* REMOTE_USER value propagation through http push
From: Axel @ 2011-04-13 9:48 UTC
To: git

Hello,

I set up a git server with HTTP authentication with Apache through LDAP
(Debian Squeeze + Apache 2.2 + mod_authnz_ldap).

I'm using gitweb for browsing the repositories. At this moment, the committer
name appears to be the local user who called "git push". The username used for
HTTP authentication is not used as committer name, though the REMOTE_USER
environment variable is defined.

After a quick look at http-backend.c it looks like the GIT_COMMITTER_NAME
variable should have been defined with the REMOTE_USER variable. Is this right?

In Apache access logs, the REMOTE_USER appears to be defined in the last
request of the push:

127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "GET /git/sandbox/info/refs?service=git-receive-pack HTTP/1.1" 200 467 "-" "git/1.7.2.5"
127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 401 618 "-" "git/1.7.2.5"
127.0.1.1 - ldapuser [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 200 353 "-" "git/1.7.2.5"

Is this behaviour expected?

Thanks
* Re: REMOTE_USER value propagation through http push
From: Jakub Narebski @ 2011-04-13 11:00 UTC
To: Axel; +Cc: git

Axel <axel.ml@laposte.net> writes:

> I set up a git server with HTTP authentication with Apache through
> LDAP (Debian Squeeze + Apache 2.2 + mod_authnz_ldap).
>
> I'm using gitweb for browsing the repositories. At this moment, the
> committer name appears to be the local user who called "git push". The
> username used for HTTP authentication is not used as committer name,
> though the REMOTE_USER environment variable is defined.
>
> After a quick look at http-backend.c it looks like the
> GIT_COMMITTER_NAME variable should have been defined with the
> REMOTE_USER variable. Is this right?
>
> In Apache access logs, the REMOTE_USER appears to be defined in the
> last request of the push:
>
> 127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "GET /git/sandbox/info/refs?service=git-receive-pack HTTP/1.1" 200 467 "-" "git/1.7.2.5"
> 127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 401 618 "-" "git/1.7.2.5"
> 127.0.1.1 - ldapuser [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 200 353 "-" "git/1.7.2.5"
>
> Is this behaviour expected?

I don't quite understand.

With push over _any_ transport you transfer commits from your repository to
the remote repository *without changing them*. The committer is the person
who created a commit, i.e. did "git commit" (or "git am", or "git rebase", or
"git merge").

The only place where the user who did "git push" can appear is the _reflogs_
(I don't know if it appears or not)... but gitweb doesn't show any reflog
information. That of course can be improved...

--
Jakub Narebski
Poland
ShadeHawk on #git
* Re: REMOTE_USER value propagation through http push
From: axel.ml @ 2011-04-13 11:21 UTC
To: git; +Cc: git

Message of 13/04/11 13:00
> From: "Jakub Narebski"
> To: "Axel"
> Cc: git@vger.kernel.org
> Subject: Re: REMOTE_USER value propagation through http push
>
> Axel writes:
>
> > I set up a git server with HTTP authentication with Apache through
> > LDAP (Debian Squeeze + Apache 2.2 + mod_authnz_ldap).
> >
> > I'm using gitweb for browsing the repositories. At this moment, the
> > committer name appears to be the local user who called "git push". The
> > username used for HTTP authentication is not used as committer name,
> > though the REMOTE_USER environment variable is defined.
> >
> > After a quick look at http-backend.c it looks like the
> > GIT_COMMITTER_NAME variable should have been defined with the
> > REMOTE_USER variable. Is this right?
> >
> > In Apache access logs, the REMOTE_USER appears to be defined in the
> > last request of the push:
> >
> > 127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "GET /git/sandbox/info/refs?service=git-receive-pack HTTP/1.1" 200 467 "-" "git/1.7.2.5"
> > 127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 401 618 "-" "git/1.7.2.5"
> > 127.0.1.1 - ldapuser [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 200 353 "-" "git/1.7.2.5"
> >
> > Is this behaviour expected?
>
> I don't quite understand.
>
> With push over _any_ transport you transfer commits from your
> repository to the remote repository *without changing them*. The
> committer is the person who created a commit, i.e. did "git commit"
> (or "git am", or "git rebase", or "git merge").
>
> The only place where the user who did "git push" can appear is the
> _reflogs_ (I don't know if it appears or not)... but gitweb doesn't
> show any reflog information. That of course can be improved...

Indeed I wrongly used the "commit" word. I'm switching from SVN/WebDAV, and
the HTTP authentication name is usually used as the committer name in the SVN
repository. This name was informative only but useful when browsing the
repository and logs. I would have enjoyed reproducing this behavior with
git/http, since it's common (in our organisation at least) that the committer
is the pusher. In fact until today the authentication was almost only used for
tracing committers in logs and not really for security considerations.

So I assume that it cannot be done for the moment :)
Thanks for your answer!
* Re: REMOTE_USER value propagation through http push
From: Jakub Narebski @ 2011-04-13 12:53 UTC
To: Axel; +Cc: git

axel.ml@laposte.net writes:

> Jakub Narebski wrote:
> > Axel writes:
> >
> > > I set up a git server with HTTP authentication with Apache through
> > > LDAP (Debian Squeeze + Apache 2.2 + mod_authnz_ldap).
> > >
> > > I'm using gitweb for browsing the repositories. At this moment, the
> > > committer name appears to be the local user who called "git push".

The committer name is the local user who created a commit (as specified in
his/her configuration file, with fallback to GECOS).

> > > The username used for HTTP authentication is not used as
> > > committer name, though the REMOTE_USER environment variable is
> > > defined.
> > >
> > > After a quick look at http-backend.c it looks like the
> > > GIT_COMMITTER_NAME variable should have been defined with the
> > > REMOTE_USER variable. Is this right?

No, it isn't.

> > > In Apache access logs, the REMOTE_USER appears to be defined in the
> > > last request of the push:
> > >
> > > 127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "GET /git/sandbox/info/refs?service=git-receive-pack HTTP/1.1" 200 467 "-" "git/1.7.2.5"
> > > 127.0.1.1 - - [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 401 618 "-" "git/1.7.2.5"
> > > 127.0.1.1 - ldapuser [13/Apr/2011:11:45:08 +0200] "POST /git/sandbox/git-receive-pack HTTP/1.1" 200 353 "-" "git/1.7.2.5"
> > >
> > > Is this behaviour expected?
> >
> > I don't quite understand.
> >
> > With push over _any_ transport you transfer commits from your
> > repository to the remote repository *without changing them*. The
> > committer is the person who created a commit, i.e. did "git commit"
> > (or "git am", or "git rebase", or "git merge").
> >
> > The only place where the user who did "git push" can appear is the
> > _reflogs_ (I don't know if it appears or not)... but gitweb doesn't
> > show any reflog information. That of course can be improved...
>
> Indeed I wrongly used the "commit" word. I'm switching from
> SVN/WebDAV, and the HTTP authentication name is usually used as the
> committer name in the SVN repository. This name was informative only
> but useful when browsing the repository and logs.

This is because Subversion is a CENTRALIZED version control system: creating
a commit involves contacting the central server that holds the repository. If
you use HTTP(S) to contact this central server, then of course the HTTP
authentication name will be used for the "committer" name (IIRC Subversion
has only an _author_ name, not separate author and committer names like in
Git[1]).

Git on the other hand is a DISTRIBUTED version control system. Here the act
of creating a commit is decoupled from the act of publishing[2]. The user
creates a commit in his/her local clone (copy) of the repository, using their
local configuration, and then pushes to some distribution point (depending on
workflow).

For git-aware push transports (ssh, "smart" http, IIRC also file) you can
configure git via the hook mechanism to check the committer and reject pushes
if there are commits that were not made by the person who is doing the push.
See e.g. update-paranoid in the contrib/hooks/ area of the git.git
repository, and the Gitosis and Gitolite git repository management solutions.

[1] Author is usually the same as committer; it can be different if, for
    example, you are applying (with "git am") a patch from somebody else that
    you got e.g. via email.

[2] Credentials used for authentication when pushing don't need to have
    anything in common with the configured user identity.

> I would have enjoyed reproducing this behavior with git/http, since
> it's common (in our organisation at least) that the committer is the
> pusher. In fact until today the authentication was almost only used
> for tracing committers in logs and not really for security
> considerations.
>
> So I assume that it cannot be done for the moment :)
> Thanks for your answer!

Could you explain in more detail _what_ behavior you would like to see?
Gitweb does display author and committer (though in 'log' and 'shortlog' only
the author is visible).

--
Jakub Narebski
Poland
ShadeHawk on #git
* Re: REMOTE_USER value propagation through http push
From: axel.ml @ 2011-04-13 13:39 UTC
To: Jakub Narebski, Axel; +Cc: git

> Could you explain in more detail _what_ behavior you would like to
> see? Gitweb does display author and committer (though in 'log' and
> 'shortlog' only the author is visible).

I understand your explanations about git mechanisms well.

Though git is decentralized, we still use a "central" repository on which
gitweb is installed, mainly for practical reasons (you may tell me "then you
don't need git!" :) ) because not only developers browse the commit history.

At this moment we use HTTP authentication more for tracing purposes (knowing
who pushed data to the repo) than for allowing or denying push access.

If I'm not wrong, the AUTHOR field displayed in gitweb comes from the git
client configuration ($GIT_AUTHOR_NAME).

I would go further: the usefulness of HTTP authentication (for in-house
organisation of course, not internet-wide access) is unclear since the
credentials do not pop up anywhere in the git repository. We have to trust the
client-side configuration. The way to know who pushed something is to browse
the Apache access.log and cross the date/time with the git log.

What I'd like to see is that the push authentication credentials overwrite
any author name defined at the client side, in order to be displayed while
browsing the git log.

Even better, in the case of LDAP authentication (I'm not sure if it would be
possible for htaccess authentication), email and full name could be extracted
from the LDAP directory, stored in environment variables by Apache, and given
to git-http-backend (as is the REMOTE_USER variable).

Though I don't know if this request is relevant, I guess that if
git-http-backend was looking for GIT_AUTHOR_NAME & GIT_AUTHOR_EMAIL
environment variables that Apache could have defined, it could replace the
client-side values. (Note that I absolutely don't know if it would be
technically possible to overwrite those variables or even if their values are
in the push payload.)
* Re: REMOTE_USER value propagation through http push
From: Jakub Narebski @ 2011-04-13 14:27 UTC
To: Axel; +Cc: git

On Wed, 13 Apr 2011, Axel wrote:
>
> > Could you explain in more detail _what_ behavior you would like to
> > see? Gitweb does display author and committer (though in 'log' and
> > 'shortlog' only the author is visible).
>
> I understand your explanations about git mechanisms well.
>
> Though git is decentralized, we still use a "central" repository on
> which gitweb is installed, mainly for practical reasons (you may tell
> me "then you don't need git!" :) ) because not only developers browse
> the commit history.

It is quite common in many workflows to have one "central" by-convention
repository where everybody can view history and get the latest version of a
project. Note however that there are other possible workflows than the
SVN-like one where everybody publishes to a single "central" repository.
Quite common, at least for open source projects, is a workflow where one
person (the maintainer) is responsible for getting contributions from other
developers (via pull, via email, etc.) and pushing them to this "central"
repository.

I recommend reading the chapters "Distributed Git" (for a description of
possible workflows) and "Git on the Server" (among others describing
configuring access and logging) of the free CC-BY-NC-SA "Pro Git" book:
http://progit.org/book/

> At this moment we use HTTP authentication more for tracing purposes
> (knowing who pushed data to the repo) than for allowing or denying push
> access.

I'm not sure if it is the best solution. HTTP authentication is decoupled
from git itself. I don't know if you are using the older "dumb" HTTP
transport, or the new "smart" HTTP transport (the latter requires git to be
installed on the server), but any git-aware transport can log updates to the
repository via the hooks mechanism. See for example the "better logging" issue
in the Gitolite FAQ:
http://sitaramc.github.com/gitolite/doc/3-faq-tips-etc.html#_better_logging

Gitolite is one of the tools to manage git repositories.

> If I'm not wrong, the AUTHOR field displayed in gitweb comes from the
> git client configuration ($GIT_AUTHOR_NAME).

Yes it does, though actually the modern way is to put

  [user]
          name = Joe R. Hacker
          email = J.Hacker@example.com

in the $HOME/.gitconfig file for the user (client).

> I would go further: the usefulness of HTTP authentication (for in-house
> organisation of course, not internet-wide access) is unclear since the
> credentials do not pop up anywhere in the git repository. We have to
> trust the client-side configuration. The way to know who pushed
> something is to browse the Apache access.log and cross the date/time
> with the git log.
>
> What I'd like to see is that the push authentication credentials
> overwrite any author name defined at the client side, in order to be
> displayed while browsing the git log.

This is not possible, and I don't see that it would be changed. Changing
credentials would require (because of SHA-1 based addressing) changing
commits. Note that one is usually pushing more than one commit at once with a
push.

What you can do is the REVERSE. Check on push if the committer info matches
the authentication credentials used for publishing, and refuse the push if it
is not true. But that requires a git-aware transport; I think Gitolite can be
configured to do that, and the update-paranoid hook example also can do this.

> Even better, in the case of LDAP authentication (I'm not sure if it
> would be possible for htaccess authentication), email and full name
> could be extracted from the LDAP directory, stored in environment
> variables by Apache, and given to git-http-backend (as is the
> REMOTE_USER variable).

Because commits are created on the client side, in the client repository, you
cannot trust the committer and author stored in git commits.

If user.name is not set, and neither are the GIT_AUTHOR_NAME /
GIT_COMMITTER_NAME environment variables, git tries to take the name from
login information. I think the operating system can be configured to take it
from LDAP, but git itself doesn't do this, though it could.

> Though I don't know if this request is relevant, I guess that if
> git-http-backend was looking for GIT_AUTHOR_NAME & GIT_AUTHOR_EMAIL
> environment variables that Apache could have defined, it could replace
> the client-side values. (Note that I absolutely don't know if it would
> be technically possible to overwrite those variables or even if their
> values are in the push payload.)

Nope, at the time of push the commits are already created, and the author and
committer info are already set in stone, and not possible to change without
rewriting the commits.

HTH
--
Jakub Narebski
Poland
* Re: REMOTE_USER value propagation through http push
From: axel.ml @ 2011-04-13 14:58 UTC
To: git; +Cc: git

> Message of 13/04/11 16:29
> From: "Jakub Narebski"
> To: "Axel"
> Cc: git@vger.kernel.org
> Subject: Re: REMOTE_USER value propagation through http push
>
> Nope, at the time of push the commits are already created, and the
> author and committer info are already set in stone, and not possible
> to change without rewriting the commits.

I will dive further into the links you gave. I think I'll sacrifice the
credentials information then for the moment.

Is there a chance that we'll see one day this third level of information (the
authentication credentials) added to the push and displayed by gitweb?

I thank you for your long answers.
* Re: REMOTE_USER value propagation through http push
From: Jakub Narebski @ 2011-04-13 16:32 UTC
To: Axel; +Cc: git

Axel <axel.ml@laposte.net> writes:

> Jakub Narebski wrote:
> >
> > Nope, at the time of push the commits are already created, and the
> > author and committer info are already set in stone, and not possible
> > to change without rewriting the commits.
>
> I will dive further into the links you gave. I think I'll sacrifice
> the credentials information then for the moment.

What you can do in a _distributed_ version control system such as git is to
ensure that the pushed *existing* commits (created on the client) match the
credentials. That is opposed to the situation in a _centralized_ version
control system where credentials are used to *create* commits on the server.

> Is there a chance that we'll see one day this third level of
> information (the authentication credentials) added to the push and
> displayed by gitweb?

Well, git by itself doesn't log authentication credentials. In the reflog you
have the user which git is running as, and only if the push was done via the
smart protocol (and core.logAllRefUpdates is true on the server).

So it is unlikely for gitweb to display e.g. gitolite logs... well, unless
gitolite would add it to gitweb via some pluggable mechanism like
$feature{'actions'}.

--
Jakub Narebski
Poland
ShadeHawk on #git