cgi/authrequired.cgi

   1 #!/bin/sh
   2
   3 # authrequired.cgi -- show certification authorization instructions on 401
   4 # Copyright (c) 2014 Kyle J. McKay.  All rights reserved.
   5
   6 # This program is free software; you can redistribute it and/or
   7 # modify it under the terms of the GNU General Public License
   8 # as published by the Free Software Foundation; either version 2
   9 # of the License, or (at your option) any later version.
  10 #
  11 # This program is distributed in the hope that it will be useful,
  12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14 # GNU General Public License for more details.
  15 #
  16 # You should have received a copy of the GNU General Public License
  17 # along with this program; if not, write to the Free Software
  18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  19
  20 # Version 1.1
  21
  22 # We pretend like we don't exist.  Unless this was an attempt to access a
  23 # push URL over HTTPS in which case we return a suitable error message in plain
  24 # text (unless we detect the client isn't a Git client in which case it's HTML).
  25
  26 # Some of this detection requires REQUEST_URI to be set which is an Apache
  27 # extension.  If REQUEST_URI is not set that portion of the smart detection
  28 # will be disabled.
  29
  30 # Also note that we return a 403 error instead of a 401 error because we require
  31 # a user push certificate.  Returning a 401 error and having the client then
  32 # provide a user name and password is completely pointless since we now are
  33 # providing copious amounts of help text.
  34
  35 # If the client appears to be an older version of Git that will probably not
  36 # display a text/plain error response to the user then the error message is
  37 # sent as an 'ERR ' packet in smart protocol format instead.  Git versions
  38 # older than 1.8.3 as well as JGit and libgit require the 'ERR ' packet format.
  39 # This 'ERR ' packet format support requires that REQUEST_URI be set to the
  40 # original URI that was fetched or it will never trigger.
  41
  42 set -e
  43
  44 headers() {
  45         printf '%s\r\n' "Status: $1"
  46         printf '%s\r\n' "Expires: Fri, 01 Jan 1980 00:00:00 GMT"
  47         printf '%s\r\n' "Pragma: no-cache"
  48         printf '%s\r\n' "Cache-Control: no-cache, max-age=0, must-revalidate"
  49         printf '%s\r\n' "Content-Type: $2"
  50         [ -z "$3" ] || printf "%s\r\n" "$3"
  51         printf '\r\n'
  52 }
  53
  54 notfound() {
  55         # Simulate a 404 error as though we do not exist
  56         headers 404 "text/html; charset=iso-8859-1"
  57         SPACE=
  58         [ -z "$REQUEST_URI" ] || SPACE=" "
  59         cat <<EOF
  60 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  61 <html><head>
  62 <title>404 Not Found</title>
  63 </head><body>
  64 <h1>Not Found</h1>
  65 <p>The requested URL $REQUEST_URI${SPACE}was not found on this server.</p>
  66 <hr />
  67 $SERVER_SIGNATURE
  68 </body></html>
  69 EOF
  70         exit 0
  71 }
  72
  73 # If the request is not over HTTPS return not found
  74 [ "$HTTPS" = "on" ] || notfound
  75
  76 # Set isgit if we've detected a Git client or a Git-only URL
  77 isgit=
  78 isoldgit=
  79 case "$HTTP_USER_AGENT" in *[Gg]it/*)
  80         isgit=1
  81         case "$HTTP_USER_AGENT" in
  82         *[Jj][Gg]it/*)
  83                 isoldgit=1
  84                 ;;
  85         *)
  86                 suffix="${HTTP_USER_AGENT##*[Gg]it/}"
  87                 gitvers="${suffix%%[!0-9.]*}"
  88                 gitvers="${gitvers%.}"
  89                 case "$gitvers" in
  90                         [1-9][0-9]*|[2-9]|[2-9].*|1.[1-9][0-9]*|1.9*| \
  91                         1.8.[1-9][0-9]*|1.8.[3-9]|1.8.[3-9].*) :;;
  92                         *)
  93                                 isoldgit=1
  94                 esac
  95         esac
  96 esac
  97
  98 needsauth=1
  99 service=
 100 if [ -n "$REQUEST_URI" ]; then
 101         # Try to detect whether or not it was something that needs auth
 102         needsauth=
 103         BASE="${REQUEST_URI%%[?]*}"
 104         QS="${REQUEST_URI#$BASE}"
 105         QS="${QS#[?]}"
 106         case "$BASE" in
 107                 */info/refs)
 108                         case "&$QS&" in *"&service=git-receive-pack&"*)
 109                                 service=git-receive-pack
 110                                 case "$BASE" in
 111                                         /r/*)
 112                                                 needsauth=1
 113                                                 #isgit=1
 114                                                 ;;
 115                                         *)
 116                                                 [ -z "$isgit" ] || needsauth=1
 117                                 esac
 118                         esac
 119                         ;;
 120                 */git-receive-pack)
 121                         service=git-receive-pack
 122                         case "$BASE" in
 123                                 /r/*)
 124                                         needsauth=1
 125                                         #isgit=1
 126                                         ;;
 127                                 *)
 128                                         [ -z "$isgit" ] || needsauth=1
 129                         esac
 130         esac
 131 fi
 132 [ -n "$needsauth" ] || notfound
 133
 134 # Return a text/plain response WITHOUT any additional parameters (such as
 135 # charset=) so that the Git client will display the result unless the client
 136 # doesn't appear to be Git in which case send an HTML response.
 137
 138 # We need some config variables
 139 . @basedir@/shlib.sh
 140
 141 if [ -n "$isgit" ]; then
 142         message="\
 143 ======================================================================
 144 Authentication Required
 145 ======================================================================
 146
 147 In order to push using https, you must first
 148 configure a user push certificate.
 149
 150 You may download a user push certificate from
 151 the edit user page that may be accessed at:
 152
 153   $cfg_webadmurl/edituser.cgi
 154
 155 Instructions for configuring Git to use the
 156 downloaded push certificate can be found at:
 157
 158   $cfg_htmlurl/httpspush.html
 159
 160 Do not forget to also configure the location
 161 of your private key (see the above page).
 162
 163 ======================================================================
 164 "
 165         if [ -n "$isoldgit" -a -n "$service" ]; then
 166                 l1=$(printf 'xxxx# service=%s\n' "$service" | wc -c)
 167                 l2=$(printf 'xxxxERR \n%s' "$message" | wc -c)
 168                 headers 200 "application/x-$service-advertisement" \
 169                         "Content-Length: $(( $l1 + 4 + $l2 ))"
 170                 printf '%04x# service=%s\n0000%04xERR \n%s' $l1 "$service" \
 171                         $l2 "$message"
 172         else
 173                 headers 403 "text/plain"
 174                 printf '%s' "$message"
 175         fi
 176         exit 0
 177 fi
 178
 179 # Send it in HTML instead as it appears that a Git push URL has been
 180 # fetched using a browser instead of a Git client.
 181
 182 headers 403 "text/html; charset=iso-8859-1"
 183 cat <<EOF
 184 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 185 <html><head>
 186 <title>Authentication Required</title>
 187 </head><body>
 188 <h1>Authentication Required</h1>
 189
 190 <p>In order to push using https, you must first
 191 configure a user push certificate.</p>
 192
 193 <p>You may download a user push certificate from
 194 the edit user page that may be accessed at:</p>
 195
 196 <ul><a href="$cfg_webadmurl/edituser.cgi">$cfg_webadmurl/edituser.cgi</a></ul>
 197
 198 <p>Instructions for configuring Git to use the
 199 downloaded push certificate can be found at:</p>
 200
 201 <ul><a href="$cfg_htmlurl/httpspush.html">$cfg_htmlurl/httpspush.html</a></ul>
 202
 203 <p>Do not forget to also configure the location
 204 of your private key (see the above page).</p>
 205
 206 <hr />
 207 $SERVER_SIGNATURE</body></html>
 208 EOF
 209 exit 0