Commit 5edf72a0 authored by Nicolas Wavrant's avatar Nicolas Wavrant

slaprunner: git repos should'n be always readable by anonymous

parent 76a2af21
...@@ -43,7 +43,7 @@ mode = 0644 ...@@ -43,7 +43,7 @@ mode = 0644
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-runner.cfg url = ${:_profile_base_location_}/instance-runner.cfg
output = ${buildout:directory}/template-runner.cfg.in output = ${buildout:directory}/template-runner.cfg.in
md5sum = 255a06bcf2129b0f7f06c8dd2f92d221 md5sum = e24429a12dc5e733f5597227adea3b10
mode = 0644 mode = 0644
[template-runner-import-script] [template-runner-import-script]
...@@ -103,7 +103,7 @@ mode = 0644 ...@@ -103,7 +103,7 @@ mode = 0644
recipe = hexagonit.recipe.download recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/httpd_conf.in url = ${:_profile_base_location_}/httpd_conf.in
download-only = true download-only = true
md5sum = b2820ee59d2162a98a5ca63ce4b11043 md5sum = ac92f32bd9a0d8c39657b80d4a80f5cc
filename = httpd_conf.in filename = httpd_conf.in
mode = 0644 mode = 0644
......
...@@ -74,20 +74,29 @@ Alias /share {{ parameters.runner_home }} ...@@ -74,20 +74,29 @@ Alias /share {{ parameters.runner_home }}
ScriptSock {{ parameters.path_pid }} ScriptSock {{ parameters.path_pid }}
SetEnv GIT_PROJECT_ROOT {{ parameters.project_folder }}
SetEnv GIT_HTTP_EXPORT_ALL SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ {{ parameters.git_http_backend }}/ ScriptAlias /git/ {{ parameters.git_http_backend }}/
ScriptAlias /git-public/ {{ parameters.git_http_backend }}/ ScriptAlias /git-public/ {{ parameters.git_http_backend }}/
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR] RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
RewriteCond %{REQUEST_URI} /git-receive-pack$ RewriteCond %{REQUEST_URI} /git-receive-pack$
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes] RewriteRule ^/git/ - [E=AUTHREQUIRED:yes,E=GIT_PROJECT_ROOT:{{- parameters.project_private_folder -}}]
RewriteRule ^/git-public/ - [E=AUTHREQUIRED:yes] RewriteRule ^/git-public/ - [E=AUTHREQUIRED:yes,E=GIT_PROJECT_ROOT:{{- parameters.project_public_folder -}}]
<LocationMatch "^/git/"> <LocationMatch "^/git/">
Order Deny,Allow Order Deny,Allow
Deny from env=AUTHREQUIRED Deny from env=AUTHREQUIRED
AuthType Basic
AuthName "Git Access"
AuthUserFile "{{ parameters.etc_dir }}/.htpasswd"
Require valid-user
</LocationMatch>
<LocationMatch "^/git-public/">
Order Deny,Allow
Deny from env=AUTHREQUIRED
AuthType Basic AuthType Basic
AuthName "Git Access" AuthName "Git Access"
AuthUserFile "{{ parameters.etc_dir }}/.htpasswd" AuthUserFile "{{ parameters.etc_dir }}/.htpasswd"
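Review bot: The two `RewriteCond` lines attach only to the `RewriteRule ^/git/` directly after them, so the `^/git-public/` rule runs on every request, while a plain fetch under `/git/` never gets `AUTHREQUIRED` and is still served from the added `SetEnv GIT_PROJECT_ROOT {{ parameters.project_folder }}` with `GIT_HTTP_EXPORT_ALL`. That looks at odds with the commit title: if push-only auth is meant for the public path, repeat both conditions above the `^/git-public/` rule, and if `/git/` is meant to be private, its rule should set `AUTHREQUIRED` without conditions. It is also worth checking that the unconditional `SetEnv` does not overwrite the per-rule `E=GIT_PROJECT_ROOT:...` value, since mod_env applies `SetEnv` late in request processing. The second `<LocationMatch>` block continues past the end of the hunk, so any `Require` or `Satisfy` lines there are not visible.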
......
...@@ -138,6 +138,8 @@ project-test = $${:test}/project ...@@ -138,6 +138,8 @@ project-test = $${:test}/project
software-test = $${:test}/software software-test = $${:test}/software
instance-test = $${:test}/instance instance-test = $${:test}/instance
sessions = $${buildout:directory}/.sessions sessions = $${buildout:directory}/.sessions
private-project = $${:home}/.git-private
public-project = $${:home}/.git-public
#Create password recovery code for slaprunner #Create password recovery code for slaprunner
[recovery-code] [recovery-code]
...@@ -320,6 +322,8 @@ dav_lock = $${directory:var}/DavLock ...@@ -320,6 +322,8 @@ dav_lock = $${directory:var}/DavLock
etc_dir = $${directory:etc} etc_dir = $${directory:etc}
var_dir = $${directory:var} var_dir = $${directory:var}
project_folder = $${directory:project} project_folder = $${directory:project}
project_private_folder = $${runnerdirectory:private-project}
project_public_folder = $${runnerdirectory:private-project}
runner_home = $${runnerdirectory:home} runner_home = $${runnerdirectory:home}
git_http_backend = ${git:location}/libexec/git-core/git-http-backend git_http_backend = ${git:location}/libexec/git-core/git-http-backend
cgi_httpd_conf = $${monitor-httpd-configuration-file:rendered} cgi_httpd_conf = $${monitor-httpd-configuration-file:rendered}
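Review bot: `project_public_folder` is set to `$${runnerdirectory:private-project}`, the same value as `project_private_folder`, so the `/git-public/` rule that reads `parameters.project_public_folder` would point `GIT_PROJECT_ROOT` at the private repository directory. The `public-project = $${:home}/.git-public` entry added in the earlier hunk is never referenced in the visible lines. The line should read `project_public_folder = $${runnerdirectory:public-project}`.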
......