From mboxrd@z Thu Jan 1 00:00:00 1970 From: valentin.haenel at gmx.de (Valentin Haenel) Date: Tue, 30 Oct 2012 11:11:29 +0100 Subject: [PATCHv3 2/3] Add ability to authorize viewing a repository In-Reply-To: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de> References: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de> Message-ID: <1351591890-13605-3-git-send-email-valentin.haenel@gmx.de> This provides a mechanism for cgit to query an external program for repository authorisation, e.g. gitolite. An additional config variable 'authorization' contains the path and name of the executable to use. Signed-off-by: Valentin Haenel --- cgit.c | 22 ++++++++++++++++++++++ cgit.h | 1 + cgitrc.5.txt | 6 ++++++ 3 files changed, 29 insertions(+) diff --git a/cgit.c b/cgit.c index 5a8ae97a13..1bf1935b88 100644 --- a/cgit.c +++ b/cgit.c @@ -128,6 +128,8 @@ void config_cb(const char *name, const char *value) ctx.cfg.readme = xstrdup(value); else if (!strcmp(name, "user-envvar")) ctx.cfg.user_envvar = xstrdup(value); + else if (!strcmp(name, "authz-exec")) + ctx.cfg.authorization_helper = xstrdup(value); else if (!strcmp(name, "root-title")) ctx.cfg.root_title = xstrdup(value); else if (!strcmp(name, "root-desc")) @@ -382,6 +384,7 @@ static void prepare_context(struct cgit_context *ctx) ctx->cfg.max_atom_items = 10; ctx->cfg.ssdiff = 0; ctx->cfg.user_envvar = xstrdupn("REMOTE_USER"); + ctx->cfg.authorization_helper = NULL; ctx->env.cgit_config = xstrdupn(getenv("CGIT_CONFIG")); ctx->env.http_host = xstrdupn(getenv("HTTP_HOST")); ctx->env.https = xstrdupn(getenv("HTTPS")); @@ -554,6 +557,25 @@ static void process_request(void *cbdata) return; } + /* Here we do the authorization check. + * + * TODO figure out if this is the correct place to do the check + * + */ + if (ctx->cfg.authorization_helper && ctx->repo && + system(fmt("'%s' '%s' '%s'", + ctx->cfg.authorization_helper, + ctx->repo->name, + ctx->env.remote_user)) != 0) { + cgit_print_http_headers(ctx); + cgit_print_docstart(ctx); + cgit_print_pageheader(ctx); + cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'", + ctx->repo->name, ctx->env.remote_user)); + cgit_print_docend(); + return; + } + if (ctx->repo && prepare_repo_cmd(ctx)) return; diff --git a/cgit.h b/cgit.h index 016baa8e7d..48888af0d3 100644 --- a/cgit.h +++ b/cgit.h @@ -167,6 +167,7 @@ struct cgit_query { struct cgit_config { char *agefile; char *user_envvar; + char *authorization_helper; char *cache_root; char *clone_prefix; char *clone_url; diff --git a/cgitrc.5.txt b/cgitrc.5.txt index d2fca9fb9c..fa51fe6a6e 100644 --- a/cgitrc.5.txt +++ b/cgitrc.5.txt @@ -40,6 +40,12 @@ agefile:: function in libgit. Recommended timestamp-format is "yyyy-mm-dd hh:mm:ss". Default value: "info/web/last-modified". +authorization_helper:: + Specifies a path to authorization executable. The executable must take two + arguments: " []". The permission is the + type of permission we wish to check for, e.g. "R" or "RW" or "RW+". Default + value: none. + cache-root:: Path used to store the cgit cache entries. Default value: "/var/cache/cgit". See also: "MACRO EXPANSION". -- 1.7.9.5