From: "Áshin László" <ashinlaszlo@gmail.com>
To: git@vger.kernel.org
Cc: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Junio C Hamano" <gitster@pobox.com>,
"László ÁSHIN" <laszlo.ashin@neti.hu>
Subject: [PATCH 1/5] git-cvsserver: implement script based pserver auth
Date: Tue, 6 Jul 2010 19:34:43 +0200
Message-ID: <AANLkTilguZZVVstmJvEDudhRP5Ko6m-ajtn9d7nIl3UR@mail.gmail.com>
In-Reply-To: <449772932078145114@unknownmsgid>
---
Documentation/git-cvsserver.txt | 42 +++++++++++++++++++++++++++---
git-cvsserver.perl | 34 ++++++++++++++++++++++++
t/t9400-git-cvsserver-server.sh | 55 +++++++++++++++++++++++++++++++++++++++
3 files changed, 127 insertions(+), 4 deletions(-)
diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index 7004dd2..59c8e5d 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -100,10 +100,44 @@ looks like
------
Only anonymous access is provided by pserve by default. To commit you
-will have to create pserver accounts, simply add a gitcvs.authdb
-setting in the config file of the repositories you want the cvsserver
-to allow writes to, for example:
+will have to specify an authentication option in the config file.
+Currently there are two options are available for authentication through
+pserver in git-cvsserver: one through an authenticator script and an other
+through a textual authentication database.
+
+ a. To use the authentication script based method, simply add a
+ gitcvs.authscript setting in the config file of the repositories you want
+ the cvsserver to allow writes to, for example:
++
+--
+------
+
+ [gitcvs]
+ authscript = /usr/local/bin/cvsserver-auth.sh
+
+------
+The file specified here must be executable by the user the git-cvsserver runs
+under. The script will receive two lines on standard input, the first is the
+username and the second is the password. It should return 0 if the user was
+successfully authenticated, and a non-zero value if not.
+Here is an example for an authentication script which checks the users against
+active directory:
+------
+#!/bin/sh
+# /usr/local/bin/cvsserver-auth.sh
+read username
+read password
+
+wbinfo -a "${username}%${password}"
+------
+--
+
+ b. To use the authentication database based method, simply add a
+ gitcvs.authdb setting in the config file of the repositories you want the
+ cvsserver to allow writes to, for example:
++
+--
------
[gitcvs]
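
Review bot: In the example cvsserver-auth.sh, `wbinfo -a "${username}%${password}"` passes the password as a command-line argument, where it can be read from the process list by other local users while the check runs, and a username containing `%` shifts where the user/password split falls. The documentation should either say so or use an example checker that takes the secret on standard input. Both `read` calls should be `read -r` so that a backslash in a password is not consumed. Wording in the new paragraph also needs a pass: "there are two options are available" and "an other".
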
@@ -125,7 +159,7 @@ Alternatively you can produce the password with
perl's crypt() operator:
-----
perl -e 'my ($user, $pass) = @ARGV; printf "%s:%s\n", $user,
crypt($user, $pass)' $USER password
-----
-
+--
Then provide your password via the pserver method, for example:
------
cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
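
Review bot: The unchanged context in this hunk still shows `crypt($user, $pass)`; Perl's crypt() takes the plaintext first and the salt second, so this one-liner hashes the user name with the password as salt. Since the patch is already restructuring this section, it would be a good place to correct the example, or at least to note it for a follow-up patch. The hunk header and the `perl -e` line are also broken across two lines here, which suggests the mail client wrapped the patch.
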
diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index e9f3037..c89d999 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -197,6 +197,40 @@ if ($state->{method} eq 'pserver') {
}
# Fall through to LOVE
+ } elsif (exists $cfg->{gitcvs}->{authscript} and
+ exists $cfg->{gitcvs}->{authdb}) {
+ print "E Ambiguous configuration of authentication methods. " .
+ "Only one authentication method can be enabled at once\n";
+ print "I HATE YOU\n";
+ exit 1;
+ } elsif (exists $cfg->{gitcvs}->{authscript}) {
+ my $authscript = $cfg->{gitcvs}->{authscript};
+
+ unless (-x $authscript) {
+ print "E The authentication script specified in " .
+ "[gitcvs.authscript] cannot be executed\n";
+ print "I HATE YOU\n";
+ exit 1;
+ }
+
+ open my $script_fd, '|-', "'$authscript'"
+ or die "Couldn't open authentication script '$authscript': $!";
+
+ if (length($password) > 0) {
+ $password = descramble($password);
+ }
+
+ print $script_fd "$user\n";
+ print $script_fd "$password\n";
+ close $script_fd;
+
+ unless ($? == 0) {
+ print "E External script authentication failed.\n";
+ print "I HATE YOU\n";
+ exit 1;
+ }
+
+ # Fall through to LOVE
} else {
# Trying to authenticate a user
if (not exists $cfg->{gitcvs}->{authdb}) {
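
Review bot: `open my $script_fd, '|-', "'$authscript'"` builds a shell command by wrapping the configured path in single quotes, so a path that itself contains a single quote ends the quoting and the remainder is parsed by the shell. Start the script without a shell (fork, then exec with the path as a single argument) or reject such paths up front with an "E" message. The two `print $script_fd` calls and the `close` are also unguarded: if the script exits before reading its input, the write can raise SIGPIPE and end the server before it prints "I HATE YOU", and the `die` on open failure likewise skips the protocol reply. Handling both cases explicitly keeps every failure path answering the client the same way.
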
diff --git a/t/t9400-git-cvsserver-server.sh b/t/t9400-git-cvsserver-server.sh
index 8639506..ab5cb26 100755
--- a/t/t9400-git-cvsserver-server.sh
+++ b/t/t9400-git-cvsserver-server.sh
@@ -64,6 +64,16 @@ test_expect_success 'basic checkout' \
# PSERVER AUTHENTICATION
#------------------------
+cat >"$SERVERDIR/authscript.sh" <<EOF
+#!/bin/sh
+read username
+read password
+
+test "\$username" = cvsuser -a "\$password" = cvspassword
+EOF
+
+chmod a+x "$SERVERDIR/authscript.sh"
+
cat >request-anonymous <<EOF
BEGIN AUTH REQUEST
$SERVERDIR
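
Review bot: `test "\$username" = cvsuser -a "\$password" = cvspassword` in the generated authscript.sh relies on `test -a`, which POSIX marks obsolescent and which can be misparsed when an operand looks like an operator; write it as `test "\$username" = cvsuser && test "\$password" = cvspassword`. The `read` calls should be `read -r`, and quoting the here-document delimiter (`<<\EOF`) would remove the need for the `\$` escapes.
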
@@ -134,6 +144,51 @@ test_expect_success 'pserver authentication
failure (login/non-anonymous user)'
fi &&
sed -ne \$p log | grep "^I HATE YOU\$"'
+GIT_DIR="$SERVERDIR" git config gitcvs.authscript
"$SERVERDIR/authscript.sh" || exit 1
+
+test_expect_success 'pserver authentication failure (both
authentication methods)' \
+ 'if cat request-git | git-cvsserver pserver >log 2>&1
+ then
+ false
+ else
+ true
+ fi &&
+ sed -ne \$p log | grep "^I HATE YOU\$"'
+
+GIT_DIR="$SERVERDIR" git config --unset gitcvs.authdb || exit 1
+
+test_expect_success 'pserver authentication (authscript)' \
+ 'cat request-anonymous | git-cvsserver pserver >log 2>&1 &&
+ sed -ne \$p log | grep "^I LOVE YOU\$"'
+
+test_expect_success 'pserver authentication failure (authscript,
non-anonymous user)' \
+ 'if cat request-git | git-cvsserver pserver >log 2>&1
+ then
+ false
+ else
+ true
+ fi &&
+ sed -ne \$p log | grep "^I HATE YOU\$"'
+
+test_expect_success 'pserver authentication success (authscript,
non-anonymous user with password)' \
+ 'cat login-git-ok | git-cvsserver pserver >log 2>&1 &&
+ sed -ne \$p log | grep "^I LOVE YOU\$"'
+
+test_expect_success 'pserver authentication (authscript, login)' \
+ 'cat login-anonymous | git-cvsserver pserver >log 2>&1 &&
+ sed -ne \$p log | grep "^I LOVE YOU\$"'
+
+test_expect_success 'pserver authentication failure (authscript,
login/non-anonymous user)' \
+ 'if cat login-git | git-cvsserver pserver >log 2>&1
+ then
+ false
+ else
+ true
+ fi &&
+ sed -ne \$p log | grep "^I HATE YOU\$"'
+
+GIT_DIR="$SERVERDIR" git config --unset gitcvs.authscript || exit 1
+GIT_DIR="$SERVERDIR" git config gitcvs.authdb "$SERVERDIR/auth.db" || exit 1
# misuse pserver authentication for testing of req_Root
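
Review bot: Several added lines in this hunk are wrapped, for example `GIT_DIR="$SERVERDIR" git config gitcvs.authscript` followed by `"$SERVERDIR/authscript.sh" || exit 1` on its own line, and the test titles ending in "(both", "(authscript," that continue on an unprefixed line. As sent, the patch will not apply, and if the lines were taken literally the config command would run without its value. Please resend with a mail setup that does not wrap lines. The `git config` and `git config --unset` steps would also be better placed inside a `test_expect_success` block than run at top level with `|| exit 1`, so that a setup failure is reported as a test failure.
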
--
1.7.0.4