about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch43
-rw-r--r--third_party/josh/default.nix4
2 files changed, 47 insertions, 0 deletions
diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
new file mode 100644
index 000000000000..d3a2c0e99836
--- /dev/null
+++ b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
@@ -0,0 +1,43 @@
+From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
+From: Vincent Ambo <mail@tazj.in>
+Date: Fri, 11 Feb 2022 13:14:02 +0300
+Subject: [PATCH] josh-proxy: Always require authentication when pushing
+
+This supports the use-case where josh serves a public repo without
+auth, but requires auth for pushing back.
+---
+ josh-proxy/src/auth.rs           | 4 ++--
+ josh-proxy/src/bin/josh-proxy.rs | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
+index 96a8241..0a007f3 100644
+--- a/josh-proxy/src/auth.rs
++++ b/josh-proxy/src/auth.rs
+@@ -54,8 +54,8 @@ impl Handle {
+     }
+ }
+ 
+-pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
+-    if required && auth.hash.is_empty() {
++pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
++    if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
+         return Ok(false);
+     }
+ 
+diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
+index 700f2da..a96da1c 100644
+--- a/josh-proxy/src/bin/josh-proxy.rs
++++ b/josh-proxy/src/bin/josh-proxy.rs
+@@ -449,7 +449,7 @@ async fn call_service(
+     ]
+     .join("");
+ 
+-    if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
++    if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
+         .in_current_span()
+         .await?
+     {
+-- 
+2.34.1
+
diff --git a/third_party/josh/default.nix b/third_party/josh/default.nix
index 7e32a37e7761..70786a2648cf 100644
--- a/third_party/josh/default.nix
+++ b/third_party/josh/default.nix
@@ -26,4 +26,8 @@ depot.third_party.naersk.buildPackage {
     "-p"
     "josh-ui"
   ];
+
+  overrideMain = x: {
+    patches = [ ./0001-josh-proxy-Always-require-authentication-when-pushin.patch ];
+  };
 }