From: Magnus Therning <magnus@therning.org>
To: Jeff King <peff@peff.net>
Cc: "Jakub Narębski" <jnareb@gmail.com>, git@vger.kernel.org
Subject: Re: git-http-backend: anonymous read, authenticated write
Date: Thu, 11 Apr 2013 01:19:19 +0200
Message-ID: <20130410231919.GA1315@mteis.lan>
In-Reply-To: <20130410214722.GA6215@sigill.intra.peff.net>
On Wed, Apr 10, 2013 at 05:47:22PM -0400, Jeff King wrote:
> On Wed, Apr 10, 2013 at 11:30:59PM +0200, Jakub Narębski wrote:
>
>>> 1. GET $repo/info/refs?service=git-receive-pack
>>>
>>> This makes initial contact and gets the ref information which
>>> push uses to decide what it is going to push. So it is
>>> read-only, and in an anonymous-read setup, does not need to
>>> be protected.
>>
>> Yes, it doesn't need to be protected, but *git-receive-pack*
>> requires (or required) valid user even for above GET request for
>> getting refs.
>
> Right. But that is not anything receive-pack is doing; it is up to
> his webserver config, which is why I asked to see it.
Nope. I'm pretty sure this had *nothing* to do with my config. This
is the original config, which doesn't work:
    $HTTP["url"] =~ "^/git" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""
        )
        $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
            include "trac-git-auth.conf"
        }
    }
This will turn on authentication *only* for URLs matching
^/git/.*/git-receive-pack$, which AFAIU is *exactly* what the manpage
states is all that is needed.
This is the configuration that actually works:
    $HTTP["querystring"] =~ "service=git-receive-pack" {
        $HTTP["url"] =~ "^/git" {
            cgi.assign = ( "" => "" )
            setenv.add-environment = (
                "GIT_PROJECT_ROOT" => "/srv/git",
                "GIT_HTTP_EXPORT_ALL" => ""
            )
            include "trac-git-auth.conf"
        }
    } else $HTTP["url"] =~ "^/git" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""
        )
        $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
            include "trac-git-auth.conf"
        }
    }
The top bit adds matching against the query string and ^/git which
forces authentication on the initial GET as well.
>>> 2. POST $repo/git-receive-pack
>>>
>>> This actually pushes up the objects and updates the refs, and
>>> must be protected.
>>>
>>> The setup listed above does work with apache; it is tested as part
>>> of our test suite (you can see the actual config in
>>> t/lib-httpd/apache.conf). So what in lighttpd is giving us the
>>> 403? Can you share your whole config?
>>
>> I think I have seen a patch on git mailing list to correct this,
>> but I am not sure.
>>
>> Are you sure that we test this correctly?
>
> Perhaps you are thinking of the jk/maint-http-half-auth-push topic
> from last August/September. It explicitly tests the setup from the
> manpage. The relevant commits are 4c71009 (t: test http access to
> "half-auth" repositories, 2012-08-27) which demonstrates the
> problem, and b81401c (http: prompt for credentials on failed POST,
> 2012-08-27).
>
> However, even before the fix, it never got a 403 on the GET of
> info/refs. It got a 401 on the later POST, but didn't prompt for
> credentials.
I know nothing about CGI, but surely the script signals the need for a
valid user to the server somehow; couldn't the web server then decide
to return 403 rather than 401 *if there's no configuration for
authentication*?
In any case it seems there is no fix in the version of git in Arch
Linux[1].
/M
[1]: The package I've been using is built from these unpatched
sources: http://git-core.googlecode.com/files/git-1.8.2.tar.gz
--
Magnus Therning OpenPGP: 0xAB4DFBA4
email: magnus@therning.org jabber: magnus@therning.org
twitter: magthe http://therning.org/magnus
I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
-- Alan Kay
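An added illustration, not part of the thread: this models the two lighttpd conditionals Magnus posted as plain regex rules and runs the four requests a smart-HTTP fetch and push make against them, so you can see which requests each config actually puts behind trac-git-auth.conf. The repository path proj.git and the request list are constructed samples; lighttpd's `=~` is treated as an unanchored regex search, as in the posted config.

```python
import re

# Constructed sample: the requests git makes for one anonymous fetch and one push
# against a repository under the /git prefix used in the posted config.
REQUESTS = [
    ("GET",  "/git/proj.git/info/refs?service=git-upload-pack"),   # fetch discovery
    ("POST", "/git/proj.git/git-upload-pack"),                     # fetch data
    ("GET",  "/git/proj.git/info/refs?service=git-receive-pack"),  # push discovery
    ("POST", "/git/proj.git/git-receive-pack"),                    # push data
]

# The three patterns that appear in the posted lighttpd configs.
RECEIVE_PACK_URL = re.compile(r"^/git/.*/git-receive-pack$")
RECEIVE_PACK_QS = re.compile(r"service=git-receive-pack")
GIT_PREFIX = re.compile(r"^/git")


def _split(target):
    path, _, query = target.partition("?")
    return path, query


def original_requires_auth(method, target):
    """Original config: trac-git-auth.conf is included only inside the
    $HTTP["url"] =~ "^/git/.*/git-receive-pack$" block. Neither config
    conditions on the HTTP method, so it is ignored here as well."""
    path, _ = _split(target)
    return bool(RECEIVE_PACK_URL.search(path))


def working_requires_auth(method, target):
    """Working config: the outer $HTTP["querystring"] block forces auth when
    the query string names git-receive-pack and the URL is under /git; the
    else branch keeps the URL-only rule, which still catches the POST."""
    path, query = _split(target)
    if RECEIVE_PACK_QS.search(query) and GIT_PREFIX.search(path):
        return True
    return bool(RECEIVE_PACK_URL.search(path))


def protected_requests(rule):
    """Return the 'METHOD target' strings that a rule puts behind auth."""
    return [f"{m} {t}" for m, t in REQUESTS if rule(m, t)]


if __name__ == "__main__":
    for name, rule in (("original", original_requires_auth),
                       ("working", working_requires_auth)):
        print(name, protected_requests(rule))
```

The original rule leaves the push's initial GET of info/refs anonymous, which is the request Magnus reports failing; the working rule protects that GET and the POST while both fetch requests stay anonymous.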