annex.listen can be configured, instead of using --listen

Joey Hess 2014-03-01 00:31:17 -04:00
parent 2fd72fc2fd
commit 6a355686ff
7 changed files with 69 additions and 32 deletions


@ -124,7 +124,7 @@ startDaemon assistant foreground startdelay cannotrun listenhost startbrowser =
notice ["starting", desc, "version", SysConfig.packageversion] notice ["starting", desc, "version", SysConfig.packageversion]
urlrenderer <- liftIO newUrlRenderer urlrenderer <- liftIO newUrlRenderer
#ifdef WITH_WEBAPP #ifdef WITH_WEBAPP
let webappthread = [ assist $ webAppThread d urlrenderer False cannotrun listenhost Nothing webappwaiter ] let webappthread = [ assist $ webAppThread d urlrenderer False cannotrun Nothing listenhost webappwaiter ]
#else #else
let webappthread = [] let webappthread = []
#endif #endif


@ -1,6 +1,6 @@
{- git-annex assistant webapp thread {- git-annex assistant webapp thread
- -
- Copyright 2012 Joey Hess <joey@kitenet.net> - Copyright 2012-2014 Joey Hess <joey@kitenet.net>
- -
- Licensed under the GNU GPL version 3 or higher. - Licensed under the GNU GPL version 3 or higher.
-} -}
@ -41,6 +41,7 @@ import Utility.WebApp
import Utility.Tmp import Utility.Tmp
import Utility.FileMode import Utility.FileMode
import Git import Git
import qualified Annex
import Yesod import Yesod
import Network.Socket (SockAddr, HostName) import Network.Socket (SockAddr, HostName)
@ -56,13 +57,17 @@ webAppThread
-> UrlRenderer -> UrlRenderer
-> Bool -> Bool
-> Maybe String -> Maybe String
-> Maybe HostName
-> Maybe (IO Url) -> Maybe (IO Url)
-> Maybe HostName
-> Maybe (Url -> FilePath -> IO ()) -> Maybe (Url -> FilePath -> IO ())
-> NamedThread -> NamedThread
webAppThread assistantdata urlrenderer noannex cannotrun listenhost postfirstrun onstartup = thread $ liftIO $ do webAppThread assistantdata urlrenderer noannex cannotrun postfirstrun listenhost onstartup = thread $ liftIO $ do
listenhost' <- if isJust listenhost
then pure listenhost
else getAnnex $ annexListen <$> Annex.getGitConfig
tlssettings <- getAnnex getTlsSettings
#ifdef __ANDROID__ #ifdef __ANDROID__
when (isJust listenhost) $ when (isJust listenhost') $
-- See Utility.WebApp -- See Utility.WebApp
error "Sorry, --listen is not currently supported on Android" error "Sorry, --listen is not currently supported on Android"
#endif #endif
@ -74,22 +79,20 @@ webAppThread assistantdata urlrenderer noannex cannotrun listenhost postfirstrun
<*> pure postfirstrun <*> pure postfirstrun
<*> pure cannotrun <*> pure cannotrun
<*> pure noannex <*> pure noannex
<*> pure listenhost <*> pure listenhost'
setUrlRenderer urlrenderer $ yesodRender webapp (pack "") setUrlRenderer urlrenderer $ yesodRender webapp (pack "")
app <- toWaiAppPlain webapp app <- toWaiAppPlain webapp
app' <- ifM debugEnabled app' <- ifM debugEnabled
( return $ httpDebugLogger app ( return $ httpDebugLogger app
, return app , return app
) )
tlssettings <- runThreadState (threadState assistantdata) getTlsSettings runWebApp tlssettings listenhost' app' $ \addr -> if noannex
runWebApp tlssettings listenhost app' $ \addr -> if noannex
then withTmpFile "webapp.html" $ \tmpfile h -> do then withTmpFile "webapp.html" $ \tmpfile h -> do
hClose h hClose h
go tlssettings addr webapp tmpfile Nothing go tlssettings addr webapp tmpfile Nothing
else do else do
let st = threadState assistantdata htmlshim <- getAnnex' $ fromRepo gitAnnexHtmlShim
htmlshim <- runThreadState st $ fromRepo gitAnnexHtmlShim urlfile <- getAnnex' $ fromRepo gitAnnexUrlFile
urlfile <- runThreadState st $ fromRepo gitAnnexUrlFile
go tlssettings addr webapp htmlshim (Just urlfile) go tlssettings addr webapp htmlshim (Just urlfile)
where where
-- The webapp thread does not wait for the startupSanityCheckThread -- The webapp thread does not wait for the startupSanityCheckThread
@ -100,13 +103,18 @@ webAppThread assistantdata urlrenderer noannex cannotrun listenhost postfirstrun
| noannex = return Nothing | noannex = return Nothing
| otherwise = Just <$> | otherwise = Just <$>
(relHome =<< absPath (relHome =<< absPath
=<< runThreadState (threadState assistantdata) (fromRepo repoPath)) =<< getAnnex' (fromRepo repoPath))
go tlssettings addr webapp htmlshim urlfile = do go tlssettings addr webapp htmlshim urlfile = do
let url = myUrl tlssettings webapp addr let url = myUrl tlssettings webapp addr
maybe noop (`writeFileProtected` url) urlfile maybe noop (`writeFileProtected` url) urlfile
writeHtmlShim "Starting webapp..." url htmlshim writeHtmlShim "Starting webapp..." url htmlshim
maybe noop (\a -> a url htmlshim) onstartup maybe noop (\a -> a url htmlshim) onstartup
getAnnex a
| noannex = pure Nothing
| otherwise = getAnnex' a
getAnnex' = runThreadState (threadState assistantdata)
myUrl :: Maybe TLS.TLSSettings -> WebApp -> SockAddr -> Url myUrl :: Maybe TLS.TLSSettings -> WebApp -> SockAddr -> Url
myUrl tlssettings webapp addr = unpack $ yesodRender webapp urlbase DashboardR [] myUrl tlssettings webapp addr = unpack $ yesodRender webapp urlbase DashboardR []
where where
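Review bot: `webAppThread` now takes a non-localhost bind address from the persistent annex.listen setting, but nothing checks that `tlssettings` is present before `runWebApp tlssettings listenhost' app'` runs. `myUrl` accepts a `Maybe TLS.TLSSettings`, so the webapp can apparently still come up over plain HTTP on that address when no certificate is installed, and the auth token in the URL would then travel unencrypted on every start. Consider warning or refusing in that case, e.g. `when (isJust listenhost' && isNothing tlssettings) $ hPutStrLn stderr "annex.listen is set but HTTPS is not configured"`. Separately, the Android error text still names only `--listen` although it now also fires when annex.listen is set. The body of `webAppThread` continues outside the visible hunks.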


@ -68,16 +68,22 @@ start' allowauto listenhost = do
cannotrun <- needsUpgrade . fromMaybe (error "no version") =<< getVersion cannotrun <- needsUpgrade . fromMaybe (error "no version") =<< getVersion
browser <- fromRepo webBrowser browser <- fromRepo webBrowser
f <- liftIO . absPath =<< fromRepo gitAnnexHtmlShim f <- liftIO . absPath =<< fromRepo gitAnnexHtmlShim
listenhost' <- if isJust listenhost
then pure listenhost
else annexListen <$> Annex.getGitConfig
ifM (checkpid <&&> checkshim f) ifM (checkpid <&&> checkshim f)
( if isJust listenhost ( if isJust listenhost
then error "The assistant is already running, so --listen cannot be used." then error "The assistant is already running, so --listen cannot be used."
else do else do
url <- liftIO . readFile url <- liftIO . readFile
=<< fromRepo gitAnnexUrlFile =<< fromRepo gitAnnexUrlFile
liftIO $ openBrowser browser f url Nothing Nothing liftIO $ if isJust listenhost'
, startDaemon True True Nothing cannotrun listenhost $ Just $ then putStrLn url
else liftIO $ openBrowser browser f url Nothing Nothing
, do
startDaemon True True Nothing cannotrun listenhost' $ Just $
\origout origerr url htmlshim -> \origout origerr url htmlshim ->
if isJust listenhost if isJust listenhost'
then maybe noop (`hPutStrLn` url) origout then maybe noop (`hPutStrLn` url) origout
else openBrowser browser htmlshim url origout origerr else openBrowser browser htmlshim url origout origerr
) )
@ -142,8 +148,9 @@ firstRun listenhost = do
let callback a = Just $ a v let callback a = Just $ a v
runAssistant d $ do runAssistant d $ do
startNamedThread urlrenderer $ startNamedThread urlrenderer $
webAppThread d urlrenderer True Nothing listenhost webAppThread d urlrenderer True Nothing
(callback signaler) (callback signaler)
listenhost
(callback mainthread) (callback mainthread)
waitNamedThreads waitNamedThreads
where where
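Review bot: In the already-running branch of `start'`, the choice between `putStrLn url` and `openBrowser` depends on the current annex.listen value, while `url` is read from the file written by the running daemon. If the setting was added or changed after that daemon started, the printed URL may not match the configured address; a comment would help, e.g. `-- url was written by the running daemon; annex.listen may have changed since it started`. The inner `liftIO` in `else liftIO $ openBrowser browser f url Nothing Nothing` is redundant inside `liftIO $ if ...` and can be dropped. The printed URL carries the webapp's auth token, so a comment should also note that this command's stdout is sensitive. `start'` begins above the hunk.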


@ -50,6 +50,7 @@ data GitConfig = GitConfig
, annexExpireUnused :: Maybe (Maybe Duration) , annexExpireUnused :: Maybe (Maybe Duration)
, annexSecureEraseCommand :: Maybe String , annexSecureEraseCommand :: Maybe String
, annexGenMetaData :: Bool , annexGenMetaData :: Bool
, annexListen :: Maybe String
, coreSymlinks :: Bool , coreSymlinks :: Bool
, gcryptId :: Maybe String , gcryptId :: Maybe String
} }
@ -83,6 +84,7 @@ extractGitConfig r = GitConfig
<$> getmaybe (annex "expireunused") <$> getmaybe (annex "expireunused")
, annexSecureEraseCommand = getmaybe (annex "secure-erase-command") , annexSecureEraseCommand = getmaybe (annex "secure-erase-command")
, annexGenMetaData = getbool (annex "genmetadata") False , annexGenMetaData = getbool (annex "genmetadata") False
, annexListen = getmaybe (annex "listen")
, coreSymlinks = getbool "core.symlinks" True , coreSymlinks = getbool "core.symlinks" True
, gcryptId = getmaybe "core.gcrypt-id" , gcryptId = getmaybe "core.gcrypt-id"
} }
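Review bot: `annexListen` decides which network address the webapp binds to, but the field is added to `GitConfig` without a comment marking it as security-relevant. I would add one next to the field, such as `-- address the webapp listens on; Nothing keeps the localhost default`. Whether `getmaybe` can yield `Just ""` for an empty `annex.listen=` is not visible here; if it can, that value should be treated as unset before it reaches `runWebApp`. Both the record and `extractGitConfig` extend beyond the hunks.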

1
debian/changelog vendored

@ -3,6 +3,7 @@ git-annex (5.20140228) UNRELEASED; urgency=medium
* webapp: Now supports HTTPS. * webapp: Now supports HTTPS.
* webapp: No longer supports a port specified after --listen, since * webapp: No longer supports a port specified after --listen, since
it was buggy, and that use case is better supported by setting up HTTPS. it was buggy, and that use case is better supported by setting up HTTPS.
* annex.listen can be configured, instead of using --listen
* Probe for quvi version at run time. * Probe for quvi version at run time.
* webapp: Filter out from Switch Repository list any * webapp: Filter out from Switch Repository list any
repositories listed in autostart file that don't have a repositories listed in autostart file that don't have a


@ -308,7 +308,8 @@ subdirectories).
it opens a browser window. it opens a browser window.
To use the webapp on a remote computer, use the `--listen=address` To use the webapp on a remote computer, use the `--listen=address`
option to specify the address the web server should listen on. option to specify the address the web server should listen on
(or set annex.listen).
This disables running a local web browser, and outputs the url you This disables running a local web browser, and outputs the url you
can use to open the webapp. can use to open the webapp.
@ -1376,6 +1377,12 @@ Here are all the supported configuration settings.
Set to false to prevent the git-annex assistant from automatically Set to false to prevent the git-annex assistant from automatically
committing changes to files in the repository. committing changes to files in the repository.
* `annex.listen`
Configures which address the webapp listens on. The default is localhost.
Can be either an IP address, or a hostname that resolves to the desired
address.
* `annex.debug` * `annex.debug`
Set to true to enable debug logging by default. Set to true to enable debug logging by default.


@ -4,7 +4,13 @@ web browser.
Sure, no problem! It can even be done securely! Sure, no problem! It can even be done securely!
First, you need to generate a private key and a certificate for HTTPS. Let's start by making the git-annex repository on the remote server.
git init annex
cd annex
git annex init
Now, you need to generate a private key and a certificate for HTTPS.
These files are stored in `.git/annex/privkey.pem` and These files are stored in `.git/annex/privkey.pem` and
`.git/annex/certificate.pem` inside the git repository. Here's `.git/annex/certificate.pem` inside the git repository. Here's
one way to generate those files, using a self-signed certificate: one way to generate those files, using a self-signed certificate:
@ -17,22 +23,28 @@ With those files in place, git-annex will automatically only accept HTTPS
connections. That's good, since HTTP connections are not secure over the connections. That's good, since HTTP connections are not secure over the
big bad internet. big bad internet.
All that remains is to start the webapp listening on the external interface All that remains is to make the webapp listen on the external interface
of the server. Normally, for security, git-annex only listens on localhost. of the server. Normally, for security, git-annex only listens on localhost.
Tell it what hostname to listen on:
git annex webapp --listen=host.example.com git config annex.listen host.example.com
(If your hostname doesn't work, its IP address certianly will..) (If your hostname doesn't work, its IP address certianly will..)
When you run the webapp like that, it'll print out the URL to use to open When you run the webapp configured like that, it'll print out the
it. You can paste that into your web browser. URL to use to open it. You can paste that into your web browser.
Notice that the URL has a big jumble of letters at the end -- this is a secret git annex webapp
token that the webapp uses to verify you're you. So random attackers can't find http://host.example.com:42232/?auth=ea7857ad...
your webapp and do bad things with it.
The webapp also writes its url to `.git/annex/url`, so you can use that Notice that the URL has a big jumble of letters at the end -- this is a
file to automate opening the url. For example, you could make your server secret token that the webapp uses to verify you're you. So random attackers
start the webapp on boot, and then to open it, run: can't find your webapp and do bad things with it.
xdg-open "$(ssh host.example.com cat annex/.git/annex/url)" If you like, you can make the server run `git annex assistant --autostart`
on boot.
To automate opening the remote server's webapp in your local browser,
just run this:
firefox "$(ssh host.example.com git annex webapp)"