From 0b960cfae2d89e4bd3cdc1b56823ed34d90e5567 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Sun, 31 Jan 2010 23:10:12 +0530
Subject: [PATCH 1/2] auth/update-hook/pm: make &log() a common function
---
 src/gitolite.pm | 6 ++++++
 src/gl-auth-command | 10 ++--------
 src/hooks/update | 12 ++++++------
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/gitolite.pm b/src/gitolite.pm
index d905a72..84dfc9a 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -42,6 +42,12 @@ sub wrap_open {
 return $fh;
 }
+sub log_it {
+ open my $log_fh, ">>", $ENV{GL_LOG} or die "open log failed: $!\n";
+ print $log_fh @_;
+ close $log_fh or die "close log failed: $!\n";
+}
+
 # ----------------------------------------------------------------------------
 # where is the rc file hiding?
 # ----------------------------------------------------------------------------
diff --git a/src/gl-auth-command b/src/gl-auth-command
index d6482ed..f494cc8 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -38,8 +38,7 @@ require "$bindir/gitolite.pm";
 &where_is_rc();
 die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
-# we need to pass GL_ADMINDIR and the bindir to the child hooks (well only the
-# admin repo's post-update hook but still...)
+# we need to pass GL_ADMINDIR and the bindir to the child hooks
 $ENV{GL_ADMINDIR} = $GL_ADMINDIR;
 $ENV{GL_BINDIR} = $bindir;
@@ -149,12 +148,7 @@ $GL_LOGT =~ s/%m/$m/g;
 $GL_LOGT =~ s/%d/$d/g;
 $ENV{GL_LOG} = $GL_LOGT;
-# if log failure isn't important enough to block access, get rid of all the
-# error checking
-open my $log_fh, ">>", $ENV{GL_LOG}
- or die "open log failed: $!\n";
-print $log_fh "$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n";
-close $log_fh or die "close log failed: $!\n";
+&log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n");
 # ----------------------------------------------------------------------------
 # over to git now
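Review bot: log_it keeps the fail-closed behaviour of both call sites (a failed open or close still dies) but loses the only explanation of it: the comments removed in the gl-auth-command hunk at -149 and the hooks/update hunk at -118 were what told a maintainer that a log write failure deliberately blocks the access. Carry that policy into the sub as a header comment, e.g. `# append the given strings to $ENV{GL_LOG} (caller supplies the newline); a failed open or close is fatal on purpose, so it blocks the access/push -- relax the checks here if that is not wanted`. A smaller point: if GL_LOG is unset the open presumably fails with a bare "No such file or directory" plus an uninitialized-value warning, which does not point at the missing variable; `die "GL_LOG not set\n" unless defined $ENV{GL_LOG};` at the top of the sub would name the real cause.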
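Review bot: The new call uses the `&log_it(...)` sigil form; with parentheses it is harmless, but `&` bypasses prototypes and reads as pre-5 style, so plain `log_it(...)` is preferable, and the same applies to the hooks/update hunks at -118 (`&log_it`) and -85 (`&check_ref (...)`). Separately, the logged record embeds `$ENV{SSH_ORIGINAL_COMMAND}` verbatim, and this hunk does not show whether that value was already constrained to a safe pattern earlier in gl-auth-command; if it was not, an embedded tab or newline from the client would forge extra fields or whole lines in the audit log. If the upstream check does not already rule that out, normalise the value at this call site, e.g. `(my $cmd = $ENV{SSH_ORIGINAL_COMMAND}) =~ tr/\t\n\r/ /;` and log `$cmd` instead, or document above the call which earlier check guarantees the value is single-line.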
diff --git a/src/hooks/update b/src/hooks/update
index c1ff18f..a68ce18 100755
--- a/src/hooks/update
+++ b/src/hooks/update
@@ -33,6 +33,10 @@ die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
 # then "do" the compiled config file, whose name we now know
 die "parse $GL_CONF_COMPILED failed: " . ($! or $@) unless do $GL_CONF_COMPILED;
+# we've started to need some common subs in what used to be a small, cute,
+# little script that barely spanned a few lines :(
+require "$ENV{GL_BINDIR}/gitolite.pm";
+
 # ----------------------------------------------------------------------------
 # start...
 # ----------------------------------------------------------------------------
@@ -118,11 +122,7 @@ check_ref($_) for @refs;
 # if we returned at all, all the checks succeeded, so we log the action and exit 0
-# logging note: if log failure isn't important enough to block pushes, get rid
-# of all the error checking
-open my $log_fh, ">>", $ENV{GL_LOG} or die "open log failed: $!\n";
-print $log_fh "$ENV{GL_TS} $perm\t" .
+&log_it("$ENV{GL_TS} $perm\t" .
 substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
- "\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$log_refex\n";
-close $log_fh or die "close log failed: $!\n";
+ "\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$log_refex\n");
 exit 0;
From 7f203fc020858a01c39caa2a45587c6b3efa836e Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Sun, 31 Jan 2010 23:56:58 +0530
Subject: [PATCH 2/2] update-hook/pm: made check_ref a common sub
---
 src/gitolite.pm | 26 ++++++++++++++++++++++++++
 src/hooks/update | 32 ++------------------------------
 2 files changed, 28 insertions(+), 30 deletions(-)
diff --git a/src/gitolite.pm b/src/gitolite.pm
index 84dfc9a..8ad5567 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
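Review bot: `require "$ENV{GL_BINDIR}/gitolite.pm";` assumes GL_BINDIR is present in the hook's environment, and within this series it is only exported by gl-auth-command (the hunk at -38 sets `$ENV{GL_BINDIR} = $bindir;`). When the update hook runs under any other invocation the path collapses to `/gitolite.pm` and Perl dies with a generic "Can't locate" message that does not name the real cause; the earlier `do $ENV{GL_RC}` has the same dependency on GL_RC, so this is not new, but the new line is a natural place to fail clearly: `die "GL_BINDIR not set; this hook expects to run under gl-auth-command\n" unless $ENV{GL_BINDIR};`. The comment above the require says why the module is needed but not where GL_BINDIR comes from; adding `# GL_BINDIR is exported by gl-auth-command` saves the next reader a search.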
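Review bot: In the -118 hunk the log record passed to `&log_it(...)` is assembled by concatenation across three lines with literal `\t` separators, which makes it easy to drop or double a separator the next time a field is added; the same line is clearer as `log_it(join("\t", "$ENV{GL_TS} $perm", substr($oldsha, 0, 14), substr($newsha, 0, 14), $ENV{GL_REPO}, $ref, $ENV{GL_USER}, $log_refex) . "\n");`. That produces a byte-identical record only because the first field already joins GL_TS and $perm with a space, as the original does. `$perm`, `$ref`, `$oldsha`, `$newsha` and `$log_refex` are presumably defined earlier in the hook's top-level code, outside this hunk.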
@@ -48,6 +48,32 @@ sub log_it {
 close $log_fh or die "close log failed: $!\n";
 }
+# check one ref
+sub check_ref {
+
+ # normally, the $ref will be whatever ref the commit is trying to update
+ # (like refs/heads/master or whatever). At least one of the refexes that
+ # pertain to this user must match this ref **and** the corresponding
+ # permission must also match the action (W or +) being attempted. If none
+ # of them match, the access is denied.
+
+ # Notice that the function DIES!!! Any future changes that require more
+ # work to be done *after* this, even on failure, can start using return
+ # codes etc., but for now we're happy to just die.
+
+ my ($allowed_refs, $repo, $ref, $perm) = @_;
+ for my $ar (@{$allowed_refs}) {
+ my $refex = (keys %$ar)[0];
+ # refex? sure -- a regex to match a ref against :)
+ next unless $ref =~ /^$refex/;
+ die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
+
+ # as far as *this* ref is concerned we're ok
+ return $refex if ($ar->{$refex} =~ /\Q$perm/);
+ }
+ die "$perm $ref $repo $ENV{GL_USER} DENIED by fallthru\n";
+}
+
 # ----------------------------------------------------------------------------
 # where is the rc file hiding?
 # ----------------------------------------------------------------------------
diff --git a/src/hooks/update b/src/hooks/update
index a68ce18..876f46b 100755
--- a/src/hooks/update
+++ b/src/hooks/update
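Review bot: The two DENIED messages in check_ref are now inconsistent: the explicit-deny `die` still omits the repository (`"$perm $ref $ENV{GL_USER} DENIED by $refex\n"`) while the fallthru `die` was updated to include the new `$repo` parameter, so the two failure paths print different fields. Since `$repo` was added precisely so the sub no longer depends on `$ENV{GL_REPO}`, the first should read `die "$perm $ref $repo $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';`. The match on `next unless $ref =~ /^$refex/;` also deserves a comment: it anchors the refex only at the start, so a refex `refs/heads/master` also matches `refs/heads/master-next`, which is presumably intended given the "refex is a regex" remark but will surprise a reader expecting an exact match, e.g. `# anchored at the start only; end a refex with $ in the conf for an exact match`. Interpolating the refex unescaped into the regex is acceptable only because, as the hooks/update caller suggests, the list comes from the compiled config rather than from the pusher; stating that assumption next to the loop would keep a future caller from passing user-derived patterns.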
@@ -85,40 +85,12 @@ if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
 push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`;
 }
-my $refex = '';
-
-# check one ref
-sub check_ref {
-
- # normally, the $ref will be whatever ref the commit is trying to update
- # (like refs/heads/master or whatever). At least one of the refexes that
- # pertain to this user must match this ref **and** the corresponding
- # permission must also match the action (W or +) being attempted. If none
- # of them match, the access is denied.
-
- # Notice that the function DIES!!! Any future changes that require more
- # work to be done *after* this, even on failure, can start using return
- # codes etc., but for now we're happy to just die.
-
- my $ref = shift;
- for my $ar (@allowed_refs) {
- $refex = (keys %$ar)[0];
- # refex? sure -- a regex to match a ref against :)
- next unless $ref =~ /^$refex/;
- die "$perm $ref $ENV{GL_USER} DENIED by $refex\n" if $ar->{$refex} eq '-';
-
- # as far as *this* ref is concerned we're ok
- return $refex if ($ar->{$refex} =~ /\Q$perm/);
- }
- die "$perm $ref $ENV{GL_REPO} $ENV{GL_USER} DENIED by fallthru\n";
-}
-
 # and in this version, we have many "refs" to check. The one we print in the
 # log is the *first* one (which is a *real* ref, like refs/heads/master),
 # while all the rest (if they exist) are like NAME/something. So we do the
 # first one separately to capture it, then run the rest (if any)
-my $log_refex = check_ref(shift @refs);
-check_ref($_) for @refs;
+my $log_refex = check_ref(\@allowed_refs, $ENV{GL_REPO}, (shift @refs), $perm);
+&check_ref (\@allowed_refs, $ENV{GL_REPO}, $_ , $perm) for @refs;
 # if we returned at all, all the checks succeeded, so we log the action and exit 0