chore: Refator/fix workspace directory permission issues

Author: robinshine

server-core/src/main/java/io/onedev/server/CoreModule.java

@@ -422,7 +422,6 @@
 import io.onedev.server.web.websocket.WorkspaceEventBroadcaster;
 import io.onedev.server.workspace.DefaultWorkspaceQueryPersonalizationService;
 import io.onedev.server.workspace.DefaultWorkspaceService;
-import io.onedev.server.workspace.WorkspacePostCommitCallback;
 import io.onedev.server.workspace.WorkspaceQueryPersonalizationService;
 import io.onedev.server.workspace.WorkspaceService;
 import io.onedev.server.xodus.CommitInfoService;
@@ -580,7 +579,6 @@ public boolean isCascadable(Object traversableObject, Node traversableProperty,
 		bind(DashboardGroupShareService.class).to(DefaultDashboardGroupShareService.class);
 		bind(DashboardVisitService.class).to(DefaultDashboardVisitService.class);
 		bind(WorkspaceService.class).to(DefaultWorkspaceService.class);
-		bind(WorkspacePostCommitCallback.class);
 		bind(LabelSpecService.class).to(DefaultLabelSpecService.class);
 		bind(ProjectLabelService.class).to(DefaultProjectLabelService.class);
 		bind(BuildLabelService.class).to(DefaultBuildLabelService.class);

server-core/src/main/java/io/onedev/server/git/GitFilter.java

@@ -2,15 +2,13 @@
 
 import static io.onedev.server.model.Project.decodeFullRepoNameAsPath;
 import static io.onedev.server.util.IOUtils.BUFFER_SIZE;
-import static io.onedev.server.workspace.WorkspaceService.GIT_PREFIX;
 import static org.apache.commons.lang3.StringUtils.strip;
 
 import java.io.File;
 import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.util.Collections;
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
 
@@ -41,7 +39,6 @@
 import org.eclipse.jgit.http.server.ServletUtils;
 import org.eclipse.jgit.transport.PacketLineOut;
 import org.glassfish.jersey.client.ClientProperties;
-import org.jspecify.annotations.Nullable;
 
 import io.onedev.commons.utils.ExplicitException;
 import io.onedev.k8shelper.KubernetesHelper;
@@ -52,7 +49,6 @@
 import io.onedev.server.git.command.AdvertiseUploadRefsCommand;
 import io.onedev.server.git.hook.HookUtils;
 import io.onedev.server.model.Project;
-import io.onedev.server.model.Workspace;
 import io.onedev.server.persistence.SessionService;
 import io.onedev.server.security.CodePullAuthorizationSource;
 import io.onedev.server.security.CodePushAuthorizationSource;
@@ -128,25 +124,6 @@ private void doNotCache(HttpServletResponse response) {
 		response.setHeader("Cache-Control", "no-cache, max-age=0, must-revalidate");
 	}
 
-	@Nullable
-	private File getWorkspaceGitDir(String projectInfo) {
-		projectInfo = strip(projectInfo, "/");
-		int idx = projectInfo.indexOf(GIT_PREFIX);
-		if (idx < 0)
-			return null;
-		String projectPath = strip(projectInfo.substring(0, idx), "/");
-		String numberStr = projectInfo.substring(idx + GIT_PREFIX.length());
-		numberStr = strip(numberStr, "/");
-		var facade = projectService.findFacadeByPath(projectPath);
-		if (facade == null)
-			throw new EntityNotFoundException("Project not found: " + projectPath);
-		long workspaceNumber = Long.parseLong(numberStr);
-		File gitDir = new File(Workspace.getWorkDir(facade.getId(), workspaceNumber), ".git");
-		if (!gitDir.exists())
-			throw new ExplicitException("Workspace git directory not found");
-		return gitDir;
-	}
-
 	protected void processPack(final HttpServletRequest request, final HttpServletResponse response) 
 			throws IOException, InterruptedException, ExecutionException {
 		boolean upload = GitSmartHttpTools.isUploadPack(request);
@@ -158,31 +135,6 @@ protected void processPack(final HttpServletRequest request, final HttpServletRe
 		String principal = (String) SecurityUtils.getSubject().getPrincipal();
 		boolean clusterAccess = SecurityUtils.isSystem(principal);
 
-		File workspaceGitDir = getWorkspaceGitDir(projectInfo);
-		if (workspaceGitDir != null) {
-			if (!clusterAccess)
-				throw new UnauthorizedException("Cluster credential required to access workspace git");
-			if (!upload)
-				throw new ExplicitException("Push to workspace git is not supported");
-
-			doNotCache(response);
-			response.setHeader("Content-Type", "application/x-" + service + "-result");
-
-			InputStream stdin = new FilterInputStream(ServletUtils.getInputStream(request)) {
-				@Override
-				public void close() {
-				}
-			};
-			OutputStream stdout = new OutputStreamWrapper(response.getOutputStream()) {
-				@Override
-				public void close() {
-				}
-			};
-
-			String protocol = request.getHeader("Git-Protocol");
-			CommandUtils.uploadPack(workspaceGitDir, Collections.emptyMap(), protocol, stdin, stdout);
-			return;
-		}
 		var projectPath = decodeFullRepoNameAsPath(strip(projectInfo, "/"));
 		Long projectId = getProjectId(projectPath, clusterAccess, upload);
 
@@ -363,25 +315,6 @@ protected void processRefs(HttpServletRequest request, HttpServletResponse respo
 		String projectInfo = pathInfo.substring(0, pathInfo.length() - INFO_REFS.length());
 
 		boolean clusterAccess = SecurityUtils.isSystem();
-		File workspaceGitDir = getWorkspaceGitDir(projectInfo);
-		if (workspaceGitDir != null) {
-			if (!clusterAccess)
-				throw new UnauthorizedException("Cluster credential required to access workspace git");
-			if (!upload)
-				throw new ExplicitException("Push to workspace git is not supported");
-
-			writeInitial(response, service);
-
-			OutputStream output = new OutputStreamWrapper(response.getOutputStream()) {
-				@Override
-				public void close() throws IOException {
-				}
-			};
-
-			String protocol = request.getHeader("Git-Protocol");
-			new AdvertiseUploadRefsCommand(workspaceGitDir, output).protocol(protocol).run();
-			return;
-		} 
 		var projectPath = decodeFullRepoNameAsPath(strip(projectInfo, "/"));
 		Long projectId = getProjectId(projectPath, clusterAccess, upload);
 

server-core/src/main/java/io/onedev/server/git/GitLfsFilter.java

@@ -5,7 +5,6 @@
 import static io.onedev.server.model.Project.decodeFullRepoNameAsPath;
 import static io.onedev.server.util.CollectionUtils.newHashMap;
 import static io.onedev.server.util.IOUtils.BUFFER_SIZE;
-import static io.onedev.server.workspace.WorkspaceService.GIT_PREFIX;
 import static javax.servlet.http.HttpServletResponse.SC_CONFLICT;
 import static javax.servlet.http.HttpServletResponse.SC_CREATED;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
@@ -16,7 +15,6 @@
 import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static javax.ws.rs.core.HttpHeaders.AUTHORIZATION;
 import static javax.ws.rs.core.MediaType.APPLICATION_OCTET_STREAM;
-import static org.apache.commons.lang3.StringUtils.strip;
 import static org.apache.commons.lang3.StringUtils.substringBeforeLast;
 import static org.apache.tika.mime.MimeTypes.OCTET_STREAM;
 import static org.glassfish.jersey.client.ClientProperties.REQUEST_ENTITY_PROCESSING;
@@ -69,7 +67,6 @@
 import io.onedev.server.cluster.ClusterService;
 import io.onedev.server.model.GitLfsLock;
 import io.onedev.server.model.Project;
-import io.onedev.server.model.Workspace;
 import io.onedev.server.persistence.SessionService;
 import io.onedev.server.persistence.dao.EntityCriteria;
 import io.onedev.server.security.CodePullAuthorizationSource;
@@ -167,46 +164,6 @@ private boolean canAccessProject(HttpServletRequest request, Project project) {
 		}
 	}
 
-	private boolean isWorkspacePath(String pathInfo) {
-		return pathInfo.contains(GIT_PREFIX);
-	}
-
-	@Nullable
-	private long[] parseWorkspaceInfo(String pathInfo) {
-		int idx = pathInfo.indexOf(GIT_PREFIX);
-		if (idx < 0)
-			return null;
-		String projectPath = strip(pathInfo.substring(0, idx), "/");
-		String afterWorkspaces = pathInfo.substring(idx + GIT_PREFIX.length());
-		String numberStr;
-		int dotGitIdx = afterWorkspaces.indexOf(".git/");
-		if (dotGitIdx >= 0) {
-			numberStr = afterWorkspaces.substring(0, dotGitIdx);
-		} else {
-			int slashIdx = afterWorkspaces.indexOf('/');
-			numberStr = slashIdx >= 0 ? afterWorkspaces.substring(0, slashIdx) : afterWorkspaces;
-		}
-		var facade = projectService.findFacadeByPath(projectPath);
-		if (facade == null)
-			throw new ExplicitException("Project not found: " + projectPath);
-		long workspaceNumber = Long.parseLong(numberStr);
-		return new long[]{facade.getId(), workspaceNumber};
-	}
-
-	private File getWorkspaceLfsFile(long projectId, long workspaceNumber, String objectId) {
-		File workDir = Workspace.getWorkDir(projectId, workspaceNumber);
-		return new File(workDir, ".git/lfs/objects/"
-				+ objectId.substring(0, 2) + "/"
-				+ objectId.substring(2, 4) + "/" + objectId);
-	}
-
-	private String getWorkspaceObjectUrl(long projectId, long workspaceNumber, String objectId) {
-		var serverUrl = clusterService.getServerUrl(clusterService.getLocalServerAddress());
-		var projectPath = projectService.findFacadeById(projectId).getPath();
-		return String.format("%s/%s/%s%d.git/lfs/objects/%s?lfs-objects=true",
-				serverUrl, projectPath, GIT_PREFIX, workspaceNumber, objectId);
-	}
-
 	private String getObjectUrl(HttpServletRequest request, String projectPath, 
 			String objectId, boolean clusterAccess) {
 		var serverUrl = clusterAccess ? clusterService.getServerUrl(clusterService.getLocalServerAddress()) : settingService.getSystemSetting().getServerUrl();
@@ -241,32 +198,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 		boolean clusterAccess = SecurityUtils.isSystem();
 
 		if ("true".equals(httpRequest.getParameter("lfs-objects"))) {
-			if (isWorkspacePath(pathInfo)) {
-				if (!clusterAccess) {
-					sendBatchError(httpResponse, SC_UNAUTHORIZED, 
-							"Cluster credential required to access workspace LFS");
-					return;
-				}
-				if (!httpRequest.getMethod().equals("GET")) {
-					sendBatchError(httpResponse, SC_FORBIDDEN, 
-							"Upload to workspace LFS is not supported");
-					return;
-				}
-				long[] workspaceInfo = parseWorkspaceInfo(pathInfo);
-				String objectId = StringUtils.substringAfterLast(pathInfo, "/");
-				File lfsFile = getWorkspaceLfsFile(workspaceInfo[0], workspaceInfo[1], objectId);
-				if (lfsFile.exists()) {
-					httpResponse.setContentType(OCTET_STREAM);
-					try (InputStream is = new FileInputStream(lfsFile);
-						 OutputStream os = httpResponse.getOutputStream()) {
-						IOUtils.copy(is, os, BUFFER_SIZE);
-					}
-				} else {
-					httpResponse.setStatus(SC_NOT_FOUND);
-				}
-				return;
-			}
-
 			String projectPath = getProjectPath(pathInfo);
 			String objectId = StringUtils.substringAfterLast(pathInfo, "/");
 
@@ -394,23 +325,7 @@ else if (canWriteCode(httpRequest, project))
 					&& httpRequest.getContentType().startsWith(CONTENT_TYPE)
 				|| httpRequest.getHeader("Accept") != null 
 					&& httpRequest.getHeader("Accept").startsWith(CONTENT_TYPE)) {
-			if (isWorkspacePath(pathInfo)) {
-				if (!clusterAccess) {
-					sendBatchError(httpResponse, SC_UNAUTHORIZED, 
-							"Cluster credential required to access workspace LFS");
-					return;
-				}
-				httpResponse.setContentType(CONTENT_TYPE);
-				if (pathInfo.endsWith("/batch")) {
-					long[] workspaceInfo = parseWorkspaceInfo(pathInfo);
-					processWorkspaceBatch(httpRequest, httpResponse, workspaceInfo[0], workspaceInfo[1]);
-				} else {
-					sendBatchError(httpResponse, SC_NOT_IMPLEMENTED, 
-							"Locks are not supported for workspace LFS");
-				}
-				return;
-			}
-			String projectPath = getProjectPath(pathInfo);			
+			String projectPath = getProjectPath(pathInfo);
 			if (clusterAccess) {
 				ProjectFacade project = projectService.findFacadeByPath(projectPath);
 				if (project == null) {
@@ -677,46 +592,6 @@ private void processBatch(HttpServletRequest httpRequest, HttpServletResponse ht
 			writeTo(httpResponse, batchResponse);
 		}
 	}
-	
-	private void processWorkspaceBatch(HttpServletRequest httpRequest, HttpServletResponse httpResponse,
-									   long projectId, long workspaceNumber) {
-		JsonNode batchRequestNode = parseAndValidateBatchRequest(httpRequest, httpResponse);
-		if (batchRequestNode == null)
-			return;
-
-		boolean upload = batchRequestNode.get("operation").asText().equals("upload");
-		if (upload) {
-			sendBatchError(httpResponse, SC_FORBIDDEN,
-					"Upload to workspace LFS is not supported");
-			return;
-		}
-
-		List<Map<String, Object>> objectsResponse = new ArrayList<>();
-		for (JsonNode objectNode : batchRequestNode.get("objects")) {
-			String objectId = objectNode.get("oid").asText();
-			long objectSize = objectNode.get("size").asLong();
-			Map<String, Object> objectResponse = new HashMap<>();
-			objectResponse.put("oid", objectId);
-			objectResponse.put("size", objectSize);
-			File lfsFile = getWorkspaceLfsFile(projectId, workspaceNumber, objectId);
-			if (lfsFile.exists()) {
-				Map<Object, Object> actionResponse = newHashMap(
-						"href", getWorkspaceObjectUrl(projectId, workspaceNumber, objectId));
-				actionResponse.put("header", newHashMap(
-						"Authorization", BEARER + " " + clusterService.getCredential()));
-				objectResponse.put("actions", newHashMap("download", actionResponse));
-			} else {
-				objectResponse.put("error", newHashMap(
-						"code", SC_NOT_FOUND,
-						"message", "Object not found"));
-			}
-			objectsResponse.add(objectResponse);
-		}
-
-		Map<String, Object> batchResponse = new HashMap<>();
-		batchResponse.put("objects", objectsResponse);
-		writeTo(httpResponse, batchResponse);
-	}
 
 	private void sendAuthorizationError(HttpServletResponse response) {
 		if (SecurityUtils.getUser() != null) {

server-core/src/main/java/io/onedev/server/git/hook/HookUtils.java

@@ -22,27 +22,19 @@ public class HookUtils {
 
 	private static final String gitReceiveHook;
 
-	private static final String gitWorkspacePostCommitHook;
-	
 	static {
         try (InputStream is = HookUtils.class.getClassLoader().getResourceAsStream("git-receive-hook")) {
         	Preconditions.checkNotNull(is);
             gitReceiveHook = StringUtils.join(IOUtils.readLines(is, Charset.defaultCharset()), "\n");
         } catch (IOException e) {
             throw new RuntimeException(e);
         }
-		try (InputStream is = HookUtils.class.getClassLoader().getResourceAsStream("git-workspace-postcommit-hook")) {
-			Preconditions.checkNotNull(is);
-			gitWorkspacePostCommitHook = StringUtils.join(IOUtils.readLines(is, Charset.defaultCharset()), "\n");
-		} catch (IOException e) {
-			throw new RuntimeException(e);
-		}
 	}
 
-	public static Map<String, String> getCommonHookEnvs() {
+	public static Map<String, String> getCommonHookEnvs(String host) {
 		ServerConfig serverConfig = OneDev.getInstance(ServerConfig.class);
 		SettingService settingService = OneDev.getInstance(SettingService.class);
-		String hookUrl = "http://localhost:" + serverConfig.getHttpPort();
+		String hookUrl = "http://" + host + "/" + serverConfig.getHttpPort();
 		String curl = settingService.getSystemSetting().getCurlLocation().getExecutable();
 
 		Map<String, String> envs = new HashMap<>();
@@ -54,7 +46,15 @@ public static Map<String, String> getCommonHookEnvs() {
 	}
 
 	public static Map<String, String> getReceiveHookEnvs(Long projectId, String principal) {		
-		var envs = getCommonHookEnvs();
+		var envs = new HashMap<String, String>();
+		ServerConfig serverConfig = OneDev.getInstance(ServerConfig.class);
+		SettingService settingService = OneDev.getInstance(SettingService.class);
+		String hookUrl = "http://localhost:" + serverConfig.getHttpPort();
+		String curl = settingService.getSystemSetting().getCurlLocation().getExecutable();
+
+		envs.put("ONEDEV_CURL", curl);
+		envs.put("ONEDEV_URL", hookUrl);
+
 		envs.put("ONEDEV_HOOK_TOKEN", RECEIVE_HOOK_TOKEN);
 		envs.put("ONEDEV_USER_ID", principal);
 		envs.put("ONEDEV_REPOSITORY_ID", projectId.toString());				
@@ -79,28 +79,6 @@ public static boolean isReceiveHookValid(File gitDir, String hookName) {
 
         return true;
 	}
-	
-	public static Map<String, String> getWorkspacePostCommitHookEnvs(String workspaceToken) {
-		var envs = getCommonHookEnvs();
-		envs.put("ONEDEV_HOOK_TOKEN", workspaceToken);
-		return envs;
-	}
-
-	public static void setupWorkspacePostCommitHook(File gitDir, boolean lfsEnabled) {
-		File hooksDir = new File(gitDir, "hooks");
-		FileUtils.createDir(hooksDir);
-		File postCommitHookFile = new File(hooksDir, "post-commit");
-
-		String lfsAwareHook;
-		if (lfsEnabled) {
-			lfsAwareHook = String.format(gitWorkspacePostCommitHook, "git lfs post-commit \"$@\"");
-		} else {
-			lfsAwareHook = String.format(gitWorkspacePostCommitHook, "");
-		}
-
-		FileUtils.writeFile(postCommitHookFile, lfsAwareHook);
-		postCommitHookFile.setExecutable(true);
-	}
 
 	public static void checkReceiveHooks(File gitDir) {
 		if (!isReceiveHookValid(gitDir, "pre-receive") || !isReceiveHookValid(gitDir, "post-receive")) {