
I have gitolite set up and working with SSH key based auth. I can control access to repos via the gitolite-admin.git repo and the conf file. All of this works great over SSH but I would like to use GitWeb as a quick way to view the repos.

GitWeb is working great now but shows all repositories via the web interface. So my goal here is to:

  • Authenticate users in apache2 via PAM. I already have the Ubuntu server authenticating against AD and all the users are available. This should not be an issue.
  • Use the user name logged in with to check gitolite permissions
  • Display appropriate repos in the web interface.

Does anyone have a starting point for this? The Apache part shouldn't be difficult, and I'll set it to auth all of the /gitweb/ URL. I don't know how to pass that username around and authorize it against gitolite. Any ideas?

Thanks,

Nathan

nat45928

1 Answer

Yes, it is possible, but you need to complete the gitweb config scripts in order to call gitolite.

The key is in the gitweb_config.perl: if that file exists, gitweb will include and call it.
See my gitweb/gitweb_config.perl file:

```perl
our $home_link_str = "ITSVC projects";
our $site_name = "ITSVC Gitweb";
use lib (".");
require "gitweb.conf.pl";
```

In gitweb/gitweb.conf.pl (custom script), I define the official callback function called by gitweb: export_auth_hook: that function will call gitolite.

```perl
use Gitolite::Common;
use Gitolite::Conf::Load;

# REMOTE_USER as set by the Apache auth module; requests without one
# fall back to the "gitweb" user
$ENV{GL_USER} = $cgi->remote_user || "gitweb";

$export_auth_hook = sub {
  my $repo = shift;
  my $user = $ENV{GL_USER};
  # gitweb passes us the full repo path; so we strip the beginning
  # and the end, to get the repo name as it is specified in gitolite conf
  return unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;

  # check for (at least) "R" permission
  my $ret = &access( $repo, $user, 'R', 'any' );

  return ($ret !~ /DENIED/);
};
```

From the comments:

GL_USER is set because of the line:

```perl
$ENV{GL_USER} = $cgi->remote_user || "gitweb";
```

$cgi->remote_user will pick the environment REMOTE_USER set by any Apache Auth module which has completed the authentication (like in this Apache configuration file).
You can print it with a 'die' line.

"Could not find Gitolite/Rc.pm" means the INC variable used by perl doesn't contain $ENV{GL_LIBDIR}; (set to ~/gitolite/lib or <any_place_where_gitolite_was_installed>/lib).
That is why there is a line in the same gitweb/gitweb.conf.pl file which adds that to INC:

```perl
unshift @INC, $ENV{GL_LIBDIR};
use lib $ENV{GL_LIBDIR};
use Gitolite::Rc;
```

Edit from Nat45928: in my case I needed to insert my home path into all the '@H@' entries. That solved all of my issues right away.

nat45928
VonC
  • Ok, I think I follow all of this. How does GitWeb know the initial username to start all of this with? – nat45928 Aug 11 '14 at 16:56
  • @nat45928 because of the line `$ENV{GL_USER} = $cgi->remote_user || "gitweb";`: the authentication is supposed to be done by Apache before calling gitweb: see https://github.com/VonC/compileEverything/blob/c1ec1e4bb4dedea93bc251d8395c9c7627c08440/apache/env.conf.tpl#L99-L134: the last line is calling gitweb `DirectoryIndex gitweb.cgi`. – VonC Aug 11 '14 at 17:01
  • Ah, ok. And the $cgi->remote_user is pulling the info from the Apache2 session setup with the "AuthType form" entry? So any type of Apache Auth mod can be used? Thanks for the help! – nat45928 Aug 11 '14 at 17:15
  • @nat45928 yes, as long as that Auth mod (http://httpd.apache.org/docs/current/howto/auth.html) has set the `$REMOTE_USER` variable. – VonC Aug 11 '14 at 17:19
  • the $REMOTE_USER variable being that $cgi->remote_user? Is there a way I can tell if that has been set? – nat45928 Aug 11 '14 at 17:27
  • @nat45928 yes, `$cgi->remote_user` will have the content of `$REMOTE_USER`. I generally set some die debug lines to check its content, as in https://github.com/VonC/compileEverything/blob/c1ec1e4bb4dedea93bc251d8395c9c7627c08440/gitweb/gitweb.conf.pl.tpl#L17 – VonC Aug 11 '14 at 17:29
  • Awesome. I am going to give this a whirl starting with Basic auth in apache2. I'll mark it as the answer if everything works. – nat45928 Aug 11 '14 at 17:40
  • Threw a "Could not find Gitolite/Rc.pm" seems like the gitolite RC file. Looks like `use Gitolite::RC;` is the line that screwed it up. any ideas on how to link those? – nat45928 Aug 11 '14 at 19:59
  • @nat45928 what gitolite version are you using? – VonC Aug 11 '14 at 20:09
  • @nat45928 note that sources like `Gitolite/Rc.pm` are known because of the line `unshift @INC, $ENV{GL_LIBDIR};`, which adds to the Perl `@INC` variable the path to the Gitolite library perl scripts. – VonC Aug 11 '14 at 20:13
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/59126/discussion-between-nat45928-and-vonc). – nat45928 Aug 11 '14 at 20:35
  • @nat45928 sorry, I went to bed a bit before your chat invitation. – VonC Aug 12 '14 at 05:08
  • @nat45928 yes, the scripts I link are not meant to be used as is. Any @H@ are templates to be replaced by actual values. – VonC Aug 12 '14 at 12:16
  • Yep, that's what tripped me up. I thought it was odd but I had never seen that notation. But otherwise your scripts worked flawlessly. A lot easier than I imagined this would be. Thanks again! – nat45928 Aug 12 '14 at 12:23
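
The decision logic of the answer's `export_auth_hook`, as an added example that is not part of the original post or of VonC's scripts. `access()` here is a stand-in with a constructed ACL table so the script runs without gitolite, and `may_export`, the paths and the user names are hypothetical. It also refuses when the call fails or returns nothing, because an undefined value would otherwise pass the `!~ /DENIED/` test.

```perl
#!/usr/bin/perl
# Added example: exercises the export_auth_hook decision offline.
use strict;
use warnings;

our $projectroot = "/home/git/repositories";   # constructed path

# Constructed ACL standing in for gitolite.conf: repo => { user => 1 }.
my %acl = (
    "testing"    => { "gitweb" => 1, "alice" => 1, "bob" => 1 },
    "team/infra" => { "alice" => 1 },
);

# Stand-in for the access() call used by the hook above; as that hook
# expects, a refusal is reported as a string containing "DENIED".
sub access {
    my ($repo, $user, $perm, $ref) = @_;
    return $acl{$repo}{$user} ? "refs/.*"
                              : "$perm $ref $repo $user DENIED by fallthru";
}

# Same decision as the hook, with the user passed in explicitly. Anything
# other than a clear, non-DENIED answer is treated as a refusal.
sub may_export {
    my ($path, $remote_user) = @_;
    # No REMOTE_USER from Apache: fall back to the "gitweb" user.
    my $user = (defined $remote_user && length $remote_user)
             ? $remote_user : "gitweb";
    my $repo = $path;
    # Paths outside $projectroot, or not ending in .git, are never exported.
    return 0 unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;
    my $ret = eval { access($repo, $user, 'R', 'any') };
    return 0 unless defined $ret && length $ret;   # error or empty: refuse
    return $ret !~ /DENIED/ ? 1 : 0;
}

# Constructed requests: [ repository path, REMOTE_USER or undef ].
my @cases = (
    [ "$projectroot/testing.git",    undef   ],
    [ "$projectroot/team/infra.git", undef   ],
    [ "$projectroot/team/infra.git", "alice" ],
    [ "$projectroot/team/infra.git", "bob"   ],
    [ "/srv/other/testing.git",      "alice" ],
);
for my $c (@cases) {
    my ($path, $ru) = @$c;
    printf "%-40s %-8s %s\n", $path, $ru // "(none)",
        may_export($path, $ru) ? "listed" : "hidden";
}
```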