttp: Allow unauthenticated users to lock content by default * p2phttp: Allow unauthenticated users to lock content by default. * p2phttp: Added --unauth-nolocking option to prevent unauthenticated users from locking content. The rationalle for this is that locking is not really a write operation, so makes sense to allow in a repository that only allows read-only access. Not supporting locking in that situation will prevent the user from dropping content from a special remote they control in cases where the other copy of the content is on the p2phttp server. Also, when p2phttp is configured to also allow authenticated access, lockcontent was resulting in a password prompt for users who had no way to authenticate. And there is no good way to distinguish between the two types of users client side. --unauth-nolocking anticipates that this might be abused, and seems better than disabling unauthenticated access entirely if a server is being attacked. It may be that rate limiting locking by IP address or similar would be an effective measure in such a situation. Or just limiting the number of locks by anonymous users that can be live at any one time. Since the impact of such an DOS attempt is limited to preventing dropping content from the server, it seems not a very appealing target anyway.
2024-10-21 14:02:12 +00:00
<*> switch
( long "unauth-nolocking"
<> help "prevent unauthenticated users from locking content in the repository"
)
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
<*> switch
( long "wideopen"
<> help "give unauthenticated users full read+write access"
)
implement proxy connection pool removeOldestProxyConnectionPool will be innefficient the larger the pool is. A better data structure could be more efficient. Eg, make each value in the pool include the timestamp of its oldest element, then the oldest value can be found and modified, rather than rebuilding the whole Map. But, for pools of a few hundred items, this should be fine. It's O(n*n log n) or so. Also, when more than 1 connection with the same pool key exists, it's efficient even for larger pools, since removeOldestProxyConnectionPool is not needed. The default of 1 idle connection could perhaps be larger.. like the number of jobs? Otoh, it seems good to ramp up and down the number of connections, which does happen. With 1, there is at most one stale connection, which might cause a request to fail.
2024-07-26 20:34:08 +00:00
<*> optional (option auto
( long "proxyconnections" <> metavar paramNumber
<> help "maximum number of idle connections when proxying"
))
p2phttp support --jobs with --directory --jobs is usually an Annex option setter, but --directory runs in IO, so would not have that available. So instead moved the option parser into the command's Options.
2024-11-21 18:15:14 +00:00
<*> optional jobsOptionParser
add --clusterjobs option and default to 1 The default of 1 is not ideal at all, but it avoids an accidental M*N causing so much concurrency it becomes unusable.
2024-07-28 14:36:22 +00:00
<*> optional (option auto
( long "clusterjobs" <> metavar paramNumber
<> help "number of concurrent node accesses per connection"
))
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
<*> many (strOption
( long "directory" <> metavar paramPath
<> help "serve repositories in subdirectories of a directory"
))
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
startAnnex :: Options -> Annex ()
startAnnex o
| null (directoryOption o) = ifM ((/=) NoUUID <$> getUUID)
( do
authenv <- liftIO getAuthEnv
st <- mkServerState o authenv
liftIO $ runServer o st
-- Run in a git repository that is not a git-annex repository.
, liftIO $ startIO o
)
| otherwise = liftIO $ startIO o
startIO :: Options -> IO ()
startIO o
| null (directoryOption o) =
giveup "Use the --directory option to specify which git-annex repositories to serve."
| otherwise = do
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
authenv <- getAuthEnv
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
st <- mkst authenv mempty
runServer o st
where
mkst authenv oldst = do
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
repos <- findRepos o
sts <- forM repos $ \r -> do
strd <- Annex.new r
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
Annex.eval strd (mkstannex authenv oldst)
return (mconcat sts)
{ updateRepos = updaterepos authenv
}
mkstannex authenv oldst = do
u <- getUUID
if u == NoUUID
then return mempty
else case M.lookup u (servedRepos oldst) of
Nothing -> mkServerState o authenv
Just old -> return $ P2PHttpServerState
{ servedRepos = M.singleton u old
, serverShutdownCleanup = mempty
, updateRepos = mempty
}
updaterepos authenv oldst = do
newst <- mkst authenv oldst
return $ newst
{ serverShutdownCleanup =
serverShutdownCleanup newst
<> serverShutdownCleanup oldst
}
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
runServer :: Options -> P2PHttpServerState -> IO ()
runServer o mst = go `finally` serverShutdownCleanup mst
where
go = do
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
let settings = Warp.setPort port $ Warp.setHost host $
Warp.defaultSettings
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
mstv <- newTMVarIO mst
p2phttp support https
2024-07-23 19:37:36 +00:00
case (certFileOption o, privateKeyFileOption o) of
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
(Nothing, Nothing) -> Warp.runSettings settings (p2pHttpApp mstv)
p2phttp support https
2024-07-23 19:37:36 +00:00
(Just certfile, Just privatekeyfile) -> do
let tlssettings = Warp.tlsSettingsChain
certfile (chainFileOption o) privatekeyfile
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
Warp.runTLS tlssettings settings (p2pHttpApp mstv)
p2phttp support https
2024-07-23 19:37:36 +00:00
_ -> giveup "You must use both --certfile and --privatekeyfile options to enable HTTPS."
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
port = maybe
starting support for remote.name.annexUrl set to annex+http In this case, Remote.Git should not use that url for all access to the repository. It will only be used for annex operations, which isn't done yet.
2024-07-23 13:12:21 +00:00
(fromIntegral defaultP2PHttpProtocolPort)
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
fromIntegral
starting support for remote.name.annexUrl set to annex+http In this case, Remote.Git should not use that url for all access to the repository. It will only be used for annex operations, which isn't done yet.
2024-07-23 13:12:21 +00:00
(portOption o)
add --bind option and listen to both ipv4 and ipv6 by default
2024-07-23 19:19:56 +00:00
host = maybe
(fromString "*") -- both ipv4 and ipv6
fromString
(bindOption o)
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
mkServerState :: Options -> M.Map Auth P2P.ServerMode -> Annex P2PHttpServerState
mkServerState o authenv =
p2phttp support --jobs with --directory --jobs is usually an Annex option setter, but --directory runs in IO, so would not have that available. So instead moved the option parser into the command's Options.
2024-11-21 18:15:14 +00:00
withAnnexWorkerPool (jobsOption o) $
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
mkP2PHttpServerState
(mkGetServerMode authenv o)
p2phttp: notice when new repositories are added to --directory When a uuid is not known, rescan for new repositories. Easy. When a repository is removed, it will also get removed from the server state on the next scan. But until a new uuid is seen, there will not be a scan. This leaves the server trying to serve a uuid whose repository is gone. That seems buggy. While getting just fails, dropping fails the first time, but seems to leave the server in an unusable state, so the next drop attempt hangs. The server is still able to serve other uuids, only the one whose repository was removed has that problem.
2024-11-21 19:09:12 +00:00
return
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
(fromMaybe 1 $ proxyConnectionsOption o)
(fromMaybe 1 $ clusterJobsOption o)
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
mkGetServerMode :: M.Map Auth P2P.ServerMode -> Options -> GetServerMode
mkGetServerMode _ o _ Nothing
p2phttp: Allow unauthenticated users to lock content by default * p2phttp: Allow unauthenticated users to lock content by default. * p2phttp: Added --unauth-nolocking option to prevent unauthenticated users from locking content. The rationalle for this is that locking is not really a write operation, so makes sense to allow in a repository that only allows read-only access. Not supporting locking in that situation will prevent the user from dropping content from a special remote they control in cases where the other copy of the content is on the p2phttp server. Also, when p2phttp is configured to also allow authenticated access, lockcontent was resulting in a password prompt for users who had no way to authenticate. And there is no good way to distinguish between the two types of users client side. --unauth-nolocking anticipates that this might be abused, and seems better than disabling unauthenticated access entirely if a server is being attacked. It may be that rate limiting locking by IP address or similar would be an effective measure in such a situation. Or just limiting the number of locks by anonymous users that can be live at any one time. Since the impact of such an DOS attempt is limited to preventing dropping content from the server, it seems not a very appealing target anyway.
2024-10-21 14:02:12 +00:00
| wideOpenOption o = ServerMode
{ serverMode = P2P.ServeReadWrite
, unauthenticatedLockingAllowed = unauthlock
, authenticationAllowed = False
}
| unauthAppendOnlyOption o = ServerMode
{ serverMode = P2P.ServeAppendOnly
, unauthenticatedLockingAllowed = unauthlock
, authenticationAllowed = canauth
}
| unauthReadOnlyOption o = ServerMode
{ serverMode = P2P.ServeReadOnly
, unauthenticatedLockingAllowed = unauthlock
, authenticationAllowed = canauth
}
p2phttp combining unauth and auth options p2phttp: Support serving unauthenticated users while requesting authentication for operations that need it. Eg, --unauth-readonly can be combined with --authenv. Drop locking currently needs authentication so it will prompt for that. That still needs to be addressed somehow.
2024-10-17 15:10:28 +00:00
| otherwise = CannotServeRequests
where
canauth = authEnvOption o || authEnvHttpOption o
p2phttp: Allow unauthenticated users to lock content by default * p2phttp: Allow unauthenticated users to lock content by default. * p2phttp: Added --unauth-nolocking option to prevent unauthenticated users from locking content. The rationalle for this is that locking is not really a write operation, so makes sense to allow in a repository that only allows read-only access. Not supporting locking in that situation will prevent the user from dropping content from a special remote they control in cases where the other copy of the content is on the p2phttp server. Also, when p2phttp is configured to also allow authenticated access, lockcontent was resulting in a password prompt for users who had no way to authenticate. And there is no good way to distinguish between the two types of users client side. --unauth-nolocking anticipates that this might be abused, and seems better than disabling unauthenticated access entirely if a server is being attacked. It may be that rate limiting locking by IP address or similar would be an effective measure in such a situation. Or just limiting the number of locks by anonymous users that can be live at any one time. Since the impact of such an DOS attempt is limited to preventing dropping content from the server, it seems not a very appealing target anyway.
2024-10-21 14:02:12 +00:00
unauthlock = not (unauthNoLockingOption o)
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
mkGetServerMode authenv o issecure (Just auth) =
case (issecure, authEnvOption o, authEnvHttpOption o) of
(Secure, True, _) -> checkauth
(NotSecure, _, True) -> checkauth
_ -> noauth
where
checkauth = case M.lookup auth authenv of
p2phttp: Allow unauthenticated users to lock content by default * p2phttp: Allow unauthenticated users to lock content by default. * p2phttp: Added --unauth-nolocking option to prevent unauthenticated users from locking content. The rationalle for this is that locking is not really a write operation, so makes sense to allow in a repository that only allows read-only access. Not supporting locking in that situation will prevent the user from dropping content from a special remote they control in cases where the other copy of the content is on the p2phttp server. Also, when p2phttp is configured to also allow authenticated access, lockcontent was resulting in a password prompt for users who had no way to authenticate. And there is no good way to distinguish between the two types of users client side. --unauth-nolocking anticipates that this might be abused, and seems better than disabling unauthenticated access entirely if a server is being attacked. It may be that rate limiting locking by IP address or similar would be an effective measure in such a situation. Or just limiting the number of locks by anonymous users that can be live at any one time. Since the impact of such an DOS attempt is limited to preventing dropping content from the server, it seems not a very appealing target anyway.
2024-10-21 14:02:12 +00:00
Just servermode -> ServerMode
{ serverMode = servermode
, authenticationAllowed = False
, unauthenticatedLockingAllowed = False
}
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
Nothing -> noauth
p2phttp combining unauth and auth options p2phttp: Support serving unauthenticated users while requesting authentication for operations that need it. Eg, --unauth-readonly can be combined with --authenv. Drop locking currently needs authentication so it will prompt for that. That still needs to be addressed somehow.
2024-10-17 15:10:28 +00:00
noauth = mkGetServerMode authenv noautho issecure Nothing
noautho = o { authEnvOption = False, authEnvHttpOption = False }
git-annex p2phttp options
2024-07-10 03:44:40 +00:00
getAuthEnv :: IO (M.Map Auth P2P.ServerMode)
getAuthEnv = do
environ <- getEnvironment
let permmap = M.fromList (mapMaybe parseperms environ)
return $ M.fromList $
map (addperms permmap) $
mapMaybe parseusername environ
where
parseperms (k, v) = case deprefix "GIT_ANNEX_P2PHTTP_PERMISSIONS_" k of
Nothing -> Nothing
Just username -> case v of
"readonly" -> Just
(encodeBS username, P2P.ServeReadOnly)
"appendonly" -> Just
(encodeBS username, P2P.ServeAppendOnly)
_ -> Nothing
parseusername (k, v) = case deprefix "GIT_ANNEX_P2PHTTP_PASSWORD_" k of
Nothing -> Nothing
Just username -> Just $ Auth (encodeBS username) (encodeBS v)
deprefix prefix s
| prefix `isPrefixOf` s = Just (drop (length prefix) s)
| otherwise = Nothing
addperms permmap auth@(Auth user _) =
case M.lookup user permmap of
Nothing -> (auth, P2P.ServeReadWrite)
Just perms -> (auth, perms)
p2phttp --directory implementation Untested, but it compiles, so. Known problems: * --jobs is not available to startIO * Does not notice when new repositories are added to a directory. * Does not notice when repositories are removed from a directory.
2024-11-21 17:53:23 +00:00
findRepos :: Options -> IO [Git.Repo]
findRepos o = do
files <- map toRawFilePath . concat
<$> mapM dirContents (directoryOption o)
map Git.Construct.newFrom . catMaybes
<$> mapM Git.Construct.checkForRepo files
Reference in a new issue Copy permalink