[gotwebd] add respect_exportok flag to hide/dont expose some repositories

From:: Omar Polo <op@omarpolo.com>
Subject:: Re: [gotwebd] add respect_exportok flag to hide/dont expose some repositories
To:: Landry Breuil <landry@openbsd.org>
Cc:: gameoftrees@openbsd.org
Date:: Mon, 31 Oct 2022 16:04:19 +0100

Download raw body.

Thread

2022-10-31 13:54 Landry Breuil:
[gotwebd] add respect_exportok flag to hide/dont expose some repositories
- 2022-10-31 15:04 Omar Polo:
  [gotwebd] add respect_exportok flag to hide/dont expose some repositories
- - 2022-10-31 15:34 Landry Breuil:
    [gotwebd] add respect_exportok flag to hide/dont expose some repositories
  - - 2022-10-31 16:05 Omar Polo:
      [gotwebd] add respect_exportok flag to hide/dont expose some repositories

On 2022/10/31 14:54:16 +0100, Landry Breuil <landry@openbsd.org> wrote:
> Hi,
> 
> replacing my cgit install by gotwebd, got annoyed because by default
> gotwebd displays all repositories while cgitrc allows to list the
> repositories to display in the index.
> 
> discussing it with stsp@ we pondered about adding per-repo settings, but
> he suggested reusing the magic 'git-daemon-export-ok' file, that
> git-daemon checks for existence to figure out if it should export a
> repo.
> 
> so here's a diff that :
> - adds respect_exportok boolean flag to the config, defaulting to
>   false -> no change to existing configs needed
> - if the flag is true, check that the git-daemon-export-ok magic file
>   exists in the repo, and returns GOT_ERR_NOT_GIT_REPO if it doesnt
>   exist
> 
> this way, i can have "hidden" git repos in /var/www/htdocs/git that can
> still be cloned only by the ones who know their name, and the same repos
> listed in https://cgit.rhaalovely.net/
> are seen in https://cgit.rhaalovely.net/gotwebd/
> 
> feedback welcome.

Love the idea.

I had the same issue when migrating from cgit to gotwebd, and ended
up with a gitolite post-receive hook that copies only some repos
to /var/www.  With something like diff below I could avoid doing
that, thanks!

> Landry
> diff refs/heads/main refs/heads/foo
> commit - b2e7d31ee036249faf5099d0a548d8e0b1dcc520
> commit + 70c522a63bb0def0601951963f7dfd546c08437a
> blob - 62c8c986ac17851a371bfa80e6bdff7c7dd2084f
> blob + 0e5695cd1f8bf1ddc42ba2137e7544ebb541d645
> --- gotwebd/gotweb.c
> +++ gotwebd/gotweb.c
> @@ -2439,6 +2439,17 @@ done:
>  	}
>  done:
> +	if (srv->respect_exportok) {
> +		if (asprintf(&dir_test, "%s/%s/git-daemon-export-ok",

This should be fine, however I'd prefer if we can avoid allocating
yet another string and just peek into the directory with faccessat
since we've just opened it.

> +		    srv->repos_path, repo_dir->name) == -1)
> +				return got_error_from_errno("asprintf");

one extra indent level for the return.

Also, what about enabling respect_exportok by default? :)

2022-10-31 13:54 Landry Breuil:
[gotwebd] add respect_exportok flag to hide/dont expose some repositories
- 2022-10-31 15:04 Omar Polo:
  [gotwebd] add respect_exportok flag to hide/dont expose some repositories
- - 2022-10-31 15:34 Landry Breuil:
    [gotwebd] add respect_exportok flag to hide/dont expose some repositories
  - - 2022-10-31 16:05 Omar Polo:
      [gotwebd] add respect_exportok flag to hide/dont expose some repositories