deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gitolite/src/gl-auth-command

196 lines
8 KiB
Plaintext
Raw Normal View History

use-warnings
2009-08-25 05:14:46 +02:00
#!/usr/bin/perl
auth: finally!
2009-08-23 14:54:37 +02:00
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
# ----------------------------------------------------------------------------
# ssh mode
# - started by sshd
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# - one optional flag, "-s", for "shell allowed" people
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
# - one argument, the "user" name
# - one env var, SSH_ORIGINAL_COMMAND, containing the command
# - command typically: git-(receive|upload)-pack 'reponame(.git)?'
# - special gitolite commands: info, expand, (get|set)(perms|desc)
# - other commands: anything in $GL_ADC_PATH if defined (see rc file)
#
# (smart) http mode
# - started by apache (httpd)
# - no arguments
# - REQUEST_URI contains verb and repo, REMOTE_USER contains username
# - REQUEST_URI looks like /path/reponame.git/(info/refs\?service=)?git-(receive|upload)-pack
# - no special processing commands currently handled
# ----------------------------------------------------------------------------
auth: finally!
2009-08-23 14:54:37 +02:00
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
use strict;
use warnings;
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# find the rc file, then pull the libraries in
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# this (gl-auth-command) is one of the two valid starting points for all of
# gitolite for normal operations (the other being gl-time). All other
# programs are invoked either from this, or from something else (typically
# git-*-pack) in between). They thus get the benefit of the environment
# variables that this code sets up.
BEGIN {
# find and set bin dir
$0 =~ m|^(/)?(.*)/| and $ENV{GL_BINDIR} = ($1 || "$ENV{PWD}/") . $2;
}
Add GL_WILDREPOS_DEFPERMS allows a default 'setperms' string to be set for new wildcard repositories. Also, fix a bug in the fork script where a failure in the git command would still cause the rest of the script to attempt to run.
2010-06-22 13:30:48 +02:00
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# our libraries are either in the same place the scripts are, or, as with
# RPM/DEB install, in some 'system' location that is already in perl's @INC
# anyway
use lib $ENV{GL_BINDIR};
auth: set umask when autoviv-ing repos Looks like I'd forgotten this when I did the autoviv code. Repos created via gl-compile (when you add a new repo to the config file and push) worked fine, but repos created via gl-auth (when you autoviv a repo, wild or not) did not. This *should* be merged into wildrepos soon after testing; wildrepos will have a lot more autoviv-ing than master.
2009-12-15 11:41:21 +01:00
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
use gitolite_rc; # this does a "do" of the rc file
use gitolite_env;
use gitolite;
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# these two options are mutually exclusive. And this program is not supposed
# to be called manually anyway
my $shell_allowed = (@ARGV and $ARGV[0] eq '-s' and shift);
my $program = (@ARGV and $ARGV[0] eq '-e' and shift);
# setup the environment for the kids so they don't need to embark on the
# voyage of self-discovery above ;-) [environment also means things like
# nice, umask, etc., not just the environment *variables*]
setup_environment();
# if one of the other programs is being invoked (see doc/hacking.mkd), exec it
exec(@ARGV) if $program;
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
# ----------------------------------------------------------------------------
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# set up GL_USER and (if reqd) SSH_ORIGINAL_COMMAND and SSH_CONNECTION
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
# ----------------------------------------------------------------------------
move empty ARGV check down after "-s" check to make calling "gl-auth -s" (no username) work
2010-07-21 02:57:43 +02:00
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
my $user;
if ($ENV{REQUEST_URI}) {
(http) I'm sorry DAV, I can't let you do that...
2010-09-05 16:28:31 +02:00
die "fallback to DAV not supported\n" if $ENV{REQUEST_METHOD} eq 'PROPFIND';
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# fake out SSH_ORIGINAL_COMMAND and SSH_CONNECTION when called via http,
# so the rest of the code stays the same (except the exec at the end).
simulate_ssh_connection();
test smart http mode, update docs (including mob mode) - allow a mob username to be defined; all unauthenticated access will look to gitolite like this user (if you setup apache also properly) - update doc with more details (some repeat stuff from `man git-http-backend` but it's probably worth having everything in one place
2011-01-17 15:06:26 +01:00
$ENV{REMOTE_USER} ||= $GL_HTTP_ANON_USER; # see doc/http-backend.mkd
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
$user = $ENV{GL_USER} = $ENV{REMOTE_USER};
} else {
# no (more) arguments given in ssh mode? default user is $USER
# (fedorahosted works like this, and it is harmless for others)
@ARGV = ($ENV{USER}) unless @ARGV;
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
$user = $ENV{GL_USER} = shift;
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
}
auth: finally!
2009-08-23 14:54:37 +02:00
oops; logging bug
2010-02-01 12:24:39 +01:00
# ----------------------------------------------------------------------------
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# SSH_ORIGINAL_COMMAND
oops; logging bug
2010-02-01 12:24:39 +01:00
# ----------------------------------------------------------------------------
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# no SSH_ORIGINAL_COMMAND given: shell out or default to 'info'
auth, doc/3: print useful information when no command given
2009-10-28 09:03:24 +01:00
unless ($ENV{SSH_ORIGINAL_COMMAND}) {
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
shell_out() if $shell_allowed; # doesn't return ('exec's out)
auth: minor flow change when defaulting to "info"
2010-02-01 07:06:24 +01:00
$ENV{SSH_ORIGINAL_COMMAND} = 'info';
auth, doc/3: print useful information when no command given
2009-10-28 09:03:24 +01:00
}
don't allow newlines in ssh command (again, thanks to Dan Carpenter for catching this)
2011-10-01 09:32:23 +02:00
# quick sanity check for newlines; could be used to create fake log entries.
# Not an access violation but possibly an audit/compliance reporting violation
die "I don't like newlines in the command: $ENV{SSH_ORIGINAL_COMMAND}\n" if $ENV{SSH_ORIGINAL_COMMAND} =~ /[\n\r]/;
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# admin defined commands; please see doc/admin-defined-commands.mkd
(adc) admin-defined commands This commit series allows an admin to designate a set of commands that users can run. For example, he can allow users to delete a repo that they have created: ssh git@server rmrepo foo/me/bar or fork (to use github's terminology) a repo they have "R" access to, into a new one they have "C" access to: ssh git@server fork foo/someone-else/bar foo/me/bar Please see documentation for details ---- (this commit) - (rc) new variable $GL_ADC_PATH; without this none of this is enabled - (pm) new helper routine "cli_repo_rights" to get rights/ownership from outside - (auth) call $GL_ADC_PATH/$cmd if it exists
2010-04-24 14:46:13 +02:00
if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
try_adc(); # if it succeeds, this also 'exec's out
(adc) admin-defined commands This commit series allows an admin to designate a set of commands that users can run. For example, he can allow users to delete a repo that they have created: ssh git@server rmrepo foo/me/bar or fork (to use github's terminology) a repo they have "R" access to, into a new one they have "C" access to: ssh git@server fork foo/someone-else/bar foo/me/bar Please see documentation for details ---- (this commit) - (rc) new variable $GL_ADC_PATH; without this none of this is enabled - (pm) new helper routine "cli_repo_rights" to get rights/ownership from outside - (auth) call $GL_ADC_PATH/$cmd if it exists
2010-04-24 14:46:13 +02:00
}
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# get/set perms/desc for wild repos; also the 'expand' command
auth: behave better when no argument supplied to wild commands expand gets a default '.*' argument others die with an error message
2010-02-18 14:50:46 +01:00
my $CUSTOM_COMMANDS=qr/^\s*(expand|(get|set)(perms|desc))\b/;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
# note that all the subs called here chdir somewhere else and do not come
# back; they all blithely take advantage of the fact that processing custom
# commands is sort of a dead end for normal (git) processing
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
(IMPORTANT; read this in full) no more "wildrepos" The wildrepos branch has been merged into master, and deleted. It will no longer exist as a separate branch. Instead, a new variable called $GL_WILDREPOS has been added which acts as a switch; when off (which is the default), many wildrepos features are disabled. (the "C" permissions, and the getperms (etc.) commands mainly). Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in the RC file when you upgrade to this version (or just before you do the upgrade).
2010-02-05 11:30:47 +01:00
die "wildrepos disabled, sorry\n" unless $GL_WILDREPOS;
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
run_custom_command($user);
Fix exit codes for allowed ssh commands gitolite specific ssh commands ("getperms", "setperms", "info" etc.) should exit with non-error code in case of success. Also "get/setperms" should print to STDOUT instead of STDERR. This change is specially needed for the gitolite-tools (http://github.com/tmatilai/gitolite-tools) to work. Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-08 13:05:11 +01:00
exit 0;
wildrepos: implement getperms and setperms
2009-12-06 10:09:40 +01:00
}
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# non-git commands: if the command does NOT fit the pattern of a normal git
# command, send it off somewhere else...
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# side notes on detecting a normal git command: the pattern we check allows
# old style as well as new style ("git-subcommand arg" or "git subcommand
(minor)
2010-05-21 18:02:33 +02:00
# arg"). Currently, this is how git sends across the command (including the
# single quotes):
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# git-receive-pack 'reponame.git'
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
(adc) auth: git-init subcommand added The "fork" adc cannot simply do a "git clone..."; hooks and gl-creater won't get set up. We need a way to initiate the *creation* of a repo from a shell command, and then fetch the refs over. For a long time, we used to trick gitolite into creating a repo for us by simply using "git ls-remote host:reponame" ;-) Now we have an actual command, so we can say "ssh git@server git-init \'reponame\'" Yes; those single quotes are required. Deal with it.
2010-04-25 01:25:43 +02:00
unless ( $verb and ( $verb eq 'git-init' or $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
special_cmd ($shell_allowed);
exit 0;
auth: (WDITOT?) allow special users to get a shell ".../gl-auth-command username" is the normal command that authkeys forces, and this prevents that key from being used to get a shell. We now allow the user to get a shell if the forced command has a "-s" before the "username", like ".../gl-auth-command -s sitaram". (Now that a plain "ssh gitolite" gets you a shell, there's a new "info" command that such privileged keys can use to get basic access info). Thanks to Jesse Keating for the idea! I can't believe this never occurred to me before, but I guess I was so enamoured of my "innovation" in converting what used to be an error into some useful info I didn't think a bit more :/
2009-12-19 16:22:30 +01:00
}
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# some final sanity checks
auth: dont allow trailing slash in reponames... ...like "git clone host:foo/", even if it matches "repo foo/.*" NOTE: I expect a few more of these special cases to be found as time goes on and people find new ways to abuse the regex system, whether it is done intentionally or not. Anything not fixable by changing the config file will be fixed in the code asap. This one, for instance, seems fixable by using "foo/.+" instead of "foo/.*". But it actually isn't; the user can do "git clone host:foo//" and bypass that :( Still I suspect most situations will get an entry in the "then don't do that" file :) ---- patient: "doc, it hurts when I do this" doc: "then don't do that"
2009-12-11 17:07:33 +01:00
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
auth: don't allow literal ".." in reponames thanks to Teemu for catching this
2009-12-13 08:13:44 +01:00
die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./;
auth: finally!
2009-08-23 14:54:37 +02:00
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# save the reponame; too many things need this
Merge branch 'master' into wildrepos lots of conflicts, esp in gl-auth-command, due to refactoring the "special commands" stuff on master Conflicts: doc/3-faq-tips-etc.mkd src/gitolite.pm src/gl-auth-command src/gl-compile-conf
2010-02-04 10:12:10 +01:00
$ENV{GL_REPO}=$repo;
auth: finally!
2009-08-23 14:54:37 +02:00
auth: new subcommand "htpasswd" great idea by Robin Smidsrød: since users are already capable of authenticating themselves to gitolite via ssh keys, use that to let them set or change their own HTTP passwords (ie, run the "htpasswd" command with the correct parameters on behalf of the "git" user on the server) code, rc para, and documentation. In fact everything except... ahem... testing ;-) and while we're about it, we also reorganised the way these helper commands (including the venerable "info" are called)
2010-02-01 11:07:35 +01:00
# ----------------------------------------------------------------------------
# the real git commands (git-receive-pack, etc...)
# ----------------------------------------------------------------------------
(new mirroring) bulk of the changes are here: - post-receive now just calls mirror-push - mirror-push is a medium complex shell script (all that backgrounding etc., can't be done so easily in God's first language!) - mirror-shell is now a perl program that does a few different things (receive mirror-pushes, command line re-sync, re-sync requests from a slave, etc) - auth-command changes to reject/redirect non-native pushes
2011-08-12 18:38:28 +02:00
# we know the user and repo; we just need to know what perm he's trying for
# (aa == attempted access; setting this makes some later logic simpler)
my $aa = ($verb =~ $R_COMMANDS ? 'R' : 'W');
# writes may get redirected under certain conditions
(mirroring) reject non-local pushes if GL_HOSTNAME not set We previously said all mirroring features are disabled if GL_HOSTNAME is not set. But what if, after mirroring has been setup, and master/slaves defined for a repo, a slave admin fat-fingers the RC file and accidentally comments out GL_HOSTNAME? We might end up violating RULE NUMBER ONE!
2011-08-13 10:09:07 +02:00
if ( $aa eq 'W' and mirror_mode($repo) =~ /^slave of (\S+)/ ) {
(new mirroring) bulk of the changes are here: - post-receive now just calls mirror-push - mirror-push is a medium complex shell script (all that backgrounding etc., can't be done so easily in God's first language!) - mirror-shell is now a perl program that does a few different things (receive mirror-pushes, command line re-sync, re-sync requests from a slave, etc) - auth-command changes to reject/redirect non-native pushes
2011-08-12 18:38:28 +02:00
my $master = $1;
(mirroring) reject non-local pushes if GL_HOSTNAME not set We previously said all mirroring features are disabled if GL_HOSTNAME is not set. But what if, after mirroring has been setup, and master/slaves defined for a repo, a slave admin fat-fingers the RC file and accidentally comments out GL_HOSTNAME? We might end up violating RULE NUMBER ONE!
2011-08-13 10:09:07 +02:00
die "$ABRT GL_HOSTNAME not set; rejecting push to non-local repo\n" unless $GL_HOSTNAME;
(new mirroring) bulk of the changes are here: - post-receive now just calls mirror-push - mirror-push is a medium complex shell script (all that backgrounding etc., can't be done so easily in God's first language!) - mirror-shell is now a perl program that does a few different things (receive mirror-pushes, command line re-sync, re-sync requests from a slave, etc) - auth-command changes to reject/redirect non-native pushes
2011-08-12 18:38:28 +02:00
die "$ABRT $GL_HOSTNAME not the master, please push to $master\n" unless mirror_redirectOK($repo, $GL_HOSTNAME);
print STDERR "$GL_HOSTNAME ==== $user ($repo) ===> $master\n";
exec("ssh", $master, "USER=$user", "SOC=$ENV{SSH_ORIGINAL_COMMAND}");
}
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# first level permissions check
auth: finally!
2009-08-23 14:54:37 +02:00
new rc var: GL_ALL_READ_ALL
2011-01-01 15:18:18 +01:00
my ($perm, $creator, $wild);
make REPO_BASE absolute early $ENV{GL_REPO_BASE_ABS} is meant to point to the same directory as $REPO_BASE, except it is meant to be passed to hooks, ADCs and other child programs. And since you can't be sure where the child program starts in, this became an absolute path. Gradually, however, I started using it wherever I needed an absolute path (mostly in code that jumps around various directories to do stuff). Which is silly, because there's no reason $REPO_BASE cannot also be made an absolute, even if the rc file has a relative path. So that's what I did now: made $REPO_BASE absolute very early on, and then systematically changed all uses of the longer form to the shorter form when appropriate. And so the only thing we now use the longer one for is to pass to child programs. (Implementation note: The actual change is not very big, but while I was about it I decided to make the test suite able to test with an absolute REPO_BASE also, which is why the commit seems so large.) ---- This all started with a complaint from Damien Regad. He had an extremely odd setup where his bashrc changed PWD to something other than $HOME before anything else ran. This caused those two variables to beceom inconsistent, and he had a 1-line fix he wanted me to apply. I generally don't like making special fixes for for non-standard setups, and anyway all he had to do was set the full path to REPO_BASE in the rc file to get around this. Which is what I told him and he very politely left it at that. However, this did get me thinking, and I soon realised I was needlessly conflating "relative versus absolute" with "able to be passed to child programs". Fixing that solved his problem also, as a side-effect. So I guess this is all thanks to Damien!
2011-03-18 06:29:52 +01:00
if ( $GL_ALL_READ_ALL and $verb =~ $R_COMMANDS and -d "$REPO_BASE/$repo.git") {
new rc var: GL_ALL_READ_ALL
2011-01-01 15:18:18 +01:00
$perm = 'R';
} else {
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
($perm, $creator, $wild) = repo_rights($repo);
wildrepos: teach auth and update hook about wildcard repos - new_repo now takes a "creater" parameter; if given, this user is recorded (in a file called "gl-creater") as the creater of the repo. Only applicable to wildcards - repo_rights reads "gl-creater" and "gl-perms" to tell you who created it, and whether you (the $user) are in the list of READERS or WRITERS **NOTE** that the mechanism to create/update gl-perms has not been written yet... (as of this commit) - parse_acl takes 4 more arguments, all optional. The repo name we're interested in (set by all except the access reporting function), and the names to be interpolated as $creater, $readers, writers - report_basic now knows about the "C" permission and shows it - auth now autovivifies a repo if the user has "C" and it's a wildcard match, or (the old case) the user has "W" and it's not a wildcard. In the former case, the creater is also set IMPLEMENTATION NOTES: - the Dumper code now uses a custom hash key sort to make sure $creater etc land up at the *end* - a wee bit of duplication exists in the update hook; it borrows a little code from parse_acl. I dont (yet) want to include all of gitolite.pm for that little piece...
2009-12-05 18:09:56 +01:00
}
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
# it was missing, and you have create perms, so create it
new_wild_repo($repo, $user) if ($perm =~ /C/);
auth, compile, pm: good bit of refactoring all of this is prep for the upcoming, all-new, chrome-plated, "wildrepos" branch :) - many variables go to gitolite.pm now, and are "our"d into the other files as needed - new functions parse_acl, report_basic to replace inlined code
2009-12-04 05:21:22 +01:00
info leak prevention can be a little more friendly and acquire some German formality while you're about it ;-)
2010-10-08 01:38:13 +02:00
die "$aa access for $repo DENIED to $user
(Or there may be no repository at the given path. Did you spell it correctly?)\n" unless $perm =~ /$aa/;
auth: finally!
2009-08-23 14:54:37 +02:00
gitolite-down: disable write-access to take backups (we quietly do not document the 'able' adc, which is now the most "official" adc in the sense that it has a new test, t64-write-able!) other notes: fix bug in 'able' (not setting $loc)
2010-11-16 15:39:45 +01:00
# check if repo is write-enabled
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
check_repo_write_enabled($repo) if $aa eq 'W';
gitolite-down: disable write-access to take backups (we quietly do not document the 'able' adc, which is now the most "official" adc in the sense that it has a new test, t64-write-able!) other notes: fix bug in 'able' (not setting $loc)
2010-11-16 15:39:45 +01:00
gl-auth now checks for and run a hook called 'gl-pre-git' see sample code for motivation; other uses at your discretion
2011-03-04 02:14:06 +01:00
# run the pre-git hook if present (do this last, just before actually handing
# off to git). Force its output to go to STDERR so the git client does not
# get confused, in case the code in the pre-git hook forgot. To make it
# simple for the script, send in $aa (which will be 'R' or 'W') so now they
# have all three: GL_USER and GL_REPO in the env, and $aa as arg-1.
make REPO_BASE absolute early $ENV{GL_REPO_BASE_ABS} is meant to point to the same directory as $REPO_BASE, except it is meant to be passed to hooks, ADCs and other child programs. And since you can't be sure where the child program starts in, this became an absolute path. Gradually, however, I started using it wherever I needed an absolute path (mostly in code that jumps around various directories to do stuff). Which is silly, because there's no reason $REPO_BASE cannot also be made an absolute, even if the rc file has a relative path. So that's what I did now: made $REPO_BASE absolute very early on, and then systematically changed all uses of the longer form to the shorter form when appropriate. And so the only thing we now use the longer one for is to pass to child programs. (Implementation note: The actual change is not very big, but while I was about it I decided to make the test suite able to test with an absolute REPO_BASE also, which is why the commit seems so large.) ---- This all started with a complaint from Damien Regad. He had an extremely odd setup where his bashrc changed PWD to something other than $HOME before anything else ran. This caused those two variables to beceom inconsistent, and he had a 1-line fix he wanted me to apply. I generally don't like making special fixes for for non-standard setups, and anyway all he had to do was set the full path to REPO_BASE in the rc file to get around this. Which is what I told him and he very politely left it at that. However, this did get me thinking, and I soon realised I was needlessly conflating "relative versus absolute" with "able to be passed to child programs". Fixing that solved his problem also, as a side-effect. So I guess this is all thanks to Damien!
2011-03-18 06:29:52 +01:00
if (-x "$REPO_BASE/$repo.git/hooks/gl-pre-git") {
system("cd $REPO_BASE/$repo.git; hooks/gl-pre-git $aa >&2");
gl-auth now checks for and run a hook called 'gl-pre-git' see sample code for motivation; other uses at your discretion
2011-03-04 02:14:06 +01:00
die "gl-pre-git hook failed ($?)\n" if $?;
}
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
oops; logging bug
2010-02-01 12:24:39 +01:00
# over to git now
auth: finally!
2009-08-23 14:54:37 +02:00
# ----------------------------------------------------------------------------
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
if ($ENV{REQUEST_URI}) {
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
log_it($ENV{REQUEST_URI});
(http) auth: handle REQUEST_URI and friends TODO: if the verb doesn't actually contain "git-receive-pack", I am assuming it is some sort of read. The list in services[] in http-backend.c does not seem to look like any other verb is a "write"; need to check this with someone. For normal git commands: - PATH_INFO gives you the repo name - REQUEST_URI gives you the verb - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the processing does not have to change For our special commands: - PATH_INFO is actually the verb - QUERY_STRING has the parameters - we again fake out the SSH_ORIGINAL_COMMAND - we print the extra HTTP headers in anticipation of the actual output Either way, we also fake out the SSH_CONNECTION so that the IP address can get logged ok And of course REMOTE_USER is now the incoming userid Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 15:13:21 +02:00
exec $ENV{GIT_HTTP_BACKEND};
# the GIT_HTTP_BACKEND env var should be set either by the rc file, or as
# a SetEnv in the apache config somewhere
}
gitolite v2.0rc1 -- please see new developer-notes doc
2011-01-15 16:39:56 +01:00
log_it();
auth: finally!
2009-08-23 14:54:37 +02:00
$repo = "'$REPO_BASE/$repo.git'";
(adc) auth: git-init subcommand added The "fork" adc cannot simply do a "git clone..."; hooks and gl-creater won't get set up. We need a way to initiate the *creation* of a repo from a shell command, and then fetch the refs over. For a long time, we used to trick gitolite into creating a repo for us by simply using "git ls-remote host:reponame" ;-) Now we have an actual command, so we can say "ssh git@server git-init \'reponame\'" Yes; those single quotes are required. Deal with it.
2010-04-25 01:25:43 +02:00
exec("git", "shell", "-c", "$verb $repo") unless $verb eq 'git-init';
Reference in a new issue Copy permalink