From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: git@vger.kernel.org
Cc: "Sam Vilain" <sam.vilain@catalyst.net.nz>,
"Junio C Hamano" <gitster@pobox.com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: [PATCH 1/6 v2] git-cvsserver: authentication support for pserver
Date: Sat, 15 May 2010 15:06:46 +0000 [thread overview]
Message-ID: <1273936006-22357-1-git-send-email-avarab@gmail.com> (raw)
In-Reply-To: <1273891564-7523-2-git-send-email-avarab@gmail.com>
Allow git-cvsserver to use authentication over pserver mode. The
pserver user/password database is stored in the config file for each
repository.
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Worriedly-Acked-by: Martin Langhoff <martin.langhoff@gmail.com>
---
The descramble() method was potentially broken if anyone had fed it a
non-bytestring. Now it uses unpack() instead of regexes.
Documentation/git-cvsserver.txt | 21 +++++++++--
git-cvsserver.perl | 73 ++++++++++++++++++++++++++++++++++----
2 files changed, 82 insertions(+), 12 deletions(-)
diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index dbb053e..f4e1339 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -72,9 +72,6 @@ plugin. Most functionality works fine with both of these clients.
LIMITATIONS
-----------
-Currently cvsserver works over SSH connections for read/write clients, and
-over pserver for anonymous CVS access.
-
CVS clients cannot tag, branch or perform GIT merges.
'git-cvsserver' maps GIT branches to CVS modules. This is very different
@@ -84,7 +81,7 @@ one or more directories.
INSTALLATION
------------
-1. If you are going to offer anonymous CVS access via pserver, add a line in
+1. If you are going to offer CVS access via pserver, add a line in
/etc/inetd.conf like
+
--
@@ -101,6 +98,22 @@ looks like
cvspserver stream tcp nowait nobody /usr/bin/git-cvsserver git-cvsserver pserver
------
+
+Only anonymous access is provided by pserve by default. To commit you
+will have to create pserver accounts, simply add a [gitcvs.users]
+section to the repositories you want to access, for example:
+
+------
+
+ [gitcvs.users]
+ someuser = somepassword
+ otheruser = otherpassword
+
+------
+Then provide your password via the pserver method, for example:
+------
+ cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
+------
No special setup is needed for SSH access, other than having GIT tools
in the PATH. If you have clients that do not accept the CVS_SERVER
environment variable, you can rename 'git-cvsserver' to `cvs`.
diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index 13751db..7097419 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -183,12 +183,35 @@ if ($state->{method} eq 'pserver') {
exit 1;
}
$line = <STDIN>; chomp $line;
- unless ($line eq 'anonymous') {
- print "E Only anonymous user allowed via pserver\n";
- print "I HATE YOU\n";
- exit 1;
+ my $user = $line;
+ $line = <STDIN>; chomp $line;
+ my $password = $line;
+
+ unless ($user eq 'anonymous') {
+ # Trying to authenticate a user
+ if (not exists $cfg->{gitcvs}->{users}) {
+ print "E the repo config file needs a [gitcvs.users] section with user/password key-value pairs\n";
+ print "I HATE YOU\n";
+ exit 1;
+ } elsif (exists $cfg->{gitcvs}->{users} and not exists $cfg->{gitcvs}->{users}->{$user}) {
+ #print "E the repo config file has a [gitcvs.users] section but the user $user is not defined in it\n";
+ print "I HATE YOU\n";
+ exit 1;
+ } else {
+ my $descrambled_password = descramble($password);
+ my $cleartext_password = $cfg->{gitcvs}->{users}->{$user};
+ if ($descrambled_password ne $cleartext_password) {
+ #print "E The password supplied for user $user was incorrect\n";
+ print "I HATE YOU\n";
+ exit 1;
+ }
+ # else fall through to LOVE
+ }
}
- $line = <STDIN>; chomp $line; # validate the password?
+
+ # For checking whether the user is anonymous on commit
+ $state->{user} = $user;
+
$line = <STDIN>; chomp $line;
unless ($line eq "END $request REQUEST") {
die "E Do not understand $line -- expecting END $request REQUEST\n";
@@ -314,7 +337,7 @@ sub req_Root
}
foreach my $line ( @gitvars )
{
- next unless ( $line =~ /^(gitcvs)\.(?:(ext|pserver)\.)?([\w-]+)=(.*)$/ );
+ next unless ( $line =~ /^(gitcvs)\.(?:(ext|pserver|users)\.)?([\w-]+)=(.*)$/ );
unless ($2) {
$cfg->{$1}{$3} = $4;
} else {
@@ -1271,9 +1294,9 @@ sub req_ci
$log->info("req_ci : " . ( defined($data) ? $data : "[NULL]" ));
- if ( $state->{method} eq 'pserver')
+ if ( $state->{method} eq 'pserver' and $state->{user} eq 'anonymous' )
{
- print "error 1 pserver access cannot commit\n";
+ print "error 1 anonymous user cannot commit via pserver\n";
cleanupWorkTree();
exit;
}
@@ -2586,6 +2609,40 @@ sub cvs_author
$author;
}
+
+sub descramble
+{
+ # This table is from src/scramble.c in the CVS source
+ my @SHIFTS = (
+ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+ 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+ 114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
+ 111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
+ 41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
+ 125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
+ 36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
+ 58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
+ 225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
+ 199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
+ 174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
+ 207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
+ 192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
+ 227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
+ 182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
+ 243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152
+ );
+ my ($str) = @_;
+
+ # This should never happen, the same password format (A) bas been
+ # used by CVS since the beginning of time
+ die "invalid password format $1" unless substr($str, 0, 1) eq 'A';
+
+ my @str = unpack "C*", substr($str, 1);
+ my $ret = join '', map { chr $SHIFTS[$_] } @str;
+ return $ret;
+}
+
+
package GITCVS::log;
####
--
1.7.1.84.gd92f8
next prev parent reply other threads:[~2010-05-15 15:07 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-14 4:08 [PATCH] Authentication support for pserver Ævar Arnfjörð Bjarmason
2007-12-14 5:32 ` Junio C Hamano
2007-12-14 5:44 ` Shawn O. Pearce
2007-12-14 6:55 ` Ævar Arnfjörð Bjarmason
2007-12-14 8:13 ` Junio C Hamano
2007-12-14 21:08 ` Ævar Arnfjörð Bjarmason
2007-12-18 9:41 ` Martin Langhoff
2007-12-18 20:39 ` Martin Langhoff
[not found] ` <46a038f90712181238p7529a02bmde21c89956a3f641@mail.gmail.com>
2007-12-18 21:10 ` Ævar Arnfjörð Bjarmason
2007-12-18 21:37 ` Junio C Hamano
2008-03-07 0:48 ` Ævar Arnfjörð Bjarmason
2008-03-07 16:13 ` Ævar Arnfjörð Bjarmason
2008-06-19 17:38 ` Ævar Arnfjörð Bjarmason
2008-06-19 19:00 ` Martin Langhoff
2008-06-19 19:21 ` Junio C Hamano
2008-06-19 20:14 ` Junio C Hamano
2010-05-15 2:45 ` [PATCH 0/6] git-cvsserver: password " Ævar Arnfjörð Bjarmason
2010-05-15 2:45 ` [PATCH 1/6] git-cvsserver: authentication " Ævar Arnfjörð Bjarmason
2010-05-15 15:06 ` Ævar Arnfjörð Bjarmason [this message]
2010-05-15 2:46 ` [PATCH 2/6] git-cvsserver: use a password file cvsserver pserver Ævar Arnfjörð Bjarmason
2010-05-15 15:07 ` [PATCH 2/6 v2] " Ævar Arnfjörð Bjarmason
2010-05-15 2:46 ` [PATCH 3/6] git-cvsserver: indent & clean up authdb code Ævar Arnfjörð Bjarmason
2010-05-15 2:46 ` [PATCH 4/6] git-cvsserver: Improved error handling for pserver Ævar Arnfjörð Bjarmason
2010-05-15 2:46 ` [PATCH 5/6] git-cvsserver: document making a password without htpasswd Ævar Arnfjörð Bjarmason
2010-05-15 2:46 ` [PATCH 6/6] git-cvsserver: test for pserver authentication support Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1273936006-22357-1-git-send-email-avarab@gmail.com \
--to=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=sam.vilain@catalyst.net.nz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).