authentication is implemented
just need to make Command.P2PHttp generate a GetServerMode from options
This commit is contained in:
Joey Hess
parent
e5bf49b879
commit
6a8a4d1775
3 changed files with 46 additions and 21 deletions
26
P2P/Http.hs
26
P2P/Http.hs
|
|
@ -161,6 +161,7 @@ type CheckPresentAPI
|
||||||
:> ClientUUID Required
|
:> ClientUUID Required
|
||||||
:> ServerUUID Required
|
:> ServerUUID Required
|
||||||
:> BypassUUIDs
|
:> BypassUUIDs
|
||||||
|
:> AuthHeader
|
||||||
:> Post '[JSON] CheckPresentResult
|
:> Post '[JSON] CheckPresentResult
|
||||||
|
|
||||||
serveCheckPresent
|
serveCheckPresent
|
||||||
|
|
@ -171,9 +172,11 @@ serveCheckPresent
|
||||||
-> B64UUID ClientSide
|
-> B64UUID ClientSide
|
||||||
-> B64UUID ServerSide
|
-> B64UUID ServerSide
|
||||||
-> [B64UUID Bypass]
|
-> [B64UUID Bypass]
|
||||||
|
-> Maybe Auth
|
||||||
-> Handler CheckPresentResult
|
-> Handler CheckPresentResult
|
||||||
serveCheckPresent st apiver (B64Key k) cu su bypass = do
|
serveCheckPresent st apiver (B64Key k) cu su bypass auth = do
|
||||||
res <- withP2PConnection apiver st cu su bypass $ \runst conn ->
|
res <- withP2PConnection apiver st cu su bypass auth ReadAction
|
||||||
|
$ \runst conn ->
|
||||||
liftIO $ runNetProto runst conn $ checkPresent k
|
liftIO $ runNetProto runst conn $ checkPresent k
|
||||||
case res of
|
case res of
|
||||||
Right (Right b) -> return (CheckPresentResult b)
|
Right (Right b) -> return (CheckPresentResult b)
|
||||||
|
|
@ -186,6 +189,7 @@ clientCheckPresent'
|
||||||
-> B64UUID ClientSide
|
-> B64UUID ClientSide
|
||||||
-> B64UUID ServerSide
|
-> B64UUID ServerSide
|
||||||
-> [B64UUID Bypass]
|
-> [B64UUID Bypass]
|
||||||
|
-> Maybe Auth
|
||||||
-> ClientM CheckPresentResult
|
-> ClientM CheckPresentResult
|
||||||
clientCheckPresent' (ProtocolVersion ver) = case ver of
|
clientCheckPresent' (ProtocolVersion ver) = case ver of
|
||||||
3 -> v3 V3
|
3 -> v3 V3
|
||||||
|
|
@ -204,9 +208,10 @@ clientCheckPresent
|
||||||
-> B64UUID ClientSide
|
-> B64UUID ClientSide
|
||||||
-> B64UUID ServerSide
|
-> B64UUID ServerSide
|
||||||
-> [B64UUID Bypass]
|
-> [B64UUID Bypass]
|
||||||
|
-> Maybe Auth
|
||||||
-> IO Bool
|
-> IO Bool
|
||||||
clientCheckPresent clientenv protover key cu su bypass = do
|
clientCheckPresent clientenv protover key cu su bypass auth = do
|
||||||
let cli = clientCheckPresent' protover key cu su bypass
|
let cli = clientCheckPresent' protover key cu su bypass auth
|
||||||
withClientM cli clientenv $ \case
|
withClientM cli clientenv $ \case
|
||||||
Left err -> throwM err
|
Left err -> throwM err
|
||||||
Right (CheckPresentResult res) -> return res
|
Right (CheckPresentResult res) -> return res
|
||||||
|
|
@ -216,6 +221,7 @@ type RemoveAPI result
|
||||||
:> ClientUUID Required
|
:> ClientUUID Required
|
||||||
:> ServerUUID Required
|
:> ServerUUID Required
|
||||||
:> BypassUUIDs
|
:> BypassUUIDs
|
||||||
|
:> AuthHeader
|
||||||
:> Post '[JSON] result
|
:> Post '[JSON] result
|
||||||
|
|
||||||
serveRemove
|
serveRemove
|
||||||
|
|
@ -227,6 +233,7 @@ serveRemove
|
||||||
-> B64UUID ClientSide
|
-> B64UUID ClientSide
|
||||||
-> B64UUID ServerSide
|
-> B64UUID ServerSide
|
||||||
-> [B64UUID Bypass]
|
-> [B64UUID Bypass]
|
||||||
|
-> Maybe Auth
|
||||||
-> Handler t
|
-> Handler t
|
||||||
serveRemove = undefined
|
serveRemove = undefined
|
||||||
|
|
||||||
|
|
@ -236,12 +243,13 @@ clientRemove
|
||||||
-> B64UUID ClientSide
|
-> B64UUID ClientSide
|
||||||
-> B64UUID ServerSide
|
-> B64UUID ServerSide
|
||||||
-> [B64UUID Bypass]
|
-> [B64UUID Bypass]
|
||||||
|
-> Maybe Auth
|
||||||
-> ClientM RemoveResultPlus
|
-> ClientM RemoveResultPlus
|
||||||
clientRemove (ProtocolVersion ver) k cu su bypass = case ver of
|
clientRemove (ProtocolVersion ver) k cu su bypass auth = case ver of
|
||||||
3 -> v3 V3 k cu su bypass
|
3 -> v3 V3 k cu su bypass auth
|
||||||
2 -> v2 V2 k cu su bypass
|
2 -> v2 V2 k cu su bypass auth
|
||||||
1 -> plus <$> v1 V1 k cu su bypass
|
1 -> plus <$> v1 V1 k cu su bypass auth
|
||||||
0 -> plus <$> v0 V0 k cu su bypass
|
0 -> plus <$> v0 V0 k cu su bypass auth
|
||||||
_ -> error "unsupported protocol version"
|
_ -> error "unsupported protocol version"
|
||||||
where
|
where
|
||||||
_ :<|> _ :<|> _ :<|> _ :<|>
|
_ :<|> _ :<|> _ :<|> _ :<|>
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,9 @@ mkP2PHttpServerState acquireconn getservermode = P2PHttpServerState
|
||||||
<*> pure getservermode
|
<*> pure getservermode
|
||||||
<*> newTMVarIO mempty
|
<*> newTMVarIO mempty
|
||||||
|
|
||||||
|
data ActionClass = ReadAction | WriteAction | RemoveAction
|
||||||
|
deriving (Eq)
|
||||||
|
|
||||||
withP2PConnection
|
withP2PConnection
|
||||||
:: APIVersion v
|
:: APIVersion v
|
||||||
=> v
|
=> v
|
||||||
|
|
@ -43,10 +46,20 @@ withP2PConnection
|
||||||
-> B64UUID ClientSide
|
-> B64UUID ClientSide
|
||||||
-> B64UUID ServerSide
|
-> B64UUID ServerSide
|
||||||
-> [B64UUID Bypass]
|
-> [B64UUID Bypass]
|
||||||
|
-> Maybe Auth
|
||||||
|
-> ActionClass
|
||||||
-> (RunState -> P2PConnection -> Handler a)
|
-> (RunState -> P2PConnection -> Handler a)
|
||||||
-> Handler a
|
-> Handler a
|
||||||
withP2PConnection apiver st cu su bypass connaction = do
|
withP2PConnection apiver st cu su bypass auth actionclass connaction =
|
||||||
liftIO (acquireP2PConnection st cp) >>= \case
|
case (getServerMode st auth, actionclass) of
|
||||||
|
(Just P2P.ServeReadWrite, _) -> go P2P.ServeReadWrite
|
||||||
|
(Just P2P.ServeAppendOnly, RemoveAction) -> throwError err403
|
||||||
|
(Just P2P.ServeAppendOnly, _) -> go P2P.ServeAppendOnly
|
||||||
|
(Just P2P.ServeReadOnly, ReadAction) -> go P2P.ServeReadOnly
|
||||||
|
(Just P2P.ServeReadOnly, _) -> throwError err403
|
||||||
|
(Nothing, _) -> throwError err401
|
||||||
|
where
|
||||||
|
go servermode = liftIO (acquireP2PConnection st cp) >>= \case
|
||||||
Left (ConnectionFailed err) ->
|
Left (ConnectionFailed err) ->
|
||||||
throwError err502 { errBody = encodeBL err }
|
throwError err502 { errBody = encodeBL err }
|
||||||
Left TooManyConnections ->
|
Left TooManyConnections ->
|
||||||
|
|
@ -60,10 +73,11 @@ withP2PConnection apiver st cu su bypass connaction = do
|
||||||
, connectionServerUUID = fromB64UUID su
|
, connectionServerUUID = fromB64UUID su
|
||||||
, connectionClientUUID = fromB64UUID cu
|
, connectionClientUUID = fromB64UUID cu
|
||||||
, connectionBypass = map fromB64UUID bypass
|
, connectionBypass = map fromB64UUID bypass
|
||||||
, connectionServerMode = P2P.ServeReadWrite -- XXX auth
|
, connectionServerMode = servermode
|
||||||
}
|
}
|
||||||
|
|
||||||
type GetServerMode = IsSecure -> Maybe BasicAuthData -> Maybe P2P.ServerMode
|
-- Nothing when the server is not allowed to serve any requests.
|
||||||
|
type GetServerMode = Maybe Auth -> Maybe P2P.ServerMode
|
||||||
|
|
||||||
data ConnectionParams = ConnectionParams
|
data ConnectionParams = ConnectionParams
|
||||||
{ connectionProtocolVersion :: P2P.ProtocolVersion
|
{ connectionProtocolVersion :: P2P.ProtocolVersion
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,9 @@ it will fail with 401 Unauthorized.
|
||||||
Authentication is done using HTTP basic auth. The realm to use when
|
Authentication is done using HTTP basic auth. The realm to use when
|
||||||
authenticating is "git-annex".
|
authenticating is "git-annex".
|
||||||
|
|
||||||
|
When authentication is successful but does not allow a request to be
|
||||||
|
performed, it will fail with 403 Forbidden.
|
||||||
|
|
||||||
Note that HTTP basic auth is not encrypted so is only secure when used
|
Note that HTTP basic auth is not encrypted so is only secure when used
|
||||||
over HTTPS.
|
over HTTPS.
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue