def _configure_POST(github):
valid = Validation(request)
repo = valid.require("repo")
if not valid.ok:
return "quit yo hackin bullshit"
repo = github.get_repo(repo)
if not repo:
return "quit yo hackin bullshit"
task = Task()
task.name = "{}::github_pr_to_build".format(repo.full_name)
task.user_id = current_user.id
task._taskdef = "github_pr_to_build"
db.session.add(task)
db.session.flush()
record = GitHubPRToBuild._GitHubPRToBuildRecord()
record.id = uuid4()
record.user_id = current_user.id
record.task_id = task.id
record.github_webhook_id = -1
record.repo = repo.full_name
db.session.add(record)
db.session.flush()
hook = repo.create_hook("web", {
"url":
_root +
url_for("github_pr_to_build._webhook", record_id=record.id),
"content_type":
"json",
}, ["pull_request"],
active=True)
record.github_webhook_id = hook.id
db.session.commit()
return redirect(url_for("html.edit_task", task_id=task.id))
def _webhook(record_id):
record_id = UUID(record_id)
hook = GitHubCommitToBuild._GitHubCommitToBuildRecord.query.filter(
GitHubCommitToBuild._GitHubCommitToBuildRecord.id ==
record_id).one_or_none()
if not hook:
return "Unknown hook " + str(record_id), 404
valid = Validation(request)
commit = valid.require("head_commit")
repo = valid.require("repository")
ref = valid.require("ref")
if not valid.ok:
return "Got request, but it has no commits"
return submit_github_build(
"commits",
hook,
repo,
commit,
env={
"GITHUB_DELIVERY": request.headers.get("X-GitHub-Delivery"),
"GITHUB_EVENT": request.headers.get("X-GitHub-Event"),
"GITHUB_REF": ref,
"GITHUB_REPO": repo["full_name"],
},
secrets=hook.secrets)
def _webhook(record_id):
record_id = UUID(record_id)
hook = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
GitHubPRToBuild._GitHubPRToBuildRecord.id == record_id).first()
if not hook:
return "Unknown hook " + str(record_id), 404
valid = Validation(request)
pr = valid.require("pull_request")
action = valid.require("action")
if not valid.ok:
return "Got request, but it has no commits"
if action not in ["opened", "synchronize"]:
return "Got update, but there are no new commits"
head = pr["head"]
base = pr["base"]
base_repo = base["repo"]
head_repo = head["repo"]
auth = GitHubAuthorization.query.filter(
GitHubAuthorization.user_id == hook.user_id).first()
if not auth:
return ("You have not authorized us to access your GitHub account",
401)
return submit_build(hook,
head_repo,
head,
base_repo,
secrets=False,
extras={
"automerge": hook.automerge,
"pr": pr["number"]
})
def _webhook(record_id):
record_id = UUID(record_id)
hook = GitLabCommitToBuild._GitLabCommitToBuildRecord.query.filter(
GitLabCommitToBuild._GitLabCommitToBuildRecord.id == record_id
).one_or_none()
if not hook:
return "Unknown hook " + str(record_id), 404
auth = GitLabAuthorization.query.filter(
GitLabAuthorization.user_id == hook.user_id,
GitLabAuthorization.upstream == hook.upstream,
).first()
if not auth:
return "Invalid authorization for this hook"
gitlab = Gitlab(f"https://{hook.upstream}",
oauth_token=auth.oauth_token)
valid = Validation(request)
commit = valid.require("after")
ref = valid.require("ref")
if not valid.ok:
return "Unexpected hook payload"
try:
project = gitlab.projects.get(hook.repo_id)
commit = project.commits.get(commit)
except:
return "Unable to fetch commit information"
urls = submit_gitlab_build("commits", auth, hook, project, commit, env={
"GITLAB_REF": ref,
})
if isinstance(urls, str):
return urls
return "Submitted:\n\n" + "\n".join([f"{n}: {u}" for n, u in urls])
def authorize():
valid = Validation(request)
client_id = request.headers.get("X-OAuth-ID")
client_secret = request.headers.get("X-OAuth-Secret")
valid.expect(client_id and client_secret,
"Required X-OAuth-ID and X-OAuth-Secret headers missing")
if not valid.ok:
return valid.response
client = (OAuthClient.query.filter(
OAuthClient.client_id == client_id).one_or_none())
valid.expect(client is not None, "Unknown X-OAuth-ID")
if not valid.ok:
return valid.response
client_secret_hash = hashlib.sha512(client_secret.encode()).hexdigest()
valid.expect(client_secret_hash == client.client_secret_hash,
"Incorrect X-OAuth-Secret")
if not valid.ok:
return valid.response
valid.expect(
client.preauthorized,
"This feature is only available to first-party OAuth clients")
if not valid.ok:
return valid.response
g.oauth_client = client
def tracker_labels_POST(owner, name):
tracker, access = get_tracker(owner, name)
is_owner = current_user.id == tracker.owner_id
if not tracker:
abort(404)
if not is_owner:
abort(403)
valid = Validation(request)
label_name = valid.require("name")
label_color = valid.require("color")
if not valid.ok:
return render_template("tracker-labels.html",
tracker=tracker,
access=access,
is_owner=is_owner,
**valid.kwargs), 400
valid.expect(2 < len(label_name) < 50,
"Must be between 2 and 50 characters",
field="name")
valid.expect(color.valid_hex_color_code(label_color),
"Invalid hex color code",
field="color")
if not valid.ok:
return render_template("tracker-labels.html",
tracker=tracker,
access=access,
is_owner=is_owner,
**valid.kwargs), 400
existing_label = (Label.query.filter(
Label.tracker_id == tracker.id).filter(
Label.name == label_name)).first()
valid.expect(not existing_label,
"A label with this name already exists",
field="name")
if not valid.ok:
return render_template("tracker-labels.html",
tracker=tracker,
access=access,
is_owner=is_owner,
**valid.kwargs), 400
# Determine a foreground color to use
label_color_rgb = color.color_from_hex(label_color)
text_color_rgb = color.get_text_color(label_color_rgb)
text_color = color.color_to_hex(text_color_rgb)
label = Label()
label.tracker_id = tracker.id
label.name = label_name
label.color = label_color
label.text_color = text_color
db.session.add(label)
db.session.commit()
return redirect(url_for(".tracker_labels_GET", owner=owner, name=name))
def edit_POST(task):
record = GitLabCommitToBuild._GitLabCommitToBuildRecord.query.filter(
GitLabCommitToBuild._GitLabCommitToBuildRecord.task_id == task.id
).one_or_none()
valid = Validation(request)
secrets = valid.optional("secrets", cls=bool, default=False)
record.secrets = bool(secrets)
db.session.commit()
return redirect(url_for("html.edit_task", task_id=task.id))
def edit_POST(task):
record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
GitHubPRToBuild._GitHubPRToBuildRecord.task_id ==
task.id).one_or_none()
valid = Validation(request)
automerge = valid.optional("automerge", cls=bool, default=False)
record.automerge = bool(automerge)
db.session.commit()
return redirect(url_for("html.edit_task", task_id=task.id))
def edit_POST(task):
record = GitLabMRToBuild._GitLabMRToBuildRecord.query.filter(
GitLabMRToBuild._GitLabMRToBuildRecord.task_id ==
task.id).one_or_none()
valid = Validation(request)
# TODO: Check if the repo is public/private and enable secrets if so
secrets = valid.optional("secrets", cls=bool, default=False)
record.secrets = bool(secrets)
db.session.commit()
return redirect(url_for("html.edit_task", task_id=task.id))
def ssh_keys_POST():
user = User.query.get(current_user.id)
valid = Validation(request)
ssh_key = valid.require("ssh-key")
if valid.ok:
try:
parsed_key = ssh.SSHKey(ssh_key)
valid.expect(parsed_key.bits, "This is not a valid SSH key",
"ssh-key")
except:
valid.error("This is not a valid SSH key", "ssh-key")
if valid.ok:
fingerprint = parsed_key.hash_md5()[4:]
valid.expect(SSHKey.query\
.filter(SSHKey.fingerprint == fingerprint) \
.count() == 0, "We already have this SSH key on file.", "ssh-key")
if not valid.ok:
return render_template("keys.html",
current_user=user,
ssh_key=ssh_key,
valid=valid)
key = SSHKey(user, ssh_key, fingerprint, parsed_key.comment)
db.session.add(key)
audit_log("ssh key added", 'Added SSH key {}'.format(fingerprint))
db.session.commit()
return redirect("/keys")
def create():
if not current_app.repo_api:
abort(501)
valid = Validation(request)
repo = current_app.repo_api.create_repo(valid, current_user)
if not valid.ok:
return render_template("create.html", **valid.kwargs)
another = valid.optional("another")
if another == "on":
return redirect("/create?another")
else:
return redirect("/~{}/{}".format(current_user.username, repo.name))
def settings_info_POST(owner_name, repo_name):
owner, repo = check_access(owner_name, repo_name, UserAccess.manage)
if isinstance(repo, BaseRedirectMixin):
repo = repo.new_repo
valid = Validation(request)
desc = valid.optional("description", default=repo.description)
visibility = valid.optional("visibility",
cls=RepoVisibility,
default=repo.visibility)
repo.visibility = visibility
repo.description = desc
db.session.commit()
return redirect("/{}/{}/settings/info".format(owner_name, repo_name))
def _webhook(record_id):
record_id = UUID(record_id)
hook = GitHubCommitToBuild._GitHubCommitToBuildRecord.query.filter(
GitHubCommitToBuild._GitHubCommitToBuildRecord.id == record_id
).one_or_none()
if not hook:
return "Unknown hook " + str(record_id), 404
valid = Validation(request)
commit = valid.require("head_commit")
repo = valid.require("repository")
if not valid.ok:
return "Got request, but it has no commits"
return submit_build(hook, repo, commit, secrets=hook.secrets)
def ticket_edit_POST(owner, name, ticket_id):
tracker, _ = get_tracker(owner, name)
if not tracker:
abort(404)
ticket, access = get_ticket(tracker, ticket_id)
if not ticket:
abort(404)
if not TicketAccess.edit in access:
abort(401)
valid = Validation(request)
title = valid.require("title", friendly_name="Title")
desc = valid.optional("description")
valid.expect(not title or 3 <= len(title) <= 2048,
"Title must be between 3 and 2048 characters.",
field="title")
valid.expect(not desc or len(desc) < 16384,
"Description must be no more than 16384 characters.",
field="description")
if not valid.ok:
return render_template("edit_ticket.html",
tracker=tracker,
ticket=ticket,
**valid.kwargs)
ticket.title = title
ticket.description = desc
db.session.commit()
return redirect(ticket_url(ticket))
def submit_POST():
valid = Validation(request)
_manifest = valid.require("manifest", friendly_name="Manifest")
max_len = Job.manifest.prop.columns[0].type.length
note = valid.optional("note", default="Submitted on the web")
valid.expect(not _manifest or len(_manifest) < max_len,
"Manifest must be less than {} bytes".format(max_len),
field="manifest")
if not valid.ok:
return render_template("submit.html", **valid.kwargs)
try:
manifest = Manifest(yaml.safe_load(_manifest))
except Exception as ex:
valid.error(str(ex), field="manifest")
return render_template("submit.html", **valid.kwargs)
job = Job(current_user, _manifest)
job.note = note
db.session.add(job)
db.session.flush()
for task in manifest.tasks:
t = Task(job, task.name)
db.session.add(t)
db.session.flush() # assigns IDs for ordering purposes
queue_build(job, manifest) # commits the session
return redirect("/~" + current_user.username + "/job/" + str(job.id))
def ticket_add_label(owner, name, ticket_id):
tracker, _ = get_tracker(owner, name)
if not tracker:
abort(404)
ticket, access = get_ticket(tracker, ticket_id)
if not ticket:
abort(404)
if not TicketAccess.edit in access:
abort(401)
valid = Validation(request)
label_id = valid.require("label_id", friendly_name="A label")
if not valid.ok:
ctx = get_ticket_context(ticket, tracker, access)
return render_template("ticket.html", **ctx, **valid.kwargs)
valid.expect(re.match(r"^\d+$", label_id),
"Label ID must be numeric",
field="label_id")
if not valid.ok:
ctx = get_ticket_context(ticket, tracker, access)
return render_template("ticket.html", **ctx, **valid.kwargs)
label_id = int(request.form.get('label_id'))
label = Label.query.filter(Label.id == label_id).first()
if not label:
abort(404)
ticket_label = (TicketLabel.query.filter(
TicketLabel.label_id == label.id).filter(
TicketLabel.ticket_id == ticket.id)).first()
if not ticket_label:
ticket_label = TicketLabel()
ticket_label.ticket_id = ticket.id
ticket_label.label_id = label.id
ticket_label.user_id = current_user.id
event = Event()
event.event_type = EventType.label_added
event.user_id = current_user.id
event.ticket_id = ticket.id
event.label_id = label.id
db.session.add(ticket_label)
db.session.add(event)
db.session.commit()
return redirect(ticket_url(ticket))
def settings_access_POST(owner, name):
tracker, access = get_tracker(owner, name)
if not tracker:
abort(404)
if current_user.id != tracker.owner_id:
abort(403)
valid = Validation(request)
perm_anon = parse_html_perms('anon', valid)
perm_user = parse_html_perms('user', valid)
perm_submit = parse_html_perms('submit', valid)
# TODO: once repos are linked
#perm_commit = parse_html_perms('commit', valid)
if not valid.ok:
return render_template("tracker-access.html",
tracker=tracker,
access_type_list=TicketAccess,
access_help_map=access_help_map,
**valid.kwargs), 400
tracker.default_anonymous_perms = perm_anon
tracker.default_user_perms = perm_user
tracker.default_submitter_perms = perm_submit
#tracker.default_committer_perms = perm_commit
db.session.commit()
return redirect(tracker_url(tracker))
def repos_POST():
if not current_app.repo_api:
abort(501)
valid = Validation(request)
repo = current_app.repo_api.create_repo(valid, current_token.user)
if not valid.ok:
return valid.response
return repo_json(repo)
def forgot_POST():
valid = Validation(request)
email = valid.require("email", friendly_name="Email")
if not valid.ok:
return render_template("forgot.html", **valid.kwargs)
user = User.query.filter(User.email == email).first()
valid.expect(user, "No account found with this email address.")
if not valid.ok:
return render_template("forgot.html", **valid.kwargs)
factors = (UserAuthFactor.query.filter(
UserAuthFactor.user_id == user.id)).all()
valid.expect(
not any(f for f in factors
if f.factor_type in [FactorType.totp, FactorType.u2f]),
"This account has two-factor authentication enabled, contact support.")
if not valid.ok:
return render_template("forgot.html", **valid.kwargs)
rh = user.gen_reset_hash()
db.session.commit()
send_email(
'reset_pw',
user.email,
'Reset your password on {}'.format(site_name),
headers={
"From":
f"{cfg('sr.ht', 'owner-name')} <*****@*****.**>",
"To":
"{} <{}>".format(user.username, user.email),
"Reply-To":
f"{cfg('sr.ht', 'owner-name')} <{cfg('sr.ht', 'owner-email')}>",
},
user=user)
audit_log("password reset requested", user=user)
return render_template("forgot.html", done=True)
def user_webhooks_POST():
valid = Validation(request)
sub = UserWebhook.Subscription(valid,
current_token.client_id, current_token.user_id)
if not valid.ok:
return valid.response
db.session.add(sub)
db.session.commit()
return sub.to_dict()
def repos_by_name_PUT(owner, name):
user, repo = check_repo(owner, name, authorized=current_token.user)
if isinstance(repo, BaseRedirectMixin):
abort(404)
valid = Validation(request)
prop(valid, repo, "visibility", cls=RepoVisibility)
prop(valid, repo, "description", cls=str)
db.session.commit()
return repo_json(repo)
def _webhook(record_id):
record_id = UUID(record_id)
hook = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
GitHubPRToBuild._GitHubPRToBuildRecord.id == record_id).first()
if not hook:
return "Unknown hook " + str(record_id), 404
valid = Validation(request)
pr = valid.require("pull_request")
action = valid.require("action")
if not valid.ok:
return "Got request, but it has no commits"
if action not in ["opened", "synchronize"]:
return "Got update, but there are no new commits"
head = pr["head"]
base = pr["base"]
base_repo = base["repo"]
head_repo = head["repo"]
auth = GitHubAuthorization.query.filter(
GitHubAuthorization.user_id == hook.user_id).first()
if not auth:
return ("You have not authorized us to access your GitHub account",
401)
secrets = hook.secrets
if not base_repo["private"]:
secrets = False
return submit_github_build(
"pulls",
hook,
head_repo,
head,
base_repo,
secrets=secrets,
extras={
"automerge": hook.automerge,
"pr": pr["number"]
},
env={
"GITHUB_DELIVERY": request.headers.get("X-GitHub-Delivery"),
"GITHUB_EVENT": request.headers.get("X-GitHub-Event"),
"GITHUB_PR_NUMBER": str(pr["number"]),
"GITHUB_PR_TITLE": pr["title"],
"GITHUB_BASE_REPO": base_repo["full_name"],
"GITHUB_HEAD_REPO": head_repo["full_name"],
})
def ticket_comment_POST(owner, name, ticket_id):
tracker, access = get_tracker(owner, name)
if not tracker:
abort(404)
ticket, access = get_ticket(tracker, ticket_id)
if not ticket:
abort(404)
valid = Validation(request)
text = valid.optional("comment")
resolve = valid.optional("resolve")
resolution = valid.optional("resolution")
reopen = valid.optional("reopen")
valid.expect(not text or 3 <= len(text) <= 16384,
"Comment must be between 3 and 16384 characters.",
field="comment")
valid.expect(text or resolve or reopen,
"Comment is required",
field="comment")
if (resolve or reopen) and TicketAccess.edit not in access:
abort(403)
if resolve:
try:
resolution = TicketResolution(int(resolution))
except Exception as ex:
abort(400, "Invalid resolution")
else:
resolution = None
if not valid.ok:
ctx = get_ticket_context(ticket, tracker, access)
return render_template("ticket.html", **ctx, **valid.kwargs)
comment = add_comment(current_user,
ticket,
text=text,
resolve=resolve,
resolution=resolution,
reopen=reopen)
return redirect(ticket_url(ticket, comment))
def _webhook(record_id):
record_id = UUID(record_id)
hook = GitLabMRToBuild._GitLabMRToBuildRecord.query.filter(
GitLabMRToBuild._GitLabMRToBuildRecord.id ==
record_id).one_or_none()
if not hook:
return "Unknown hook " + str(record_id), 404
auth = GitLabAuthorization.query.filter(
GitLabAuthorization.user_id == hook.user_id,
GitLabAuthorization.upstream == hook.upstream,
).first()
if not auth:
return "Invalid authorization for this hook"
gitlab = Gitlab(f"https://{hook.upstream}",
oauth_token=auth.oauth_token)
valid = Validation(request)
object_attrs = valid.require("object_attributes")
if not valid.ok:
return "Unexpected hook payload"
source = object_attrs["source"]
last_commit = object_attrs["last_commit"]
project = gitlab.projects.get(hook.repo_id)
source = gitlab.projects.get(source["id"])
commit = project.commits.get(last_commit["id"])
merge_req = project.mergerequests.get(object_attrs["iid"])
urls = submit_gitlab_build(
"mrs", auth, hook, project, commit, source, {
"GITLAB_MR_NUMBER": object_attrs["iid"],
"GITLAB_MR_TITLE": object_attrs["title"],
"GITLAB_BASE_REPO": project.attributes["name_with_namespace"],
"GITLAB_HEAD_REPO": source.attributes["name_with_namespace"],
})
if isinstance(urls, str):
return urls
summary = "\n\nbuilds.sr.ht jobs:\n\n" + ("\n".join(
[f"[{n}]({url}): :clock1: running" for n, u in urls]))
merge_req.description += summary
merge_req.save()
return
def settings_POST(owner_name, list_name):
owner, ml, access = get_list(owner_name, list_name)
if not ml:
abort(404)
if ml.owner_id != current_user.id:
abort(401)
valid = Validation(request)
list_desc = valid.optional("list_desc")
if list_desc == "":
list_desc = None
valid.expect(not list_desc or 16 < len(list_desc) < 2048,
"Description must be between 16 and 2048 characters.",
field="list_desc")
if not valid.ok:
return render_template("list-settings.html",
list=ml,
owner=owner,
access_type_list=ListAccess,
access_help_map=access_help_map,
**valid.kwargs)
def process(perm):
bitfield = ListAccess.none
for access in ListAccess:
if access in [ListAccess.none]:
continue
if valid.optional("perm_{}_{}".format(perm, access.name)) != None:
bitfield |= access
return bitfield
ml.description = list_desc
ml.nonsubscriber_permissions = process("nonsub")
ml.subscriber_permissions = process("sub")
ml.account_permissions = process("account")
db.session.commit()
return redirect(
url_for("archives.archive", owner_name=owner_name,
list_name=list_name))
def settings_details_POST(owner, name):
tracker, access = get_tracker(owner, name)
if not tracker:
abort(404)
if current_user.id != tracker.owner_id:
abort(403)
valid = Validation(request)
desc = valid.optional("tracker_desc", default=tracker.description)
valid.expect(not desc or len(desc) < 4096,
"Must be less than 4096 characters",
field="tracker_desc")
if not valid.ok:
return render_template("tracker-details.html",
tracker=tracker,
**valid.kwargs), 400
tracker.description = desc
db.session.commit()
return redirect(tracker_url(tracker))
def secret_delete_POST():
valid = Validation(request)
uuid = valid.require("uuid")
if not uuid:
abort(404)
secret = Secret.query.filter(Secret.uuid == uuid).first()
if not secret:
abort(404)
if secret.user_id != current_user.id:
abort(401)
name = secret.name
db.session.delete(secret)
db.session.commit()
session["message"] = "Successfully removed secret {}{}.".format(
uuid, " ({})".format(name) if name else "")
return redirect("/secrets")
def new_payment_POST():
valid = Validation(request)
term = valid.require("term")
token = valid.require("stripe-token")
if not valid.ok:
return "Invalid form submission", 400
if not current_user.stripe_customer:
new_customer = True
try:
customer = stripe.Customer.create(
description="~" + current_user.username,
email=current_user.email,
card=token)
current_user.stripe_customer = customer.id
current_user.payment_due = datetime.utcnow() + timedelta(seconds=-1)
except stripe.error.CardError as e:
details = e.json_body["error"]["message"]
return render_template("new-payment.html",
amount=current_user.payment_cents, error=details)
else:
new_customer = False
try:
customer = stripe.Customer.retrieve(current_user.stripe_customer)
source = customer.sources.create(source=token)
customer.default_source = source.stripe_id
customer.save()
except stripe.error.CardError as e:
details = e.json_body["error"]["message"]
return render_template("new-payment.html",
amount=current_user.payment_cents, error=details)
audit_log("billing", "New payment method handed")
current_user.payment_interval = PaymentInterval(term)
success, details = charge_user(current_user)
if not success:
return render_template("new-payment.html",
amount=current_user.payment_cents, error=details)
db.session.commit()
if new_customer:
return redirect(onboarding_redirect)
session["message"] = "Your payment method was updated."
return redirect(url_for("billing.billing_GET"))
def privacy_POST():
valid = Validation(request)
key_id = valid.require("pgp-key")
key_id = key_id if key_id != "null" else None
key = None
if key_id:
key = PGPKey.query.get(int(key_id))
valid.expect(key.user_id == current_user.id, "Invalid PGP key")
if not valid.ok:
return redirect("/privacy")
user = User.query.get(current_user.id)
user.pgp_key = key
audit_log("changed pgp key",
"Set default PGP key to {}".format(key.key_id if key else None))
db.session.commit()
return redirect("/privacy")
def reset_POST(token):
user = User.query.filter(User.reset_hash == token).first()
if not user:
abort(404)
if user.reset_expiry < datetime.utcnow():
abort(404)
valid = Validation(request)
password = valid.require("password", friendly_name="Password")
if not valid.ok:
return render_template("reset.html", valid=valid)
valid.expect(8 <= len(password) <= 512,
"Password must be between 8 and 512 characters.", "password")
if not valid.ok:
return render_template("reset.html", valid=valid)
user.password = bcrypt.hashpw(password.encode('utf-8'),
salt=bcrypt.gensalt()).decode('utf-8')
audit_log("password reset", user=user)
db.session.commit()
login_user(user, remember=True)
metrics.meta_pw_resets.inc()
return redirect("/")
