#!/bin/sh

# authrequired.cgi -- show certification authorization instructions on 401
# Copyright (c) 2014 Kyle J. McKay. All rights reserved.

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

# Version 1.1

# We pretend like we don't exist. Unless this was an attempt to access a
# push URL over HTTPS in which case we return a suitable error message in plain
# text (unless we detect the client isn't a Git client in which case it's HTML).

# Some of this detection requires REQUEST_URI to be set which is an Apache
# extension. If REQUEST_URI is not set that portion of the smart detection
# will be disabled.

# Also note that we return a 403 error instead of a 401 error because we require
# a user push certificate. Returning a 401 error and having the client then
# provide a user name and password is completely pointless since we now are
# providing copious amounts of help text.

# If the client appears to be an older version of Git that will probably not
# display a text/plain error response to the user then the error message is
# sent as an 'ERR ' packet in smart protocol format instead. Git versions
# older than 1.8.3 as well as JGit and libgit require the 'ERR ' packet format.
# This 'ERR ' packet format support requires that REQUEST_URI be set to the
# original URI that was fetched or it will never trigger.
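# Stop at the first command that fails without being tested, so a broken
# step cannot be followed by a half-built response.
set -e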
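# headers STATUS CONTENT_TYPE [EXTRA_HEADER]
# Write the CGI response header block to stdout, each line CRLF-terminated,
# followed by the empty line that ends the headers.
#   $1 - value for the Status: header (e.g. 404)
#   $2 - value for the Content-Type: header
#   $3 - optional, one complete extra header line (e.g. "Content-Length: 12")
# The arguments are written out verbatim.  The callers in this file pass
# fixed strings or a locally computed length; a request-derived value must
# have CR and LF removed before it is passed here, otherwise the client
# could add response headers of its own.
headers() {
	printf '%s\r\n' "Status: $1"
	printf '%s\r\n' "Expires: Fri, 01 Jan 1980 00:00:00 GMT"
	printf '%s\r\n' "Pragma: no-cache"
	printf '%s\r\n' "Cache-Control: no-cache, max-age=0, must-revalidate"
	printf '%s\r\n' "Content-Type: $2"
	# ${3:-} keeps the optional argument harmless should set -u ever be enabled
	[ -z "${3:-}" ] || printf '%s\r\n' "$3"
	printf '\r\n'
}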
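# notfound
# Simulate a 404 error as though we do not exist: write the headers and an
# HTML error page to stdout, then exit 0.  Never returns to the caller.
# Reads REQUEST_URI (may be empty or unset) and SERVER_SIGNATURE from the
# environment.
notfound() {
	headers 404 "text/html; charset=iso-8859-1"
	SPACE=
	URI_HTML=
	if [ -n "$REQUEST_URI" ]; then
		SPACE=" "
		# REQUEST_URI is chosen by the client, so it is HTML-escaped before
		# it goes into the page; unescaped, a crafted URL could place markup
		# in this response.  "&" is replaced first so the entities produced
		# by the later substitutions are not escaped a second time.
		# LC_ALL=C makes sed work on bytes, whatever encoding the URI uses.
		URI_HTML=$(printf '%s' "$REQUEST_URI" | LC_ALL=C sed \
			-e 's/&/\&amp;/g' \
			-e 's/</\&lt;/g' \
			-e 's/>/\&gt;/g' \
			-e 's/"/\&quot;/g')
	fi
	# SERVER_SIGNATURE is inserted as is.
	# NOTE(review): presumably the web server's own ready-made HTML footer;
	# confirm it cannot carry unescaped request data in this deployment.
	cat <<EOF
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL ${URI_HTML}${SPACE}was not found on this server.</p>
<hr />
$SERVER_SIGNATURE
</body></html>
EOF
	exit 0
}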
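# If the request is not over HTTPS return not found
# NOTE(review): HTTPS is read from the CGI environment; it is presumably set
# by the web server's TLS module and not taken from a request header.  Confirm
# this still holds if TLS is terminated by a proxy in front of the server.
[ "$HTTPS" = "on" ] || notfound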
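# Set isgit if we've detected a Git client or a Git-only URL
#
# detect_git_client
# Classify the client from HTTP_USER_AGENT and record the result in globals:
#   isgit    - 1 when the agent string contains "git/" or "Git/", else empty
#   isoldgit - 1 when that client is JGit, or reports a version that is not
#              1.8.3 or later (including no parsable version), else empty
# The User-Agent header is supplied by the client.  The result only selects
# which error response is sent, so it must never be used to grant access.
detect_git_client() {
	isgit=
	isoldgit=
	case "$HTTP_USER_AGENT" in *[Gg]it/*)
		isgit=1
		case "$HTTP_USER_AGENT" in
		*[Jj][Gg]it/*)
			isoldgit=1
			;;
		*)
			# Keep the leading run of digits and dots that follows the
			# last "git/", minus one trailing dot
			suffix="${HTTP_USER_AGENT##*[Gg]it/}"
			gitvers="${suffix%%[!0-9.]*}"
			gitvers="${gitvers%.}"
			case "$gitvers" in
			[1-9][0-9]*|[2-9]|[2-9].*|1.[1-9][0-9]*|1.9*| \
			1.8.[1-9][0-9]*|1.8.[3-9]|1.8.[3-9].*)
				# 1.8.3 or later
				:
				;;
			*)
				isoldgit=1
				;;
			esac
			;;
		esac
		;;
	esac
}
detect_git_client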
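# classify_request
# Decide from REQUEST_URI whether the request looks like an HTTPS push that
# should get the help text instead of the simulated 404.  Sets globals:
#   needsauth - 1 when the help text should be sent, else empty
#   service   - "git-receive-pack" when a push URL was recognised, else empty
#   BASE, QS  - REQUEST_URI split at its first "?" (path and query string)
# Reads isgit.  When REQUEST_URI is empty or unset nothing can be detected
# and needsauth stays 1.
classify_request() {
	needsauth=1
	service=
	[ -n "$REQUEST_URI" ] || return 0
	# Try to detect whether or not it was something that needs auth
	needsauth=
	BASE="${REQUEST_URI%%[?]*}"
	# $BASE is quoted so that it is removed as a literal prefix.  Unquoted it
	# is used as a glob pattern, and a path containing [ ] * or ? may then
	# fail to match itself, leaving the whole URI in QS.
	QS="${REQUEST_URI#"$BASE"}"
	QS="${QS#[?]}"
	case "$BASE" in
	*/info/refs)
		case "&$QS&" in *"&service=git-receive-pack&"*)
			service=git-receive-pack
			case "$BASE" in
			/r/*)
				needsauth=1
				#isgit=1
				;;
			*)
				[ -z "$isgit" ] || needsauth=1
				;;
			esac
			;;
		esac
		;;
	*/git-receive-pack)
		service=git-receive-pack
		case "$BASE" in
		/r/*)
			needsauth=1
			#isgit=1
			;;
		*)
			[ -z "$isgit" ] || needsauth=1
			;;
		esac
		;;
	esac
}
classify_request
[ -n "$needsauth" ] || notfound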
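# Return a text/plain response WITHOUT any additional parameters (such as
# charset=) so that the Git client will display the result unless the client
# doesn't appear to be Git in which case send an HTML response.

# We need some config variables
# NOTE(review): @basedir@ looks like a placeholder that is replaced with the
# real directory at install time, and the cfg_* variables used in the
# responses are presumably defined by this file.  Sourcing runs its contents
# with this CGI's privileges, so neither the file nor its directory should be
# writable by the web server user.
. @basedir@/shlib.sh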
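# Response for Git clients: the help text as text/plain with status 403, or,
# for old clients on a recognised push URL, as an 'ERR ' packet inside a
# status 200 smart-protocol advertisement.  Either way the script ends here.
if [ -n "$isgit" ]; then
	# NOTE(review): the blank lines inside the text follow the gaps in the
	# listing's line numbering; any leading spaces on its lines could not be
	# recovered from the listing - confirm against the repository copy.
	# $cfg_webadmurl and $cfg_htmlurl are not set in this file.
	message="\
======================================================================
Authentication Required
======================================================================

In order to push using https, you must first
configure a user push certificate.

You may download a user push certificate from
the edit user page that may be accessed at:

$cfg_webadmurl/edituser.cgi

Instructions for configuring Git to use the
downloaded push certificate can be found at:

$cfg_htmlurl/httpspush.html

Do not forget to also configure the location
of your private key (see the above page).

======================================================================
"
	# Two separate tests replace the obsolescent and ambiguous "-a" operator
	if [ -n "$isoldgit" ] && [ -n "$service" ]; then
		# Each packet begins with four hex digits giving its total length,
		# prefix included; "xxxx" stands in for the prefix while measuring.
		# wc -c counts bytes, which is what both the packet length and
		# Content-Length need.  Some wc implementations pad their output
		# with spaces, so the count is normalised with $(( )) and can then
		# be passed to printf quoted.
		l1=$(( $(printf 'xxxx# service=%s\n' "$service" | wc -c) ))
		l2=$(( $(printf 'xxxxERR \n%s' "$message" | wc -c) ))
		# The body is packet 1, the 4-byte "0000" flush packet, packet 2
		headers 200 "application/x-$service-advertisement" \
			"Content-Length: $(( l1 + 4 + l2 ))"
		printf '%04x# service=%s\n0000%04xERR \n%s' "$l1" "$service" \
			"$l2" "$message"
	else
		headers 403 "text/plain"
		printf '%s' "$message"
	fi
	exit 0
fi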
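# Send it in HTML instead as it appears that a Git push URL has been
# fetched using a browser instead of a Git client.

headers 403 "text/html; charset=iso-8859-1"
# $cfg_webadmurl, $cfg_htmlurl and $SERVER_SIGNATURE are expanded into the
# page without HTML escaping.
# NOTE(review): that is only safe while all three come from site
# configuration or the web server and never from the request - confirm.
cat <<EOF
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>Authentication Required</title>
</head><body>
<h1>Authentication Required</h1>

<p>In order to push using https, you must first
configure a user push certificate.</p>

<p>You may download a user push certificate from
the edit user page that may be accessed at:</p>

<ul><a href="$cfg_webadmurl/edituser.cgi">$cfg_webadmurl/edituser.cgi</a></ul>

<p>Instructions for configuring Git to use the
downloaded push certificate can be found at:</p>

<ul><a href="$cfg_htmlurl/httpspush.html">$cfg_htmlurl/httpspush.html</a></ul>

<p>Do not forget to also configure the location
of your private key (see the above page).</p>

<hr />
$SERVER_SIGNATURE</body></html>
EOF
exit 0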