From 41f9a1514c15c6d41db92f6d57d448d463ad8ff1 Mon Sep 17 00:00:00 2001 From: antonio Date: Tue, 23 Feb 2010 13:19:13 +0100 Subject: [PATCH] Redmine.pm: add Git smart HTTP support --- extra/svn/Redmine.pm | 70 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 files changed, 66 insertions(+), 4 deletions(-) diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm index 1b3b091..f371470 100644 --- a/extra/svn/Redmine.pm +++ b/extra/svn/Redmine.pm @@ -93,6 +93,38 @@ S And you need to upgrade at least reposman.rb (after r860). +=head1 GIT SMART HTTP SUPPORT + +Git's smart HTTP protocol will not work with the above settings. Redmine.pm +normally does access control depending on the HTTP method used: read-only +methods are OK for everyone in public projects and members with read rights +in private projects. The rest all require membership with write rights in the +project. + +However, this scheme doesn't work for Git's smart HTTP protocol, as it will use +POST even for a simple clone. Instead, read-only requests must be detected +using the full URL (including the query string): anything that doesn't belong +to the git-receive-pack service is read-only. + +To activate this mode of operation, add this line inside your +block: + + RedmineGitSmartHttp yes + +Once you have activated this option, you have two options when cloning a +repository. Cloning using "http://user@host/git/repo" works, but will ask for +the password all the time. To avoid being pestered by password requests, it's +best to create a ~/.netrc file with your username and password, and clone using +"http://host/git/repo" instead. + +IMPORTANT NOTE: It is *very important* that the file cannot be read by other +users, as it will contain your password in cleartext. To create the file, you +can use the following commands, replacing yourhost, youruser and yourpassword +with the right values: + + touch ~/.netrc + chmod 600 .netrc + echo -e "machine yourhost\nlogin youruser\npassword yourpassword" > ~/.netrc + =cut use strict; @@ -142,6 +174,11 @@ my @directives = ( args_how => TAKE1, errmsg => 'RedmineCacheCredsMax must be decimal number', }, + { + name => 'RedmineGitSmartHttp', + req_override => OR_AUTHCFG, + args_how => TAKE1, + }, ); sub RedmineDSN { @@ -178,6 +215,17 @@ sub RedmineCacheCredsMax { } } +sub RedmineGitSmartHttp { + my ($self, $parms, $arg) = @_; + $arg = lc $arg; + + if ($arg eq "yes" || $arg eq "true") { + $self->{RedmineGitSmartHttp} = 1; + } else { + $self->{RedmineGitSmartHttp} = 0; + } +} + sub trim { my $string = shift; $string =~ s/\s{2,}/ /g; @@ -191,9 +239,24 @@ sub set_val { Apache2::Module::add(__PACKAGE__, \@directives); my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/; +sub request_is_read_only { + my ($r) = @_; + my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config); + + # Do we use Git's smart HTTP protocol, or not? + if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp}) { + my $uri = $r->unparsed_uri; + my $is_read_only = $uri !~ /^\/git\/.*\/[^\/]*git\-receive\-pack$/o; + return $is_read_only; + } else { + # Old behaviour: check the HTTP method + my $method = $r->method; + return defined $read_only_methods{$method}; + } +} + sub access_handler { my $r = shift; @@ -202,8 +265,7 @@ sub access_handler { return FORBIDDEN; } - my $method = $r->method; - return OK unless defined $read_only_methods{$method}; + return OK unless request_is_read_only($r); my $project_id = get_project_identifier($r); @@ -291,7 +353,7 @@ sub is_member { unless ($auth_source_id) { my $method = $r->method; - if ($hashed_password eq $pass_digest && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) { + if ($hashed_password eq $pass_digest && ((request_is_read_only($r) && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) { $ret = 1; last; } -- 1.7.0