deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gitolite/src/gl-compile-conf

607 lines
25 KiB
Plaintext
Raw Normal View History

use-warnings
2009-08-25 05:14:46 +02:00
#!/usr/bin/perl
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
use strict;
use-warnings
2009-08-25 05:14:46 +02:00
use warnings;
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
use Data::Dumper;
compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW Summary: DONT forget to run src/gl-compile-conf as the last step in the upgrade Details: The compiled file format has changed quite a bit, to make it easier for the rebel edition coming up :-) compile: - we don't split RW/RW+ into individual perms anymore - we store the info required for the first level check separately now: (repo, R/W, user) - the order for second level check is now: repo, user, [{ref=>perms}...] (list of hashes) update hook logic: the first refex that: - matches the incoming ref, AND - contains the perm you're trying to use, causes the match loop to exit with success. Fallthrough is failure
2009-09-18 14:30:14 +02:00
$Data::Dumper::Indent = 1;
compile: make compiled config be key-sorted makes debugging access changes much easier (doh! why didn't I do this earlier!)
2009-11-23 13:34:18 +01:00
$Data::Dumper::Sortkeys = 1;
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
# === add-auth-keys ===
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# part of the gitolite (GL) suite
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
# (1) - "compiles" ~/.ssh/authorized_keys from the list of pub-keys
# (2) - also "compiles" the user-friendly GL conf file into something easier
# to parse. We're doing this because both the gl-auth-command and the
# (gl-)update hook need this, and it seems easier to do this than
# replicate the parsing code in both those places. As a bonus, it's
# probably more efficient.
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item
2009-09-25 08:47:33 +02:00
# (3) - finally does what I have resisted doing all along -- handle gitweb and
# git-daemon access. It won't *setup* gitweb/daemon for you -- you have
# to that yourself. What this does is make sure that "repo.git"
# contains the file "git-daemon-export-ok" (for daemon case) and the
# line "repo.git" exists in the "projects.list" file (for gitweb case).
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
# how run: manual, by GL admin
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
# when:
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# - anytime a pubkey is added/deleted
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# - anytime gitolite.conf is changed
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
# input:
Fix default configuration paths in documentation Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-04 16:04:40 +01:00
# - GL_CONF (default: ~/.gitolite/conf/gitolite.conf)
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# - GL_KEYDIR (default: ~/.gitolite/keydir)
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
# output:
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# - ~/.ssh/authorized_keys (dictated by sshd)
Fix default configuration paths in documentation Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-04 16:04:40 +01:00
# - GL_CONF_COMPILED (default: ~/.gitolite/conf/gitolite.conf-compiled.pm)
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
# security:
# - touches a very critical system file that manages the restrictions on
# incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
# below) on any change to this script
# - no security checks within program. The GL admin runs this manually
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
# warnings:
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
# - if the "start" line exists, but the "end" line does not, you lose the
# rest of the existing authkey file. In general, "don't do that (TM)",
# but we do have a "vim -d" popping up so you can see the changes being
# made, just in case...
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
install and compile: learnt a '-q' flag (not for manual use!) ...only for easy install to use in "quiet" mode
2009-10-25 13:03:06 +01:00
# setup quiet mode if asked; please do not use this when running manually
open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q');
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
# these are set by the "rc" file
(big-config) update doc and rc, allow skipping gitweb/daemon skipping gitweb/daemon has an enormous impact on speed of an admin-push!
2010-05-16 02:48:08 +02:00
our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_SETPERMS_OVERRIDES_CONFIG, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB);
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
# and these are set by gitolite.pm
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
our ($REPONAME_PATT, $REPOPATT_PATT, $USERNAME_PATT, $AUTH_COMMAND, $AUTH_OPTIONS, $ABRT, $WARN);
compile: make error messages grab the admin's attention required if you do "push to admin"
2009-09-15 17:32:23 +02:00
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
# the common setup module is in the same directory as this running program is
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
make $bindir absolute
2010-02-09 12:30:01 +01:00
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
require "$bindir/gitolite.pm";
# ask where the rc file is, get it, and "do" it
&where_is_rc();
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
die "$ABRT parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
support git installed outside default $PATH (also some minor fixes to doc/3)
2009-10-13 06:32:45 +02:00
# add a custom path for git binaries, if specified
$ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# ----------------------------------------------------------------------------
# definitions specific to this program
# ----------------------------------------------------------------------------
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
# command and options for authorized_keys
auth/install/pu-hook: pass ADMINDIR and BINDIR via ENV The admin repo's post-update hook needs to know where $GL_ADMINDIR is, and we had a weird way of doing that which depended on gl-install actually munging the hook code. We also always assumed the binaries are in GL_ADMINDIR/src. We now use an env var to pass both these values. This removes the weird dependency on gl-install that the post-update hook had, as well as make running other programs easier due to the new $GL_BINDIR env var.
2009-12-15 08:05:48 +01:00
$AUTH_COMMAND="$bindir/gl-auth-command";
(minor fixup)
2010-04-14 06:19:09 +02:00
$AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
shell? perl? schizophrenia? fix it NOW dammit :)
2009-08-23 07:35:14 +02:00
compile: comments+efficiency - add better comments on the 2 main hashes - work around an inefficiency caused by the exclude prep code needing a list instead of a hash at a certain place
2009-10-05 16:51:33 +02:00
# groups can now represent user groups or repo groups.
# $groups{group}{member} = "master" (or name of fragment file in which the
# group is defined).
compile: (oopsies...) plug security hole in delegation feature I was trying to determine how close gitolite can come to the ACL model of a proprietary product called codebeamer, and one of the items was how to make a "role" (like QA_Lead) have different "members" in different projects. I then realised delegation already does that! Which is great, but as I thought about it more, I realised... well, we'll let the in-code comments speak for themselves :-) Anyway, all it needed was a 1-line fix, luckily... <phew> And it would have only affected people who use delegation.
2009-11-23 18:15:00 +01:00
our %groups = ();
compile: comments+efficiency - add better comments on the 2 main hashes - work around an inefficiency caused by the exclude prep code needing a list instead of a hash at a certain place
2009-10-05 16:51:33 +02:00
# %repos has two functions.
# $repos{repo}{R|W}{user} = 1 if user has R (or W) permissions for at least
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
# one branch in repo. This is used by the "level 1 check" (see faq). There's
# also the new "C" (create a repo) permission now
compile: comments+efficiency - add better comments on the 2 main hashes - work around an inefficiency caused by the exclude prep code needing a list instead of a hash at a certain place
2009-10-05 16:51:33 +02:00
# $repos{repo}{user} is a list of {ref, perms} pairs. This is used by the
# level 2 check. In order to allow "exclude" rules, the order of rules now
# matters, so what used to be entirely "hash of hash of hash" now has a list
# in between :)
all: some "our"s changed to "my"
2009-08-25 05:38:11 +02:00
my %repos = ();
compile: comments+efficiency - add better comments on the 2 main hashes - work around an inefficiency caused by the exclude prep code needing a list instead of a hash at a certain place
2009-10-05 16:51:33 +02:00
(big one!) rule sequencing changes! There were 2 problems with rule sequencing. Eli had a use case where everyone is equal, but some are more equal than the others ;-) He wanted a way to say "everyone can create repos under their own names, but only some people should be able to rewind their branches". Something like this would be ideal (follow the rules in sequence for u1/u2/u3/u4, and you will see that the "deny" rule kicks in to prevent u1/u2 from being able to rewind, although they can certainly delete their branches): @private-owners = u1 u2 @experienced-private-owners = u3 u4 repo CREATOR/.* C = @private-owners @experienced-private-owners RWD = CREATOR RW = WRITERS R = READERS - = @private-owners RW+D = CREATOR In normal gitolite this doesn't work because the CREATOR rules (which get translated to "u1" at runtime) end up over-writing the "deny" rule when u1 or u2 are the creators. This over-writing happens directly at the "do compiled.pm" step. With big-config, this does not happen (because @private-owners does not get expanded to u1 and u2), but the problem remains: the order of picking up elements of repo_plus and user_plus is such that, again, the RW+D wins (it appears before the "-" rule). We fix all that by - making CREATOR complete to more than just the creator's name (for "u1", it now becomes "u1 - wild", which is actually illegal to use for real so there's no possibility of a name clash!) - maintaining a rule sequence number that is used to sort the rules eventually applied (this also resulted in the refex+perm hash becoming a list)
2010-05-18 11:27:14 +02:00
# rule sequence number
my $rule_seq = 0;
compile: comments+efficiency - add better comments on the 2 main hashes - work around an inefficiency caused by the exclude prep code needing a list instead of a hash at a certain place
2009-10-05 16:51:33 +02:00
# <sigh>... having been forced to use a list as described above, we lose some
# efficiency due to the possibility of the same {ref, perms} pair showing up
# multiple times for the same repo+user. So...
my %rurp_seen = ();
# catch usernames<->pubkeys mismatches; search for "lint" below
my %user_list = ();
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
Add support for repo configurations Git repository configurations can be set/unset by declaring "config" lines in "repo" stanzas in gitolite.conf. For example: repo gitolite config hooks.mailinglist = gitolite-commits@example.tld config hooks.emailprefix = "[gitolite] " config foo.bar = "" config foo.baz = The firs two set (override) the values. Double quotes must be used to preserve preceding spaces. Third one sets an empty value and the last removes all keys. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-07 21:20:29 +01:00
# repo configurations
my %repo_config = ();
compile: add owner field in the same line as the gitweb descriptions this goes into the project list
2009-11-27 08:53:48 +01:00
# gitweb descriptions and owners; plain text, keyed by "$repo.git"
compile: added repo descriptions example line in config file: gitolite = "fast, secure, access control for git in a corporate environment"
2009-11-12 10:19:39 +01:00
my %desc = ();
compile: add owner field in the same line as the gitweb descriptions this goes into the project list
2009-11-27 08:53:48 +01:00
my %owner = ();
compile: added repo descriptions example line in config file: gitolite = "fast, secure, access control for git in a corporate environment"
2009-11-12 10:19:39 +01:00
compile, rc, doc/3: allow custom umask
2009-09-21 11:11:37 +02:00
# set the umask before creating any files
umask($REPO_UMASK);
compile: move umask up to cover other outputs also
2009-08-25 03:36:36 +02:00
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# ----------------------------------------------------------------------------
# subroutines
# ----------------------------------------------------------------------------
compile+conf: allow lists (@listname) for reponames too why should just usernames have all the fun :) The "expand_userlist" function is now "expand_list" and serves generically. The example conf has also been updated correspondingly
2009-09-15 17:37:00 +02:00
sub expand_list
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
{
my @list = @_;
my @new_list = ();
for my $item (@list)
{
if ($item =~ /^@/) # nested group
{
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
die "$ABRT undefined group $item\n" unless $groups{$item};
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
# add those names to the list
compile: change %groups from hash of lists to hash of hashes This makes it easier to test if a repo is a member of a group, which is required for the delegation feature coming up
2009-10-02 18:24:23 +02:00
push @new_list, sort keys %{ $groups{$item} };
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
}
else
{
push @new_list, $item;
}
}
return @new_list;
}
# ----------------------------------------------------------------------------
# "compile" GL conf
# ----------------------------------------------------------------------------
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
sub parse_conf_file
{
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
my ($conffile, $fragment) = @_;
# the second arg, $fragment, is passed in as "master" when parsing the
# main config, and the fragment name when parsing a fragment. In the
# latter case, the parser uses that information to ignore (and warn about)
# any repos in the fragment that are not members of the "repo group" of
# the same name.
my %ignored = ();
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
my $conf_fh = wrap_open( "<", $conffile );
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# the syntax is fairly simple, so we parse it inline
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
my @repos;
while (<$conf_fh>)
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
{
compile: allow "#" in *simple* strings like: config notify.ircChannel = "#foo" (thanks, jhelwig)
2010-01-23 10:27:22 +01:00
# kill comments, but take care of "#" inside *simple* strings
s/^((".*?"|[^#"])*)#.*/$1/;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# normalise whitespace; keeps later regexes very simple
s/=/ = /;
s/\s+/ /g;
s/^ //;
s/ $//;
# and blank lines
next unless /\S/;
# user or repo groups
if (/^(@\S+) = (.*)/)
{
(big-config) compile: fragments in big-config Since it is possible to do all sorts of shenanigans with wildcards and repo groups, we - allow only a fragment called "foo" to set permissions for a group called "@foo", in addition to a repo called "foo" - forbid defining any groups within a fragment conf. All "@foo = bar baz" must be done in the main config file now. If this proves too limiting for anyone I'll worry about it then.
2010-05-12 18:39:51 +02:00
die "$ABRT defining groups is not allowed inside fragments\n"
if $GL_BIG_CONFIG and $fragment ne 'master';
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
# store the members of each group as hash key. Keep track of when
# the group was *first* created by using $fragment as the *value*
do { $groups{$1}{$_} ||= $fragment } for ( expand_list( split(' ', $2) ) );
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
die "$ABRT bad group $1\n" unless $1 =~ $REPONAME_PATT;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
}
# repo(s)
elsif (/^repo (.*)/)
{
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
# grab the list...
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
@repos = split ' ', $1;
@all for repos is now much cleaner; a true @all... - no need to put it at the end of the config file now, yeaaay! - @all for @all is meaningless and not supported. People asking will be told to get a life or use git-daemon. - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-23 17:50:34 +01:00
unless (@repos == 1 and $repos[0] eq '@all') {
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
# ...expand groups in the default case
@repos = expand_list ( @repos ) unless $GL_BIG_CONFIG;
# ...sanity check
(minor) more helpful message when the user forgot to set $GL_WILDREPOS thanks to konrad for catching this also make lack of WILDREPOS more noticable on compile
2010-04-25 10:19:19 +02:00
for (@repos) {
die "$ABRT bad reponame $_\n"
if ($GL_WILDREPOS and $_ !~ $REPOPATT_PATT);
die "$ABRT bad reponame $_ or you forgot to set \$GL_WILDREPOS\n"
if (not $GL_WILDREPOS and $_ !~ $REPONAME_PATT);
}
compile: support "repo @all" definitions "repo @all" can be used to set permissions or configurations for all already defined repos. (A repository is defined if it has permission rules associated, empty "repo" stanza or "@group=..." line is not enough.) For example to allow a backup user to clone all repos: # All other configuration [...] repo @all R = backup Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-21 00:55:45 +01:00
}
spelling cluestick... Ouch! How mortifying :) I'd always thought this was one of the Brit/US differences, but to find out that it really *isn't* a word... hmph! Anyway, in the interest of not breaking existing wild repos, the ownership file is still called "gl-creater". Everything else has been changed. (...thanks to Sverre)
2010-04-25 19:09:27 +02:00
s/\bCREAT[EO]R\b/\$creator/g for @repos;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
}
# actual permission line
"D" must be combined with RW or RW+ (warning: minor backward compat breakage) Having to specify "D" separately from RW or RW+ was cumbersome, and although I don't actually use this feature, I can see the point. One way to think of this is: - RW and RW+ were the only existing branch level rights - it doesnt make sense to have D rights without W (hence RW) rights - so we simply suffix a D to these if required. Thus you can have RW, RW+, RWD, RW+D. I hope the (hopefully few) of you who have started to use this feature will convert your configs when you next upgrade to "pu". I now regret pushing the previous syntax to master too quickly -- lots of people use master only, and on the next promotion of pu the syntax will change. To reduce this exposure, this change will be promoted to master very soon.
2010-04-15 03:02:39 +02:00
elsif (/^(-|C|R|RW\+?D?) (.* )?= (.+)/)
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
{
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
my $perms = $1;
my @refs; @refs = split(' ', $2) if $2;
compile: users and repos have groups... why not refs? this came up in some other discussion with bremner. As usual I said no I won't do it because I don't see any real need. ...then I realised it's just one line :)
2010-02-13 15:30:45 +01:00
@refs = expand_list ( @refs );
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
my @users = split ' ', $3;
(minor) more helpful message when the user forgot to set $GL_WILDREPOS thanks to konrad for catching this also make lack of WILDREPOS more noticable on compile
2010-04-25 10:19:19 +02:00
die "$ABRT \$GL_WILDREPOS is not set, you cant use 'C' in config\n" if $perms eq 'C' and not $GL_WILDREPOS;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# if no ref is given, this PERM applies to all refs
@refs = qw(refs/.*) unless @refs;
deprecation warning about old style PATH/ syntax (this commit will probably get reverted after a suitable period has elapsed and no one is likely to still be using the old syntax). Forgetting to change it to NAME/ after is a security issue -- you end up permitting stuff you don't want to! This commit allows the old syntax but prints a warning
2010-01-09 15:27:44 +01:00
# deprecation warning
map { warn "WARNING: old syntax 'PATH/' found; please use new syntax 'NAME/'\n" if s(^PATH/)(NAME/) } @refs;
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
# fully qualify refs that dont start with "refs/" or "NAME/";
compile: allow PATH/foo and populate the hash correctly
2009-11-16 15:35:08 +01:00
# prefix them with "refs/heads/"
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
@refs = map { m(^(refs|NAME)/) or s(^)(refs/heads/); $_ } @refs;
compile/update hook: enable new style personal branches The new style personal branches work by interpreting the special sequence /USER/ (including the slashes) in a refname. Docs should be in the next commit...
2010-03-16 02:56:33 +01:00
@refs = map { s(/USER/)(/\$gl_user/); $_ } @refs;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# expand the user list, unless it is just "@all"
@users = expand_list ( @users )
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
unless ($GL_BIG_CONFIG or (@users == 1 and $users[0] eq '@all'));
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
do { die "$ABRT bad username $_\n" unless $_ =~ $USERNAME_PATT } for @users;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
spelling cluestick... Ouch! How mortifying :) I'd always thought this was one of the Brit/US differences, but to find out that it really *isn't* a word... hmph! Anyway, in the interest of not breaking existing wild repos, the ownership file is still called "gl-creater". Everything else has been changed. (...thanks to Sverre)
2010-04-25 19:09:27 +02:00
s/\bCREAT[EO]R\b/~\$creator/g for @users;
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
s/\bREADERS\b/\$readers/g for @users;
s/\bWRITERS\b/\$writers/g for @users;
allow setperms to override config file permissions
2010-05-14 07:22:58 +02:00
# and double it up if $GL_SETPERMS_OVERRIDES_CONFIG
do { s/\$(creator|readers|writers)\b/~\$$1/g for @users } if $GL_SETPERMS_OVERRIDES_CONFIG;
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# ok, we can finally populate the %repos hash
for my $repo (@repos) # each repo in the current stanza
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
{
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
# if we're processing a delegated config file (not the master
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
# config), we need to prevent attempts by that admin to obtain
# rights on stuff outside his domain
# trying to set access for $repo (='foo')...
if (
# processing the master config, not a fragment
( $fragment eq 'master' ) or
# fragment is also called 'foo' (you're allowed to have a
# fragment that is only concerned with one repo)
( $fragment eq $repo ) or
(big-config) compile: fragments in big-config Since it is possible to do all sorts of shenanigans with wildcards and repo groups, we - allow only a fragment called "foo" to set permissions for a group called "@foo", in addition to a repo called "foo" - forbid defining any groups within a fragment conf. All "@foo = bar baz" must be done in the main config file now. If this proves too limiting for anyone I'll worry about it then.
2010-05-12 18:39:51 +02:00
# same thing in big-config-land; foo is just @foo now
( $GL_BIG_CONFIG and "\@$fragment" eq $repo ) or
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
# fragment is called "bar" and "@bar = foo" has been
# defined in the master config
( ($groups{"\@$fragment"}{$repo} || '') eq 'master' )
) {
# all these are fine
} else {
# this is a little more complex
# fragment is called "bar", one or more "@bar = regex"
# have been specified in master, and "foo" matches some
# such "regex"
my @matched = grep { $repo =~ /^$_$/ }
grep { $groups{"\@$fragment"}{$_} eq 'master' }
sort keys %{ $groups{"\@$fragment"} };
if (@matched < 1) {
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
$ignored{$fragment}{$repo} = 1;
next;
}
}
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
for my $user (@users)
{
$user_list{$user}++; # only to catch lint, see later
compile: pubkey related linting added - warn about files in keydir/ that dont end with ".pub" - warn about pubkey files for which the user is not mentioned in config - warn more sternly about the opposite (user in config, no pubkey!) update hook: add reponame to message on deny auth: minor typo
2009-09-27 04:32:36 +02:00
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# for 1st level check (see faq/tips doc)
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
$repos{$repo}{C}{$user} = 1, next if $perms eq 'C';
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
$repos{$repo}{R}{$user} = 1 if $perms =~ /R/;
compile/update: new "D" permission normally, RW+ means permission to rewind or delete. Now, if you use "D" permission anywhere in a repo config, that means "delete" and RW+ then means only "rewind", no delete.
2010-03-30 16:31:49 +02:00
$repos{$repo}{W}{$user} = 1 if $perms =~ /W|D/;
# if the user specified even a single 'D' anywhere, make
# that fact easy to find; this changes the meaning of RW+
# to no longer permit deletes (see update hook)
"D" must be combined with RW or RW+ (warning: minor backward compat breakage) Having to specify "D" separately from RW or RW+ was cumbersome, and although I don't actually use this feature, I can see the point. One way to think of this is: - RW and RW+ were the only existing branch level rights - it doesnt make sense to have D rights without W (hence RW) rights - so we simply suffix a D to these if required. Thus you can have RW, RW+, RWD, RW+D. I hope the (hopefully few) of you who have started to use this feature will convert your configs when you next upgrade to "pu". I now regret pushing the previous syntax to master too quickly -- lots of people use master only, and on the next promotion of pu the syntax will change. To reduce this exposure, this change will be promoted to master very soon.
2010-04-15 03:02:39 +02:00
$repos{$repo}{DELETE_IS_D} = 1 if $perms =~ /D/;
compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW Summary: DONT forget to run src/gl-compile-conf as the last step in the upgrade Details: The compiled file format has changed quite a bit, to make it easier for the rebel edition coming up :-) compile: - we don't split RW/RW+ into individual perms anymore - we store the info required for the first level check separately now: (repo, R/W, user) - the order for second level check is now: repo, user, [{ref=>perms}...] (list of hashes) update hook logic: the first refex that: - matches the incoming ref, AND - contains the perm you're trying to use, causes the match loop to exit with success. Fallthrough is failure
2009-09-18 14:30:14 +02:00
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
# for 2nd level check, store each "ref, perms" pair in order
for my $ref (@refs)
{
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
# checking NAME based restrictions is expensive for
compile: allow PATH/foo and populate the hash correctly
2009-11-16 15:35:08 +01:00
# the update hook (see the changes to src/hooks/update
# in this commit for why) so we would *very* much like
# to avoid doing it for the large majority of repos
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
# that do *not* use NAME limits. Setting a flag that
compile: allow PATH/foo and populate the hash correctly
2009-11-16 15:35:08 +01:00
# can be checked right away will help us do that
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
$repos{$repo}{NAME_LIMITS} = 1 if $ref =~ /^NAME\//;
(big one!) rule sequencing changes! There were 2 problems with rule sequencing. Eli had a use case where everyone is equal, but some are more equal than the others ;-) He wanted a way to say "everyone can create repos under their own names, but only some people should be able to rewind their branches". Something like this would be ideal (follow the rules in sequence for u1/u2/u3/u4, and you will see that the "deny" rule kicks in to prevent u1/u2 from being able to rewind, although they can certainly delete their branches): @private-owners = u1 u2 @experienced-private-owners = u3 u4 repo CREATOR/.* C = @private-owners @experienced-private-owners RWD = CREATOR RW = WRITERS R = READERS - = @private-owners RW+D = CREATOR In normal gitolite this doesn't work because the CREATOR rules (which get translated to "u1" at runtime) end up over-writing the "deny" rule when u1 or u2 are the creators. This over-writing happens directly at the "do compiled.pm" step. With big-config, this does not happen (because @private-owners does not get expanded to u1 and u2), but the problem remains: the order of picking up elements of repo_plus and user_plus is such that, again, the RW+D wins (it appears before the "-" rule). We fix all that by - making CREATOR complete to more than just the creator's name (for "u1", it now becomes "u1 - wild", which is actually illegal to use for real so there's no possibility of a name clash!) - maintaining a rule sequence number that is used to sort the rules eventually applied (this also resulted in the refex+perm hash becoming a list)
2010-05-18 11:27:14 +02:00
my $p_user = $user; $p_user =~ s/(creator|readers|writers)$/$1 - wild/;
push @{ $repos{$repo}{$p_user} }, [ $rule_seq++, $ref, $perms ]
unless $rurp_seen{$repo}{$p_user}{$ref}{$perms}++;
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
}
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
}
}
}
Add support for repo configurations Git repository configurations can be set/unset by declaring "config" lines in "repo" stanzas in gitolite.conf. For example: repo gitolite config hooks.mailinglist = gitolite-commits@example.tld config hooks.emailprefix = "[gitolite] " config foo.bar = "" config foo.baz = The firs two set (override) the values. Double quotes must be used to preserve preceding spaces. Third one sets an empty value and the last removes all keys. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-07 21:20:29 +01:00
# configuration
elsif (/^config (.+) = ?(.*)/)
{
my ($key, $value) = ($1, $2);
compile: tighten up the 'git config' feature Gitolite allows you to set git repo options using the "config" keyword; see conf/example.conf for details and syntax. However, if you are in an installation where the repo admin does not (and should not) have shell access to the server, then allowing him to set arbitrary repo config options *may* be a security risk -- some config settings may allow executing arbitrary commands. This patch fixes it, introducing a new RC variable to control the behaviour. See conf/example.gitolite.rc for details
2010-02-07 08:39:16 +01:00
my @validkeys = split (' ', ($GL_GITCONFIG_KEYS || ''));
my @matched = grep { $key =~ /^$_$/ } @validkeys;
die "$ABRT git config $key not allowed\n" if (@matched < 1);
Add support for repo configurations Git repository configurations can be set/unset by declaring "config" lines in "repo" stanzas in gitolite.conf. For example: repo gitolite config hooks.mailinglist = gitolite-commits@example.tld config hooks.emailprefix = "[gitolite] " config foo.bar = "" config foo.baz = The firs two set (override) the values. Double quotes must be used to preserve preceding spaces. Third one sets an empty value and the last removes all keys. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-07 21:20:29 +01:00
for my $repo (@repos) # each repo in the current stanza
{
$repo_config{$repo}{$key} = $value;
}
}
compile: support "include" definition Support config file including using: include "filename" If filename is not an absolute path, it is looked from the $GL_ADMINDIR/conf/ directory. For security reasons include is not allowed for fragments. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-05 19:34:40 +01:00
# include
elsif (/^include "(.+)"/)
{
my $file = $1;
$file = "$GL_ADMINDIR/conf/$file" unless $file =~ /^\//;
die "$WARN $fragment attempting to include configuration\n" if $fragment ne 'master';
die "$ABRT included file not found: '$file'\n" unless -f $file;
parse_conf_file($file, $fragment);
}
compile: add owner field in the same line as the gitweb descriptions this goes into the project list
2009-11-27 08:53:48 +01:00
# very simple syntax for the gitweb description of repo; one of:
# reponame = "some description string"
# reponame "owner name" = "some description string"
elsif (/^(\S+)(?: "(.*?)")? = "(.*)"$/)
compile: added repo descriptions example line in config file: gitolite = "fast, secure, access control for git in a corporate environment"
2009-11-12 10:19:39 +01:00
{
compile: add owner field in the same line as the gitweb descriptions this goes into the project list
2009-11-27 08:53:48 +01:00
my ($repo, $owner, $desc) = ($1, $2, $3);
compile: added repo descriptions example line in config file: gitolite = "fast, secure, access control for git in a corporate environment"
2009-11-12 10:19:39 +01:00
die "$ABRT bad repo name $repo\n" unless $repo =~ $REPONAME_PATT;
die "$WARN $fragment attempting to set description for $repo\n" if
$fragment ne 'master' and $fragment ne $repo and ($groups{"\@$fragment"}{$repo} || '') ne 'master';
compile: add owner field in the same line as the gitweb descriptions this goes into the project list
2009-11-27 08:53:48 +01:00
$desc{"$repo.git"} = $desc;
$owner{"$repo.git"} = $owner || '';
compile: added repo descriptions example line in config file: gitolite = "fast, secure, access control for git in a corporate environment"
2009-11-12 10:19:39 +01:00
}
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
else
{
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
die "$ABRT can't make head or tail of '$_'\n";
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
}
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
}
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
for my $ig (sort keys %ignored)
{
warn "\n\t\t***** WARNING *****\n" .
"\t$ig.conf attempting to set access for " .
join (", ", sort keys %{ $ignored{$ig} }) . "\n";
}
gl-compile-conf now has "compilation" of the conf file also
2009-08-23 10:16:45 +02:00
}
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
# parse the main config file
parse_conf_file($GL_CONF, 'master');
# parse any delegated fragments
wrap_chdir($GL_ADMINDIR);
for my $fragment_file (glob("conf/fragments/*.conf"))
{
compile: (oopsies...) plug security hole in delegation feature I was trying to determine how close gitolite can come to the ACL model of a proprietary product called codebeamer, and one of the items was how to make a "role" (like QA_Lead) have different "members" in different projects. I then realised delegation already does that! Which is great, but as I thought about it more, I realised... well, we'll let the in-code comments speak for themselves :-) Anyway, all it needed was a 1-line fix, luckily... <phew> And it would have only affected people who use delegation.
2009-11-23 18:15:00 +01:00
# we already check (elsewhere) that a fragment called "foo" will not try
# to specify access control for a repo whose name is not "foo" or is not
# part of a group called "foo" created by master
# meanwhile, I found a possible attack where the admin for group B creates
# a "convenience" group of (a subset of) his users, and then the admin for
# repo group A (alphabetically before B) adds himself to that same group
# in his own fragment.
# as a result, admin_A now has access to group B repos :(
# so now we lock the groups hash to the value it had after parsing
# "master", and localise any changes to it by this fragment so that they
# don't propagate to the next fragment. Thus, each fragment now has only
# those groups that are defined in "master" and itself
local %groups = %groups;
compile: (large changes) parse delegated fragments if any [Note: this is a fairly involved commit, compared to most of the others. See doc/5-delegation.mkd for a user-level feature description.] parse delegated config fragments (found as conf/fragments/*.conf). Any repos being referenced within a fragment config *must* belong to the "@group" with the same name as the fragment. That is, a fragment called conf/fragments/abc.conf can only refer to repos that are members of the "@abc" repo group. It cannot specify access control for any other repos. If it does, those settings are ignored, and a warning message is produced. since the delegated config must have the flexibility of (re-)defining group names for internal convenience, and since all such definitions go into the same "groups" hash, it is quite easy for conf/fragments/abc.conf to write in its own (re-)definition of "@abc"! That would be a neat little security hole :) The way to close it is to consider only members of the "@abc" groupset defined in the main ("master") config file for this purpose.
2009-10-04 06:26:40 +02:00
my $fragment = $fragment_file;
$fragment =~ s/^conf\/fragments\/(.*).conf$/$1/;
parse_conf_file($fragment_file, $fragment);
}
compile: make the parse a function instead of inline Again, prep for delegation, when we'll be reading fragments of config rules from various files and tacking them onto the %repos hash. note: this patch best viewed with "git diff -w", clicking "Ignore space change" in gitk, or eqvt :-)
2009-10-02 18:47:51 +02:00
compile: wrap the open call as well, plus better messages from both wrappers
2009-08-31 04:28:08 +02:00
my $compiled_fh = wrap_open( ">", $GL_CONF_COMPILED );
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
my $dumped_data = Data::Dumper->Dump([\%repos], [qw(*repos)]);
spelling cluestick... Ouch! How mortifying :) I'd always thought this was one of the Brit/US differences, but to find out that it really *isn't* a word... hmph! Anyway, in the interest of not breaking existing wild repos, the ownership file is still called "gl-creater". Everything else has been changed. (...thanks to Sverre)
2010-04-25 19:09:27 +02:00
# the dump uses single quotes, but we convert any strings containing $creator,
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
# $readers, $writers, to double quoted strings. A wee bit sneaky, but not too
# much...
allow setperms to override config file permissions
2010-05-14 07:22:58 +02:00
$dumped_data =~ s/'(?=[^']*\$(?:creator|readers|writers|gl_user))~*(.*?)'/"$1"/g;
wildrepos: teach compile the new syntax There's a new "C" permission to let someone *create* a repo that matches the pattern given in the "repo ..." line. If the word CREATER appears in the repo pattern, then that is forced to the actual user performing that operation. Something like this (we'll discuss READERS and WRITERS later): repo personal/CREATER/.+ C = @staff R [foo] = READERS RW [bar] = WRITERS ...various other permissions as usual... Delegation checking also changes quite a bit... see comments in code Implementation: there's also a sneaky little trick we're playing here with the dumped hash
2009-12-05 14:08:46 +01:00
print $compiled_fh $dumped_data;
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
print $compiled_fh Data::Dumper->Dump([\%groups], [qw(*groups)]) if $GL_BIG_CONFIG and %groups;
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
close $compiled_fh or die "$ABRT close compiled-conf failed: $!\n";
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# ----------------------------------------------------------------------------
compile: pubkey related linting added - warn about files in keydir/ that dont end with ".pub" - warn about pubkey files for which the user is not mentioned in config - warn more sternly about the opposite (user in config, no pubkey!) update hook: add reponame to message on deny auth: minor typo
2009-09-27 04:32:36 +02:00
# any new repos to be created?
gl-compile-conf changed (see below) and "rc" file added - factored out all the pathnames etc to an rc - taught it to create repos that dont exist but are mentioned - promoted user up one level (moving ref down) because gl-auth needs it - REPO_BASE no longer contains $HOME so that has to be added in manually - little bugs here and there, like in @refs
2009-08-23 11:25:50 +02:00
# ----------------------------------------------------------------------------
# modern gits allow cloning from an empty repo, so we just create it. Gitosis
# did not have that luxury, so it was forced to detect the first push and
# create it then
compile+doc/3: deal with older gits - detect/warn git version < 1.6.2 - create documentation with details on client-side workaround - change the "git init --bare" to (older) "git --bare init", since the old syntax still works anyway
2009-09-21 04:18:30 +02:00
# but it turns out not everyone has "modern" gits :)
my $git_version = `git --version`;
(minor) helpful message when git isn't found in PATH on server
2010-04-20 17:46:24 +02:00
die "
*** ERROR ***
did not get a proper version number. Please see if git is in the PATH on
the server. If it is not, please edit ~/.gitolite.rc on the server and
set the \$GIT_PATH variable to the correct value\n
" unless $git_version;
compile+doc/3: deal with older gits - detect/warn git version < 1.6.2 - create documentation with details on client-side workaround - change the "git init --bare" to (older) "git --bare init", since the old syntax still works anyway
2009-09-21 04:18:30 +02:00
my ($gv_maj, $gv_min, $gv_patchrel) = ($git_version =~ m/git version (\d+)\.(\d+)\.(\d+)/);
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
die "$ABRT I can't understand $git_version\n" unless ($gv_maj >= 1);
compile+doc/3: deal with older gits - detect/warn git version < 1.6.2 - create documentation with details on client-side workaround - change the "git init --bare" to (older) "git --bare init", since the old syntax still works anyway
2009-09-21 04:18:30 +02:00
$git_version = $gv_maj*10000 + $gv_min*100 + $gv_patchrel; # now it's "normalised"
(minor) move version check to the right place
2010-05-14 16:51:04 +02:00
die "\n\t\t***** AAARGH! *****\n" .
"\tyour git version is older than 1.6.2\n" .
"\tsince that is now more than one year old, and gitolite needs some of\n" .
"\tthe newer features, please upgrade.\n"
if $git_version < 10602; # that's 1.6.2 to you
compile: fix description and export-ok problem part of comment on b78a720ceeecf7db985dd8d013c08829ea8cfc81: The only reason it's getting into master is because it looks cool! I hate it when something that looks cool doesn't work right :( creating a repo on gitolite-admin push is *needed* in order to get descriptions and export-ok files to work right
2009-12-01 17:24:23 +01:00
# repo-base needs to be an absolute path for this loop to work right
# so if it was not already absolute, prefix $HOME.
my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );
(big-config) compile: create new repos even if GL_BIG_CONFIG is set ...by expanding the groups of course
2010-05-14 17:10:59 +02:00
{
wrap_chdir("$repo_base_abs");
# autocreate repos. Start with the ones that are normal repos in %repos
my @repos = grep { $_ =~ $REPONAME_PATT and not /^@/ } sort keys %repos;
# then, for each repogroup, find the members of the group and add them in
map { push @repos, keys %{ $groups{$_} } } grep { /^@/ } keys %repos;
# weed out duplicates (the code in the loop below is disk activity!)
my %seen = map { $_ => 1 } @repos;
@repos = sort keys %seen;
for my $repo (sort @repos) {
next unless $repo =~ $REPONAME_PATT;
next if $repo =~ m(^\@|EXTCMD/); # these are not real repos
unless (-d "$repo.git") {
print STDERR "creating $repo...\n";
new_repo($repo, "$GL_ADMINDIR/hooks/common");
# new_repo would have chdir'd us away; come back
wrap_chdir("$repo_base_abs");
}
compile: make it easier to move repos into gitolite when repos are copied over from elsewhere, one had to run easy install once again to make the new (OS-copied) repo contain the proper update hook. We eliminate this step now, using a new, empty, "hook" as a sentinel and having "compile" check/fix all repos' hooks. Since you have to add the repos to conf anyway, this makes it as seamless as possible. The correct sequence now is - (server) copy the repo at the OS level - (admin clone) add it to conf/gitolite.conf, commit, push
2010-03-07 14:35:56 +01:00
(big-config) compile: create new repos even if GL_BIG_CONFIG is set ...by expanding the groups of course
2010-05-14 17:10:59 +02:00
# when repos are copied over from elsewhere, one had to run easy install
# once again to make the new (OS-copied) repo contain the proper update
# hook. Perhaps we can make this easier now, and eliminate the easy
# install, with a quick check (and a new, empty, "hook" as a sentinel)
unless (-l "$repo.git/hooks/gitolite-hooked") {
ln_sf("$GL_ADMINDIR/hooks/common", "*", "$repo.git/hooks");
# in case of package install, GL_ADMINDIR is no longer the top cop;
# override with the package hooks
ln_sf("$GL_PACKAGE_HOOKS/common", "*", "$repo.git/hooks") if $GL_PACKAGE_HOOKS;
}
compile: make it easier to move repos into gitolite when repos are copied over from elsewhere, one had to run easy install once again to make the new (OS-copied) repo contain the proper update hook. We eliminate this step now, using a new, empty, "hook" as a sentinel and having "compile" check/fix all repos' hooks. Since you have to add the repos to conf anyway, this makes it as seamless as possible. The correct sequence now is - (server) copy the repo at the OS level - (admin clone) add it to conf/gitolite.conf, commit, push
2010-03-07 14:35:56 +01:00
}
compile: fix description and export-ok problem part of comment on b78a720ceeecf7db985dd8d013c08829ea8cfc81: The only reason it's getting into master is because it looks cool! I hate it when something that looks cool doesn't work right :( creating a repo on gitolite-admin push is *needed* in order to get descriptions and export-ok files to work right
2009-12-01 17:24:23 +01:00
}
Add support for repo configurations Git repository configurations can be set/unset by declaring "config" lines in "repo" stanzas in gitolite.conf. For example: repo gitolite config hooks.mailinglist = gitolite-commits@example.tld config hooks.emailprefix = "[gitolite] " config foo.bar = "" config foo.baz = The firs two set (override) the values. Double quotes must be used to preserve preceding spaces. Third one sets an empty value and the last removes all keys. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-07 21:20:29 +01:00
# ----------------------------------------------------------------------------
# update repo configurations
# ----------------------------------------------------------------------------
for my $repo (keys %repo_config) {
wrap_chdir("$repo_base_abs/$repo.git");
while ( my ($key, $value) = each(%{ $repo_config{$repo} }) ) {
if ($value) {
$value =~ s/^"(.*)"$/$1/;
system("git", "config", $key, $value);
} else {
system("git", "config", "--unset-all", $key);
}
}
}
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
# ----------------------------------------------------------------------------
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item
2009-09-25 08:47:33 +02:00
# handle gitweb and daemon
# ----------------------------------------------------------------------------
# How you specify gitweb and daemon access is quite different from gitosis. I
# just assume you'll never have any *real* users called "gitweb" or "daemon"
# :-) These are now "pseduo users" -- giving them "R" access to a repo is all
# you have to do
wrap_chdir("$repo_base_abs");
(big-config) update doc and rc, allow skipping gitweb/daemon skipping gitweb/daemon has an enormous impact on speed of an admin-push!
2010-05-16 02:48:08 +02:00
unless ($GL_NO_DAEMON_NO_GITWEB) {
# daemons first...
for my $repo (sort keys %repos) {
next unless $repo =~ $REPONAME_PATT;
next if $repo =~ m(^\@|EXTCMD/); # these are not real repos
my $export_ok = "$repo.git/git-daemon-export-ok";
if ($repos{$repo}{'R'}{'daemon'}) {
system("touch $export_ok");
} else {
unlink($export_ok);
}
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item
2009-09-25 08:47:33 +02:00
}
(big-config) update doc and rc, allow skipping gitweb/daemon skipping gitweb/daemon has an enormous impact on speed of an admin-push!
2010-05-16 02:48:08 +02:00
my %projlist = ();
# ...then gitwebs
for my $repo (sort keys %repos) {
next unless $repo =~ $REPONAME_PATT;
next if $repo =~ m(^\@|EXTCMD/); # these are not real repos
my $desc_file = "$repo.git/description";
# note: having a description also counts as enabling gitweb
if ($repos{$repo}{'R'}{'gitweb'} or $desc{"$repo.git"}) {
$projlist{"$repo.git"} = 1;
# add the description file; no messages to user or error checking :)
$desc{"$repo.git"} and open(DESC, ">", $desc_file) and print DESC $desc{"$repo.git"} . "\n" and close DESC;
if ($owner{"$repo.git"}) {
# set the repository owner
system("git", "--git-dir=$repo.git", "config", "gitweb.owner", $owner{"$repo.git"});
} else {
# remove the repository owner setting
system("git --git-dir=$repo.git config --unset-all gitweb.owner 2>/dev/null");
}
Tell gitweb about repo owner via git-config Gitolite uses projects.list to set the owners for gitweb's use. Unfortunately, this does not work for gitweb setups that set $projectroot to a directory, thus generating the list of repositories on the fly. This patch changes that: gitolite now writes the gitweb.owner configuration variable for each repository (and properly cleans up after itself if the owner is removed). The patch causes gitolite not to write the owner to projects.list anymore, as this would be redundant. The owner also needs no longer be escaped, so this patch removes the poor man's 's/ /+/g' escaping previously in place. Note that I am not a Perl coder. Thus there are probably better ways to implement this, but at least it works. Cc: Sitaram Chamarty <sitaramc@gmail.com> Signed-off-by: martin f. krafft <madduck@madduck.net>
2010-02-03 09:13:47 +01:00
} else {
(big-config) update doc and rc, allow skipping gitweb/daemon skipping gitweb/daemon has an enormous impact on speed of an admin-push!
2010-05-16 02:48:08 +02:00
# delete the description file; no messages to user or error checking :)
unlink $desc_file;
Tell gitweb about repo owner via git-config Gitolite uses projects.list to set the owners for gitweb's use. Unfortunately, this does not work for gitweb setups that set $projectroot to a directory, thus generating the list of repositories on the fly. This patch changes that: gitolite now writes the gitweb.owner configuration variable for each repository (and properly cleans up after itself if the owner is removed). The patch causes gitolite not to write the owner to projects.list anymore, as this would be redundant. The owner also needs no longer be escaped, so this patch removes the poor man's 's/ /+/g' escaping previously in place. Note that I am not a Perl coder. Thus there are probably better ways to implement this, but at least it works. Cc: Sitaram Chamarty <sitaramc@gmail.com> Signed-off-by: martin f. krafft <madduck@madduck.net>
2010-02-03 09:13:47 +01:00
# remove the repository owner setting
system("git --git-dir=$repo.git config --unset-all gitweb.owner 2>/dev/null");
}
(big-config) update doc and rc, allow skipping gitweb/daemon skipping gitweb/daemon has an enormous impact on speed of an admin-push!
2010-05-16 02:48:08 +02:00
# unless there are other gitweb.* keys set, remove the section to keep the
# config file clean
my $keys = `git --git-dir=$repo.git config --get-regexp '^gitweb\\.' 2>/dev/null`;
if (length($keys) == 0) {
system("git --git-dir=$repo.git config --remove-section gitweb 2>/dev/null");
}
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item
2009-09-25 08:47:33 +02:00
}
(big-config) update doc and rc, allow skipping gitweb/daemon skipping gitweb/daemon has an enormous impact on speed of an admin-push!
2010-05-16 02:48:08 +02:00
# update the project list
my $projlist_fh = wrap_open( ">", $PROJECTS_LIST);
for my $proj (sort keys %projlist) {
print $projlist_fh "$proj\n";
}
close $projlist_fh;
compile: add owner field in the same line as the gitweb descriptions this goes into the project list
2009-11-27 08:53:48 +01:00
}
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item
2009-09-25 08:47:33 +02:00
# ----------------------------------------------------------------------------
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
# "compile" ssh authorized_keys
# ----------------------------------------------------------------------------
compile: better message when authkeys absent for security reasons, we refuse to create ~/.ssh/authorized_keys if it doesn't exist. Explain this better and point to the documentation
2009-09-17 07:09:13 +02:00
my $authkeys_fh = wrap_open( "<", $ENV{HOME} . "/.ssh/authorized_keys",
"\tFor security reasons, gitolite will not *create* this file if it does\n" .
"\tnot already exist. Please see the \"admin\" document for details\n");
compile: wrap the open call as well, plus better messages from both wrappers
2009-08-31 04:28:08 +02:00
my $newkeys_fh = wrap_open( ">", $ENV{HOME} . "/.ssh/new_authkeys" );
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
# save existing authkeys minus the GL-added stuff
all: lexical file handles instead of bare
2009-08-25 06:27:19 +02:00
while (<$authkeys_fh>)
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
{
backward compat for marker lines in authkeys
2009-08-26 03:35:04 +02:00
print $newkeys_fh $_ unless (/^# gito(sis-)?lite start/../^# gito(sis-)?lite end/);
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
}
# add our "start" line, each key on its own line (prefixed by command and
# options, in the standard ssh authorized_keys format), then the "end" line.
project renamed to gitolite
2009-08-26 02:47:27 +02:00
print $newkeys_fh "# gitolite start\n";
compile: wrap the open call as well, plus better messages from both wrappers
2009-08-31 04:28:08 +02:00
wrap_chdir($GL_KEYDIR);
compile: recurse through keydir/ for pubkeys
2010-04-10 05:28:17 +02:00
for my $pubkey (`find . -type f`)
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
{
compile: recurse through keydir/ for pubkeys
2010-04-10 05:28:17 +02:00
chomp($pubkey); $pubkey =~ s(^\./)();
security: gitolite admin can get shell access by using screwy pubkey name example: keydir/sitaram@$(some-dangerous-command; echo hi).pub (still won't get the reward; that is only if a non-admin user gets privs!)
2010-04-09 13:18:46 +02:00
# security check (thanks to divVerent for catching this)
compile: recurse through keydir/ for pubkeys
2010-04-10 05:28:17 +02:00
unless ($pubkey =~ $REPONAME_PATT) {
security: gitolite admin can get shell access by using screwy pubkey name example: keydir/sitaram@$(some-dangerous-command; echo hi).pub (still won't get the reward; that is only if a non-admin user gets privs!)
2010-04-09 13:18:46 +02:00
print STDERR "$pubkey contains some unsavoury characters; ignored...\n";
next;
}
compile: pubkey related linting added - warn about files in keydir/ that dont end with ".pub" - warn about pubkey files for which the user is not mentioned in config - warn more sternly about the opposite (user in config, no pubkey!) update hook: add reponame to message on deny auth: minor typo
2009-09-27 04:32:36 +02:00
# lint check 1
unless ($pubkey =~ /\.pub$/)
{
print STDERR "WARNING: pubkey files should end with \".pub\", ignoring $pubkey\n";
next;
}
compile: recurse through keydir/ for pubkeys
2010-04-10 05:28:17 +02:00
my $user = $pubkey;
$user =~ s(.*/)(); # foo/bar/baz.pub -> baz.pub
$user =~ s/(\@[^.]+)?\.pub$//; # baz.pub, baz@home.pub -> baz
compile: pubkey related linting added - warn about files in keydir/ that dont end with ".pub" - warn about pubkey files for which the user is not mentioned in config - warn more sternly about the opposite (user in config, no pubkey!) update hook: add reponame to message on deny auth: minor typo
2009-09-27 04:32:36 +02:00
# lint check 2
print STDERR "WARNING: pubkey $pubkey exists but user $user not in config\n"
unless $user_list{$user};
$user_list{$user} = 'has pubkey';
compile: disallow multiple pubkeys in one file The way pubkey files are handled by gitolite, this could be used by a repo admin to get shell access. It's always been there as an undocumented emergency mechanism for an admin who lost his shell keys or overwrote them due to not understanding ssh well enough (and it has been so used at least once). But not any more... Like the @SHELL case, this reflects a shift away from treating people with repo admin rights as eqvt to people who have shell on the server, and systematically making the former lesser privileged than the latter. While in most cases (including my $DAYJOB) these two may be the same person, I am told that's not a valid assumption for others, and there've been requests to close this potential loophole.
2010-01-15 09:50:00 +01:00
# apparently some pubkeys don't end in a newline...
my $pubkey_content = `cat $pubkey`;
$pubkey_content =~ s/\s*$/\n/;
# don't trust files with multiple lines (i.e., something after a newline)
if ($pubkey_content =~ /\n./)
{
print STDERR "WARNING: a pubkey file can only have one line (key); ignoring $pubkey\n";
next;
}
(minor fixup)
2010-04-14 06:19:09 +02:00
print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";
compile: (gh issue 2) apparently pubkeys don't always end in a newline I've never encountered this but it's an easy fix
2009-10-23 05:25:03 +02:00
print $newkeys_fh $pubkey_content;
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
}
compile: pubkey related linting added - warn about files in keydir/ that dont end with ".pub" - warn about pubkey files for which the user is not mentioned in config - warn more sternly about the opposite (user in config, no pubkey!) update hook: add reponame to message on deny auth: minor typo
2009-09-27 04:32:36 +02:00
# lint check 3; a little more severe than the first two I guess...
{
tone down the "ZOMG users without pubkeys" hysteria :)
2010-05-16 09:43:25 +02:00
my @no_pubkey =
grep { $_ !~ /^(gitweb|daemon|\@.*|~\$creator|\$readers|\$writers)$/ }
grep { $user_list{$_} ne 'has pubkey' }
keys %user_list;
if (@no_pubkey > 10) {
print STDERR "$WARN You have " . scalar(@no_pubkey) . " users WITHOUT pubkeys...!\n";
} elsif (@no_pubkey) {
print STDERR "$WARN the following users have no pubkeys:\n", join(",", sort @no_pubkey), "\n";
}
compile: pubkey related linting added - warn about files in keydir/ that dont end with ".pub" - warn about pubkey files for which the user is not mentioned in config - warn more sternly about the opposite (user in config, no pubkey!) update hook: add reponame to message on deny auth: minor typo
2009-09-27 04:32:36 +02:00
}
project renamed to gitolite
2009-08-26 02:47:27 +02:00
print $newkeys_fh "# gitolite end\n";
compile: death should be a little louder and clearer :)
2009-11-03 15:54:53 +01:00
close $newkeys_fh or die "$ABRT close newkeys failed: $!\n";
compile: fail/error checks: - don't update authkeys if parse fails (done by moving that code so it runs *after* the parse) - check group/usernames for sanity
2009-08-24 10:00:58 +02:00
# all done; overwrite the file (use cat to avoid perm changes)
compile: chmod internal, and save "old" authkeys
2009-09-01 16:10:42 +02:00
system("cat $ENV{HOME}/.ssh/authorized_keys > $ENV{HOME}/.ssh/old_authkeys");
compile: die on authkeys write failure
2010-02-04 18:25:11 +01:00
system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys")
and die "couldn't write authkeys file\n";
compile: another solaris compat fix, to do with "~" system("...") run from perl on sol does not seem to like "~" (regardless of what $SHELL is set to), so use $ENV{HOME} instead thanks again to evocallaghan
2009-08-30 17:44:15 +02:00
system("rm $ENV{HOME}/.ssh/new_authkeys");
Reference in a new issue Copy permalink