diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2014-01-15 05:49:31 (JST) |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2014-01-16 10:28:12 (JST) |
commit | d6e9200cc35411f3f27426b608bcfdef9348e6d3 (patch) | |
tree | 9cdd921b03465458d10b99ff4357f79a810501c0 /cgit.c | |
parent | 3741254a6989b2837cd8d20480f152f0096bcb9a (diff) | |
download | cgit-d6e9200cc35411f3f27426b608bcfdef9348e6d3.zip cgit-d6e9200cc35411f3f27426b608bcfdef9348e6d3.tar.gz |
auth: add basic authentication filter framework
This leverages the new lua support. See
filters/simple-authentication.lua for explaination of how this works.
There is also additional documentation in cgitrc.5.txt.
Though this is a cookie-based approach, cgit's caching mechanism is
preserved for authenticated pages.
Very plugable and extendable depending on user needs.
The sample script uses an HMAC-SHA1 based cookie to store the
currently logged in user, with an expiration date.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'cgit.c')
-rw-r--r-- | cgit.c | 96 |
1 files changed, 94 insertions, 2 deletions
@@ -192,6 +192,8 @@ static void config_cb(const char *name, const char *value) | |||
192 | ctx.cfg.commit_filter = cgit_new_filter(value, COMMIT); | 192 | ctx.cfg.commit_filter = cgit_new_filter(value, COMMIT); |
193 | else if (!strcmp(name, "email-filter")) | 193 | else if (!strcmp(name, "email-filter")) |
194 | ctx.cfg.email_filter = cgit_new_filter(value, EMAIL); | 194 | ctx.cfg.email_filter = cgit_new_filter(value, EMAIL); |
195 | else if (!strcmp(name, "auth-filter")) | ||
196 | ctx.cfg.auth_filter = cgit_new_filter(value, AUTH); | ||
195 | else if (!strcmp(name, "embedded")) | 197 | else if (!strcmp(name, "embedded")) |
196 | ctx.cfg.embedded = atoi(value); | 198 | ctx.cfg.embedded = atoi(value); |
197 | else if (!strcmp(name, "max-atom-items")) | 199 | else if (!strcmp(name, "max-atom-items")) |
@@ -378,6 +380,10 @@ static void prepare_context(struct cgit_context *ctx) | |||
378 | ctx->env.script_name = getenv("SCRIPT_NAME"); | 380 | ctx->env.script_name = getenv("SCRIPT_NAME"); |
379 | ctx->env.server_name = getenv("SERVER_NAME"); | 381 | ctx->env.server_name = getenv("SERVER_NAME"); |
380 | ctx->env.server_port = getenv("SERVER_PORT"); | 382 | ctx->env.server_port = getenv("SERVER_PORT"); |
383 | ctx->env.http_cookie = getenv("HTTP_COOKIE"); | ||
384 | ctx->env.http_referer = getenv("HTTP_REFERER"); | ||
385 | ctx->env.content_length = getenv("CONTENT_LENGTH") ? strtoul(getenv("CONTENT_LENGTH"), NULL, 10) : 0; | ||
386 | ctx->env.authenticated = 0; | ||
381 | ctx->page.mimetype = "text/html"; | 387 | ctx->page.mimetype = "text/html"; |
382 | ctx->page.charset = PAGE_ENCODING; | 388 | ctx->page.charset = PAGE_ENCODING; |
383 | ctx->page.filename = NULL; | 389 | ctx->page.filename = NULL; |
@@ -593,11 +599,92 @@ static int prepare_repo_cmd(struct cgit_context *ctx) | |||
593 | return 0; | 599 | return 0; |
594 | } | 600 | } |
595 | 601 | ||
602 | static inline void open_auth_filter(struct cgit_context *ctx, const char *function) | ||
603 | { | ||
604 | cgit_open_filter(ctx->cfg.auth_filter, function, | ||
605 | ctx->env.http_cookie ? ctx->env.http_cookie : "", | ||
606 | ctx->env.request_method ? ctx->env.request_method : "", | ||
607 | ctx->env.query_string ? ctx->env.query_string : "", | ||
608 | ctx->env.http_referer ? ctx->env.http_referer : "", | ||
609 | ctx->env.path_info ? ctx->env.path_info : "", | ||
610 | ctx->env.http_host ? ctx->env.http_host : "", | ||
611 | ctx->env.https ? ctx->env.https : "", | ||
612 | ctx->qry.repo ? ctx->qry.repo : "", | ||
613 | ctx->qry.page ? ctx->qry.page : "", | ||
614 | ctx->qry.url ? ctx->qry.url : ""); | ||
615 | } | ||
616 | |||
617 | #define MAX_AUTHENTICATION_POST_BYTES 4096 | ||
618 | static inline void authenticate_post(struct cgit_context *ctx) | ||
619 | { | ||
620 | if (ctx->env.http_referer && strlen(ctx->env.http_referer) > 0) { | ||
621 | html("Status: 302 Redirect\n"); | ||
622 | html("Cache-Control: no-cache, no-store\n"); | ||
623 | htmlf("Location: %s\n", ctx->env.http_referer); | ||
624 | } else { | ||
625 | html("Status: 501 Missing Referer\n"); | ||
626 | html("Cache-Control: no-cache, no-store\n\n"); | ||
627 | exit(0); | ||
628 | } | ||
629 | |||
630 | open_auth_filter(ctx, "authenticate-post"); | ||
631 | char buffer[MAX_AUTHENTICATION_POST_BYTES]; | ||
632 | int len; | ||
633 | len = ctx->env.content_length; | ||
634 | if (len > MAX_AUTHENTICATION_POST_BYTES) | ||
635 | len = MAX_AUTHENTICATION_POST_BYTES; | ||
636 | if (read(STDIN_FILENO, buffer, len) < 0) | ||
637 | die_errno("Could not read POST from stdin"); | ||
638 | if (write(STDOUT_FILENO, buffer, len) < 0) | ||
639 | die_errno("Could not write POST to stdout"); | ||
640 | /* The filter may now spit out a Set-Cookie: ... */ | ||
641 | cgit_close_filter(ctx->cfg.auth_filter); | ||
642 | |||
643 | html("\n"); | ||
644 | exit(0); | ||
645 | } | ||
646 | |||
647 | static inline void authenticate_cookie(struct cgit_context *ctx) | ||
648 | { | ||
649 | /* If we don't have an auth_filter, consider all cookies valid, and thus return early. */ | ||
650 | if (!ctx->cfg.auth_filter) { | ||
651 | ctx->env.authenticated = 1; | ||
652 | return; | ||
653 | } | ||
654 | |||
655 | /* If we're having something POST'd to /login, we're authenticating POST, | ||
656 | * instead of the cookie, so call authenticate_post and bail out early. | ||
657 | * This pattern here should match /?p=login with POST. */ | ||
658 | if (ctx->env.request_method && ctx->qry.page && !ctx->repo && \ | ||
659 | !strcmp(ctx->env.request_method, "POST") && !strcmp(ctx->qry.page, "login")) { | ||
660 | authenticate_post(ctx); | ||
661 | return; | ||
662 | } | ||
663 | |||
664 | /* If we've made it this far, we're authenticating the cookie for real, so do that. */ | ||
665 | open_auth_filter(ctx, "authenticate-cookie"); | ||
666 | ctx->env.authenticated = cgit_close_filter(ctx->cfg.auth_filter); | ||
667 | } | ||
668 | |||
596 | static void process_request(void *cbdata) | 669 | static void process_request(void *cbdata) |
597 | { | 670 | { |
598 | struct cgit_context *ctx = cbdata; | 671 | struct cgit_context *ctx = cbdata; |
599 | struct cgit_cmd *cmd; | 672 | struct cgit_cmd *cmd; |
600 | 673 | ||
674 | /* If we're not yet authenticated, no matter what page we're on, | ||
675 | * display the authentication body from the auth_filter. This should | ||
676 | * never be cached. */ | ||
677 | if (!ctx->env.authenticated) { | ||
678 | ctx->page.title = "Authentication Required"; | ||
679 | cgit_print_http_headers(ctx); | ||
680 | cgit_print_docstart(ctx); | ||
681 | cgit_print_pageheader(ctx); | ||
682 | open_auth_filter(ctx, "body"); | ||
683 | cgit_close_filter(ctx->cfg.auth_filter); | ||
684 | cgit_print_docend(); | ||
685 | return; | ||
686 | } | ||
687 | |||
601 | cmd = cgit_get_cmd(ctx); | 688 | cmd = cgit_get_cmd(ctx); |
602 | if (!cmd) { | 689 | if (!cmd) { |
603 | ctx->page.title = "cgit error"; | 690 | ctx->page.title = "cgit error"; |
@@ -911,6 +998,7 @@ int main(int argc, const char **argv) | |||
911 | int err, ttl; | 998 | int err, ttl; |
912 | 999 | ||
913 | cgit_init_filters(); | 1000 | cgit_init_filters(); |
1001 | atexit(cgit_cleanup_filters); | ||
914 | 1002 | ||
915 | prepare_context(&ctx); | 1003 | prepare_context(&ctx); |
916 | cgit_repolist.length = 0; | 1004 | cgit_repolist.length = 0; |
@@ -948,18 +1036,22 @@ int main(int argc, const char **argv) | |||
948 | cgit_parse_url(ctx.qry.url); | 1036 | cgit_parse_url(ctx.qry.url); |
949 | } | 1037 | } |
950 | 1038 | ||
1039 | /* Before we go any further, we set ctx.env.authenticated by checking to see | ||
1040 | * if the supplied cookie is valid. All cookies are valid if there is no | ||
1041 | * auth_filter. If there is an auth_filter, the filter decides. */ | ||
1042 | authenticate_cookie(&ctx); | ||
1043 | |||
951 | ttl = calc_ttl(); | 1044 | ttl = calc_ttl(); |
952 | if (ttl < 0) | 1045 | if (ttl < 0) |
953 | ctx.page.expires += 10 * 365 * 24 * 60 * 60; /* 10 years */ | 1046 | ctx.page.expires += 10 * 365 * 24 * 60 * 60; /* 10 years */ |
954 | else | 1047 | else |
955 | ctx.page.expires += ttl * 60; | 1048 | ctx.page.expires += ttl * 60; |
956 | if (ctx.env.request_method && !strcmp(ctx.env.request_method, "HEAD")) | 1049 | if (!ctx.env.authenticated || (ctx.env.request_method && !strcmp(ctx.env.request_method, "HEAD"))) |
957 | ctx.cfg.nocache = 1; | 1050 | ctx.cfg.nocache = 1; |
958 | if (ctx.cfg.nocache) | 1051 | if (ctx.cfg.nocache) |
959 | ctx.cfg.cache_size = 0; | 1052 | ctx.cfg.cache_size = 0; |
960 | err = cache_process(ctx.cfg.cache_size, ctx.cfg.cache_root, | 1053 | err = cache_process(ctx.cfg.cache_size, ctx.cfg.cache_root, |
961 | ctx.qry.raw, ttl, process_request, &ctx); | 1054 | ctx.qry.raw, ttl, process_request, &ctx); |
962 | cgit_cleanup_filters(); | ||
963 | if (err) | 1055 | if (err) |
964 | cgit_print_error("Error processing page: %s (%d)", | 1056 | cgit_print_error("Error processing page: %s (%d)", |
965 | strerror(err), err); | 1057 | strerror(err), err); |