about summary refs log tree commit diff
path: root/third_party/josh
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/josh')
-rw-r--r--third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch43
-rw-r--r--third_party/josh/default.nix38
2 files changed, 81 insertions, 0 deletions
diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
new file mode 100644
index 000000000000..d3a2c0e99836
--- /dev/null
+++ b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
@@ -0,0 +1,43 @@
+From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
+From: Vincent Ambo <mail@tazj.in>
+Date: Fri, 11 Feb 2022 13:14:02 +0300
+Subject: [PATCH] josh-proxy: Always require authentication when pushing
+
+This supports the use-case where josh serves a public repo without
+auth, but requires auth for pushing back.
+---
+ josh-proxy/src/auth.rs           | 4 ++--
+ josh-proxy/src/bin/josh-proxy.rs | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
+index 96a8241..0a007f3 100644
+--- a/josh-proxy/src/auth.rs
++++ b/josh-proxy/src/auth.rs
+@@ -54,8 +54,8 @@ impl Handle {
+     }
+ }
+ 
+-pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
+-    if required && auth.hash.is_empty() {
++pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
++    if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
+         return Ok(false);
+     }
+ 
+diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
+index 700f2da..a96da1c 100644
+--- a/josh-proxy/src/bin/josh-proxy.rs
++++ b/josh-proxy/src/bin/josh-proxy.rs
+@@ -449,7 +449,7 @@ async fn call_service(
+     ]
+     .join("");
+ 
+-    if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
++    if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
+         .in_current_span()
+         .await?
+     {
+-- 
+2.34.1
+
diff --git a/third_party/josh/default.nix b/third_party/josh/default.nix
new file mode 100644
index 000000000000..c82f91f80c94
--- /dev/null
+++ b/third_party/josh/default.nix
@@ -0,0 +1,38 @@
+# https://github.com/esrlabs/josh
+{ depot, pkgs, ... }:
+
+let
+  src = pkgs.fetchFromGitHub {
+    owner = "esrlabs";
+    repo = "josh";
+    rev = "effe6290559136faba5591a115e56c2b30210329";
+    hash = "sha256:0kam9rqjk96brvh15wj3h3vm2sqnr5pckz91az2ida5617d5gp9v";
+  };
+in
+depot.third_party.naersk.buildPackage {
+  inherit src;
+
+  buildInputs = with pkgs; [
+    libgit2
+    openssl
+    pkgconfig
+  ];
+
+  cargoBuildOptions = x: x ++ [
+    "-p"
+    "josh"
+    "-p"
+    "josh-proxy"
+    "-p"
+    "josh-ui"
+  ];
+
+  overrideMain = x: {
+    patches = [ ./0001-josh-proxy-Always-require-authentication-when-pushin.patch ];
+
+    nativeBuildInputs = (x.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
+    postInstall = ''
+      wrapProgram $out/bin/josh-proxy --prefix PATH : "${pkgs.git}/bin"
+    '';
+  };
+}
generated by cgit-pink 1.4.1 (git 2.44.2) at 2025-01-16T15ยท14+0000