Commit 5edf72a0 by Nicolas Wavrant

slaprunner: git repos should'n be always readable by anonymous

parent 76a2af21
......@@ -43,7 +43,7 @@ mode = 0644
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-runner.cfg
output = ${buildout:directory}/template-runner.cfg.in
md5sum = 255a06bcf2129b0f7f06c8dd2f92d221
md5sum = e24429a12dc5e733f5597227adea3b10
mode = 0644
[template-runner-import-script]
......@@ -103,7 +103,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/httpd_conf.in
download-only = true
md5sum = b2820ee59d2162a98a5ca63ce4b11043
md5sum = ac92f32bd9a0d8c39657b80d4a80f5cc
filename = httpd_conf.in
mode = 0644
......
......@@ -74,15 +74,14 @@ Alias /share {{ parameters.runner_home }}
ScriptSock {{ parameters.path_pid }}
SetEnv GIT_PROJECT_ROOT {{ parameters.project_folder }}
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ {{ parameters.git_http_backend }}/
ScriptAlias /git-public/ {{ parameters.git_http_backend }}/
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
RewriteCond %{REQUEST_URI} /git-receive-pack$
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
RewriteRule ^/git-public/ - [E=AUTHREQUIRED:yes]
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes,E=GIT_PROJECT_ROOT:{{- parameters.project_private_folder -}}]
RewriteRule ^/git-public/ - [E=AUTHREQUIRED:yes,E=GIT_PROJECT_ROOT:{{- parameters.project_public_folder -}}]
<LocationMatch "^/git/">
Order Deny,Allow
......@@ -92,6 +91,16 @@ RewriteRule ^/git-public/ - [E=AUTHREQUIRED:yes]
AuthName "Git Access"
AuthUserFile "{{ parameters.etc_dir }}/.htpasswd"
Require valid-user
</LocationMatch>
<LocationMatch "^/git-public/">
Order Deny,Allow
Deny from env=AUTHREQUIRED
AuthType Basic
AuthName "Git Access"
AuthUserFile "{{ parameters.etc_dir }}/.htpasswd"
Require valid-user
Satisfy any
</LocationMatch>
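Review bot: The two `RewriteCond` lines apply only to the `RewriteRule` that immediately follows them, so the rewritten `^/git/` rule fires on pushes only while the `^/git-public/` rule fires on every request. As written, every `/git-public/` request is tagged `AUTHREQUIRED`, which the new `<LocationMatch "^/git-public/">` block denies to anonymous clients, so anonymous fetches appear to be refused. `/git/` fetches never get the private `GIT_PROJECT_ROOT` and fall back to whatever `SetEnv GIT_PROJECT_ROOT` provides, if that line is still present. I would set the root in unconditional rules of its own, e.g. `RewriteRule ^/git-public/ - [E=GIT_PROJECT_ROOT:{{- parameters.project_public_folder -}}]` and the equivalent for `^/git/`, and repeat the condition pair in front of the `/git-public/` `AUTHREQUIRED` rule. The `<LocationMatch "^/git/">` block is only partly visible between the two hunks, so its access rules could not be checked.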
......
......@@ -138,6 +138,8 @@ project-test = $${:test}/project
software-test = $${:test}/software
instance-test = $${:test}/instance
sessions = $${buildout:directory}/.sessions
private-project = $${:home}/.git-private
public-project = $${:home}/.git-public
#Create password recovery code for slaprunner
[recovery-code]
......@@ -320,6 +322,8 @@ dav_lock = $${directory:var}/DavLock
etc_dir = $${directory:etc}
var_dir = $${directory:var}
project_folder = $${directory:project}
project_private_folder = $${runnerdirectory:private-project}
project_public_folder = $${runnerdirectory:private-project}
runner_home = $${runnerdirectory:home}
git_http_backend = ${git:location}/libexec/git-core/git-http-backend
cgi_httpd_conf = $${monitor-httpd-configuration-file:rendered}
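Review bot: `project_public_folder` is assigned `$${runnerdirectory:private-project}`, the same value as `project_private_folder`, so the `public-project` directory added in the earlier hunk is never referenced. The httpd template passes this parameter as `GIT_PROJECT_ROOT` for `/git-public/`, so that endpoint would serve the private repository root instead of the public one; if `GIT_HTTP_EXPORT_ALL` remains set, every repository under it is exported. The line should read `project_public_folder = $${runnerdirectory:public-project}`. The section these parameters belong to starts outside the hunk.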
......