diff -urN smeserver-gitweb-1.1.0.org/createlinks smeserver-gitweb-1.1.0/createlinks
--- smeserver-gitweb-1.1.0.org/createlinks 2013-02-10 17:36:15.000000000 +1030
+++ smeserver-gitweb-1.1.0/createlinks 2016-02-17 10:07:37.486757581 +1030
@@ -6,7 +6,7 @@
 # Domain Modify
 # -------------
-for my $event ( qw( domain-modify ) )
+for my $event ( qw( domain-modify update-ifcfg ) )
 {
 safe_symlink("sigusr1", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
 templates2events("/etc/gitweb.conf", $event)
diff -urN smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress
--- smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress 1970-01-01 09:30:00.000000000 +0930
+++ smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress 2016-02-17 10:15:03.499265848 +1030
@@ -0,0 +1,13 @@
+{
+ # Retrieve the server local IP address
+ use esmith::NetworksDB;
+
+ my $networks_db = esmith::NetworksDB->open_ro() or
+ die "Could not open the NetworksDB";
+
+ # Get server private IP address and mask for access to the local network only
+ my $network_setting = $networks_db->local_access_spec('private');
+
+ $OUT .= "# The server local IP address and mask\n";
+ $OUT .= "\$local_network_setting = \"" . $network_setting . "\"\;\n";
+}
diff -urN smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook
--- smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook 2016-02-17 10:05:07.105784576 +1030
+++ smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook 2016-02-17 10:13:43.902517553 +1030
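Review bot: The event list in the `for my $event` loop of createlinks now includes `update-ifcfg`, but the value that 22LocalIPAddress bakes into /etc/gitweb.conf comes from the networks database, so any other event that changes that database would leave `$local_network_setting` stale until the next expansion. Before this change the hook read the database on every request, so a stale file is a new way for the local/internet decision to drift from the real network layout. If the platform raises separate events when local networks are added or removed, they should be listed here too, with a comment such as `# gitweb.conf embeds the local network spec; re-expand on every event that changes it`. The loop body continues past the end of the hunk.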
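Review bot: The last `$OUT` line of 22LocalIPAddress writes the database value between double quotes, so Perl interpolates it a second time when gitweb.conf is loaded, and nothing checks that `local_access_spec('private')` returned a usable value. Assuming the spec only ever holds dotted-quad addresses and masks, validate it before emitting, e.g. `die "Unexpected local access spec" unless defined $network_setting && $network_setting =~ /\A[\d.\/ ]+\z/;`, and emit it single-quoted: `$OUT .= "\$local_network_setting = '$network_setting';\n";`. Failing at template expansion is preferable to generating a config whose access check later runs on an empty or malformed network.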
@@ -17,12 +17,11 @@
 # Install a export authorisation hook to ensure Gitweb only list thise projects that the user
 # is authorised to see.
 # local_unauthorised internet_unauthorised local_authorised internet_authorised
-# internet anonymous pull Yes Yes Yes
+# internet anonymous pull Yes Yes Yes
 # local anonymous pull Yes No Yes
 # internet && authorised pull Yes No Yes
 # local && authorised pull Yes No Yes
-use esmith::NetworksDB;
 use esmith::GitDB;
 use MIME::Base64;
 use NetAddr::IP;
@@ -38,49 +37,47 @@ auth_error("401 Unauthorized", "You wanted to provide authorization, so I asked for it."); \} - + # Don't allow hidden .git dirs (like the toplevel one) return 0 if ($projectdir =~ m-/.git-); - + if ($action =~ m/^(?:opml|project_list|project_index)$/) \{ # They're viewing an index. - + # If gitweb-noindex is in the repo, disallow it now. return 0 if (-e "$projectdir/gitweb-noindex"); - + $isindex = 1; \} - - # Check authorisation - - my $repository_view_allowed = 0; + + # Check authorisation + + my $repository_view_allowed = 0; my $internet_access_allowed = 0; my $host_request_allowed = 0; # Will be 1 when the view is allowed based on the current host address and 'allow_access_from' setting my $anonymous_pull = 0; # Will be 1 when the repository does not require pull authorisation - my $authorised_repository_view_allowed = 0; # Will be 1 when the authorised user has pull permissions on the repository + my $authorised_repository_view_allowed = 0; # Will be 1 when the authorised user has pull permissions on the repository my $pull_users = ''; # Retrieve project properties from DB - + if($projectdir =~ (/(.*?)\.git/)) \{ my $projectname = basename($1); # Retrieve project properties from database my $git_db = esmith::GitDB->open_ro() or auth_error( "500 Internal Error", "Could not open the Git repository database! Does the web server have permission to read the git database file?" ); - - my $repository = $git_db->get($projectname) or + + my $repository = $git_db->get($projectname) or auth_error( "500 Internal Error", "The git repository '$projectname' does not seem to exist in the repository database!" ); - - my %properties = $repository->props; + + my %properties = $repository->props; # Check if the request is from a local IP address for this host - my $networks_db = esmith::NetworksDB->open_ro() or - auth_error( "500 Internal Error", "Could not open the networks database!" 
); - + # Get server private IP address and mask for access to the local network only - my @network_setting = split(/[\/ ]/, $networks_db->local_access_spec('private')); - + my @network_setting = split(/[\/ ]/, $local_network_setting ); + # Check if the REMOTE_ADDR is within the range of the 'private' address for this server my $remote_addr = NetAddr::IP->new( $ENV\{'REMOTE_ADDR'\} ); if( $remote_addr->within( new NetAddr::IP @network_setting[1], @network_setting[2] ) ) \{ @@ -105,18 +102,18 @@ # For the remaining access from the internet, we need an authorised user # that is allowed to either pull or push this repository. - + # Check if we have: # a) a user that is listed in the repository pull or push permissions # b) valid credentials i.e password can be validated. if( $ENV\{'HTTP_AUTHORIZATION'\} ) \{ my @http_authorisation = split(/ /, $ENV\{'HTTP_AUTHORIZATION'\} ); my @http_digest = split( /:/, decode_base64( @http_authorisation[1] ) ); - + # See who the effective users are for this repository. The AccountsDB needs # to have world read permissions to allow this to work. - my $effective_pull_users = $git_db->effective_users_list_from( $properties\{'pull_groups'\}, - $properties\{'pull_users'\} ); + my $effective_pull_users = $git_db->effective_users_list_from( $properties\{'pull_groups'\}, + $properties\{'pull_users'\} ); if( @http_digest[0] ~~ $effective_pull_users ) \{ # USER IN AUTHORISED LIST -> CHECK PASSWORD if( trypass( @http_digest[0], @http_digest[1] ) == 0 ) \{ @@ -131,7 +128,7 @@ return 0; # EXIT NO AUTHORISATION SUPPLIED -> DENY REPOSITORY VIEW \} \} - + # Not reached. No access. return 0; \};
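Review bot: The new `split(/[\/ ]/, $local_network_setting )` line in the `@@ -38,49 +37,47 @@` hunk trusts a variable from the generated config without any check, whereas the removed lines answered with a 500 when the networks database could not be opened. If gitweb.conf was expanded without the 22LocalIPAddress fragment, `@network_setting[1]` and `@network_setting[2]` are undefined, and what `new NetAddr::IP` makes of them then decides who is treated as local, which may be broader than intended. Keep the fail-closed path by adding, before the split, `auth_error( "500 Internal Error", "Local network setting is missing from gitweb.conf!" ) unless defined $local_network_setting && length $local_network_setting;`. The split also appears to use only one network/mask pair from the spec, which deserves a comment if that is deliberate. The enclosing hook sub starts and ends outside this hunk.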