Many corporations, especially financial services have strict policies towards opensource contributions. On rare occasions when a developer can contribute to open source, information security and compliance officers often demand complex shadow processes are set up to ensure code reviews, scans and other processes are adhered to before a push to the public repo takes place.
We wish to keep the process for the developer as simple and familiar as possible, therefore we feel the solution is a proxy that sits between the developer and the public repository.
The idea is quite simple, scan outgoing attempts to push to public repositor and raise compliance/info-sec friendly checks before allowing the push to complete.
Of course every corporation will have different procedures so a key feature has to be the extensibility of the framework.
All contributions are welcome. Please fork the repository before local development.
- Clone
git-proxyusinggit clone <repo path>/git-proxy - Navigate to project directory with
cd git-proxy
Install and run
- Install project dependencies using
npm iornpm install - Start Express server using
npm startafter the project has installed.
git-proxy@0.0.1 start C:\projects\github-proxy
concurrently "npm run server" "npm run client
git-proxy@0.0.1 server C:\projects\github-proxy
node index.js
git-proxy@0.0.1 client C:\projects\github-proxy
react-scripts start & node index.js
authorisedList = ["pGrovesy/test-allowed-repo.git","pGrovesy/git-proxy.git"]
data sink = "fs"
fs
Successfully connected to : ./.data/db
{
getPushes: [Function: getPushes],
writeAudit: [Function: writeAudit],
getPush: [Function: getPush],
authorise: [Function: authorise],
findByUsername: [Function (anonymous)],
findById: [Function (anonymous)]
}
Listening on 8000
Service Listening on 8080
i 「wds」: Project is running at http://192.168.0.82/
i 「wds」: webpack output is served from
i 「wds」: Content not from webpack is served from C:\projects\github-proxy\public
i 「wds」: 404s will fallback to /
Starting the development server...Now the project is running, lets test a repo through the proxy. Clone a repo that is in the authorised list (see /resources/config.json)
c:\projects\
git clone http://localhost:8000/finos/test-allowed-repo- Edit the README.md file in 'test-allowed-repo' repo
- run 'push.bat'
- You should see some activity in the node.js proxy windows
- Everything should have pushed to the remote repo.
Clone a repo that is not in the authorised list (see /resources/config.json), for example:
c:\projects\
git clone http://localhost:8000/finos/test-banned-repo- Edit the README.md file in 'test-allowed-repo' repo
- run 'push.bat'
- You should see some activity in the node.js proxy windows
- The git push should result in an error
C:\projects\github-proxy>git push origin ui2-and-authorisation
Enumerating objects: 11, done.
Counting objects: 100% (11/11), done.
Delta compression using up to 8 threads
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 613 bytes | 613.00 KiB/s, done.
Total 6 (delta 3), reused 0 (delta 0), pack-reused 0
remote: ERR pGrovesy/test-banned-repo is not listed as an authorised repository
fatal: the remote end hung up unexpectedly
fatal: the remote end hung up unexpectedly
error: failed to push some refs to 'http://localhost:8000/pGrovesy/git-proxy.git'
The push essentially rejected
The file user-settings.json exists in the project root to override config.json for local developer configuration. The following describes how to use user-settings.json
-
If the file exists in the project root
user-settings.jsonoverridesconfig.json -
If
user-settings.jsondoes not existconfig.jsonis used. -
The
jsonformat ofuser-settings.jsonmirrorsconfig.json. This enables local development scenarios, such as forking test repos as illustrated below.-
Fork
finos/test-allowed-repoandfinos/test-banned-repo -
Add the forked
test-allowed-repotouser-settings.jsonin your project root as below ...{ "repoAuthorisedList": [ "<git project>/test-allowed-repo.git" ] }
-
-
Run
git clone http://localhost:8000/<git project>/test-allowed-repo -
Run
git clone http://localhost:8000/<git project>/test-banned-repo -
Edit the README.md file in
test-allowed-repoandtest-banned-reporepo. -
Run the
gitinstructions highlighted inpush.batas illustrated in Testing a Repo Through the Proxy.
The project is now set up for local development, including git push origin master to your forked repos.
- Public repository whitelisting
- Synchronous Pluggable webhooks
- Asynchronous flows - i.e. the proxy will return the correct responses to the git client that the action has taken place, but wait for an external signal to - continue to the push.
- Become a "true" proxy that can be set via
git config http.proxy.... - Implement User access controls against corporate AD groups as well as public github accounts.
- Auditing sink + UI
Please raise an issue if you have an idea!
- Fork it link
- Create your feature branch (
git checkout -b feature/fooBar) - Read our contribution guidelines and Community Code of Conduct
- Commit your changes (
git commit -am 'Add some fooBar') - Push to the branch (
git push origin feature/fooBar) - Create a new Pull Request
NOTE: Commits and pull requests to FINOS repositories will only be accepted from those contributors with an active, executed Individual Contributor License Agreement (ICLA) with FINOS OR who are covered under an existing and active Corporate Contribution License Agreement (CCLA) executed with FINOS. Commits from individuals not covered under an ICLA or CCLA will be flagged and blocked by the FINOS Clabot tool. Please note that some CCLAs require individuals/employees to be explicitly named on the CCLA.
Need an ICLA? Unsure if you are covered under an existing CCLA? Email help@finos.org
Copyright 2020 Citigroup
Distributed under the Apache License, Version 2.0.
SPDX-License-Identifier: Apache-2.0