gitolite/contrib/adc/rsync

64 lines
2.2 KiB
Plaintext
Raw Normal View History

#!/usr/bin/perl
# 'rsync' helper ADC. See bottom of this file for more info
use strict;
use warnings;
BEGIN {
die "ENV GL_RC not set\n" unless $ENV{GL_RC};
die "ENV GL_BINDIR not set\n" unless $ENV{GL_BINDIR};
unshift @INC, $ENV{GL_BINDIR};
}
use gitolite_rc;
use gitolite;
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
# test the command patterns; reject if they don't fit. Rsync sends
# commands that looks like one of these to the server (the first one is
# for a read, the second for a write)
# rsync --server --sender -some.flags . some/path
# rsync --server -some.flags . some/path
die "bad rsync command: $cmd"
unless $cmd =~ /^rsync --server( --sender)? -[\w.]+(?: --(?:delete|partial))* \. (\S+)$/;
my $perm = "W";
$perm = "R" if $1;
my $path = $2;
die "I dont like some of the characters in $path\n" unless $path =~ $REPONAME_PATT;
# XXX make a better pattern for this if people complain ;-)
die "I dont like absolute paths in $cmd\n" if $path =~ /^\//;
die "I dont like '..' paths in $cmd\n" if $path =~ /\.\./;
# ok now check if we're permitted to execute a $perm action on $path
# (taken as a refex) using rsync.
check_access('EXTCMD/rsync', "NAME/$path", $perm);
# that should "die" if there's a problem
wrap_chdir($RSYNC_BASE);
log_it();
exec $ENV{SHELL}, "-c", $ENV{SSH_ORIGINAL_COMMAND};
__END__
This is an rsync helper ADC. It is an example of using gitolite's config
language, combined with the 'check_access()' function, to implement access
control for non-git software using a "fake" repo. For historical reasons,
fake repos start with "EXTCMD/". Gitolite does not auto-create fake repos, so
you can use those as namespaces to hold collections of rules for various
purposes.
So here's a fake git repository to collect rsync rules in one place. It grant
permissions to files/dirs within the $RSYNC_BASE tree. A leading NAME/ is
required as a prefix; the actual path starts after that. Matching follows the
same rules as given in "FILE/DIR NAME BASED RESTRICTIONS" elsewhere in the
gitolite documentation.
repo EXTCMD/rsync
RW NAME/ = sitaram
RW NAME/foo/ = user1
R NAME/bar/ = user2
RW NAME/baz/.*/.*\.c$ = user3