Redmine

Oh, and the old DAV HTTP protocol would be OK, but it has performance problems and can corrupt the repository if you have the wrong version of curl :-/.

Antonio García-Domínguez wrote:

Oh, and the old DAV HTTP protocol would be OK, but it has performance problems and can corrupt the repository if you have the wrong version of curl :-/.

Forgot to add that smart HTTP can use hooks as well, and doesn't require a cronjob with "git update-server-info". Smart HTTP requires Git 1.6.6+ on server and client.

Antonio, your patch looks good, though it expects the paths to your repositories to start with /git/. Could you please rework it so that the path under which the repositories reside is configurable in the apache config, possibly defaulting to /git/ as that seems to be the canonical example?

Antonio García-Domínguez wrote:

Felix, there seems to be a slight typo in your patch: both lines 416 and 417 add something. I would normally expect the original line to be removed and the new line to be added.

Yeah, noticed that too today, was gonna correct that, but it seems you've done that already, thanks :-)

As for the /git/ prefix: would another Apache directive for customizing it be OK?

Well, I was thinking about how svn doesn't need that, and in fact there already is a function get_project_identifier which you should be able to get the identifier from, so no need for an additional setting.

Felix Schäfer wrote:

Yeah, noticed that too today, was gonna correct that, but it seems you've done that already, thanks :-)

No problem :-).

Well, I was thinking about how svn doesn't need that, and in fact there already is a function get_project_identifier which you should be able to get the identifier from, so no need for an additional setting.

Yeah, I saw it on the authen handler code. But that'd only get me the project ID, and not the path in the <Location> block (/git/ here), which is what I really need. However, I have fixed the patch so it won't need this prefix (see my previous comment).

Antonio García-Domínguez wrote:

Felix Schäfer wrote:

Well, I was thinking about how svn doesn't need that, and in fact there already is a function get_project_identifier which you should be able to get the identifier from, so no need for an additional setting.

Yeah, I saw it on the authen handler code. But that'd only get me the project ID, and not the path in the <Location> block (/git/ here), which is what I really need. However, I have fixed the patch so it won't need this prefix (see my previous comment).

Sorry, got that backwards, but I still don't like the regex being that lax. Anyway, from the aforementioned method, I can see you can get the location from the request object $r->location, why not just use that as a prefix to your regex as is done in said method?

Well, duh! :-D

I spent a while on the Apache site trying to find the appropriate method and I just found it after reading your post and checking that function. Here.

OK, I'll get on it :-).

Antonio García-Domínguez wrote:

The only caveat is that the path in the <Location> block cannot have a trailing slash. I have modified the documentation at the beginning of the file to mention this.

Again referencing the already existing commit, why not just m{^$location/*[^/]+/[^/]*git\-receive\-pack$}o?

Felix Schäfer wrote:

Again referencing the already existing commit

And by commit I mean function x_X

If http://myserv.er/my/location/project-identifier/info/refs?service=git-receive-pack really is the only path that git needs to read from the repo, this should work :-) I'll try to install it on my redmine later on.

Felix Schäfer wrote:

If http://myserv.er/my/location/project-identifier/info/refs?service=git-receive-pack really is the only path that git needs to read from the repo, this should work :-) I'll try to install it on my redmine later on.

And http://myserv.er/my/location/project-identifer/git-receive-pack, don't forget :-).

The patch works great, maybe the messages could be somewhat unified though: not being in a private project yields "fatal: Authentication failed" while being in the project and not having commit access yields "error: Cannot access URL https://git.fachschaften.org/sandbox-git/, return code 22 fatal: git-http-push failed".

I agree with you, but I'm not a Git developer :-/. That's why I placed those instructions in the documentation of Redmine.pm. Perhaps we could add your remarks as a small troubleshooting section?

No, it's just a minor annoyance, we can dig in back later if this really becomes a problem.

If the patch is OK, do you think it could be merged to trunk sometime in the near future? If possible, I'd like to stop having to juggle it around every time I update Redmine :-/.

That's Eric's or JPLang's call :-)

Eric, this patch floats my boat and it looks good to me, there's even some documentation to it ;-) Anything more you need to include it?

Hi,

I'm stuck by an error when trying to do anything with the last patch. I've followed the related documentation.

$ git clone http://my.hostname/test
Cloning into test...
fatal: http://my.hostname/test/info/refs not found: did you run git update-server-info on the server?

Run the command did nothing and the config.ru file looks good (checked).

• git 1.7.2.1.44.g721e7
• redmine 1.0.0

Any idea?

Nicolas Sebrecht wrote:

Any idea?

Please visit the forums (or IRC, I'm thegcat over there) for configuration help. Please also include some more information about your setup, thanks.

Felix Schäfer wrote:

Please visit the forums (or IRC, I'm thegcat over there) for configuration help. Please also include some more information about your setup, thanks.

The thread http://www.redmine.org/boards/2/topics/15962 did help me. I was missing the trailing "/public" for the DocumentRoot field in my apache virtualhost.

Thanks.

Hi,

I'm interested on this patch. However I'm confused. There 9 patch files.

Which one should I use?

Can anyone please remove the deprecated patches, or mark them somehow?

Hi Enrique,

I would love to do something about the old patches, but I can't :-(. In any case, you should use the very last one (the 2010-07-20 10:03 one).

I finally got this working, but here's the problem:

Redmine allows you to name your git repo anything, but Redmine.pm script assumes that the repo name is the same as the name of the project identifier.

So, I was trying to make it work with a project with identifier "testr" and a repo called "/repo/testrepo.git"

And I kept getting 401, and I couldn't figure out why.

Finally I figured out I needed to create a symlink /repo/testr to /repo/testrepo.git and suddenly it worked.

So, there's you're workaround if you're experiencing this problem.

I don't know if I can do a patch on my own, but here's a start:

sub get_project_identifier {
    my $r = shift;

    my $location = $r->location;
    $location =~ /http://[^/]*/(.*)/refs/;
    my $repo = $1;

#not sure how to do SQL in perl, but something like:
#select project_id from repositories where url='$repo';

    return $project_id;
}

select project_id from repositories where url='/repo/testrepo.git';

michael fox wrote:

[…] Redmine.pm script assumes that the repo name is the same as the name of the project identifier.

The svn version does, and so does the patch.

Ok. Maybe you'll like this one better.

I was having a problem where a user that was not authorized to commit was able to commit anyway.

I traced it back to this regular expression:

my $is_read_only = $uri !~ m{^$location/*[^/]+/(info/refs\?service=)?git\-receive\-pack$}o;

The problem occurs when there is an extra slash like:

"GET /repo/testr//info/refs?service=git-receive-pack HTTP/1.1" 

Then, somehow according to the logic of the script, it is okay for that person to commit.

This slight change fixes the problem (+ after the / before info):

my $is_read_only = $uri !~ m{^$location/*[^/]+/+(info/refs\?service=)?git\-receive\-pack$}o;

Hi, i think that patch works great with simple projects, but it doesn't work with nested projects, if i have a principal project called project1, and create a second project called project2 as a subproject of project1, then, in my directory's repository i use project1/project2 as a git repository but, when i do "git push origin master" from a remote host i get:

error: Cannot access URL http://user@server.example.com/git/project1/project2/, return code 22
fatal: git-http-push failed

Maybe i'm doing something wrong?

Christian Gutierrez wrote:

Maybe i'm doing something wrong?

1. you shouldn't checkout a repository into another repository,
2. the URLs must all be protocol://host/location/identifier, where identifier is the identifier of the project.

In your case, I think the authentication bit will only work if you put the repository for project2 to http://user@server.example.com/git/project2/.

Felix, thanks for your reply, it works with symbolic links.

Hello,

I am trying to apply this patch to the current latest release of Redmine (1.1.2). But the only result I get is the following message :
Only garbage was found in the patch input.
So I guess the patch is incompatible with this release. Is there a way to fix this ?

Thanks,

I get the issue that several Hunk (1 through 8) failed

Thanks Antonio. I was using "patch -p1 < the_patch_file". Using "git apply" worked for me.

Hello,

I followed the instructions for smart git http integration and applied 0001-merged-LeeF-s-patch-with-Michael-Fox-s-security-fix.patch on my redmine 1.0.1. When I try to access git.mydomain.com, I get the following message in my Apache error log:

Use of uninitialized value $identifier in substitution (s///) at /usr/lib/perl5/Apache/Redmine.pm line 486
I suppose this variable is not nicely initialized in the preceding instruction...

Could you please help me ? Thank you

Fabrice

Are you simply trying to visit http://git.mydomain.com or http://git.mydomain.com/? That won't work: the auth code expects URLs to start with something like http://git.mydomain.com/myproject, where myproject is your project's ID. By the way, you can't really browse through the URLs for smart HTTP access for Git with a regular browser, like SVN: you need to use a proper Git client.

According to the patch, the code around line 486 is this:

    my $location = $r->location;
    my ($identifier) = $r->uri =~ m{$location/*([^/]+)};
    $identifier =~ s/\.git//;
    $identifier;

If you get that error in line 486 ($identifier =~ s/\.git//;), that's because $identifier wasn't initialized in the previous line. That can only be if the URI does not match the $location/*([^/]+) regexp, and I can only think of two URLs which do not match that regexp: http://git.mydomain.com and http://git.mydomain.com/.

Hey,

I had this working for a long time. But recently i changed something and don't know exactly what i did wrong, so i tried a clean installation of redmine to test but can't seem to get it to work anymore. I followed this guide HowTo_configure_Redmine_for_advanced_git_integration and only implemented the basic access so no authentication is required but i keep getting 401 errors.

This is what i get on the client side:

$ git ls-remote http://git.website.com/duneinterface
error: The requested URL returned error: 401 while accessing http://git.website.com/duneinterface/info/refs

fatal: HTTP request failed

In this is what i see in the logs

ip - - [07/Apr/2011:14:17:34 +0200] "GET /duneinterface/info/refs?service=git-upload-pack HTTP/1.1" 401 283 "-" "git/1.7.0.2.msysgit.0.14.g956d7" 
ip - - [07/Apr/2011:14:17:35 +0200] "GET /duneinterface/info/refs HTTP/1.1" 401 283 "-" "git/1.7.0.2.msysgit.0.14.g956d7" 

Those URLs are read-only, according to the patch. They should only produce 401 errors if the project is private and you haven't set up the appropriate files with your credentials (see the instructions at the beginning of the patch), or if you don't have read access to the project.

Love the patch! Would really like to see this be a standard feature!!!

Hi, love this patch and works perfectly if accessing git repositories from http://git.mydomain.com/myrepo.git, but what about if i want my repos to be accessible from a subdir like http://git.mydomain.com/git/myrepo.git ?
Can anyone explain how to modify Redmine.pm to do so please ?
Thanks a lot ... :)

Loïs PUIG wrote:

Can anyone explain how to modify Redmine.pm to do so please ?
Thanks a lot ... :)

You don't need to modify Redmine.pm for it, change your apache config to say <Location /git/> instead of <Location />.

Thanks for your help :)

You don't need to modify Redmine.pm for it, change your apache config to say <Location /git/> instead of <Location />.

Well i did, and i'm allowed to access my repos with this config

SetEnv GIT_PROJECT_ROOT /srv/gitosis/repositories
SetEnv GIT_HTTP_EXPORT_ALL
AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/gitosis/repositories/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/gitosis/repositories/$1
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Location /git>
    Options All
    AllowOverride All
    Order allow,deny
    Allow from all
</location>

but not with this one

PerlLoadModule Apache::Redmine
SetEnv GIT_PROJECT_ROOT /srv/gitosis/repositories
SetEnv GIT_HTTP_EXPORT_ALL
AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/gitosis/repositories/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/gitosis/repositories/$1
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Location /git>
    Options All
    AllowOverride All
    AuthType Basic
    AuthName "Redmine git repositories" 
    Require valid-user
    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler
    RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
    RedmineDbUser "redmine" 
    RedmineDbPass "mypassword" 
    RedmineGitSmartHttp yes
</location>

ig get

Use of uninitialized value $identifier in substitution (s///) at /usr/lib/perl5/Apache/Redmine.pm line 486.\n

Any ideas ?

Antonio García-Domínguez wrote:

the auth code expects URLs to start with something like http://git.mydomain.com/myproject, where myproject is your project's ID.

Loïs PUIG wrote:

Any ideas ?

Redmine.pm expects the path part of the URL to be $LOCATION/$PROJECT_NAME, so your stuff should work if you have a project with the identifier myrepo. If you have and it doesn't work (notice: being admin doesn't give you special rights, you must explicitly be a member of the project and have repo read rights), try <Location /git/> instead of <Location /git>.

try <Location /git/> instead of <Location /git>.

It wasn't that but i finally got it !! I needed to add the following line to the location directive

    Order allow,deny
    Allow from all

and now it works perfectly... Here is the config..

PerlLoadModule Apache::Redmine
SetEnv GIT_PROJECT_ROOT /srv/gitosis/repositories
SetEnv GIT_HTTP_EXPORT_ALL
AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /srv/gitosis/repositories/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /srv/gitosis/repositories/$1
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Location /git>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Redmine git repositories" 
    Require valid-user
    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler
    RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
    RedmineDbUser "redmine" 
    RedmineDbPass "mypassword" 
    RedmineGitSmartHttp yes
</location>

Anyway a big thanks for your bloody quick support, i really appreciated feeling being supported.. Long life to Redmine, a damn nice App!!

Hi,

I am running Redmine version: Redmine 1.1.3.devel.5759 from redmine trunk and git version 1.7.4.1 on ubuntu natty.
I am not using gitosis or gitolite, but creating the repositories with reposman and serving them with git-http-backend as described in http://www.redmine.org/projects/redmine/wiki/HowTo_configure_Redmine_for_advanced_git_integration.

I applied 0001-merged-LeeF-s-patch-with-Michael-Fox-s-security-fix-redminetrunk.patch on Redmine.pm.

I have the following Virtualhost configuration, inspired by the one posted by Loïs PUIG:

<VirtualHost *:80>
    ServerName git.thimios-host.thimios.com

        ErrorLog /var/log/githosting/error.log
        CustomLog /var/log/githosting/access.log combined

    PerlLoadModule Apache::Redmine
    SetEnv GIT_PROJECT_ROOT /home/thimios/Work/repositories/git
    SetEnv GIT_HTTP_EXPORT_ALL
    AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /home/thimios/Work/repositories/git/$1
    AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /home/thimios/Work/repositories/git/$1
    ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
    <Location /git>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Redmine git repositories" 
        Require valid-user
        PerlAccessHandler Apache::Authn::Redmine::access_handler
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler
        RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
        RedmineDbUser "redmine" 
        RedmineDbPass "r3dm1n3" 
        RedmineGitSmartHttp yes
    </location>
</VirtualHost>

But, when I try to clone a repository, I get the following error:

thimios@thimios-host:/tmp$ git clone http://git.thimios-host.thimios.com/test1
Cloning into test1...
error: The requested URL returned error: 501 while accessing http://git.thimios-host.thimios.com/test1/info/refs

fatal: HTTP request failed

There is a warning when restarting apache:

[warn] Useless use of AllowOverride in line 17 of /etc/apache2/sites-enabled/githostinghttpbackend

There is nothing in the apache logs. It shouldn't be a permissions problem, since www-data user has read-write access to the complete directory tree of the repository. Any ideas about what the problem could be or where to look for more debugging info?

thanks a lot

Sorry for the late reply :-(. Have you tried changing the LogLevel to something a bit more verbose, like "info"?

Just a quick heads up: what are the chances of integrating this patch into trunk in the near future? I've been applying it since Redmine 0.8.x, and it's worked pretty well for me. It also seems to be used by quite a few people, judging from the comments here.

Hi,
thanks a lot for this, I highly appreciate it :-)
Just did an test installation with Redmine on Ubuntu 11.10 Server and this git integration is great :)

Two Questions left:
Has someone gone a step further and automated the initialization of the git repository on creation of a new project in redmine? And wiring the repository path to the new project? That would be just perfect :)

I'm planning to use this setup with SSL . I hope it would be just activating HTTPS/SSL in Apache. Would you expect more difficulties?

Would love to see this in the main release :)
Thanks a lot for your work!

Markus Schlichting wrote:

thanks a lot for this, I highly appreciate it :-)
Just did an test installation with Redmine on Ubuntu 11.10 Server and this git integration is great :)

I'm glad you like it :-).

Two Questions left:
Has someone gone a step further and automated the initialization of the git repository on creation of a new project in redmine? And wiring the repository path to the new project? That would be just perfect :)

I think you can automate that, using reposman.rb with the proper options. Look at HowTo Automate repository creation for hints. There are a few undocumented options for reposman.rb that have to do with Git, I think. The only limitation is that you cannot generate both SVN and Git repositories automatically: you have to pick between SVN or Git.

I'm planning to use this setup with SSL . I hope it would be just activating HTTPS/SSL in Apache. Would you expect more difficulties?

Not really, but remember to disable weak ciphers and SSL 2.0. For instance, I use this in my Apache virtual host:

SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2

Make sure your ~/.netrc is only readable by your own user account and nobody else. Oh, and if you use a self-signed certificate or your CA is not in /etc/ssl/certs (or wherever your OpenSSL CA certificate store is), you'll probably have to tell Git not to verify the chain of trust of the certificate using something like git config --global http.sslVerify no.

Markus Schlichting wrote:

Two Questions left:
Has someone gone a step further and automated the initialization of the git repository on creation of a new project in redmine? And wiring the repository path to the new project? That would be just perfect :)

As Antonio said, you can use reposman, or the redmine_scm plugin

I'm planning to use this setup with SSL . I hope it would be just activating HTTPS/SSL in Apache. Would you expect more difficulties?

Except the "sslVerify no" part (I wouldn't set this globally…) for self-signed certificates, it should all work well.

Hi,

The last version of the patch :
0001-merged-LeeF-s-patch-with-Michael-Fox-s-security-fix-redminetrunk.patch

doesn't work on the 1.3.0 version of Redmine :

patch < ~/0001-merged-LeeF-s-patch-with-Michael-Fox-s-security-fix-redminetrunk.patch
patching file Redmine.pm
Hunk #2 succeeded at 219 with fuzz 1.
Hunk #3 succeeded at 261 (offset 1 line).
Hunk #5 succeeded at 313 (offset 1 line).
Hunk #6 FAILED at 431.
Hunk #7 FAILED at 450.
Hunk #8 succeeded at 509 with fuzz 1 (offset 25 lines).
2 out of 8 hunks FAILED -- saving rejects to file Redmine.pm.rej

expected :
- if ($hashed_password eq $salted_password && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
found :
if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {

for information : line 441
my $access_mode = request_is_read_only($r) ? "R" : "W";

I would suggest to update this line to :
my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W";

Could anyone confirm or update the patch ?

Best,

Hervé Leroux

my mistake, you should have read the following :
for information : line 441
my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W";

I would suggest to update this line to :
my $access_mode = $request_is_read_only($r) ? "R" : "W";

Thanks. It works.

Funny things is I went through the code and mislooked this type even though I remember I spot on that!

Miloš

Hi,

just installed the latest patch and started a few tests with it. Now a registered user has access to all git repositories (just needs to know the repo-name).
I played around with Redmine + Git + this patch a few weeks before and if I remember correct, then users needed to be assigned to a project + has to have a least a developer role.
Is this correct or did this change?

Cheers,
derkaan

der kaan wrote:

just installed the latest patch and started a few tests with it. Now a registered user has access to all git repositories (just needs to know the repo-name).
I played around with Redmine + Git + this patch a few weeks before and if I remember correct, then users needed to be assigned to a project + has to have a least a developer role.
Is this correct or did this change?

It depends on whether it's a public project or not. Basically, we're reusing the same logic Redmine uses for SVN repositories, but instead of looking at the HTTP method, we look at the URL to be served by the Git smart-http handler. To sum it up:

• Public projects: anyone can fetch, but only members with write access can push.

• Private projects: only members with read access can fetch, and only members with write access can push.

Do you mean that any registered user can push without having write access, and that any registered user can fetch from a private project without having read access? In that case, it'd be a regression. Could you try the same with SVN repositories?

If it happens with SVN repos as well, that'd be a regression in the original Redmine.pm, and you'd need to report it as a separate bug.

If it only happens with Git repositories, then maybe something changed in the URLs served by Git's smart-http protocol. Could you please indicate which versions of Git are you using at the client and server sides?

Thanks for the perfect info + Setting the project to private solved my issue.