pushing: improve error text on https push w/o user certificate
[girocco.git] / cgi / authrequired.cgi
blobdca7db958ed2f454aaf189279841d78ff1d59448
1 #!/bin/sh
3 # authrequired.cgi -- show certification authorization instructions on 401
4 # Copyright (c) 2014 Kyle J. McKay. All rights reserved.
6 # This program is free software; you can redistribute it and/or
7 # modify it under the terms of the GNU General Public License
8 # as published by the Free Software Foundation; either version 2
9 # of the License, or (at your option) any later version.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 # Version 1.0
22 # We pretend like we don't exist. Unless this was an attempt to access a
23 # push URL over HTTPS in which case we return a suitable error message in plain
24 # text (unless we detect the client isn't a Git client in which case it's HTML).
26 # Some of this detection requires REQUEST_URI to be set which is an Apache
27 # extension. If REQUEST_URI is not set that portion of the smart detection
28 # will be disabled.
30 # Also note that we return a 403 error instead of a 401 error because we require
31 # a user push certificate. Returning a 401 error and having the client then
32 # provide a user name and password is completely pointless since we now are
33 # providing copious amounts of help text.
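# Exit as soon as any unguarded command returns a non-zero status.
set -e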
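# headers STATUS CONTENT_TYPE
#
# Write the CGI response header section to stdout: the Status line, the
# headers that disable caching, the Content-Type and finally the empty line
# that ends the header section.  Every line is terminated with CRLF.
#
#   $1 - value for the "Status:" header (for example 404)
#   $2 - value for the "Content-Type:" header
#
# Both arguments are written out verbatim.  Pass fixed strings only: text
# taken from the request could carry CR/LF and add headers of its own.
headers() {
	printf '%s\r\n' "Status: $1"
	printf '%s\r\n' "Expires: Fri, 01 Jan 1980 00:00:00 GMT"
	printf '%s\r\n' "Pragma: no-cache"
	printf '%s\r\n' "Cache-Control: no-cache, max-age=0, must-revalidate"
	printf '%s\r\n' "Content-Type: $2"
	printf '\r\n'
}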
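# notfound
#
# Simulate a 404 error as though we do not exist, then exit the script with
# status 0.  The page body echoes the requested URL, followed by
# $SERVER_SIGNATURE.
#
# Globals read: REQUEST_URI, SERVER_SIGNATURE
# Globals set:  URI_HTML, SPACE (scratch values; the script exits right after)
notfound() {
	headers 404 "text/html; charset=iso-8859-1"
	URI_HTML=
	SPACE=
	if [ -n "$REQUEST_URI" ]; then
		# REQUEST_URI is whatever the client sent.  Escape the HTML
		# metacharacters before echoing it so the error page cannot be
		# used to reflect markup back to a browser.  "&" is replaced
		# first so the entities produced below are not escaped twice.
		URI_HTML=$(printf '%s' "$REQUEST_URI" |
			sed -e 's/&/\&amp;/g' \
			    -e 's/</\&lt;/g' \
			    -e 's/>/\&gt;/g' \
			    -e 's/"/\&quot;/g' \
			    -e "s/'/\\&#39;/g")
		SPACE=" "
	fi
	cat <<EOF
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL $URI_HTML${SPACE}was not found on this server.</p>
<hr />
$SERVER_SIGNATURE
</body></html>
EOF
	exit 0
}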
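# Classify the request.  Every path through this script ends in either the
# simulated 404 or the 403 help text, so the flags computed here only choose
# which error body is shown; nothing below grants access.

# If the request is not over HTTPS return not found
[ "$HTTPS" = "on" ] || notfound

# Set isgit if we've detected a Git client or a Git-only URL.
# User-Agent is client-controlled, so treat isgit as a formatting hint only.
isgit=
case "$HTTP_USER_AGENT" in *[Gg]it/*)
	isgit=1
esac

# Without REQUEST_URI no URL-based detection is possible, so default to
# showing the help text.
needsauth=1
if [ -n "$REQUEST_URI" ]; then
	# Try to detect whether or not it was something that needs auth
	needsauth=
	# BASE is the URI up to (not including) the first "?", QS the rest.
	BASE="${REQUEST_URI%%[?]*}"
	# "$BASE" is quoted inside the expansion so that glob characters in the
	# client-supplied path ("*", "?", "[") are matched literally; unquoted,
	# a path containing them could fail to strip and leave QS wrong.
	QS="${REQUEST_URI#"$BASE"}"
	QS="${QS#[?]}"
	case "$BASE" in
	*/info/refs)
		# Only the receive-pack (push) service advertisement counts
		case "&$QS&" in *"&service=git-receive-pack&"*)
			case "$BASE" in
			/r/*)
				needsauth=1
				#isgit=1
				;;
			*)
				# Outside /r/ only answer clients that look like Git
				[ -z "$isgit" ] || needsauth=1
			esac
		esac
		;;
	*/git-receive-pack)
		case "$BASE" in
		/r/*)
			needsauth=1
			#isgit=1
			;;
		*)
			# Outside /r/ only answer clients that look like Git
			[ -z "$isgit" ] || needsauth=1
		esac
	esac
fi
# Anything that is not a push request gets the simulated 404
[ -n "$needsauth" ] || notfound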
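# Return a text/plain response WITHOUT any additional parameters (such as
# charset=) so that the Git client will display the result unless the client
# doesn't appear to be Git in which case send an HTML response.

# We need some config variables
# NOTE(review): cfg_webadmurl and cfg_htmlurl are presumably set by shlib.sh,
# and @basedir@ looks like an install-time placeholder -- confirm.  The cfg_
# values are written into the responses below without escaping, so they must
# come from trusted site configuration, never from the request.
. @basedir@/shlib.sh

if [ -n "$isgit" ]; then
	headers 403 "text/plain"
	cat <<EOF
======================================================================
Authentication Required
======================================================================

In order to push using https, you must first
configure a user push certificate.

You may download a user push certificate from
the edit user page that may be accessed at:

$cfg_webadmurl/edituser.cgi

Instructions for configuring Git to use the
downloaded push certificate can be found at:

$cfg_htmlurl/httpspush.html

Do not forget to also configure the location
of your private key (see the above page).

======================================================================
EOF
	exit 0
fi

# Send it in HTML instead as it appears that a Git push URL has been
# fetched using a browser instead of a Git client.

headers 403 "text/html; charset=iso-8859-1"
cat <<EOF
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>Authentication Required</title>
</head><body>
<h1>Authentication Required</h1>

<p>In order to push using https, you must first
configure a user push certificate.</p>

<p>You may download a user push certificate from
the edit user page that may be accessed at:</p>

<ul><a href="$cfg_webadmurl/edituser.cgi">$cfg_webadmurl/edituser.cgi</a></ul>

<p>Instructions for configuring Git to use the
downloaded push certificate can be found at:</p>

<ul><a href="$cfg_htmlurl/httpspush.html">$cfg_htmlurl/httpspush.html</a></ul>

<p>Do not forget to also configure the location
of your private key (see the above page).</p>

<hr />
$SERVER_SIGNATURE</body></html>
EOF
exit 0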