deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gitolite/src/gl-auth-command

206 lines
7.8 KiB
Plaintext
Raw Normal View History

use-warnings
2009-08-25 05:14:46 +02:00
#!/usr/bin/perl
auth: finally!
2009-08-23 14:54:37 +02:00
use strict;
use-warnings
2009-08-25 05:14:46 +02:00
use warnings;
auth: finally!
2009-08-23 14:54:37 +02:00
# === auth-command ===
# the command that GL users actually run
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# part of the gitolite (GL) suite
auth: finally!
2009-08-23 14:54:37 +02:00
# how run: via sshd, being listed in "command=" in ssh authkeys
# when: every login by a GL user
# input: $1 is GL username, plus $SSH_ORIGINAL_COMMAND
# output:
# security:
# - currently, we just make some basic checks, copied from gitosis
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
# these are set by the "rc" file
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade).
2010-02-05 11:30:47 +01:00
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS);
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
# and these are set by gitolite.pm
auth: reporting changes for wildcard-created repos - see *all* wildcard repos you have access to (this uses line-anchored regexes as described in doc/4). Examples: ssh git@server expand '.*' ssh git@server expand 'assignment.*' - show perms like the info command does Please see comments against 02cee1d for more details and caveats.
2010-01-29 10:09:03 +01:00
our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT);
auth: finally!
2009-08-23 14:54:37 +02:00
our %repos;
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
# the common setup module is in the same directory as this running program is
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
make $bindir absolute
2010-02-09 12:30:01 +01:00
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
require "$bindir/gitolite.pm";
# ask where the rc file is, get it, and "do" it
&where_is_rc();
die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
auth: finally!
2009-08-23 14:54:37 +02:00
auth/update-hook/pm: make &log() a common function
2010-01-31 18:40:12 +01:00
# we need to pass GL_ADMINDIR and the bindir to the child hooks
auth/install/pu-hook: pass ADMINDIR and BINDIR via ENV The admin repo's post-update hook needs to know where $GL_ADMINDIR is, and we had a weird way of doing that which depended on gl-install actually munging the hook code. We also always assumed the binaries are in GL_ADMINDIR/src. We now use an env var to pass both these values. This removes the weird dependency on gl-install that the post-update hook had, as well as make running other programs easier due to the new $GL_BINDIR env var.
2009-12-15 08:05:48 +01:00
$ENV{GL_ADMINDIR} = $GL_ADMINDIR;
$ENV{GL_BINDIR} = $bindir;
support git installed outside default $PATH (also some minor fixes to doc/3)
2009-10-13 06:32:45 +02:00
# add a custom path for git binaries, if specified
$ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;
auth: set umask when autoviv-ing repos Looks like I'd forgotten this when I did the autoviv code. Repos created via gl-compile (when you add a new repo to the config file and push) worked fine, but repos created via gl-auth (when you autoviv a repo, wild or not) did not. This *should* be merged into wildrepos soon after testing; wildrepos will have a lot more autoviv-ing than master.
2009-12-15 11:41:21 +01:00
# set the umask before creating any files
umask($REPO_UMASK);
(rrq) refactor all the rights querying This commit series refactors all the rights querying logic. - old repo_rights sub renamed to wild_repo_rights - new repo_rights sub to be a single entry point for most rights queries - callable from gl-auth-command and expand_wild - callable from *outside* too, as long as $ENV{GL_USER} is set - the format of the returned permissions contains C, R, and W as applicable, with sigils reflecting the 3 possible ways in which you can get R or W perms (2 ways for C): @R means @all users have the same access #R means you're a "super user" (think root's shell prompt) so you can see all repos R is the normal, explicit, access
2010-04-24 09:20:54 +02:00
my $repo_base_abs = $ENV{GL_REPO_BASE_ABS} = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
# if the first argument is a "-s", this user is allowed to get a shell using
# this key
my $shell_allowed = 0;
if ($ARGV[0] eq '-s') {
$shell_allowed = 1;
shift;
}
auth: finally!
2009-08-23 14:54:37 +02:00
# first, fix the biggest gripe I have with gitosis, a 1-line change
my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere!
oops; logging bug
2010-02-01 12:24:39 +01:00
# ----------------------------------------------------------------------------
# logging, timestamp env vars
# ----------------------------------------------------------------------------
# timestamp
my ($s, $min, $h, $d, $m, $y) = (localtime)[0..5];
$y += 1900; $m++; # usual adjustments
for ($s, $min, $h, $d, $m) {
$_ = "0$_" if $_ < 10;
}
$ENV{GL_TS} = "$y-$m-$d.$h:$min:$s";
# substitute template parameters and set the logfile name
$GL_LOGT =~ s/%y/$y/g;
$GL_LOGT =~ s/%m/$m/g;
$GL_LOGT =~ s/%d/$d/g;
$ENV{GL_LOG} = $GL_LOGT;
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# sanity checks on SSH_ORIGINAL_COMMAND
# ----------------------------------------------------------------------------
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
# no SSH_ORIGINAL_COMMAND given...
auth, doc/3: print useful information when no command given
2009-10-28 09:03:24 +01:00
unless ($ENV{SSH_ORIGINAL_COMMAND}) {
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
# if the user is allowed to use a shell, give him one
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
if ($shell_allowed) {
my $shell = $ENV{SHELL};
$shell =~ s/.*\//-/; # change "/bin/bash" to "-bash"
exec { $ENV{SHELL} } $shell;
}
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
# otherwise, pretend he typed in "info" and carry on...
$ENV{SSH_ORIGINAL_COMMAND} = 'info';
auth, doc/3: print useful information when no command given
2009-10-28 09:03:24 +01:00
}
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# ----------------------------------------------------------------------------
# get and set perms for actual repo created by wildcard-autoviv
# ----------------------------------------------------------------------------
auth: behave better when no argument supplied to wild commands expand gets a default '.*' argument others die with an error message
2010-02-18 14:50:46 +01:00
my $CUSTOM_COMMANDS=qr/^\s*(expand|(get|set)(perms|desc))\b/;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# note that all the subs called here chdir somewhere else and do not come
# back; they all blithely take advantage of the fact that processing custom
# commands is sort of a dead end for normal (git) processing
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade).
2010-02-05 11:30:47 +01:00
die "wildrepos disabled, sorry\n" unless $GL_WILDREPOS;
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
auth: expand etc. *may* have single-quotes around reponame
2010-03-01 16:02:54 +01:00
my ($verb, $repo) = ($cmd =~ /^\s*(\S+)(?:\s+'?\/?(.*?)(?:\.git)?'?)?$/);
auth: behave better when no argument supplied to wild commands expand gets a default '.*' argument others die with an error message
2010-02-18 14:50:46 +01:00
# deal with "no argument" cases
auth: do not anchor the pattern given for expand Currently the pattern of expand command is line anchored. This is different than in e.g. grep, and causes extra work to add '.*' prefix and/or suffix in many use cases. The new semantics now mean you might get more matches than you would have gotten earlier. However, the expand command is still totally undocumented, so I think it is acceptable to change the functionality. ;) This patch removes the anchoring. So for earlier behavior the specified pattern needs be in form of '^<pattern>$'. The default pattern is also changed from '.*' to '^', so there might be even a small speed improvement. =) Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-26 15:55:28 +01:00
$verb eq 'expand' ? $repo = '^' : die "$verb needs an argument\n" unless $repo;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
if ($repo =~ $REPONAME_PATT and $verb =~ /getperms|setperms/) {
# with an actual reponame, you can "getperms" or "setperms"
get_set_perms($repo_base_abs, $repo, $verb, $user);
}
Enable setting desription for wildrepos Allow users to set and display description (for gitweb) for their own wildcard repositories using ssh commands: setdesc <repo> getdesc <repo> Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-04 22:40:13 +01:00
elsif ($repo =~ $REPONAME_PATT and $verb =~ /(get|set)desc/) {
# with an actual reponame, you can "getdesc" or "setdesc"
get_set_desc($repo_base_abs, $repo, $verb, $user);
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
}
autoviv new repos by user only on "C" access we've removed the facility of auto-viving "W" access repos when they are not wildcards. A wildcard pattern like foo/CREATER was indistinguishable from a non-wildcard repo, and resolving it was becoming kludgier and kludgier. (See the revert in the commit before this one for details). As a side effect of not being able to distinguish wildcard repos from real repos easily, the expand command now works for a normal repo too (because we have to make it work for "foo/CREATER")
2009-12-21 13:19:21 +01:00
elsif ($verb eq 'expand') {
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# with a wildcard, you can "expand" it to see what repos actually match
auth: reporting changes for wildcard-created repos - see *all* wildcard repos you have access to (this uses line-anchored regexes as described in doc/4). Examples: ssh git@server expand '.*' ssh git@server expand 'assignment.*' - show perms like the info command does Please see comments against 02cee1d for more details and caveats.
2010-01-29 10:09:03 +01:00
die "$repo has invalid characters" unless "x$repo" =~ $REPOPATT_PATT;
make "expand" also print version, like "info" does (thanks to Ilari for catching this)
2010-04-16 15:49:50 +02:00
expand_wild($GL_ADMINDIR, $GL_CONF_COMPILED, $repo_base_abs, $repo, $user);
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
} else {
die "$cmd doesn't make sense to me\n";
}
Fix exit codes for allowed ssh commands gitolite specific ssh commands ("getperms", "setperms", "info" etc.) should exit with non-error code in case of success. Also "get/setperms" should print to STDOUT instead of STDERR. This change is specially needed for the gitolite-tools (http://github.com/tmatilai/gitolite-tools) to work. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-08 13:05:11 +01:00
exit 0;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
}
# ----------------------------------------------------------------------------
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# non-git commands
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# ----------------------------------------------------------------------------
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# if the command does NOT fit the pattern of a normal git command, send it off
# somewhere else...
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# side notes on detecting a normal git command: the pattern we check allows
# old style as well as new style ("git-subcommand arg" or "git subcommand
# arg"), just like gitosis does, although I'm not sure how necessary that is.
# Currently, this is how git sends across the command (including the single
# quotes):
# git-receive-pack 'reponame.git'
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# ok, it's not a normal git command; call the special command helper
$shell_allowed needs to be passed to specal_cmds brought on by realising that you lost $shell_allowed when refactoring (previous commit) but perl hadn't caught it because -- damn -- you didn't have "use strict" in gitolite.pm
2010-02-04 10:46:47 +01:00
&special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE);
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
exit;
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
}
auth: dont allow trailing slash in reponames... ...like "git clone host:foo/", even if it matches "repo foo/.*" NOTE: I expect a few more of these special cases to be found as time goes on and people find new ways to abuse the regex system, whether it is done intentionally or not. Anything not fixable by changing the config file will be fixed in the code asap. This one, for instance, seems fixable by using "foo/.+" instead of "foo/.*". But it actually isn't; the user can do "git clone host:foo//" and bypass that :( Still I suspect most situations will get an entry in the "then don't do that" file :) ---- patient: "doc, it hurts when I do this" doc: "then don't do that"
2009-12-11 17:07:33 +01:00
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
auth: don't allow literal ".." in reponames thanks to Teemu for catching this
2009-12-13 08:13:44 +01:00
die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./;
auth: finally!
2009-08-23 14:54:37 +02:00
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
# reponame
$ENV{GL_REPO}=$repo;
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# ----------------------------------------------------------------------------
# the real git commands (git-receive-pack, etc...)
# ----------------------------------------------------------------------------
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# first level permissions check
# ----------------------------------------------------------------------------
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
if ( -d "$repo_base_abs/$repo.git" ) {
# existing repo
(rrq) refactor all the rights querying This commit series refactors all the rights querying logic. - old repo_rights sub renamed to wild_repo_rights - new repo_rights sub to be a single entry point for most rights queries - callable from gl-auth-command and expand_wild - callable from *outside* too, as long as $ENV{GL_USER} is set - the format of the returned permissions contains C, R, and W as applicable, with sigils reflecting the 3 possible ways in which you can get R or W perms (2 ways for C): @R means @all users have the same access #R means you're a "super user" (think root's shell prompt) so you can see all repos R is the normal, explicit, access
2010-04-24 09:20:54 +02:00
my ($creater, $user_R, $user_W) = &wild_repo_rights($repo_base_abs, $repo, $user);
autoviv new repos by user only on "C" access we've removed the facility of auto-viving "W" access repos when they are not wildcards. A wildcard pattern like foo/CREATER was indistinguishable from a non-wildcard repo, and resolving it was becoming kludgier and kludgier. (See the revert in the commit before this one for details). As a side effect of not being able to distinguish wildcard repos from real repos easily, the expand command now works for a normal repo too (because we have to make it work for "foo/CREATER")
2009-12-21 13:19:21 +01:00
&parse_acl($GL_CONF_COMPILED, $repo, $creater, $user_R, $user_W);
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
} else {
auth: do not implicitly assign RW access for creaters a configuration like this: repo CREATER/.* C = CREATER RW+ = WRITERS was buggy; CREATER was implicitly part of WRITERS so he got RW permissions implicitly, so the push went through
2010-03-27 18:01:10 +01:00
&parse_acl($GL_CONF_COMPILED, $repo, $user, "NOBODY", "NOBODY");
autoviv new repos by user only on "C" access we've removed the facility of auto-viving "W" access repos when they are not wildcards. A wildcard pattern like foo/CREATER was indistinguishable from a non-wildcard repo, and resolving it was becoming kludgier and kludgier. (See the revert in the commit before this one for details). As a side effect of not being able to distinguish wildcard repos from real repos easily, the expand command now works for a normal repo too (because we have to make it work for "foo/CREATER")
2009-12-21 13:19:21 +01:00
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade).
2010-02-05 11:30:47 +01:00
# auto-vivify new repo if you have C access (and wildrepos is on)
if ( $GL_WILDREPOS and $repos{$repo}{C}{$user} || $repos{$repo}{C}{'@all'} ) {
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
wrap_chdir("$repo_base_abs");
move hooks out of src src/hooks is now hooks/common src/ga... is now hooks/gitolite-admin/post-update
2010-02-09 15:07:37 +01:00
new_repo($repo, "$GL_ADMINDIR/hooks/common", $user);
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
wrap_chdir($ENV{HOME});
auth, gitolite.pm: do not leak info about repo existence All this is about a user trying to look if a repo exists or not, when he does not have any access to that repo. Ideally, "repo does not exist" should be indistinguishable from "you dont have perms to that repo". (1) if $GL_WILDREPOS is not set, you either get a permissions error, or a "$repo not found in compiled config" death. Fixed. (2) if $GL_WILDREPOS is set, you either get either a permissions error, or a "$repo has no matches" death. Fixed. (3) The following combination leaks info about repo existence: - actual repo doesn't exist - spying user don't have C perms - repo patt doesn't contain CREATER - RW+ = CREATER is specified (as is normal) In such case, the "convenience copy" of the ACL that parse_acl makes, coupled with substituting CREATER for the invoking user means $repos{$actual_repo} has RW+ for the spying user. This means the access denied doesn't happen, and control passes to git, which promptly expresses it unhappiness and angst over being given a repo that 'does not appear to be a git repository' This doesn't happen if all those conditions are not met: - if repo exists, CREATER is set to the real creater, so RW+ = CREATER does not gain spying user anything - if spying user has C perms it just gets created, because he has rights. This is also info leak but we can't prevent it; tighten the config (maybe by including CREATER in repo pattern) if this is not wanted - if repo patt contains CREATER it will never match someone else's repo anyway!
2010-03-28 20:14:37 +02:00
} else {
# repo didn't exist, and you didn't have perms to create it. Delete
# the "convenience" copy of the ACL that parse_acl makes for us
delete $repos{$repo};
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
}
}
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
auth: tighten up 2 regexes; one minor code clarity fix
2009-08-25 05:51:07 +02:00
# we know the user and repo; we just need to know what perm he's trying
my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');
minor doc/message updates/clarifications
2009-11-22 05:51:22 +01:00
die "$perm access for $repo DENIED to $user\n"
first production use: @all, leading slash I had to make two minor fixes while migrating my work repos: 1. I forgot to honor '@all'; oops! While I was about it, I also fixed the "access denied" message to show what rights were being tried when it failed. 2. I forgot that URLs can have leading slashes (I myself only use URLs like gs:reponame.git, where gs is an ssh stanza that describes the git server in question).
2009-08-27 09:44:47 +02:00
unless $repos{$repo}{$perm}{$user}
@all for repos is now much cleaner; a true @all... - no need to put it at the end of the config file now, yeaaay! - @all for @all is meaningless and not supported. People asking will be told to get a life or use git-daemon. - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-23 17:50:34 +01:00
or $repos{'@all'}{$perm}{$user} # new: access to @all repos
first production use: @all, leading slash I had to make two minor fixes while migrating my work repos: 1. I forgot to honor '@all'; oops! While I was about it, I also fixed the "access denied" message to show what rights were being tried when it failed. 2. I forgot that URLs can have leading slashes (I myself only use URLs like gs:reponame.git, where gs is an ssh stanza that describes the git server in question).
2009-08-27 09:44:47 +02:00
or $repos{$repo}{$perm}{'@all'};
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
oops; logging bug
2010-02-01 12:24:39 +01:00
# over to git now
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
auth/update-hook/pm: make &log() a common function
2010-01-31 18:40:12 +01:00
&log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n");
auth: finally!
2009-08-23 14:54:37 +02:00
$repo = "'$REPO_BASE/$repo.git'";
exec("git", "shell", "-c", "$verb $repo");
Reference in a new issue Copy permalink