--- extra/svn/Redmine.pm.org 2012-04-28 01:19:43.268017879 +0900 +++ extra/svn/Redmine.pm 2012-04-28 07:26:53.211039483 +0900 @@ -102,6 +102,83 @@ And you need to upgrade at least reposman.rb (after r860). +=head1 GIT SMART HTTP SUPPORT + +Git's smart HTTP protocol (available since Git 1.7.0) will not work with the +above settings. Redmine.pm normally does access control depending on the HTTP +method used: read-only methods are OK for everyone in public projects and +members with read rights in private projects. The rest require membership with +commit rights in the project. + +However, this scheme doesn't work for Git's smart HTTP protocol, as it will use +POST even for a simple clone. Instead, read-only requests must be detected using +the full URL (including the query string): anything that doesn't belong to the +git-receive-pack service is read-only. + +To activate this mode of operation, add this line inside your +block: + + RedmineGitSmartHttp yes + +Here's a sample Apache configuration which integrates git-http-backend with +a MySQL database and this new option: + + SetEnv GIT_PROJECT_ROOT /var/www/git/ + SetEnv GIT_HTTP_EXPORT_ALL + ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/ + + Order allow,deny + Allow from all + + AuthType Basic + AuthName Git + Require valid-user + + PerlAccessHandler Apache::Authn::Redmine::access_handler + PerlAuthenHandler Apache::Authn::Redmine::authen_handler + # for mysql + RedmineDSN "DBI:mysql:database=redmine;host=127.0.0.1" + RedmineDbUser "redmine" + RedmineDbPass "xxx" + RedmineGitSmartHttp yes + + +Make sure that all the names of the repositories under /var/www/git/ have a +matching identifier for some project: /var/www/git/myproject and +/var/www/git/myproject.git will work. You can put both bare and non-bare +repositories in /var/www/git, though bare repositories are strongly +recommended. You should create them with the rights of the user running Redmine, +like this: + + cd /var/www/git + sudo -u user-running-redmine mkdir myproject + cd myproject + sudo -u user-running-redmine git init --bare + +Once you have activated this option, you have three options when cloning a +repository: + +- Cloning using "http://user@host/git/repo(.git)" works, but will ask for the password + all the time. + +- Cloning with "http://user:pass@host/git/repo(.git)" does not have this problem, but + this could reveal accidentally your password to the console in some versions + of Git, and you would have to ensure that .git/config is not readable except + by the owner for each of your projects. + +- Use "http://host/git/repo(.git)", and store your credentials in the ~/.netrc + file. This is the recommended solution, as you only have one file to protect + and passwords will not be leaked accidentally to the console. + + IMPORTANT NOTE: It is *very important* that the file cannot be read by other + users, as it will contain your password in cleartext. To create the file, you + can use the following commands, replacing yourhost, youruser and yourpassword + with the right values: + + touch ~/.netrc + chmod 600 ~/.netrc + echo -e "machine yourhost\nlogin youruser\npassword yourpassword" > ~/.netrc + =cut use strict; @@ -151,6 +228,11 @@ args_how => TAKE1, errmsg => 'RedmineCacheCredsMax must be decimal number', }, + { + name => 'RedmineGitSmartHttp', + req_override => OR_AUTHCFG, + args_how => TAKE1, + }, ); sub RedmineDSN { @@ -188,6 +270,17 @@ } } +sub RedmineGitSmartHttp { + my ($self, $parms, $arg) = @_; + $arg = lc $arg; + + if ($arg eq "yes" || $arg eq "true") { + $self->{RedmineGitSmartHttp} = 1; + } else { + $self->{RedmineGitSmartHttp} = 0; + } +} + sub trim { my $string = shift; $string =~ s/\s{2,}/ /g; @@ -204,6 +297,23 @@ my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/; +sub request_is_read_only { + my ($r) = @_; + my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config); + + # Do we use Git's smart HTTP protocol, or not? + if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp}) { + my $uri = $r->unparsed_uri; + my $location = $r->location; + my $is_read_only = $uri !~ m{^$location/*[^/]+/+(info/refs\?service=)?git\-receive\-pack$}o; + return $is_read_only; + } else { + # Old behaviour: check the HTTP method + my $method = $r->method; + return defined $read_only_methods{$method}; + } +} + sub access_handler { my $r = shift; @@ -212,8 +322,7 @@ return FORBIDDEN; } - my $method = $r->method; - return OK unless defined $read_only_methods{$method}; + return OK unless request_is_read_only($r); my $project_id = get_project_identifier($r); @@ -338,7 +447,7 @@ my $pass_digest = Digest::SHA::sha1_hex($redmine_pass); - my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W"; + my $access_mode = request_is_read_only($r) ? "R" : "W"; my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config); my $usrprojpass; @@ -409,7 +518,16 @@ my $location = $r->location; my ($identifier) = $r->uri =~ m{$location/*([^/.]+)}; - $identifier; + my $dbh = connect_database($r); + my $sth = $dbh->prepare( + "SELECT name FROM projects WHERE id = (SELECT project_id FROM repositories WHERE url LIKE ?);" + ); + $identifier =~ s/_/\\_/g; + $sth->execute('%/'.$identifier); + my @row = $sth->fetchrow_array; + $sth->finish(); + $dbh->disconnect(); + $row[0]; } sub connect_database {