* Advise on a push only repo
From: Jason Pyeron @ 2015-01-15 18:02 UTC
  To: git

I am setting up a continuous integration (CI) system for an open source project and I want to allow forking developers to use the system, but I do not want anyone to do a clone or fetch from the CI git repo, the repo.

Any advice on limiting the https smart protocol to push only, blocking clone and fetch?

Looking at http-backend.c
   542  static struct service_cmd {
   543          const char *method;
   544          const char *pattern;
   545          void (*imp)(char *);
   546  } services[] = {
   547          {"GET", "/HEAD$", get_head},
   548          {"GET", "/info/refs$", get_info_refs},
   549          {"GET", "/objects/info/alternates$", get_text_file},
   550          {"GET", "/objects/info/http-alternates$", get_text_file},
   551          {"GET", "/objects/info/packs$", get_info_packs},
   552          {"GET", "/objects/[0-9a-f]{2}/[0-9a-f]{38}$", get_loose_object},
   553          {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.pack$", get_pack_file},
   554          {"GET", "/objects/pack/pack-[0-9a-f]{40}\\.idx$", get_idx_file},
   555
   556          {"POST", "/git-upload-pack$", service_rpc},
   557          {"POST", "/git-receive-pack$", service_rpc}
   558  };


I feel I could just filter /git-receive-pack and /objects/.

I am going to build my test system now.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


* Re: Advise on a push only repo
From: Junio C Hamano @ 2015-01-15 19:31 UTC
  To: Jason Pyeron; +Cc: git

"Jason Pyeron" <jpyeron@pdinc.us> writes:

> I am setting up a continuous integration (CI) system for an open source
> project and I want to allow forking developers to use the system, but
> I do not want anyone to do a clone or fetch from the CI git repo, the
> repo.
>
> Any advice on limiting the https smart protocol to push only, blocking clone and fetch?
>
> Looking at http-backend.c
>    542  static struct service_cmd {
> ...
>    558  };

Looking at http-backend.c

     19 struct rpc_service {
     20         const char *name;
     21         const char *config_name;
     22         signed enabled : 2;
     23 };
     24 
     25 static struct rpc_service rpc_service[] = {
     26         { "upload-pack", "uploadpack", 1 },
     27         { "receive-pack", "receivepack", -1 },
     28 };

So it would be natural to assume that there must be a way to
enable/disable these two services, no?

Looking at http_config() there, I would guess perhaps:

    [http]
        uploadpack = false
        getanyfile = false

but I am not sure if the latter is needed (or anybody seriously
tested it, for that matter).


* RE: Advise on a push only repo
From: Jason Pyeron @ 2015-01-15 22:13 UTC
  To: git

> -----Original Message-----
> From: Junio C Hamano
> Sent: Thursday, January 15, 2015 14:31
> 
> "Jason Pyeron" <jpyeron@pdinc.us> writes:
> 
> > I am setting up a continuous integration (CI) system for an open source
> > project and I want to allow forking developers to use the system, but
> > I do not want anyone to do a clone or fetch from the CI git repo, the
> > repo.
> >
> > Any advice on limiting the https smart protocol to push only, blocking clone and fetch?
> >
> > Looking at http-backend.c
> >    542  static struct service_cmd {
> > ...
> >    558  };
> 
> Looking at http-backend.c
> 
>      19 struct rpc_service {
>      20         const char *name;
>      21         const char *config_name;
>      22         signed enabled : 2;
>      23 };
>      24 
>      25 static struct rpc_service rpc_service[] = {
>      26         { "upload-pack", "uploadpack", 1 },
>      27         { "receive-pack", "receivepack", -1 },
>      28 };
> 
> So it would be natural to assume that there must be a way to
> enable/disable these two services, no?
> 
> Looking at http_config() there, I would guess perhaps:
> 
>     [http]
>         uploadpack = false
>         getanyfile = false
> 
> but I am not sure if the latter is needed (or anybody seriously
> tested it, for that matter).

Perfect! Had to add receivepack=true for the anonymous part.

root@twenty-one-100 /opt/git/public
# cat /etc/httpd/conf.d/git.conf
SetEnv GIT_PROJECT_ROOT /opt/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<Directory "/usr/lib/git-core*">
   Options ExecCGI Indexes
   Order allow,deny
   Allow from all
   Require all granted
</Directory>

root@twenty-one-100 /opt/git/public
# cat /opt/git/public/config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = true
[http]
        receivepack = true
        uploadpack = false
        getanyfile = false

Test get known object...

root@twenty-one-100 /opt/git/public
# dir objects/bd/e1557acecaf3cebb4775b7b734f095e6010c15
-r--r--r--. 1 apache apache 163 Jan 15 16:56 objects/bd/e1557acecaf3cebb4775b7b734f095e6010c15

root@twenty-one-100 /opt/git/public
# curl http://127.0.0.1/git/public/objects/bd/e1557acecaf3cebb4775b7b734f095e6010c15 -v
* About to connect() to 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /git/public/objects/bd/e1557acecaf3cebb4775b7b734f095e6010c15 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Thu, 15 Jan 2015 22:08:48 GMT
< Server: Apache/2.2.15 (CentOS)
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Content-Length: 0
< Connection: close
< Content-Type: text/plain; charset=UTF-8
<
* Closing connection #0

root@twenty-one-100 /opt/git/public
# fg
tail -f /var/log/httpd/*_log    (wd: /opt/git)

==> /var/log/httpd/error_log <==
[Thu Jan 15 17:08:48 2015] [error] [client 127.0.0.1] Unsupported service: getanyfile

==> /var/log/httpd/access_log <==
127.0.0.1 - - [15/Jan/2015:17:08:48 -0500] "GET /git/public/objects/bd/e1557acecaf3cebb4775b7b734f095e6010c15 HTTP/1.1" 403 - "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
^Z
[1]+  Stopped                 tail -f /var/log/httpd/*_log  (wd: /opt/git)
(wd now: /opt/git/public)

root@twenty-one-100 /opt/git/public
#


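To check the resulting policy without going through Apache, here is an added example (not from the thread or from git itself) that drives git-http-backend directly as a CGI against a throwaway bare repo carrying the same [http] settings; it assumes git is on PATH, a repo named "public" under GIT_PROJECT_ROOT as above, and an empty REMOTE_USER to model the anonymous client.

```shell
#!/bin/sh
# Added check, not from the thread: drive git-http-backend directly as a CGI
# (no Apache involved) against a throwaway bare repo that carries the same
# [http] settings as /opt/git/public above, and report the HTTP status the
# backend hands back per request. Assumes git is on PATH; the repo is named
# "public" under GIT_PROJECT_ROOT as in the thread; REMOTE_USER is set empty
# to model an anonymous client (the case receivepack=true was added for).

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
git init -q --bare "$ROOT/public" >/dev/null 2>&1
git -C "$ROOT/public" config http.receivepack true
git -C "$ROOT/public" config http.uploadpack false
git -C "$ROOT/public" config http.getanyfile false

# backend_status METHOD PATH_INFO [QUERY_STRING]
# Prints the numeric code from the backend's "Status:" header; a normal
# response carries no such header, so that case is reported as 200.
backend_status() {
    _status=$(REQUEST_METHOD="$1" PATH_INFO="$2" QUERY_STRING="${3:-}" \
              GIT_PROJECT_ROOT="$ROOT" GIT_HTTP_EXPORT_ALL=1 REMOTE_USER="" \
              CONTENT_TYPE="application/x-git-${2##*/git-}-request" \
              git http-backend </dev/null 2>/dev/null |
              sed -n 's/^Status: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${_status:-200}"
}

# push_only_ok: succeeds when anonymous clients can still start a push
# (receive-pack ref advertisement) but every fetch path is refused: the
# smart upload-pack endpoints and the dumb-protocol HEAD/info/refs files.
push_only_ok() {
    [ "$(backend_status GET  /public/info/refs service=git-receive-pack)" = 200 ] &&
    [ "$(backend_status GET  /public/info/refs service=git-upload-pack)"  = 403 ] &&
    [ "$(backend_status POST /public/git-upload-pack)"                    = 403 ] &&
    [ "$(backend_status GET  /public/HEAD)"                               = 403 ] &&
    [ "$(backend_status GET  /public/info/refs)"                          = 403 ]
}

if push_only_ok; then
    echo "push-only policy holds for anonymous clients"
else
    echo "push-only policy check FAILED" >&2
fi
```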


* Re: Advise on a push only repo
From: Junio C Hamano @ 2015-01-15 22:24 UTC
  To: Jason Pyeron; +Cc: git

"Jason Pyeron" <jpyeron@pdinc.us> writes:

>> Looking at http_config() there, I would guess perhaps:
>> 
>>     [http]
>>         uploadpack = false
>>         getanyfile = false
>> 
>> but I am not sure if the latter is needed (or anybody seriously
>> tested it, for that matter).
>
> Perfect! Had to add receivepack=true for the anonymous part.

Good.
