deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
gitolite/hooks/common/update

116 lines
4.5 KiB
Plaintext
Raw Permalink Normal View History

use-warnings
2009-08-25 05:14:46 +02:00
#!/usr/bin/perl
add hook, the last piece
2009-08-23 18:10:03 +02:00
use strict;
use-warnings
2009-08-25 05:14:46 +02:00
use warnings;
add hook, the last piece
2009-08-23 18:10:03 +02:00
# === update ===
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# this is gitolite's update hook
add hook, the last piece
2009-08-23 18:10:03 +02:00
project renamed to gitolite
2009-08-26 02:47:27 +02:00
# part of the gitolite (GL) suite
add hook, the last piece
2009-08-23 18:10:03 +02:00
# how run: via git, being copied as .git/hooks/update in every repo
# when: every push
# input:
# - see man githooks for STDIN
# - uses the compiled config file to get permissions info
# output: based on permissions etc., exit 0 or 1
# security:
# - none
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
allow user to define filenames that our hooks chain to (although the defaults are still update.secondary and post-update.secondary if you don't do anything)
2010-04-13 14:56:34 +02:00
our ($GL_CONF_COMPILED, $UPDATE_CHAINS_TO);
add hook, the last piece
2009-08-23 18:10:03 +02:00
our %repos;
bypass update hook if GL_BYPASS_UPDATE_HOOK is available in ENV people with shell access should be allowed to bypass the update hook, to allow them to clone locally and push. You can now do this by setting an env var that the ssh "front door" will never set, like so: GL_BYPASS_UPDATE_HOOK=1 git push Note that this will NOT work for the gitolite-admin repo, because the post-update hook on that one requires a bit more. If you really want to do that, try: GL_ADMINDIR=~/.gitolite GL_BINDIR=~/.gitolite/src GL_BYPASS_UPDATE_HOOK=1 git push (assuming default values in ~/.gitolite.rc)
2010-04-09 18:19:54 +02:00
# people with shell access should be allowed to bypass the update hook, simply
# by setting an env var that the ssh "front door" will never set
exit 0 if exists $ENV{GL_BYPASS_UPDATE_HOOK};
the rc file can now be in one of 2 places... Packaging gitolite for debian requires the rc file to be in /etc/gitolite. But non-root installs must still be supported, and they need it in $HOME. This means the rc file is no longer in a fixed place, which needs code to find the rc file first. See comments inside new file 'gitolite.pm' for details. The rest of the changes are in the other programs, to replace the hard-coded rc filename with a call to this new code.
2009-10-25 03:59:52 +01:00
# we should already have the GL_RC env var set when we enter this hook
die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
add hook, the last piece
2009-08-23 18:10:03 +02:00
auth/update-hook/pm: make &log() a common function
2010-01-31 18:40:12 +01:00
require "$ENV{GL_BINDIR}/gitolite.pm";
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
my ($perm, $creator, $wild) = &repo_rights($ENV{GL_REPO});
my $reported_repo = $ENV{GL_REPO} . ( $ENV{GL_REPOPATT} ? " ($ENV{GL_REPOPATT})" : "" );
add hook, the last piece
2009-08-23 18:10:03 +02:00
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
update hook now allows chaining to "update.secondary" the changes to cp/scp are because without "-p" they dont carry perms across to existing files. So if you forgot to chmod +x your custom hook and ran easy install, then after that you have to go to the server side to fix the perms...
2010-03-14 17:37:34 +01:00
my @saved_ARGV = @ARGV; # for chaining to another update hook at the end
add hook, the last piece
2009-08-23 18:10:03 +02:00
my $ref = shift;
my $oldsha = shift;
my $newsha = shift;
my $merge_base = '0' x 40;
update hook: squelch message for branch deletion Ilari pointed out that in case of branch deletion the *new* SHA could be 0, which causes an ugly fatal: Not a valid commit name 0000000000000000000000000000000000000000 Since we consider deletion an extreme form of rewind, the end result does not change ($merge_base will be unequal to $oldsha anyway), but we do need to squelch the ugly message.
2009-08-25 03:08:05 +02:00
# compute a merge-base if both SHAs are non-0, else leave it as '0'x40
# (i.e., for branch create or delete, merge_base == '0'x40)
add hook, the last piece
2009-08-23 18:10:03 +02:00
chomp($merge_base = `git merge-base $oldsha $newsha`)
update hook: squelch message for branch deletion Ilari pointed out that in case of branch deletion the *new* SHA could be 0, which causes an ugly fatal: Not a valid commit name 0000000000000000000000000000000000000000 Since we consider deletion an extreme form of rewind, the end result does not change ($merge_base will be unequal to $oldsha anyway), but we do need to squelch the ugly message.
2009-08-25 03:08:05 +02:00
unless $oldsha eq '0' x 40
or $newsha eq '0' x 40;
add hook, the last piece
2009-08-23 18:10:03 +02:00
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
# att_acc == attempted access -- what are you trying to do? (is it 'W' or '+'?)
my $att_acc = 'W';
update hook: squelch message for branch deletion Ilari pointed out that in case of branch deletion the *new* SHA could be 0, which causes an ugly fatal: Not a valid commit name 0000000000000000000000000000000000000000 Since we consider deletion an extreme form of rewind, the end result does not change ($merge_base will be unequal to $oldsha anyway), but we do need to squelch the ugly message.
2009-08-25 03:08:05 +02:00
# rewriting a tag is considered a rewind, in terms of permissions
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
$att_acc = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
update hook: using non-std branches revealed an unnecessary check for refs/heads/; removed
2009-08-28 17:11:21 +02:00
# non-ff push to ref
# notice that ref delete looks like a rewind, as it should
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
$att_acc = '+' if $oldsha ne $merge_base;
add hook, the last piece
2009-08-23 18:10:03 +02:00
compile/update: new "D" permission normally, RW+ means permission to rewind or delete. Now, if you use "D" permission anywhere in a repo config, that means "delete" and RW+ then means only "rewind", no delete.
2010-03-30 16:31:49 +02:00
# were any 'D' perms specified? If they were, it means we have to separate
# deletes from rewinds, so if the new sha is all 0's, change the '+' to a 'D'
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
$att_acc = 'D' if ( $repos{$ENV{GL_REPO}}{DELETE_IS_D} or $repos{'@all'}{DELETE_IS_D} ) and $newsha eq '0' x 40;
compile/update: new "D" permission normally, RW+ means permission to rewind or delete. Now, if you use "D" permission anywhere in a repo config, that means "delete" and RW+ then means only "rewind", no delete.
2010-03-30 16:31:49 +02:00
first production use: @all, leading slash I had to make two minor fixes while migrating my work repos: 1. I forgot to honor '@all'; oops! While I was about it, I also fixed the "access denied" message to show what rights were being tried when it failed. 2. I forgot that URLs can have leading slashes (I myself only use URLs like gs:reponame.git, where gs is an ssh stanza that describes the git server in question).
2009-08-27 09:44:47 +02:00
my @allowed_refs;
@all for repos is now much cleaner; a true @all... - no need to put it at the end of the config file now, yeaaay! - @all for @all is meaningless and not supported. People asking will be told to get a life or use git-daemon. - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-23 17:50:34 +01:00
# @all repos: see comments in similar code in check_access
compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW Summary: DONT forget to run src/gl-compile-conf as the last step in the upgrade Details: The compiled file format has changed quite a bit, to make it easier for the rebel edition coming up :-) compile: - we don't split RW/RW+ into individual perms anymore - we store the info required for the first level check separately now: (repo, R/W, user) - the order for second level check is now: repo, user, [{ref=>perms}...] (list of hashes) update hook logic: the first refex that: - matches the incoming ref, AND - contains the perm you're trying to use, causes the match loop to exit with success. Fallthrough is failure
2009-09-18 14:30:14 +02:00
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
@all for repos is now much cleaner; a true @all... - no need to put it at the end of the config file now, yeaaay! - @all for @all is meaningless and not supported. People asking will be told to get a life or use git-daemon. - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-23 17:50:34 +01:00
push @allowed_refs, @ { $repos{'@all'} {$ENV{GL_USER}} || [] };
compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW Summary: DONT forget to run src/gl-compile-conf as the last step in the upgrade Details: The compiled file format has changed quite a bit, to make it easier for the rebel edition coming up :-) compile: - we don't split RW/RW+ into individual perms anymore - we store the info required for the first level check separately now: (repo, R/W, user) - the order for second level check is now: repo, user, [{ref=>perms}...] (list of hashes) update hook logic: the first refex that: - matches the incoming ref, AND - contains the perm you're trying to use, causes the match loop to exit with success. Fallthrough is failure
2009-09-18 14:30:14 +02:00
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
update hook: 'sub check_ref' to prepare for rebel+ factor out the code to check $ref into a sub; will help rebel+, which wants (horrors!) to restrict based on PATH names too!
2009-11-16 14:55:34 +01:00
update hook: allow multiple "refs" to be checked
2009-11-16 17:15:55 +01:00
# prepare the list of refs to be checked
# previously, we just checked $ref -- the ref being updated, which is passed
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
# to us by git (see man githooks). Now we also have to treat each NAME being
# updated as a potential "ref" and check that, if NAME-based restrictions have
update hook: allow multiple "refs" to be checked
2009-11-16 17:15:55 +01:00
# been specified
my @refs = ($ref); # the first ref to check is the real one
@all for repos is now much cleaner; a true @all... - no need to put it at the end of the config file now, yeaaay! - @all for @all is meaningless and not supported. People asking will be told to get a life or use git-daemon. - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-23 17:50:34 +01:00
# because making it work screws up efficiency like no tomorrow...
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
update hook: allow multiple "refs" to be checked
2009-11-16 17:15:55 +01:00
# this is special to git -- the hash of an empty tree
my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904';
# well they're not really "trees" but $empty is indeed the empty tree so
# we can just pretend $oldsha/$newsha are also trees, and anyway 'git
# diff' only wants trees
my $oldtree = $oldsha eq '0' x 40 ? $empty : $oldsha;
my $newtree = $newsha eq '0' x 40 ? $empty : $newsha;
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`;
update hook: allow multiple "refs" to be checked
2009-11-16 17:15:55 +01:00
}
# and in this version, we have many "refs" to check. The one we print in the
# log is the *first* one (which is a *real* ref, like refs/heads/master),
NAME-based restrictions Gitolite allows you to restrict changes by file/dir name. The syntax for this used "PATH/" as a prefix to denote such file/dir patterns. This has now been changed to "NAME/" because PATH is potentially confusing. While this is technically a backward-incompatible change, the feature itself was hitherto undocumented, and only a few people were using it, so I guess it's not that bad... Also added documentation now.
2010-01-07 13:29:34 +01:00
# while all the rest (if they exist) are like NAME/something. So we do the
update hook: allow multiple "refs" to be checked
2009-11-16 17:15:55 +01:00
# first one separately to capture it, then run the rest (if any)
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
my $log_refex = check_ref(\@allowed_refs, $ENV{GL_REPO}, (shift @refs), $att_acc);
&check_ref (\@allowed_refs, $ENV{GL_REPO}, $_ , $att_acc) for @refs;
update hook: 'sub check_ref' to prepare for rebel+ factor out the code to check $ref into a sub; will help rebel+, which wants (horrors!) to restrict based on PATH names too!
2009-11-16 14:55:34 +01:00
update hook: allow multiple "refs" to be checked
2009-11-16 17:15:55 +01:00
# if we returned at all, all the checks succeeded, so we log the action and exit 0
update hook: 'sub check_ref' to prepare for rebel+ factor out the code to check $ref into a sub; will help rebel+, which wants (horrors!) to restrict based on PATH names too!
2009-11-16 14:55:34 +01:00
(big-config) the new "big-config" for large setups If you have many thousands of repos and users, neatly organised into groups, etc., the normal gitolite fails. (It actually runs out of memory very fast while doing the "compile" when you push the config, due to the number of combinations of repo/user being stored in the hash!) This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in the rc file. Some notes: - deny rules will still work but somewhat differently -- now they must be placed all together in one place to work like before. Ask me for details if you need to know before I get done with the docs - I've tested most of the important features, but not every single nuance - the update hook may be a tad less efficient now; we can try and tweak it later if needed but it shouldn't really hurt anything significantly even now - docs have not been written yet
2010-05-10 08:16:47 +02:00
&log_it("$ENV{GL_TS} $att_acc\t" .
update hook: 'sub check_ref' to prepare for rebel+ factor out the code to check $ref into a sub; will help rebel+, which wants (horrors!) to restrict based on PATH names too!
2009-11-16 14:55:34 +01:00
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
Merge branch 'master' into wildrepos factor out log_it and check_ref; update hook now requires gitolite.pm Conflicts: src/hooks/update
2010-02-01 06:30:24 +01:00
"\t$reported_repo\t$ref\t$ENV{GL_USER}\t$log_refex\n");
update hook now allows chaining to "update.secondary" the changes to cp/scp are because without "-p" they dont carry perms across to existing files. So if you forgot to chmod +x your custom hook and ran easy install, then after that you have to go to the server side to fix the perms...
2010-03-14 17:37:34 +01:00
# now chain to the local admin defined update hook, if present
allow user to define filenames that our hooks chain to (although the defaults are still update.secondary and post-update.secondary if you don't do anything)
2010-04-13 14:56:34 +02:00
$UPDATE_CHAINS_TO ||= 'hooks/update.secondary';
exec $UPDATE_CHAINS_TO, @saved_ARGV
if -f $UPDATE_CHAINS_TO or -l $UPDATE_CHAINS_TO;
update hook now allows chaining to "update.secondary" the changes to cp/scp are because without "-p" they dont carry perms across to existing files. So if you forgot to chmod +x your custom hook and ran easy install, then after that you have to go to the server side to fix the perms...
2010-03-14 17:37:34 +01:00
update hook: 'sub check_ref' to prepare for rebel+ factor out the code to check $ref into a sub; will help rebel+, which wants (horrors!) to restrict based on PATH names too!
2009-11-16 14:55:34 +01:00
exit 0;
Reference in a new issue Copy permalink