在 Git HTTP Smart 上读取身份验证不发出登录挑战

Question

I have implemented a Centos8 based Git Smart HTTP Server. All of the "push" ops are working correctly and are requiring sign on authentication. Read ops work properly but are not requiring authentication. SSL is also working.

While anonymous "reads" are standard for a public central repo, in a "private" environment it is quite likely there will be a requirement to prevent unauthenticated reads. For example, the following request should require a user and password. At the moment, it doesn't and is open to the public. this is the git-srv.include file. I have omitted the git-srv.conf file as it is trivial. This is a examples of an undesirable un-authenticated access
$ git ls-remote https://git.xxxxxx.systems/git/jtest 6c3652164e4694d76b41eb87662b997b813d8b51 HEAD 6c3652164e4694d76b41eb87662b997b813d8b51 refs/heads/master

I have added the following "Location" block in Apache .include but It is not forcing a signon for read operations. Write signons are required. The LocationsMatch Block is from the original I copied.

RewriteEngine On
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
RewriteCond %{REQUEST_URI} /git-receive-pack$
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/jtest /usr/libexec/git-core/git-http-backend/

<Location "/srv/git/jtest">

    SetEnv GIT_PROJECT_ROOT /srv/git/<br/>
    AuthType Basic<br/>
    AuthName "Git Read Access to jtest"<br/>
    AuthUserFile /etc/httpd/.authusers-<br/>
    Require valid-user<br/>
    Order deny,allow<br/>
    Deny from env=AUTHREQUIRED<br/>
    Satisfy any<br/>

</Location>

<LocationMatch "^/git/jtest">

    SetEnv GIT_PROJECT_ROOT /srv/git/<br/>
    AuthType Basic<br/>
    AuthName "Git Write Access to jtest"<br/>
    AuthUserFile /etc/httpd/.authusers-<br/>
    Require valid-user<br/>
    Order deny,allow<br/>
    Deny from env=AUTHREQUIRED<br/>
    Satisfy any<br/>

</LocationMatch>

Any suggestions would be appreciated.

Answer 1

The problem is with this block:

RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
RewriteCond %{REQUEST_URI} /git-receive-pack$
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]

This block sets AUTHREQUIRED if your operation is git-receive-pack (an upload) but not if your operation is git-upload-pack (a clone or fetch).

You probably want to just remove that block since you always want to require authentication, and then change this:

Require valid-user
Order deny,allow
Deny from env=AUTHREQUIRED
Satisfy any

to this:

Require valid-user
Order deny,allow
Deny from all
Satisfy any

Then the default behavior is to deny, and you can satisfy your request by providing a valid user.

If you need fancier access control, you can consider something like gitolite, which can control access to different repositories based on the user accessing it.

Answer 2

The response by bk220k answered the issue. With that response. I was then able to reduce the git-srv.include file to solely the following code. Now both reads and writes require authentication as I sought,

    SetEnv GIT_HTTP_EXPORT_ALL

    ScriptAlias /git/jtest /usr/libexec/git- 
      core/git-http-backend/
    <LocationMatch "^/git/jtest">
      SetEnv GIT_PROJECT_ROOT /srv/git/jtest    
      AuthType Basic
      AuthName "Git Write Access to jtest"
      AuthUserFile /etc/httpd/.authusers-jtest
      Require valid-user
      Order deny,allow
      Deny from all
      Satisfy any
    </LocationMatch>