diff --git a/contrib/gitweb/gitweb.conf b/contrib/gitweb/gitweb.conf
new file mode 100644
index 0000000..efe93a3
--- /dev/null
+++ b/contrib/gitweb/gitweb.conf
@@ -0,0 +1,40 @@
+# --------------------------------------------
+# Per-repo authorization based on gitolite ACL
+# Include this in gitweb.conf
+# See doc/3-faq-tips-etc.mkd for more info
+
+# HOME of the gitolite user
+my $gl_home = "/home/git";
+
+# environment variables needed by gitolite.pm
+$ENV{GL_RC} = "$gl_home/.gitolite.rc";
+$ENV{GL_USER} = $cgi->remote_user;
+
+# variables from the RC file
+our ($REPO_BASE, $GL_ADMINDIR);
+
+# set HOME temporarily for RC parsing
+my $orig_home = $ENV{HOME};
+$ENV{HOME} = $gl_home;
+do $ENV{GL_RC}
+ or die_error(500, "Failed to parse $ENV{GL_RC}: " . ($! or $@));
+$ENV{HOME} = $orig_home;
+
+# set project root etc. absolute paths
+$ENV{GL_REPO_BASE_ABS} = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$gl_home/$REPO_BASE" );
+$projects_list = $projectroot = $ENV{GL_REPO_BASE_ABS};
+
+# load gitolite helper routines
+require "$GL_ADMINDIR/src/gitolite.pm"
+ or die_error(500, "Failed to parse gitolite.pm: " . ($! or $@));
+
+$export_auth_hook = sub {
+ my $repo = shift;
+ # gitweb passes us the full repo path; so we strip the beginning
+ # and the end, to get the repo name as it is specified in gitolite conf
+ return unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;
+
+ # check for (at least) "R" permission
+ my ($perm, $creator) = &repo_rights($repo);
+ return ($perm =~ /R/);
+};
diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd
index ffb5f43..06f6799 100644
--- a/doc/3-faq-tips-etc.mkd
+++ b/doc/3-faq-tips-etc.mkd
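Review bot: The `$export_auth_hook` closure in the new `contrib/gitweb/gitweb.conf` never checks that the request was authenticated: `$ENV{GL_USER}` is assigned straight from `$cgi->remote_user`, which is undefined when the web server did not enforce authentication, and the decision is then left to `repo_rights` with that empty identity. How `repo_rights` treats an empty `GL_USER` is not visible in this hunk, so the hook should fail closed itself with `return unless defined $ENV{GL_USER} && length $ENV{GL_USER};` as its first statement; if anonymous read of `@all` repositories is intended, a comment should say so. The substitution should also end in `\z` rather than `$`, which tolerates a trailing newline, and `require ... or die_error(...)` never reaches `die_error` because `require` dies on failure, so wrapping it in `eval { ... }` and testing `$@` would give the intended 500 page. Because `do $ENV{GL_RC}` and the `require` execute the gitolite user's files as Perl inside the CGI process, the header comment should state that those files must be readable by the web server account but writable only by the gitolite administrator.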
@@ -588,51 +588,12 @@ the users *manage their own HTTP passwords*. Here's how: * tell your users to type in `ssh git@server htpasswd` to set or change their HTTP passwords -Here's the rest of how it hangs together. +Of course some other authentication method can be used (e.g. `mod_ldap`) as +long as the usernames match. Gitweb allows you to specify a subroutine to decide on access. We use that -feature and tie it to gitolite. Sample code (untested by me, but others do -use it, munged from something I saw [here][leho]) is given below. - -Note the **utter simplicity** of the actual check (just 1 line!). This is an -unexpected piece of luck coming from the decision to keep the config parse -separate from the actual access control. The config parser puts a pure perl -hash in that file named below as `$gl_conf_compiled`, so all the parsing is -already done and we just use it! - - # completely untested... but the basic idea should work fine - - # change these as needed - # projectroot should be the same as gitolite's REPO_BASE, but converted to - # an absolute path - $projectroot = '/home/git/repositories/'; - my $gl_conf_compiled = '/home/git/.gitolite/conf/gitolite.conf-compiled.pm'; - - # I am told this gives us the HTTP auth username - my $username = $cgi->remote_user; - - # ---------- - - # parse the config file; updates %repos hash - our %repos; - die "parse $gl_conf_compiled failed: " . ($! or $@) unless do $gl_conf_compiled; - - # this is gitweb's mechanism; it calls whatever sub is pointed at by this - # variable to decide access yes/no. Gitweb calls it with one argument - # containing the full path of the repo being accessed - $export_auth_hook = sub { - my $reponame = shift; - # take the full path provided, strip the beginning... 
- $reponame =~ s/\Q$projectroot\E\/?//; - # ...and the end, to get the repo name as it is specified in gitolite conf - $reponame =~ s/\.git$//; - - return exists $repos{$reponame}{R}{$username} - || exists $repos{$reponame}{R}{'@all'}; - }; - - -[leho]: http://leho.kraav.com/news/2009/10/27/using-apache-authentication-with-gitweb-gitosis-repository-access-control/ +feature and tie it to gitolite. Configuration example can be found in +`contrib/gitweb/`. ### advanced features