wildrepos: expanded access reporting

This feature has *no* warranty, and so no documentation.  Not more than
this transcript anyway.

config file:

    @prof = u1
    @TAs = u2 u3
    @students = u4 u5 u6

    repo    assignments/CREATER/a[0-9][0-9]
        C   =   @students
        RW+ =   CREATER
        RW  =   WRITERS @TAs
        R   =   READERS @prof

session:

as user "u4":
    # check your permissions
    $ ssh git@server
    PTY allocation request failed on channel 0
    hello u4, the gitolite version here is v0.95-31-gbcb14ca
    you have the following permissions:
     C      assignments/CREATER/a[0-9][0-9]
       @ @  testing
    Connection to localhost closed.

    # autovivify repos for assignment 12 and 24
    $ git clone git@server:assignments/u4/a12 a12
    Initialized empty Git repository in /home/sitaram/t/a12/.git/
    Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a12.git/
    warning: You appear to have cloned an empty repository.
    $ git clone git@server:assignments/u4/a24 a24
    Initialized empty Git repository in /home/sitaram/t/a24/.git/
    Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a24.git/
    warning: You appear to have cloned an empty repository.

    # check what repos you autovivified
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12
    (u4)    assignments/u4/a24

as user "u5":
    # check your basic permissions
    $ ssh git@server
    PTY allocation request failed on channel 0
    hello u5, the gitolite version here is v0.95-31-gbcb14ca
    you have the following permissions:
     C      assignments/CREATER/a[0-9][0-9]
       @ @  testing
    Connection to localhost closed.

    # see if you have access to any of u4's repos
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    # (no output produced)

as user "u4":
    # allow "u5" read access to assignment 12
    # note you type in "R u5", hit enter, then hit Ctrl-D.  Gitolite
    # then produces a confirmation message starting "New perms are:"
    $ ssh git@server setperms assignments/u4/a12
    R u5
    New perms are:
    R u5

as user "u5":
    # again see if you have access to any u4 repos
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12

as user "u4":
    # check what permissions you gave to assignment 12
    $ ssh git@server getperms assignments/u4/a12
    R u5

    # add RW access to "u6" to assignment 12
    # again, type 'em in, then hit Ctrl-D; and note each time you run
    # this you're starting from scratch -- you can't "add to" the
    # permissions.  Deal with it...
    $ ssh git@server setperms assignments/u4/a12
    R u5
    RW u6
    New perms are:
    R u5
    RW u6

as user "u6":
    # check what u4 stuff you have access to
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12
This commit is contained in:
Sitaram Chamarty 2009-12-06 15:26:53 +05:30
parent f620044156
commit 02cee1d5cf
3 changed files with 42 additions and 17 deletions

View file

@ -134,23 +134,23 @@ cumbersome for non-secret environments.
Create a small text file that contains the permissions you desire:
$ cat > myperms
R user1 user3
RW user2
R u5
RW u6
(hit ctrl-d here)
...and use the new "getperms" command to set permissions for your repo:
$ ssh git@server setperms XXX/XXX/XXX < myperms
$ ssh git@server setperms assignments/u4/a12 < myperms
New perms are:
R user1 user3
RW user2
R u5
RW u6
'setperms' will helpfully print what the new permissions are but you can also
use 'getperms' to check:
$ ssh git@server getperms XXX/XXX/XXX
R user1 user3
RW user2
$ ssh git@server getperms assignments/u4/a12
R u5
RW u6
The following points are important:
@ -172,11 +172,6 @@ This still works, except the format is a little more compressed to accommodate
a new column (at the start) for "C" permissions, which indicate that you are
allowed to *create* repos matching that pattern.
In addition, there's a second level of reporting now, which is used to find
what *actual* repos are available when you supply a pattern.
XXX to be done XXX
### Other issues and discussion
* *what if the repo name being pushed matches more than one pattern*?

View file

@ -156,8 +156,8 @@ sub parse_acl
# void $r if same as $w (otherwise "readers" overrides "writers"; this is
# the same problem that needed a sort sub for the Dumper in the compile
# script, but localised to just $readers and $writers)
$r = "" if $r eq $w;
# script, but in this case it's limited to just $readers and $writers)
$r = "NOBODY" if $r eq $w;
# set up the variables for a parse to interpolate stuff from the dumped
# hash (remember the selective conversion of single to double quotes?).
@ -209,5 +209,35 @@ sub report_basic
print "$perm\t$r\n\r" if $perm =~ /\S/;
}
}
1;
# ----------------------------------------------------------------------------
# print a report of $user's basic permissions
# ----------------------------------------------------------------------------
sub expand_wild
{
my($GL_CONF_COMPILED, $repo_base_abs, $repo, $user) = @_;
# display matching repos (from *all* the repos in the system) that $user
# has at least "R" access to
chdir("$repo_base_abs") or die "chdir $repo_base_abs failed: $!\n";
for my $actual_repo (`find . -type d -name "*.git"|sort`) {
chomp ($actual_repo);
$actual_repo =~ s/^\.\///;
$actual_repo =~ s/\.git$//;
# it has to match the pattern being expanded
next unless $actual_repo =~ /^$repo$/;
# find the creater and subsitute in repos
my ($creater, $read, $write) = &repo_rights($repo_base_abs, $actual_repo, $user);
# get access list with this
&parse_acl($GL_CONF_COMPILED, "", $creater, $read || "NOBODY", $write || "NOBODY");
# you need a minimum of "R" access to the regex we're talking about
next unless $repos{$repo}{R}{'@all'} or $repos{$repo}{R}{$user};
print STDERR "($creater)\t$actual_repo\n";
}
}
1;

View file

@ -80,7 +80,7 @@ if ($cmd =~ $CUSTOM_COMMANDS) {
}
elsif ($repo !~ $REPONAME_PATT and $verb eq 'expand') {
# with a wildcard, you can "expand" it to see what repos actually match
die "not implemented yet\n";
expand_wild($GL_CONF_COMPILED, $repo_base_abs, $repo, $user);
} else {
die "$cmd doesn't make sense to me\n";
}