otac0n / WebGitNet

WebGit .NET is an ASP.NET MVC app that provides access to your git repositories over HTTP. It supports browsing in a web browser AND push / pull over Git's "Smart HTTP protocol".
zlib License

1) Windows group-based auth 2) building and deployment instructions #74

Open maxim--s opened 11 years ago

maxim--s commented 11 years ago

1) Limits repo creation and push rights to the Windows group members, the group name is in web.config 2) Added BuildingAndDeployment.txt

gregsohl commented 11 years ago

What I have coming for authorization is much more extensive than this, though windows group based would be a good extra authorization provider for my implementation, which includes a Git Hook to provide additional restrictions.

otac0n commented 11 years ago

We should get together to turn this into an Authorization provider implementation.

gregsohl commented 11 years ago

See Issue #64. My commit, almost ready for pull request, is here: https://github.com/gregsohl/WebGitNet/tree/AuthorizationLayer. The hook isn't there, though I'm ready to push it. Maybe later today.

maxim--s commented 11 years ago

Had a brief look at your code, it looks really great. Since probably I will need to deploy Git soon at my workplace, I will use my code for now, till your code (much better one) will be fully done.

BTW – I’m using this code snippet:

            (System.Security.Principal.WindowsPrincipal)User

   to get the “current user” object. The snippet is used in ASP.NET MVC Controller context and uses the User property from the framework.

   Yes, I know that there is lots of Linux software which uses some pathetic authentication like the passwords kept in the text file or such, but, since we are a Windows (ASP.NET) app, I really think we should use Windows-provided (and ASP.NET-provided) means of _authentication_, i.e. password checking.

   As for _authorization_, i.e. checking the permissions to execute the particular actions on a particular object (given that we already have some kind of the User object from the authentication step) – then I really like the idea to port some well-known Linux-based stuff (my code is really a quick hack just to make the thing suitable for my needs).

   So, until there are some better ways _provided by ASP.NET or some other Microsoft layer_, I would really recommend using the code snippet above to get the “current user” object (and embed all password-checking stuff there).

   Also, one of my patches was to pass the name of this user (i.e. the name typed by the client in the browser’s HTTP auth dialog) to the USER env var, so that _Git and its hooks ported from Linux_ will see it. Probably this can also be valuable.

   Max

From: Greg Sohl [mailto:notifications@github.com] Sent: Sunday, May 19, 2013 10:22 PM To: otac0n/WebGitNet Cc: Maxim Shatskikh Subject: Re: [WebGitNet] 1) Windows group-based auth 2) building and deployment instructions (#74)


gregsohl commented 11 years ago

Cool.

I am using Windows Authentication. The authorization layer is based on the Gitolite config file layout.

For my hook's purpose, I am putting the authenticated user information in an environment variable before executing Git. The hook can pick it up and then evaluate using the same set of permissions, from the config file.

Would be easy to layer your windows groups based approach in this.

Greg
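
The two mechanisms discussed in the thread so far, the Windows group check on the controller's `User` and handing the authenticated name to Git hooks through an environment variable, as an added C# example (not code from the pull request or from either author's branch). The group name `EXAMPLE\GitPushers` and the helper names are assumptions; `USER` is the variable named in the thread. It runs on Windows only.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

static class GitAuthExample
{
    // Assumed value; the pull request reads its group name from web.config.
    const string PushGroup = @"EXAMPLE\GitPushers";

    // Deny by default: `as` yields null for a non-Windows principal (forms auth,
    // a generic principal), where the direct cast (WindowsPrincipal)User throws.
    public static bool CanPush(IPrincipal user)
    {
        var windowsUser = user as WindowsPrincipal;
        return windowsUser != null
            && windowsUser.Identity.IsAuthenticated
            && windowsUser.IsInRole(PushGroup);
    }

    // Prepare the Git process so that hooks see the server-authenticated name.
    public static ProcessStartInfo BuildGitStartInfo(
        IPrincipal user, string gitExe, string arguments, string repoPath)
    {
        if (!CanPush(user))
            throw new UnauthorizedAccessException("Not a member of " + PushGroup);

        var info = new ProcessStartInfo(gitExe, arguments)
        {
            WorkingDirectory = repoPath,
            UseShellExecute = false,  // required for EnvironmentVariables to apply
            RedirectStandardInput = true,
            RedirectStandardOutput = true,
        };
        // Set only from the authenticated identity, never from a request header
        // or query string: the hook trusts this value for its own decisions.
        info.EnvironmentVariables["USER"] = user.Identity.Name;
        return info;
    }

    static void Main()
    {
        // Constructed input: this process's own identity stands in for Controller.User.
        var current = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Console.WriteLine("{0} may push: {1}", current.Identity.Name, CanPush(current));

        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        Console.WriteLine("Non-Windows principal may push: {0}", CanPush(anonymous));
    }
}
```

A hook that reads `USER` is only as trustworthy as the process that set it, so the repository should be reachable only through the web application and not through a second path that lets a caller choose the variable.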

maxim--s commented 11 years ago

That’s good, Greg. Looks like I was making a point solution just to satisfy the particular needs, while you’re working on serious, well-designed stuff, also compatible with Linux stuff in terms of access rights file layout.

Probably both should survive in the master branch someday ☺