authorVincent Ambo <mail@tazj.in>2022-02-11T10·17+0300
committerclbot <clbot@tvl.fyi>2022-02-13T17·39+0000
commit813e0c07475bfdfbd1f05ba658ae65b8f1a4ef82 (patch)
tree66b3309beae61e72a9847277d8763a28241c7190 /third_party/josh
parentfe290a5ff8033b1b606ac80131ec2e5b0b30f0e4 (diff)
fix(3p/josh): Require HTTP authentication when pushing back r/3815
With this change it becomes possible to push back to code.tvl.fyi
through josh views.

We probably want to change this patch so that it can be upstreamed,
but for now I just want to get this to work.

Change-Id: I7cdacf384e38da6ba9621e5818cfaf7c5d5c99a2
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5273
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: tazjin <tazjin@tvl.su>
Diffstat (limited to 'third_party/josh')
-rw-r--r--third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch43
-rw-r--r--third_party/josh/default.nix4
2 files changed, 47 insertions, 0 deletions
diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
new file mode 100644
index 0000000000..d3a2c0e998
--- /dev/null
+++ b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
@@ -0,0 +1,43 @@
+From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
+From: Vincent Ambo <mail@tazj.in>
+Date: Fri, 11 Feb 2022 13:14:02 +0300
+Subject: [PATCH] josh-proxy: Always require authentication when pushing
+
+This supports the use-case where josh serves a public repo without
+auth, but requires auth for pushing back.
+---
+ josh-proxy/src/auth.rs           | 4 ++--
+ josh-proxy/src/bin/josh-proxy.rs | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
+index 96a8241..0a007f3 100644
+--- a/josh-proxy/src/auth.rs
++++ b/josh-proxy/src/auth.rs
+@@ -54,8 +54,8 @@ impl Handle {
+     }
+ }
+ 
+-pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
+-    if required && auth.hash.is_empty() {
++pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
++    if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
+         return Ok(false);
+     }
+ 
+diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
+index 700f2da..a96da1c 100644
+--- a/josh-proxy/src/bin/josh-proxy.rs
++++ b/josh-proxy/src/bin/josh-proxy.rs
+@@ -449,7 +449,7 @@ async fn call_service(
+     ]
+     .join("");
+ 
+-    if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
++    if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
+         .in_current_span()
+         .await?
+     {
+-- 
+2.34.1
+
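Review bot: The push gate added to `check_auth` in josh-proxy/src/auth.rs is an exact match, `pathinfo == "/git-receive-pack"`, so it only protects pushes if `parsed_url.pathinfo` has exactly that form for every request the proxy later handles as a push. Neither the URL parsing nor the dispatch is visible in this hunk, so that agreement should be confirmed and pinned with a test. The same condition leaves the push ref advertisement (`/info/refs?service=git-receive-pack`) unauthenticated when `require-auth` is off, which looks intended for a public repo but deserves a comment saying so. This branch rejects only an empty `auth.hash`; whether supplied credentials are actually verified is decided by the rest of the function, which continues outside the hunk. I would add a doc comment such as `/// Returns Ok(false) when no credentials were sent and either required is set or the request is a push (/git-receive-pack).`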
diff --git a/third_party/josh/default.nix b/third_party/josh/default.nix
index 7e32a37e77..70786a2648 100644
--- a/third_party/josh/default.nix
+++ b/third_party/josh/default.nix
@@ -26,4 +26,8 @@ depot.third_party.naersk.buildPackage {
     "-p"
     "josh-ui"
   ];
+
+  overrideMain = x: {
+    patches = [ ./0001-josh-proxy-Always-require-authentication-when-pushin.patch ];
+  };
 }