| 1 |
brianr |
1.1 |
diff -urN smeserver-gitweb-1.1.0.org/createlinks smeserver-gitweb-1.1.0/createlinks |
| 2 |
|
|
--- smeserver-gitweb-1.1.0.org/createlinks 2013-02-10 17:36:15.000000000 +1030 |
| 3 |
|
|
+++ smeserver-gitweb-1.1.0/createlinks 2016-02-17 10:07:37.486757581 +1030 |
| 4 |
|
|
@@ -6,7 +6,7 @@ |
| 5 |
|
|
# Domain Modify |
| 6 |
|
|
# ------------- |
| 7 |
|
|
|
| 8 |
|
|
-for my $event ( qw( domain-modify ) ) |
| 9 |
|
|
+for my $event ( qw( domain-modify update-ifcfg ) ) |
| 10 |
|
|
{ |
| 11 |
|
|
safe_symlink("sigusr1", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); |
| 12 |
|
|
templates2events("/etc/gitweb.conf", $event) |
| 13 |
|
|
diff -urN smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress |
| 14 |
|
|
--- smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress 1970-01-01 09:30:00.000000000 +0930 |
| 15 |
|
|
+++ smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/22LocalIPAddress 2016-02-17 10:15:03.499265848 +1030 |
| 16 |
|
|
@@ -0,0 +1,13 @@ |
| 17 |
|
|
+{ |
| 18 |
|
|
+ # Retrieve the server local IP address |
| 19 |
|
|
+ use esmith::NetworksDB; |
| 20 |
|
|
+ |
| 21 |
|
|
+ my $networks_db = esmith::NetworksDB->open_ro() or |
| 22 |
|
|
+ die "Could not open the NetworksDB"; |
| 23 |
|
|
+ |
| 24 |
|
|
+ # Get server private IP address and mask for access to the local network only |
| 25 |
|
|
+ my $network_setting = $networks_db->local_access_spec('private'); |
| 26 |
|
|
+ |
| 27 |
|
|
+ $OUT .= "# The server local IP address and mask\n"; |
| 28 |
|
|
+ $OUT .= "\$local_network_setting = \"" . $network_setting . "\"\;\n"; |
| 29 |
|
|
+} |
| 30 |
|
|
diff -urN smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook |
| 31 |
|
|
--- smeserver-gitweb-1.1.0.org/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook 2016-02-17 10:05:07.105784576 +1030 |
| 32 |
|
|
+++ smeserver-gitweb-1.1.0/root/etc/e-smith/templates/etc/gitweb.conf/60ExportAuthHook 2016-02-17 10:13:43.902517553 +1030 |
| 33 |
|
|
@@ -17,12 +17,11 @@ |
| 34 |
|
|
# Install a export authorisation hook to ensure Gitweb only list thise projects that the user |
| 35 |
|
|
# is authorised to see. |
| 36 |
|
|
# local_unauthorised internet_unauthorised local_authorised internet_authorised |
| 37 |
|
|
-# internet anonymous pull Yes Yes Yes |
| 38 |
|
|
+# internet anonymous pull Yes Yes Yes |
| 39 |
|
|
# local anonymous pull Yes No Yes |
| 40 |
|
|
# internet && authorised pull Yes No Yes |
| 41 |
|
|
# local && authorised pull Yes No Yes |
| 42 |
|
|
|
| 43 |
|
|
-use esmith::NetworksDB; |
| 44 |
|
|
use esmith::GitDB; |
| 45 |
|
|
use MIME::Base64; |
| 46 |
|
|
use NetAddr::IP; |
| 47 |
|
|
@@ -38,49 +37,47 @@ |
| 48 |
|
|
auth_error("401 Unauthorized", |
| 49 |
|
|
"You wanted to provide authorization, so I asked for it."); |
| 50 |
|
|
\} |
| 51 |
|
|
- |
| 52 |
|
|
+ |
| 53 |
|
|
# Don't allow hidden .git dirs (like the toplevel one) |
| 54 |
|
|
return 0 if ($projectdir =~ m-/.git-); |
| 55 |
|
|
- |
| 56 |
|
|
+ |
| 57 |
|
|
if ($action =~ m/^(?:opml|project_list|project_index)$/) \{ |
| 58 |
|
|
# They're viewing an index. |
| 59 |
|
|
- |
| 60 |
|
|
+ |
| 61 |
|
|
# If gitweb-noindex is in the repo, disallow it now. |
| 62 |
|
|
return 0 if (-e "$projectdir/gitweb-noindex"); |
| 63 |
|
|
- |
| 64 |
|
|
+ |
| 65 |
|
|
$isindex = 1; |
| 66 |
|
|
\} |
| 67 |
|
|
- |
| 68 |
|
|
- # Check authorisation |
| 69 |
|
|
- |
| 70 |
|
|
- my $repository_view_allowed = 0; |
| 71 |
|
|
+ |
| 72 |
|
|
+ # Check authorisation |
| 73 |
|
|
+ |
| 74 |
|
|
+ my $repository_view_allowed = 0; |
| 75 |
|
|
my $internet_access_allowed = 0; |
| 76 |
|
|
my $host_request_allowed = 0; # Will be 1 when the view is allowed based on the current host address and 'allow_access_from' setting |
| 77 |
|
|
my $anonymous_pull = 0; # Will be 1 when the repository does not require pull authorisation |
| 78 |
|
|
- my $authorised_repository_view_allowed = 0; # Will be 1 when the authorised user has pull permissions on the repository |
| 79 |
|
|
+ my $authorised_repository_view_allowed = 0; # Will be 1 when the authorised user has pull permissions on the repository |
| 80 |
|
|
my $pull_users = ''; |
| 81 |
|
|
|
| 82 |
|
|
# Retrieve project properties from DB |
| 83 |
|
|
- |
| 84 |
|
|
+ |
| 85 |
|
|
if($projectdir =~ (/(.*?)\.git/)) \{ |
| 86 |
|
|
my $projectname = basename($1); |
| 87 |
|
|
|
| 88 |
|
|
# Retrieve project properties from database |
| 89 |
|
|
my $git_db = esmith::GitDB->open_ro() or |
| 90 |
|
|
auth_error( "500 Internal Error", "Could not open the Git repository database! Does the web server have permission to read the git database file?" ); |
| 91 |
|
|
- |
| 92 |
|
|
- my $repository = $git_db->get($projectname) or |
| 93 |
|
|
+ |
| 94 |
|
|
+ my $repository = $git_db->get($projectname) or |
| 95 |
|
|
auth_error( "500 Internal Error", "The git repository '$projectname' does not seem to exist in the repository database!" ); |
| 96 |
|
|
- |
| 97 |
|
|
- my %properties = $repository->props; |
| 98 |
|
|
+ |
| 99 |
|
|
+ my %properties = $repository->props; |
| 100 |
|
|
|
| 101 |
|
|
# Check if the request is from a local IP address for this host |
| 102 |
|
|
- my $networks_db = esmith::NetworksDB->open_ro() or |
| 103 |
|
|
- auth_error( "500 Internal Error", "Could not open the networks database!" ); |
| 104 |
|
|
- |
| 105 |
|
|
+ |
| 106 |
|
|
# Get server private IP address and mask for access to the local network only |
| 107 |
|
|
- my @network_setting = split(/[\/ ]/, $networks_db->local_access_spec('private')); |
| 108 |
|
|
- |
| 109 |
|
|
+ my @network_setting = split(/[\/ ]/, $local_network_setting ); |
| 110 |
|
|
+ |
| 111 |
|
|
# Check if the REMOTE_ADDR is within the range of the 'private' address for this server |
| 112 |
|
|
my $remote_addr = NetAddr::IP->new( $ENV\{'REMOTE_ADDR'\} ); |
| 113 |
|
|
if( $remote_addr->within( new NetAddr::IP @network_setting[1], @network_setting[2] ) ) \{ |
| 114 |
|
|
@@ -105,18 +102,18 @@ |
| 115 |
|
|
|
| 116 |
|
|
# For the remaining access from the internet, we need an authorised user |
| 117 |
|
|
# that is allowed to either pull or push this repository. |
| 118 |
|
|
- |
| 119 |
|
|
+ |
| 120 |
|
|
# Check if we have: |
| 121 |
|
|
# a) a user that is listed in the repository pull or push permissions |
| 122 |
|
|
# b) valid credentials i.e password can be validated. |
| 123 |
|
|
if( $ENV\{'HTTP_AUTHORIZATION'\} ) \{ |
| 124 |
|
|
my @http_authorisation = split(/ /, $ENV\{'HTTP_AUTHORIZATION'\} ); |
| 125 |
|
|
my @http_digest = split( /:/, decode_base64( @http_authorisation[1] ) ); |
| 126 |
|
|
- |
| 127 |
|
|
+ |
| 128 |
|
|
# See who the effective users are for this repository. The AccountsDB needs |
| 129 |
|
|
# to have world read permissions to allow this to work. |
| 130 |
|
|
- my $effective_pull_users = $git_db->effective_users_list_from( $properties\{'pull_groups'\}, |
| 131 |
|
|
- $properties\{'pull_users'\} ); |
| 132 |
|
|
+ my $effective_pull_users = $git_db->effective_users_list_from( $properties\{'pull_groups'\}, |
| 133 |
|
|
+ $properties\{'pull_users'\} ); |
| 134 |
|
|
if( @http_digest[0] ~~ $effective_pull_users ) \{ |
| 135 |
|
|
# USER IN AUTHORISED LIST -> CHECK PASSWORD |
| 136 |
|
|
if( trypass( @http_digest[0], @http_digest[1] ) == 0 ) \{ |
| 137 |
|
|
@@ -131,7 +128,7 @@ |
| 138 |
|
|
return 0; # EXIT NO AUTHORISATION SUPPLIED -> DENY REPOSITORY VIEW |
| 139 |
|
|
\} |
| 140 |
|
|
\} |
| 141 |
|
|
- |
| 142 |
|
|
+ |
| 143 |
|
|
# Not reached. No access. |
| 144 |
|
|
return 0; |
| 145 |
|
|
\}; |
Parent Directory
| 
Revision Log
| 
Revision Graph
