From d95e868620ef345eb69159334453624827f2e6e6 Mon Sep 17 00:00:00 2001
From: Simon Arlott
Date: Sun, 9 May 2010 18:04:54 +0300
Subject: [PATCH 1/3] add svnserve exec support
---
 src/gitolite.pm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/gitolite.pm b/src/gitolite.pm
index 3bc513f..b3efd0c 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -35,6 +35,7 @@ our $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/-]*$);
 # these come from the RC file
 our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS);
+our ($SVNSERVE);
 our %repos;
 # ----------------------------------------------------------------------------
@@ -385,6 +386,8 @@ sub special_cmd
 &ext_cmd_htpasswd($HTPASSWD_FILE);
 } elsif ($RSYNC_BASE and $cmd =~ /^rsync /) {
 &ext_cmd_rsync($GL_CONF_COMPILED, $RSYNC_BASE, $cmd);
+ } elsif ($SVNSERVE and $cmd eq 'svnserve -t') {
+ &ext_cmd_svnserve($SVNSERVE);
 } else {
 # if the user is allowed a shell, just run the command
 exec $ENV{SHELL}, "-c", $cmd if $shell_allowed;
@@ -480,4 +483,17 @@ EOFhtp
 die "htpasswd command seems to have failed with $rc return code...\n" if $rc;
 }
+# ----------------------------------------------------------------------------
+# external command helper: svnserve
+# ----------------------------------------------------------------------------
+
+sub ext_cmd_svnserve
+{
+ my $SVNSERVE = shift;
+
+ $SVNSERVE =~ s/%u/$ENV{GL_USER}/g;
+ exec $SVNSERVE;
+ die "svnserve exec failed\n";
+}
+
 1;
From cf9bb98e87fbeec265a5e981e76750f9fb4a1b44 Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Sun, 9 May 2010 18:04:55 +0300
Subject: [PATCH 2/3] tweaked and documented svnserve support
---
 conf/example.gitolite.rc | 14 ++++++++++++++
 doc/3-faq-tips-etc.mkd | 12 ++++++++++++
 src/gitolite.pm | 3 +--
 src/gl-auth-command | 4 ++--
 4 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/conf/example.gitolite.rc b/conf/example.gitolite.rc
index b1a921f..91c776b 100644
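Review bot: The new `elsif` branch hands every authenticated gitolite user straight to `ext_cmd_svnserve` without consulting the compiled config, unlike the rsync branch next to it, which passes `$GL_CONF_COMPILED` so its helper can check access; nothing on this page suggests that is unintended, but it deserves a comment so nobody later assumes gitolite's per-repo rules cover svnserve. I would add above the branch: `# no gitolite access rules apply here: any user with a key reaches svnserve, and authorization is left to svnserve itself (-r root, --tunnel-user, its own config)`. The exact `eq 'svnserve -t'` match is the right shape for this dispatch. special_cmd begins and ends outside the hunk.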
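Review bot: `exec $SVNSERVE;` passes a single string, so Perl splits it on whitespace — or, if the string contains any shell metacharacter after the `%u` substitution, hands the whole line to `/bin/sh -c`. Because `$ENV{GL_USER}` is spliced in unquoted, a user name containing whitespace or a metacharacter would either split `--tunnel-user=%u` into several arguments or reach the shell; whether gitolite already restricts user names tightly enough is not visible here, so I would not rely on it. Split the configured command once with `Text::ParseWords::shellwords` (core), substitute `%u` per word, and use the block form of `exec` so the shell is never involved and admins can quote a path containing spaces in the rc file. `Text::ParseWords` needs importing at the top of src/gitolite.pm. Also include `$!` in the die message so an exec failure is diagnosable.
```perl
sub ext_cmd_svnserve
{
    my $SVNSERVE = shift;

    # split the rc string into words first, then substitute %u per word, so
    # GL_USER is always exactly one argv element and exec never uses /bin/sh
    my @argv = shellwords($SVNSERVE);
    s/%u/$ENV{GL_USER}/g for @argv;
    die "svnserve command is empty\n" unless @argv;
    exec { $argv[0] } @argv;
    die "svnserve exec failed: $!\n";
}
```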
--- a/conf/example.gitolite.rc
+++ b/conf/example.gitolite.rc
@@ -143,6 +143,20 @@ $RSYNC_BASE = "";
 # $RSYNC_BASE = "/home/git/up-down";
 # $RSYNC_BASE = "/tmp/up-down";
+# --------------------------------------
+# EXTERNAL COMMAND HELPER -- SVNSERVE
+
+# security note: runs an external command (svnserve) with specific arguments,
+# as specified below. %u is substituted with the username.
+
+# This setting allows launching svnserve when requested by the ssh client.
+# This allows using the same SSH setup (hostname/username/public key) for both
+# SVN and git access. Leave it undefined or set to the empty string to disable
+# svnserve access.
+
+$SVNSERVE = "";
+# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
+
 # --------------------------------------
 # ALLOW REPO CONFIG TO USE WILDCARDS
diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd
index ff8dc09..cd8336d 100644
--- a/doc/3-faq-tips-etc.mkd
+++ b/doc/3-faq-tips-etc.mkd
@@ -503,6 +503,18 @@ You can specify hooks that you want to propagate to all repos, as well as per-repo "gitconfig" settings. Please see `doc/2-admin.mkd` and `conf/example.conf` for details.
+
+
+#### svnserve ####
+
+If you are transitioning from SVN to gitolite, and have a lot of users using
+public-key authentication with SVN, this feature may be useful to you. Once
+you migrate all users' public keys into gitolite, you can set the `$SVNSERVE`
+variable in `~/.gitolite.rc` to tie `svnserve` with gitolite's authentication
+system. Assuming you installed gitolite to the same user as the one you used
+for SVN, SVN connectivity will be retained, and users will be able to use
+both SVN and git using the same SSH configuration.
+
 ### helping with gitweb
diff --git a/src/gitolite.pm b/src/gitolite.pm
index b3efd0c..e7239d3 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
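Review bot: The comment above `$SVNSERVE` should tell admins how the string is interpreted, because the code in src/gitolite.pm (not in this hunk) hands the whole value to a single-argument `exec`: Perl splits it on whitespace, so a path or argument containing a space cannot be expressed here, and any shell metacharacter in the value turns it into a `/bin/sh -c` command line. I would extend the security note with `# the value is split on whitespace and exec'd directly (no shell); keep paths free of spaces and shell metacharacters`. It is also worth stating that gitolite's repo access rules are not consulted for this command — every user with a key in gitolite can reach svnserve, and `-r` plus svnserve's own configuration decide what they may see.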
@@ -35,7 +35,6 @@ our $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/-]*$);
 # these come from the RC file
 our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS);
-our ($SVNSERVE);
 our %repos;
 # ----------------------------------------------------------------------------
@@ -365,7 +364,7 @@ sub expand_wild
 sub special_cmd
 {
- my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE) = @_;
+ my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE) = @_;
 my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
 my $user = $ENV{GL_USER};
diff --git a/src/gl-auth-command b/src/gl-auth-command
index 24fc5b9..2cb4371 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -24,7 +24,7 @@ use warnings;
 # ----------------------------------------------------------------------------
 # these are set by the "rc" file
-our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS);
+our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE, $GL_WILDREPOS);
 # and these are set by gitolite.pm
 our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT);
 our %repos;
@@ -151,7 +151,7 @@ if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
 my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
 unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
 # ok, it's not a normal git command; call the special command helper
- &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE);
+ &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE);
 exit;
 }
 die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
From 4ad9807225c95074ed8d40e9d84a003ec975feaa Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Mon, 10 May 2010 07:25:23 +0530
Subject: [PATCH 3/3] doc/3: made doc for extcmd a little more generic, with specific sections for commands as needed
---
 doc/3-faq-tips-etc.mkd | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd
index cd8336d..4dd49b2 100644
--- a/doc/3-faq-tips-etc.mkd
+++ b/doc/3-faq-tips-etc.mkd
@@ -503,18 +503,6 @@ You can specify hooks that you want to propagate to all repos, as well as per-repo "gitconfig" settings. Please see `doc/2-admin.mkd` and `conf/example.conf` for details.
-
-
-#### svnserve ####
-
-If you are transitioning from SVN to gitolite, and have a lot of users using
-public-key authentication with SVN, this feature may be useful to you. Once
-you migrate all users' public keys into gitolite, you can set the `$SVNSERVE`
-variable in `~/.gitolite.rc` to tie `svnserve` with gitolite's authentication
-system. Assuming you installed gitolite to the same user as the one you used
-for SVN, SVN connectivity will be retained, and users will be able to use
-both SVN and git using the same SSH configuration.
-
 ### helping with gitweb
@@ -656,14 +644,34 @@ Please see `doc/4-wildcard-repositories.mkd` for all the details.
 Gitolite now has a mechanism for allowing access control for arbitrary external commands, as long as they are invoked via ssh and present a server-side command that contains enough information to make an access control
-decision. The first (and only, so far) such command implemented is rsync.
+decision.
 Note that this is incompatible with giving people shell access as described in `doc/6-ssh-troubleshooting.mkd` -- people who have shell access are not subject to this mechanism (it wouldn't make sense to try and control someone who has shell access anyway).
-Please see the config files (both of them) for examples and usage.
+In general, external commands require changes in one or both the config files;
+the sample files in `conf/` double as documentation, so you should look there
+for examples and usage.
+
+Commands implemented so far are:
+
+ * rsync
+ * svnserve (see next section for a brief description; this has been
+ contributed by Simon and Vladimir)
+
+
+
+##### svnserve
+
+If you are transitioning from SVN to gitolite, and have a lot of users using
+public-key authentication with SVN, this feature may be useful to you. Once
+you migrate all users' public keys into gitolite, you can set the `$SVNSERVE`
+variable in `~/.gitolite.rc` to tie `svnserve` with gitolite's authentication
+system. Assuming you installed gitolite to the same user as the one you used
+for SVN, SVN connectivity will be retained, and users will be able to use
+both SVN and git using the same SSH configuration.
 ## design choices