tvl-depot/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch

From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Fri, 11 Feb 2022 13:14:02 +0300
Subject: [PATCH] josh-proxy: Always require authentication when pushing

This supports the use-case where josh serves a public repo without
auth, but requires auth for pushing back.
---
 josh-proxy/src/auth.rs           | 4 ++--
 josh-proxy/src/bin/josh-proxy.rs | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
index 96a8241..0a007f3 100644
--- a/josh-proxy/src/auth.rs
+++ b/josh-proxy/src/auth.rs
@@ -54,8 +54,8 @@ impl Handle {
     }
 }
 
-pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
-    if required && auth.hash.is_empty() {
+pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {
+    if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
         return Ok(false);
     }
 
diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
index 700f2da..a96da1c 100644
--- a/josh-proxy/src/bin/josh-proxy.rs
+++ b/josh-proxy/src/bin/josh-proxy.rs
@@ -449,7 +449,7 @@ async fn call_service(
     ]
     .join("");
 
-    if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
+    if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
         .in_current_span()
         .await?
     {
-- 
2.34.1
fix(3p/josh): Require HTTP authentication when pushing back With this change it becomes possible to push back to code.tvl.fyi through josh views. We probably want to change this patch so that it can be upstreamed, but for now I just want to get this to work. Change-Id: I7cdacf384e38da6ba9621e5818cfaf7c5d5c99a2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5273 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Autosubmit: tazjin <tazjin@tvl.su> 2022-02-11 11:17:35 +01:00			`From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001`
			`From: Vincent Ambo <mail@tazj.in>`
			`Date: Fri, 11 Feb 2022 13:14:02 +0300`
			`Subject: [PATCH] josh-proxy: Always require authentication when pushing`

			`This supports the use-case where josh serves a public repo without`
			`auth, but requires auth for pushing back.`
			`---`
			`josh-proxy/src/auth.rs \| 4 ++--`
			`josh-proxy/src/bin/josh-proxy.rs \| 2 +-`
			`2 files changed, 3 insertions(+), 3 deletions(-)`

			`diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs`
			`index 96a8241..0a007f3 100644`
			`--- a/josh-proxy/src/auth.rs`
			`+++ b/josh-proxy/src/auth.rs`
			`@@ -54,8 +54,8 @@ impl Handle {`
			`}`
			`}`

			`-pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {`
			`- if required && auth.hash.is_empty() {`
			`+pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult<bool> {`
			`+ if auth.hash.is_empty() && (required \|\| pathinfo == "/git-receive-pack") {`
			`return Ok(false);`
			`}`

			`diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs`
			`index 700f2da..a96da1c 100644`
			`--- a/josh-proxy/src/bin/josh-proxy.rs`
			`+++ b/josh-proxy/src/bin/josh-proxy.rs`
			`@@ -449,7 +449,7 @@ async fn call_service(`
			`]`
			`.join("");`

			`- if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))`
			`+ if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))`
			`.in_current_span()`
			`.await?`
			`{`
			`--`
			`2.34.1`