
Owner-push enforcement is opt-in (off by default): decide the default write posture #118

Description

@beardthelion

Summary

This is a default-posture decision, not a code defect: in the default configuration, owner-push enforcement is off, so any authenticated (signed) non-owner DID can push to any repo. git_receive_pack rejects a non-owner push only when config.enforce_owner_push is set, and that flag defaults to false (GITLAWB_ENFORCE_OWNER_PUSH). The git-receive-pack POST requires some valid did:key signature (require_signature via add_auth_layers), but does not bind that signature to the repo owner unless an operator opts in.

This is deliberate, documented behavior (introduced opt-in by #68 / commit 0a15e76; the config comment says to keep it off during rolling upgrades and flip it on when owners are ready; there is a committed test asserting the default-off allow). Filing it to get an explicit maintainer decision on the default, not to report broken code.

Where

  • crates/gitlawb-node/src/api/repos.rs: git_receive_pack -> owner_push_rejection(config.enforce_owner_push, &repo, caller_did); owner_push_rejection returns None (no rejection) whenever the flag is off, regardless of caller.
  • crates/gitlawb-node/src/config.rs: enforce_owner_push defaults to false.

Confirmed by execution

owner_push_rejection(false, &repo, Some(STRANGER_DID)) returns None (a non-owner is not rejected when the flag is off). Verified by a throwaway unit test (reverted); a pre-existing committed test already documents the same default-off behavior.

Impact

A default-config node accepts pushes from any authenticated identity, not just the repo owner. Write integrity reduces to "holds a valid signature of any DID" rather than "is the repo owner." Branch protection still runs, but it only covers branches an owner explicitly protected and does not restore owner identity. With the receive-pack advertisement now read-parity (a granted reader can see the advertisement), this default surface is more visible.

Options

  1. Default enforce_owner_push to true and let operators opt out for rolling upgrades (rather than opt in).
  2. Keep opt-in, but surface the default-off state in deployment docs and the startup log so operators consciously choose it.
  3. Gate the receive-pack POST on owner (or explicit writer grant) directly, independent of the flag.

Pre-existing; independent of the receive-pack advertisement fix (which only touches reads).
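The following is an added, standalone Rust model of the decision point this issue describes; it is not gitlawb-node code. It mirrors the reported shape of owner_push_rejection(flag, &repo, caller_did) (None means "allow") and places next to it the two alternatives the options list names: flipping the default to true (option 1) and a grant-based check that does not consult the flag at all (option 3). The NodeConfig and Repo structs, the Rejection enum, the hypothetical writers grant list, grant_push_rejection, receive_pack_decision and the example DID strings are all assumptions made for the illustration.

```rust
// Added illustration for this issue. Names and types are a hypothetical model,
// not the gitlawb-node crate's API.

/// Constructed example identities (not real did:key values).
pub const OWNER_DID: &str = "did:key:z6MkOwnerExample";
pub const WRITER_DID: &str = "did:key:z6MkWriterExample";
pub const STRANGER_DID: &str = "did:key:z6MkStrangerExample";

/// Minimal stand-in for the node config; only the flag under discussion.
#[derive(Debug, Clone, PartialEq)]
pub struct NodeConfig {
    /// Mirrors GITLAWB_ENFORCE_OWNER_PUSH as the issue reports it.
    pub enforce_owner_push: bool,
}

impl Default for NodeConfig {
    /// The default-off posture the issue describes (option 2 keeps it and
    /// surfaces it; option 1 would return `true` here instead).
    fn default() -> Self {
        NodeConfig { enforce_owner_push: false }
    }
}

/// Hypothetical repo record: the owner plus explicit writer grants (assumed
/// shape for option 3; the page does not describe such a grant list).
#[derive(Debug)]
pub struct Repo {
    pub owner_did: String,
    pub writers: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    Unauthenticated,
    NotOwner,
    NoWriteGrant,
}

/// Model of the flag-gated check the issue describes: when `enforce` is
/// false it returns None (allow) for every caller, owner or not.
pub fn owner_push_rejection(enforce: bool, repo: &Repo, caller_did: Option<&str>) -> Option<Rejection> {
    if !enforce {
        return None;
    }
    match caller_did {
        None => Some(Rejection::Unauthenticated),
        Some(did) if did == repo.owner_did => None,
        Some(_) => Some(Rejection::NotOwner),
    }
}

/// Option 3 as a hypothetical check: the caller must be the owner or hold an
/// explicit writer grant, independent of any config flag.
pub fn grant_push_rejection(repo: &Repo, caller_did: Option<&str>) -> Option<Rejection> {
    match caller_did {
        None => Some(Rejection::Unauthenticated),
        Some(did) if did == repo.owner_did || repo.writers.iter().any(|w| w == did) => None,
        Some(_) => Some(Rejection::NoWriteGrant),
    }
}

/// Hypothetical receive-pack gate combining both checks: a push is allowed
/// only if neither check rejects it. With the default config the first check
/// is a no-op, so write integrity rests entirely on the second.
pub fn receive_pack_decision(cfg: &NodeConfig, repo: &Repo, caller_did: Option<&str>) -> Result<(), Rejection> {
    if let Some(r) = owner_push_rejection(cfg.enforce_owner_push, repo, caller_did) {
        return Err(r);
    }
    if let Some(r) = grant_push_rejection(repo, caller_did) {
        return Err(r);
    }
    Ok(())
}

fn main() {
    let repo = Repo { owner_did: OWNER_DID.to_string(), writers: vec![WRITER_DID.to_string()] };
    let default_cfg = NodeConfig::default();
    let strict_cfg = NodeConfig { enforce_owner_push: true };

    // The behaviour the issue confirms by execution: default config, stranger allowed.
    println!("default, stranger, flag-only check: {:?}",
        owner_push_rejection(default_cfg.enforce_owner_push, &repo, Some(STRANGER_DID)));
    // Option 1: same call with the flag on.
    println!("strict,  stranger, flag-only check: {:?}",
        owner_push_rejection(strict_cfg.enforce_owner_push, &repo, Some(STRANGER_DID)));
    // Option 3: grant check rejects the stranger even under the default config.
    println!("default, stranger, combined gate:   {:?}", receive_pack_decision(&default_cfg, &repo, Some(STRANGER_DID)));
    println!("default, writer,   combined gate:   {:?}", receive_pack_decision(&default_cfg, &repo, Some(WRITER_DID)));
}
```

The point the model makes concrete is that options 1 and 3 are not interchangeable: flipping the default (option 1) still admits only the owner and offers nothing for delegated writers, whereas a grant-based gate (option 3) lets the node keep a rolling-upgrade escape hatch on the flag while still binding every write to an identity the repo has actually authorised.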

Metadata

Assignees

No one assigned

Labels

  • crate:node (gitlawb-node — the serving node and REST API)
  • kind:security (Vulnerability fix or hardening)
  • sev:medium (Degraded but workaround exists)
  • subsystem:identity (DID/UCAN, http-sig auth, push authorization)