gitolite/src/hooks/update

129 lines
4.8 KiB
Plaintext
Raw Normal View History

2009-08-25 05:14:46 +02:00
#!/usr/bin/perl
2009-08-23 18:10:03 +02:00
use strict;
2009-08-25 05:14:46 +02:00
use warnings;
2009-08-23 18:10:03 +02:00
# === update ===
2009-08-26 02:47:27 +02:00
# this is gitolite's update hook
2009-08-23 18:10:03 +02:00
2009-08-26 02:47:27 +02:00
# part of the gitolite (GL) suite
2009-08-23 18:10:03 +02:00
# how run: via git, being copied as .git/hooks/update in every repo
# when: every push
# input:
# - see man githooks for STDIN
# - uses the compiled config file to get permissions info
# output: based on permissions etc., exit 0 or 1
# security:
# - none
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
our ($GL_CONF_COMPILED, $PERSONAL);
2009-08-23 18:10:03 +02:00
our %repos;
# we should already have the GL_RC env var set when we enter this hook
die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
# then "do" the compiled config file, whose name we now know
die "parse $GL_CONF_COMPILED failed: " . ($! or $@) unless do $GL_CONF_COMPILED;
2009-08-23 18:10:03 +02:00
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
my $ref = shift;
my $oldsha = shift;
my $newsha = shift;
my $merge_base = '0' x 40;
# compute a merge-base if both SHAs are non-0, else leave it as '0'x40
# (i.e., for branch create or delete, merge_base == '0'x40)
2009-08-23 18:10:03 +02:00
chomp($merge_base = `git merge-base $oldsha $newsha`)
unless $oldsha eq '0' x 40
or $newsha eq '0' x 40;
2009-08-23 18:10:03 +02:00
# what are you trying to do? (is it 'W' or '+'?)
my $perm = 'W';
# rewriting a tag is considered a rewind, in terms of permissions
2009-08-23 18:10:03 +02:00
$perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
# non-ff push to ref
# notice that ref delete looks like a rewind, as it should
$perm = '+' if $oldsha ne $merge_base;
2009-08-23 18:10:03 +02:00
my @allowed_refs;
# personal stuff -- right at the start in the new regime, I guess!
push @allowed_refs, { "$PERSONAL/$ENV{GL_USER}/" => "RW+" } if $PERSONAL;
# we want specific perms to override @all, so they come first
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
# prepare the list of refs to be checked
# previously, we just checked $ref -- the ref being updated, which is passed
# to us by git (see man githooks). Now we also have to treat each NAME being
# updated as a potential "ref" and check that, if NAME-based restrictions have
# been specified
my @refs = ($ref); # the first ref to check is the real one
if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
# this is special to git -- the hash of an empty tree
my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904';
# well they're not really "trees" but $empty is indeed the empty tree so
# we can just pretend $oldsha/$newsha are also trees, and anyway 'git
# diff' only wants trees
my $oldtree = $oldsha eq '0' x 40 ? $empty : $oldsha;
my $newtree = $newsha eq '0' x 40 ? $empty : $newsha;
push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`;
}
my $refex = '';
# check one ref
sub check_ref {
# normally, the $ref will be whatever ref the commit is trying to update
# (like refs/heads/master or whatever). At least one of the refexes that
# pertain to this user must match this ref **and** the corresponding
# permission must also match the action (W or +) being attempted. If none
# of them match, the access is denied.
# Notice that the function DIES!!! Any future changes that require more
# work to be done *after* this, even on failure, can start using return
# codes etc., but for now we're happy to just die.
my $ref = shift;
for my $ar (@allowed_refs) {
$refex = (keys %$ar)[0];
# refex? sure -- a regex to match a ref against :)
next unless $ref =~ /^$refex/;
die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
# as far as *this* ref is concerned we're ok
return $refex if ($ar->{$refex} =~ /\Q$perm/);
2009-08-23 18:10:03 +02:00
}
die "$perm $ref $ENV{GL_REPO} $ENV{GL_USER} DENIED by fallthru\n";
2009-08-23 18:10:03 +02:00
}
# and in this version, we have many "refs" to check. The one we print in the
# log is the *first* one (which is a *real* ref, like refs/heads/master),
# while all the rest (if they exist) are like NAME/something. So we do the
# first one separately to capture it, then run the rest (if any)
my $log_refex = check_ref(shift @refs);
check_ref($_) for @refs;
# if we returned at all, all the checks succeeded, so we log the action and exit 0
# logging note: if log failure isn't important enough to block pushes, get rid
# of all the error checking
open my $log_fh, ">>", $ENV{GL_LOG} or die "open log failed: $!\n";
print $log_fh "$ENV{GL_TS} $perm\t" .
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
"\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$log_refex\n";
close $log_fh or die "close log failed: $!\n";
exit 0;