* [PATCH 04/07] Inject repo authorization filter. Provide sample for gitolite integration.
@ 2015-11-27 20:46 ranger
  2017-06-23 16:57 ` georg
  0 siblings, 1 reply; 3+ messages in thread
From: ranger @ 2015-11-27 20:46 UTC (permalink / raw)


---
 filters/gitolite-authorization.lua | 74 ++++++++++++++++++++++++++++++++++++++
 scan-tree.c                        | 18 ++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 filters/gitolite-authorization.lua

diff --git a/filters/gitolite-authorization.lua b/filters/gitolite-authorization.lua
new file mode 100644
index 0000000..2f0e4f5
--- /dev/null
+++ b/filters/gitolite-authorization.lua
@@ -0,0 +1,74 @@
+-- This script can be used with project-filter option
+-- It uses REMOTE_USER environment variable to obtain the user who needs to be authorized
+-- This variable is normally set by HTTP Basic Authentication.
+-- In Apache something like this can be used:
+--
+--    AuthType Basic
+--    AuthName Protected area
+--    AuthUserFile users.htpasswd
+--    Require valid-user
+--
+-- For anonymous access a public username can be set in environment config.
+-- In Apache, using mod_env:
+--
+--    SetEnv REMOTE_USER gitweb
+--
+-- Gitolite requires HOME environment variable to work properly and point to valid Gitolite
+-- environment. Since the user, under which web server process runs, usually does not have
+-- this set, HOME should be explicitly configured and pointed to valid gitolite setup.
+-- In Apache, using mod_env:
+--
+--    SetEnv HOME /path/to/gitolite/home
+
+
+local git = {}
+local http = {}
+local repos = {}
+local action = nil
+
+function action_init()
+	-- Anonymous access, cancel repo list building
+	if git.user == nil or git.user == "" then return end
+	
+	local handle = io.popen("gitolite list-phy-repos | gitolite access % " .. git.user .. " R any")
+	
+	while true do
+		local repo = handle:read()
+		if repo == nil then break end
+		
+		-- Skip DENIED repos
+		if not string.find(repo, "DENIED") then
+			-- Gitolite returns string: <repo>\t<user>\t<refs>
+			-- We are interested only in the first field for now
+			-- Append .git extension since Gitolite does not and cgit repo name has it
+			local name = string.sub(repo, 0, string.find(repo, "\t") - 1) .. ".git"
+			repos[name] = 1 -- Authorize flag is > 0
+		end
+	end
+	
+	handle:close()
+end
+
+function action_filter()
+	-- Return > 0 if access is authorized
+	return repos[git.repo]
+end
+
+local actions = {}
+actions["init"] = action_init;
+actions["filter"] = action_filter;
+
+function filter_open(...)
+	action = actions[select(1, ...)]
+	
+	git["repo"] = select(2, ...)
+	git["user"] = select(3, ...)
+	
+	http["server"] = select(4, ...)
+	http["path"] = select(5, ...)
+end
+
+function filter_close()
+	return action()
+end
+
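Review bot: `git.user` is concatenated unquoted into the shell command given to `io.popen` in `action_init`, so any shell metacharacter in the REMOTE_USER value becomes part of the command line; whether the web server's authentication backend restricts usernames is not visible here. Reject values outside a conservative character set before building the command, for example `if not git.user:match("^[%w%._@+%-]+$") then return end`. The parsing loop also does arithmetic on `string.find(repo, "\t")`, which raises an error on a line without a tab, and `handle` is used without a nil check. The `DENIED` test is an unanchored substring match, so a permitted repository whose name contains that word would be skipped.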
diff --git a/scan-tree.c b/scan-tree.c
index e17bca9..7490e74 100644
--- a/scan-tree.c
+++ b/scan-tree.c
@@ -74,6 +74,14 @@ static char *xstrrchr(char *s, char *from, int c)
 	return from < s ? NULL : from;
 }
 
+static int open_project_filter(const char *action, const char *repo) {
+	return cgit_open_filter(ctx.cfg.project_filter, action, repo,
+			ctx.env.remote_user ? ctx.env.remote_user : "",
+			ctx.env.server_name ? ctx.env.server_name : "",
+			ctx.env.path_info ? ctx.env.path_info : ""
+	);
+}
+
 static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
 {
 	struct stat st;
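Review bot: `open_project_filter` fixes the positional argument order that filter scripts depend on (the sample script reads positions 2 to 5 with `select`), but nothing at the definition documents it. A one-line comment would do, e.g. `/* Filter args: action, repo, remote user, server name, path info; unset values are passed as "". */`. The opening brace also sits on the signature line, unlike `add_repo` directly below; putting it on its own line would match the surrounding code.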
@@ -115,6 +123,11 @@ static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
 	else if (rel.len && rel.buf[rel.len - 1] == '/')
 		strbuf_setlen(&rel, rel.len - 1);
 
+	if(ctx.cfg.project_filter) {
+		if(open_project_filter("filter", rel.buf)) return;
+		if(cgit_close_filter(ctx.cfg.project_filter) < 1) return;
+	}
+
 	repo = cgit_add_repo(rel.buf);
 	config_fn = fn;
 	if (ctx.cfg.enable_git_config) {
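Review bot: Both new early returns in `add_repo` leave the function after `rel` has been filled in; if `rel` is a strbuf that is released at the end of the function (its declaration and the function's tail are outside this hunk), these paths skip that cleanup, and something like `strbuf_release(&rel); return;` would be needed. The allow/deny result here depends on the requesting user, so if the scanned repository list is cached and reused across requests (not visible in this patch), a list filtered for one user could be served to another; that should be confirmed before merging. The `if(` spacing also differs from the `if (` used in the rest of the hunk.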
@@ -261,6 +274,11 @@ void scan_projects(const char *path, const char *projectsfile, repo_config_fn fn
 
 void scan_tree(const char *path, repo_config_fn fn)
 {
+	if (ctx.cfg.project_filter) {
+		open_project_filter("init", path);
+		cgit_close_filter(ctx.cfg.project_filter);
+	}
+
 	if (ctx.cfg.project_list) {
 		scan_projects(path, ctx.cfg.project_list, fn);
 		return;
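Review bot: The return value of `open_project_filter("init", path)` is ignored in `scan_tree`, so `cgit_close_filter` runs even when the open failed, whereas the `add_repo` hunk checks it. Guarding the close keeps the two call sites consistent: `if (!open_project_filter("init", path)) cgit_close_filter(ctx.cfg.project_filter);`. The init step is also only reached through `scan_tree`; if `scan_projects` is called directly elsewhere (not visible here), the sample filter's repository table would stay empty and every repository would be filtered out. The body of `scan_tree` continues past the end of the hunk.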
-- 
2.1.4




* [PATCH 04/07] Inject repo authorization filter. Provide sample for gitolite integration.
  2015-11-27 20:46 [PATCH 04/07] Inject repo authorization filter. Provide sample for gitolite integration ranger
@ 2017-06-23 16:57 ` georg
  2017-07-22 11:07   ` john
  0 siblings, 1 reply; 3+ messages in thread
From: georg @ 2017-06-23 16:57 UTC (permalink / raw)


Hi all,

Any chance of getting this merged?

Cheers,
Georg

On 15-11-27 22:46:57, The Ranger wrote:
> ---
>  filters/gitolite-authorization.lua | 74 ++++++++++++++++++++++++++++++++++++++
>  scan-tree.c                        | 18 ++++++++++
>  2 files changed, 92 insertions(+)
>  create mode 100644 filters/gitolite-authorization.lua
> 
> diff --git a/filters/gitolite-authorization.lua b/filters/gitolite-authorization.lua
> new file mode 100644
> index 0000000..2f0e4f5
> --- /dev/null
> +++ b/filters/gitolite-authorization.lua
> @@ -0,0 +1,74 @@
> +-- This script can be used with project-filter option
> +-- It uses REMOTE_USER environment variable to obtain the user who needs to be authorized
> +-- This variable is normally set by HTTP Basic Authentication.
> +-- In Apache something like this can be used:
> +--
> +--    AuthType Basic
> +--    AuthName Protected area
> +--    AuthUserFile users.htpasswd
> +--    Require valid-user
> +--
> +-- For anonymous access a public username can be set in environment config.
> +-- In Apache, using mod_env:
> +--
> +--    SetEnv REMOTE_USER gitweb
> +--
> +-- Gitolite requires HOME environment variable to work properly and point to valid Gitolite
> +-- environment. Since the user, under which web server process runs, usually does not have
> +-- this set, HOME should be explicitly configured and pointed to valid gitolite setup.
> +-- In Apache, using mod_env:
> +--
> +--    SetEnv HOME /path/to/gitolite/home
> +
> +
> +local git = {}
> +local http = {}
> +local repos = {}
> +local action = nil
> +
> +function action_init()
> +	-- Anonymous access, cancel repo list building
> +	if git.user == nil or git.user == "" then return end
> +	
> +	local handle = io.popen("gitolite list-phy-repos | gitolite access % " .. git.user .. " R any")
> +	
> +	while true do
> +		local repo = handle:read()
> +		if repo == nil then break end
> +		
> +		-- Skip DENIED repos
> +		if not string.find(repo, "DENIED") then
> +			-- Gitolite returns string: <repo>\t<user>\t<refs>
> +			-- We are interested only in the first field for now
> +			-- Append .git extension since Gitolite does not and cgit repo name has it
> +			local name = string.sub(repo, 0, string.find(repo, "\t") - 1) .. ".git"
> +			repos[name] = 1 -- Authorize flag is > 0
> +		end
> +	end
> +	
> +	handle:close()
> +end
> +
> +function action_filter()
> +	-- Return > 0 if access is authorized
> +	return repos[git.repo]
> +end
> +
> +local actions = {}
> +actions["init"] = action_init;
> +actions["filter"] = action_filter;
> +
> +function filter_open(...)
> +	action = actions[select(1, ...)]
> +	
> +	git["repo"] = select(2, ...)
> +	git["user"] = select(3, ...)
> +	
> +	http["server"] = select(4, ...)
> +	http["path"] = select(5, ...)
> +end
> +
> +function filter_close()
> +	return action()
> +end
> +
> diff --git a/scan-tree.c b/scan-tree.c
> index e17bca9..7490e74 100644
> --- a/scan-tree.c
> +++ b/scan-tree.c
> @@ -74,6 +74,14 @@ static char *xstrrchr(char *s, char *from, int c)
>  	return from < s ? NULL : from;
>  }
>  
> +static int open_project_filter(const char *action, const char *repo) {
> +	return cgit_open_filter(ctx.cfg.project_filter, action, repo,
> +			ctx.env.remote_user ? ctx.env.remote_user : "",
> +			ctx.env.server_name ? ctx.env.server_name : "",
> +			ctx.env.path_info ? ctx.env.path_info : ""
> +	);
> +}
> +
>  static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
>  {
>  	struct stat st;
> @@ -115,6 +123,11 @@ static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
>  	else if (rel.len && rel.buf[rel.len - 1] == '/')
>  		strbuf_setlen(&rel, rel.len - 1);
>  
> +	if(ctx.cfg.project_filter) {
> +		if(open_project_filter("filter", rel.buf)) return;
> +		if(cgit_close_filter(ctx.cfg.project_filter) < 1) return;
> +	}
> +
>  	repo = cgit_add_repo(rel.buf);
>  	config_fn = fn;
>  	if (ctx.cfg.enable_git_config) {
> @@ -261,6 +274,11 @@ void scan_projects(const char *path, const char *projectsfile, repo_config_fn fn
>  
>  void scan_tree(const char *path, repo_config_fn fn)
>  {
> +	if (ctx.cfg.project_filter) {
> +		open_project_filter("init", path);
> +		cgit_close_filter(ctx.cfg.project_filter);
> +	}
> +
>  	if (ctx.cfg.project_list) {
>  		scan_projects(path, ctx.cfg.project_list, fn);
>  		return;
> -- 
> 2.1.4
> 



* [PATCH 04/07] Inject repo authorization filter. Provide sample for gitolite integration.
  2017-06-23 16:57 ` georg
@ 2017-07-22 11:07   ` john
  0 siblings, 0 replies; 3+ messages in thread
From: john @ 2017-07-22 11:07 UTC (permalink / raw)


On Fri, Jun 23, 2017 at 06:57:12PM +0200, Georg Faerber wrote:
> Any chance of getting this merged?

The code changes look reasonable from a cursory reading, but all of the
patches are missing commit messages, and far more importantly are not
signed off (see https://git-scm.com/docs/git-commit.html#git-commit--s
and https://developercertificate.org/ for what this means).

> On 15-11-27 22:46:57, The Ranger wrote:
> > ---
> >  filters/gitolite-authorization.lua | 74 ++++++++++++++++++++++++++++++++++++++
> >  scan-tree.c                        | 18 ++++++++++
> >  2 files changed, 92 insertions(+)
> >  create mode 100644 filters/gitolite-authorization.lua
> > 
> > diff --git a/filters/gitolite-authorization.lua b/filters/gitolite-authorization.lua
> > new file mode 100644
> > index 0000000..2f0e4f5
> > --- /dev/null
> > +++ b/filters/gitolite-authorization.lua
> > @@ -0,0 +1,74 @@
> > +-- This script can be used with project-filter option
> > +-- It uses REMOTE_USER environment variable to obtain the user who needs to be authorized
> > +-- This variable is normally set by HTTP Basic Authentication.
> > +-- In Apache something like this can be used:
> > +--
> > +--    AuthType Basic
> > +--    AuthName Protected area
> > +--    AuthUserFile users.htpasswd
> > +--    Require valid-user
> > +--
> > +-- For anonymous access a public username can be set in environment config.
> > +-- In Apache, using mod_env:
> > +--
> > +--    SetEnv REMOTE_USER gitweb
> > +--
> > +-- Gitolite requires HOME environment variable to work properly and point to valid Gitolite
> > +-- environment. Since the user, under which web server process runs, usually does not have
> > +-- this set, HOME should be explicitly configured and pointed to valid gitolite setup.
> > +-- In Apache, using mod_env:
> > +--
> > +--    SetEnv HOME /path/to/gitolite/home
> > +
> > +
> > +local git = {}
> > +local http = {}
> > +local repos = {}
> > +local action = nil
> > +
> > +function action_init()
> > +	-- Anonymous access, cancel repo list building
> > +	if git.user == nil or git.user == "" then return end
> > +	
> > +	local handle = io.popen("gitolite list-phy-repos | gitolite access % " .. git.user .. " R any")
> > +	
> > +	while true do
> > +		local repo = handle:read()
> > +		if repo == nil then break end
> > +		
> > +		-- Skip DENIED repos
> > +		if not string.find(repo, "DENIED") then
> > +			-- Gitolite returns string: <repo>\t<user>\t<refs>
> > +			-- We are interested only in the first field for now
> > +			-- Append .git extension since Gitolite does not and cgit repo name has it
> > +			local name = string.sub(repo, 0, string.find(repo, "\t") - 1) .. ".git"
> > +			repos[name] = 1 -- Authorize flag is > 0
> > +		end
> > +	end
> > +	
> > +	handle:close()
> > +end
> > +
> > +function action_filter()
> > +	-- Return > 0 if access is authorized
> > +	return repos[git.repo]
> > +end
> > +
> > +local actions = {}
> > +actions["init"] = action_init;
> > +actions["filter"] = action_filter;
> > +
> > +function filter_open(...)
> > +	action = actions[select(1, ...)]
> > +	
> > +	git["repo"] = select(2, ...)
> > +	git["user"] = select(3, ...)
> > +	
> > +	http["server"] = select(4, ...)
> > +	http["path"] = select(5, ...)
> > +end
> > +
> > +function filter_close()
> > +	return action()
> > +end
> > +
> > diff --git a/scan-tree.c b/scan-tree.c
> > index e17bca9..7490e74 100644
> > --- a/scan-tree.c
> > +++ b/scan-tree.c
> > @@ -74,6 +74,14 @@ static char *xstrrchr(char *s, char *from, int c)
> >  	return from < s ? NULL : from;
> >  }
> >  
> > +static int open_project_filter(const char *action, const char *repo) {
> > +	return cgit_open_filter(ctx.cfg.project_filter, action, repo,
> > +			ctx.env.remote_user ? ctx.env.remote_user : "",
> > +			ctx.env.server_name ? ctx.env.server_name : "",
> > +			ctx.env.path_info ? ctx.env.path_info : ""
> > +	);
> > +}
> > +
> >  static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
> >  {
> >  	struct stat st;
> > @@ -115,6 +123,11 @@ static void add_repo(const char *base, struct strbuf *path, repo_config_fn fn)
> >  	else if (rel.len && rel.buf[rel.len - 1] == '/')
> >  		strbuf_setlen(&rel, rel.len - 1);
> >  
> > +	if(ctx.cfg.project_filter) {
> > +		if(open_project_filter("filter", rel.buf)) return;
> > +		if(cgit_close_filter(ctx.cfg.project_filter) < 1) return;
> > +	}
> > +
> >  	repo = cgit_add_repo(rel.buf);
> >  	config_fn = fn;
> >  	if (ctx.cfg.enable_git_config) {
> > @@ -261,6 +274,11 @@ void scan_projects(const char *path, const char *projectsfile, repo_config_fn fn
> >  
> >  void scan_tree(const char *path, repo_config_fn fn)
> >  {
> > +	if (ctx.cfg.project_filter) {
> > +		open_project_filter("init", path);
> > +		cgit_close_filter(ctx.cfg.project_filter);
> > +	}
> > +
> >  	if (ctx.cfg.project_list) {
> >  		scan_projects(path, ctx.cfg.project_list, fn);
> >  		return;
> > -- 
> > 2.1.4
> > 


