From eca82164d36504fb4dad9b6e0d62eef11d2a4aaf Mon Sep 17 00:00:00 2001
From: Pedro Alvarez <pedro.alvarez@codethink.co.uk>
Date: Mon, 9 Nov 2015 16:54:30 +0000
Subject: lighttpd: Only require HTTPS authentication for Gitano URLs

Previously the whole of git.baserock.org was effectively inaccessible
over HTTPS, because it would require a username and password for all
HTTPS requests. This was done to ensure that we don't make Trove
"insecure by default" by allowing access to hidden repos over anonymous
HTTPS.

Firstly, we only need to require auth for the actual Gitano URLs. The
other ones (cgit, lc-status.html, releases) are identical over HTTP and
HTTPS anyway, so there's no point in hiding them on one protocol but not
the other.

Also, I have now verified that Gitano's CGI scripts authenticate based
on the REMOTE_USER variable set by mod_auth, and if this isn't set they
treat the request as anonymous and correctly deny any requests that
the anonymous user doesn't have permissions for. This is noted in a
comment.

The behaviour of Gitano-over-HTTPS in Trove should be completely
unchanged by this commit, however.

Change-Id: Ie5dbc3bd3ab8d37ef3e5c08c9541c571944e1f58
---
 .../trove-setup/templates/lighttpd/git-httpd.conf  | 33 +++++++++++++---------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
index f2d61c9..be51358 100644
--- a/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
+++ b/ansible/roles/trove-setup/templates/lighttpd/git-httpd.conf
@@ -26,8 +26,8 @@ $SERVER["socket"] == ":443" {
 index-file.names = ("index.html")
 
 cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
-	"gitano-smart-http.cgi" => "/usr/bin/lua5.1",
-	"cgit.cgi" => ""
+        "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+        "cgit.cgi" => ""
 )
 cgi.execute-x-only = "enable"
 
@@ -48,6 +48,15 @@ $HTTP["url"] =~ ".*/gitano-command.cgi$" {
                 "HOME" => "/home/git",
                 "GITANO_ROOT" => "/home/git/repos"
         )
+
+        $HTTP["scheme"] == "https" {
+                # gitano-command.cgi controls access over HTTP[S] according to
+                # the REMOTE_USER variable set by mod_auth and passed through
+                # the environment. If the web server doesn't set REMOTE_USER,
+                # then Gitano will treat the request as anonymous and deny
+                # access appropriately.
+                include "git-auth.conf"
+        }
 }
 
 $HTTP["url"] =~ "^/git/.*$" {
@@ -60,6 +69,15 @@ $HTTP["url"] =~ "^/git/.*$" {
                 "HOME" => "/home/git",
                 "GITANO_ROOT" => "/home/git/repos"
         )
+
+        $HTTP["scheme"] == "https" {
+                # gitano-smart-http.cgi controls access over HTTP[S] according to
+                # the REMOTE_USER variable set by mod_auth and passed through
+                # the environment. If the web server doesn't set REMOTE_USER,
+                # then Gitano will treat the request as anonymous and deny
+                # access appropriately.
+                include "git-auth.conf"
+        }
 }
 
 # Avoid needlessly long cgit URLs. This must correspond with the
@@ -75,14 +93,3 @@ $HTTP["url"] =~ "^/(baserock|delta)(/.*)?$" {
     url.redirect = ( "^/(.*)" => "/cgit/$1" )
 }
 
-$HTTP["scheme"] == "https" {
-        include "git-auth.conf"
-
-        $HTTP["querystring"] =~ "service=git-receive-pack" {
-                include "git-auth.conf"
-        }
-
-        $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
-                include "git-auth.conf"
-        }
-}
-- 
cgit v1.2.1