# go-git-server

`go-git-server` is an experimental web server that provides authentication and authorization for git repositories.

An attempt at a secure Git HTTP server implementation in Go that provides authentication and authorization, inspired by Gitolite.

## Design

Initially `go-git-server` wraps the built-in git-http-backend CGI process. This is done to provide complete compatibility out of the box. In the future a native Go backend could be created, but there's no compelling story to rewrite the backend.

Authentication is done using a token system with unique access IDs. Each token is associated with both an access ID (for internal use) and a friendly name (for human readability). Tokens are generated by the server with a fixed length of 32 bytes using cryptographically secure random numbers. The system supports different types of identities including users (uid:), service accounts (aid:), bots, and CI systems.

Authorization is implemented using [casbin](https://github.com/casbin/casbin). The system provides role-based access control with predefined roles like admin, maintainers, and bots. Each role has specific permissions defined in the policy file.

## Focus

The current focus is on a single user plus CI user(s), and the project intends to become self-hosted as soon as possible. The aim is to keep ongoing maintenance and hosting simple. It's specifically designed for running in Kubernetes.

## Why

Tools like Gitea are great, but they require things like a DBMS. This increases hosting complexity and maintenance, especially for small teams or single-user bases.

## Features

- Git HTTP backend wrapper with authentication
- Token-based authentication
- Role-based access control using Casbin
- Git repository management
- Configuration via Git (optional management repo)
- Graceful fallback to default configuration when management repo is not found
- Cgit support

## Installation

```bash
# Clone the repository
git clone https://git.ofmax.li/go-git-server
cd go-git-server

# Build the binary
go build ./cmd/main.go
```

## Usage

Start the server:

```bash
./main -r /path/to/repos -t tokens.csv -p policy.csv -m auth_model.ini
```

### Generate Authentication Token

The `tokentool` is currently not included in the container, and no prebuilt binary is available for it. You will have to build it yourself or run it with `go run cmd/tokentool/main.go`.

```bash
./tokentool -generate -name username
```

This will:
1. Generate a new access ID and token
2. Create an entry in tokens.csv with the format: `<access_id>,<friendly_name>,<hash>`
3. Display the token that should be used for authentication

To list existing tokens:

```bash
./tokentool -list
```

The tokens.csv file format is:

```
access_id,friendly_name,hash
```

Special prefixes for friendly names:
- `uid:` - Regular users (default if no prefix)
- `aid:` - Special accounts with the following types:
  - `bot+` - Bot accounts (e.g. bot+argo)

## Configuration

### Server Configuration (gitserver.yaml)

```yaml
name: "go-git-server"
version: "v1alpha1"
basepath: ./repos
repos:
- name: myrepo
  public: false
  permissions:
  - role: maintainers
    mode: 1
  git_web_config:
    owner: username
    description: Repository description
```

The server will automatically use the repository directory path as the base path when using the default configuration if the management repository is not found.

### Authentication Model (auth_model.ini)

The authentication model uses Casbin for role-based access control.

### Token File (tokens.csv)

Format:

```
accessid,uid:username,hash
```

## Development

Requirements:
- Go 1.24+
- Git

Run tests:

```bash
just test
```