From: valentin.haenel at gmx.de (Valentin Haenel)
Subject: [PATCHv4 1/2] Add ability to authorize viewing a repository
Date: Wed, 31 Oct 2012 19:52:35 +0100 [thread overview]
Message-ID: <1351709556-29355-1-git-send-email-valentin.haenel@gmx.de> (raw)
In-Reply-To: <1351709440-29185-1-git-send-email-valentin.haenel@gmx.de>
This provides a mechanism for cgit to query an external program for repository
authorisation, e.g. gitolite. An additional config variable 'authorization-helper'
contains the path and name of the executable to use.
Signed-off-by: Valentin Haenel <valentin.haenel at gmx.de>
---
cgit.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
cgit.h | 1 +
cgitrc.5.txt | 6 ++++++
3 files changed, 53 insertions(+)
diff --git a/cgit.c b/cgit.c
index a97ed69653..dbce4c2e1c 100644
--- a/cgit.c
+++ b/cgit.c
@@ -126,6 +126,8 @@ void config_cb(const char *name, const char *value)
repo_config(ctx.repo, name + 5, value);
else if (!strcmp(name, "readme"))
ctx.cfg.readme = xstrdup(value);
+ else if (!strcmp(name, "authorization-helper"))
+ ctx.cfg.authorization_helper = xstrdup(value);
else if (!strcmp(name, "root-title"))
ctx.cfg.root_title = xstrdup(value);
else if (!strcmp(name, "root-desc"))
@@ -379,6 +381,7 @@ static void prepare_context(struct cgit_context *ctx)
ctx->cfg.summary_tags = 10;
ctx->cfg.max_atom_items = 10;
ctx->cfg.ssdiff = 0;
+ ctx->cfg.authorization_helper = NULL;
ctx->env.cgit_config = xstrdupn(getenv("CGIT_CONFIG"));
ctx->env.http_host = xstrdupn(getenv("HTTP_HOST"));
ctx->env.https = xstrdupn(getenv("HTTPS"));
@@ -513,6 +516,40 @@ static int prepare_repo_cmd(struct cgit_context *ctx)
return 0;
}
+/* Run an external authorization helper via fork/exec/wait.
+ *
+ * Returns the exit code of the authorization helper if this exited
+ * successfully (0 will be success) and -1 in case of any other errors. If
+ * there is no authorization helper configured, it will return 0 too.
+ *
+ * */
+static int run_authorization_helper(struct cgit_context *ctx)
+{
+ if (ctx->cfg.authorization_helper == NULL)
+ return 0;
+ int wait_ret;
+ pid_t pid = fork();
+ switch (pid) {
+ case -1: /* fork failed */
+ return -1;
+ case 0: /* child */
+ execl(ctx->cfg.authorization_helper, ctx->cfg.authorization_helper, NULL);
+ /* exec failed */
+ exit(-1);
+ default: /* parent */
+ if (waitpid(pid, &wait_ret, 0) < 0) {
+ return -1; /* waitpid failed */
+ } else if (WIFSIGNALED(wait_ret)) {
+ return -1; /* helper terminated by signal */
+ } else if (WIFEXITED(wait_ret)) {
+ /* helper exited normally */
+ int status = WEXITSTATUS(wait_ret);
+ return status;
+ }
+ }
+ return -1;
+}
+
static void process_request(void *cbdata)
{
struct cgit_context *ctx = cbdata;
@@ -554,6 +591,15 @@ static void process_request(void *cbdata)
if (ctx->repo && prepare_repo_cmd(ctx))
return;
+ if (ctx->repo && run_authorization_helper(ctx) != 0){
+ cgit_print_http_headers(ctx);
+ cgit_print_docstart(ctx);
+ cgit_print_pageheader(ctx);
+ cgit_print_error(fmt("Authorization failed"));
+ cgit_print_docend();
+ return;
+ }
+
if (cmd->want_layout) {
cgit_print_http_headers(ctx);
cgit_print_docstart(ctx);
diff --git a/cgit.h b/cgit.h
index 7a99135710..5c95c46502 100644
--- a/cgit.h
+++ b/cgit.h
@@ -166,6 +166,7 @@ struct cgit_query {
struct cgit_config {
char *agefile;
+ char *authorization_helper;
char *cache_root;
char *clone_prefix;
char *clone_url;
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index 5887cee9a8..45ea1fe248 100644
--- a/cgitrc.5.txt
+++ b/cgitrc.5.txt
@@ -40,6 +40,12 @@ agefile::
function in libgit. Recommended timestamp-format is "yyyy-mm-dd
hh:mm:ss". Default value: "info/web/last-modified".
+authorization-helper::
+ Specifies a path to authorization executable. The executable is given the
+ full environment from the webserver, including all "CGIT_*" variables
+ available for filters. The executable is expected to return "0" on
+ authorization success. Default value: none. See also: "FILTER API"
+
cache-root::
Path used to store the cgit cache entries. Default value:
"/var/cache/cgit". See also: "MACRO EXPANSION".
--
1.7.9.5
next prev parent reply other threads:[~2012-10-31 18:52 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-16 9:15 [PATCH 0/3] Implement authorization via external program valentin.haenel
2012-10-16 9:15 ` [PATCH 1/3] Add config option user-envvar valentin.haenel
2012-10-28 1:11 ` Jason
2012-10-29 9:49 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-16 11:21 ` Jason
2012-10-16 12:48 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 2/3] Add ability to authorize viewing a repository using valentin.haenel
2012-10-16 9:17 ` valentin.haenel
2012-10-16 9:15 ` [PATCH 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-22 8:29 ` [PATCHv2 1/3] Add config option user-envvar valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-29 9:22 ` valentin.haenel
2012-10-29 14:53 ` mathstuf
2012-10-29 15:50 ` valentin.haenel
2012-10-22 8:29 ` [PATCHv2 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-28 1:16 ` Jason
2012-10-28 1:29 ` mathstuf
2012-10-28 1:33 ` Jason
2012-10-29 9:43 ` valentin.haenel
2012-10-29 14:52 ` mathstuf
2012-10-29 15:45 ` valentin.haenel
2012-10-28 1:17 ` Jason
2012-10-29 12:38 ` valentin.haenel
2012-10-30 9:54 ` valentin.haenel
2012-10-28 1:14 ` Jason
2012-10-29 9:36 ` valentin.haenel
2012-10-22 8:29 ` [PATCHv2 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-28 1:00 ` mathstuf
2012-10-29 9:27 ` valentin.haenel
2012-10-30 10:11 ` [PATCHv3 0/3] Implement authorization via external program (v3) valentin.haenel
2012-10-30 15:04 ` mathstuf
2012-10-30 16:30 ` Jason
2012-10-30 10:11 ` [PATCHv3 1/3] Add config option user-envvar valentin.haenel
2012-10-30 16:29 ` Jason
2012-10-30 10:11 ` [PATCHv3 2/3] Add ability to authorize viewing a repository valentin.haenel
2012-10-30 16:30 ` Jason
2012-10-30 10:11 ` [PATCHv3 3/3] Helper script to interface to gitolite valentin.haenel
2012-10-30 15:05 ` mathstuf
2012-10-31 18:50 ` [PATCHv4 0/2] Authorize viewing a repository valentin.haenel
2012-10-31 18:52 ` valentin.haenel [this message]
2012-10-31 18:52 ` [PATCHv4 2/2] Helper script to interface to gitolite valentin.haenel
2012-11-01 3:03 ` jamie.couture
2012-11-01 3:23 ` mathstuf
2012-11-01 4:20 ` Jason
2012-11-01 4:31 ` mathstuf
2012-11-01 8:58 ` valentin.haenel
2012-11-01 17:32 ` Jason
2012-11-01 10:40 ` [PATCHv4 0/2] Authorize viewing a repository valentin.haenel
2012-11-01 17:27 ` Jason
2012-11-01 17:32 ` valentin.haenel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1351709556-29355-1-git-send-email-valentin.haenel@gmx.de \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).