Merge pull request #1674 from josmo/stash-security-cleanup

Stash security cleanup
Brad Rydzewski 2016-06-16 08:30:09 -07:00 committed by GitHub
commit 30d55a224e


@ -151,47 +151,11 @@ func (*client) Teams(u *model.User) ([]*model.Team, error) {
}
func (c *client) Repo(u *model.User, owner, name string) (*model.Repo, error) {
client := NewClientWithToken(&c.Consumer, u.Token)
urlString := fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s", c.URL, owner, name)
response, err := client.Get(urlString)
if err != nil {
log.Error(err)
}
defer response.Body.Close()
contents, err := ioutil.ReadAll(response.Body)
bsRepo := BSRepo{}
err = json.Unmarshal(contents, &bsRepo)
repo , err := c.FindRepo(client,owner,name)
if err != nil {
return nil, err
}
repo := &model.Repo{
Name: bsRepo.Slug,
Owner: bsRepo.Project.Key,
Branch: "master",
Kind: model.RepoGit,
IsPrivate: true, // TODO(josmo) possibly set this as a setting - must always be private to use netrc
FullName: fmt.Sprintf("%s/%s", bsRepo.Project.Key, bsRepo.Slug),
}
for _, item := range bsRepo.Links.Clone {
if item.Name == "http" {
uri, err := url.Parse(item.Href)
if err != nil {
return nil, err
}
uri.User = nil
repo.Clone = uri.String()
}
}
for _, item := range bsRepo.Links.Self {
if item.Href != "" {
repo.Link = item.Href
}
}
return repo, nil
}
@ -228,11 +192,22 @@ func (c *client) Repos(u *model.User) ([]*model.RepoLite, error) {
}
func (c *client) Perm(u *model.User, owner, repo string) (*model.Perm, error) {
// TODO need to fetch real permissions here
client := NewClientWithToken(&c.Consumer, u.Token)
perms := new(model.Perm)
perms.Pull = true
perms.Admin = true
// If you don't have access return none right away
_, err := c.FindRepo(client, owner, repo)
if err != nil {
return perms, err
}
// Must have admin to be able to list hooks. If have access the enable perms
_, err = client.Get(fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s/settings/hooks/%s", c.URL, owner, repo,"com.atlassian.stash.plugin.stash-web-post-receive-hooks-plugin:postReceiveHook"))
if err == nil {
perms.Push = true
perms.Admin = true
}
perms.Pull = true
return perms, nil
}
@ -363,3 +338,46 @@ func (bs *client) DeleteHook(client *http.Client, project, slug, hook_key, link
return nil
}
func (c *client) FindRepo(client *http.Client, owner string, name string) (*model.Repo, error){
urlString := fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s", c.URL, owner, name)
response, err := client.Get(urlString)
if err != nil {
log.Error(err)
}
defer response.Body.Close()
contents, err := ioutil.ReadAll(response.Body)
bsRepo := BSRepo{}
err = json.Unmarshal(contents, &bsRepo)
if err !=nil {
return nil, err
}
repo := &model.Repo{
Name: bsRepo.Slug,
Owner: bsRepo.Project.Key,
Branch: "master",
Kind: model.RepoGit,
IsPrivate: true, // TODO(josmo) possibly set this as a setting - must always be private to use netrc
FullName: fmt.Sprintf("%s/%s", bsRepo.Project.Key, bsRepo.Slug),
}
for _, item := range bsRepo.Links.Clone {
if item.Name == "http" {
uri, err := url.Parse(item.Href)
if err != nil {
return nil, err
}
uri.User = nil
repo.Clone = uri.String()
}
}
for _, item := range bsRepo.Links.Self {
if item.Href != "" {
repo.Link = item.Href
}
}
return repo, nil
}
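Review bot: In Perm, Push and Admin are granted whenever `client.Get` on the hooks endpoint returns a nil error, but Go's `http.Client.Get` returns a nil error for any completed response, including 401, 403 and 404, so the status code must be checked before the grant. FindRepo has the same gap: it never inspects `response.StatusCode`, so the "no access" early return in Perm and the lookup in Repo only fire when the body fails to decode, and a Stash JSON error body presumably decodes into an empty BSRepo without error. FindRepo also only logs a failed Get and then reaches `defer response.Body.Close()` with a nil response, and Perm never closes the hooks response body. The sketch below fails closed in both places; it assumes NewClientWithToken returns a plain `*http.Client` whose transport does not itself turn non-2xx responses into errors.

```go
func (c *client) Perm(u *model.User, owner, repo string) (*model.Perm, error) {
	// … unchanged: client setup, perms allocation, FindRepo access check …
	resp, err := client.Get(fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s/settings/hooks/%s", c.URL, owner, repo, "com.atlassian.stash.plugin.stash-web-post-receive-hooks-plugin:postReceiveHook"))
	if err != nil {
		return perms, err
	}
	defer resp.Body.Close()
	// Only a successful read of the hook settings demonstrates admin access.
	if resp.StatusCode == http.StatusOK {
		perms.Push = true
		perms.Admin = true
	}
	perms.Pull = true
	return perms, nil
}

func (c *client) FindRepo(client *http.Client, owner string, name string) (*model.Repo, error) {
	urlString := fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s", c.URL, owner, name)
	response, err := client.Get(urlString)
	if err != nil {
		return nil, err
	}
	defer response.Body.Close()
	if response.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("stash: repository lookup for %s/%s returned status %d", owner, name, response.StatusCode)
	}
	// … unchanged: read body, decode BSRepo, build model.Repo, clone and self links …
```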