gitweb: Use OpenID Connect instead of pubtkt based SSO

- Regression: Users who don't have git-access permission can't access the
public repositories.

Tests:

- Functional tests work.

- Admin user is able to view and access the repos when there are some public
repos and when there are no public repos.

- Users belonging to git-access or regular users are unable to access private
repos. But they are also not able to access the public repos. They have to
logout to be able to do that.

- Anonymous user is not able to access the application if all repos are private.
If there is at least one public repo, the repo listing can be accessed and
public repos can be seen and accessed.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Sunil Mohan Adapa 2025-11-24 08:57:24 -08:00 committed by James Valleroy
parent af892adb5e
commit 64272a2bef
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
3 changed files with 7 additions and 10 deletions


@ -4,8 +4,6 @@
## is to be enabled when there are no public git projects.
##
<Directory /usr/share/gitweb>
Include includes/freedombox-single-sign-on.conf
<IfModule mod_auth_pubtkt.c>
TKTAuthToken "git-access" "admin"
</IfModule>
Use AuthOpenIDConnect
Use RequireGroup git-access
</Directory>
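Review bot: The removed TKTAuthToken line granted access to both the "git-access" and "admin" tokens, while the replacement `Use RequireGroup git-access` names only git-access; since the commit message states admin users can still view the repos, add a short comment above the `Use` lines documenting that the RequireGroup macro also admits admin (or list admin explicitly), so a later reader does not assume admins were dropped.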


@ -24,11 +24,10 @@ Alias /gitweb /usr/share/gitweb
# Make gitweb work with custom FreedomBox configuration.
SetEnv GITWEB_CONFIG /etc/gitweb-freedombox.conf
<If "%{HTTP_COOKIE} =~ /auth_pubtkt=.*tokens.*(admin|git-access)/">
Include includes/freedombox-single-sign-on.conf
<IfModule mod_auth_pubtkt.c>
TKTAuthToken "git-access" "admin"
</IfModule>
# Authentication is required for any operation if repository is private.
<If "%{HTTP_COOKIE} =~ /sessionid=/">
Use AuthOpenIDConnect
Use RequireGroup git-access
</If>
# Allow index.cgi symlink to gitweb.cgi to work. Treat gitweb.cgi as CGI
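Review bot: The new condition `<If "%{HTTP_COOKIE} =~ /sessionid=/">` enforces `RequireGroup git-access` for any request carrying a session cookie, which is exactly the regression noted in the commit message: a logged-in user outside git-access is rejected from public repositories that anonymous users can read. The comment above it ("Authentication is required for any operation if repository is private.") no longer describes what the block does, since it gates on cookie presence rather than on repository privacy; update the comment to state the real behaviour and the known regression, and consider whether a failed group check should fall back to the anonymous (public-only) view rather than denying the request outright.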


@ -52,7 +52,7 @@ our $project_maxdepth = 1;
# export private repos only if authorized
our $per_request_config = sub {
if(defined $ENV{'REMOTE_USER_TOKENS'}){
if(defined $ENV{'REMOTE_USER'}){
our $export_auth_hook = sub { return 1; };
}
else {
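Review bot: With `REMOTE_USER_TOKENS` replaced by `REMOTE_USER`, the hook now exports private repos whenever any authenticated user name is present, so its correctness depends entirely on Apache setting REMOTE_USER only after the `RequireGroup git-access` check has passed. Add a comment on the `if(defined $ENV{'REMOTE_USER'})` line stating that assumption, since the Perl side no longer carries the group information the old token check provided.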