added a feature for private repositories

cmd/rest-server/main.go

@@ -32,6 +32,7 @@ func init() {
 	flags.StringVar(&restserver.Config.TLSCert, "tls-cert", restserver.Config.TLSCert, "TLS certificate path")
 	flags.StringVar(&restserver.Config.TLSKey, "tls-key", restserver.Config.TLSKey, "TLS key path")
 	flags.BoolVar(&restserver.Config.AppendOnly, "append-only", restserver.Config.AppendOnly, "enable append only mode")
+	flags.BoolVar(&restserver.Config.PrivateRepos, "private-repos", restserver.Config.PrivateRepos, "users can only access their private repo")
 	flags.BoolVar(&restserver.Config.Prometheus, "prometheus", restserver.Config.Prometheus, "enable Prometheus metrics")
 }
 
@@ -88,6 +89,12 @@ func runRoot(cmd *cobra.Command, args []string) error {
 		log.Println("Authentication enabled")
 	}
 
+	if restserver.Config.PrivateRepos {
+		log.Println("Private repositories enabled")
+	} else {
+		log.Println("Private repositories disabled")
+	}
+
 	enabledTLS, privateKey, publicKey, err := tlsSettings()
 	if err != nil {
 		return err

handlers.go

@@ -140,6 +140,13 @@ func CheckConfig(w http.ResponseWriter, r *http.Request) {
 	if Config.Debug {
 		log.Println("CheckConfig()")
 	}
+
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	cfg, err := getPath(r, "config")
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -163,6 +170,13 @@ func GetConfig(w http.ResponseWriter, r *http.Request) {
 	if Config.Debug {
 		log.Println("GetConfig()")
 	}
+
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	cfg, err := getPath(r, "config")
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -186,6 +200,13 @@ func SaveConfig(w http.ResponseWriter, r *http.Request) {
 	if Config.Debug {
 		log.Println("SaveConfig()")
 	}
+
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	cfg, err := getPath(r, "config")
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -216,6 +237,12 @@ func DeleteConfig(w http.ResponseWriter, r *http.Request) {
 		log.Println("DeleteConfig()")
 	}
 
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	if Config.AppendOnly {
 		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 		return
@@ -242,9 +269,17 @@ func DeleteConfig(w http.ResponseWriter, r *http.Request) {
 
 // ListBlobs lists all blobs of a given type in an arbitrary order.
 func ListBlobs(w http.ResponseWriter, r *http.Request) {
+
 	if Config.Debug {
 		log.Println("ListBlobs()")
 	}
+
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	fileType := pat.Param(r, "type")
 	path, err := getPath(r, fileType)
 	if err != nil {
@@ -300,6 +335,12 @@ func CheckBlob(w http.ResponseWriter, r *http.Request) {
 		log.Println("CheckBlob()")
 	}
 
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	path, err := getFilePath(r, pat.Param(r, "type"), pat.Param(r, "name"))
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -324,6 +365,12 @@ func GetBlob(w http.ResponseWriter, r *http.Request) {
 		log.Println("GetBlob()")
 	}
 
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	path, err := getFilePath(r, pat.Param(r, "type"), pat.Param(r, "name"))
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -360,6 +407,12 @@ func SaveBlob(w http.ResponseWriter, r *http.Request) {
 		log.Println("SaveBlob()")
 	}
 
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
 	path, err := getFilePath(r, pat.Param(r, "type"), pat.Param(r, "name"))
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@@ -429,6 +482,13 @@ func DeleteBlob(w http.ResponseWriter, r *http.Request) {
 		log.Println("DeleteBlob()")
 	}
 
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
+
 	if Config.AppendOnly && pat.Param(r, "type") != "locks" {
 		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 		return
@@ -473,6 +533,13 @@ func CreateRepo(w http.ResponseWriter, r *http.Request) {
 		log.Println("CreateRepo()")
 	}
 
+	// private repos
+	if (Config.PrivateRepos && (getUser(r) != getRepo(r))) {
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
+
 	repo, err := join(Config.Path, getRepo(r))
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)

mux.go

@@ -22,6 +22,7 @@ var Config = struct {
 	TLSCert    string
 	TLS        bool
 	AppendOnly bool
+	PrivateRepos bool
 	Prometheus bool
 	Debug      bool
 }{