在CGIT访问控制 [英] Access control in Cgit

问题描述

我想向大家介绍访问控制CGIT一旦CGIT的CGI已经启动。该想法是将列出所有可用的gitolite回购，但启用/禁用目录列表基于用户的身份验证。

I would like to introduce access control to cgit once the cgi of cgit has been launched. The idea would be to list all the repos available in gitolite but enable/disable the directory listing based on user authentication.

我设法Apache是​​执行CGI CGIT前访问控制：

I managed to get access control before apache is executing the cgit cgi:

 AllowOverride None
 AuthType Basic
 AuthName "Restricted Files"
 AuthUserFile /var/lib/git_alfonso/passwords

  Options +ExecCGI
   Order allow,deny
   Allow from all

Alias /cgit.png /var/www/htdocs/cgit/cgit.png
Alias /cgit.css /var/www/htdocs/cgit/cgit.css
ScriptAlias /cgit "/var/www/htdocs/cgit/cgit.cgi"
RewriteRule ^$ / [R]
RewriteRule ^/(.*)$ /cgit.cgi/$1****

但我不知道如何获得同样的效果，一旦库路径访问，我试图与目录指令，并添加认证有，但一旦CGIT启动Apache不适用于HTTP规定的其他指令.conf文件。

But I don't know how to get the same effect once the repositories paths are accessed, I tried with the directory directive and adding the authentication there but once cgit is launched apache doesn't apply any other directive stated in the http.conf file.

这是如何实现的呢？任何线索

Any clue on how to achieve it?

非常感谢在前进。

溴
阿方索。

推荐答案

我已经做了precisely，在我自己的 CGIT配置。

I have done precisely that in my own cgit config.

# CGit on @PORT_HTTP_CGIT@
Listen @PORT_HTTP_CGIT@
<VirtualHost @FQN@:@PORT_HTTP_CGIT@>
ServerName @FQN@
ServerAlias @HOSTNAME@
SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
DocumentRoot @H@/cgit
Alias /cgit @H@/cgit
<Directory @H@/cgit>
  SetEnv GIT_PROJECT_ROOT=@H@/repositories
  AddHandler cgi-script .cgi .pl
  DirectoryIndex cgit.pl

（使用@ XX @是值的占位符模板）

(The @xx@ are template placeholder for values)

我们的想法是为包裹 cgit.cgi 与自定义脚本 cgit.pl （这里的Perl脚本，但你可以使用任何你想要的其他脚本语言），这将：

The idea is to wrap cgit.cgi with a custom script cgit.pl (here a perl script but you can use any other scripting language you want), which will:

• 呼叫gitolite


• 只显示什么是gitolite授权

您可以看到完整的 CGIT特等脚本这里。

You can see the full cgit.pl script here.

这是当您试图访问特定回购：

This is when you are trying to access to a specific repo:

if ($request_uri ne "/cgit/" && $request_uri ne "/cgit/cgit.pl/") {
  (my $repo)=($path_info =~ /\/([^\/]+)/);
  my $perm = "R";
  if ($repo ne "") {
  my $aperm = access( $repo, $user, 'R', 'any' );
  # my ($aperm, $creator) = &repo_rights($repo);
    $perm=$aperm;
  }
  if ($perm !~ /DENIED/) {
    system("@H@/cgit/cgit.cgi");
  }
}

这是当你没有一个回购调用CGIT：它应该只列出你有权查看的回购结果。
为此，调用本机 cgit.cgi ，然后过滤输出，删除对应于任何一行拒绝回购：

This is when you are calling cgit without a repo: it should list only the repos you are authorized to see.
For that, call the native cgit.cgi, and then filter the output, removing any line corresponding to a "denied" repo:

    my $fname="$user.".timestamp().".tpl";
    system("@H@/cgit/cgit.cgi > $fname");
    open(INFO, $fname); # Open the file
    @lines = <INFO>; # Read it into an array
    close(INFO);
    unlink($fname);
    pop(@lines);
    foreach (@lines) {
      my $line=$_;
      (my $repo)=($line =~ /title='([^']+)'/); #'
      my $perm = "R";
      if ($repo ne "") {
      my $aperm = access( $repo, $user, 'R', 'any' );
        # my ($aperm, $creator) = &repo_rights($repo);
        $perm=$aperm;
      }
      if ($perm !~ /DENIED/) {
        print $line;
      }
    }

这篇关于在CGIT访问控制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！