GitSwitch: A proof-of-concept for macaroons-backed git hosting


Robert Escriva

Dec 12, 2015, 6:05:59 PM
to maca...@googlegroups.com
I've pushed a sample project I made to demonstrate macaroons.

From the README:

GitSwitch is a proof of concept that shows how macaroons could be used to
provide authorization for Git repositories. Macaroons are the ideal
authorization tool for git, because they can be shared in much the same way
that git allows code to be shared. A user with read rights to a repository can
always share those rights with someone else simply by pulling/pushing the code
periodically for others. With GitSwitch, direct sharing is possible, even on a
per-branch basis; a caveat can be added allowing a user push access to just a
single branch of the repository, which is great for providing time-limited
access (great for one-off push or pull requests).

Here are the features that are implemented:

- Clone repositories over the gitswitch:// protocol. If the git* programs in
  this repo are in your path, the following should prompt for macaroons for
  the request.

      git clone gitswitch://localhost:8080/some-repo

- Example caveats:

      # to limit a macaroon to just one repo
      gitswitch-repo: some-repo

      # to limit actions to just cloning
      gitswitch-service: upload-pack

      # to limit actions to just pushing
      gitswitch-service: receive-pack

      # just the master branch:
      gitswitch-head: master

      # just the v0.1 tag:
      gitswitch-tag: v0.1

      # expiration of macaroons (valid through the end of 2015)
      gitswitch-expires: 2016-01-01T00:00:00

The code is not intended to be run by anyone not willing to develop it
further; instead, it is a reading exercise for those looking to learn more
about best practices with macaroons.

Here's where I've pushed the code: https://github.com/rescrv/gitswitch

I've no intent on developing it beyond a POC and a teaching demo.

-Robert
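
[Added example, not part of the original post and not GitSwitch's own code.] A minimal sketch of how the caveats listed above can attenuate a macaroon and be checked against a request, using only the basic first-party HMAC chain rather than libmacaroons. The request fields (`repo`, `service`, `ref`, `now`), the caveat semantics, the root key and the identifier are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime

ROOT_KEY = b"constructed-demo-root-key"  # constructed sample secret, server-side only

def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key, identifier):
    # Macaroon = (identifier, caveats, signature); signature starts as HMAC(root, id).
    return (identifier, [], _mac(root_key, identifier))

def attenuate(macaroon, caveat):
    # Any holder can add a caveat: the old signature becomes the next HMAC key.
    ident, caveats, sig = macaroon
    return (ident, caveats + [caveat], _mac(sig, caveat))

def caveat_holds(caveat, request):
    # Assumed semantics for the README's caveat names; unknown caveats fail closed.
    key, _, value = caveat.partition(": ")
    if key == "gitswitch-repo":
        return request.get("repo") == value
    if key == "gitswitch-service":
        return request.get("service") == value
    if key == "gitswitch-head":
        return request.get("ref") == "refs/heads/" + value
    if key == "gitswitch-tag":
        return request.get("ref") == "refs/tags/" + value
    if key == "gitswitch-expires":
        return request["now"] < datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
    return False

def verify(root_key, macaroon, request):
    # Recompute the HMAC chain from the root key, then check every caveat.
    ident, caveats, sig = macaroon
    expected = _mac(root_key, ident)
    for caveat in caveats:
        expected = _mac(expected, caveat)
    return hmac.compare_digest(expected, sig) and all(caveat_holds(c, request) for c in caveats)

# Constructed sample: push-only access to master of some-repo until the end of 2015.
full = mint(ROOT_KEY, "constructed-user-id")
limited = full
for c in ("gitswitch-repo: some-repo", "gitswitch-service: receive-pack",
          "gitswitch-head: master", "gitswitch-expires: 2016-01-01T00:00:00"):
    limited = attenuate(limited, c)
push = {"repo": "some-repo", "service": "receive-pack",
        "ref": "refs/heads/master", "now": datetime(2015, 12, 20)}
```

Dropping a caveat from `limited` while keeping its signature breaks the chain, so a holder can narrow the macaroon but never widen it.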

Tony Arcieri

Dec 12, 2015, 7:07:51 PM
to maca...@googlegroups.com
Great work Robert. I think there's been a lack of "real world" examples of how to use Macaroons, and I think this is the sort of example that's easy to understand for anyone who knows git.

--
Tony Arcieri