git-http-backend: anonymous read, authenticated write

git-http-backend: anonymous read, authenticated write

[Magnus Therning]

[-- Attachment #1: Type: text/plain, Size: 1232 bytes --]

I've been trying to set up git-http-backend+lighttpd.  I've managed to
set up anonymous read-only access, and I then successfully configured
authentication for both read and write.  Then I get stuck.  The
man-page for git-http-backend says that the following snippet can be
used for Apache 2.x:

    <LocationMatch "^/git/.*/git-receive-pack$">
        AuthType Basic
        AuthName "Git Access"
        Require group committers
        ...
    </LocationMatch>

However, when I put in this match on location in my lighty config and
try to push I'm not asked for a password, instead I'm greeted with

    % git push 
    error: The requested URL returned error: 403 Forbidden while accessing http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack

AFAICS this means the man-page is wrong, and that I instead ought to
match on the "service=git-receive-pack" part.  Is that a correct
conclusion?

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
     -- Alan Kay

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]

Re: git-http-backend: anonymous read, authenticated write

[Jakub Narębski]

On 09.04.2013, Magnus Therning wrote:

> I've been trying to set up git-http-backend+lighttpd.  I've managed to
> set up anonymous read-only access, and I then successfully configured
> authentication for both read and write.  Then I get stuck.  The
> man-page for git-http-backend says that the following snippet can be
> used for Apache 2.x:
> 
>     <LocationMatch "^/git/.*/git-receive-pack$">
>         AuthType Basic
>         AuthName "Git Access"
>         Require group committers
>         ...
>     </LocationMatch>
> 
> However, when I put in this match on location in my lighty config and
> try to push I'm not asked for a password, instead I'm greeted with
> 
>     % git push 
>     error: The requested URL returned error: 403 Forbidden while 
>      accessing
http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> 
> AFAICS this means the man-page is wrong, and that I instead ought to
> match on the "service=git-receive-pack" part.  Is that a correct
> conclusion?

Yes, it is.

I have tried to do the same anonymous read and authenticated write
in "smart HTTP" access in Apache.  There are some proposals[1],
all I think which use mod_rewrite (as LocationMatch doesn't take
query string into account, unfortunately), but I haven't been able
to make it work.

The problem is that both POST *and GET* (to get refs) must be authethicated.

Nb. I thought that it was corrected... which git version do you use?

[1]: http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html


In the end I have worked around this by allowing all registered users to
read with "require valid-user" (which in my situation might be even more
correct solution; the case being repositories for Computer Science class
lab work), and restricting write via pre-receive hook which checks
REMOTE_USER.

-- 
Jakub Narębski

Re: git-http-backend: anonymous read, authenticated write

[Jeff King]

On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:

> I've been trying to set up git-http-backend+lighttpd.  I've managed to
> set up anonymous read-only access, and I then successfully configured
> authentication for both read and write.  Then I get stuck.  The
> man-page for git-http-backend says that the following snippet can be
> used for Apache 2.x:
> 
>     <LocationMatch "^/git/.*/git-receive-pack$">
>         AuthType Basic
>         AuthName "Git Access"
>         Require group committers
>         ...
>     </LocationMatch>
> 
> However, when I put in this match on location in my lighty config and
> try to push I'm not asked for a password, instead I'm greeted with
> 
>     % git push 
>     error: The requested URL returned error: 403 Forbidden while accessing http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack

Something in your config is blocking access to info/refs there. It
should not be the block shown above, which handles only the actual POST
of the data. The sequence of http requests made is:

  1. GET $repo/info/refs?service=git-receive-pack

     This makes initial contact and gets the ref information which push
     uses to decide what it is going to push. So it is read-only, and in
     an anonymous-read setup, does not need to be protected.

  2. POST $repo/git-receive-pack

     This actually pushes up the objects and updates the refs, and
     must be protected.

The setup listed above does work with apache; it is tested as part of
our test suite (you can see the actual config in t/lib-httpd/apache.conf).
So what in lighttpd is giving us the 403? Can you share your whole
config?

> AFAICS this means the man-page is wrong, and that I instead ought to
> match on the "service=git-receive-pack" part.  Is that a correct
> conclusion?

No. It is not a bad idea to _also_ match on info/refs, but I think it's
a little trickier (you need to reliably match the query string to
differentiate it from a fetch, which IIRC is a little hard in apache, at
least).

But if you drop the protections on "/git-receive-pack$", then an
attacker can just POST whatever they want into your repository.

-Peff

Re: git-http-backend: anonymous read, authenticated write

[Magnus Therning]

[-- Attachment #1: Type: text/plain, Size: 5523 bytes --]

On Tue, Apr 09, 2013 at 01:12:47PM -0400, Jeff King wrote:
> On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:
> 
>> I've been trying to set up git-http-backend+lighttpd.  I've managed
>> to set up anonymous read-only access, and I then successfully
>> configured authentication for both read and write.  Then I get
>> stuck.  The man-page for git-http-backend says that the following
>> snippet can be used for Apache 2.x:
>> 
>>     <LocationMatch "^/git/.*/git-receive-pack$">
>>         AuthType Basic
>>         AuthName "Git Access"
>>         Require group committers
>>         ...
>>     </LocationMatch>
>> 
>> However, when I put in this match on location in my lighty config
>> and try to push I'm not asked for a password, instead I'm greeted
>> with
>> 
>>     % git push 
>>     error: The requested URL returned error: 403 Forbidden while accessing http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> 
> Something in your config is blocking access to info/refs there. It
> should not be the block shown above, which handles only the actual POST
> of the data. The sequence of http requests made is:
> 
>   1. GET $repo/info/refs?service=git-receive-pack
> 
>      This makes initial contact and gets the ref information which push
>      uses to decide what it is going to push. So it is read-only, and in
>      an anonymous-read setup, does not need to be protected.
> 
>   2. POST $repo/git-receive-pack
> 
>      This actually pushes up the objects and updates the refs, and
>      must be protected.
> 
> The setup listed above does work with apache; it is tested as part of
> our test suite (you can see the actual config in t/lib-httpd/apache.conf).
> So what in lighttpd is giving us the 403? Can you share your whole
> config?

I was putting together a *long* response, with my different
configurations when it suddenly hit me how to make it work.

So, this is the accesslog for a successful `git push`:

192.168.1.84 tracsrv.local - [10/Apr/2013:22:24:59 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 351 "-" "git/1.8.2.1"
192.168.1.84 tracsrv.local - [10/Apr/2013:22:24:59 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 351 "-" "git/1.8.2.1"
192.168.1.84 tracsrv.local magnus [10/Apr/2013:22:25:04 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 200 202 "-" "git/1.8.2.1"
192.168.1.84 tracsrv.local magnus [10/Apr/2013:22:25:09 +0200] "POST /git/foo.git/git-receive-pack HTTP/1.1" 200 73 "-" "git/1.8.2.1"

That is, *both* the GET and POST queries require a valid username
(trying to push without a valid user will fail with a 403 already on
the GET query).  Maybe Apache 2.x simply behaves *very* differently
from lighttpd, but I still can't see how a rule to require a valid
user only on the POST can ever work.

>> AFAICS this means the man-page is wrong, and that I instead ought
>> to match on the "service=git-receive-pack" part.  Is that a correct
>> conclusion?
> 
> No. It is not a bad idea to _also_ match on info/refs, but I think
> it's a little trickier (you need to reliably match the query string
> to differentiate it from a fetch, which IIRC is a little hard in
> apache, at least).

This is what triggered me to find a working config.  Matching on the
query string is actually *very* easy in lighttpd.  Here's the relevant
bit of a working configuration[1]:

    alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
    $HTTP["querystring"] =~ "service=git-receive-pack" {
        $HTTP["url"] =~ "^/git" {
            cgi.assign = ( "" => "" )
            setenv.add-environment = (
                "GIT_PROJECT_ROOT" => "/srv/git",
                "GIT_HTTP_EXPORT_ALL" => ""
            )
            include "trac-git-auth.conf"
        }
    } else $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""
        )
        include "trac-git-auth.conf"
    } else $HTTP["url"] =~ "^/git" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""
        )
    }

> But if you drop the protections on "/git-receive-pack$", then an
> attacker can just POST whatever they want into your repository.

This setup is for a server on the internal network, but still, your
comment holds.  The reason for wanting to allow reading without
authentication is that then I can signal a CI server to pull without
having to give it credentials.

/M

[1]: The configuration for the authentication looks like this at the
moment, but it's only for testing:

    auth.backend = "plain"
    auth.backend.plain.userfile = "/srv/git/pwds.plain"
    auth.require = (
        "/" => (
            "method" => "basic",
            "realm" => "git",
            "require" => "valid-user"
            )
        )
-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

Most software today is very much like an Egyptian pyramid with
millions of bricks piled on top of each other, with no structural
integrity, but just done by brute force and thousands of slaves.
     -- Alan Kay

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]

Re: git-http-backend: anonymous read, authenticated write

[Magnus Therning]

[-- Attachment #1: Type: text/plain, Size: 2837 bytes --]

On Tue, Apr 09, 2013 at 02:24:26PM +0200, Jakub Narębski wrote:
> On 09.04.2013, Magnus Therning wrote:
> 
> > I've been trying to set up git-http-backend+lighttpd.  I've managed to
> > set up anonymous read-only access, and I then successfully configured
> > authentication for both read and write.  Then I get stuck.  The
> > man-page for git-http-backend says that the following snippet can be
> > used for Apache 2.x:
> > 
> >     <LocationMatch "^/git/.*/git-receive-pack$">
> >         AuthType Basic
> >         AuthName "Git Access"
> >         Require group committers
> >         ...
> >     </LocationMatch>
> > 
> > However, when I put in this match on location in my lighty config and
> > try to push I'm not asked for a password, instead I'm greeted with
> > 
> >     % git push 
> >     error: The requested URL returned error: 403 Forbidden while 
> >      accessing
> http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> > 
> > AFAICS this means the man-page is wrong, and that I instead ought to
> > match on the "service=git-receive-pack" part.  Is that a correct
> > conclusion?
> 
> Yes, it is.
> 
> I have tried to do the same anonymous read and authenticated write
> in "smart HTTP" access in Apache.  There are some proposals[1],
> all I think which use mod_rewrite (as LocationMatch doesn't take
> query string into account, unfortunately), but I haven't been able
> to make it work.
> 
> The problem is that both POST *and GET* (to get refs) must be authethicated.
> 
> Nb. I thought that it was corrected... which git version do you use?

1.8.2 on the server, though 1.8.2.1 is available for the distro I'm
using.  The discussion you refer to took place in 2010, I doubt any
improvement has been made to this in that point release, or am I
wrong?

> [1]: http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html
> 
> 
> In the end I have worked around this by allowing all registered users to
> read with "require valid-user" (which in my situation might be even more
> correct solution; the case being repositories for Computer Science class
> lab work), and restricting write via pre-receive hook which checks
> REMOTE_USER.

I *really* want anonymous RO access so the CI server doesn't need any
credentials.  I could of course set up git-http-backend to be served
on two different URLs, but that's just ugly ;)

Luckily I did find a working configuration, which I posted in another
email in this thread.

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus


Perl is another example of filling a tiny, short-term need, and then
being a real problem in the longer term.
     -- Alan Kay

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]

Re: git-http-backend: anonymous read, authenticated write

[Jakub Narębski]

Jeff King wrote:
> On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:

>>     % git push 
>>     error: The requested URL returned error: 403 Forbidden while accessing
>>
http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> 
> Something in your config is blocking access to info/refs there. It
> should not be the block shown above, which handles only the actual POST
> of the data. The sequence of http requests made is:
> 
>   1. GET $repo/info/refs?service=git-receive-pack
> 
>      This makes initial contact and gets the ref information which push
>      uses to decide what it is going to push. So it is read-only, and in
>      an anonymous-read setup, does not need to be protected.

Yes, it doesn't need to be protected, but *git-receive-pack* requires
(or required) valid user even for above GET request for getting refs.

>   2. POST $repo/git-receive-pack
> 
>      This actually pushes up the objects and updates the refs, and
>      must be protected.
> 
> The setup listed above does work with apache; it is tested as part of
> our test suite (you can see the actual config in t/lib-httpd/apache.conf).
> So what in lighttpd is giving us the 403? Can you share your whole
> config?

I think I have seen a patch on git mailing list to correct this, but
I am not sure.

Are you sure that we test this correctly?

-- 
Jakub Narębski

Re: git-http-backend: anonymous read, authenticated write

[Jeff King]

On Wed, Apr 10, 2013 at 11:30:59PM +0200, Jakub Narębski wrote:

> >   1. GET $repo/info/refs?service=git-receive-pack
> > 
> >      This makes initial contact and gets the ref information which push
> >      uses to decide what it is going to push. So it is read-only, and in
> >      an anonymous-read setup, does not need to be protected.
> 
> Yes, it doesn't need to be protected, but *git-receive-pack* requires
> (or required) valid user even for above GET request for getting refs.

Right. But that is not anything receive-pack is doing; it is up to his
webserver config, which is why I asked to see it.

> >   2. POST $repo/git-receive-pack
> > 
> >      This actually pushes up the objects and updates the refs, and
> >      must be protected.
> > 
> > The setup listed above does work with apache; it is tested as part of
> > our test suite (you can see the actual config in t/lib-httpd/apache.conf).
> > So what in lighttpd is giving us the 403? Can you share your whole
> > config?
> 
> I think I have seen a patch on git mailing list to correct this, but
> I am not sure.
> 
> Are you sure that we test this correctly?

Perhaps you are thinking of the jk/maint-http-half-auth-push topic from
last August/September. It explicitly tests the setup from the manpage.
The relevant commits are 4c71009 (t: test http access to "half-auth"
repositories, 2012-08-27) which demonstrates the problem, and b81401c
(http: prompt for credentials on failed POST, 2012-08-27).

However, even before the fix, it never got a 403 on the GET of
info/refs. It got a 401 on the later POST, but didn't prompt for
credentials.

-Peff

Re: git-http-backend: anonymous read, authenticated write

[Jeff King]

On Wed, Apr 10, 2013 at 10:45:44PM +0200, Magnus Therning wrote:

> I was putting together a *long* response, with my different
> configurations when it suddenly hit me how to make it work.
> 
> So, this is the accesslog for a successful `git push`:
> 
> 192.168.1.84 tracsrv.local - [10/Apr/2013:22:24:59 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 351 "-" "git/1.8.2.1"
> 192.168.1.84 tracsrv.local - [10/Apr/2013:22:24:59 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 351 "-" "git/1.8.2.1"
> 192.168.1.84 tracsrv.local magnus [10/Apr/2013:22:25:04 +0200] "GET /git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 200 202 "-" "git/1.8.2.1"
> 192.168.1.84 tracsrv.local magnus [10/Apr/2013:22:25:09 +0200] "POST /git/foo.git/git-receive-pack HTTP/1.1" 200 73 "-" "git/1.8.2.1"
> 
> That is, *both* the GET and POST queries require a valid username
> (trying to push without a valid user will fail with a 403 already on
> the GET query).  Maybe Apache 2.x simply behaves *very* differently
> from lighttpd, but I still can't see how a rule to require a valid
> user only on the POST can ever work.

Right. But that is not configured at all by the apache config shown in
the manpage:

               <LocationMatch "^/git/.*/git-receive-pack$">
                       AuthType Basic
                       AuthName "Git Access"
                       Require group committers
                       ...
               </LocationMatch>

which should not match on the info/refs request at all. That is why I
suspect there is something else wrong in your lighttpd config, or
something wrong in the conversion of the apache config to lighttpd.

Anyway, it sounds like you found a working config.

-Peff

Re: git-http-backend: anonymous read, authenticated write

[Magnus Therning]

[-- Attachment #1: Type: text/plain, Size: 3821 bytes --]

On Wed, Apr 10, 2013 at 05:47:22PM -0400, Jeff King wrote:
> On Wed, Apr 10, 2013 at 11:30:59PM +0200, Jakub Narębski wrote:
> 
>>>   1. GET $repo/info/refs?service=git-receive-pack
>>> 
>>>      This makes initial contact and gets the ref information which
>>>      push uses to decide what it is going to push. So it is
>>>      read-only, and in an anonymous-read setup, does not need to
>>>      be protected.
>> 
>> Yes, it doesn't need to be protected, but *git-receive-pack*
>> requires (or required) valid user even for above GET request for
>> getting refs.
> 
> Right. But that is not anything receive-pack is doing; it is up to
> his webserver config, which is why I asked to see it.

Nope.  I'm pretty sure this had *nothing* to do with my config.  This
is the original config, which doesn't work:

$HTTP["url"] =~ "^/git" {
    cgi.assign = ( "" => "" )
    setenv.add-environment = (
        "GIT_PROJECT_ROOT" => "/srv/git",
        "GIT_HTTP_EXPORT_ALL" => ""
    )
    $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
        include "trac-git-auth.conf"
    }
}

This will turn on authentication *only* for URLs matching
^/git/.*/git-receive-pack$, which AFAIU is *exactly* what the manpage states is
all that is needed.

This is the configuration that actually works:

$HTTP["querystring"] =~ "service=git-receive-pack" {
    $HTTP["url"] =~ "^/git" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""
        )
        include "trac-git-auth.conf"
    }
} else $HTTP["url"] =~ "^/git" {
    cgi.assign = ( "" => "" )
    setenv.add-environment = (
        "GIT_PROJECT_ROOT" => "/srv/git",
        "GIT_HTTP_EXPORT_ALL" => ""
    )
    $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
        include "trac-git-auth.conf"
    }
}

The top bit adds matching against the query string and ^/git which
forces authentication on the initial GET as well.

>>>   2. POST $repo/git-receive-pack
>>> 
>>>      This actually pushes up the objects and updates the refs, and
>>>      must be protected.
>>> 
>>> The setup listed above does work with apache; it is tested as part
>>> of our test suite (you can see the actual config in
>>> t/lib-httpd/apache.conf).  So what in lighttpd is giving us the
>>> 403? Can you share your whole config?
>> 
>> I think I have seen a patch on git mailing list to correct this,
>> but I am not sure.
>> 
>> Are you sure that we test this correctly?
> 
> Perhaps you are thinking of the jk/maint-http-half-auth-push topic
> from last August/September. It explicitly tests the setup from the
> manpage.  The relevant commits are 4c71009 (t: test http access to
> "half-auth" repositories, 2012-08-27) which demonstrates the
> problem, and b81401c (http: prompt for credentials on failed POST,
> 2012-08-27).
> 
> However, even before the fix, it never got a 403 on the GET of
> info/refs. It got a 401 on the later POST, but didn't prompt for
> credentials.

I know nothing about CGI, but surely the script signals the need for a
valid user to the server somehow, couldn't the web server then decide
to return 403 rather than 401 *if there's no configuration for
authentication*?

In any case it seems there is no fix in the version of git in Arch
Linux[1].

/M

[1]: The package I've been using is built from these unpatched
sources: http://git-core.googlecode.com/files/git-1.8.2.tar.gz

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
     -- Alan Kay

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]

Re: git-http-backend: anonymous read, authenticated write

[Jeff King]

On Thu, Apr 11, 2013 at 01:19:19AM +0200, Magnus Therning wrote:

> Nope.  I'm pretty sure this had *nothing* to do with my config.  This
> is the original config, which doesn't work:
> 
> $HTTP["url"] =~ "^/git" {
>     cgi.assign = ( "" => "" )
>     setenv.add-environment = (
>         "GIT_PROJECT_ROOT" => "/srv/git",
>         "GIT_HTTP_EXPORT_ALL" => ""
>     )
>     $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
>         include "trac-git-auth.conf"
>     }
> }

Ah, I think I see what it is.

Did you turn on http.receivepack in the git config to enable pushing?
From "git help http-backend":

  By default, only the upload-pack service is enabled, which serves git
  fetch-pack and git ls-remote clients, which are invoked from git
  fetch, git pull, and git clone. If the client is authenticated, the
  receive-pack service is enabled, which serves git send-pack clients,
  which is invoked from git push.

  [...]

  http.receivepack
      This serves git send-pack clients, allowing push. It is disabled
      by default for anonymous users, and enabled by default for users
      authenticated by the web server. It can be disabled by setting
      this item to false, or enabled for all users, including anonymous
      users, by setting it to true.

If there is no authentication happening for the initial service-request,
then the default http.receivepack kicks in, which is to turn pushing
off (because there is no authenticated user).

When you do this;

> $HTTP["querystring"] =~ "service=git-receive-pack" {
>     $HTTP["url"] =~ "^/git" {
>         cgi.assign = ( "" => "" )
>         setenv.add-environment = (
>             "GIT_PROJECT_ROOT" => "/srv/git",
>             "GIT_HTTP_EXPORT_ALL" => ""
>         )
>         include "trac-git-auth.conf"
>     }

Then you are asking for authentication earlier (on the first request),
and the default behavior is to allow the push.

The documentation should probably make the use of http.receivepack more
clear in this situation.

> > However, even before the fix, it never got a 403 on the GET of
> > info/refs. It got a 401 on the later POST, but didn't prompt for
> > credentials.
> 
> I know nothing about CGI, but surely the script signals the need for a
> valid user to the server somehow, couldn't the web server then decide
> to return 403 rather than 401 *if there's no configuration for
> authentication*?

I think that series is a red herring. It did not affect the server-side
at all, but was a fix for the _client_ to handle the 401 it should
receive in that situation. But your server was generating a 403, for
different reasons.

So _if_ you fixed it by setting http.receivepack (which I think is the
simplest thing under Apache, since matching the query string there is
hard), then you would need a version of git with that fix on the
client side to actually have git prompt for the password correctly.

But your fix under lighttpd is much better, as it asks for the
credentials up front (which means the client does not go to any work
creating a packfile just to find out that it does not have access).

-Peff

[PATCH 0/2] http-backend documentation examples

[Jeff King]

On Wed, Apr 10, 2013 at 09:56:13PM -0400, Jeff King wrote:

> The documentation should probably make the use of http.receivepack more
> clear in this situation.

Here's a patch series to do that. The first one would (hopefully) have
helped you arrive at the http.receivepack fix, as well as any other
people configuring Apache. The second one actually adds some basic
lighttpd config, including the query-string match, which is a better
solution anyway.

  [1/2]: doc/http-backend: clarify "half-auth" repo configuration
  [2/2]: doc/http-backend: give some lighttpd config examples

-Peff

[PATCH 1/2] doc/http-backend: clarify "half-auth" repo configuration

[Jeff King]

When the http-backend is set up to allow anonymous read but
authenticated write, the http-backend manual suggests
catching only the "/git-receive-pack" POST of the packfile,
not the initial "info/refs?service=git-receive-pack" GET in
which we advertise refs.

This does work and is secure, as we do not allow any write
during the info/refs request, and the information in the ref
advertisement is the same that you would get from a fetch.

However, the configuration required by the server is
slightly more complex. The default `http.receivepack`
setting is to allow pushes if the webserver tells us that
the user authenticated, and otherwise to return a 403
("Forbidden"). That works fine if authentication is turned
on completely; the initial request requires authentication,
and http-backend realizes it is OK to do a push.

But for this "half-auth" state, no authentication has
occurred during the initial ref advertisement. The
http-backend CGI therefore does not think that pushing
should be enabled, and responds with a 403. The client
cannot continue, even though the server would have allowed
it to run if it had provided credentials.

It would be much better if the server responded with a 401,
asking for credentials during the initial contact. But
git-http-backend does not know about the server's auth
configuration (so a 401 would be confusing in the case of a
true anonymous server). Unfortunately, configuring Apache to
recognize the query string and apply the auth appropriately
to receive-pack (but not upload-pack) initial requests is
non-trivial.

The site admin can work around this by just turning on
http.receivepack explicitly in its repositories. Let's
document this workaround.

Signed-off-by: Jeff King <peff@peff.net>
---
My understanding is that you can do query-string matching through a
clever use of mod-rewrite. I am not nearly clever nor interested in
Apache enough to figure it out, but if somebody does, it would be nice
to put the recipe here.

 Documentation/git-http-backend.txt | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt
index 7b1e85c..f43980f 100644
--- a/Documentation/git-http-backend.txt
+++ b/Documentation/git-http-backend.txt
@@ -91,6 +91,15 @@ require authorization with a LocationMatch directive:
 </LocationMatch>
 ----------------------------------------------------------------
 +
+In this mode, the server will not request authentication until the
+client actually starts the object negotiation phase of the push, rather
+than during the initial contact.  For this reason, you must also enable
+the `http.receivepack` config option in any repositories that should
+accept a push. The default behavior, if `http.receivepack` is not set,
+is to reject any pushes by unauthenticated users; the initial request
+will therefore report `403 Forbidden` to the client, without even giving
+an opportunity for authentication.
++
 To require authentication for both reads and writes, use a Location
 directive around the repository, or one of its parent directories:
 +
-- 
1.8.2.rc0.33.gd915649

[PATCH 2/2] doc/http-backend: give some lighttpd config examples

[Jeff King]

The examples in the documentation are all for Apache. Let's
at least cover the basics: an anonymous server, an
authenticated server, and a "half auth" server with
anonymous read and authenticated write.

Signed-off-by: Jeff King <peff@peff.net>
---
I am by no means a lighttpd expert, so there may be better ways to do
some of these. But I did test that they all work as expected.

I was tempted for a moment to provide a mechanism for the t55* tests to
use either lighttpd _or_ apache, so that these could get some automated
testing. But I don't relish the thought of trying to keep both configs
synchronized as people update one or the other.

There are also some advanced setups in the apache part of the doc that I
didn't translate here (e.g., dumb-http fallback, and static serving of
dumb-http files). Mostly because I don't think they are that commonly
used these days, and I do not know enough about lighttpd configuration
to translate them easily. If somebody wants to make a patch on top, they
can.

 Documentation/git-http-backend.txt | 55 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt
index f43980f..cad18ce 100644
--- a/Documentation/git-http-backend.txt
+++ b/Documentation/git-http-backend.txt
@@ -167,6 +167,61 @@ ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
 ScriptAlias /git/ /var/www/cgi-bin/gitweb.cgi/
 ----------------------------------------------------------------
 
+Lighttpd::
+	Ensure that `mod_cgi`, `mod_alias, `mod_auth`, `mod_setenv` are
+	loaded, then set `GIT_PROJECT_ROOT` appropriately and redirect
+	all requests to the CGI:
++
+----------------------------------------------------------------
+alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
+$HTTP["url"] =~ "^/git" {
+	cgi.assign = ("" => "")
+	setenv.add-environment = (
+		"GIT_PROJECT_ROOT" => "/var/www/git",
+		"GIT_HTTP_EXPORT_ALL" => ""
+	)
+}
+----------------------------------------------------------------
++
+To enable anonymous read access but authenticated write access:
++
+----------------------------------------------------------------
+$HTTP["querystring"] =~ "service=git-receive-pack" {
+	include "git-auth.conf"
+}
+$HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+	include "git-auth.conf"
+}
+----------------------------------------------------------------
++
+where `git-auth.conf` looks something like:
++
+----------------------------------------------------------------
+auth.require = (
+	"/" => (
+		"method" => "basic",
+		"realm" => "Git Access",
+		"require" => "valid-user"
+	       )
+)
+# ...and set up auth.backend here
+----------------------------------------------------------------
++
+Note that unlike the similar setup with Apache, we can easily match the
+query string for receive-pack, catching the initial request from the
+client. This means that the server administrator does not have to worry
+about configuring `http.receivepack` for the repositories (the default
+value, which enables it only in the case of authentication, is
+sufficient).
++
+To require authentication for both reads and writes:
++
+----------------------------------------------------------------
+$HTTP["url"] =~ "^/git/private" {
+	include "git-auth.conf"
+}
+----------------------------------------------------------------
+
 
 ENVIRONMENT
 -----------
-- 
1.8.2.rc0.33.gd915649

Re: git-http-backend: anonymous read, authenticated write

[Magnus Therning]

On Thu, Apr 11, 2013 at 3:56 AM, Jeff King <peff@peff.net> wrote:
> On Thu, Apr 11, 2013 at 01:19:19AM +0200, Magnus Therning wrote:
>
>> Nope.  I'm pretty sure this had *nothing* to do with my config.  This
>> is the original config, which doesn't work:
>>
>> $HTTP["url"] =~ "^/git" {
>>     cgi.assign = ( "" => "" )
>>     setenv.add-environment = (
>>         "GIT_PROJECT_ROOT" => "/srv/git",
>>         "GIT_HTTP_EXPORT_ALL" => ""
>>     )
>>     $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
>>         include "trac-git-auth.conf"
>>     }
>> }
>
> Ah, I think I see what it is.
>
> Did you turn on http.receivepack in the git config to enable pushing?

Nope, of course I didn't :)  Instead I did what the man-page tells me
will allow full export of a git repo *without* having to fiddle around
with the repo's config:

1. set GIT_HTTP_EXPORT_ALL in the environment
2. turn on authentication for *one* location that requires it for
pushing: ^/git/.*/git-receive-pack$

[...]
> If there is no authentication happening for the initial service-request,
> then the default http.receivepack kicks in, which is to turn pushing
> off (because there is no authenticated user).

Yes, but that only becomes clear when looking at the traffic.  In
fact, the whole design of services is not clearly mentioned in the
man-page.  I was *very* surprised to see the query strings when I
started looking at the access logs.

> The documentation should probably make the use of http.receivepack more
> clear in this situation.

I think that'd be good.  The fact that it wasn't until several mails
into the thread that anyone thought of the http.receivepack setting
also suggests that its use is a bit un-intuitive (even though it
probably makes perfect sense and is a good solution).

> So _if_ you fixed it by setting http.receivepack (which I think is the
> simplest thing under Apache, since matching the query string there is
> hard), then you would need a version of git with that fix on the
> client side to actually have git prompt for the password correctly.

Ah, so *that* is the fix that has been mentioned (I haven't bothered
reading it myself), or are there in fact two fixes that have been
referred to in the thread?

> But your fix under lighttpd is much better, as it asks for the
> credentials up front (which means the client does not go to any work
> creating a packfile just to find out that it does not have access).

Yes, I think it also helps with my particular scenario where new repos
will be added from time to time.  This way there is no second step,
after `git init`, that must be remembered.

Thank you very much for taking the time to help me out with this!
I'll also take a look at the patches you sent, as a dumb simpler user
I might have something to add, who knows?

/M

--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

Re: [PATCH 1/2] doc/http-backend: clarify "half-auth" repo configuration

[Magnus Therning]

On Thu, Apr 11, 2013 at 5:32 AM, Jeff King <peff@peff.net> wrote:
> When the http-backend is set up to allow anonymous read but
> authenticated write, the http-backend manual suggests
> catching only the "/git-receive-pack" POST of the packfile,
> not the initial "info/refs?service=git-receive-pack" GET in
> which we advertise refs.
>
> This does work and is secure, as we do not allow any write
> during the info/refs request, and the information in the ref
> advertisement is the same that you would get from a fetch.
>
> However, the configuration required by the server is
> slightly more complex. The default `http.receivepack`
> setting is to allow pushes if the webserver tells us that
> the user authenticated, and otherwise to return a 403
> ("Forbidden"). That works fine if authentication is turned
> on completely; the initial request requires authentication,
> and http-backend realizes it is OK to do a push.
>
> But for this "half-auth" state, no authentication has
> occurred during the initial ref advertisement. The
> http-backend CGI therefore does not think that pushing
> should be enabled, and responds with a 403. The client
> cannot continue, even though the server would have allowed
> it to run if it had provided credentials.
>
> It would be much better if the server responded with a 401,
> asking for credentials during the initial contact. But
> git-http-backend does not know about the server's auth
> configuration (so a 401 would be confusing in the case of a
> true anonymous server). Unfortunately, configuring Apache to
> recognize the query string and apply the auth appropriately
> to receive-pack (but not upload-pack) initial requests is
> non-trivial.
>
> The site admin can work around this by just turning on
> http.receivepack explicitly in its repositories. Let's
> document this workaround.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
> My understanding is that you can do query-string matching through a
> clever use of mod-rewrite. I am not nearly clever nor interested in
> Apache enough to figure it out, but if somebody does, it would be nice
> to put the recipe here.
>
>  Documentation/git-http-backend.txt | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt
> index 7b1e85c..f43980f 100644
> --- a/Documentation/git-http-backend.txt
> +++ b/Documentation/git-http-backend.txt
> @@ -91,6 +91,15 @@ require authorization with a LocationMatch directive:
>  </LocationMatch>
>  ----------------------------------------------------------------
>  +
> +In this mode, the server will not request authentication until the
> +client actually starts the object negotiation phase of the push, rather
> +than during the initial contact.  For this reason, you must also enable
> +the `http.receivepack` config option in any repositories that should
> +accept a push. The default behavior, if `http.receivepack` is not set,
> +is to reject any pushes by unauthenticated users; the initial request
> +will therefore report `403 Forbidden` to the client, without even giving
> +an opportunity for authentication.
> ++
>  To require authentication for both reads and writes, use a Location
>  directive around the repository, or one of its parent directories:
>  +
> --
> 1.8.2.rc0.33.gd915649
>

As the dumb user who started the thread that lead to this proposed
change, I do think this makes the documentation much clearer and had I
read this I most probably would have managed to set up the webserver
on my own.

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

Re: git-http-backend: anonymous read, authenticated write

[Jakub Narębski]

W dniu 11.04.2013 03:56, Jeff King napisał:

> So _if_ you fixed it by setting http.receivepack (which I think is the
> simplest thing under Apache, since matching the query string there is
> hard), then you would need a version of git with that fix on the
> client side to actually have git prompt for the password correctly.
> 
> But your fix under lighttpd is much better, as it asks for the
> credentials up front (which means the client does not go to any work
> creating a packfile just to find out that it does not have access).

According to http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html
it is (supposedly) not that hard in Apache (though it requires mod_rewrite):


  RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
  RewriteCond %{REQUEST_URI} /git-receive-pack$
  RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]

  <Location /git/>
      Order Deny,Allow
      Deny from env=AUTHREQUIRED

      AuthType Basic
      AuthName "Git Access"
      Require group committers

      Satisfy Any
  <Location>

Not tested.


P.S. By the way, is there some debugger for apache config (mod_rewrite
and deny/allow)?
-- 
Jakub Narębski

Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

[Jakub Narębski]

W dniu 11.04.2013 05:36, Jeff King napisał:

> +Note that unlike the similar setup with Apache, we can easily match the
> +query string for receive-pack, catching the initial request from the
> +client. This means that the server administrator does not have to worry
> +about configuring `http.receivepack` for the repositories (the default
> +value, which enables it only in the case of authentication, is
> +sufficient).

Perhaps it would be worth including for Apache2 beside basic setup that
requires http.receivepack set to true, also one like for LigHTTPd, i.e.

  RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
  RewriteCond %{REQUEST_URI} /git-receive-pack$
  RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]

  <Location /gitweb/>
      Order Deny,Allow
      Deny from env=AUTHREQUIRED

      AuthType Basic
      AuthName "Git Access"
      Require group committers

      Satisfy Any
  <Location>

And perhaps also adding it as test...
-- 
Jakub Narębski

Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

[Jeff King]

On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:

> W dniu 11.04.2013 05:36, Jeff King napisał:
> 
> > +Note that unlike the similar setup with Apache, we can easily match the
> > +query string for receive-pack, catching the initial request from the
> > +client. This means that the server administrator does not have to worry
> > +about configuring `http.receivepack` for the repositories (the default
> > +value, which enables it only in the case of authentication, is
> > +sufficient).
> 
> Perhaps it would be worth including for Apache2 beside basic setup that
> requires http.receivepack set to true, also one like for LigHTTPd, i.e.
> 
>   RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
>   RewriteCond %{REQUEST_URI} /git-receive-pack$
>   RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
> 
>   <Location /gitweb/>
>       Order Deny,Allow
>       Deny from env=AUTHREQUIRED
> 
>       AuthType Basic
>       AuthName "Git Access"
>       Require group committers
> 
>       Satisfy Any
>   <Location>
> 
> And perhaps also adding it as test...

That was the "I am not clever nor interested in Apache enough to figure
out how to do this..." part that I wrote. I have no clue if the above
works, but I'd be happy if you wanted to test it out and submit it as a
patch on top (I think it could even replace my 1/2, as making it just
work is a much better solution than having to explain the extra step in
the documentation).

-Peff

> -- 
> Jakub Narębski

Re: [PATCH 2/2] doc/http-backend: give some lighttpd config examples

[Jakub Narębski]

W dniu 11.04.2013 19:02, Jeff King napisał:
> On Thu, Apr 11, 2013 at 06:47:49PM +0200, Jakub Narębski wrote:
>> W dniu 11.04.2013 05:36, Jeff King napisał:
>>
>>> +Note that unlike the similar setup with Apache, we can easily match the
>>> +query string for receive-pack, catching the initial request from the
>>> +client. This means that the server administrator does not have to worry
>>> +about configuring `http.receivepack` for the repositories (the default
>>> +value, which enables it only in the case of authentication, is
>>> +sufficient).
>>
>> Perhaps it would be worth including for Apache2 beside basic setup that
>> requires http.receivepack set to true, also one like for LigHTTPd, i.e.
>>
>>   RewriteCond %{QUERY_STRING} =service=git-receive-pack [OR]
>>   RewriteCond %{REQUEST_URI} /git-receive-pack$
>>   RewriteRule (.*) $1 [E=AUTHREQUIRED:yes]
[...]
>> And perhaps also adding it as test...
> 
> That was the "I am not clever nor interested in Apache enough to figure
> out how to do this..." part that I wrote. I have no clue if the above
> works, but I'd be happy if you wanted to test it out and submit it as a
> patch on top (I think it could even replace my 1/2, as making it just
> work is a much better solution than having to explain the extra step in
> the documentation).

I don't know if short description of `http.receivepack`, suitable for
a reference documentation, tells a new user how to configure web server
for pushes.


With `http.receivepack` unset git (git-http-backed?) will refuse
unauthenthicated pushes but allow authenthicated ones (though it doesn't
handle authorization).  This makes it easy to configure web server for
fetches (read-only) access via smart HTTP (and you can make it
bulletproof by refusing pushes at all with `http.receivepack` false,
isn't it?).

But in this case (`http.receivepack` unset - the default) web server
must be configured to request authorization for both steps of push:
requesting references (for coming up with what
repositories have in common), i.e.

  GET ...?service=git-receive-pack

and actual sending of data and updating refs...

  POST .../git-receive-pack

though only second part is actually writing.


With `http.receivepack` set to true git (git-http-backend?) allows
anonymous pushes, and it is responsibility of web server configuration
to deny unauthorized pushes... but it is sufficient to do it only for
writes i.e.

  POST .../git-receive-pack


[Now to translate it to manpage or users-manual contents...]

P.S. Do I understand it correctly that `http.receivepack` is
three-state: true (allow all), unset (allow authenthicated) and false
(deny all)?

P.P.S. It would be better to accept both patches; I don't know when
I would be able to test Apache config; I remember that I had problems
with it...
-- 
Jakub Narębski

Re: git-http-backend: anonymous read, authenticated write

[Jeff King]

On Thu, Apr 11, 2013 at 08:52:56AM +0200, Magnus Therning wrote:

> > The documentation should probably make the use of http.receivepack more
> > clear in this situation.
> 
> I think that'd be good.  The fact that it wasn't until several mails
> into the thread that anyone thought of the http.receivepack setting
> also suggests that its use is a bit un-intuitive (even though it
> probably makes perfect sense and is a good solution).

Yeah, I did not even think of http.receivepack because I have never had
to set it before (it was turned on in the original tests that I built
top of). I have the impression that the anonymous-read/authenticated-write
setup you are using has not been all that commonly used. The example in
the manpage dates back to 2009, but it was only in 2012 that we got a
bug report that the client-side authentication handler has problems with
it.

> > So _if_ you fixed it by setting http.receivepack (which I think is the
> > simplest thing under Apache, since matching the query string there is
> > hard), then you would need a version of git with that fix on the
> > client side to actually have git prompt for the password correctly.
> 
> Ah, so *that* is the fix that has been mentioned (I haven't bothered
> reading it myself), or are there in fact two fixes that have been
> referred to in the thread?

No, there's only the one fix in git itself (not counting improving the
documentation just now). With the Apache config given in the manual,
clients older than git v1.7.11.7 will not properly handle the 401
response they get mid-way through the push process.

But you do not have to worry about that with your configuration, as you
provide the 401 up-front.

> > But your fix under lighttpd is much better, as it asks for the
> > credentials up front (which means the client does not go to any work
> > creating a packfile just to find out that it does not have access).
> 
> Yes, I think it also helps with my particular scenario where new repos
> will be added from time to time.  This way there is no second step,
> after `git init`, that must be remembered.

Yeah, avoiding setting http.receivepack at all is helpful. Though note
that you can also set it in /etc/gitconfig for the whole system at once.

> Thank you very much for taking the time to help me out with this!
> I'll also take a look at the patches you sent, as a dumb simpler user
> I might have something to add, who knows?

You're welcome. I'm glad we got it resolved, and looking over the
documentation patch is appreciated.

-Peff

Re: git-http-backend: anonymous read, authenticated write

[Magnus Therning]

On Thu, Apr 11, 2013 at 9:34 PM, Jeff King <peff@peff.net> wrote:
> On Thu, Apr 11, 2013 at 08:52:56AM +0200, Magnus Therning wrote:
>
>> > The documentation should probably make the use of http.receivepack more
>> > clear in this situation.
>>
>> I think that'd be good.  The fact that it wasn't until several mails
>> into the thread that anyone thought of the http.receivepack setting
>> also suggests that its use is a bit un-intuitive (even though it
>> probably makes perfect sense and is a good solution).
>
> Yeah, I did not even think of http.receivepack because I have never had
> to set it before (it was turned on in the original tests that I built
> top of). I have the impression that the anonymous-read/authenticated-write
> setup you are using has not been all that commonly used. The example in
> the manpage dates back to 2009, but it was only in 2012 that we got a
> bug report that the client-side authentication handler has problems with
> it.

Really?  I certainly think it deserves a bit more attention than that.
 It may be that gitosis and other SSH-based solutions have been around
longer than git-http-backend, but from what I've understood from
reading, it fits very nicely in between git-daemon and the rather
heavy SSH-based stuff.

>> > But your fix under lighttpd is much better, as it asks for the
>> > credentials up front (which means the client does not go to any work
>> > creating a packfile just to find out that it does not have access).
>>
>> Yes, I think it also helps with my particular scenario where new repos
>> will be added from time to time.  This way there is no second step,
>> after `git init`, that must be remembered.
>
> Yeah, avoiding setting http.receivepack at all is helpful. Though note
> that you can also set it in /etc/gitconfig for the whole system at once.

Good point.

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

[PATCH 3/2] doc/http-backend: match query-string in apache half-auth example

[Jeff King]

When setting up a "half-auth" repository in which reads can
be done anonymously but writes require authentication, it is
best if the server can require authentication for both the
ref advertisement and the actual receive-pack POSTs. This
alleviates the need for the admin to set http.receivepack in
the repositories, and means that the client is challenged
for credentials immediately, instead of partway through the
push process (and git clients older than v1.7.11.7 had
trouble handling these challenges).

Since detecting a push during the ref advertisement requires
matching the query string, and this is non-trivial to do in
Apache, we have traditionally punted and instructed users to
just protect "/git-receive-pack$".  This patch provides the
mod_rewrite recipe to actually match the ref advertisement,
which is preferred.

While we're at it, let's add the recipe to our test scripts
so that we can be sure that it works, and doesn't get broken
(either by our changes or by changes in Apache).

Signed-off-by: Jeff King <peff@peff.net>
---
This is on top of the jk/doc-http-backend topic.

Note that I have never used this in production, but it was pieced
together from various advice I found on the web, and I did confirm that
it works.

I kind of assume mod-rewrite is everywhere these days, so we could
potentially drop the fallback config completely, as it is likely to
confuse people.

 Documentation/git-http-backend.txt | 32 ++++++++++++++++++++++++--------
 t/lib-httpd/apache.conf            | 18 ++++++++++++++++++
 t/t5541-http-push.sh               | 30 ++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 8 deletions(-)

diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt
index cad18ce..e3bcdb5 100644
--- a/Documentation/git-http-backend.txt
+++ b/Documentation/git-http-backend.txt
@@ -80,7 +80,30 @@ To enable anonymous read access but authenticated write access,
 ----------------------------------------------------------------
 +
 To enable anonymous read access but authenticated write access,
-require authorization with a LocationMatch directive:
+require authorization for both the initial ref advertisement (which we
+detect as a push via the service parameter in the query string), and the
+receive-pack invocation itself:
++
+----------------------------------------------------------------
+RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
+RewriteCond %{REQUEST_URI} /git-receive-pack$
+RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
+
+<LocationMatch "^/git/">
+	Order Deny,Allow
+	Deny from env=AUTHREQUIRED
+
+	AuthType Basic
+	AuthName "Git Access"
+	Require group committers
+	Satisfy Any
+	...
+</LocationMatch>
+----------------------------------------------------------------
++
+If you do not have `mod_rewrite` available to match against the query
+string, it is sufficient to just protect `git-receive-pack` itself,
+like:
 +
 ----------------------------------------------------------------
 <LocationMatch "^/git/.*/git-receive-pack$">
@@ -207,13 +230,6 @@ auth.require = (
 # ...and set up auth.backend here
 ----------------------------------------------------------------
 +
-Note that unlike the similar setup with Apache, we can easily match the
-query string for receive-pack, catching the initial request from the
-client. This means that the server administrator does not have to worry
-about configuring `http.receivepack` for the repositories (the default
-value, which enables it only in the case of authentication, is
-sufficient).
-+
 To require authentication for both reads and writes:
 +
 ----------------------------------------------------------------
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index 938b4cf..542241b 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -40,6 +40,9 @@ ErrorLog error.log
 <IfModule !mod_authz_user.c>
 	LoadModule authz_user_module modules/mod_authz_user.so
 </IfModule>
+<IfModule !mod_authz_host.c>
+	LoadModule authz_host_module modules/mod_authz_host.so
+</IfModule>
 </IfVersion>
 
 PassEnv GIT_VALGRIND
@@ -110,6 +113,21 @@ SSLEngine On
 	Require valid-user
 </LocationMatch>
 
+RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
+RewriteCond %{REQUEST_URI} /git-receive-pack$
+RewriteRule ^/half-auth-complete/ - [E=AUTHREQUIRED:yes]
+
+<Location /half-auth-complete/>
+  Order Deny,Allow
+  Deny from env=AUTHREQUIRED
+
+  AuthType Basic
+  AuthName "Git Access"
+  AuthUserFile passwd
+  Require valid-user
+  Satisfy Any
+</Location>
+
 <IfDefine DAV>
 	LoadModule dav_module modules/mod_dav.so
 	LoadModule dav_fs_module modules/mod_dav_fs.so
diff --git a/t/t5541-http-push.sh b/t/t5541-http-push.sh
index 4086f02..beb00be 100755
--- a/t/t5541-http-push.sh
+++ b/t/t5541-http-push.sh
@@ -294,5 +294,35 @@ test_expect_success 'push to auth-only-for-push repo' '
 	test_cmp expect actual
 '
 
+test_expect_success 'create repo without http.receivepack set' '
+	cd "$ROOT_PATH" &&
+	git init half-auth &&
+	(
+		cd half-auth &&
+		test_commit one
+	) &&
+	git clone --bare half-auth "$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git"
+'
+
+test_expect_success 'clone via half-auth-complete does not need password' '
+	cd "$ROOT_PATH" &&
+	set_askpass wrong &&
+	git clone "$HTTPD_URL"/half-auth-complete/smart/half-auth.git \
+		half-auth-clone &&
+	expect_askpass none
+'
+
+test_expect_success 'push into half-auth-complete requires password' '
+	cd "$ROOT_PATH/half-auth-clone" &&
+	echo two >expect &&
+	test_commit two &&
+	set_askpass user@host &&
+	git push "$HTTPD_URL/half-auth-complete/smart/half-auth.git" &&
+	git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git" \
+		log -1 --format=%s >actual &&
+	expect_askpass both user@host &&
+	test_cmp expect actual
+'
+
 stop_httpd
 test_done
-- 
1.8.2.rc0.33.gd915649

Re: [PATCH 3/2] doc/http-backend: match query-string in apache half-auth example

[Jakub Narębski]

W dniu 13.04.2013 05:33, Jeff King pisze:

> When setting up a "half-auth" repository in which reads can
> be done anonymously but writes require authentication, it is
> best if the server can require authentication for both the
> ref advertisement and the actual receive-pack POSTs. [...]

Thanks for writing(and testing) this patch.
-- 
Jakub Narębski