[PATCHv2 1/3] Add config option user-envvar

[valentin.haenel at gmx.de (Valentin Haenel)]

When cgit sits on a backend server and relies on a set of
front-ends to do authentication, it will read the username
from an environment variable defined by this option.

In this way, one can safely use any forwarded HTTP header
and not only the expected REMOTE_USER variable set by the
CGI standard.

Signed-off-by: Valentin Haenel <valentin.haenel at gmx.de>
---
 cgit.c       |   10 ++++++++++
 cgit.h       |    2 ++
 cgitrc.5.txt |    6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/cgit.c b/cgit.c
index a97ed69653..92e35ae958 100644
--- a/cgit.c
+++ b/cgit.c
@@ -126,6 +126,8 @@ void config_cb(const char *name, const char *value)
 		repo_config(ctx.repo, name + 5, value);
 	else if (!strcmp(name, "readme"))
 		ctx.cfg.readme = xstrdup(value);
+	else if (!strcmp(name, "user-envvar"))
+		ctx.cfg.user_envvar = xstrdup(value);
 	else if (!strcmp(name, "root-title"))
 		ctx.cfg.root_title = xstrdup(value);
 	else if (!strcmp(name, "root-desc"))
@@ -379,6 +381,7 @@ static void prepare_context(struct cgit_context *ctx)
 	ctx->cfg.summary_tags = 10;
 	ctx->cfg.max_atom_items = 10;
 	ctx->cfg.ssdiff = 0;
+	ctx->cfg.user_envvar = "REMOTE_USER";
 	ctx->env.cgit_config = xstrdupn(getenv("CGIT_CONFIG"));
 	ctx->env.http_host = xstrdupn(getenv("HTTP_HOST"));
 	ctx->env.https = xstrdupn(getenv("HTTPS"));
@@ -823,6 +826,13 @@ int main(int argc, const char **argv)
 	ctx.repo = NULL;
 	http_parse_querystring(ctx.qry.raw, querystring_cb);
 
+	/*
+	 * Get the username of an authenticated user. It will get
+	 * from the environment variable defined by the user-header
+	 * option (defaults to REMOTE_USER)
+	 */
+	ctx.env.remote_user = xstrdupn(getenv(ctx.cfg.user_envvar));
+
 	/* If virtual-root isn't specified in cgitrc, lets pretend
 	 * that virtual-root equals SCRIPT_NAME, minus any possibly
 	 * trailing slashes.
diff --git a/cgit.h b/cgit.h
index 7a99135710..016baa8e7d 100644
--- a/cgit.h
+++ b/cgit.h
@@ -166,6 +166,7 @@ struct cgit_query {
 
 struct cgit_config {
 	char *agefile;
+	char *user_envvar;
 	char *cache_root;
 	char *clone_prefix;
 	char *clone_url;
@@ -263,6 +264,7 @@ struct cgit_environment {
 	char *script_name;
 	char *server_name;
 	char *server_port;
+	char *remote_user;
 };
 
 struct cgit_context {
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index 7d01fcde58..7a479d1d84 100644
--- a/cgitrc.5.txt
+++ b/cgitrc.5.txt
@@ -389,6 +389,12 @@ strict-export::
 	repositories to match those exported by git-daemon. This option MUST come
 	before 'scan-path'.
 
+user-envvar::
+	Environment variable to read the user name from in a CGI environment. By
+	default, CGI exports it with the REMOTE_USER variable. This parameter can
+	be adjusted to a custom variable (e.g. any HTTP header forwarded by an
+	external authentication engine like HTTP_X_FORWARDED_USER)
+
 virtual-root::
 	Url which, if specified, will be used as root for all cgit links. It
 	will also cause cgit to generate 'virtual urls', i.e. urls like
-- 
1.7.9.5