#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import plugins.basetypes import plugins.session import plugins.ldap import re import os import aiohttp.client import asyncio import shutil import asfpy.messaging GIT_EXEC = shutil.which("git") MAIL_LISTS_URL = "https://webmod.apache.org/lists" GB_CLONE_EXEC = "/x1/gitbox/bin/gitbox-clone" NEW_REPO_NOTIFY = 'notifications@infra.apache.org' NEW_REPO_NOTIFY_MSG = """ A new repository has been set up by %(uid)s@apache.org: %(reponame)s Commit mail target: %(commit_mail)s Dev/issue mail target: %(issue_mail)s The repository can be found at: GitBox: %(repourl_gb)s GitHub: %(repourl_gh)s With regards, Boxer Git Management Services """ """ Repository editor endpoint for Boxer""" GB_GITWEB_PATH = "/x1/gitbox/conf/httpd/gitweb.%(pmc)s.pl" GB_GITWEB_CONFIG = """ # This gitweb config file was dynamically generated by Boxer our $projectroot = "/x1/repos/private/%(pmc)s"; our $site_name = "Private repositories for Apache%(pmc)s"; our $site_header = "<h1>Apache %(pmc)s Private Git Repos</h1>"; # Fix URLs for static assests to simplify the # httpd configuration. our @stylesheets = ("/static/gitweb.css"); our $logo = "/static/git-logo.png"; our $favicon = "/static/git-favicon.png"; our $javascript = "/static/gitweb.js"; $feature{'avatar'}{'default'} = ['gravatar']; $feature{'highlight'}{'default'} = [1]; """ EXEC_ADDITIONAL_PROJECTS = ["board", "members", "foundation"] async def process( server: plugins.basetypes.Server, session: plugins.session.SessionObject, indata: dict ) -> dict: if not session.credentials: return {"okay": False, "message": "You need to be logged in to access this end point"} action = indata.get("action") if action == "create": reponame = indata.get("repository") uid = session.credentials.uid private = indata.get("private", False) m = re.match(r"^(?:incubator-)?([a-z0-9]+)(-[-0-9a-z]+)?\.git$", reponame) # httpd.git or sling-foo.git etc if not m: return {"okay": False, "message": "Invalid repository name specified"} pmc = m.group(1) title = indata.get("title", "Apache %s" % pmc) # Check LDAP ownership if not session.credentials.admin and not (session.credentials.member and pmc in EXEC_ADDITIONAL_PROJECTS): async with plugins.ldap.LDAPClient(server.config.ldap) as lc: committer_list, pmc_list = await lc.get_members(pmc) if not pmc_list: return {"okay": False, "message": "Invalid project prefix '%s' specified" % pmc} if session.credentials.uid not in pmc_list: return {"okay": False, "message": "Only (I)PMC members of this project may create repositories"} repourl_gh = f"https://github.com/{server.config.github.org}/{reponame}" repourl_gb = f"https://gitbox.apache.org/repos/asf/{reponame}" if not private: repo_path = os.path.join(server.config.repos.public, reponame) if os.path.exists(repo_path): return {"okay": False, "message": "A repository by that name already exists"} else: if not session.credentials.admin: return {"okay": False, "message": "Private repositories can only be created by Infrastructure staff"} repourl_gb = f"https://gitbox.apache.org/repos/private/{pmc}/{reponame}" repo_path = os.path.join(server.config.repos.private, pmc, reponame) pmc_dir = os.path.join(server.config.repos.private, pmc) # If PMC dir does not exist, create it and plop in a .htaccess file for auth if not os.path.isdir(pmc_dir): os.mkdir(pmc_dir) htaccess = f""" # This htaccess file was dynamically generated by Boxer <Location /repos/private/{pmc}> AuthType Basic AuthName "ASF Private Repos for Apache {pmc}" AuthBasicProvider ldap AuthLDAPUrl "ldaps://ldap-eu.apache.org/ou=people,dc=apache,dc=org?uid" AuthLDAPBindDN cn=nss_p6,ou=users,ou=services,dc=apache,dc=org AuthLDAPBindPassword "exec:/usr/bin/asfldapsearch --pwd" AuthLDAPGroupAttribute owner AuthLDAPGroupAttributeIsDN on Require ldap-group cn={pmc},ou=project,ou=groups,dc=apache,dc=org </Location> """ gitwebconf = f""" our $projectroot = "{pmc_dir}"; our $site_name = "Private repositories for Apache {pmc}"; our $site_header = "<h1>ASF Private Git Repositories for Apache {pmc}</h1>"; our @stylesheets = ("/static/gitweb.css"); our $logo = "/static/git-logo.png"; our $favicon = "/static/git-favicon.png"; our $javascript = "/static/gitweb.js"; """ with open(f"/x1/gitbox/conf/httpd/gitweb.{pmc}.pl", "w") as f: f.write(gitwebconf) f.close() with open(f"/x1/gitbox/conf/httpd/htaccess.{pmc}", "w") as f: f.write(htaccess) f.close() proc = await asyncio.create_subprocess_exec( '/usr/bin/sudo', '/usr/sbin/service', 'apache2', 'graceful', stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await proc.communicate() if proc.returncode != 0: return {"okay": False, "message": "Could not apply pre-create security controls: " + stderr.encode("utf-8")} if os.path.exists(repo_path): return {"okay": False, "message": "A repository by that name already exists"} # Get last bits of info commit_mail = indata.get("commit", "commits@%s.apache.org" % pmc) issue_mail = indata.get("issue", "dev@%s.apache.org" % pmc) # Verify mailing lists against mailgw, re INFRA-23797 session_timeout = aiohttp.ClientTimeout(total=None, sock_connect=15, sock_read=15) async with aiohttp.client.ClientSession(timeout=session_timeout) as hc: rv = await hc.get(MAIL_LISTS_URL) mailinglists = await rv.json() if commit_mail not in mailinglists: return {"okay": False, "message": "The commit mailing list target is not a valid apache.org mailing list, please fix!"} if issue_mail not in mailinglists: return {"okay": False, "message": "The issues mailing list target is not a valid apache.org mailing list, please fix!"} # Create the repo if private and GB_GITWEB_PATH: with open(GB_GITWEB_PATH % locals(), "w") as f: f.write(GB_GITWEB_CONFIG % locals()) f.close() rv = await create_repo(server, reponame, title, pmc, private) if rv is True: params = ['-c', commit_mail, '-d', title, "git@github:%s/%s" % (server.config.github.org, reponame), repo_path] proc = await asyncio.create_subprocess_exec( GB_CLONE_EXEC, *params, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE ) stdout, stderr = await proc.communicate() # Everything went okay? if proc.returncode == 0: # Add the apache.dev setting with open(os.path.join(repo_path, "config"), "a") as f: f.write("\n[apache]\n dev = %s\n" % issue_mail) f.close() asfpy.messaging.mail( sender="GitBox <gitbox@apache.org>", recipients=[NEW_REPO_NOTIFY, f"private@{pmc}.apache.org"], subject=f"New GitBox/GitHub repository set up: {reponame}", message=NEW_REPO_NOTIFY_MSG % locals() ) return {"okay": True, "message": "Repository created!"} else: return {"okay": False, "message": str(stderr)} else: return {"okay": False, "message": rv} async def create_repo(server, repo, title, pmc, private = False): url = "https://api.github.com/orgs/%s/repos" % server.config.github.org session_timeout = aiohttp.ClientTimeout(total=None, sock_connect=15, sock_read=15) async with aiohttp.client.ClientSession(timeout=session_timeout) as hc: rv = await hc.post(url, json={ 'name': repo, 'description': title, 'homepage': "https://%s.apache.org/" % pmc, 'private': private, 'has_issues': False, 'has_projects': False, 'has_wiki': False }, headers={'Authorization': "token %s" % server.config.github.token} ) if rv.status == 201: return True else: txt = await rv.text() return txt def register(server: plugins.basetypes.Server): return plugins.basetypes.Endpoint(process)