1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
package ssh
import (
"context"
"errors"
"fmt"
"io"
"strings"
"sync"
"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
log "github.com/sirupsen/logrus"
"gitlab.com/gitlab-org/gitaly/v16/internal/command"
"gitlab.com/gitlab-org/gitaly/v16/internal/git"
"gitlab.com/gitlab-org/gitaly/v16/internal/git/pktline"
"gitlab.com/gitlab-org/gitaly/v16/internal/git/stats"
"gitlab.com/gitlab-org/gitaly/v16/internal/gitaly/service"
"gitlab.com/gitlab-org/gitaly/v16/internal/helper"
"gitlab.com/gitlab-org/gitaly/v16/internal/sidechannel"
"gitlab.com/gitlab-org/gitaly/v16/internal/stream"
"gitlab.com/gitlab-org/gitaly/v16/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v16/proto/go/gitalypb"
"gitlab.com/gitlab-org/gitaly/v16/streamio"
)
func (s *server) SSHUploadPack(stream gitalypb.SSHService_SSHUploadPackServer) error {
ctx := stream.Context()
req, err := stream.Recv() // First request contains Repository only
if err != nil {
return structerr.NewInternal("%w", err)
}
ctxlogrus.Extract(ctx).WithFields(log.Fields{
"GlRepository": req.GetRepository().GetGlRepository(),
"GitConfigOptions": req.GitConfigOptions,
"GitProtocol": req.GitProtocol,
}).Debug("SSHUploadPack")
if err = validateFirstUploadPackRequest(req); err != nil {
return structerr.NewInvalidArgument("%w", err)
}
stdin := streamio.NewReader(func() ([]byte, error) {
request, err := stream.Recv()
return request.GetStdin(), err
})
// gRPC doesn't allow concurrent writes to a stream, so we need to
// synchronize writing stdout and stderr.
var m sync.Mutex
stdout := streamio.NewSyncWriter(&m, func(p []byte) error {
return stream.Send(&gitalypb.SSHUploadPackResponse{Stdout: p})
})
stderr := streamio.NewSyncWriter(&m, func(p []byte) error {
return stream.Send(&gitalypb.SSHUploadPackResponse{Stderr: p})
})
if status, err := s.sshUploadPack(ctx, req, stdin, stdout, stderr); err != nil {
if errSend := stream.Send(&gitalypb.SSHUploadPackResponse{
ExitStatus: &gitalypb.ExitStatus{Value: int32(status)},
}); errSend != nil {
ctxlogrus.Extract(ctx).WithError(errSend).Error("send final status code")
}
return structerr.NewInternal("%w", err)
}
return nil
}
type sshUploadPackRequest interface {
GetRepository() *gitalypb.Repository
GetGitConfigOptions() []string
GetGitProtocol() string
}
func (s *server) sshUploadPack(rpcContext context.Context, req sshUploadPackRequest, stdin io.Reader, stdout, stderr io.Writer) (int, error) {
ctx, cancelCtx := context.WithCancel(rpcContext)
defer cancelCtx()
stdoutCounter := &helper.CountingWriter{W: stdout}
// Use large copy buffer to reduce the number of system calls
stdout = &largeBufferReaderFrom{Writer: stdoutCounter}
repo := req.GetRepository()
repoPath, err := s.locator.GetRepoPath(repo)
if err != nil {
return 0, err
}
git.WarnIfTooManyBitmaps(ctx, s.locator, repo.StorageName, repoPath)
config, err := git.ConvertConfigOptions(req.GetGitConfigOptions())
if err != nil {
return 0, err
}
var wg sync.WaitGroup
pr, pw := io.Pipe()
defer func() {
pw.Close()
wg.Wait()
}()
stdin = io.TeeReader(stdin, pw)
wg.Add(1)
go func() {
defer func() {
wg.Done()
pr.Close()
}()
stats, err := stats.ParsePackfileNegotiation(pr)
if err != nil {
ctxlogrus.Extract(ctx).WithError(err).Debug("failed parsing packfile negotiation")
return
}
stats.UpdateMetrics(s.packfileNegotiationMetrics)
}()
commandOpts := []git.CmdOpt{
git.WithGitProtocol(req),
git.WithConfig(config...),
git.WithPackObjectsHookEnv(repo, "ssh"),
}
var stderrBuilder strings.Builder
stderr = io.MultiWriter(stderr, &stderrBuilder)
cmd, monitor, err := monitorStdinCommand(ctx, s.gitCmdFactory, repo, stdin, stdout, stderr, git.Command{
Name: "upload-pack",
Args: []string{repoPath},
}, commandOpts...)
if err != nil {
return 0, err
}
timeoutTicker := helper.NewTimerTicker(s.uploadPackRequestTimeout)
// upload-pack negotiation is terminated by either a flush, or the "done"
// packet: https://github.com/git/git/blob/v2.20.0/Documentation/technical/pack-protocol.txt#L335
//
// "flush" tells the server it can terminate, while "done" tells it to start
// generating a packfile. Add a timeout to the second case to mitigate
// use-after-check attacks.
go monitor.Monitor(ctx, pktline.PktDone(), timeoutTicker, cancelCtx)
if err := cmd.Wait(); err != nil {
status, _ := command.ExitStatus(err)
// When waiting for the packfile negotiation to end times out we'll cancel the local
// context, but not cancel the overall RPC's context. Our statushandler middleware
// thus cannot observe the fact that we're cancelling the context, and neither do we
// provide any valuable information to the caller that we do indeed kill the command
// because of our own internal timeout.
//
// We thus need to special-case the situation where we cancel our own context in
// order to provide that information and return a proper gRPC error code.
if ctx.Err() != nil && rpcContext.Err() == nil {
return status, structerr.NewDeadlineExceeded("waiting for packfile negotiation: %w", ctx.Err())
}
// A common error case is that the client is terminating the request prematurely,
// e.g. by killing their git-fetch(1) process because it's taking too long. This is
// an expected failure, but we're not in a position to easily tell this error apart
// from other errors returned by git-upload-pack(1). So we have to resort to parsing
// the error message returned by Git, and if we see that it matches we return an
// error with a `Canceled` error code.
//
// Note that we're being quite strict with how we match the error for now. We may
// have to make it more lenient in case we see that this doesn't catch all cases.
if stderrBuilder.String() == "fatal: the remote end hung up unexpectedly\n" {
return status, structerr.NewCanceled("user canceled the fetch")
}
return status, fmt.Errorf("cmd wait: %w, stderr: %q", err, stderrBuilder.String())
}
ctxlogrus.Extract(ctx).WithField("response_bytes", stdoutCounter.N).Info("request details")
return 0, nil
}
func validateFirstUploadPackRequest(req *gitalypb.SSHUploadPackRequest) error {
if err := service.ValidateRepository(req.GetRepository()); err != nil {
return err
}
if req.Stdin != nil {
return errors.New("non-empty stdin in first request")
}
return nil
}
type largeBufferReaderFrom struct {
io.Writer
}
func (rf *largeBufferReaderFrom) ReadFrom(r io.Reader) (int64, error) {
return io.CopyBuffer(rf.Writer, r, make([]byte, 64*1024))
}
func (s *server) SSHUploadPackWithSidechannel(ctx context.Context, req *gitalypb.SSHUploadPackWithSidechannelRequest) (*gitalypb.SSHUploadPackWithSidechannelResponse, error) {
conn, err := sidechannel.OpenSidechannel(ctx)
if err != nil {
return nil, structerr.NewUnavailable("opennig sidechannel: %w", err)
}
defer conn.Close()
sidebandWriter := pktline.NewSidebandWriter(conn)
stdout := sidebandWriter.Writer(stream.BandStdout)
stderr := sidebandWriter.Writer(stream.BandStderr)
if _, err := s.sshUploadPack(ctx, req, conn, stdout, stderr); err != nil {
return nil, structerr.NewInternal("%w", err)
}
if err := conn.Close(); err != nil {
return nil, structerr.NewInternal("close sidechannel: %w", err)
}
return &gitalypb.SSHUploadPackWithSidechannelResponse{}, nil
}
|
