From 749af9b6f284ea6e9f57b80f84288311844a9cc8 Mon Sep 17 00:00:00 2001
From: wj00037 <1292876134@qq.com>
Date: Mon, 21 Oct 2024 15:34:13 +0800
Subject: [PATCH] add 403, add logs

---
 auth/client.go | 8 ++++----
 auth/gitee.go | 32 ++++++++++++++++++++------------
 server/server.go | 19 ++++++++++++-------
 3 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/auth/client.go b/auth/client.go
index a2a4d68..e0a6348 100644
--- a/auth/client.go
+++ b/auth/client.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "io"
 "net/http"
- "strings"
 )
 
 type Client struct {
@@ -19,7 +18,6 @@ func getParsedResponse(method, path string, header http.Header, body io.Reader,
 panic(err)
 }
 req.Header = header
- fmt.Println(strings.Split(path, "?")[0])
 response, err := http.DefaultClient.Do(req)
 if err != nil {
 panic(err)
@@ -27,11 +25,13 @@ func getParsedResponse(method, path string, header http.Header, body io.Reader,
 defer response.Body.Close()
 if response.StatusCode/100 != 2 {
 if response.StatusCode == http.StatusNotFound {
- return errors.New("repository not found")
+ return errors.New("not_found")
 } else if response.StatusCode == http.StatusUnauthorized {
 return errors.New("unauthorized")
+ } else if response.StatusCode == http.StatusForbidden {
+ return errors.New("forbidden")
 }
- return errors.New("error occurred accessing gitee")
+ return fmt.Errorf("other error: %v", response.StatusCode)
 }
 data, err := io.ReadAll(response.Body)
 if err != nil {
diff --git a/auth/gitee.go b/auth/gitee.go
index cbf7177..43623cb 100644
--- a/auth/gitee.go
+++ b/auth/gitee.go
@@ -9,6 +9,7 @@ import (
 "strings"
 
 "github.com/metalogical/BigFiles/config"
+ "github.com/sirupsen/logrus"
 )
 
 var (
@@ -23,7 +24,6 @@ var (
 )
 
 type giteeUser struct {
- Login string `json:"login"`
 Permission string `json:"permission"`
 }
 
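Review bot: The new `not_found`/`unauthorized`/`forbidden` literals returned by `getParsedResponse` double as a wire protocol: the server/server.go `handleBatch` hunk classifies them with `strings.HasPrefix`, and the auth/gitee.go hunks rebuild them with `errors.New(err.Error() + ": ...")`, so editing any one literal silently turns a 401/403 into a 500 with no compiler help. Sentinel values make the contract explicit and checkable: `var ErrNotFound = errors.New("not_found")` (likewise `ErrUnauthorized`, `ErrForbidden`) returned here, wrapped downstream as `fmt.Errorf("%w: check repo_id failed", err)` and matched with `errors.Is`. The trailing `fmt.Errorf("other error: %v", response.StatusCode)` should format the integer status with `%d`. getParsedResponse starts and continues outside the hunk.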
@@ -101,7 +101,8 @@ func CheckRepoOwner(userInRepo UserInRepo) error {
 repo := new(Repo)
 err := getParsedResponse("GET", path, headers, nil, &repo)
 if err != nil {
- return err
+ msg := err.Error() + ": check repo_id failed"
+ return errors.New(msg)
 }
 for _, allowedRepo := range allowedRepos {
 if strings.Split(repo.Fullname, "/")[0] == allowedRepo {
@@ -116,8 +117,9 @@ func CheckRepoOwner(userInRepo UserInRepo) error {
 }
 }
 }
-
- return errors.New("your repository does not appear to have permission to use this lfs service")
+ msg := "forbidden: repo has no permission to use this lfs server"
+ logrus.Error(fmt.Sprintf("CheckRepoOwner: %s", msg))
+ return errors.New(msg)
 }
 
 // getToken gets access_token by username and password
@@ -135,7 +137,8 @@ func getToken(username, password string) (string, error) {
 accessToken := new(AccessToken)
 err := getParsedResponse("POST", path, headers, strings.NewReader(form.Encode()), &accessToken)
 if err != nil {
- return "", err
+ msg := err.Error() + ": get token failed. Or may be it is already a token"
+ return "", errors.New(msg)
 }
 
 return accessToken.Token, nil
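Review bot: The `logrus.Error(...)` added at the end of `CheckRepoOwner` fires for every request whose repository is outside `allowedRepos`, which is an expected authorization outcome driven by client input rather than a server fault; at Error level it produces one alert-grade line per rejected request, and the fixed message carries nothing an operator can act on. `logrus.Warnf("CheckRepoOwner: %s: repo %q", msg, repo.Fullname)` (or `logrus.WithField("repo", repo.Fullname).Warn(msg)`) would make the entry useful, and the same applies to the four `logrus.Error(fmt.Sprintf(...))` calls in the verifyUser hunk below, which also read more simply as `logrus.Errorf(...)`. In the getToken hunk the suffix `": get token failed. Or may be it is already a token"` is an implementation guess sent back to the client; keep the error at `": get token failed"` and put the "password may already be a token" hypothesis in a code comment where the caller handles it. CheckRepoOwner and getToken both start outside their hunks.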
@@ -156,27 +159,32 @@ func verifyUser(userInRepo UserInRepo) error {
 giteeUser := new(giteeUser)
 err := getParsedResponse("GET", path, headers, nil, &giteeUser)
 if err != nil {
- return err
+ msg := err.Error() + ": verify user permission failed"
+ logrus.Error(fmt.Sprintf("verifyUser: %s", msg))
+ return errors.New(msg)
 }
- if giteeUser.Login != userInRepo.Username {
- return errors.New("username does not match")
- }
 if userInRepo.Operation == "upload" {
 for _, v := range uploadPermissions {
 if giteeUser.Permission == v {
 return nil
 }
 }
- return errors.New("user has no permission uploading to the repository")
+ msg := "forbidden: user has no permission to upload"
+ logrus.Error(fmt.Sprintf("verifyUser: %s", msg))
+ return errors.New(msg)
 } else if userInRepo.Operation == "download" {
 for _, v := range downloadPermissions {
 if giteeUser.Permission == v {
 return nil
 }
 }
- return errors.New("user has no permission downloading in the repository")
+ msg := "forbidden: user has no permission to download"
+ logrus.Error(fmt.Sprintf("verifyUser: %s", msg))
+ return errors.New(msg)
 } else {
- return errors.New("unknow operation")
+ msg := "other error: unknow operation"
+ logrus.Error(fmt.Sprintf("verifyUser: %s", msg))
+ return errors.New(msg)
 }
 }
 
diff --git a/server/server.go b/server/server.go
index 4e0f1f9..241e493 100644
--- a/server/server.go
+++ b/server/server.go
@@ -8,6 +8,7 @@ import (
 "net/http"
 "os"
 "regexp"
+ "strings"
 "time"
 
 "github.com/go-chi/chi"
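Review bot: Removing the `giteeUser.Login != userInRepo.Username` comparison (together with the `Login` field in the struct hunk of auth/gitee.go) drops the only place where the permission response was tied back to the username the client supplied. Whether that is safe depends on how `path` is built, which is outside this hunk: if it embeds `userInRepo.Username` the comparison was redundant, but if the endpoint reports the permission of whichever account the token belongs to, a request pairing one username with another account's credentials would be judged on the wrong user's permission. A comment above the `getParsedResponse` call stating which identity the endpoint reports and why no cross-check is needed would make that decision reviewable rather than implicit. The new literal `"other error: unknow operation"` carries the old typo forward; `"other error: unknown operation"` is the intended wording. verifyUser starts outside the hunk.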
@@ -139,18 +140,22 @@ func (s *server) handleBatch(w http.ResponseWriter, r *http.Request) {
 userInRepo.Username = username
 userInRepo.Password = password
 err = s.isAuthorized(userInRepo)
- // TODO: 若仓库无lfs服务权限,不能返回401,否则会继续提示输入用户名密码。返回403
- if err != nil {
- err = fmt.Errorf("unauthorized: %w", err)
- }
 } else {
- err = errors.New("Unauthorized")
+ err = errors.New("unauthorized: cannot get password")
 }
 if err != nil {
+ v := err.Error()
+ switch {
+ case strings.HasPrefix(v, "unauthorized") || strings.HasPrefix(v, "not_found"):
+ w.WriteHeader(401)
+ case strings.HasPrefix(v, "forbidden"):
+ w.WriteHeader(403)
+ default:
+ w.WriteHeader(500)
+ }
 w.Header().Set("LFS-Authenticate", `Basic realm="Git LFS"`)
- w.WriteHeader(401)
 must(json.NewEncoder(w).Encode(batch.ErrorResponse{
- Message: err.Error(),
+ Message: v,
 }))
 return
 }
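Review bot: `w.Header().Set("LFS-Authenticate", ...)` now runs after the `switch` has already called `w.WriteHeader`, and net/http ignores header-map changes made after `WriteHeader`, so the 401 responses go out without their challenge header and Git LFS clients will not prompt for credentials; move the `Set` line above the `switch` (it is harmless on the 403/500 paths) or place it inside the 401 `case`. The bare `401`/`403`/`500` would read better as `http.StatusUnauthorized`, `http.StatusForbidden` and `http.StatusInternalServerError`. Routing `not_found` to 401 treats an upstream 404 as a credentials problem, which is exactly the re-prompt behaviour the removed TODO warned about; if that is deliberate because the upstream API answers 404 for repositories the caller may not see, a one-line comment on that `case` would keep the next reader from reverting it. handleBatch starts and continues outside the hunk.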