[PATCH 1 of 3] hgweb: add a hook for processing LFS Batch API requests

Matt Harbison mharbison72 at gmail.com
Tue Mar 6 04:56:20 UTC 2018 

On Mon, 26 Feb 2018 08:47:01 -0500, Yuya Nishihara <yuya at tcha.org> wrote:

> On Thu, 22 Feb 2018 01:02:41 -0500, Matt Harbison wrote:
>> # HG changeset patch
>> # User Matt Harbison <matt_harbison at yahoo.com>
>> # Date 1519274700 18000
>> #      Wed Feb 21 23:45:00 2018 -0500
>> # Node ID d38f7cc80f9dc453e7968fdb594e0a1119003d14
>> # Parent  c8891cc3fa9ec855a3bdefd3dd759d19927c6b85
>> hgweb: add a hook for processing LFS Batch API requests
>>
>> There really isn't a clean way to give LFS a crack at intercepting the  
>> requests
>> without hardcoding some LFS knowledge in the core.  The rationale for  
>> this URI
>> is that the spec for the Batch API[1] defines the URL as the LFS server  
>> url +
>> '/objects/batch'.  The default git URLs are:
>>
>>     Git remote: https://git-server.com/foo/bar
>>     LFS server: https://git-server.com/foo/bar.git/info/lfs
>>     Batch API: https://git-server.com/foo/bar.git/info/lfs/objects/batch
>>
>> '.git/' seems like it's not something a user would normally track.  If  
>> we adhere
>> to how git defines the URLs, then the hg-git extension should be able  
>> to talk to
>> a git based server without any additional work.
>>
>> [1] https://github.com/git-lfs/git-lfs/blob/master/docs/api/batch.md
>>
>> diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py
>> --- a/mercurial/hgweb/hgweb_mod.py
>> +++ b/mercurial/hgweb/hgweb_mod.py
>> @@ -95,6 +95,12 @@
>>          urlel = os.path.dirname(urlel)
>>      return reversed(breadcrumb)
>>
>> +def _processlfsbatchreq(repo, req):
>> +    """A hook for the LFS extension to wrap that handles requests to  
>> the Batch
>> +    API, and returns the appropriate JSON response.
>> +    """
>> +    raise ErrorResponse(HTTP_NOT_FOUND)
>> +
>>  class requestcontext(object):
>>      """Holds state/context for an individual request.
>>
>> @@ -371,6 +377,11 @@
>>
>>              return protohandler['dispatch']()
>>
>> +        # Route LFS Batch API requests to the appropriate handler
>> +
>> +        if req.env[r'PATH_INFO'] == '/.git/info/lfs/objects/batch':
>> +            return _processlfsbatchreq(rctx.repo, req)
>
> (CC: indygreg as web expert)
>
> I'm not pretty sure, but given we do "'PATH_INFO' in req.env" before,
> req.env['PATH_INFO'] could be missing. And maybe we'll need some  
> check_perm().

Disregard this series.  I've added a user agent check, and try/catch  
around these.  But I need to rebase a huge series over the recent  
changes.  I'm still curious what to do without PATH_INFO.

We can probably check_perm() the Batch API here, but the check on the  
actual upload/download needs to be done in the extension.  (The  
upload/download command is packed in the JSON, and implies 'push' or  
'pull' check here.)

Something strange I noticed is that hgweb.common.checkauthz() throws a 401  
if the user is on the deny_read list, or not in allow_read.  Shouldn't it  
be 403?  The git docs say it will attempt authentication and retry on a  
401 (though it seems unlikely that a git client will ever talk to this  
server).

https://github.com/git-lfs/git-lfs/blob/master/docs/api/batch.md#response-errors

More information about the Mercurial-devel mailing list