From 813e0c07475bfdfbd1f05ba658ae65b8f1a4ef82 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 11 Feb 2022 13:17:35 +0300 Subject: [PATCH] fix(3p/josh): Require HTTP authentication when pushing back With this change it becomes possible to push back to code.tvl.fyi through josh views. We probably want to change this patch so that it can be upstreamed, but for now I just want to get this to work. Change-Id: I7cdacf384e38da6ba9621e5818cfaf7c5d5c99a2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5273 Tested-by: BuildkiteCI Reviewed-by: sterni Autosubmit: tazjin --- ...s-require-authentication-when-pushin.patch | 43 +++++++++++++++++++ third_party/josh/default.nix | 4 ++ 2 files changed, 47 insertions(+) create mode 100644 third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch new file mode 100644 index 000000000..d3a2c0e99 --- /dev/null +++ b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch @@ -0,0 +1,43 @@ +From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001 +From: Vincent Ambo +Date: Fri, 11 Feb 2022 13:14:02 +0300 +Subject: [PATCH] josh-proxy: Always require authentication when pushing + +This supports the use-case where josh serves a public repo without +auth, but requires auth for pushing back. +--- + josh-proxy/src/auth.rs | 4 ++-- + josh-proxy/src/bin/josh-proxy.rs | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs +index 96a8241..0a007f3 100644 +--- a/josh-proxy/src/auth.rs ++++ b/josh-proxy/src/auth.rs +@@ -54,8 +54,8 @@ impl Handle { + } + } + +-pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult { +- if required && auth.hash.is_empty() { ++pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult { ++ if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") { + return Ok(false); + } + +diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs +index 700f2da..a96da1c 100644 +--- a/josh-proxy/src/bin/josh-proxy.rs ++++ b/josh-proxy/src/bin/josh-proxy.rs +@@ -449,7 +449,7 @@ async fn call_service( + ] + .join(""); + +- if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth")) ++ if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth")) + .in_current_span() + .await? + { +-- +2.34.1 + diff --git a/third_party/josh/default.nix b/third_party/josh/default.nix index 7e32a37e7..70786a264 100644 --- a/third_party/josh/default.nix +++ b/third_party/josh/default.nix @@ -26,4 +26,8 @@ depot.third_party.naersk.buildPackage { "-p" "josh-ui" ]; + + overrideMain = x: { + patches = [ ./0001-josh-proxy-Always-require-authentication-when-pushin.patch ]; + }; }