[PATCH 2/3] Add ability to authorize viewing a repository
Valentin Haenel
valentin.haenel at gmx.de
Tue Oct 16 11:15:25 CEST 2012
This provides a mechanism for cgit to query an external program for repository
authorisation, e.g. gitolite. An additional config variable 'authorization'
contains the path and name of the executable to use.
Signed-off-by: Valentin Haenel <valentin.haenel at gmx.de>
---
cgit.c | 24 ++++++++++++++++++++++++
cgit.h | 1 +
cgitrc.5.txt | 6 ++++++
3 files changed, 31 insertions(+)
diff --git a/cgit.c b/cgit.c
index 101954e12a..f06528215d 100644
--- a/cgit.c
+++ b/cgit.c
@@ -123,6 +123,8 @@ void config_cb(const char *name, const char *value)
ctx.cfg.readme = xstrdup(value);
else if (!strcmp(name, "user-envvar"))
ctx.cfg.user_envvar = xstrdup(value);
+ else if (!strcmp(name, "authorization"))
+ ctx.cfg.authorization = xstrdup(value);
else if (!strcmp(name, "root-title"))
ctx.cfg.root_title = xstrdup(value);
else if (!strcmp(name, "root-desc"))
@@ -372,6 +374,7 @@ static void prepare_context(struct cgit_context *ctx)
ctx->cfg.summary_tags = 10;
ctx->cfg.max_atom_items = 10;
ctx->cfg.ssdiff = 0;
+ ctx->cfg.authorization = "/bin/true";
ctx->cfg.user_envvar = "REMOTE_USER";
ctx->env.cgit_config = xstrdupn(getenv("CGIT_CONFIG"));
ctx->env.http_host = xstrdupn(getenv("HTTP_HOST"));
@@ -545,6 +548,27 @@ static void process_request(void *cbdata)
return;
}
+ /* Here we do the authorization check.
+ *
+ * TODO
+ * ----
+ * * figure out if this is the correct place to do the check
+ * * check that the authorization script exists and is executable
+ *
+ */
+ if (ctx->repo && system(fmt("%s %s %s",
+ ctx->cfg.authorization,
+ ctx->repo->name,
+ ctx->env.remote_user)) != 0) {
+ cgit_print_http_headers(ctx);
+ cgit_print_docstart(ctx);
+ cgit_print_pageheader(ctx);
+ cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'",
+ ctx->repo->name, ctx->env.remote_user));
+ cgit_print_docend();
+ exit(1);
+ }
+
if (ctx->repo && prepare_repo_cmd(ctx))
return;
diff --git a/cgit.h b/cgit.h
index 369dd8af8b..43f4f562f3 100644
--- a/cgit.h
+++ b/cgit.h
@@ -166,6 +166,7 @@ struct cgit_query {
struct cgit_config {
char *agefile;
char *user_envvar;
+ char *authorization;
char *cache_root;
char *clone_prefix;
char *clone_url;
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index cd7327a4b3..d864289502 100644
--- a/cgitrc.5.txt
+++ b/cgitrc.5.txt
@@ -40,6 +40,12 @@ agefile::
function in libgit. Recommended timestamp-format is "yyyy-mm-dd
hh:mm:ss". Default value: "info/web/last-modified".
+authorization::
+ Specifies a path to authorization executable. The executable must take two
+ arguments: "<repository> <user> [<permissions>]". The permission is the
+ type of permission we wish to check for, e.g. "R" or "RW" or "RW+". A
+ common use case is to call gitolite through this machinery.
+
cache-root::
Path used to store the cgit cache entries. Default value:
"/var/cache/cgit". See also: "MACRO EXPANSION".
--
1.7.9.5
More information about the CGit
mailing list