wildrepos: expanded access reporting

This feature has *no* warranty, and so no documentation.  Not more than
this transcript anyway.

config file:

    @prof = u1
    @TAs = u2 u3
    @students = u4 u5 u6

    repo    assignments/CREATER/a[0-9][0-9]
        C   =   @students
        RW+ =   CREATER
        RW  =   WRITERS @TAs
        R   =   READERS @prof

session:

as user "u4":
    # check your permissions
    $ ssh git@server
    PTY allocation request failed on channel 0
    hello u4, the gitolite version here is v0.95-31-gbcb14ca
    you have the following permissions:
     C      assignments/CREATER/a[0-9][0-9]
       @ @  testing
    Connection to localhost closed.

    # autovivify repos for assignment 12 and 24
    $ git clone git@server:assignments/u4/a12 a12
    Initialized empty Git repository in /home/sitaram/t/a12/.git/
    Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a12.git/
    warning: You appear to have cloned an empty repository.
    $ git clone git@server:assignments/u4/a24 a24
    Initialized empty Git repository in /home/sitaram/t/a24/.git/
    Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a24.git/
    warning: You appear to have cloned an empty repository.

    # check what repos you autovivified
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12
    (u4)    assignments/u4/a24

as user "u5":
    # check your basic permissions
    $ ssh git@server
    PTY allocation request failed on channel 0
    hello u5, the gitolite version here is v0.95-31-gbcb14ca
    you have the following permissions:
     C      assignments/CREATER/a[0-9][0-9]
       @ @  testing
    Connection to localhost closed.

    # see if you have access to any of u4's repos
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    # (no output produced)

as user "u4":
    # allow "u5" read access to assignment 12
    # note you type in "R u5", hit enter, then hit Ctrl-D.  Gitolite
    # then produces a confirmation message starting "New perms are:"
    $ ssh git@server setperms assignments/u4/a12
    R u5
    New perms are:
    R u5

as user "u5":
    # again see if you have access to any u4 repos
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12

as user "u4":
    # check what permissions you gave to assignment 12
    $ ssh git@server getperms assignments/u4/a12
    R u5

    # add RW access to "u6" to assignment 12
    # again, type 'em in, then hit Ctrl-D; and note each time you run
    # this you're starting from scratch -- you can't "add to" the
    # permissions.  Deal with it...
    $ ssh git@server setperms assignments/u4/a12
    R u5
    RW u6
    New perms are:
    R u5
    RW u6

as user "u6":
    # check what u4 stuff you have access to
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12
Sitaram Chamarty 2009-12-06 15:26:53 +05:30
parent f620044156
commit 02cee1d5cf
3 changed files with 42 additions and 17 deletions


@ -134,23 +134,23 @@ cumbersome for non-secret environments.
Create a small text file that contains the permissions you desire: Create a small text file that contains the permissions you desire:
$ cat > myperms $ cat > myperms
R user1 user3 R u5
RW user2 RW u6
(hit ctrl-d here) (hit ctrl-d here)
...and use the new "getperms" command to set permissions for your repo: ...and use the new "getperms" command to set permissions for your repo:
$ ssh git@server setperms XXX/XXX/XXX < myperms $ ssh git@server setperms assignments/u4/a12 < myperms
New perms are: New perms are:
R user1 user3 R u5
RW user2 RW u6
'setperms' will helpfully print what the new permissions are but you can also 'setperms' will helpfully print what the new permissions are but you can also
use 'getperms' to check: use 'getperms' to check:
$ ssh git@server getperms XXX/XXX/XXX $ ssh git@server getperms assignments/u4/a12
R user1 user3 R u5
RW user2 RW u6
The following points are important: The following points are important:
@ -172,11 +172,6 @@ This still works, except the format is a little more compressed to accommodate
a new column (at the start) for "C" permissions, which indicate that you are a new column (at the start) for "C" permissions, which indicate that you are
allowed to *create* repos matching that pattern. allowed to *create* repos matching that pattern.
In addition, there's a second level of reporting now, which is used to find
what *actual* repos are available when you supply a pattern.
XXX to be done XXX
### Other issues and discussion ### Other issues and discussion
* *what if the repo name being pushed matches more than one pattern*? * *what if the repo name being pushed matches more than one pattern*?


@ -156,8 +156,8 @@ sub parse_acl
# void $r if same as $w (otherwise "readers" overrides "writers"; this is # void $r if same as $w (otherwise "readers" overrides "writers"; this is
# the same problem that needed a sort sub for the Dumper in the compile # the same problem that needed a sort sub for the Dumper in the compile
# script, but localised to just $readers and $writers) # script, but in this case it's limited to just $readers and $writers)
$r = "" if $r eq $w; $r = "NOBODY" if $r eq $w;
# set up the variables for a parse to interpolate stuff from the dumped # set up the variables for a parse to interpolate stuff from the dumped
# hash (remember the selective conversion of single to double quotes?). # hash (remember the selective conversion of single to double quotes?).
@ -209,5 +209,35 @@ sub report_basic
print "$perm\t$r\n\r" if $perm =~ /\S/; print "$perm\t$r\n\r" if $perm =~ /\S/;
} }
} }
1;
# ----------------------------------------------------------------------------
# print a report of $user's basic permissions
# ----------------------------------------------------------------------------
sub expand_wild
{
my($GL_CONF_COMPILED, $repo_base_abs, $repo, $user) = @_;
# display matching repos (from *all* the repos in the system) that $user
# has at least "R" access to
chdir("$repo_base_abs") or die "chdir $repo_base_abs failed: $!\n";
for my $actual_repo (`find . -type d -name "*.git"|sort`) {
chomp ($actual_repo);
$actual_repo =~ s/^\.\///;
$actual_repo =~ s/\.git$//;
# it has to match the pattern being expanded
next unless $actual_repo =~ /^$repo$/;
# find the creater and subsitute in repos
my ($creater, $read, $write) = &repo_rights($repo_base_abs, $actual_repo, $user);
# get access list with this
&parse_acl($GL_CONF_COMPILED, "", $creater, $read || "NOBODY", $write || "NOBODY");
# you need a minimum of "R" access to the regex we're talking about
next unless $repos{$repo}{R}{'@all'} or $repos{$repo}{R}{$user};
print STDERR "($creater)\t$actual_repo\n";
}
}
1;
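Review bot: `next unless $actual_repo =~ /^$repo$/;` in expand_wild compiles `$repo` as a regex although it is whatever the SSH user typed: the caller in the last file section reaches `expand_wild(...)` exactly when `$repo` fails `$REPONAME_PATT`, and nothing visible in either hunk constrains it further. A malformed pattern makes the match die with Perl's own regex error, and a pattern with nested quantifiers is re-run against every directory that `find` returns, so a single request can keep the server-side process busy for a long time. Compile it once before the loop under `eval` and reject failures, e.g. `my $patt = eval { qr/^$repo$/ } or die "bad pattern\n";` followed by `next unless $actual_repo =~ $patt;`, and consider restricting `$repo` to a documented character set first. The access check `$repos{$repo}{R}{$user}` is keyed on the typed pattern rather than on the config rule that matched `$actual_repo`, which appears to fail closed when the two differ textually but deserves a comment saying so. The banner above the sub still reads "print a report of $user's basic permissions", apparently carried over from report_basic, and should describe expand_wild instead.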


@ -80,7 +80,7 @@ if ($cmd =~ $CUSTOM_COMMANDS) {
} }
elsif ($repo !~ $REPONAME_PATT and $verb eq 'expand') { elsif ($repo !~ $REPONAME_PATT and $verb eq 'expand') {
# with a wildcard, you can "expand" it to see what repos actually match # with a wildcard, you can "expand" it to see what repos actually match
die "not implemented yet\n"; expand_wild($GL_CONF_COMPILED, $repo_base_abs, $repo, $user);
} else { } else {
die "$cmd doesn't make sense to me\n"; die "$cmd doesn't make sense to me\n";
} }