alarsyo/lohr
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: alarsyo:main
Branches Tags
alarsyo:main
alarsyo:ci-cachix
alarsyo:fix-flake
alarsyo:rocket-stable
alarsyo:v0.4.6
alarsyo:v0.4.5
alarsyo:v0.4.4
alarsyo:v0.4.3
alarsyo:v0.4.2
alarsyo:v0.4.1
alarsyo:v0.4.0
alarsyo:v0.3.3
alarsyo:v0.3.2
alarsyo:v0.3.1
alarsyo:v0.3.0
alarsyo:v0.2.1
alarsyo:v0.2.0
..
compare: alarsyo:v0.2.0
Branches Tags
alarsyo:main
alarsyo:ci-cachix
alarsyo:fix-flake
alarsyo:rocket-stable
alarsyo:v0.4.6
alarsyo:v0.4.5
alarsyo:v0.4.4
alarsyo:v0.4.3
alarsyo:v0.4.2
alarsyo:v0.4.1
alarsyo:v0.4.0
alarsyo:v0.3.3
alarsyo:v0.3.2
alarsyo:v0.3.1
alarsyo:v0.3.0
alarsyo:v0.2.1
alarsyo:v0.2.0

No commits in common. "main" and "v0.2.0" have entirely different histories.
main ... v0.2.0

15 changed files with 841 additions and 1613 deletions
Download patch file Download diff file Expand all files Collapse all files

20
.github/workflows/cachix.yaml vendored
View file

@ -1,20 +0,0 @@
name: "Cachix build"
on:
workflow_dispatch:
push:
paths:
- 'flake.nix'
- 'flake.lock'
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v24
- uses: cachix/cachix-action@v12
with:
name: alarsyo
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: |
nix build --verbose

56
.github/workflows/ci.yaml vendored
View file

@ -1,4 +1,4 @@
on: [push, pull_request, workflow_dispatch]
on: [push, pull_request]
name: CI
@ -8,34 +8,62 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@v2
- name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install nightly toolchain
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: nightly
override: true
- run: cargo check
- name: Run cargo check
uses: actions-rs/cargo@v1
with:
command: check
test:
name: Test Suite
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@v2
- name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install nightly toolchain
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: nightly
override: true
- run: cargo test
- name: Run cargo test
uses: actions-rs/cargo@v1
with:
command: test
lints:
name: Lints
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@v2
- name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install nightly toolchain
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: nightly
override: true
components: rustfmt, clippy
- run: cargo fmt --all -- --check
- run: cargo clippy --all-features -- -D warnings
- name: Run cargo fmt
uses: actions-rs/cargo@v1
with:
command: fmt
args: --all -- --check
- name: Run cargo clippy
uses: actions-rs/clippy-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
args: --all-features

1765
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

23
Cargo.toml
View file

@ -1,34 +1,17 @@
[package]
name = "lohr"
version = "0.4.6"
version = "0.2.0"
authors = ["Antoine Martin <antoine@alarsyo.net>"]
edition = "2018"
license = "Apache-2.0 OR MIT"
description = "A Git mirroring daemon"
homepage = "https://github.com/alarsyo/lohr"
repository = "https://github.com/alarsyo/lohr"
resolver = "2"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
anyhow = "1.0.40"
hex = "0.4.3"
hmac = "0.10.1"
log = "0.4.14"
regex = "1"
rocket = "0.4.7"
rocket_contrib = { version = "0.4.7", features = [ "json" ] }
serde = { version = "1.0.125", features = [ "derive" ] }
serde_json = "1.0.64"
serde_regex = "1.1.0"
serde_yaml = "0.8.17"
sha2 = "0.9.3"
[dependencies.rocket]
version = "0.5.0"
# don't need private-cookies
default-features = false
[dependencies.clap]
version = "2.33.3"
# no need for suggestions or color with only one argument
default-features = false

138
README.md
View file

@ -1,138 +0,0 @@
# lohr
`lohr` is a Git mirroring tool.
I created it to solve a simple problem I had: I host my own git server at
<https://git.alarsyo.net>, but want to mirror my public projects to GitHub /
GitLab, for backup and visibility purposes.
GitLab has a mirroring setting, but it doesn't allow for multiple mirrors, as
far as I know. I also wanted my instance to be the single source of truth.
## How it works
Gitea is setup to send webhooks to my `lohr` server on every push update. When
`lohr` receives a push, it clones the concerned repository, or updates it if
already cloned. Then it pushes the update to **all remotes listed** in the
[.lohr](.lohr) file at the repo root.
### Destructive
This is a very destructive process: anything removed from the single source of
truth is effectively removed from any mirror as well.
## Installing
`lohr` is [published on crates.io](https://crates.io/crates/lohr), so you can
install it with `cargo install`:
$ cargo install lohr
Note: currently this method won't get you the latest version of `lohr`, as it
depends on Rocket v0.5.0, which isn't released yet. Updated versions of `lohr`
will be published on crates.io as soon as Rocket v0.5.0 releases.
## Setup
### Quickstart
Setting up `lohr` should be quite simple:
1. Create a `Rocket.toml` file and [add your
configuration](https://rocket.rs/v0.4/guide/configuration/).
2. Export a secret variable:
$ export LOHR_SECRET=42 # please don't use this secret
3. Run `lohr`:
$ cargo run # or `cargo run --release` for production usage
4. Configure your favorite git server to send a webhook to `lohr`'s address on
every push event.
I used [Gitea's webhooks format](https://docs.gitea.io/en-us/webhooks/), but
I **think** they're similar to GitHub and GitLab's webhooks, so these should
work too! (If they don't, **please** file an issue!)
Don't forget to set the webhook secret to the one you chose above.
5. Add a `.lohr` file containing the remotes you want to mirror this repo to:
git@github.com:you/your_repo
and push it. That's it! `lohr` is mirroring your repo now.
### Configuration
#### Home directory
`lohr` needs a place to clone repos and store its data. By default, it's the
current directory, but you can set the `LOHR_HOME` environment variable to
customize it.
#### Shared secret
As shown in the quickstart guide, you **must** set the `LOHR_SECRET` environment
variable.
#### Extra remote configuration
You can provide `lohr` with a YAML file containing additional configuration. You
can pass its path to the `--config` flag when launching `lohr`. If no
configuration is provided via a CLI flag, `lohr` will check the `LOHR_CONFIG`
environment variable. If the environment variable isn't set either, it will
check in `LOHR_HOME` is a `lohr-config.yaml` file exists, and try to load it.
This file takes the following format:
``` yaml
default_remotes:
- "git@github:user"
- "git@gitlab:user"
additional_remotes:
- "git@git.sr.ht:~user"
blacklist:
- "private-.*"
```
- `default_remotes` is a list of remotes to use if no `.lohr` file is found in a
repository.
- `additional_remotes` is a list of remotes to add in any case, whether the
original set of remotes is set via `default_remotes` or via a `.lohr` file.
- `blacklist` is a list of regular expressions to match against the full
repository names. Any that matches will not be mirrored, even if it contains a
`.lohr` file.
Both settings take as input a list of "stems", i.e. incomplete remote addresses,
to which the repo's name will be appended (so for example, if my
`default_remotes` contains `git@github.com:alarsyo`, and a push event webhook is
received for repository `git@gitlab.com:some/long/path/repo_name`, then the
mirror destination will be `git@github.com:alarsyo/repo_name`.
## Contributing
I accept patches anywhere! Feel free to [open a GitHub Pull
Request](https://github.com/alarsyo/lohr/pulls), [a GitLab Merge
Request](https://gitlab.com/alarsyo/lohr/-/merge_requests), or [send me a patch
by email](https://lists.sr.ht/~alarsyo/lohr-dev)!
## Why lohr?
I was looking for a cool name, and thought about the Magic Mirror in Snow White.
Some **[furious wikipedia
searching](https://en.wikipedia.org/wiki/Magic_Mirror_(Snow_White))** later, I
found that the Magic Mirror was probably inspired by [the Talking Mirror in Lohr
am Main](http://spessartmuseum.de/seiten/schneewittchen_engl.html). That's it,
that's the story.
## License
`lohr` is distributed under the terms of both the MIT license and the Apache
License (Version 2.0).
See [LICENSE-APACHE](LICENSE-APACHE) and [LICENSE-MIT](LICENSE-MIT) for details.

103
README.org Normal file
View file

@ -0,0 +1,103 @@
#+title: lohr
=lohr= is a Git mirroring tool.
I created it to solve a simple problem I had: I host my own git server at
[[https://git.alarsyo.net]], but want to mirror my public projects to GitHub /
GitLab, for backup and visibility purposes.
GitLab has a mirroring setting, but it doesn't allow for multiple mirrors, as
far as I know. I also wanted my instance to be the single source of truth.
** How it works
Gitea is setup to send webhooks to my =lohr= server on every push update. When
=lohr= receives a push, it clones the concerned repository, or updates it if
already cloned. Then it pushes the update to *all remotes listed* in the [[file:.lohr][.lohr]]
file at the repo root.
*** Destructive
This is a very destructive process: anything removed from the single source of
truth is effectively removed from any mirror as well.
** Setup
*** Quickstart
Setting up =lohr= should be quite simple:
1. Create a =Rocket.toml= file and [[https://rocket.rs/v0.4/guide/configuration/][add your configuration]].
2. Run =lohr=:
#+begin_src sh
$ cargo run # or `cargo run --release` for production usage
#+end_src
3. Configure your favorite git server to send a webhook to =lohr='s address on
every push event.
I used [[https://docs.gitea.io/en-us/webhooks/][Gitea's webhooks format]], but I *think* they're similar to GitHub and
GitLab's webhooks, so these should work too! (If they don't, *please* file an
issue!)
4. Add a =.lohr= file containing the remotes you want to mirror this repo to:
#+begin_example
git@github.com:you/your_repo
#+end_example
and push it. That's it! =lohr= is mirroring your repo now.
*** Configuration
**** Home directory
=lohr= needs a place to clone repos and store its data. By default, it's the
current directory, but you can set the =LOHR_HOME= environment variable to
customize it.
**** Extra remote configuration
=lohr= looks for a =lohr-config.yaml= file in its =LOHR_HOME= directory. This
file takes the following format:
#+begin_src yaml
default_remotes:
- "git@github:user"
- "git@gitlab:user"
additional_remotes:
- "git@git.sr.ht:~user"
#+end_src
- ~default_remotes~ is a list of remotes to use if no ~.lohr~ file is found in a
repository.
- ~additional_remotes~ is a list of remotes to add in any case, whether the
original set of remotes is set via ~default_remotes~ or via a =.lohr= file.
Both settings take as input a list of "stems", i.e. incomplete remote addresses,
to which the repo's name will be appended (so for example, if my
~default_remotes~ contains ~git@github.com:alarsyo~, and a push event webhook
is received for repository =git@gitlab.com:some/long/path/repo_name=, then the
mirror destination will be =git@github.com:alarsyo/repo_name=.
** Contributing
I accept patches anywhere! Feel free to [[https://github.com/alarsyo/lohr/pulls][open a GitHub Pull Request]], [[https://gitlab.com/alarsyo/lohr/-/merge_requests][a GitLab
Merge Request]], or [[https://lists.sr.ht/~alarsyo/lohr-dev][send me a patch by email]]!
** Why lohr?
I was looking for a cool name, and thought about the Magic Mirror in Snow White.
Some *[[https://en.wikipedia.org/wiki/Magic_Mirror_(Snow_White)][furious wikipedia searching]]* later, I found that the Magic Mirror was
probably inspired by [[http://spessartmuseum.de/seiten/schneewittchen_engl.html][the Talking Mirror in Lohr am Main]]. That's it, that's the
story.
** License
=lohr= is distributed under the terms of both the MIT license and the Apache
License (Version 2.0).
See [[file:LICENSE-APACHE][LICENSE-APACHE]] and [[file:LICENSE-MIT][LICENSE-MIT]] for details.

77
flake.lock generated
View file

@ -3,11 +3,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"lastModified": 1606424373,
"narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf",
"type": "github"
},
"original": {
@ -17,15 +17,12 @@
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
@ -34,18 +31,55 @@
"type": "github"
}
},
"mozillapkgs": {
"flake": false,
"locked": {
"lastModified": 1603906276,
"narHash": "sha256-RsNPnEKd7BcogwkqhaV5kI/HuNC4flH/OQCC/4W5y/8=",
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
"type": "github"
},
"original": {
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1614785451,
"narHash": "sha256-TPw8kQvr2UNCuvndtY+EjyXp6Q5GEW2l9UafXXh1XmI=",
"owner": "nmattia",
"repo": "naersk",
"rev": "e0fe990b478a66178a58c69cf53daec0478ca6f9",
"type": "github"
},
"original": {
"owner": "nmattia",
"ref": "master",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1740162160,
"narHash": "sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM=",
"lastModified": 1616670887,
"narHash": "sha256-wn+l9qJfR5sj5Gq4DheJHAcBDfOs9K2p9seW2f35xzs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "11415c7ae8539d6292f2928317ee7a8410b28bb9",
"rev": "c0e881852006b132236cbf0301bd1939bb50867e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -54,23 +88,10 @@
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"mozillapkgs": "mozillapkgs",
"naersk": "naersk",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

44
flake.nix
View file

@ -1,6 +1,14 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
naersk = {
url = "github:nmattia/naersk/master";
inputs.nixpkgs.follows = "nixpkgs";
};
mozillapkgs = {
url = "github:mozilla/nixpkgs-mozilla";
flake = false;
};
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils";
flake-compat = {
url = "github:edolstra/flake-compat";
@ -8,26 +16,27 @@
};
};
outputs = { self, nixpkgs, flake-utils, ... }:
outputs = { self, naersk, mozillapkgs, nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs { inherit system; };
mozilla = pkgs.callPackage (mozillapkgs + "/package-set.nix") { };
rustNightly = (mozilla.rustChannelOf {
date = "2021-03-29";
channel = "nightly";
sha256 = "sha256-Y94CnslybZgiZlNVV6Cg0TUPV2OeDXakPev1kqdt9Kk=";
}).rust;
naersk-lib = pkgs.callPackage naersk {
cargo = rustNightly;
rustc = rustNightly;
};
in
{
defaultPackage = pkgs.rustPlatform.buildRustPackage {
pname = "lohr";
version = "0.4.6";
defaultPackage = naersk-lib.buildPackage {
src = ./.;
cargoHash = "sha256-EUhyrhPe+mUgMmm4o+bxRIiSNReJRfw+/O1fPr8r7lo=";
meta = with pkgs.lib; {
description = "A Git mirroring tool";
homepage = "https://github.com/alarsyo/lohr";
license = with licenses; [ mit asl20 ];
platforms = platforms.unix;
};
pname = "lohr";
};
defaultApp = flake-utils.lib.mkApp {
@ -36,14 +45,11 @@
devShell = pkgs.mkShell {
buildInputs = with pkgs; [
cargo
clippy
nixpkgs-fmt
pre-commit
rustPackages.clippy
rustc
rustNightly
rustfmt
rust-analyzer
];
RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc;

1
rust-toolchain Normal file
View file

@ -0,0 +1 @@
nightly

2
rust-toolchain.toml
View file

@ -1,2 +0,0 @@
[toolchain]
channel = "stable"

3
src/gitea.rs
View file

@ -2,8 +2,9 @@ use serde::Deserialize;
#[derive(Clone, Deserialize)]
pub(crate) struct Repository {
pub(crate) name: String,
pub(crate) full_name: String,
pub(crate) ssh_url: String,
pub(crate) clone_url: String,
}
#[derive(Deserialize)]

10
src/job.rs
View file

@ -38,7 +38,7 @@ impl Job {
let output = Command::new("git")
.arg("clone")
.arg("--mirror")
.arg(&self.repo.ssh_url)
.arg(&self.repo.clone_url)
.arg(format!("{}", self.local_path.as_ref().unwrap().display()))
.output()?;
@ -125,13 +125,7 @@ impl Job {
let output = String::from_utf8(output.stdout)?;
Ok(Some(
output
.lines()
.map(String::from)
.filter(|s| !s.is_empty())
.collect(),
))
Ok(Some(output.lines().map(String::from).collect()))
}
fn get_remotes(&self, config: &GlobalSettings) -> anyhow::Result<Vec<RepoUrl>> {

92
src/main.rs
View file

@ -1,16 +1,18 @@
#![feature(proc_macro_hygiene, decl_macro)]
use std::env;
use std::fs::File;
use std::path::{Path, PathBuf};
use std::path::PathBuf;
use std::sync::{
mpsc::{channel, Receiver, Sender},
Mutex,
};
use std::thread;
use anyhow::Context;
use clap::{crate_version, App, Arg};
use log::{error, info};
use rocket::{http::Status, post, routes, State};
use rocket_contrib::json::Json;
use log::error;
mod gitea;
use gitea::GiteaWebHook;
@ -21,29 +23,11 @@ use job::Job;
mod settings;
use settings::GlobalSettings;
mod signature;
use signature::SignedJson;
struct JobSender(Mutex<Sender<Job>>);
struct Secret(String);
#[post("/", data = "<payload>")]
fn gitea_webhook(
payload: SignedJson<GiteaWebHook>,
sender: &State<JobSender>,
config: &State<GlobalSettings>,
) -> Status {
if config
.blacklist
.iter()
.any(|re| re.is_match(&payload.repository.full_name))
{
info!(
"Ignoring webhook for repo {} which is blacklisted",
payload.repository.full_name
);
return Status::Ok;
}
fn gitea_webhook(payload: Json<GiteaWebHook>, sender: State<JobSender>) -> Status {
// TODO: validate Gitea signature
{
let sender = sender.0.lock().unwrap();
@ -64,70 +48,34 @@ fn repo_updater(rx: Receiver<Job>, homedir: PathBuf, config: GlobalSettings) {
}
}
fn parse_config(home: &Path, flags: &clap::ArgMatches) -> anyhow::Result<GlobalSettings> {
// prioritize CLI flag, then env var
let config_path = flags.value_of("config").map(PathBuf::from);
let config_path = config_path.or_else(|| env::var("LOHR_CONFIG").map(PathBuf::from).ok());
let file = match config_path {
Some(config_path) => File::open(&config_path).with_context(|| {
format!(
"could not open provided configuration file at {}",
config_path.display()
)
})?,
None => {
// check if file exists in lohr home
let config_path = home.join("lohr-config.yaml");
if !config_path.is_file() {
return Ok(Default::default());
}
File::open(config_path).context("failed to open configuration file in LOHR_HOME")?
}
fn parse_config(mut path: PathBuf) -> anyhow::Result<GlobalSettings> {
path.push("lohr-config");
path.set_extension("yaml");
let config = if let Ok(file) = File::open(path.as_path()) {
serde_yaml::from_reader(file)?
} else {
Default::default()
};
serde_yaml::from_reader(file).context("could not parse configuration file")
Ok(config)
}
#[rocket::main]
async fn main() -> anyhow::Result<()> {
let matches = App::new("lohr")
.version(crate_version!())
.about("Git mirroring daemon")
.arg(
Arg::with_name("config")
.short("c")
.long("config")
.value_name("FILE")
.help("Use a custom config file")
.takes_value(true),
)
.get_matches();
fn main() -> anyhow::Result<()> {
let (sender, receiver) = channel();
let homedir = env::var("LOHR_HOME").unwrap_or_else(|_| "./".to_string());
let homedir: PathBuf = homedir.into();
let homedir = homedir.canonicalize().expect("LOHR_HOME isn't valid!");
let secret = env::var("LOHR_SECRET")
.expect("please provide a secret, otherwise anyone can send you a malicious webhook");
let config = parse_config(&homedir, &matches)?;
let config_state = config.clone();
let config = parse_config(homedir.clone())?;
thread::spawn(move || {
repo_updater(receiver, homedir, config);
});
rocket::build()
rocket::ignite()
.mount("/", routes![gitea_webhook])
.manage(JobSender(Mutex::new(sender)))
.manage(Secret(secret))
.manage(config_state)
.launch()
.await?;
.launch();
Ok(())
}

6
src/settings.rs
View file

@ -2,7 +2,7 @@ use serde::Deserialize;
pub(crate) type RepoUrl = String; // FIXME: probably needs a better type than this
#[derive(Clone, Default, Deserialize)]
#[derive(Default, Deserialize)]
pub(crate) struct GlobalSettings {
/// List of remote stems to use when no `.lohr` file is found
#[serde(default)]
@ -10,8 +10,4 @@ pub(crate) struct GlobalSettings {
/// List of remote stems to use for every repository
#[serde(default)]
pub additional_remotes: Vec<RepoUrl>,
/// List of regexes, if a repository's name matches any of the, it is not mirrored by `lohr`
/// even if it contains a `.lorh` file.
#[serde(with = "serde_regex", default)]
pub blacklist: Vec<regex::Regex>,
}

114
src/signature.rs
View file

@ -1,114 +0,0 @@
use std::{
io,
ops::{Deref, DerefMut},
};
use rocket::{
data::{ByteUnit, FromData, Outcome},
http::ContentType,
State,
};
use rocket::{http::Status, request::local_cache};
use rocket::{Data, Request};
use anyhow::{anyhow, Context};
use serde::Deserialize;
use crate::Secret;
const X_GITEA_SIGNATURE: &str = "X-Gitea-Signature";
fn validate_signature(secret: &str, signature: &str, data: &str) -> bool {
use hmac::{Hmac, Mac, NewMac};
use sha2::Sha256;
type HmacSha256 = Hmac<Sha256>;
let mut mac = HmacSha256::new_varkey(secret.as_bytes()).expect("this should never fail");
mac.update(data.as_bytes());
match hex::decode(signature) {
Ok(bytes) => mac.verify(&bytes).is_ok(),
Err(_) => false,
}
}
pub struct SignedJson<T>(pub T);
impl<T> Deref for SignedJson<T> {
type Target = T;
fn deref(&self) -> &T {
&self.0
}
}
impl<T> DerefMut for SignedJson<T> {
fn deref_mut(&mut self) -> &mut T {
&mut self.0
}
}
const LIMIT: ByteUnit = ByteUnit::Mebibyte(1);
impl<'r, T: Deserialize<'r>> SignedJson<T> {
fn from_str(s: &'r str) -> anyhow::Result<Self> {
serde_json::from_str(s)
.map(SignedJson)
.context("could not parse json")
}
}
// This is a one to one implementation of request_contrib::Json's FromData, but with HMAC
// validation.
//
// Tracking issue for chaining Data guards to avoid this:
// https://github.com/SergioBenitez/Rocket/issues/775
#[rocket::async_trait]
impl<'r, T> FromData<'r> for SignedJson<T>
where
T: Deserialize<'r>,
{
type Error = anyhow::Error;
async fn from_data(request: &'r Request<'_>, data: Data<'r>) -> Outcome<'r, Self> {
let json_ct = ContentType::new("application", "json");
if request.content_type() != Some(&json_ct) {
return Outcome::Error((Status::BadRequest, anyhow!("wrong content type")));
}
let signatures = request.headers().get(X_GITEA_SIGNATURE).collect::<Vec<_>>();
if signatures.len() != 1 {
return Outcome::Error((
Status::BadRequest,
anyhow!("request header needs exactly one signature"),
));
}
let size_limit = request.limits().get("json").unwrap_or(LIMIT);
let content = match data.open(size_limit).into_string().await {
Ok(s) if s.is_complete() => s.into_inner(),
Ok(_) => {
let eof = io::ErrorKind::UnexpectedEof;
return Outcome::Error((
Status::PayloadTooLarge,
io::Error::new(eof, "data limit exceeded").into(),
));
}
Err(e) => return Outcome::Error((Status::BadRequest, e.into())),
};
let signature = signatures[0];
let secret = request.guard::<&State<Secret>>().await.unwrap();
if !validate_signature(&secret.0, signature, &content) {
return Outcome::Error((Status::BadRequest, anyhow!("couldn't verify signature")));
}
match Self::from_str(local_cache!(request, content)) {
Ok(content) => Outcome::Success(content),
Err(e) => Outcome::Error((Status::BadRequest, e)),
}
}
}