From: georg at riseup.net (Georg Faerber)
Subject: [PATCH 04/07] Inject repo authorization filter. Provide sample for gitolite integration.
Date: Fri, 23 Jun 2017 18:57:12 +0200 [thread overview]
Message-ID: <20170623165712.GC10726@riseup.net> (raw)
In-Reply-To: <1448657217.362252.7291.nullmailer@cypher.risk.ee>
Hi all,
Any chance of getting this merged?
Cheers,
Georg
On 15-11-27 22:46:57, The Ranger wrote:
> ---
> filters/gitolite-authorization.lua | 74 ++++++++++++++++++++++++++++++++++++++
> scan-tree.c | 18 ++++++++++
> 2 files changed, 92 insertions(+)
> create mode 100644 filters/gitolite-authorization.lua
>
> diff --git a/filters/gitolite-authorization.lua b/filters/gitolite-authorization.lua
> new file mode 100644
> index 0000000..2f0e4f5
> --- /dev/null
> +++ b/filters/gitolite-authorization.lua
> @@ -0,0 +1,74 @@
> +-- This script can be used with project-filter option
> +-- It uses REMOTE_USER environment variable to obtain the user who needs to be authorized
> +-- This variable is normally set by HTTP Basic Authentication.
> +-- In Apache something like this can be used:
> +--
> +-- AuthType Basic
> +-- AuthName Protected area
> +-- AuthUserFile users.htpasswd
> +-- Require valid-user
> +--
> +-- For anonymous access a public username can be set in environment config.
> +-- In Apache, using mod_env:
> +--
> +-- SetEnv REMOTE_USER gitweb
> +--
> +-- Gitolite requires HOME environment variable to work properly and point to valid Gitolite
> +-- environment. Since the user, under which web server process runs, usually does not have
> +-- this set, HOME should be explicitly configured and pointed to valid gitolite setup.
> +-- In Apache, using mod_env:
> +--
> +-- SetEnv HOME /path/to/gitolite/home
> +
> +
> +local git = {}
> +local http = {}
> +local repos = {}
> +local action = nil
> +
> +function action_init()
> + -- Anonymous access, cancel repo list building
> + if git.user == nil or git.user == "" then return end
> +
> + local handle = io.popen("gitolite list-phy-repos | gitolite access % " .. git.user .. " R any")
> +
> + while true do
> + local repo = handle:read()
> + if repo == nil then break end
> +
> + -- Skip DENIED repos
> + if not string.find(repo, "DENIED") then
> + -- Gitolite returns string: <repo>\t<user>\t<refs>
> + -- We are interested only in the first field for now
> + -- Append .git extension since Gitolite does not and cgit repo name has it
> + local name = string.sub(repo, 0, string.find(repo, "\t") - 1) .. ".git"
> + repos[name] = 1 -- Authorize flag is > 0
> + end
> + end
> +
> + handle:close()
> +end
> +
> +function action_filter()
> + -- Return > 0 if access is authorized
> + return repos[git.repo]
> +end
> +
> +local actions = {}
> +actions["init"] = action_init;
> +actions["filter"] = action_filter;
> +
> +function filter_open(...)
> + action = actions[select(1, ...)]
> +
> + git["repo"] = select(2, ...)
> + git["user"] = select(3, ...)
> +
> + http["server"] = select(4, ...)
> + http["path"] = select(5, ...)
> +end
> +
> +function filter_close()
> + return action()
> +end
> +
> diff --git a/scan-tree.c b/scan-tree.c
> index e17bca9..7490e74 100644
> --- a/scan-tree.c
> +++ b/scan-tree.c
> @@ -74,6 +74,14 @@ static char *xstrrchr(char *s, char *from, int c)
> return from < s ? NULL : from;
> }
>
> +static int open_project_filter(const char *action, const char *repo) {
> + return cgit_open_filter(ctx.cfg.project_filter, action, repo,
> + ctx.env.remote_user ? ctx.env.remote_user : "",
> + ctx.env.server_name ? ctx.env.server_name : "",
> + ctx.env.path_info ? ctx.env.path_info : ""
> + );
> +}
> +
> static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
> {
> struct stat st;
> @@ -115,6 +123,11 @@ static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
> else if (rel.len && rel.buf[rel.len - 1] == '/')
> strbuf_setlen(&rel, rel.len - 1);
>
> + if(ctx.cfg.project_filter) {
> + if(open_project_filter("filter", rel.buf)) return;
> + if(cgit_close_filter(ctx.cfg.project_filter) < 1) return;
> + }
> +
> repo = cgit_add_repo(rel.buf);
> config_fn = fn;
> if (ctx.cfg.enable_git_config) {
> @@ -261,6 +274,11 @@ void scan_projects(const char *path, const char *projectsfile, repo_config_fn fn
>
> void scan_tree(const char *path, repo_config_fn fn)
> {
> + if (ctx.cfg.project_filter) {
> + open_project_filter("init", path);
> + cgit_close_filter(ctx.cfg.project_filter);
> + }
> +
> if (ctx.cfg.project_list) {
> scan_projects(path, ctx.cfg.project_list, fn);
> return;
> --
> 2.1.4
>
> _______________________________________________
> CGit mailing list
> CGit at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/cgit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <http://lists.zx2c4.com/pipermail/cgit/attachments/20170623/646848c0/attachment.asc>
next prev parent reply other threads:[~2017-06-23 16:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-27 20:46 ranger
2017-06-23 16:57 ` georg [this message]
2017-07-22 11:07 ` john
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170623165712.GC10726@riseup.net \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).