authorVincent Ambo <mail@tazj.in>2023-02-28T12·17+0300
committerclbot <clbot@tvl.fyi>2023-03-07T16·46+0000
commit89d9ce39b4c2d61e446fc5efdfe925f8835c9930 (patch)
tree20349b005ba70f2d1e1f4e177d380addf36d349c /third_party/josh
parentb74ffda583d40db8b94b58418f70430687b2eaf0 (diff)
chore(3p/josh): update josh to recent master commit r/5895
It's been a long time since we updated josh, almost 400 commits in
between. I read through the entire changelog, and here are relevant
josh commits from in between that might be interesting to us:

  38eecee Fix optimisation bug for compose filter (#1159)
  e1d10b6 Add :rev(...) filter
  0f1a07b Initial implementation of refs locking (#929)
  88cea2a Initial work on meta repo support
  030ad93 Change magic refs to include "for"
  28b1d75 Add split changes feature (#904)
  1f908d7 Discover filters only on HEAD (#774)
  a368d8f Make --require-auth only apply to push
  8d80230 Add :linear filter (#741)
  3460ec2 Implement redundant refs filtering (#700)
  55b4e50 Implement stacked changes support (#699)
  ea1f814 Handle @sha urls by creating magic ref (#690)
  883a381 Run filter discovery only on changed refs (#685)
  4bb004f Prepend refs/heads to base parameter as default (#664)

Of particular interest is a368d8f, which allows us to drop our
authentication patch and use the standard --require-auth flag again.

The default behaviour of dropping signatures on commits (which are
invalid after filtering) has also been changed in josh, now only
occurring when the `:unsign` filter is present. Since this breaks
commit hashes with our existing exported histories, we are opting to
set a `:unsign` filter prefix on all proxy requests to ensure that the
hashes stay consistent.

During this update we found a bug (josh#1155) which was fixed in the
commit that this CL moves josh to.

Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Diffstat (limited to 'third_party/josh')
-rw-r--r--third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch43
-rw-r--r--third_party/josh/default.nix16
2 files changed, 7 insertions, 52 deletions
diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
deleted file mode 100644
index d3a2c0e998..0000000000
--- a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
-From: Vincent Ambo <mail@tazj.in>
-Date: Fri, 11 Feb 2022 13:14:02 +0300
-Subject: [PATCH] josh-proxy: Always require authentication when pushing
-
-This supports the use-case where josh serves a public repo without
-auth, but requires auth for pushing back.
----
- josh-proxy/src/auth.rs           | 4 ++--
- josh-proxy/src/bin/josh-proxy.rs | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
-index 96a8241..0a007f3 100644
---- a/josh-proxy/src/auth.rs
-+++ b/josh-proxy/src/auth.rs
-@@ -54,8 +54,8 @@ impl Handle {
-     }
- }
- 
--pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
--    if required && auth.hash.is_empty() {
-+pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
-+    if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
-         return Ok(false);
-     }
- 
-diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
-index 700f2da..a96da1c 100644
---- a/josh-proxy/src/bin/josh-proxy.rs
-+++ b/josh-proxy/src/bin/josh-proxy.rs
-@@ -449,7 +449,7 @@ async fn call_service(
-     ]
-     .join("");
- 
--    if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
-+    if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
-         .in_current_span()
-         .await?
-     {
--- 
-2.34.1
-
diff --git a/third_party/josh/default.nix b/third_party/josh/default.nix
index 8900c6ad45..bc8640a19b 100644
--- a/third_party/josh/default.nix
+++ b/third_party/josh/default.nix
@@ -1,16 +1,18 @@
-# https://github.com/esrlabs/josh
+# https://github.com/josh-project/josh
 { depot, pkgs, ... }:
 
 let
+  rev = "fc857afda2c1536234e3bb1983c518a1abf63d25";
   src = pkgs.fetchFromGitHub {
-    owner = "esrlabs";
+    owner = "josh-project";
     repo = "josh";
-    rev = "effe6290559136faba5591a115e56c2b30210329";
-    hash = "sha256:0kam9rqjk96brvh15wj3h3vm2sqnr5pckz91az2ida5617d5gp9v";
+    inherit rev;
+    hash = "sha256:16ch7al7xfyjipgqh2n7grj985fv713mhi8y5bixb736vsad9q3w";
   };
 in
 depot.third_party.naersk.buildPackage {
   inherit src;
+  JOSH_VERSION = "git-${builtins.substring 0 8 rev}";
 
   buildInputs = with pkgs; [
     libgit2
@@ -20,16 +22,12 @@ depot.third_party.naersk.buildPackage {
 
   cargoBuildOptions = x: x ++ [
     "-p"
-    "josh"
+    "josh-filter"
     "-p"
     "josh-proxy"
-    "-p"
-    "josh-ui"
   ];
 
   overrideMain = x: {
-    patches = [ ./0001-josh-proxy-Always-require-authentication-when-pushin.patch ];
-
     nativeBuildInputs = (x.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
     postInstall = ''
       wrapProgram $out/bin/josh-proxy --prefix PATH : "${pkgs.git}/bin"
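Review bot: With the `patches` entry removed from `overrideMain`, the build no longer forces authentication on `/git-receive-pack`; per the commit description, pushes are now gated only when `josh-proxy` is started with `--require-auth`, and the wrapper visible here adds nothing but a `PATH` prefix. The diff shown is limited to `third_party/josh`, so the service definition that has to pass the flag cannot be checked from this page; it should be confirmed, since a missing flag would presumably let push requests reach the proxy without credentials. I would record the dependency next to the build, e.g. `# Push auth relies on josh-proxy running with --require-auth; the local patch that enforced it was dropped.` above `overrideMain`. The `postInstall` string continues outside the hunk.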