diff options
| -rw-r--r-- | Documentation/git-http-backend.txt | 32 | ||||
| -rw-r--r-- | t/lib-httpd/apache.conf | 18 | ||||
| -rwxr-xr-x | t/t5541-http-push.sh | 30 |
3 files changed, 72 insertions, 8 deletions
diff --git a/Documentation/git-http-backend.txt b/Documentation/git-http-backend.txt index cad18ceb9d..e3bcdb50e3 100644 --- a/Documentation/git-http-backend.txt +++ b/Documentation/git-http-backend.txt @@ -80,7 +80,30 @@ ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ ---------------------------------------------------------------- + To enable anonymous read access but authenticated write access, -require authorization with a LocationMatch directive: +require authorization for both the initial ref advertisement (which we +detect as a push via the service parameter in the query string), and the +receive-pack invocation itself: ++ +---------------------------------------------------------------- +RewriteCond %{QUERY_STRING} service=git-receive-pack [OR] +RewriteCond %{REQUEST_URI} /git-receive-pack$ +RewriteRule ^/git/ - [E=AUTHREQUIRED:yes] + +<LocationMatch "^/git/"> + Order Deny,Allow + Deny from env=AUTHREQUIRED + + AuthType Basic + AuthName "Git Access" + Require group committers + Satisfy Any + ... +</LocationMatch> +---------------------------------------------------------------- ++ +If you do not have `mod_rewrite` available to match against the query +string, it is sufficient to just protect `git-receive-pack` itself, +like: + ---------------------------------------------------------------- <LocationMatch "^/git/.*/git-receive-pack$"> @@ -207,13 +230,6 @@ auth.require = ( # ...and set up auth.backend here ---------------------------------------------------------------- + -Note that unlike the similar setup with Apache, we can easily match the -query string for receive-pack, catching the initial request from the -client. This means that the server administrator does not have to worry -about configuring `http.receivepack` for the repositories (the default -value, which enables it only in the case of authentication, is -sufficient). -+ To require authentication for both reads and writes: + ---------------------------------------------------------------- diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf index 938b4cf803..542241b229 100644 --- a/t/lib-httpd/apache.conf +++ b/t/lib-httpd/apache.conf @@ -40,6 +40,9 @@ ErrorLog error.log <IfModule !mod_authz_user.c> LoadModule authz_user_module modules/mod_authz_user.so </IfModule> +<IfModule !mod_authz_host.c> + LoadModule authz_host_module modules/mod_authz_host.so +</IfModule> </IfVersion> PassEnv GIT_VALGRIND @@ -110,6 +113,21 @@ SSLEngine On Require valid-user </LocationMatch> +RewriteCond %{QUERY_STRING} service=git-receive-pack [OR] +RewriteCond %{REQUEST_URI} /git-receive-pack$ +RewriteRule ^/half-auth-complete/ - [E=AUTHREQUIRED:yes] + +<Location /half-auth-complete/> + Order Deny,Allow + Deny from env=AUTHREQUIRED + + AuthType Basic + AuthName "Git Access" + AuthUserFile passwd + Require valid-user + Satisfy Any +</Location> + <IfDefine DAV> LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so diff --git a/t/t5541-http-push.sh b/t/t5541-http-push.sh index 4b4b4a604f..8a9dc85931 100755 --- a/t/t5541-http-push.sh +++ b/t/t5541-http-push.sh @@ -295,5 +295,35 @@ test_expect_success 'push to auth-only-for-push repo' ' test_cmp expect actual ' +test_expect_success 'create repo without http.receivepack set' ' + cd "$ROOT_PATH" && + git init half-auth && + ( + cd half-auth && + test_commit one + ) && + git clone --bare half-auth "$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git" +' + +test_expect_success 'clone via half-auth-complete does not need password' ' + cd "$ROOT_PATH" && + set_askpass wrong && + git clone "$HTTPD_URL"/half-auth-complete/smart/half-auth.git \ + half-auth-clone && + expect_askpass none +' + +test_expect_success 'push into half-auth-complete requires password' ' + cd "$ROOT_PATH/half-auth-clone" && + echo two >expect && + test_commit two && + set_askpass user@host && + git push "$HTTPD_URL/half-auth-complete/smart/half-auth.git" && + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git" \ + log -1 --format=%s >actual && + expect_askpass both user@host && + test_cmp expect actual +' + stop_httpd test_done |