about summary refs log tree commit diff
path: root/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2023-02-28T12·17+0300
committerclbot <clbot@tvl.fyi>2023-03-07T16·46+0000
commit89d9ce39b4c2d61e446fc5efdfe925f8835c9930 (patch)
tree20349b005ba70f2d1e1f4e177d380addf36d349c /third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
parentb74ffda583d40db8b94b58418f70430687b2eaf0 (diff)
chore(3p/josh): update josh to recent master commit r/5895
It's been a long time since we updated josh, almost 400 commits in
between. I read through the entire changelog, and here are relevant
josh commits from in between that might be interesting to us:

  38eecee Fix optimisation bug for compose filter (#1159)
  e1d10b6 Add :rev(...) filter
  0f1a07b Initial implementation of refs locking (#929)
  88cea2a Initial work on meta repo support
  030ad93 Change magic refs to include "for"
  28b1d75 Add split changes feature (#904)
  1f908d7 Discover filters only on HEAD (#774)
  a368d8f Make --require-auth only apply to push
  8d80230 Add :linear filter (#741)
  3460ec2 Implement redundant refs filtering (#700)
  55b4e50 Implement stacked changes support (#699)
  ea1f814 Handle @sha urls by creating magic ref (#690)
  883a381 Run filter discovery only on changed refs (#685)
  4bb004f Prepend refs/heads to base parameter as default (#664)

Of particular interest is a368d8f, which allows us to drop our
authentication patch and use the standard --require-auth flag again.

The default behaviour of dropping signatures on commits (which are
invalid after filtering) has also been changed in josh, now only
occuring when the `:unsign` filter is present. Since this breaks
commit hashes with our existing exported histories, we are opting to
set a `:unsign` filter prefix on all proxy requests to ensure that the
hashes stay consistent.

During this update we found a bug (josh#1155) which was fixed in the
commit that this CL moves josh to.

Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Diffstat (limited to 'third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch')
-rw-r--r--third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch43
1 files changed, 0 insertions, 43 deletions
diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
deleted file mode 100644
index d3a2c0e99836..000000000000
--- a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
-From: Vincent Ambo <mail@tazj.in>
-Date: Fri, 11 Feb 2022 13:14:02 +0300
-Subject: [PATCH] josh-proxy: Always require authentication when pushing
-
-This supports the use-case where josh serves a public repo without
-auth, but requires auth for pushing back.
----
- josh-proxy/src/auth.rs           | 4 ++--
- josh-proxy/src/bin/josh-proxy.rs | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
-index 96a8241..0a007f3 100644
---- a/josh-proxy/src/auth.rs
-+++ b/josh-proxy/src/auth.rs
-@@ -54,8 +54,8 @@ impl Handle {
-     }
- }
- 
--pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
--    if required && auth.hash.is_empty() {
-+pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
-+    if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
-         return Ok(false);
-     }
- 
-diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
-index 700f2da..a96da1c 100644
---- a/josh-proxy/src/bin/josh-proxy.rs
-+++ b/josh-proxy/src/bin/josh-proxy.rs
-@@ -449,7 +449,7 @@ async fn call_service(
-     ]
-     .join("");
- 
--    if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
-+    if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
-         .in_current_span()
-         .await?
-     {
--- 
-2.34.1
-