ZhenYi/gitdataai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0c1a9ddf98
gitdataai/libs/git/http/auth.rs
ZhenYi 0c1a9ddf98 refactor(git): migrate libs/git from slog to tracing 
- Remove all use slog::* imports and log: slog::Logger fields
- ssh/handle.rs: replace slog macro chains with tracing::{info!, warn!,
  error!, debug!}; remove log field from GitSshHandle
- ssh/authz.rs, ssh/mod.rs, ssh/server.rs: remove slog Logger fields
- http/: auth.rs, handler.rs, mod.rs, routes.rs: remove slog usage
- hook/: pool worker, sync modules, webhook_dispatch.rs: remove slog
2026-04-21 22:29:26 +08:00

67 lines
2.1 KiB
Rust
Raw Blame History

use crate::http::utils::{extract_basic_credentials, hash_access_key};
use crate::ssh::authz::SshAuthService;
use actix_web::{Error, HttpRequest};
use db::database::AppDatabase;
use models::repos::repo;
use models::users::{user, user_token};
use sea_orm::sqlx::types::chrono;
use sea_orm::*;
pub async fn verify_access_token(
db: &AppDatabase,
username: &str,
access_key: &str,
) -> Result<user::Model, Error> {
let user = user::Entity::find()
.filter(user::Column::Username.eq(username))
.one(db.reader())
.await
.map_err(|_| actix_web::error::ErrorUnauthorized("Invalid username or access key"))?
.ok_or_else(|| actix_web::error::ErrorUnauthorized("Invalid username or access key"))?;
let token_hash = hash_access_key(access_key);
let token = user_token::Entity::find()
.filter(user_token::Column::User.eq(user.uid))
.filter(user_token::Column::TokenHash.eq(token_hash))
.filter(user_token::Column::IsRevoked.eq(false))
.one(db.reader())
.await
.map_err(|_| actix_web::error::ErrorUnauthorized("Invalid username or access key"))?
.ok_or_else(|| actix_web::error::ErrorUnauthorized("Invalid username or access key"))?;
if let Some(expires_at) = token.expires_at {
if expires_at < chrono::Utc::now() {
return Err(actix_web::error::ErrorUnauthorized(
"Access key has expired",
));
}
}
Ok(user)
}
pub async fn authorize_repo_access(
req: &HttpRequest,
db: &AppDatabase,
repo: &repo::Model,
is_write: bool,
) -> Result<(), Error> {
if !is_write && !repo.is_private {
return Ok(());
}
let (username, access_key) = extract_basic_credentials(req)?;
let user = verify_access_token(db, &username, &access_key).await?;
let authz = SshAuthService::new(db.clone());
let can_access = authz.check_repo_permission(&user, repo, is_write).await;
if !can_access {
return Err(actix_web::error::ErrorForbidden(
"No permission for repository",
));
}
Ok(())
}
Reference in New Issue View Git Blame Copy Permalink