[PATCH] Implement ACL module architecture and sample MySQL ACL module

[PATCH] Implement ACL module architecture and sample MySQL ACL module

[Michal Novotny]

Hi,
this is the patch to introduce the ACL module architecture into git
versioning system. The variable of GIT_BASE_DIR is being used to seek
for the modules if available. If variable is unset then daemon looks
for the /etc/git-daemon.conf file existence and reads the
'base_path' key if it exists to determine the root path for
the git-daemon. This will be referred to as to $GIT_BASE_DIR
directory and the ACL modules subdirectory should reside in path of
$GIT_BASE_DIR/modules/acl. For MySQL connection you have to
alter the modules/config/modgitacl_mysql.cfg file to be able
to connect to the MySQL server using your credentials.

For MySQL database connection 2 new tables will get created
on your server and in the desired database. One holds the
ACLs for IP addresses and repositories and the second is
optional logging to the history table. This is by default
disabled however it could be enabled by setting the "log_history"
column of the git_access_acl entry to 1.

The patch also introduces the global_access_rule key to the config
which defines the default access policy if address and repository
key combination doesn't exist in the database. This automatically
creates the default access rule for the repository (which is
basically an entry with addr field set to '%' as all possible
entries in this column) based on the key settings.

The search algorithm for the entries is as follows:
1) Try to find the default entry for the repository
   - If default entry doesn't exist then create it based on the
     global_access_rule key settings (if set and valid)
2) Try to find entry for repository and IP address to override
   default settings
3) Log entries access if appropriate

If the new default access rule is being created then logging is
enabled for 'deny' global_access_rule and disabled for 'allow'
global_access_rule settings.

The MySQL module is just the working example of how to use the
ACL architecture so it's not being compiled by default and user
has to compile it manually. Basically this module is showing how
git ACL infrastructure works and it's good point to start writing
such modules.

The patch has been tested using following command line on one terminal:

$ make && (cd modules/acl && make && cd -) && GIT_BASE_DIR=`pwd` ./git-daemon --export-all

and cloning the existing repository on the second terminal with testing
all possible options in the database (using the sample MySQL module)
and everything was working fine.

Thanks,
Michal

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 Makefile                           |   1 +
 daemon.c                           | 123 +++++++++++++++++++++
 modules/acl/Makefile               |   6 ++
 modules/acl/modgitacl_mysql.c      | 211 +++++++++++++++++++++++++++++++++++++
 modules/config/modgitacl_mysql.cfg |  12 +++
 modules/modules.h                  |   9 ++
 6 files changed, 362 insertions(+)
 create mode 100644 modules/acl/Makefile
 create mode 100644 modules/acl/modgitacl_mysql.c
 create mode 100644 modules/config/modgitacl_mysql.cfg
 create mode 100644 modules/modules.h

diff --git a/Makefile b/Makefile
index 6b0c961..6fe32a7 100644
--- a/Makefile
+++ b/Makefile
@@ -932,6 +932,7 @@ ifeq ($(uname_S),OSF1)
 	NO_NSEC = YesPlease
 endif
 ifeq ($(uname_S),Linux)
+	BASIC_CFLAGS += -ldl -rdynamic
 	NO_STRLCPY = YesPlease
 	NO_MKSTEMPS = YesPlease
 	HAVE_PATHS_H = YesPlease
diff --git a/daemon.c b/daemon.c
index ab21e66..8a06c05 100644
--- a/daemon.c
+++ b/daemon.c
@@ -1,9 +1,14 @@
+#define	GIT_DAEMON_CONFIG_FILE			"/etc/git-daemon.conf"
+#define	GIT_DAEMON_CONFIG_FILE_PATH_KEY		"base_path"
+#define	BUFSIZE					1 << 12
+
 #include "cache.h"
 #include "pkt-line.h"
 #include "exec_cmd.h"
 #include "run-command.h"
 #include "strbuf.h"
 #include "string-list.h"
+#include "modules/modules.h"
 
 #ifndef HOST_NAME_MAX
 #define HOST_NAME_MAX 256
@@ -256,6 +261,117 @@ static int daemon_error(const char *dir, const char *msg)
 	return -1;
 }
 
+static char* daemon_read_config(const char *filename, char *key)
+{
+	FILE *fp;
+	char line[BUFSIZE];
+
+	fp = fopen(filename, "r");
+	if (fp == NULL)
+		return NULL;
+
+	while (!feof(fp)) {
+		fgets(line, sizeof(line), fp);
+
+		if (strncmp(line, key, strlen(key)) == 0) {
+			return strdup( line + strlen(key) + 3 );
+		}
+	}
+	fclose(fp);
+
+	return NULL;
+}
+
+static int check_access_addrdir(char *libname, char *base_path, char *addr, const char *dir)
+{
+	int ret = -EPERM;
+	void *lib = NULL;
+	void *pCheck = NULL;
+	typedef int (*tCheckFunc) (char *base_path, char *addr, const char *dir);
+
+	lib = dlopen(libname, RTLD_LAZY);
+	if (lib == NULL) {
+		logerror("%s: Cannot load ACL library '%s'", __FUNCTION__, libname);
+		goto cleanup;
+	}
+
+	pCheck = dlsym(lib, "check_access_addrdir");
+	if (pCheck == NULL) {
+		logerror("%s: Cannot read check_access_addrdir symbol from ACL library %s",
+			__FUNCTION__, libname);
+		goto cleanup;
+	}
+
+	tCheckFunc fCheck = (tCheckFunc) pCheck;
+	if (fCheck == NULL)
+		goto cleanup;
+
+	ret = fCheck(base_path, addr, dir);
+
+	if (ret == -EINVAL) {
+		logerror("%s: Module '%s' complained about invalid parameters. Allowing access for now",
+			__FUNCTION__, libname);
+		ret = 0;
+		goto cleanup;
+	}
+
+cleanup:
+	if (lib != NULL)
+		dlclose(lib);
+
+	return ret;
+}
+
+static int check_access_by_all_modules(const char *dir)
+{
+	char fn[NAME_MAX+1];
+	char *directory = NULL;
+	char *daemon_path = NULL;
+	struct dirent *entry;
+	int ret = -EPERM;
+	DIR *d;
+	
+	if (getenv(GIT_BASE_DIR_ENVVAR_NAME) != NULL) {
+		daemon_path = strdup( getenv(GIT_BASE_DIR_ENVVAR_NAME) );
+		snprintf(fn, sizeof(fn), "%s/modules/acl", daemon_path);
+	}
+	else {
+		if (access(GIT_DAEMON_CONFIG_FILE, R_OK) == 0) {
+			if ((daemon_path = daemon_read_config(GIT_DAEMON_CONFIG_FILE,
+				GIT_DAEMON_CONFIG_FILE_PATH_KEY)) == NULL)
+				return daemon_error("Cannot read config file %s",
+							GIT_DAEMON_CONFIG_FILE);
+
+			TRIM_LAST_CHAR_RETURN(daemon_path);
+
+			snprintf(fn, sizeof(fn), "%s/modules/acl", daemon_path);
+		}
+		else {
+			logerror("%s: Cannot open module path. Please include '%s' key into '%s' file",
+					__FUNCTION__, GIT_DAEMON_CONFIG_FILE_PATH_KEY, GIT_DAEMON_CONFIG_FILE);
+			return 0;
+		}
+	}
+
+	directory = strdup(fn);
+
+	d = opendir(directory);
+	if (d == NULL)
+		return 0;
+
+	setenv(GIT_BASE_DIR_ENVVAR_NAME, directory, 1);
+	while ((entry = readdir(d)) != NULL) {
+		if (strstr(entry->d_name, ".so") != NULL) {
+			snprintf(fn, sizeof(fn), "%s/%s", directory, entry->d_name);
+			if ((ret = check_access_addrdir(fn, daemon_path, getenv("REMOTE_ADDR"), dir)) < 0)
+				break;
+		}
+	}
+
+	closedir(d);
+	return ret;
+}
+
 static int run_service(char *dir, struct daemon_service *service)
 {
 	const char *path;
@@ -289,6 +405,13 @@ static int run_service(char *dir, struct daemon_service *service)
 		return daemon_error(dir, "repository not exported");
 	}
 
+	/* Address-based and repository-based access */
+	if (check_access_by_all_modules( dir ) != 0) {
+		logerror("'%s': repository access denied", path);
+		errno = EACCES;
+		return daemon_error(dir, "repository access denied");
+	}
+
 	if (service->overridable) {
 		service_looking_at = service;
 		service_enabled = -1;
diff --git a/modules/acl/Makefile b/modules/acl/Makefile
new file mode 100644
index 0000000..2b5cd7e
--- /dev/null
+++ b/modules/acl/Makefile
@@ -0,0 +1,6 @@
+all:	gitacl_mysql
+
+gitacl_mysql:
+	$(CC) -c -fPIC modgitacl_mysql.c
+	$(CC) -shared -fPIC -o modgitacl_mysql.so modgitacl_mysql.o `mysql_config --libs` `mysql_config --cflags`
+	rm -f modgitacl_mysql.o
diff --git a/modules/acl/modgitacl_mysql.c b/modules/acl/modgitacl_mysql.c
new file mode 100644
index 0000000..f58eeba
--- /dev/null
+++ b/modules/acl/modgitacl_mysql.c
@@ -0,0 +1,211 @@
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <mysql/mysql.h>
+#include "../modules.h"
+
+#define BUFSIZE		1 << 13
+#define DEFAULT_TABLE_ACL	"git_access_acl"
+#define DEFAULT_TABLE_HISTORY	"git_access_history"
+#define CONFIG_FILE		"modgitacl_mysql.cfg"
+
+#define	REPO_ACCESS_UNSET	0x00
+#define	REPO_ACCESS_UNKNOWN	0x01
+#define	REPO_ACCESS_ALLOW	0x02
+#define	REPO_ACCESS_DENY	0x04
+
+char	*base_path = NULL;
+int	globalRepositoryAccess = REPO_ACCESS_UNSET;
+
+/* MySQL Database related settings */
+char	*server = NULL;
+char	*username = NULL;
+char	*password = NULL;
+char	*database = NULL;
+char	*table_acl = NULL;
+char	*table_history = NULL;
+
+int ensure_table_exists(MYSQL sql)
+{
+	char qry[BUFSIZE];
+
+	/* Ensure ACL table existence */
+	snprintf(qry, sizeof(qry), "CREATE TABLE IF NOT EXISTS %s (id int(11) AUTO_INCREMENT, addr varchar(128) NOT NULL, repository varchar(255) NOT NULL, "
+					"enabled tinyint(1) NOT NULL DEFAULT '1',  log_history tinyint(1) NOT NULL DEFAULT '0', added timestamp NOT NULL "
+					"DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (id))",
+					table_acl ? table_acl : DEFAULT_TABLE_ACL);
+
+	mysql_real_query(&sql, qry, strlen(qry));
+
+	/* Ensure history table existence */
+	snprintf(qry, sizeof(qry), "CREATE TABLE IF NOT EXISTS %s (id int(11) AUTO_INCREMENT, addr varchar(128) NOT NULL, repository varchar(255) NOT NULL, "
+					" granted tinyint(1) NOT NULL, time timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (id))",
+					table_history ? table_history : DEFAULT_TABLE_HISTORY);
+
+	mysql_real_query(&sql, qry, strlen(qry));
+}
+
+int load_mysql_settings()
+{
+	char cfgfile[BUFSIZE];
+	char line[BUFSIZE];
+	FILE *fp;
+
+	if (base_path == NULL)
+		return -EINVAL;
+
+	snprintf(cfgfile, sizeof(cfgfile), "%s/modules/config/%s", base_path, CONFIG_FILE);
+	fp = fopen(cfgfile, "r");
+	if (fp == NULL)
+		return -EPERM;
+
+	while (!feof(fp)) {
+		fgets(line, sizeof(line), fp);
+
+		if (strncmp(line, "Server = ", 9) == 0)
+			server = strdup( line + 9 );
+		else
+		if (strncmp(line, "Username = ", 11) == 0)
+			username = strdup( line + 11 );
+		else
+		if (strncmp(line, "Password = ", 11) == 0)
+			password = strdup( line + 11 );
+		else
+		if (strncmp(line, "Database = ", 11) == 0)
+			database = strdup( line + 11 );
+		else
+		if (strncmp(line, "Table_acl = ", 12) == 0)
+			table_acl = strdup( line + 12 );
+		else
+		if (strncmp(line, "Table_history = ", 16) == 0)
+			table_history = strdup( line + 16 );
+		else
+		if (strncmp(line, "Global_access_rule = ", 21) == 0) {
+			char *tmp = strdup( line + 21 );
+
+			if (strncmp(tmp, "allow", 5) == 0)
+				globalRepositoryAccess = REPO_ACCESS_ALLOW;
+			else
+			if (strncmp(tmp, "deny", 4) == 0)
+				globalRepositoryAccess = REPO_ACCESS_DENY;
+			else
+				globalRepositoryAccess = REPO_ACCESS_UNKNOWN;
+
+			free(tmp);
+		}
+	}
+	fclose(fp);
+
+	TRIM_LAST_CHAR_RETURN(server);
+	TRIM_LAST_CHAR_RETURN(username);
+	TRIM_LAST_CHAR_RETURN(password);
+	TRIM_LAST_CHAR_RETURN(database);
+	TRIM_LAST_CHAR_RETURN(table_acl);
+	TRIM_LAST_CHAR_RETURN(table_history);
+
+	return 0;
+}
+
+void free_all(void)
+{
+	free(server);
+	free(username);
+	free(password);
+	free(database);
+	free(table_acl);
+	free(table_history);
+
+	server = NULL;
+	username = NULL;
+	password = NULL;
+	database = NULL;
+	table_acl = NULL;
+	table_history = NULL;
+}
+
+int check_access_addrdir(char *daemon_base_path, char *addr, char *dir)
+{
+	MYSQL sql;
+	MYSQL_RES *res;
+	MYSQL_ROW row;
+	int ret = 0;
+	int log = 0;
+	char qry[BUFSIZE];
+
+	base_path = (daemon_base_path ? daemon_base_path : getenv(GIT_BASE_DIR_ENVVAR_NAME));
+	if (base_path == NULL)
+		return ret;
+
+	if (mysql_init(&sql) == NULL)
+		return ret;
+
+	if (load_mysql_settings() != 0)
+		goto cleanup;
+
+	if (globalRepositoryAccess == REPO_ACCESS_UNKNOWN) {
+		ret = -EINVAL;
+		goto cleanup;
+	}
+
+	if (!mysql_real_connect(&sql, server, username, password, database, 0, NULL, 0))
+		return ret;
+
+	ensure_table_exists(sql);
+
+	/* Check the default settings for repository */
+	snprintf(qry, sizeof(qry), "SELECT enabled, log_history FROM %s WHERE addr = '%%' AND repository = '%s'",
+				table_acl ? table_acl : DEFAULT_TABLE_ACL, dir);
+
+	if (mysql_real_query(&sql, qry, strlen(qry)) != 0)
+		goto cleanup;
+
+	res = mysql_store_result(&sql);
+	if (mysql_num_rows(res) > 0) {
+		row = mysql_fetch_row(res);
+		ret = (atoi(row[0]) == 1) ? 0 : -EPERM;
+		log = atoi(row[1]);
+	}
+	else
+	if (globalRepositoryAccess != REPO_ACCESS_UNSET) {
+		snprintf(qry, sizeof(qry), "INSERT INTO %s(addr, repository, enabled, log_history) VALUES('%%', '%s', %d, %d)",
+			table_acl ? table_acl : DEFAULT_TABLE_ACL, dir,
+			(globalRepositoryAccess == REPO_ACCESS_ALLOW),
+			(globalRepositoryAccess == REPO_ACCESS_DENY));
+
+		mysql_real_query(&sql, qry, strlen(qry));
+
+		ret = (globalRepositoryAccess == REPO_ACCESS_ALLOW) ? 0 : -EPERM;
+		log = (ret < 0);
+	}
+	mysql_free_result(res);
+
+	/* Check the settings for IP address of access */
+	snprintf(qry, sizeof(qry), "SELECT enabled, log_history FROM %s WHERE addr = '%s' AND repository = '%s'",
+				table_acl ? table_acl : DEFAULT_TABLE_ACL, addr, dir);
+
+	if (mysql_real_query(&sql, qry, strlen(qry)) != 0)
+		goto cleanup;
+
+	res = mysql_store_result(&sql);
+	if (mysql_num_rows(res) > 0) {
+		row = mysql_fetch_row(res);
+		ret = (atoi(row[0]) == 1) ? 0 : -EPERM;
+		log = atoi(row[1]);
+	}
+	mysql_free_result(res);
+
+	/* If logging is enabled then log to the history table */
+	if (log) {
+		snprintf(qry, sizeof(qry), "INSERT INTO %s(addr, repository, granted) VALUES('%s', '%s', %d)",
+				table_history ? table_history : DEFAULT_TABLE_HISTORY, addr, dir, (ret == 0) ? 1 : 0);
+		mysql_real_query(&sql, qry, strlen(qry));
+	}
+
+cleanup:
+	free_all();
+	mysql_close(&sql);
+
+	return ret;
+}
+
diff --git a/modules/config/modgitacl_mysql.cfg b/modules/config/modgitacl_mysql.cfg
new file mode 100644
index 0000000..e371f4e
--- /dev/null
+++ b/modules/config/modgitacl_mysql.cfg
@@ -0,0 +1,12 @@
+# MySQL server settings
+Server = <server>
+Username = <username>
+Password = <password>
+Database = <database>
+
+# Table names, those are default values
+Table_acl = git_access_acl
+Table_history = git_access_history
+
+# Global access rule can be only 'allow' or 'deny'
+Global_access_rule = allow
diff --git a/modules/modules.h b/modules/modules.h
new file mode 100644
index 0000000..54c61dd
--- /dev/null
+++ b/modules/modules.h
@@ -0,0 +1,9 @@
+#ifndef GIT_MODULES
+#define GIT_MODULES
+
+#include <dlfcn.h>
+#define GIT_BASE_DIR_ENVVAR_NAME	"GIT_BASE_DIR"
+#define TRIM_LAST_CHAR(x)		x[ strlen(x) - 1 ] = 0;
+#define TRIM_LAST_CHAR_RETURN(x)	if (x[strlen(x)-1] == '\n') x[ strlen(x) - 1 ] = 0;
+
+#endif
-- 
1.7.11.2

Re: [PATCH] Implement ACL module architecture and sample MySQL ACL module

[Junio C Hamano]

Michal Novotny <minovotn@redhat.com> writes:

> Hi,
> this is the patch to introduce the ACL module architecture into git
> versioning system.

No, it doesn't.  It adds something only to "git daemon", but does
not affect any other uses of Git.

    Side note: I am not saying other uses of Git must be ACL
    controlled by MySQL database.  They shouldn't be.  I am only
    saying that the proposed commit log message must match what the
    change does.

Please familiarize yourself with Documentation/SubmittingPatches
first, and then imitate the style in existing commits in the history
and posted patches by the "good" developers (you can tell who they
are by observing the list traffic for a few weeks), by the way.

As "git daemon" already has a mechanism to specify what repositories
are served with whitelist or blacklist, I am not sure if this patch
adds enough value to the system to make us want to add further
complexity only to carry more code to be audited for security.

Opinions?

Re: [PATCH] Implement ACL module architecture and sample MySQL ACL module

[Shawn Pearce]

On Tue, Aug 14, 2012 at 9:12 AM, Junio C Hamano <gitster@pobox.com> wrote:
> Michal Novotny <minovotn@redhat.com> writes:
>
>> Hi,
>> this is the patch to introduce the ACL module architecture into git
>> versioning system.
>
> No, it doesn't.  It adds something only to "git daemon", but does
> not affect any other uses of Git.

Yes, this part of the commit message also confused me until I read
through the patch further. :-(

>     Side note: I am not saying other uses of Git must be ACL
>     controlled by MySQL database.  They shouldn't be.  I am only
>     saying that the proposed commit log message must match what the
>     change does.
>
> Please familiarize yourself with Documentation/SubmittingPatches
> first, and then imitate the style in existing commits in the history
> and posted patches by the "good" developers (you can tell who they
> are by observing the list traffic for a few weeks), by the way.
>
> As "git daemon" already has a mechanism to specify what repositories
> are served with whitelist or blacklist, I am not sure if this patch
> adds enough value to the system to make us want to add further
> complexity only to carry more code to be audited for security.
>
> Opinions?

Traditionally Git has been about providing the plumbing to handle the
protocol and storage, and other tools that wrap git manage access
controls, e.g. UNIX filesystem or gitolite. I would strongly prefer to
keep that arrangement.

Parsing the request line of git-daemon is easy. But we could make it
easier. An alternative arrangement would be to add a new command line
flag to git daemon like --command-filter that names an executable
git-daemon will invoke after parsing the request line. It can pass
along the client IP address, command request, repository name, and
resolved repository path, and tie stdin/stdout to the client. This
binary can decide to exec the proper git binary for the named command,
or just exit to disconnect the client and refuse service. This makes
it simple for a tool like gitolite to plug into the git-daemon
authorization path, without needing to be the network daemon itself,
worry about number of active connection slots, etc.

Re: [PATCH] Implement ACL module architecture and sample MySQL ACL module

[Junio C Hamano]

Shawn Pearce <spearce@spearce.org> writes:

> Parsing the request line of git-daemon is easy. But we could make it
> easier. An alternative arrangement would be to add a new command line
> flag to git daemon like --command-filter that names an executable
> git-daemon will invoke after parsing the request line. It can pass
> along the client IP address, command request, repository name, and
> resolved repository path, and tie stdin/stdout to the client. This
> binary can decide to exec the proper git binary for the named command,
> or just exit to disconnect the client and refuse service. This makes
> it simple for a tool like gitolite to plug into the git-daemon
> authorization path, without needing to be the network daemon itself,
> worry about number of active connection slots, etc.

I think that is a good direction to go in, except that I am unsure
what kind of conversation do you want to allow between the "command
filter" helper and the client by exposing standard input and output
stream to to the helper.  If the client side has a matching "pre
negotiate command" helper support, then presumably the helpers can
discuss what Git protocol proper does not care about before deciding
to allow the connection go through, but until that happens, opening
the stdio streams up to the helper sounds like an accident waiting
to happen to me (e.g. "fetch-pack" connects, the server side helper
reads the first pkt-line from the client, says "OK, you may proceed"
to the daemon, then the daemon spawns the "upload-pack", which will
obviously see a corrupt request stream from "fetch-pack").

Re: [PATCH] Implement ACL module architecture and sample MySQL ACL module

[Shawn Pearce]

On Tue, Aug 14, 2012 at 10:06 AM, Junio C Hamano <gitster@pobox.com> wrote:
> Shawn Pearce <spearce@spearce.org> writes:
>
>> Parsing the request line of git-daemon is easy. But we could make it
>> easier. An alternative arrangement would be to add a new command line
>> flag to git daemon like --command-filter that names an executable
>> git-daemon will invoke after parsing the request line. It can pass
>> along the client IP address, command request, repository name, and
>> resolved repository path, and tie stdin/stdout to the client. This
>> binary can decide to exec the proper git binary for the named command,
>> or just exit to disconnect the client and refuse service. This makes
>> it simple for a tool like gitolite to plug into the git-daemon
>> authorization path, without needing to be the network daemon itself,
>> worry about number of active connection slots, etc.
>
> I think that is a good direction to go in, except that I am unsure
> what kind of conversation do you want to allow between the "command
> filter" helper and the client by exposing standard input and output
> stream to to the helper.

Sorry, I was thinking the helper would exec the git command, and thus
pass along the stdin/stdout socket.

>  If the client side has a matching "pre
> negotiate command" helper support, then presumably the helpers can
> discuss what Git protocol proper does not care about before deciding
> to allow the connection go through, but until that happens, opening
> the stdio streams up to the helper sounds like an accident waiting
> to happen to me (e.g. "fetch-pack" connects, the server side helper
> reads the first pkt-line from the client, says "OK, you may proceed"
> to the daemon, then the daemon spawns the "upload-pack", which will
> obviously see a corrupt request stream from "fetch-pack").

But seeing this, yes, that is a bad idea. Better to treat that like a
hook, where exit status 0 allows the connection to continue, and exit
status non-zero causes the connection to be closed. Maybe with an
error printed to stderr (if any) being echoed first to the client if
possible using the ERR formatting notation.

Re: [PATCH] Implement ACL module architecture and sample MySQL ACL module

[Junio C Hamano]

Shawn Pearce <spearce@spearce.org> writes:

> But seeing this, yes, that is a bad idea. Better to treat that like a
> hook, where exit status 0 allows the connection to continue, and exit
> status non-zero causes the connection to be closed. Maybe with an
> error printed to stderr (if any) being echoed first to the client if
> possible using the ERR formatting notation.

Yeah, note that we can only give a single "ERR " line, though.

Something like this?  Totally untested, of course ;-)

 daemon.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/daemon.c b/daemon.c
index ab21e66..41a9679 100644
--- a/daemon.c
+++ b/daemon.c
@@ -30,6 +30,7 @@ static const char daemon_usage[] =
 "           [--interpolated-path=<path>]\n"
 "           [--reuseaddr] [--pid-file=<file>]\n"
 "           [--(enable|disable|allow-override|forbid-override)=<service>]\n"
+"           [--access-hook=<path>]\n"
 "           [--inetd | [--listen=<host_or_ipaddr>] [--port=<n>]\n"
 "                      [--detach] [--user=<user> [--group=<group>]]\n"
 "           [<directory>...]";
@@ -256,6 +257,73 @@ static int daemon_error(const char *dir, const char *msg)
 	return -1;
 }
 
+static char *access_hook;
+
+static int run_access_hook(struct daemon_service *service, const char *dir, const char *path)
+{
+	struct child_process child;
+	struct strbuf buf = STRBUF_INIT;
+	const char *argv[8];
+	const char **arg = argv;
+	char *eol;
+	int seen_errors = 0;
+
+#define STRARG(x) ((x) ? (x) : "")
+	*arg++ = access_hook;
+	*arg++ = service->name;
+	*arg++ = path;
+	*arg++ = STRARG(hostname);
+	*arg++ = STRARG(canon_hostname);
+	*arg++ = STRARG(ip_address);
+	*arg++ = STRARG(tcp_port);
+	*arg = NULL;
+#undef STRARG
+
+	memset(&child, 0, sizeof(child));
+	child.use_shell = 1;
+	child.argv = argv;
+	child.no_stdin = 1;
+	child.no_stderr = 1;
+	child.out = -1;
+	if (start_command(&child)) {
+		logerror("daemon access hook '%s' failed to start",
+			 access_hook);
+		goto error_return;
+	}
+	if (strbuf_read(&buf, child.out, 0) < 0) {
+		logerror("failed to read from pipe to daemon access hook '%s'",
+			 access_hook);
+		strbuf_reset(&buf);
+		seen_errors = 1;
+	}
+	if (close(child.out) < 0) {
+		logerror("failed to close pipe to daemon access hook '%s'",
+			 access_hook);
+		seen_errors = 1;
+	}
+	if (finish_command(&child) < 0) {
+		logerror("failed to finish-command daemon access hook '%s'",
+			 access_hook);
+		seen_errors = 1;
+	}
+	if (!seen_errors) {
+		strbuf_release(&buf);
+		return 0;
+	}
+
+error_return:
+	strbuf_ltrim(&buf);
+	if (!buf.len)
+		strbuf_addstr(&buf, "service rejected");
+	eol = strchr(buf.buf, '\n');
+	if (eol)
+		*eol = '\0';
+	errno = EACCES;
+	daemon_error(dir, buf.buf);
+	strbuf_release(&buf);
+	return -1;
+}
+
 static int run_service(char *dir, struct daemon_service *service)
 {
 	const char *path;
@@ -304,6 +372,13 @@ static int run_service(char *dir, struct daemon_service *service)
 	}
 
 	/*
+	 * Optionally, a hook can choose to deny access to the
+	 * repository depending on the phase of the moon.
+	 */
+	if (access_hook && run_access_hook(service, dir, path))
+		return -1;
+
+	/*
 	 * We'll ignore SIGTERM from now on, we have a
 	 * good client.
 	 */
@@ -1142,6 +1217,10 @@ int main(int argc, char **argv)
 			export_all_trees = 1;
 			continue;
 		}
+		if (!prefixcmp(arg, "--access-hook=")) {
+			access_hook = arg + 14;
+			continue;
+		}
 		if (!prefixcmp(arg, "--timeout=")) {
 			timeout = atoi(arg+10);
 			continue;

[PATCH] daemon: --access-hook option

[Junio C Hamano]

The --access-hook option to "git daemon" specifies an external
command to be run every time a client connects, with

 - service name (e.g. "upload-pack", etc.),
 - path to the repository,
 - hostname (%H),
 - canonical hostname (%CH),
 - ip address (%IP),
 - tcp port (%P)

as its command line arguments.  The external command can decide to
decline the service by exiting with a non-zero status (or to allow it
by exiting with a zero status).  It can also look at the $REMOTE_ADDR
and $REMOTE_PORT environment variables to learn about the requestor
when making this decision.

The external command can optionally write a single line to its
standard output to be sent to the requestor as an error message when
it declines the service.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---

 * This time, minimally tested, with a documentation update.

 Documentation/git-daemon.txt | 16 +++++++++
 daemon.c                     | 77 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)

diff --git a/Documentation/git-daemon.txt b/Documentation/git-daemon.txt
index 31b28fc..c3ba4d7 100644
--- a/Documentation/git-daemon.txt
+++ b/Documentation/git-daemon.txt
@@ -16,6 +16,7 @@ SYNOPSIS
 	     [--reuseaddr] [--detach] [--pid-file=<file>]
 	     [--enable=<service>] [--disable=<service>]
 	     [--allow-override=<service>] [--forbid-override=<service>]
+	     [--access-hook=<path>]
 	     [--inetd | [--listen=<host_or_ipaddr>] [--port=<n>] [--user=<user> [--group=<group>]]
 	     [<directory>...]
 
@@ -171,6 +172,21 @@ the facility of inet daemon to achieve the same before spawning
 	errors are not enabled, all errors report "access denied" to the
 	client. The default is --no-informative-errors.
 
+--access-hook=<path>::
+	Every time a client connects, first run an external command
+	specified by the <path> with service name (e.g. "upload-pack"),
+	path to the repository, hostname (%H), canonical hostname
+	(%CH), ip address (%IP), and tcp port (%P) as its command line
+	arguments. The external command can decide to decline the
+	service by exiting with a non-zero status (or to allow it by
+	exiting with a zero status).  It can also look at the $REMOTE_ADDR
+	and $REMOTE_PORT environment variables to learn about the
+	requestor when making this decision.
++
+The external command can optionally write a single line to its
+standard output to be sent to the requestor as an error message when
+it declines the service.
+
 <directory>::
 	A directory to add to the whitelist of allowed directories. Unless
 	--strict-paths is specified this will also include subdirectories
diff --git a/daemon.c b/daemon.c
index ab21e66..4602b46 100644
--- a/daemon.c
+++ b/daemon.c
@@ -30,6 +30,7 @@ static const char daemon_usage[] =
 "           [--interpolated-path=<path>]\n"
 "           [--reuseaddr] [--pid-file=<file>]\n"
 "           [--(enable|disable|allow-override|forbid-override)=<service>]\n"
+"           [--access-hook=<path>]\n"
 "           [--inetd | [--listen=<host_or_ipaddr>] [--port=<n>]\n"
 "                      [--detach] [--user=<user> [--group=<group>]]\n"
 "           [<directory>...]";
@@ -256,6 +257,71 @@ static int daemon_error(const char *dir, const char *msg)
 	return -1;
 }
 
+static char *access_hook;
+
+static int run_access_hook(struct daemon_service *service, const char *dir, const char *path)
+{
+	struct child_process child;
+	struct strbuf buf = STRBUF_INIT;
+	const char *argv[8];
+	const char **arg = argv;
+	char *eol;
+	int seen_errors = 0;
+
+#define STRARG(x) ((x) ? (x) : "")
+	*arg++ = access_hook;
+	*arg++ = service->name;
+	*arg++ = path;
+	*arg++ = STRARG(hostname);
+	*arg++ = STRARG(canon_hostname);
+	*arg++ = STRARG(ip_address);
+	*arg++ = STRARG(tcp_port);
+	*arg = NULL;
+#undef STRARG
+
+	memset(&child, 0, sizeof(child));
+	child.use_shell = 1;
+	child.argv = argv;
+	child.no_stdin = 1;
+	child.no_stderr = 1;
+	child.out = -1;
+	if (start_command(&child)) {
+		logerror("daemon access hook '%s' failed to start",
+			 access_hook);
+		goto error_return;
+	}
+	if (strbuf_read(&buf, child.out, 0) < 0) {
+		logerror("failed to read from pipe to daemon access hook '%s'",
+			 access_hook);
+		strbuf_reset(&buf);
+		seen_errors = 1;
+	}
+	if (close(child.out) < 0) {
+		logerror("failed to close pipe to daemon access hook '%s'",
+			 access_hook);
+		seen_errors = 1;
+	}
+	if (finish_command(&child))
+		seen_errors = 1;
+
+	if (!seen_errors) {
+		strbuf_release(&buf);
+		return 0;
+	}
+
+error_return:
+	strbuf_ltrim(&buf);
+	if (!buf.len)
+		strbuf_addstr(&buf, "service rejected");
+	eol = strchr(buf.buf, '\n');
+	if (eol)
+		*eol = '\0';
+	errno = EACCES;
+	daemon_error(dir, buf.buf);
+	strbuf_release(&buf);
+	return -1;
+}
+
 static int run_service(char *dir, struct daemon_service *service)
 {
 	const char *path;
@@ -304,6 +370,13 @@ static int run_service(char *dir, struct daemon_service *service)
 	}
 
 	/*
+	 * Optionally, a hook can choose to deny access to the
+	 * repository depending on the phase of the moon.
+	 */
+	if (access_hook && run_access_hook(service, dir, path))
+		return -1;
+
+	/*
 	 * We'll ignore SIGTERM from now on, we have a
 	 * good client.
 	 */
@@ -1142,6 +1215,10 @@ int main(int argc, char **argv)
 			export_all_trees = 1;
 			continue;
 		}
+		if (!prefixcmp(arg, "--access-hook=")) {
+			access_hook = arg + 14;
+			continue;
+		}
 		if (!prefixcmp(arg, "--timeout=")) {
 			timeout = atoi(arg+10);
 			continue;
-- 
1.7.12.rc2.85.g1de7134

Re: [PATCH] daemon: --access-hook option

[Shawn Pearce]

On Tue, Aug 14, 2012 at 10:12 PM, Junio C Hamano <gitster@pobox.com> wrote:
> The --access-hook option to "git daemon" specifies an external
> command to be run every time a client connects, with
>
>  - service name (e.g. "upload-pack", etc.),
>  - path to the repository,
>  - hostname (%H),
>  - canonical hostname (%CH),
>  - ip address (%IP),
>  - tcp port (%P)
>
> as its command line arguments.  The external command can decide to
> decline the service by exiting with a non-zero status (or to allow it
> by exiting with a zero status).  It can also look at the $REMOTE_ADDR
> and $REMOTE_PORT environment variables to learn about the requestor
> when making this decision.
>
> The external command can optionally write a single line to its
> standard output to be sent to the requestor as an error message when
> it declines the service.
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>

Thanks Junio, this looks like the best approach.

Acked-by: Shawn O. Pearce <spearce@spearce.org>

Re: [PATCH] daemon: --access-hook option

[Michal Novotny]

Right, this approach of having ACL using the --access-hook option looks
much better. At least you got inspired this could be useful for somebody ;-)

Michal

On 08/15/2012 07:12 AM, Junio C Hamano wrote:
> The --access-hook option to "git daemon" specifies an external
> command to be run every time a client connects, with
>
>  - service name (e.g. "upload-pack", etc.),
>  - path to the repository,
>  - hostname (%H),
>  - canonical hostname (%CH),
>  - ip address (%IP),
>  - tcp port (%P)
>
> as its command line arguments.  The external command can decide to
> decline the service by exiting with a non-zero status (or to allow it
> by exiting with a zero status).  It can also look at the $REMOTE_ADDR
> and $REMOTE_PORT environment variables to learn about the requestor
> when making this decision.
>
> The external command can optionally write a single line to its
> standard output to be sent to the requestor as an error message when
> it declines the service.
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
>
>  * This time, minimally tested, with a documentation update.
>
>  Documentation/git-daemon.txt | 16 +++++++++
>  daemon.c                     | 77 ++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 93 insertions(+)
>
> diff --git a/Documentation/git-daemon.txt b/Documentation/git-daemon.txt
> index 31b28fc..c3ba4d7 100644
> --- a/Documentation/git-daemon.txt
> +++ b/Documentation/git-daemon.txt
> @@ -16,6 +16,7 @@ SYNOPSIS
>  	     [--reuseaddr] [--detach] [--pid-file=<file>]
>  	     [--enable=<service>] [--disable=<service>]
>  	     [--allow-override=<service>] [--forbid-override=<service>]
> +	     [--access-hook=<path>]
>  	     [--inetd | [--listen=<host_or_ipaddr>] [--port=<n>] [--user=<user> [--group=<group>]]
>  	     [<directory>...]
>  
> @@ -171,6 +172,21 @@ the facility of inet daemon to achieve the same before spawning
>  	errors are not enabled, all errors report "access denied" to the
>  	client. The default is --no-informative-errors.
>  
> +--access-hook=<path>::
> +	Every time a client connects, first run an external command
> +	specified by the <path> with service name (e.g. "upload-pack"),
> +	path to the repository, hostname (%H), canonical hostname
> +	(%CH), ip address (%IP), and tcp port (%P) as its command line
> +	arguments. The external command can decide to decline the
> +	service by exiting with a non-zero status (or to allow it by
> +	exiting with a zero status).  It can also look at the $REMOTE_ADDR
> +	and $REMOTE_PORT environment variables to learn about the
> +	requestor when making this decision.
> ++
> +The external command can optionally write a single line to its
> +standard output to be sent to the requestor as an error message when
> +it declines the service.
> +
>  <directory>::
>  	A directory to add to the whitelist of allowed directories. Unless
>  	--strict-paths is specified this will also include subdirectories
> diff --git a/daemon.c b/daemon.c
> index ab21e66..4602b46 100644
> --- a/daemon.c
> +++ b/daemon.c
> @@ -30,6 +30,7 @@ static const char daemon_usage[] =
>  "           [--interpolated-path=<path>]\n"
>  "           [--reuseaddr] [--pid-file=<file>]\n"
>  "           [--(enable|disable|allow-override|forbid-override)=<service>]\n"
> +"           [--access-hook=<path>]\n"
>  "           [--inetd | [--listen=<host_or_ipaddr>] [--port=<n>]\n"
>  "                      [--detach] [--user=<user> [--group=<group>]]\n"
>  "           [<directory>...]";
> @@ -256,6 +257,71 @@ static int daemon_error(const char *dir, const char *msg)
>  	return -1;
>  }
>  
> +static char *access_hook;
> +
> +static int run_access_hook(struct daemon_service *service, const char *dir, const char *path)
> +{
> +	struct child_process child;
> +	struct strbuf buf = STRBUF_INIT;
> +	const char *argv[8];
> +	const char **arg = argv;
> +	char *eol;
> +	int seen_errors = 0;
> +
> +#define STRARG(x) ((x) ? (x) : "")
> +	*arg++ = access_hook;
> +	*arg++ = service->name;
> +	*arg++ = path;
> +	*arg++ = STRARG(hostname);
> +	*arg++ = STRARG(canon_hostname);
> +	*arg++ = STRARG(ip_address);
> +	*arg++ = STRARG(tcp_port);
> +	*arg = NULL;
> +#undef STRARG
> +
> +	memset(&child, 0, sizeof(child));
> +	child.use_shell = 1;
> +	child.argv = argv;
> +	child.no_stdin = 1;
> +	child.no_stderr = 1;
> +	child.out = -1;
> +	if (start_command(&child)) {
> +		logerror("daemon access hook '%s' failed to start",
> +			 access_hook);
> +		goto error_return;
> +	}
> +	if (strbuf_read(&buf, child.out, 0) < 0) {
> +		logerror("failed to read from pipe to daemon access hook '%s'",
> +			 access_hook);
> +		strbuf_reset(&buf);
> +		seen_errors = 1;
> +	}
> +	if (close(child.out) < 0) {
> +		logerror("failed to close pipe to daemon access hook '%s'",
> +			 access_hook);
> +		seen_errors = 1;
> +	}
> +	if (finish_command(&child))
> +		seen_errors = 1;
> +
> +	if (!seen_errors) {
> +		strbuf_release(&buf);
> +		return 0;
> +	}
> +
> +error_return:
> +	strbuf_ltrim(&buf);
> +	if (!buf.len)
> +		strbuf_addstr(&buf, "service rejected");
> +	eol = strchr(buf.buf, '\n');
> +	if (eol)
> +		*eol = '\0';
> +	errno = EACCES;
> +	daemon_error(dir, buf.buf);
> +	strbuf_release(&buf);
> +	return -1;
> +}
> +
>  static int run_service(char *dir, struct daemon_service *service)
>  {
>  	const char *path;
> @@ -304,6 +370,13 @@ static int run_service(char *dir, struct daemon_service *service)
>  	}
>  
>  	/*
> +	 * Optionally, a hook can choose to deny access to the
> +	 * repository depending on the phase of the moon.
> +	 */
> +	if (access_hook && run_access_hook(service, dir, path))
> +		return -1;
> +
> +	/*
>  	 * We'll ignore SIGTERM from now on, we have a
>  	 * good client.
>  	 */
> @@ -1142,6 +1215,10 @@ int main(int argc, char **argv)
>  			export_all_trees = 1;
>  			continue;
>  		}
> +		if (!prefixcmp(arg, "--access-hook=")) {
> +			access_hook = arg + 14;
> +			continue;
> +		}
>  		if (!prefixcmp(arg, "--timeout=")) {
>  			timeout = atoi(arg+10);
>  			continue;

-- 
Michal Novotny <minovotn@redhat.com>, RHCE, Red Hat
Virtualization | libvirt-php bindings | php-virt-control.org