authorLibravatar Rutger Broekhoff2024-01-02 17:44:14 +0100
committerLibravatar Rutger Broekhoff2024-01-02 17:44:14 +0100
commitd4f75fb6db22e57577867445a022227e70958931 (patch)
tree666fe132e94b9d2e7c9a8526f4033b66d271607e
parente556fb266333be1938afd8673df2c6cd2fb7a3aa (diff)
Wheee
-rw-r--r--cmd/git-lfs-server/main.go27
1 files changed, 20 insertions, 7 deletions
diff --git a/cmd/git-lfs-server/main.go b/cmd/git-lfs-server/main.go
index 0652e87..b13f997 100644
--- a/cmd/git-lfs-server/main.go
+++ b/cmd/git-lfs-server/main.go
@@ -92,12 +92,13 @@ type batchResponse struct {
92} 92}
93 93
94type handler struct { 94type handler struct {
95 mc *minio.Client 95 mc *minio.Client
96 bucket string 96 bucket string
97 anonUser string 97 anonUser string
98 gitolitePath string 98 gitolitePath string
99 privateKey ed25519.PrivateKey 99 privateKey ed25519.PrivateKey
100 baseURL *url.URL 100 baseURL *url.URL
101 exportAllForwardedHosts []string
101} 102}
102 103
103func isValidSHA256Hash(hash string) bool { 104func isValidSHA256Hash(hash string) bool {
@@ -566,6 +567,16 @@ func (h *handler) authorizeBatchAPI(w http.ResponseWriter, r *http.Request, or o
566 user := h.anonUser 567 user := h.anonUser
567 ctx := r.Context() 568 ctx := r.Context()
568 569
570 if or.operation == operationDownload {
571 // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
572 forwardedHost := r.Header.Get("X-Forwarded-Host")
573 if forwardedHost != "" && slices.Contains(h.exportAllForwardedHosts, forwardedHost) {
574 // This is a forwarded host for which all repositories are exported,
575 // regardless of ownership configuration in Gitolite.
576 return true
577 }
578 }
579
569 if authz := r.Header.Get("Authorization"); authz != "" { 580 if authz := r.Header.Get("Authorization"); authz != "" {
570 if !strings.HasPrefix(authz, "Bearer ") { 581 if !strings.HasPrefix(authz, "Bearer ") {
571 makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest) 582 makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest)
@@ -821,8 +832,10 @@ func main() {
821 baseURLStr := os.Getenv("BASE_URL") 832 baseURLStr := os.Getenv("BASE_URL")
822 listenHost := os.Getenv("LISTEN_HOST") 833 listenHost := os.Getenv("LISTEN_HOST")
823 listenPort := os.Getenv("LISTEN_PORT") 834 listenPort := os.Getenv("LISTEN_PORT")
835 exportAllForwardedHostsStr := os.Getenv("EXPORT_ALL_FORWARDED_HOSTS")
824 836
825 listenAddr := net.JoinHostPort(listenHost, listenPort) 837 listenAddr := net.JoinHostPort(listenHost, listenPort)
838 exportAllForwardedHosts := strings.Split(exportAllForwardedHostsStr, ",")
826 839
827 if gitolitePath == "" { 840 if gitolitePath == "" {
828 gitolitePath = "gitolite" 841 gitolitePath = "gitolite"
@@ -879,7 +892,7 @@ func main() {
879 die("Fatal: failed to create S3 client: %s", err) 892 die("Fatal: failed to create S3 client: %s", err)
880 } 893 }
881 894
882 h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL} 895 h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL, exportAllForwardedHosts}
883 if err = http.ListenAndServe(listenAddr, h); err != nil { 896 if err = http.ListenAndServe(listenAddr, h); err != nil {
884 die("Fatal: failed to serve CGI: %s", err) 897 die("Fatal: failed to serve CGI: %s", err)
885 } 898 }
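Review bot: The early `return true` added at new lines 570-578 of authorizeBatchAPI authorizes every download based only on the `X-Forwarded-Host` request header, which is client-supplied unless a trusted reverse proxy in front of this server overwrites or strips it. Because the branch runs before the `Authorization` handling and skips the Gitolite ownership check, the deployment assumption should be stated where the decision is made, for example `// SECURITY: X-Forwarded-Host is only trustworthy when this server is reachable solely through a reverse proxy that overwrites the header; otherwise any client can claim an export-all host.` In main, `strings.Split` on an unset `EXPORT_ALL_FORWARDED_HOSTS` yields a one-element slice holding the empty string, so the `forwardedHost != ""` guard is what keeps an unconfigured server from matching. That dependency deserves a comment, and the entries are not trimmed, so a value written as `a, b` would not match `b`. The body of authorizeBatchAPI starts and ends outside the hunk, so whether the listener is restricted to proxy traffic elsewhere cannot be seen from here.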