test smart http mode, update docs (including mob mode)

- allow a mob username to be defined; all unauthenticated access will look to gitolite like this user (if you setup apache also properly) - update doc with more details (some repeat stuff from `man git-http-backend` but it's probably worth having everything in one place
2011-01-17 19:36:26 +05:30 · 2011-01-17 19:36:26 +05:30 · 0360dc9f3f
parent c8b1d8cc5b
commit 0360dc9f3f
6 changed files with 92 additions and 35 deletions
--- a/conf/example.gitolite.rc
+++ b/conf/example.gitolite.rc
@ -53,6 +53,7 @@ $SVNSERVE = "";
 # $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
 # $GL_ADC_PATH = "";
 # $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
+# $GL_HTTP_ANON_USER = "mob";

 # ------------------------------------------------------------------------------
 # less used/changed variables
--- a/doc/developer-notes.mkd
+++ b/doc/developer-notes.mkd
@ -40,8 +40,8 @@ suite.  The following exceptions exist:

  * basic, manual, testing only
      * most admin defined commands
-  * not yet tested
      * smart http
+  * not yet tested
      * mirroring
      * mob branches
  * things which I have no easy way to test
--- a/doc/gitolite.rc.mkd
+++ b/doc/gitolite.rc.mkd
@ -250,6 +250,14 @@ on feedback from my users to find or fix issues.

    Example: `$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"`

+  * `$GL_HTTP_ANON_USER`, string, default undef
+
+    Analogous to running mob branches over ssh (as described in
+    [doc/mob-branches.mkd][mob], this variable -- combined with appropriate
+    setup described in [doc/http-backend.mkd][smart] -- lets you pretend to
+    gitolite that unauthenticated HTTP users are actually authenticated as
+    this user.
+
 <a name="_less_used_changed_variables"></a>

 ### less used/changed variables
@ -336,3 +344,5 @@ on feedback from my users to find or fix issues.
 [faq]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd
 [adc]: http://github.com/sitaramc/gitolite/blob/pu/doc/admin-defined-commands.mkd
 [mirr]: http://github.com/sitaramc/gitolite/blob/pu/doc/mirroring.mkd
+[mob]: http://github.com/sitaramc/gitolite/blob/pu/doc/mob-branches.mkd
+[smart]: http://github.com/sitaramc/gitolite/blob/pu/doc/http-backend.mkd
--- a/doc/http-backend.mkd
+++ b/doc/http-backend.mkd
@ -12,8 +12,9 @@ In this document:
  * <a href="#_additional_requirements">additional requirements</a>
  * <a href="#_detailed_instructions">detailed instructions</a>
      * <a href="#_install_gitolite_under_apache_">install gitolite under "apache"</a>
-      * <a href="#_setup_the_http_backend">setup the http-backend</a>
+      * <a href="#_setup_apache">setup apache</a>
  * <a href="#_usage">usage</a>
+  * <a href="#_allowing_anonymous_access">allowing anonymous access</a>

 ----

@ -34,7 +35,7 @@ In this document:
    `HOME=$GITOLITE_HTTP_HOME` and hope for the best.  Luckily most of them
    have to do with sshkeys so this may not matter.  YMMV.

-  * tested on stock Fedora 13; if you test on other environments please let me
+  * tested on stock Fedora 14; if you test on other environments please let me
    know how it worked out and if we need to adjust this document

  * tested https with dummy certs and `GIT_SSL_NO_VERIFY`; no reason why it
@ -66,56 +67,74 @@ if it does not.  Similarly for "/var/www" and other file names/locations.

 #### install gitolite under "apache"

-  * follow the "non-root" method, but since you can't even "su - apache", make
-    the following variations when doing this as root:
+Follow the "non-root" method, but since you can't even "su - apache", make the
+following variations when doing this as root:

-      * `cd ~apache` first; this is `/var/www` on Fedora 13
+  * `cd ~apache` first; this is `/var/www` on Fedora 14

-      * do this in the shell
+  * do this in the shell

-            mkdir gitolite-home
-            export GITOLITE_HTTP_HOME
-            GITOLITE_HTTP_HOME=/var/www/gitolite-home
-            PATH=$PATH:$GITOLITE_HTTP_HOME/bin
+        mkdir gitolite-home
+        export GITOLITE_HTTP_HOME
+        GITOLITE_HTTP_HOME=/var/www/gitolite-home
+        PATH=$PATH:$GITOLITE_HTTP_HOME/bin

-      * now run the first 3 install steps for "non-root" method (clone, mkdir,
-        and gl-system-install), but **substitute `GITOLITE_HTTP_HOME` in place of
-        `HOME`** in the mkdir and gl-system-install steps.
+  * now run the first 3 install steps for "non-root" method (clone, mkdir, and
+    gl-system-install), but **substitute** `GITOLITE_HTTP_HOME` in place of
+    `HOME` in the mkdir and gl-system-install steps.

-        **Do NOT run the gl-setup step yet**.
+    **Do NOT run the gl-setup step yet**.

-      * after the gl-system-install step, add these to the **top** of
-        /var/www/gitolite-home/share/gitolite/conf/example.gitolite.rc
+        cd gitolite-home
+        git clone /tmp/gitolite.git gitolite-source

-            $ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend";
-                # or wherever you have that file; not NO trailing slash
-            $ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin";
-                # note the ".=" here, not "="
+        cd gitolite-source
+        GHH=$GITOLITE_HTTP_HOME     # just for convenience in next 2 commands
+        mkdir -p              $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks
+        src/gl-system-install $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks

-      * run gl-setup with the name of your admin user
+  * after the gl-system-install step, add these to the **top** of
+    /var/www/gitolite-home/share/gitolite/conf/example.gitolite.rc

-            gl-setup sitaram
+        $ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend";
+            # or wherever you have that file; not NO trailing slash
+        $ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin";
+            # note the ".=" here, not "="

-      * IMPORTANT: fix up ownerships
+  * run gl-setup with the name of your admin user

-            chown -R apache.apache $GITOLITE_HTTP_HOME
+        gl-setup sitaram

-<a name="_setup_the_http_backend"></a>
+  * IMPORTANT: fix up ownerships

-#### setup the http-backend
+        chown -R apache.apache $GITOLITE_HTTP_HOME

-  * when you setup the apache config according to "man git-http-backend",
-    change these two as below (please note the trailing slash on the
-    ScriptAlias line):
+<a name="_setup_apache"></a>

-        SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
-        ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
+#### setup apache

-    You also need this new variable:
+You will need to setup certain values in the httpd conf, as given in `man
+git-http-backend`.  You can put all them into, for instance,
+`/etc/httpd/conf.d/gitolite.conf` and apache [at least on Fedora 14] will pick
+it up.  These are the values to use; note that these are somewhat different
+from those in the manpage cited above, plus we have one extra variable:

-        SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home
+    SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
+    SetEnv GIT_HTTP_EXPORT_ALL
+    ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
+        # note trailing slash

-And that's it... you're done for the setup!
+    SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home
+
+    <Location /git>
+        AuthType Basic
+        AuthName "Private Git Access"
+        Require valid-user
+        AuthUserFile /path/to/some/passwdfile
+    </Location>
+
+Now create/update the password file in `/path/to/some/passwdfile` using the
+`htpasswd` command, and you're all done for the setup!

 <a name="_usage"></a>

@ -144,4 +163,28 @@ following works and I'm leaving it at that:
 With a few nice shell aliases, you won't even notice the horrible convolutions
 here ;-)

+<a name="_allowing_anonymous_access"></a>
+
+### allowing anonymous access
+
+Like [mob branches][mob] with ssh, you can allow completely
+**un**-authenticated users to still have some rights specified in gitolite.
+Briefly, here's how:
+
+  * specify a ScriptAlias in apache config for unauthenticated access also.  I
+    prefer something like
+
+        ScriptAlias /gitmob/ /var/www/gitolite-home/bin/gl-auth-command/
+
+  * set `$GL_HTTP_ANON_USER` to some name, like 'mob' or 'anon' in the rc file
+
+  * give rights to this user ('mob' or 'anon' or whatever you used) in the
+    gitolite config file and push the change
+
+URLs (in this example) will then look like `http://server/gitmob/reponame.git`
+-- we lose the userid:passwd part and change 'git' to 'gitmob'.
+
 Enjoy!
+
+[mob]: http://github.com/sitaramc/gitolite/blob/pu/doc/mob-branches.mkd
+
--- a/src/gitolite_rc.pm
+++ b/src/gitolite_rc.pm
@ -22,6 +22,8 @@ use Exporter 'import';
    $GL_SLAVE_MODE $GL_WILDREPOS $GL_WILDREPOS_DEFPERMS
    $GL_WILDREPOS_PERM_CATS $HTPASSWD_FILE $PROJECTS_LIST $REPO_BASE
    $REPO_UMASK $RSYNC_BASE $SVNSERVE $UPDATE_CHAINS_TO
+
+    $GL_HTTP_ANON_USER
 );

 # ------------------------------------------------------------------------------
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@ -74,6 +74,7 @@ if ($ENV{REQUEST_URI}) {
    # so the rest of the code stays the same (except the exec at the end).
    simulate_ssh_connection();

+    $ENV{REMOTE_USER} ||= $GL_HTTP_ANON_USER;   # see doc/http-backend.mkd
    $user = $ENV{GL_USER} = $ENV{REMOTE_USER};
 } else {
    # no (more) arguments given in ssh mode?  default user is $USER