Describe the bug
Git commits carry two pieces of identifying information for the users that authored and committed them, both set in the git client's config: user.name and user.email. Throughout the Git Proxy codebase it is assumed that the user.name property relates to a GitHub user id, and it is used to look up the user in the database - the two most important places are:
```js
let user = action.user;

// Find the user associated with this Git Account
const list = await db.getUsers({ gitAccount: action.user });

console.log(JSON.stringify(list));

if (list.length == 1) {
  user = list[0].username;
  isUserAllowed = await db.isUserPushAllowed(repoName, user);
}
```

and

```js
// Get the Internal Author of the push via their Git Account name
const gitAccountauthor = push.user;
const list = await db.getUsers({ gitAccount: gitAccountauthor });
console.log({ list });

if (list.length === 0) {
  res.status(401).send({
    message: `The git account ${gitAccountauthor} could not be found`,
  });
  return;
}

if (list[0].username.toLowerCase() === req.user.username.toLowerCase() && !list[0].admin) {
  res.status(401).send({
    message: `Cannot reject your own changes`,
  });
  return;
}
```

Whilst the user.name may be set to the user's GitHub user account, it doesn't have to be. GitHub doesn't actually expect or require it and the Git SCM book actually demonstrates a plain name for a user (i.e. being set under first time git setup: https://git-scm.com/book/ms/v2/Getting-Started-First-Time-Git-Setup). Further, the assumption that it is the username bakes in reliance on GitHub user accounts and will cause issues applying GitProxy to other platforms such as GitLab (we'll need multiple fields where users contribute into multiple platforms and hence have multiple usernames).

Instead of the GitHub username, commits should be matched to a user by email address. GitHub, GitLab and EasyCLA all associate commits with users via email - for example I've had my client set up with user.name "Kris West", where my user name is @kriswest, for years and have not had issues with GitHub or EasyCLA. The user email is readily available on commits (right next to the user.name) and already needs to be accurate for association with GitHub user accounts and projects that validate contributions with EasyCLA or CLABot.

To Reproduce
Steps to reproduce the behavior:
- Set up your git client as advised in the Git SCM book:
  ```
  $ git config --global user.name "John Doe"
  $ git config --global user.email johndoe@example.com
  ```
- Create a user in git proxy with the given email and set the GitHub username so that it does not match user.name, e.g. @johndoe
- Give the user permission to push to a repository
- Raise and push a commit - it'll be refused as 'User @johndoe is not allowed to push on repo , ending'

Expected behavior
User should be identified by email correctly and allowed to push on the repo.
Additional Context
I'll raise a PR to resolve this issue - it affects a small but critical set of operations and can be resolved with the existing data model, with no need to migrate existing installations.

The two code excerpts quoted above are, in order:
- git-proxy/src/proxy/processors/push-action/checkUserPushPermission.js, lines 10 to 20 in 5d24d9d
- git-proxy/src/service/routes/push.js, lines 45 to 62 in 5d24d9d
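
The reproduction above, run against both lookup strategies, as an added example that is not code from the Git Proxy repository or from the proposed PR. The in-memory `users` list, the `getUsers` stand-in for `db.getUsers`, the `canPush` field, the repository name `demo-repo` and the functions `resolveByName`, `resolveByEmail` and `isPushAllowed` are all assumptions made for illustration.

```javascript
// Constructed sample records standing in for the proxy's user store.
const users = [
  { username: 'johndoe', gitAccount: 'johndoe', email: 'JohnDoe@example.com', canPush: ['demo-repo'] },
  { username: 'asmith', gitAccount: 'asmith', email: 'asmith@example.com', canPush: [] },
];

// Hypothetical in-memory stand-in for db.getUsers(query): exact match on every field.
async function getUsers(query) {
  return users.filter((u) => Object.entries(query).every(([k, v]) => u[k] === v));
}

// Lookup as quoted in the issue: the commit's user.name is treated as the git account.
async function resolveByName(commit) {
  const list = await getUsers({ gitAccount: commit.name });
  return list.length === 1 ? list[0] : null;
}

// Email lookup: normalise case and whitespace, and require exactly one match.
// user.email comes from the client's git config, like user.name, so this
// identifies the claimed committer; it does not authenticate them.
async function resolveByEmail(commit) {
  if (typeof commit.email !== 'string' || !commit.email.includes('@')) return null;
  const wanted = commit.email.trim().toLowerCase();
  const matches = (await getUsers({})).filter((u) => u.email.trim().toLowerCase() === wanted);
  // No match: unknown committer. Several matches: ambiguous, so fail closed.
  return matches.length === 1 ? matches[0] : null;
}

// Push decision keyed on whichever proxy user the resolver returns.
async function isPushAllowed(repoName, commit, resolver) {
  const user = await resolver(commit);
  return user !== null && user.canPush.includes(repoName);
}

// Commit identity configured as in the reproduction steps.
const commit = { name: 'John Doe', email: 'johndoe@example.com' };

async function demo() {
  return {
    byName: await isPushAllowed('demo-repo', commit, resolveByName),
    byEmail: await isPushAllowed('demo-repo', commit, resolveByEmail),
    unknown: await isPushAllowed('demo-repo', { name: 'x', email: 'nobody@example.com' }, resolveByEmail),
  };
}

demo().then((r) => console.log(r));
```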