Merge pull request #1674 from josmo/stash-security-cleanup

Stash security cleanup
2016-06-16 08:30:09 -07:00 · 2016-06-16 08:30:09 -07:00 · 30d55a224e
commit 30d55a224e
parent 8a5978699e 6d7f1bf295
1 changed files with 58 additions and 40 deletions
--- a/remote/bitbucketserver/bitbucketserver.go
+++ b/remote/bitbucketserver/bitbucketserver.go
@ -151,47 +151,11 @@ func (*client) Teams(u *model.User) ([]*model.Team, error) {
 }

 func (c *client) Repo(u *model.User, owner, name string) (*model.Repo, error) {
-
 	client := NewClientWithToken(&c.Consumer, u.Token)
-
-	urlString := fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s", c.URL, owner, name)
-
-	response, err := client.Get(urlString)
+	repo , err := c.FindRepo(client,owner,name)
 	if err != nil {
-		log.Error(err)
-	}
-	defer response.Body.Close()
-	contents, err := ioutil.ReadAll(response.Body)
-	bsRepo := BSRepo{}
-	err = json.Unmarshal(contents, &bsRepo)
-	if err !=nil {
 		return nil, err
 	}
-	repo := &model.Repo{
-		Name:      bsRepo.Slug,
-		Owner:     bsRepo.Project.Key,
-		Branch:    "master",
-		Kind:      model.RepoGit,
-		IsPrivate: true, // TODO(josmo) possibly set this as a setting - must always be private to use netrc
-		FullName:  fmt.Sprintf("%s/%s", bsRepo.Project.Key, bsRepo.Slug),
-	}
-
-	for _, item := range bsRepo.Links.Clone {
-		if item.Name == "http" {
-			uri, err := url.Parse(item.Href)
-			if err != nil {
-				return nil, err
-			}
-			uri.User = nil
-			repo.Clone = uri.String()
-		}
-	}
-	for _, item := range bsRepo.Links.Self {
-		if item.Href != "" {
-			repo.Link = item.Href
-		}
-	}
-
 	return repo, nil
 }

@ -228,11 +192,22 @@ func (c *client) Repos(u *model.User) ([]*model.RepoLite, error) {
 }

 func (c *client) Perm(u *model.User, owner, repo string) (*model.Perm, error) {
-	// TODO need to fetch real permissions here
+	client := NewClientWithToken(&c.Consumer, u.Token)
 	perms := new(model.Perm)
+
+	// If you don't have access return none right away
+	_, err := c.FindRepo(client, owner, repo)
+	if err != nil {
+		return perms, err
+	}
+
+	// Must have admin to be able to list hooks. If have access the enable perms
+	_, err = client.Get(fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s/settings/hooks/%s", c.URL, owner, repo,"com.atlassian.stash.plugin.stash-web-post-receive-hooks-plugin:postReceiveHook"))
+	if err == nil {
+		perms.Push = true
+		perms.Admin = true
+	}
 	perms.Pull = true
-	perms.Admin = true
-	perms.Push = true
 	return perms, nil
 }

@ -363,3 +338,46 @@ func (bs *client) DeleteHook(client *http.Client, project, slug, hook_key, link

 	return nil
 }
+
+func (c *client) FindRepo(client *http.Client, owner string, name string) (*model.Repo, error){
+
+	urlString := fmt.Sprintf("%s/rest/api/1.0/projects/%s/repos/%s", c.URL, owner, name)
+
+	response, err := client.Get(urlString)
+	if err != nil {
+		log.Error(err)
+	}
+	defer response.Body.Close()
+	contents, err := ioutil.ReadAll(response.Body)
+	bsRepo := BSRepo{}
+	err = json.Unmarshal(contents, &bsRepo)
+	if err !=nil {
+		return nil, err
+	}
+	repo := &model.Repo{
+		Name:      bsRepo.Slug,
+		Owner:     bsRepo.Project.Key,
+		Branch:    "master",
+		Kind:      model.RepoGit,
+		IsPrivate: true, // TODO(josmo) possibly set this as a setting - must always be private to use netrc
+		FullName:  fmt.Sprintf("%s/%s", bsRepo.Project.Key, bsRepo.Slug),
+	}
+
+	for _, item := range bsRepo.Links.Clone {
+		if item.Name == "http" {
+			uri, err := url.Parse(item.Href)
+			if err != nil {
+				return nil, err
+			}
+			uri.User = nil
+			repo.Clone = uri.String()
+		}
+	}
+	for _, item := range bsRepo.Links.Self {
+		if item.Href != "" {
+			repo.Link = item.Href
+		}
+	}
+
+	return repo, nil
+}