deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gitolite/src/gl-auth-command

230 lines
8.7 KiB
Plaintext
Raw Normal View History

use-warnings
2009-08-25 05:14:46 +02:00
#!/usr/bin/perl
auth: finally!
2009-08-23 14:54:37 +02:00
use strict;
use-warnings
2009-08-25 05:14:46 +02:00
use warnings;
auth: finally!
2009-08-23 14:54:37 +02:00
# === auth-command ===
# the command that GL users actually run
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# part of the gitolite (GL) suite
auth: finally!
2009-08-23 14:54:37 +02:00
# how run: via sshd, being listed in "command=" in ssh authkeys
# when: every login by a GL user
# input: $1 is GL username, plus $SSH_ORIGINAL_COMMAND
# output:
# security:
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
# these are set by the "rc" file
gitweb/daemon now work for wild repos also (thanks to Kevin Fleming for the need/use case) TODO: tests TODO: proper documentation; meanwhile, just read this: - you can give gitweb and daemon read rights to wild card repos also, and it'll all just work -- when a new repo is 'C'reated, it'll pick up those rights etc - you can assign descriptions (and owners) to individual repos as before, except now you can assign them to repos that actually were created from wild card patterns. So for example, you can define rules for repo foo/..* and then assign descriptions like foo/repo1 = "repo one" foo/repo2 = "repo two" foo/dil "scott" = "scott's dilbert repo" However, this only works for repos that already exist, and only when you push the admin repo. Thumb rule: have the user create his wild repo, *then* add and push the admin config file with the description. Not the other way around. implementation notes: - wildcard support for git config revamped, refactored... it's not just git config that needs wildcard support. daemon and gitweb access also will be needing it soon, so we start by factoring out the part that finds the "pattern" given a "real" repo name. - GL_NO_DAEMON_NO_GITWEB now gates more than just those two things; see doc/big-config.mkd for details - we trawl through $GL_REPO_BASE_ABS *once* only, collecting repo names and tying them to either the same name or to a wild pattern that the repo name was created from - nice little subs to setup gitweb, daemon, and git config - god bless $GL_REPOPATT and the day I decided to set that env var whenever a user hits a wild repo in any way :-) - the code in gl-compile-conf is very simple now. Much nicer than before
2010-07-16 19:31:34 +02:00
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DEFPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE);
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
# and these are set by gitolite.pm
auth: reporting changes for wildcard-created repos - see *all* wildcard repos you have access to (this uses line-anchored regexes as described in doc/4). Examples: ssh git@server expand '.*' ssh git@server expand 'assignment.*' - show perms like the info command does Please see comments against 02cee1d for more details and caveats.
2010-01-29 10:09:03 +01:00
our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT);
auth: finally!
2009-08-23 14:54:37 +02:00
our %repos;
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
our %groups;
git config settings in wild repos: part 2 call it after the new_repo in auth also
2010-06-26 01:51:57 +02:00
our %repo_config;
auth: finally!
2009-08-23 14:54:37 +02:00
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
# the common setup module is in the same directory as this running program is
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
make $bindir absolute
2010-02-09 12:30:01 +01:00
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
require "$bindir/gitolite.pm";
# ask where the rc file is, get it, and "do" it
&where_is_rc();
die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
auth: finally!
2009-08-23 14:54:37 +02:00
auth/update-hook/pm: make &log() a common function
2010-01-31 18:40:12 +01:00
# we need to pass GL_ADMINDIR and the bindir to the child hooks
auth/install/pu-hook: pass ADMINDIR and BINDIR via ENV The admin repo's post-update hook needs to know where $GL_ADMINDIR is, and we had a weird way of doing that which depended on gl-install actually munging the hook code. We also always assumed the binaries are in GL_ADMINDIR/src. We now use an env var to pass both these values. This removes the weird dependency on gl-install that the post-update hook had, as well as make running other programs easier due to the new $GL_BINDIR env var.
2009-12-15 08:05:48 +01:00
$ENV{GL_ADMINDIR} = $GL_ADMINDIR;
$ENV{GL_BINDIR} = $bindir;
support git installed outside default $PATH (also some minor fixes to doc/3)
2009-10-13 06:32:45 +02:00
# add a custom path for git binaries, if specified
$ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;
Add GL_WILDREPOS_DEFPERMS allows a default 'setperms' string to be set for new wildcard repositories. Also, fix a bug in the fork script where a failure in the git command would still cause the rest of the script to attempt to run.
2010-06-22 13:30:48 +02:00
# set default permission of wildcard repositories
$ENV{GL_WILDREPOS_DEFPERMS} = $GL_WILDREPOS_DEFPERMS if $GL_WILDREPOS_DEFPERMS;
auth: set umask when autoviv-ing repos Looks like I'd forgotten this when I did the autoviv code. Repos created via gl-compile (when you add a new repo to the config file and push) worked fine, but repos created via gl-auth (when you autoviv a repo, wild or not) did not. This *should* be merged into wildrepos soon after testing; wildrepos will have a lot more autoviv-ing than master.
2009-12-15 11:41:21 +01:00
# set the umask before creating any files
umask($REPO_UMASK);
(mini refactor) clean up the repo_base_abs stuff make it a sort of "super global" (an ENV var) all through, because *everyone* seems to need it *and* this variable is pretty much constant for the entire install
2010-06-29 07:25:36 +02:00
$ENV{GL_REPO_BASE_ABS} = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
# if the first argument is a "-s", this user is allowed to get a shell using
# this key
my $shell_allowed = 0;
move empty ARGV check down after "-s" check to make calling "gl-auth -s" (no username) work
2010-07-21 02:57:43 +02:00
if (@ARGV and $ARGV[0] eq '-s') {
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
$shell_allowed = 1;
shift;
}
move empty ARGV check down after "-s" check to make calling "gl-auth -s" (no username) work
2010-07-21 02:57:43 +02:00
# no (more) arguments given? default user is $USER (fedorahosted works like
# this, and it is harmless for others)
@ARGV = ($ENV{USER}) unless @ARGV;
auth: finally!
2009-08-23 14:54:37 +02:00
# first, fix the biggest gripe I have with gitosis, a 1-line change
my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere!
(big-config) allow usergroup information to be passed in from outside [Please NOTE: this is all about *user* groups, not *repo* groups] SUMMARY: gl-auth-commmand can now take an optional list of usergroup names after the first argument (which is the username). See doc/big-config.mkd in the next commit or so
2010-05-14 13:05:37 +02:00
# if there are any more arguments, they're a list of group names that the user
# is a member of
$ENV{GL_GROUP_LIST} = join(" ", @ARGV) if @ARGV;
oops; logging bug
2010-02-01 12:24:39 +01:00
# ----------------------------------------------------------------------------
# logging, timestamp env vars
# ----------------------------------------------------------------------------
# timestamp
my ($s, $min, $h, $d, $m, $y) = (localtime)[0..5];
$y += 1900; $m++; # usual adjustments
for ($s, $min, $h, $d, $m) {
$_ = "0$_" if $_ < 10;
}
$ENV{GL_TS} = "$y-$m-$d.$h:$min:$s";
# substitute template parameters and set the logfile name
$GL_LOGT =~ s/%y/$y/g;
$GL_LOGT =~ s/%m/$m/g;
$GL_LOGT =~ s/%d/$d/g;
$ENV{GL_LOG} = $GL_LOGT;
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# sanity checks on SSH_ORIGINAL_COMMAND
# ----------------------------------------------------------------------------
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
# no SSH_ORIGINAL_COMMAND given...
auth, doc/3: print useful information when no command given
2009-10-28 09:03:24 +01:00
unless ($ENV{SSH_ORIGINAL_COMMAND}) {
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
# if the user is allowed to use a shell, give him one
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
if ($shell_allowed) {
my $shell = $ENV{SHELL};
$shell =~ s/.*\//-/; # change "/bin/bash" to "-bash"
log message changes (warning: minor backward compat breakage) The log message format has changed. All log messages now have a common prefix (timestamp, user, IP). This is followed by $SSH_ORIGINAL_COMMAND (or, in one special case, the name of the user's login shell). Any further text appears after this (currently this only happens in the case of a successful push -- one for each ref pushed successfully)
2010-06-16 03:50:12 +02:00
&log_it($shell);
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
exec { $ENV{SHELL} } $shell;
}
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
# otherwise, pretend he typed in "info" and carry on...
$ENV{SSH_ORIGINAL_COMMAND} = 'info';
auth, doc/3: print useful information when no command given
2009-10-28 09:03:24 +01:00
}
mirroring support... conf/example.gitolite.rc - "slave mode" flag to disable pushes and "list of slaves" hooks/common/post-receive.mirrorpush - code to push to the mirror, creating the repo if needed src/mirror-shell - shell for master pushing to a slave, because we don't actually want to go through gitolite itself, yet we have to take care of $REPO_BASE being wherever. And of course we have to set GL_BYPASS_UPDATE_HOOK to 1 for the push to happen! src/gl-mirror-sync - manually runnable program to sync from current server to another
2010-08-10 10:12:52 +02:00
# ----------------------------------------------------------------------------
# slave mode should not do much
# ----------------------------------------------------------------------------
die "server is in slave mode; you can only fetch\n"
if ($GL_SLAVE_MODE and $ENV{SSH_ORIGINAL_COMMAND} !~ /^(info|expand|get|git-upload-)/);
(adc) admin-defined commands This commit series allows an admin to designate a set of commands that users can run. For example, he can allow users to delete a repo that they have created: ssh git@server rmrepo foo/me/bar or fork (to use github's terminology) a repo they have "R" access to, into a new one they have "C" access to: ssh git@server fork foo/someone-else/bar foo/me/bar Please see documentation for details ---- (this commit) - (rc) new variable $GL_ADC_PATH; without this none of this is enabled - (pm) new helper routine "cli_repo_rights" to get rights/ownership from outside - (auth) call $GL_ADC_PATH/$cmd if it exists
2010-04-24 14:46:13 +02:00
# ----------------------------------------------------------------------------
# admin defined commands
# ----------------------------------------------------------------------------
# please see doc/admin-defined-commands.mkd for details
if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND};
if (-x "$GL_ADC_PATH/$cmd") {
# yes this is rather strict, sorry.
do { die "I don't like $_\n" unless $_ =~ $REPOPATT_PATT } for ($cmd, @args);
log message changes (warning: minor backward compat breakage) The log message format has changed. All log messages now have a common prefix (timestamp, user, IP). This is followed by $SSH_ORIGINAL_COMMAND (or, in one special case, the name of the user's login shell). Any further text appears after this (currently this only happens in the case of a successful push -- one for each ref pushed successfully)
2010-06-16 03:50:12 +02:00
&log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");
(adc) admin-defined commands This commit series allows an admin to designate a set of commands that users can run. For example, he can allow users to delete a repo that they have created: ssh git@server rmrepo foo/me/bar or fork (to use github's terminology) a repo they have "R" access to, into a new one they have "C" access to: ssh git@server fork foo/someone-else/bar foo/me/bar Please see documentation for details ---- (this commit) - (rc) new variable $GL_ADC_PATH; without this none of this is enabled - (pm) new helper routine "cli_repo_rights" to get rights/ownership from outside - (auth) call $GL_ADC_PATH/$cmd if it exists
2010-04-24 14:46:13 +02:00
exec("$GL_ADC_PATH/$cmd", @args);
}
}
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# ----------------------------------------------------------------------------
# get and set perms for actual repo created by wildcard-autoviv
# ----------------------------------------------------------------------------
auth: behave better when no argument supplied to wild commands expand gets a default '.*' argument others die with an error message
2010-02-18 14:50:46 +01:00
my $CUSTOM_COMMANDS=qr/^\s*(expand|(get|set)(perms|desc))\b/;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# note that all the subs called here chdir somewhere else and do not come
# back; they all blithely take advantage of the fact that processing custom
# commands is sort of a dead end for normal (git) processing
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade).
2010-02-05 11:30:47 +01:00
die "wildrepos disabled, sorry\n" unless $GL_WILDREPOS;
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
auth: expand etc. *may* have single-quotes around reponame
2010-03-01 16:02:54 +01:00
my ($verb, $repo) = ($cmd =~ /^\s*(\S+)(?:\s+'?\/?(.*?)(?:\.git)?'?)?$/);
auth: behave better when no argument supplied to wild commands expand gets a default '.*' argument others die with an error message
2010-02-18 14:50:46 +01:00
# deal with "no argument" cases
auth: do not anchor the pattern given for expand Currently the pattern of expand command is line anchored. This is different than in e.g. grep, and causes extra work to add '.*' prefix and/or suffix in many use cases. The new semantics now mean you might get more matches than you would have gotten earlier. However, the expand command is still totally undocumented, so I think it is acceptable to change the functionality. ;) This patch removes the anchoring. So for earlier behavior the specified pattern needs be in form of '^<pattern>$'. The default pattern is also changed from '.*' to '^', so there might be even a small speed improvement. =) Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-26 15:55:28 +01:00
$verb eq 'expand' ? $repo = '^' : die "$verb needs an argument\n" unless $repo;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
if ($repo =~ $REPONAME_PATT and $verb =~ /getperms|setperms/) {
# with an actual reponame, you can "getperms" or "setperms"
(mini refactor) clean up the repo_base_abs stuff make it a sort of "super global" (an ENV var) all through, because *everyone* seems to need it *and* this variable is pretty much constant for the entire install
2010-06-29 07:25:36 +02:00
get_set_perms($repo, $verb, $user);
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
}
Enable setting desription for wildrepos Allow users to set and display description (for gitweb) for their own wildcard repositories using ssh commands: setdesc <repo> getdesc <repo> Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-04 22:40:13 +01:00
elsif ($repo =~ $REPONAME_PATT and $verb =~ /(get|set)desc/) {
# with an actual reponame, you can "getdesc" or "setdesc"
(mini refactor) clean up the repo_base_abs stuff make it a sort of "super global" (an ENV var) all through, because *everyone* seems to need it *and* this variable is pretty much constant for the entire install
2010-06-29 07:25:36 +02:00
get_set_desc($repo, $verb, $user);
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
}
autoviv new repos by user only on "C" access we've removed the facility of auto-viving "W" access repos when they are not wildcards. A wildcard pattern like foo/CREATER was indistinguishable from a non-wildcard repo, and resolving it was becoming kludgier and kludgier. (See the revert in the commit before this one for details). As a side effect of not being able to distinguish wildcard repos from real repos easily, the expand command now works for a normal repo too (because we have to make it work for "foo/CREATER")
2009-12-21 13:19:21 +01:00
elsif ($verb eq 'expand') {
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# with a wildcard, you can "expand" it to see what repos actually match
auth: reporting changes for wildcard-created repos - see *all* wildcard repos you have access to (this uses line-anchored regexes as described in doc/4). Examples: ssh git@server expand '.*' ssh git@server expand 'assignment.*' - show perms like the info command does Please see comments against 02cee1d for more details and caveats.
2010-01-29 10:09:03 +01:00
die "$repo has invalid characters" unless "x$repo" =~ $REPOPATT_PATT;
(mini refactor) clean up the repo_base_abs stuff make it a sort of "super global" (an ENV var) all through, because *everyone* seems to need it *and* this variable is pretty much constant for the entire install
2010-06-29 07:25:36 +02:00
expand_wild($GL_ADMINDIR, $GL_CONF_COMPILED, $repo, $user);
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
} else {
die "$cmd doesn't make sense to me\n";
}
Fix exit codes for allowed ssh commands gitolite specific ssh commands ("getperms", "setperms", "info" etc.) should exit with non-error code in case of success. Also "get/setperms" should print to STDOUT instead of STDERR. This change is specially needed for the gitolite-tools (http://github.com/tmatilai/gitolite-tools) to work. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-08 13:05:11 +01:00
exit 0;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
}
# ----------------------------------------------------------------------------
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# non-git commands
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# ----------------------------------------------------------------------------
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# if the command does NOT fit the pattern of a normal git command, send it off
# somewhere else...
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# side notes on detecting a normal git command: the pattern we check allows
# old style as well as new style ("git-subcommand arg" or "git subcommand
(minor)
2010-05-21 18:02:33 +02:00
# arg"). Currently, this is how git sends across the command (including the
# single quotes):
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# git-receive-pack 'reponame.git'
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
(adc) auth: git-init subcommand added The "fork" adc cannot simply do a "git clone..."; hooks and gl-creater won't get set up. We need a way to initiate the *creation* of a repo from a shell command, and then fetch the refs over. For a long time, we used to trick gitolite into creating a repo for us by simply using "git ls-remote host:reponame" ;-) Now we have an actual command, so we can say "ssh git@server git-init \'reponame\'" Yes; those single quotes are required. Deal with it.
2010-04-25 01:25:43 +02:00
unless ( $verb and ( $verb eq 'git-init' or $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# ok, it's not a normal git command; call the special command helper
tweaked and documented svnserve support
2010-05-09 17:04:55 +02:00
&special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE);
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
exit;
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
}
auth: dont allow trailing slash in reponames... ...like "git clone host:foo/", even if it matches "repo foo/.*" NOTE: I expect a few more of these special cases to be found as time goes on and people find new ways to abuse the regex system, whether it is done intentionally or not. Anything not fixable by changing the config file will be fixed in the code asap. This one, for instance, seems fixable by using "foo/.+" instead of "foo/.*". But it actually isn't; the user can do "git clone host:foo//" and bypass that :( Still I suspect most situations will get an entry in the "then don't do that" file :) ---- patient: "doc, it hurts when I do this" doc: "then don't do that"
2009-12-11 17:07:33 +01:00
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
auth: don't allow literal ".." in reponames thanks to Teemu for catching this
2009-12-13 08:13:44 +01:00
die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./;
auth: finally!
2009-08-23 14:54:37 +02:00
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
# reponame
$ENV{GL_REPO}=$repo;
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# ----------------------------------------------------------------------------
# the real git commands (git-receive-pack, etc...)
# ----------------------------------------------------------------------------
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# first level permissions check
# ----------------------------------------------------------------------------
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
my ($perm, $creator, $wild) = &repo_rights($repo);
(rrq) gl-auth-command uses new repo_rights sub
2010-04-24 09:44:16 +02:00
if ($perm =~ /C/) {
# it was missing, and you have create perms
(mini refactor) clean up the repo_base_abs stuff make it a sort of "super global" (an ENV var) all through, because *everyone* seems to need it *and* this variable is pretty much constant for the entire install
2010-06-29 07:25:36 +02:00
wrap_chdir("$ENV{GL_REPO_BASE_ABS}");
(rrq) gl-auth-command uses new repo_rights sub
2010-04-24 09:44:16 +02:00
new_repo($repo, "$GL_ADMINDIR/hooks/common", $user);
gitweb/daemon now work for wild repos also (thanks to Kevin Fleming for the need/use case) TODO: tests TODO: proper documentation; meanwhile, just read this: - you can give gitweb and daemon read rights to wild card repos also, and it'll all just work -- when a new repo is 'C'reated, it'll pick up those rights etc - you can assign descriptions (and owners) to individual repos as before, except now you can assign them to repos that actually were created from wild card patterns. So for example, you can define rules for repo foo/..* and then assign descriptions like foo/repo1 = "repo one" foo/repo2 = "repo two" foo/dil "scott" = "scott's dilbert repo" However, this only works for repos that already exist, and only when you push the admin repo. Thumb rule: have the user create his wild repo, *then* add and push the admin config file with the description. Not the other way around. implementation notes: - wildcard support for git config revamped, refactored... it's not just git config that needs wildcard support. daemon and gitweb access also will be needing it soon, so we start by factoring out the part that finds the "pattern" given a "real" repo name. - GL_NO_DAEMON_NO_GITWEB now gates more than just those two things; see doc/big-config.mkd for details - we trawl through $GL_REPO_BASE_ABS *once* only, collecting repo names and tying them to either the same name or to a wild pattern that the repo name was created from - nice little subs to setup gitweb, daemon, and git config - god bless $GL_REPOPATT and the day I decided to set that env var whenever a user hits a wild repo in any way :-) - the code in gl-compile-conf is very simple now. Much nicer than before
2010-07-16 19:31:34 +02:00
&setup_repo_configs($repo, $ENV{GL_REPOPATT}, \%repo_config);
&setup_daemon_access($repo, $repos{$ENV{GL_REPOPATT}}{'R'}{'daemon'} || '');
&setup_gitweb_access($repo, $repos{$ENV{GL_REPOPATT}}{'R'}{'gitweb'} || '', '', '');
system("echo $repo.git >> $PROJECTS_LIST");
(rrq) gl-auth-command uses new repo_rights sub
2010-04-24 09:44:16 +02:00
wrap_chdir($ENV{HOME});
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
}
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
auth: tighten up 2 regexes; one minor code clarity fix
2009-08-25 05:51:07 +02:00
# we know the user and repo; we just need to know what perm he's trying
(rrq) gl-auth-command uses new repo_rights sub
2010-04-24 09:44:16 +02:00
# aa == attempted access
my $aa = ($verb =~ $R_COMMANDS ? 'R' : 'W');
die "$aa access for $repo DENIED to $user\n" unless $perm =~ /$aa/;
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
oops; logging bug
2010-02-01 12:24:39 +01:00
# over to git now
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
log message changes (warning: minor backward compat breakage) The log message format has changed. All log messages now have a common prefix (timestamp, user, IP). This is followed by $SSH_ORIGINAL_COMMAND (or, in one special case, the name of the user's login shell). Any further text appears after this (currently this only happens in the case of a successful push -- one for each ref pushed successfully)
2010-06-16 03:50:12 +02:00
&log_it();
auth: finally!
2009-08-23 14:54:37 +02:00
$repo = "'$REPO_BASE/$repo.git'";
(adc) auth: git-init subcommand added The "fork" adc cannot simply do a "git clone..."; hooks and gl-creater won't get set up. We need a way to initiate the *creation* of a repo from a shell command, and then fetch the refs over. For a long time, we used to trick gitolite into creating a repo for us by simply using "git ls-remote host:reponame" ;-) Now we have an actual command, so we can say "ssh git@server git-init \'reponame\'" Yes; those single quotes are required. Deal with it.
2010-04-25 01:25:43 +02:00
exec("git", "shell", "-c", "$verb $repo") unless $verb eq 'git-init';
Reference in a new issue Copy permalink