didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

fix(git-http): log access-hook denial detail to stdout
test / unit (pull_request) Successful in 33s
Details
test / integration (pull_request) Successful in 39s
Details
test / unit (push) Successful in 43s
Details
test / integration (push) Successful in 59s
Details

Browse Source 
Previously when the access-hook returned non-zero, git-http would pipe
the hook's stderr into the 403 body sent back to the agent's git
client but never log it locally, so docker logs just showed
`"GET ... 403 -"` with no explanation. Operators had to shell into
the sidecar and re-run the hook by hand to find out why a clone was
being refused (e.g. upstream SSH unreachable, missing credentials).

Route the hook's stderr/stdout through the existing log_message
channel before sending the 403, one log line per output line so the
default request-log format stays readable. When the hook exits
non-zero with no output, log the exit code so the line is still
informative.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit was merged in pull request #161.
This commit is contained in:
didericis
2026-06-02 23:02:10 -04:00
parent 1105d9a269
commit f427d35e72
2 changed files with 103 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bot_bottle/git_http_backend.py
+12
View File
@@ -49,6 +49,18 @@ class GitHttpHandler(BaseHTTPRequestHandler):
check=False,
)
if hook.returncode != 0:
detail = (hook.stderr or hook.stdout).decode(
"utf-8", errors="replace",
).rstrip()
if detail:
for line in detail.splitlines():
self.log_message("access-hook denied %s: %s",
parsed.path, line)
else:
self.log_message(
"access-hook denied %s: exit=%d (no output)",
parsed.path, hook.returncode,
)
self.send_response(403)
self.send_header("Content-Type", "text/plain; charset=utf-8")
self.end_headers()