ivari

CGIT Gitolite Patch

This patch was completely rewritten in November 2015, discarding all previous versions.

When publishing software projects, we currently use the git versioning system. I did not like the default Gitweb frontend, so I decided to use cgit instead.

Since there are many different software projects stored on one site, there should be some reasonable access control system to prevent unauthorized pushes and pulls. We are using Gitolite for that purpose.

Unfortunately, none of the web frontends behaved well in a multiuser environment. The typical result was that repositories were, if not world-readable, then still shown in the repository listing. There are ways to limit access by utilizing file system privileges, but this looks awful since we are already using Gitolite.

To overcome that issue I created a quick patch to support Gitolite repository authorization in cgit.

My version added a project-filter configuration option that refers to a worker script written in Lua. The script does not perform authentication itself; it gets the authenticated user name from the REMOTE_USER environment variable instead.

When the repository list is being built, the filter script is called with the name of the repository currently being processed. The script must return either 1 to allow or 0 to deny access. Repositories for which access is denied are excluded from the listing, which hides them and effectively bans any further access.

Populating the REMOTE_USER variable can be done via HTTP Authentication (e.g. Basic). Please be reminded that HTTP Basic Authentication is insecure and should only be used over an SSL channel. Since authentication is done by the web server, any method works as long as the username is stored in the REMOTE_USER variable.

This solution can be used with any available authorization system, but we are currently relying on Gitolite. Note that Gitolite requires the HOME environment variable to be set to the directory where the Gitolite configuration resides.
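The access decision described above, as an added example (not the patch's sample filter script, which is written in Lua, and not code from the project): a POSIX shell function that takes the authenticated user and a repository name and prints 1 or 0, denying whenever anything is missing or malformed. The `GITOLITE_HOME` variable and the character allow-lists are assumptions made here; the query itself uses Gitolite v3's `gitolite access` command.

```shell
#!/bin/sh
# Added example: not the patch's Lua sample filter.
# GITOLITE_HOME is a hypothetical variable naming the directory that holds
# the Gitolite configuration; the character allow-lists are assumptions too.

repo_allowed() {
    user=${1-}
    repo=${2-}
    repo=${repo%.git}        # cgit may see "name.git"; Gitolite wants "name"

    # Fail closed when the web server passed no authenticated user.
    [ -n "$user" ] || { echo 0; return 0; }

    # Gitolite needs HOME to find its configuration; without it, deny.
    home=${GITOLITE_HOME:-${HOME-}}
    [ -n "$home" ] || { echo 0; return 0; }

    # Reject values that could be read as options or escape the repo base.
    case $repo in
        ''|-*|/*|*..*|*[!A-Za-z0-9._/@+-]*) echo 0; return 0 ;;
    esac
    case $user in
        -*|*[!A-Za-z0-9._@+-]*) echo 0; return 0 ;;
    esac

    # "gitolite access -q" exits 0 only if the user holds the permission (R).
    # Any other outcome, including a missing gitolite binary, means deny.
    if ( HOME=$home; export HOME; gitolite access -q "$repo" "$user" R any ) \
        >/dev/null 2>&1
    then echo 1
    else echo 0
    fi
}

# Stand-alone use: ./check.sh <repo>   (the user comes from REMOTE_USER)
[ $# -eq 0 ] || repo_allowed "${REMOTE_USER-}" "$1"
```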

Further technical information is located in the sample filter script and in the configuration manual under the project-filter configuration option.

Previous versions of the patch relied heavily on the Gitolite configuration file format. They had limited support and were error-prone. Therefore I decided to completely rewrite the patch using the Lua scripting engine that was already available in cgit. This way it is effectively decoupled from Gitolite logic and can be used with any external authorization method. The previous patch is therefore considered deprecated and has been entirely removed from this repository.

Artifacts