search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
apache.conf.in: use @@certsdir@@ not @@webroot@@/../certs
[girocco.git] / bin / git-http-backend-verify
blobba19dd37fc59cd0385072463478c2fe634882a90
1 #!/bin/sh
2 #
3 # Abort any push early if the pushing user doesn't have any push permissions
4 # at all. This avoids unnecessary traffic and unpacked object pollution.
5 #
6 # Set GIT_HTTP_BACKEND_BIN to change the default http-backend binary from
7 # the default of Config.pm $git_http_backend_bin (which itself has a default
8 # of "/usr/lib/git-core/git-http-backend")
9 #
10 # Note that GIT_PROJECT_ROOT is automatically set to $cfg_reporoot and exported
11 # any incoming value for it will be ignored.
12 #
13 # Note that GIT_HTTP_EXPORT_ALL is automatically set to 1 and exported.
14 #
15 # Also prevents standard error output from git-http-backend cluttering up the
16 # server's log unless GIT_HTTP_BACKEND_SHOW_ERRORS is set to a non-empty value.
17 #
18 # Bundle fetches are handled in this script as well.
19
20 set -e
21
22 . @basedir@/shlib.sh
23
24 unset GIT_USER_AGENT
25 unset GIT_HTTP_USER_AGENT
26 if [ -n "$defined_cfg_git_server_ua" ]; then
27 GIT_USER_AGENT="$cfg_git_server_ua"
28 export GIT_USER_AGENT
29 fi
30 if [ -n "$cfg_SmartHTTPOnly" ] && [ "$cfg_SmartHTTPOnly" != "0" ]; then
31 git_add_config "http.getanyfile=false"
32 fi
33
34 [ -z "$GIT_HTTP_BACKEND_BIN" ] || cfg_git_http_backend_bin="$GIT_HTTP_BACKEND_BIN"
35 [ -n "$cfg_git_http_backend_bin" ] ||
36 cfg_git_http_backend_bin="$var_git_exec_path/git-http-backend"
37
38 GIT_PROJECT_ROOT="$cfg_reporoot"
39 GIT_HTTP_EXPORT_ALL=1
40 export GIT_PROJECT_ROOT
41 export GIT_HTTP_EXPORT_ALL
42
43 # This script is called for both fetch and push.
44 # Only the following conditions trigger a push permissions check:
45 #
46 # 1. REQUEST_METHOD=GET
47 # and PATH_INFO ends with "/info/refs"
48 # and QUERY_STRING has "service=git-receive-pack"
49 #
50 # 2. REQUEST_METHOD=POST
51 # and PATH_INFO ends with "/git-receive-pack"
52 #
53 # Note that there is no check for PATH_INFO being under a certain root as
54 # GIT_PROJECT_ROOT will be exported and set so all PATH_INFO values are
55 # effectively forced under the desired root.
56 #
57 # The REQUEST_METHOD is validated. For smart HTTP requests only the project
58 # name is extracted and validated and the corresponding project directory must
59 # exist under $cfg_reporoot. Non-smart HTTP fetch requests (GET or HEAD) are
60 # passed on unchanged and unchecked.
61
62 errorhdrsct()
63 {
64 _ct="$1"; shift
65 printf '%s\r\n' "Status: $1 $2"
66 printf '%s\r\n' "Expires: Fri, 01 Jan 1980 00:00:00 GMT"
67 printf '%s\r\n' "Pragma: no-cache"
68 printf '%s\r\n' "Cache-Control: no-cache,max-age=0,must-revalidate"
69 [ -z "$3" ] || printf '%s\r\n' "$3"
70 printf '%s\r\n' "Content-Type: $_ct"
71 printf '\r\n'
72 }
73
74 errorhdrs()
75 {
76 errorhdrsct 'text/plain; charset=utf-8; format=fixed' "$@"
77 }
78
79 msglines()
80 {
81 [ $# -le 0 ] || printf '%s\n' "$@"
82 }
83
84 internalerr()
85 {
86 errorhdrs 500 "Internal Server Error"
87 [ $# -gt 0 ] || set -- "Internal Server Error"
88 msglines "$@" >&2
89 msglines "$@"
90 exit 0
91 }
92
93 methodnotallowed()
94 {
95 errorhdrs 405 "Method Not Allowed" "Allow: GET,HEAD,POST"
96 [ $# -gt 0 ] || set -- "Method Not Allowed"
97 msglines "$@"
98 exit 0
99 }
100
101 forbidden()
102 {
103 errorhdrs 403 Forbidden
104 [ $# -gt 0 ] || set -- "Forbidden"
105 msglines "$@"
106 exit 0
107 }
108
109 notfound()
110 {
111 errorhdrs 404 "Not Found"
112 [ $# -gt 0 ] || set -- "Not Found"
113 msglines "$@"
114 exit 0
115 }
116
117 needsauth()
118 {
119 unset AUTHREQUIRED_MESSAGE
120 msg="$*"
121 if [ -n "$msg" ]; then
122 AUTHREQUIRED_MESSAGE="$msg"
123 export AUTHREQUIRED_MESSAGE
124 fi
125 exec "$cfg_cgiroot/authrequired.cgi" || :
126 # fallback in case exec fails
127 errorhdrs 401 "Authorization Required"
128 [ $# -gt 0 ] || set -- "Authorization Required"
129 msglines "$@"
130 exit 0
131 }
132
133 # Single argument is an absolute PATH (NOT a URI) to 302 redirect to
134 # The appropriate http pull URL path prefix is automatically inserted
135 redir()
136 {
137 _pullurl="$cfg_httpbundleurl"
138 [ -n "$_pullurl" ] || _pullurl="$cfg_httpspushurl"
139 [ -n "$_pullurl" ] || _pullurl="$cfg_httppullurl"
140 _absbase="${_pullurl%/}/"
141 _absbase="${absbase##*://}"
142 _absbase="${absbase##*/}"
143 [ -z "$_absbase" ] || _absbase="/$_absbase"
144 _loc="https"
145 [ "$HTTPS" = "on" ] || _loc="http"
146 _loc="$_loc://$SERVER_NAME"
147 [ "$HTTPS" != "on" ] || [ "$SERVER_PORT" = "443" ] || _loc="$_loc:$SERVER_PORT"
148 [ "$HTTPS" = "on" ] || [ "$SERVER_PORT" = "80" ] || _loc="$_loc:$SERVER_PORT"
149 _loc="$_loc$_absbase"
150 case "$1" in /*) :;; *) _loc="$_loc/";; esac
151 _loc="$_loc$1"
152 errorhdrsct 'text/html; charset=utf-8' 302 "Found" "Location: $_loc"
153 if [ "$REQUEST_METHOD" != "HEAD" ]; then
154 printf '<p>Temporarily redirected to <a href="%s">%s</a></p>\n' \
155 "$_loc" "$_loc"
156 fi
157 exit 0
158 }
159
160 # A quick sanity check
161 if [ -z "$cfg_git_http_backend_bin" ] || ! [ -x "$cfg_git_http_backend_bin" ]; then
162 internalerr "bad cfg_git_http_backend_bin: $cfg_git_http_backend_bin"
163 exit 1
164 fi
165 case "$cfg_reporoot" in /?*) :;; *)
166 internalerr "bad reporoot: $cfg_reporoot"
167 exit 1
168 esac
169 [ -n "$GIT_PROJECT_ROOT" ] || { internalerr 'GIT_PROJECT_ROOT must be set'; exit 1; }
170
171 PATH="$(dirname "$cfg_git_http_backend_bin"):$PATH"
172 export PATH
173
174 digit='[0-9]'
175 digit6="$digit$digit$digit$digit$digit$digit"
176 digit8="$digit6$digit$digit"
177 proj=
178 smart=
179 bundle=
180 suffix=
181 needsauthcheck=
182 pathcheck="${PATH_INFO#/}"
183 if [ "$REQUEST_METHOD" = "GET" ] || [ "$REQUEST_METHOD" = "HEAD" ]; then
184 # We do not currently validate non-smart GET/HEAD requests.
185 # There are only 8 possible suffix values that need to be allowed for
186 # non-smart HTTP GET/HEAD fetches (see http-backend.c):
187 # /HEAD
188 # /info/refs
189 # /objects/info/alternates
190 # /objects/info/http-alternates
191 # /objects/info/packs
192 # /objects/[0-9a-f]{2}/[0-9a-f]{38}
193 # /objects/pack/pack-[0-9a-f]{40}.idx
194 # /objects/pack/pack-[0-9a-f]{40}.pack
195 # We do, however, need to recognize a /*.bundle fetch so that
196 # we can properly handle it.
197 case "$pathcheck" in
198 *"/info/refs")
199 proj="${pathcheck%/info/refs}"
200 case "&$QUERY_STRING&" in
201 *"&service=git-receive-pack&"*)
202 smart=1
203 needsauthcheck=1
204 suffix=info/refs
205 ;;
206 *"&service=git-upload-pack&"*)
207 smart=1
208 suffix=info/refs
209 ;;
210 esac
211 ;;
212 */*[!./].bundle)
213 bundle=1
214 smart=1
215 proj="${pathcheck%/*.bundle}"
216 suffix="${pathcheck#$proj/}"
217 ;;
218 esac
219 elif [ "$REQUEST_METHOD" = "POST" ]; then
220 case "$pathcheck" in
221 *"/git-receive-pack")
222 smart=1
223 needsauthcheck=1
224 proj="${pathcheck%/git-receive-pack}"
225 suffix=git-receive-pack
226 ;;
227 *"/git-upload-pack")
228 smart=1
229 proj="${pathcheck%/git-upload-pack}"
230 suffix=git-upload-pack
231 ;;
232 *)
233 forbidden
234 exit 1
235 ;;
236 esac
237 else
238 methodnotallowed
239 exit 1
240 fi
241
242 # Reject any project names that start with _ or contain ..
243 case "$pathcheck" in _*|*..*)
244 forbidden
245 esac
246
247 if [ -n "$smart" ]; then
248 # add a missing trailing .git
249 case "$proj" in
250 *.git) :;;
251 *)
252 proj="$proj.git"
253 esac
254
255 projbare="${proj%.git}"
256 reporoot="$cfg_reporoot"
257 dir="$reporoot/$proj"
258
259 # Valid project names never end in .git (we add that automagically), so a valid
260 # fork can never have .git at the end of any path component except the last.
261 # We check this to avoid a situation where a certain collection of pushed refs
262 # could be mistaken for a GIT_DIR. Git would ultimately complain, but some
263 # undesirable things could happen along the way.
264
265 # Remove the leading $reporoot and trailing .git to get a test string
266 testpath="${dir#$reporoot/}"
267 testpath="${testpath%.git}"
268 case "$testpath/" in *.[Gg][Ii][Tt]/*|_*)
269 forbidden
270 exit 1
271 esac
272
273 if ! [ -d "$dir" ] || ! [ -f "$dir/HEAD" ] || ! [ -d "$dir/objects" ]; then
274 forbidden
275 exit 1
276 fi
277 fi
278
279 if [ -n "$bundle" ]; then
280 # We support two kinds of bundles:
281 # 1) /path/to/foo.git/clone.bundle
282 # 2) /path/to/foo.git/foo-????????.bundle
283 # The first ALWAYS returns a 302 or 404 response
284 # The second ALWAYS returns a 404 or success
285 isredir=
286 projbase="${projbare##*/}"
287 case "$suffix" in
288 "clone.bundle")
289 isredir=1
290 ;;
291 "$projbase-"$octet4".bundle")
292 :;;
293 *)
294 forbidden
295 exit 1
296 esac
297 if [ -n "$isredir" ]; then
298 # A bundles/latest symlink must exist and
299 # point to an existing file in the same directory
300 # matching the magic format (\d{8}_\d{6}-$octet4)
301 if ! [ -L "$dir/bundles/latest" ] || ! [ -f "$dir/bundles/latest" ]; then
302 notfound
303 exit 0
304 fi
305 linked="$(readlink "$dir/bundles/latest")" || { notfound; exit 0; }
306 case "$linked" in ${digit8}_$digit6-$octet4) :;; *)
307 notfound
308 exit 0
309 esac
310 bundlefile="$dir/bundles/$linked"
311 linked="$projbase-${linked#????????_??????-}"
312 else
313 bundleid="${suffix%.bundle}"
314 bundleid="${bundleid##*-}"
315 bundlepat="${digit8}_$digit6-$bundleid"
316 bundlefile="$(printf '%s\n' "$dir/bundles/"$bundlepat 2>/dev/null)" || :
317 if [ "$dir/bundles/$bundlepat" = "$bundlefile" ] || ! [ -f "$bundlefile" ]; then
318 notfound
319 exit 0
320 fi
321 fi
322 { {
323 read -r bundlehdr || :
324 read -r bundlepck || :
325 } <"$bundlefile"; } 2>/dev/null || :
326 [ -n "$bundlehdr" ] && [ -n "$bundlepck" ] || { notfound; exit 0; }
327 # Non-absolute paths are relative to the repository's objects/pack dir
328 case "$bundlehdr" in /*) :;; *)
329 bundlehdr="$dir/objects/pack/$bundlehdr"
330 esac
331 case "$bundlepck" in /*) :;; *)
332 bundlepck="$dir/objects/pack/$bundlepck"
333 esac
334 [ -f "$bundlehdr" ] && [ -f "$bundlepck" ] || { notfound; exit 0; }
335 [ -s "$bundlehdr" ] || [ -s "$bundlepck" ] || { notfound; exit 0; }
336 [ -z "$isredir" ] || { redir "/$proj/$linked.bundle"; exit 0; }
337 exec "$cfg_basedir/bin/rangecgi" -c 'application/x-git-bundle' \
338 -f "$suffix" -e 180 -m 1 "$bundlehdr" "$bundlepck"
339 internalerr "exec failed: $cfg_basedir/bin/rangecgi"
340 exit 1
341 fi
342
343 if [ "${cfg_fetch_stash_refs:-0}" = "0" ] && [ -n "$var_have_git_235" ]; then
344 git_add_config "uploadpack.hiderefs=refs/stash"
345 git_add_config "uploadpack.hiderefs=refs/tgstash"
346 fi
347
348 if [ -z "$needsauthcheck" ] || [ -z "$smart" ]; then
349 [ -z "$var_upload_window" ] || [ -z "$smart" ] ||
350 git_add_config "pack.window=$var_upload_window"
351 if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
352 exec "$cfg_git_http_backend_bin" "$@"
353 else
354 exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
355 fi
356 internalerr "exec failed: $cfg_git_http_backend_bin"
357 exit 1
358 fi
359
360 if ! [ -f "$dir/.nofetch" ]; then
361 forbidden "The $proj project is a mirror and may not be pushed to, sorry"
362 exit 1
363 fi
364
365 git_add_config 'receive.unpackLimit=1'
366 # Note the git config documentation is wrong
367 # transfer.unpackLimit, if set, overrides receive.unpackLimit
368 git_add_config 'transfer.unpackLimit=1'
369
370 if [ "${SSL_CLIENT_VERIFY+set}" = "set" ] && [ "$SSL_CLIENT_VERIFY" != "SUCCESS" ]; then
371 needsauth "Only validated client certificates may push, sorry."
372 exit 1
373 fi
374 authuser="${REMOTE_USER#/UID=}"
375 authuser="${authuser#UID = }"
376 authuuid="$authuser"
377 authuser="${authuser%/dnQualifier=*}"
378 authuser="${authuser%, dnQualifier = *}"
379 authuuid="${authuuid#$authuser}"
380 authuuid="${authuuid#/dnQualifier=}"
381 authuuid="${authuuid#, dnQualifier = }"
382 if [ -z "$authuser" ]; then
383 needsauth "Only authenticated users may push, sorry."
384 exit 1
385 fi
386 if [ "$authuser" != "mob" ] || [ "$cfg_mob" != "mob" ]; then
387 if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" || [ "$useruuid" != "$authuuid" ]; then
388 forbidden "The user '$authuser' certificate being used is no longer valid." \
389 "You may download a new user certificate at $cfg_webadmurl/edituser.cgi"
390 exit 1
391 fi
392 fi
393
394 if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$authuser"; then
395 # If mob is enabled and mob has push permissions and
396 # the current user is not the mob then it's a personal mob push
397 # presuming the special mob directory has been set up
398 if [ "$cfg_mob" = "mob" ] && [ "$authuser" != "mob" ] && [ -d "$cfg_reporoot/$proj/mob" ] &&
399 "$cfg_basedir/bin/can_user_push_http" "$projbare" "mob"; then
400 (
401 umask 113
402 >"$cfg_chroot/etc/sshactive/$authuser,"
403 mv -f "$cfg_chroot/etc/sshactive/$authuser," "$cfg_chroot/etc/sshactive/$authuser"
404 ! [ -e "$dir/.delaygc" ] || >"$dir/.allowgc" || :
405 )
406 PATH_INFO="/$proj/mob/$suffix"
407 export PATH_INFO
408 if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
409 exec "$cfg_git_http_backend_bin" "$@"
410 else
411 exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
412 fi
413 internalerr "exec failed: $cfg_git_http_backend_bin"
414 exit 1
415 fi
416 forbidden "The user '$authuser' does not have push permissions for project '$proj'." \
417 "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj"
418 exit 1
419 fi
420
421 (
422 umask 113
423 >"$cfg_chroot/etc/sshactive/$authuser,"
424 mv -f "$cfg_chroot/etc/sshactive/$authuser," "$cfg_chroot/etc/sshactive/$authuser"
425 ! [ -e "$dir/.delaygc" ] || >"$dir/.allowgc" || :
426 )
427 if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
428 exec "$cfg_git_http_backend_bin" "$@"
429 else
430 exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
431 fi
432 internalerr "exec failed: $cfg_git_http_backend_bin"
433 exit 1
The repo.or.cz duct tape "Girocco"