Limiting repo access

The Ranger ranger at risk.ee
Fri Nov 27 21:45:57 CET 2015


Hi everybody,

I have been struggling here for some time to allow users access only to 
certain repositories via cgit. As a quick workaround I implemented a 
gitolite configuration file parser some time ago. This was not an 
elegant solution because of tight coupling, but was enough for me at 
that time.

Now, while migrating the server, I decided to try a cleaner approach.
I tested the auth-filter using a sample Lua script provided in filters 
directory, but it turned out not to be exactly what I needed. The 
problem is that auth-filter actually shows protected repositories in a 
repo list. My requirement was that unauthorized repositories should be 
excluded from repository list and completely hidden.

Therefore, I moved one step forward and implemented a quick 
"project-filter" configuration option. This is similar to the existing 
auth-filter, with the following differences:

- No authentication is done by the filter; rather, the username is read 
from the REMOTE_USER environment variable. Therefore, HTTP Basic Auth 
with any existing authentication provider can be used to verify the username 
and password.

- In the filter initialization phase, the allowed repository list can be 
preloaded into the filter for the authenticated user, to avoid hammering and 
flooding any external DB or script.

- While building the repo list, the filter will be invoked and it will flag 
whether access is granted or denied. If access is denied, the repo will 
not be included in the list, thereby effectively hiding it and 
denying any access to it.

- I have created a sample filter script in Lua that invokes gitolite and 
obtains a repo list from the response.

Although I'm no expert on cgit development, I will send my patches. 
Maybe somebody has further thoughts, or they can be somewhat more 
useful than rotting in my personal git repository (now being again 
happily served with cgit).


-- 
rgrds,
Ranger
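The core of the filter described in the post, as an added example in plain Lua that is not the author's patch or sample script: the username comes from REMOTE_USER, the user's readable repositories are loaded once from gitolite's `info` listing, and a per-repository check decides whether a repo stays in the index. The hook names, the way gitolite is invoked and the sample listing are assumptions.

```lua
-- Added example (not the patch from the mailing-list post). Assumed: the
-- web server authenticates the user and exports REMOTE_USER; the parser
-- expects gitolite's `info` listing, one "<perms><TAB><repo>" line per
-- repository after a greeting line.

-- Turn gitolite `info` output into a set of repositories the user may read.
-- Only lines whose permission column contains "R" are kept; wildcard
-- entries such as "foo/.*" are kept literally and not expanded here.
local function parse_gitolite_info(info_output)
  local allowed = {}
  for line in info_output:gmatch("[^\n]+") do
    local perms, repo = line:match("^%s*([RWC ]+)\t(%S+)$")
    if perms and perms:find("R", 1, true) then
      allowed[repo] = true
    end
  end
  return allowed
end

-- Initialisation step: ask gitolite once per request and cache the answer,
-- so the per-repository check below never calls out again.
local function load_allowed_repos(username, run_info)
  -- The name ends up on a shell command line: accept a conservative charset
  -- only, and treat a missing user as "nothing is visible".
  if not username or not username:match("^[%w%.%-_@]+$") then return {} end
  return parse_gitolite_info(run_info(username))
end

-- Per-repository decision: true keeps the repo in the index, false hides it.
local function repo_allowed(allowed, repo)
  local name = repo:gsub("%.git$", "")  -- cgit URLs may carry .git, gitolite's list does not
  return allowed[name] == true
end

-- Constructed sample of what gitolite answers for user "alice". In the real
-- filter run_info would be something like
--   function(u) return io.popen("GL_USER=" .. u .. " gitolite info"):read("a") end
local sample_info = "hello alice, this is git@example running gitolite3\n\n"
  .. " R W\tgitolite-admin\n"
  .. " R  \tpublic-docs\n"
  .. "  W  \tdrop-box\n"

local user = "alice"  -- in the filter: os.getenv("REMOTE_USER")
local allowed = load_allowed_repos(user, function(_) return sample_info end)
assert(repo_allowed(allowed, "public-docs.git") == true)
assert(repo_allowed(allowed, "drop-box") == false)  -- write-only: hidden
assert(repo_allowed(allowed, "secret") == false)    -- unknown: hidden
```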


