+ %package            mirror

+ Summary:            The mirroring service for pagure

+ BuildArch:          noarch

+ Requires:           %{name} = %{version}-%{release}

+ %{?systemd_requires}

+ %description        mirror

+ pagure-mirror is the service mirroring projects that asked for it outside

+ of this pagure instance.

+ 

+ 

+ # Install the systemd file for the mirror service

+ install -p -m 644 files/pagure_mirror.service \

+     $RPM_BUILD_ROOT/%{_unitdir}/pagure_mirror.service

+ 

+ %post mirror

+ %systemd_post pagure_mirror.service

+ %preun mirror

+ %systemd_preun pagure_mirror.service

+ %postun mirror

+ %systemd_postun_with_restart pagure_mirror.service

+ %files mirror

+ %license LICENSE

+ %{_unitdir}/pagure_mirror.service

+ 

+ 

+ # This is a systemd's service file for the mirroring service, if you change

+ # the default value of the CI_CELERY_QUEUE configuration key, do not

+ # forget to edit it in the ExecStart line below

+ 

+ [Unit]

+ Description=Pagure service mirroring projects outside of pagure that asked for it

+ After=redis.target

+ Documentation=https://pagure.io/pagure

+ 

+ [Service]

+ ExecStart=/usr/bin/celery worker -A pagure.lib.tasks_mirror --loglevel=info -Q pagure_mirror

+ Environment="PAGURE_CONFIG=/etc/pagure/pagure.cfg"

+ Type=simple

+ User=mirror

+ Group=mirror

+ Restart=on-failure

+ 

+ [Install]

+ WantedBy=multi-user.target

+ MIRRORING_QUEUE = 'pagure_mirror'

+ # Folder where to place the ssh keys for the mirroring feature

+ MIRROR_SSHKEYS_FOLDER = '/var/lib/pagure/sshkeys/'

+ 

+ #! /usr/bin/env python

+ 

+ 

+ """Pagure specific hook to mirror a repo to another location.

+ """

+ from __future__ import unicode_literals, print_function

+ 

+ 

+ import logging

+ import os

+ import sys

+ 

+ 

+ if 'PAGURE_CONFIG' not in os.environ \

+         and os.path.exists('/etc/pagure/pagure.cfg'):

+     os.environ['PAGURE_CONFIG'] = '/etc/pagure/pagure.cfg'

+ 

+ 

+ import pagure.config  # noqa: E402

+ import pagure.exceptions  # noqa: E402

+ import pagure.lib  # noqa: E402

+ import pagure.lib.tasks_mirror  # noqa: E402

+ import pagure.ui.plugins  # noqa: E402

+ 

+ 

+ _log = logging.getLogger(__name__)

+ _config = pagure.config.config

+ abspath = os.path.abspath(os.environ['GIT_DIR'])

+ 

+ 

+ def main(args):

+ 

+     repo = pagure.lib.git.get_repo_name(abspath)

+     username = pagure.lib.git.get_username(abspath)

+     namespace = pagure.lib.git.get_repo_namespace(abspath)

+     if _config.get('HOOK_DEBUG', False):

+         print('repo:', repo)

+         print('user:', username)

+         print('namespace:', namespace)

+ 

+     session = pagure.lib.create_session(_config['DB_URL'])

+     project = pagure.lib._get_project(

+         session, repo, user=username, namespace=namespace)

+ 

+     if not project:

+         print('Could not find a project corresponding to this git repo')

+         session.close()

+         return 1

+ 

+     pagure.lib.tasks_mirror.mirror_project.delay(

+         username=project.user.user if project.is_fork else None,

+         namespace=project.namespace,

+         name=project.name)

+ 

+     session.close()

+     return 0

+ 

+ 

+ if __name__ == '__main__':

+     main(sys.argv[1:])

+ import pagure.config  # noqa: E402

+ # -*- coding: utf-8 -*-

+ 

+ """

+  (c) 2016-2018 - Copyright Red Hat Inc

+ 

+  Authors:

+    Pierre-Yves Chibon <pingou@pingoured.fr>

+ 

+ """

+ 

+ 

+ import sqlalchemy as sa

+ import wtforms

+ 

+ try:

+     from flask_wtf import FlaskForm

+ except ImportError:

+     from flask_wtf import Form as FlaskForm

+ from sqlalchemy.orm import relation

+ from sqlalchemy.orm import backref

+ 

+ import pagure.lib.tasks_mirror

+ from pagure.hooks import BaseHook, RequiredIf

+ from pagure.lib.model import BASE, Project

+ from pagure.utils import get_repo_path, ssh_urlpattern

+ 

+ 

+ class MirrorTable(BASE):

+     """ Stores information about the mirroring hook deployed on a project.

+ 

+     Table -- mirror_pagure

+     """

+ 

+     __tablename__ = 'hook_mirror'

+ 

+     id = sa.Column(sa.Integer, primary_key=True)

+     project_id = sa.Column(

+         sa.Integer,

+         sa.ForeignKey(

+             'projects.id', onupdate='CASCADE', ondelete='CASCADE'),

+         nullable=False,

+         unique=True,

+         index=True)

+ 

+     active = sa.Column(sa.Boolean, nullable=False, default=False)

+ 

+     public_key = sa.Column(sa.Text, nullable=True)

+     target = sa.Column(sa.Text, nullable=True)

+     last_log = sa.Column(sa.Text, nullable=True)

+ 

+     project = relation(

+         'Project', remote_side=[Project.id],

+         backref=backref(

+             'mirror_hook', cascade="delete, delete-orphan",

+             single_parent=True, uselist=False)

+     )

+ 

+ 

+ class CustomRegexp(wtforms.validators.Regexp):

+ 

+     def __init__(self, *args, **kwargs):

+         self.optional = kwargs.get('optional') or False

+         if self.optional:

+             kwargs.pop('optional')

+         super(CustomRegexp, self).__init__(*args, **kwargs)

+ 

+     def __call__(self, form, field):

+         if self.optional:

+             if field.data:

+                 return super(CustomRegexp, self).__call__(form, field)

+         else:

+             return super(CustomRegexp, self).__call__(form, field)

+ 

+ 

+ class MirrorForm(FlaskForm):

+     ''' Form to configure the mirror hook. '''

+     active = wtforms.BooleanField(

+         'Active',

+         [wtforms.validators.Optional()]

+     )

+ 

+     target = wtforms.TextField(

+         'Git repo to mirror to',

+         [

+             RequiredIf('active'),

+             CustomRegexp(ssh_urlpattern, optional=True),

+         ]

+     )

+ 

+     public_key = wtforms.TextAreaField(

+         'Public SSH key',

+         [wtforms.validators.Optional()]

+     )

+     last_log = wtforms.TextAreaField(

+         'Log of the last sync:',

+         [wtforms.validators.Optional()]

+     )

+ 

+ 

+ DESCRIPTION = '''

+ Pagure specific hook to mirror a repo hosted on pagure to another location.

+ 

+ The first field below should contain the URL to be set in the git configuration

+ as the URL of the git repository to mirror to.

+ It's format is going to be something like:

+ 

+     <user>@<host>:<path>

+ 

+ The public SSH key is being generated by pagure and will be available in this

+ page shortly after the activation of this hook. Just refresh the page until

+ it shows up.

+ 

+ Finally the log of the last sync at the bottom is meant.

+ '''

+ 

+ 

+ class MirrorHook(BaseHook):

+     ''' Mirror hook. '''

+ 

+     name = 'Mirroring'

+     description = DESCRIPTION

+     form = MirrorForm

+     db_object = MirrorTable

+     backref = 'mirror_hook'

+     form_fields = ['active', 'target', 'public_key', 'last_log']

+     form_fields_readonly = ['public_key', 'last_log']

+ 

+     @classmethod

+     def install(cls, project, dbobj):

+         ''' Method called to install the hook for a project.

+ 

+         :arg project: a ``pagure.model.Project`` object to which the hook

+             should be installed

+ 

+         '''

+         pagure.lib.tasks_mirror.setup_mirroring.delay(

+             username=project.user.user if project.is_fork else None,

+             namespace=project.namespace,

+             name=project.name)

+ 

+         repopaths = [get_repo_path(project)]

+         cls.base_install(repopaths, dbobj, 'mirror', 'mirror.py')

+ 

+     @classmethod

+     def remove(cls, project):

+         ''' Method called to remove the hook of a project.

+ 

+         :arg project: a ``pagure.model.Project`` object to which the hook

+             should be installed

+ 

+         '''

+         pagure.lib.tasks_mirror.teardown_mirroring.delay(

+             username=project.user.user if project.is_fork else None,

+             namespace=project.namespace,

+             name=project.name)

+ 

+         repopaths = [get_repo_path(project)]

+         cls.base_remove(repopaths, 'mirror')

+ from pagure.lib import tasks_services

+         tasks_services.trigger_ci_build.delay(

+         tasks_services.trigger_ci_build.delay(

+         tasks_services.trigger_ci_build.delay(

+ def read_output(cmd, abspath, input=None, keepends=False, error=False, **kw):

+     """ Read the output from the given command to run.

+ 

+     cmd:

+         The command to run, this is a list with each space separated into an

+         element of the list.

+     abspath:

+         The absolute path where the command should be ran.

+     input:

+         Whether the command should take input from stdin or not.

+         (Defaults to False)

+     keepends:

+         Whether to strip the newline characters at the end of the standard

+         output or not.

+     error:

+         Whether to return both the standard output and the standard error,

+         or just the standard output.

+         (Defaults to False).

+     kw*:

+         Any other arguments to be passed onto the subprocess.Popen command,

+         such as env, shell, executable...

+ 

+     """

+ 

+     if error:

+         return (out, err)

+     else:

+         return out

+ def read_git_output(

+         args, abspath, input=None, keepends=False, error=False, **kw):

+         ['git'] + args, abspath, input=input,

+         keepends=keepends, error=error, **kw)

+ def read_git_lines(args, abspath, keepends=False, error=False, **kw):

+     if error:

+         return read_git_output(

+             args, abspath, keepends=keepends, error=error, **kw

+         )

+     else:

+         return read_git_output(

+             args, abspath, keepends=keepends, **kw

+         ).splitlines(keepends)

+ # -*- coding: utf-8 -*-

+ 

+ """

+  (c) 2018 - Copyright Red Hat Inc

+ 

+  Authors:

+    Pierre-Yves Chibon <pingou@pingoured.fr>

+ 

+ """

+ 

+ from __future__ import unicode_literals

+ 

+ import base64

+ import logging

+ import os

+ import shutil

+ import stat

+ import struct

+ import tempfile

+ 

+ import pygit2

+ import six

+ import werkzeug

+ 

+ from celery import Celery

+ from cryptography import utils

+ from cryptography.hazmat.backends import default_backend

+ from cryptography.hazmat.primitives.asymmetric import rsa

+ from cryptography.hazmat.primitives import serialization

+ 

+ import pagure.lib

+ from pagure.config import config as pagure_config

+ from pagure.lib.tasks import pagure_task

+ from pagure.utils import ssh_urlpattern

+ 

+ # logging.config.dictConfig(pagure_config.get('LOGGING') or {'version': 1})

+ _log = logging.getLogger(__name__)

+ 

+ 

+ if os.environ.get('PAGURE_BROKER_URL'):  # pragma: no-cover

+     broker_url = os.environ['PAGURE_BROKER_URL']

+ elif pagure_config.get('BROKER_URL'):

+     broker_url = pagure_config['BROKER_URL']

+ else:

+     broker_url = 'redis://%s' % pagure_config['REDIS_HOST']

+ 

+ conn = Celery('tasks_mirror', broker=broker_url, backend=broker_url)

+ conn.conf.update(pagure_config['CELERY_CONFIG'])

+ 

+ 

+ # Code from:

+ # https://github.com/pyca/cryptography/blob/6b08aba7f1eb296461528328a3c9871fa7594fc4/src/cryptography/hazmat/primitives/serialization.py#L161

+ # Taken from upstream cryptography since the version we have is too old

+ # and doesn't have this code (yet)

+ def _ssh_write_string(data):

+     return struct.pack(">I", len(data)) + data

+ 

+ 

+ def _ssh_write_mpint(value):

+     data = utils.int_to_bytes(value)

+     if six.indexbytes(data, 0) & 0x80:

+         data = b"\x00" + data

+     return _ssh_write_string(data)

+ 

+ 

+ # Code from _openssh_public_key_bytes at:

+ # https://github.com/pyca/cryptography/tree/6b08aba7f1eb296461528328a3c9871fa7594fc4/src/cryptography/hazmat/backends/openssl#L1616

+ # Taken from upstream cryptography since the version we have is too old

+ # and doesn't have this code (yet)

+ def _serialize_public_ssh_key(key):

+     if isinstance(key, rsa.RSAPublicKey):

+         public_numbers = key.public_numbers()

+         return b"ssh-rsa " + base64.b64encode(

+             _ssh_write_string(b"ssh-rsa") +

+             _ssh_write_mpint(public_numbers.e) +

+             _ssh_write_mpint(public_numbers.n)

+         )

+     else:

+         # Since we only write RSA keys, drop the other serializations

+         return

+ 

+ 

+ def _create_ssh_key(keyfile):

+     ''' Create the public and private ssh keys.

+ 

+     The specified file name will be the private key and the public one will

+     be in a similar file name ending with a '.pub'.

+ 

+     '''

+     private_key = rsa.generate_private_key(

+         public_exponent=65537,

+         key_size=4096,

+         backend=default_backend()

+     )

+ 

+     private_pem = private_key.private_bytes(

+         encoding=serialization.Encoding.PEM,

+         format=serialization.PrivateFormat.TraditionalOpenSSL,

+         encryption_algorithm=serialization.NoEncryption()

+     )

+     with os.fdopen(os.open(

+             keyfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), 'wb')\

+             as stream:

+         stream.write(private_pem)

+ 

+     public_key = private_key.public_key()

+     public_pem = _serialize_public_ssh_key(public_key)

+     if public_pem:

+         with open(keyfile + '.pub', 'wb') as stream:

+             stream.write(public_pem)

+ 

+ 

+ @conn.task(queue=pagure_config['MIRRORING_QUEUE'], bind=True)

+ @pagure_task

+ def setup_mirroring(self, session, username, namespace, name):

+     ''' Setup the specified project for mirroring.

+     '''

+     plugin = pagure.lib.plugins.get_plugin('Mirroring')

+     plugin.db_object()

+ 

+     project = pagure.lib._get_project(

+         session, namespace=namespace, name=name, user=username)

+ 

+     public_key_name = werkzeug.secure_filename(project.fullname)

+     ssh_folder = pagure_config['MIRROR_SSHKEYS_FOLDER']

+ 

+     if not os.path.exists(ssh_folder):

+         os.makedirs(ssh_folder, mode=0o700)

+     else:

+         if os.path.islink(ssh_folder):

+             raise pagure.exceptions.PagureException(

+                 'SSH folder is a link')

+         folder_stat = os.stat(ssh_folder)

+         filemode = stat.S_IMODE(folder_stat.st_mode)

+         if filemode != int('0700', 8):

+             raise pagure.exceptions.PagureException(

+                 'SSH folder had invalid permissions')

+         if folder_stat.st_uid != os.getuid() \

+                 or folder_stat.st_gid != os.getgid():

+             raise pagure.exceptions.PagureException(

+                 'SSH folder does not belong to the user or group running '

+                 'this task')

+ 

+     public_key_file = os.path.join(ssh_folder, '%s.pub' % public_key_name)

+     _log.info('Public key of interest: %s', public_key_file)

+ 

+     if os.path.exists(public_key_file):

+         raise pagure.exceptions.PagureException('SSH key already exists')

+ 

+     _log.info('Creating public key')

+     _create_ssh_key(os.path.join(ssh_folder, public_key_name))

+ 

+     with open(public_key_file) as stream:

+         public_key = stream.read()

+ 

+     if project.mirror_hook.public_key != public_key:

+         _log.info('Updating information in the DB')

+         project.mirror_hook.public_key = public_key

+         session.add(project.mirror_hook)

+         session.commit()

+ 

+ 

+ @conn.task(queue=pagure_config['MIRRORING_QUEUE'], bind=True)

+ @pagure_task

+ def teardown_mirroring(self, session, username, namespace, name):

+     ''' Stop the mirroring of the specified project.

+     '''

+     plugin = pagure.lib.plugins.get_plugin('Mirroring')

+     plugin.db_object()

+ 

+     project = pagure.lib._get_project(

+         session, namespace=namespace, name=name, user=username)

+ 

+     ssh_folder = pagure_config['MIRROR_SSHKEYS_FOLDER']

+ 

+     public_key_name = werkzeug.secure_filename(project.fullname)

+     private_key_file = os.path.join(ssh_folder, public_key_name)

+     public_key_file = os.path.join(

+         ssh_folder, '%s.pub' % public_key_name)

+ 

+     if os.path.exists(private_key_file):

+         os.unlink(private_key_file)

+ 

+     if os.path.exists(public_key_file):

+         os.unlink(public_key_file)

+ 

+     project.mirror_hook.public_key = None

+     session.add(project.mirror_hook)

+     session.commit()

+ 

+ 

+ @conn.task(queue=pagure_config['MIRRORING_QUEUE'], bind=True)

+ @pagure_task

+ def mirror_project(self, session, username, namespace, name):

+     ''' Does the actual mirroring of the specified project.

+     '''

+     plugin = pagure.lib.plugins.get_plugin('Mirroring')

+     plugin.db_object()

+ 

+     project = pagure.lib._get_project(

+         session, namespace=namespace, name=name, user=username)

+ 

+     repofolder = pagure_config['GIT_FOLDER']

+     repopath = os.path.join(repofolder, project.path)

+     if not os.path.exists(repopath):

+         _log.info('Git folder not found at: %s, bailing', repopath)

+         return

+ 

+     newpath = tempfile.mkdtemp(prefix='pagure-mirror-')

+     pygit2.clone_repository(repopath, newpath)

+ 

+     ssh_folder = pagure_config['MIRROR_SSHKEYS_FOLDER']

+     public_key_name = werkzeug.secure_filename(project.fullname)

+     private_key_file = os.path.join(ssh_folder, public_key_name)

+ 

+     # Get the list of remotes

+     remotes = [

+         remote.strip()

+         for remote in project.mirror_hook.target.split('\n')

+         if project.mirror_hook and remote.strip()

+         and ssh_urlpattern.match(remote.strip())

+     ]

+ 

+     # Add the remotes

+     for idx, remote in enumerate(remotes):

+         remote_name = '%s_%s' % (public_key_name, idx)

+         _log.info('Adding remote %s as %s', remote, remote_name)

+         (stdout, stderr) = pagure.lib.git.read_git_lines(

+             ['remote', 'add', remote_name, remote, '--mirror=push'],

+             abspath=newpath, error=True)

+         _log.info(

+             "Output from git remote add:\n  stdout: %s\n  stderr: %s",

+             stdout, stderr)

+ 

+     # Push

+     logs = []

+     for idx, remote in enumerate(remotes):

+         remote_name = '%s_%s' % (public_key_name, idx)

+         _log.info(

+             'Pushing to remote %s using key: %s', remote_name,

+             private_key_file)

+         (stdout, stderr) = pagure.lib.git.read_git_lines(

+             ['push', remote_name],

+             abspath=newpath, error=True,

+             env={'GIT_SSH_COMMAND': 'ssh -i %s' % private_key_file})

+         log = "Output from the push:\n  stdout: %s\n  stderr: %s" % (

+             stdout, stderr)

+         logs.append(log)

+     if logs:

+         project.mirror_hook.last_log = '\n'.join(logs)

+         session.add(project.mirror_hook)

+         session.commit()

+         _log.info('\n'.join(logs))

+ 

+     # Remove the clone

+     shutil.rmtree(newpath)

+ {% macro render_field_in_row(field, after="", readonly=False) %}

+     <td>{{ field(class="form-control", readonly=readonly)|safe }}</td>

+       {% if field.id in form_fields_readonly %}

+       {{ render_field_in_row(field, readonly=True) }}

+       {% else %}

+       {% endif %}

+     form_fields_readonly = []

+     if hasattr(plugin, 'form_fields_readonly'):

+         form_fields_readonly = plugin.form_fields_readonly

+ 

+         fields=fields,

+         form_fields_readonly=form_fields_readonly,

+     )

+ ssh_urlregex = re.compile(

+     u"^"

+     # protocol identifier

+     u"(?:(?:(git\+)?ssh)://)"

+     # user:pass authentication

+     u"(?:\S+(?::\S*)?@)?"

+     u"(?:"

+     u"(?P<private_ip>"

+     # IP address exclusion

+     # private & local networks

+     u"(?:(?:10|127)" + ip_middle_octet + u"{2}" + ip_last_octet + u")|"

+     u"(?:(?:169\.254|192\.168)" + ip_middle_octet + ip_last_octet + u")|"

+     u"(?:172\.(?:1[6-9]|2\d|3[0-1])" + ip_middle_octet + ip_last_octet + u"))"

+     u"|"

+     # IP address dotted notation octets

+     # excludes loopback network 0.0.0.0

+     # excludes reserved space >= 224.0.0.0

+     # excludes network & broadcast addresses

+     # (first & last IP address of each class)

+     u"(?P<public_ip>"

+     u"(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])"

+     u"" + ip_middle_octet + u"{2}"

+     u"" + ip_last_octet + u")"

+     u"|"

+     # host name

+     u"(?:(?:[a-z\u00a1-\uffff0-9]-?)*[a-z\u00a1-\uffff0-9]+)"

+     # domain name

+     u"(?:\.(?:[a-z\u00a1-\uffff0-9]-?)*[a-z\u00a1-\uffff0-9]+)*"

+     # TLD identifier

+     u"(?:\.(?:[a-z\u00a1-\uffff]{2,}))"

+     u")"

+     # port number

+     u"(?::\d{2,5})?"

+     # resource path

+     u"(?:/\S*)?"

+     u"$",

+     re.UNICODE | re.IGNORECASE

+ )

+ ssh_urlpattern = re.compile(ssh_urlregex)

+ 

+ 

+         imp.reload(pagure.lib.tasks_mirror)

+                 'Mirroring',

+ # -*- coding: utf-8 -*-

+ 

+ """

+  (c) 2018 - Copyright Red Hat Inc

+ 

+  Authors:

+    Pierre-Yves Chibon <pingou@pingoured.fr>

+ 

+ """

+ 

+ from __future__ import unicode_literals

+ 

+ __requires__ = ['SQLAlchemy >= 0.8']

+