Merge branch 'master' into wildrepos

factor out log_it and check_ref; update hook now requires gitolite.pm Conflicts: src/hooks/update
2010-02-01 11:00:24 +05:30 · 2010-02-01 11:00:24 +05:30 · 17c8075de7
parent 29260476fb 7f203fc020
commit 17c8075de7
3 changed files with 42 additions and 44 deletions
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@ -46,6 +46,38 @@ sub wrap_open {
    return $fh;
 }

+sub log_it {
+    open my $log_fh, ">>", $ENV{GL_LOG} or die "open log failed: $!\n";
+    print $log_fh @_;
+    close $log_fh or die "close log failed: $!\n";
+}
+
+# check one ref
+sub check_ref {
+
+    # normally, the $ref will be whatever ref the commit is trying to update
+    # (like refs/heads/master or whatever).  At least one of the refexes that
+    # pertain to this user must match this ref **and** the corresponding
+    # permission must also match the action (W or +) being attempted.  If none
+    # of them match, the access is denied.
+
+    # Notice that the function DIES!!!  Any future changes that require more
+    # work to be done *after* this, even on failure, can start using return
+    # codes etc., but for now we're happy to just die.
+
+    my ($allowed_refs, $repo, $ref, $perm) = @_;
+    for my $ar (@{$allowed_refs}) {
+        my $refex = (keys %$ar)[0];
+        # refex?  sure -- a regex to match a ref against :)
+        next unless $ref =~ /^$refex/;
+        die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
+
+        # as far as *this* ref is concerned we're ok
+        return $refex if ($ar->{$refex} =~ /\Q$perm/);
+    }
+    die "$perm $ref $repo $ENV{GL_USER} DENIED by fallthru\n";
+}
+
 # ----------------------------------------------------------------------------
 #       where is the rc file hiding?
 # ----------------------------------------------------------------------------
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@ -38,8 +38,7 @@ require "$bindir/gitolite.pm";
 &where_is_rc();
 die "parse $ENV{GL_RC} failed: "       . ($! or $@) unless do $ENV{GL_RC};

-# we need to pass GL_ADMINDIR and the bindir to the child hooks (well only the
-# admin repo's post-update hook but still...)
+# we need to pass GL_ADMINDIR and the bindir to the child hooks
 $ENV{GL_ADMINDIR} = $GL_ADMINDIR;
 $ENV{GL_BINDIR} = $bindir;

@ -185,12 +184,7 @@ $GL_LOGT =~ s/%m/$m/g;
 $GL_LOGT =~ s/%d/$d/g;
 $ENV{GL_LOG} = $GL_LOGT;

-# if log failure isn't important enough to block access, get rid of all the
-# error checking
-open my $log_fh, ">>", $ENV{GL_LOG}
-    or die "open log failed: $!\n";
-print $log_fh "$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n";
-close $log_fh or die "close log failed: $!\n";
+&log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n");

 # ----------------------------------------------------------------------------
 #       over to git now
--- a/src/hooks/update
+++ b/src/hooks/update
@ -46,6 +46,10 @@ die "parse $ENV{GL_RC} failed: "       . ($! or $@) unless do $ENV{GL_RC};
 }
 my $reported_repo = $ENV{GL_REPO} . ( $ENV{GL_REPOPATT} ? " ($ENV{GL_REPOPATT})" : "" );

+# we've started to need some common subs in what used to be a small, cute,
+# little script that barely spanned a few lines :(
+require "$ENV{GL_BINDIR}/gitolite.pm";
+
 # ----------------------------------------------------------------------------
 #       start...
 # ----------------------------------------------------------------------------
@ -94,48 +98,16 @@ if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
    push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`;
 }

-my $refex = '';
-
-# check one ref
-sub check_ref {
-
-    # normally, the $ref will be whatever ref the commit is trying to update
-    # (like refs/heads/master or whatever).  At least one of the refexes that
-    # pertain to this user must match this ref **and** the corresponding
-    # permission must also match the action (W or +) being attempted.  If none
-    # of them match, the access is denied.
-
-    # Notice that the function DIES!!!  Any future changes that require more
-    # work to be done *after* this, even on failure, can start using return
-    # codes etc., but for now we're happy to just die.
-
-    my $ref = shift;
-    for my $ar (@allowed_refs) {
-        $refex = (keys %$ar)[0];
-        # refex?  sure -- a regex to match a ref against :)
-        next unless $ref =~ /^$refex/;
-        die "$perm $ref $reported_repo $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
-
-        # as far as *this* ref is concerned we're ok
-        return $refex if ($ar->{$refex} =~ /\Q$perm/);
-    }
-    die "$perm $ref $reported_repo $ENV{GL_USER} DENIED by fallthru\n";
-}
-
 # and in this version, we have many "refs" to check.  The one we print in the
 # log is the *first* one (which is a *real* ref, like refs/heads/master),
 # while all the rest (if they exist) are like NAME/something.  So we do the
 # first one separately to capture it, then run the rest (if any)
-my $log_refex = check_ref(shift @refs);
-check_ref($_) for @refs;
+my $log_refex = check_ref(\@allowed_refs, $ENV{GL_REPO}, (shift @refs), $perm);
+&check_ref               (\@allowed_refs, $ENV{GL_REPO}, $_           , $perm) for @refs;

 # if we returned at all, all the checks succeeded, so we log the action and exit 0

-# logging note: if log failure isn't important enough to block pushes, get rid
-# of all the error checking
-open my $log_fh, ">>", $ENV{GL_LOG} or die "open log failed: $!\n";
-print $log_fh "$ENV{GL_TS}  $perm\t" .
+&log_it("$ENV{GL_TS}  $perm\t" .
    substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
-    "\t$reported_repo\t$ref\t$ENV{GL_USER}\t$log_refex\n";
-close $log_fh or die "close log failed: $!\n";
+    "\t$reported_repo\t$ref\t$ENV{GL_USER}\t$log_refex\n");
 exit 0;