search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
scripts: purge use of test '-a' and '-o' ops and clean up
[girocco.git] / bin / git-http-backend-verify
blob61ec3cf2f9661f4f0b7f3fcd8268f292e65dc2ea
1 #!/bin/sh
2 #
3 # Abort any push early if the pushing user doesn't have any push permissions
4 # at all. This avoids unnecessary traffic and unpacked object pollution.
5 #
6 # Set GIT_HTTP_BACKEND_BIN to change the default http-backend binary from
7 # the default of Config.pm $git_http_backend_bin (which itself has a default
8 # of "/usr/lib/git-core/git-http-backend")
9 #
10 # Note that GIT_PROJECT_ROOT is automatically set to $cfg_reporoot and exported
11 # any incoming value for it will be ignored.
12 #
13 # Note that GIT_HTTP_EXPORT_ALL is automatically set to 1 and exported.
14 #
15 # Also prevents standard error output from git-http-backend cluttering up the
16 # server's log unless GIT_HTTP_BACKEND_SHOW_ERRORS is set to a non-empty value.
17 #
18 # Bundle fetches are handled in this script as well.
19
20 set -e
21
22 . @basedir@/shlib.sh
23
24 unset GIT_USER_AGENT
25 unset GIT_HTTP_USER_AGENT
26 if [ -n "$defined_cfg_git_server_ua" ]; then
27 GIT_USER_AGENT="$cfg_git_server_ua"
28 export GIT_USER_AGENT
29 GIT_HTTP_USER_AGENT="$cfg_git_server_ua"
30 export GIT_HTTP_USER_AGENT
31 fi
32 if [ -n "$cfg_SmartHTTPOnly" ] && [ "$cfg_SmartHTTPOnly" != "0" ]; then
33 git_add_config "http.getanyfile=false"
34 fi
35
36 [ -z "$GIT_HTTP_BACKEND_BIN" ] || cfg_git_http_backend_bin="$GIT_HTTP_BACKEND_BIN"
37 [ -n "$cfg_git_http_backend_bin" ] ||
38 cfg_git_http_backend_bin="$var_git_exec_path/git-http-backend"
39
40 GIT_PROJECT_ROOT="$cfg_reporoot"
41 GIT_HTTP_EXPORT_ALL=1
42 export GIT_PROJECT_ROOT
43 export GIT_HTTP_EXPORT_ALL
44
45 # This script is called for both fetch and push.
46 # Only the following conditions trigger a push permissions check:
47 #
48 # 1. REQUEST_METHOD=GET
49 # and PATH_INFO ends with "/info/refs"
50 # and QUERY_STRING has "service=git-receive-pack"
51 #
52 # 2. REQUEST_METHOD=POST
53 # and PATH_INFO ends with "/git-receive-pack"
54 #
55 # Note that there is no check for PATH_INFO being under a certain root as
56 # GIT_PROJECT_ROOT will be exported and set so all PATH_INFO values are
57 # effectively forced under the desired root.
58 #
59 # The REQUEST_METHOD is validated. For smart HTTP requests only the project
60 # name is extracted and validated and the corresponding project directory must
61 # exist under $cfg_reporoot. Non-smart HTTP fetch requests (GET or HEAD) are
62 # passed on unchanged and unchecked.
63
64 errorhdrsct()
65 {
66 _ct="$1"; shift
67 printf '%s\r\n' "Status: $1 $2"
68 printf '%s\r\n' "Expires: Fri, 01 Jan 1980 00:00:00 GMT"
69 printf '%s\r\n' "Pragma: no-cache"
70 printf '%s\r\n' "Cache-Control: no-cache,max-age=0,must-revalidate"
71 [ -z "$3" ] || printf '%s\r\n' "$3"
72 printf '%s\r\n' "Content-Type: $_ct"
73 printf '\r\n'
74 }
75
76 errorhdrs()
77 {
78 errorhdrsct 'text/plain' "$@"
79 }
80
81 msglines()
82 {
83 [ $# -le 0 ] || printf '%s\n' "$@"
84 }
85
86 internalerr()
87 {
88 errorhdrs 500 "Internal Server Error"
89 [ $# -gt 0 ] || set -- "Internal Server Error"
90 msglines "$@" >&2
91 msglines "$@"
92 exit 0
93 }
94
95 methodnotallowed()
96 {
97 errorhdrs 405 "Method Not Allowed" "Allow: GET,HEAD,POST"
98 [ $# -gt 0 ] || set -- "Method Not Allowed"
99 msglines "$@"
100 exit 0
101 }
102
103 forbidden()
104 {
105 errorhdrs 403 Forbidden
106 [ $# -gt 0 ] || set -- "Forbidden"
107 msglines "$@"
108 exit 0
109 }
110
111 notfound()
112 {
113 errorhdrs 404 "Not Found"
114 [ $# -gt 0 ] || set -- "Not Found"
115 msglines "$@"
116 exit 0
117 }
118
119 needsauth()
120 {
121 unset AUTHREQUIRED_MESSAGE
122 msg="$*"
123 if [ -n "$msg" ]; then
124 AUTHREQUIRED_MESSAGE="$msg"
125 export AUTHREQUIRED_MESSAGE
126 fi
127 exec "$cfg_cgiroot/authrequired.cgi" || :
128 # fallback in case exec fails
129 errorhdrs 401 "Authorization Required"
130 [ $# -gt 0 ] || set -- "Authorization Required"
131 msglines "$@"
132 exit 0
133 }
134
135 # Single argument is an absolute PATH (NOT a URI) to 302 redirect to
136 # The appropriate http pull URL path prefix is automatically inserted
137 redir()
138 {
139 _pullurl="$cfg_httpbundleurl"
140 [ -n "$_pullurl" ] || _pullurl="$cfg_httpspushurl"
141 [ -n "$_pullurl" ] || _pullurl="$cfg_httppullurl"
142 _absbase="${_pullurl%/}/"
143 _absbase="${absbase##*://}"
144 _absbase="${absbase##*/}"
145 [ -z "$_absbase" ] || _absbase="/$_absbase"
146 _loc="https"
147 [ "$HTTPS" = "on" ] || _loc="http"
148 _loc="$_loc://$SERVER_NAME"
149 [ "$HTTPS" != "on" ] || [ "$SERVER_PORT" = "443" ] || _loc="$_loc:$SERVER_PORT"
150 [ "$HTTPS" = "on" ] || [ "$SERVER_PORT" = "80" ] || _loc="$_loc:$SERVER_PORT"
151 _loc="$_loc$_absbase"
152 case "$1" in /*) :;; *) _loc="$_loc/";; esac
153 _loc="$_loc$1"
154 errorhdrsct 'text/html' 302 "Found" "Location: $_loc"
155 if [ "$REQUEST_METHOD" != "HEAD" ]; then
156 printf '<p>Temporarily redirected to <a href="%s">%s</a></p>\n' \
157 "$_loc" "$_loc"
158 fi
159 exit 0
160 }
161
162 # A quick sanity check
163 if [ -z "$cfg_git_http_backend_bin" ] || ! [ -x "$cfg_git_http_backend_bin" ]; then
164 internalerr "bad cfg_git_http_backend_bin: $cfg_git_http_backend_bin"
165 exit 1
166 fi
167 case "$cfg_reporoot" in /?*) :;; *)
168 internalerr "bad reporoot: $cfg_reporoot"
169 exit 1
170 esac
171 [ -n "$GIT_PROJECT_ROOT" ] || { internalerr 'GIT_PROJECT_ROOT must be set'; exit 1; }
172
173 PATH="$(dirname "$cfg_git_http_backend_bin"):$PATH"
174 export PATH
175
176 digit='[0-9]'
177 digit6="$digit$digit$digit$digit$digit$digit"
178 digit8="$digit6$digit$digit"
179 proj=
180 smart=
181 bundle=
182 suffix=
183 needsauthcheck=
184 pathcheck="${PATH_INFO#/}"
185 if [ "$REQUEST_METHOD" = "GET" ] || [ "$REQUEST_METHOD" = "HEAD" ]; then
186 # We do not currently validate non-smart GET/HEAD requests.
187 # There are only 8 possible suffix values that need to be allowed for
188 # non-smart HTTP GET/HEAD fetches (see http-backend.c):
189 # /HEAD
190 # /info/refs
191 # /objects/info/alternates
192 # /objects/info/http-alternates
193 # /objects/info/packs
194 # /objects/[0-9a-f]{2}/[0-9a-f]{38}
195 # /objects/pack/pack-[0-9a-f]{40}.idx
196 # /objects/pack/pack-[0-9a-f]{40}.pack
197 # We do, however, need to recognize a /*.bundle fetch so that
198 # we can properly handle it.
199 case "$pathcheck" in
200 *"/info/refs")
201 proj="${pathcheck%/info/refs}"
202 case "&$QUERY_STRING&" in
203 *"&service=git-receive-pack&"*)
204 smart=1
205 needsauthcheck=1
206 suffix=info/refs
207 ;;
208 *"&service=git-upload-pack&"*)
209 smart=1
210 suffix=info/refs
211 ;;
212 esac
213 ;;
214 */*[!./].bundle)
215 bundle=1
216 smart=1
217 proj="${pathcheck%/*.bundle}"
218 suffix="${pathcheck#$proj/}"
219 ;;
220 esac
221 elif [ "$REQUEST_METHOD" = "POST" ]; then
222 case "$pathcheck" in
223 *"/git-receive-pack")
224 smart=1
225 needsauthcheck=1
226 proj="${pathcheck%/git-receive-pack}"
227 suffix=git-receive-pack
228 ;;
229 *"/git-upload-pack")
230 smart=1
231 proj="${pathcheck%/git-upload-pack}"
232 suffix=git-upload-pack
233 ;;
234 *)
235 forbidden
236 exit 1
237 ;;
238 esac
239 else
240 methodnotallowed
241 exit 1
242 fi
243
244 # Reject any project names that start with _ or contain ..
245 case "$pathcheck" in _*|*..*)
246 forbidden
247 esac
248
249 if [ -n "$smart" ]; then
250 # add a missing trailing .git
251 case "$proj" in
252 *.git) :;;
253 *)
254 proj="$proj.git"
255 esac
256
257 projbare="${proj%.git}"
258 reporoot="$cfg_reporoot"
259 dir="$reporoot/$proj"
260
261 # Valid project names never end in .git (we add that automagically), so a valid
262 # fork can never have .git at the end of any path component except the last.
263 # We check this to avoid a situation where a certain collection of pushed refs
264 # could be mistaken for a GIT_DIR. Git would ultimately complain, but some
265 # undesirable things could happen along the way.
266
267 # Remove the leading $reporoot and trailing .git to get a test string
268 testpath="${dir#$reporoot/}"
269 testpath="${testpath%.git}"
270 case "$testpath/" in *.[Gg][Ii][Tt]/*|_*)
271 forbidden
272 exit 1
273 esac
274
275 if ! [ -d "$dir" ] || ! [ -f "$dir/HEAD" ] || ! [ -d "$dir/objects" ]; then
276 forbidden
277 exit 1
278 fi
279 fi
280
281 if [ -n "$bundle" ]; then
282 # We support two kinds of bundles:
283 # 1) /path/to/foo.git/clone.bundle
284 # 2) /path/to/foo.git/foo-????????.bundle
285 # The first ALWAYS returns a 302 or 404 response
286 # The second ALWAYS returns a 404 or success
287 isredir=
288 projbase="${projbare##*/}"
289 case "$suffix" in
290 "clone.bundle")
291 isredir=1
292 ;;
293 "$projbase-"$octet4".bundle")
294 :;;
295 *)
296 forbidden
297 exit 1
298 esac
299 if [ -n "$isredir" ]; then
300 # A bundles/latest symlink must exist and
301 # point to an existing file in the same directory
302 # matching the magic format (\d{8}_\d{6}-$octet4)
303 if ! [ -L "$dir/bundles/latest" ] || ! [ -f "$dir/bundles/latest" ]; then
304 notfound
305 exit 0
306 fi
307 linked="$(readlink "$dir/bundles/latest")" || { notfound; exit 0; }
308 case "$linked" in ${digit8}_$digit6-$octet4) :;; *)
309 notfound
310 exit 0
311 esac
312 bundlefile="$dir/bundles/$linked"
313 linked="$projbase-${linked#????????_??????-}"
314 else
315 bundleid="${suffix%.bundle}"
316 bundleid="${bundleid##*-}"
317 bundlepat="${digit8}_$digit6-$bundleid"
318 bundlefile="$(printf '%s\n' "$dir/bundles/"$bundlepat 2>/dev/null)" || :
319 if [ "$dir/bundles/$bundlepat" = "$bundlefile" ] || ! [ -f "$bundlefile" ]; then
320 notfound
321 exit 0
322 fi
323 fi
324 { {
325 read -r bundlehdr || :
326 read -r bundlepck || :
327 } <"$bundlefile"; } 2>/dev/null || :
328 [ -n "$bundlehdr" ] && [ -n "$bundlepck" ] || { notfound; exit 0; }
329 # Non-absolute paths are relative to the repository's objects/pack dir
330 case "$bundlehdr" in /*) :;; *)
331 bundlehdr="$dir/objects/pack/$bundlehdr"
332 esac
333 case "$bundlepck" in /*) :;; *)
334 bundlepck="$dir/objects/pack/$bundlepck"
335 esac
336 [ -f "$bundlehdr" ] && [ -f "$bundlepck" ] || { notfound; exit 0; }
337 [ -s "$bundlehdr" ] || [ -s "$bundlepck" ] || { notfound; exit 0; }
338 [ -z "$isredir" ] || { redir "/$proj/$linked.bundle"; exit 0; }
339 exec "$cfg_basedir/bin/rangecgi" -c 'application/x-git-bundle' -e 180 \
340 -m 1 "$bundlehdr" "$bundlepck"
341 internalerr "exec failed: $cfg_basedir/bin/rangecgi"
342 exit 1
343 fi
344
345 if [ -z "$needsauthcheck" ] || [ -z "$smart" ]; then
346 [ -z "$var_upload_window" ] || [ -z "$smart" ] ||
347 git_add_config "pack.window=$var_upload_window"
348 if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
349 exec "$cfg_git_http_backend_bin" "$@"
350 else
351 exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
352 fi
353 internalerr "exec failed: $cfg_git_http_backend_bin"
354 exit 1
355 fi
356
357 if ! [ -f "$dir/.nofetch" ]; then
358 forbidden "The $proj project is a mirror and may not be pushed to, sorry"
359 exit 1
360 fi
361
362 git_add_config 'receive.unpackLimit=1'
363 # Note the git config documentation is wrong
364 # transfer.unpackLimit, if set, overrides receive.unpackLimit
365 git_add_config 'transfer.unpackLimit=1'
366
367 if [ "${SSL_CLIENT_VERIFY+set}" = "set" ] && [ "$SSL_CLIENT_VERIFY" != "SUCCESS" ]; then
368 needsauth "Only validated client certificates may push, sorry."
369 exit 1
370 fi
371 authuser="${REMOTE_USER#/UID=}"
372 authuuid="$authuser"
373 authuser="${authuser%/dnQualifier=*}"
374 authuuid="${authuuid#$authuser}"
375 authuuid="${authuuid#/dnQualifier=}"
376 if [ -z "$authuser" ]; then
377 needsauth "Only authenticated users may push, sorry."
378 exit 1
379 fi
380 if [ "$authuser" != "mob" ] || [ "$cfg_mob" != "mob" ]; then
381 if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" || [ "$useruuid" != "$authuuid" ]; then
382 forbidden "The user '$authuser' certificate being used is no longer valid." \
383 "You may download a new user certificate at $cfg_webadmurl/edituser.cgi"
384 exit 1
385 fi
386 fi
387
388 if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$authuser"; then
389 # If mob is enabled and mob has push permissions and
390 # the current user is not the mob then it's a personal mob push
391 # presuming the special mob directory has been set up
392 if [ "$cfg_mob" = "mob" ] && [ "$authuser" != "mob" ] && [ -d "$cfg_reporoot/$proj/mob" ] &&
393 "$cfg_basedir/bin/can_user_push_http" "$projbare" "mob"; then
394 (
395 umask 113
396 >"$cfg_chroot/etc/sshactive/$authuser,"
397 mv -f "$cfg_chroot/etc/sshactive/$authuser," "$cfg_chroot/etc/sshactive/$authuser"
398 ! [ -e "$dir/.delaygc" ] || >"$dir/.allowgc" || :
399 )
400 PATH_INFO="/$proj/mob/$suffix"
401 export PATH_INFO
402 if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
403 exec "$cfg_git_http_backend_bin" "$@"
404 else
405 exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
406 fi
407 internalerr "exec failed: $cfg_git_http_backend_bin"
408 exit 1
409 fi
410 forbidden "The user '$authuser' does not have push permissions for project '$proj'." \
411 "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj"
412 exit 1
413 fi
414
415 (
416 umask 113
417 >"$cfg_chroot/etc/sshactive/$authuser,"
418 mv -f "$cfg_chroot/etc/sshactive/$authuser," "$cfg_chroot/etc/sshactive/$authuser"
419 ! [ -e "$dir/.delaygc" ] || >"$dir/.allowgc" || :
420 )
421 if [ -n "$GIT_HTTP_BACKEND_SHOW_ERRORS" ]; then
422 exec "$cfg_git_http_backend_bin" "$@"
423 else
424 exec "$cfg_git_http_backend_bin" "$@" 2>/dev/null
425 fi
426 internalerr "exec failed: $cfg_git_http_backend_bin"
427 exit 1
The repo.or.cz duct tape "Girocco"