ACCESS_CHECK split into ACCESS_1 and ACCESS_2; docs updated

This commit is contained in:
Sitaram Chamarty 2012-03-27 16:18:25 +05:30
parent fd98b21bf2
commit 1cf062fad5
4 changed files with 68 additions and 43 deletions


@ -2,7 +2,7 @@
## intro and sample rc excerpt ## intro and sample rc excerpt
Gitolite fires off external commands at six different times. The [rc][] file Gitolite fires off external commands at 7 different times. The [rc][] file
specifies what commands to run at each trigger point, but for illustration, specifies what commands to run at each trigger point, but for illustration,
here's an excerpt: here's an excerpt:
@ -58,43 +58,51 @@ Triggers receive the following arguments:
## trigger-specific details ## trigger-specific details
Here's all you need to know about each specific trigger. Here's a brief "when" and "with what arguments" for each trigger.
* `ACCESS_CHECK`: this fires once after each access check. The first is * `ACCESS_1` runs after the first access check. Arguments:
just before invoking git-receive-pack or git-upload-pack. The second, * repo
which only applies to "write" operations, is from git's own 'update' hook. * user
* 'R' or 'W'
* 'any'
* result: this is the result of the access() function. If it contains
the uppercase word "DENIED", the access was rejected. Otherwise
result contains the refex that caused the access to succeed.
Arguments: repo name, user name, [attempted access][perm], the ref being * `ACCESS_2` runs after the second access check, in the update hook.
updated, and the result of the access check. Arguments:
* repo
* user
* any of W, +, C, D, WM, +M, CM, DM
* the ref being updated (e.g., 'refs/heads/master')
* result (see above)
The 'ref' is `any` for the first check, because at that point we don't * `PRE_GIT` runs just before running the git command. Arguments:
know what the actual ref is. For the second check it could be, say, * repo
`refs/heads/master` or some such. * user
* 'R' or 'W'
* 'any'
* the git command ('git-receive-pack', 'git-upload-pack', or
'git-upload-archive') being invoked.
The result is a text field that the `access()` function returned. * `POST_GIT` runs after the git command returns. Arguments:
Programmatically, the only thing you should rely on is that if it contains * repo
the upper case word "DENIED" then access was denied, otherwise it was * user
allowed. * 'R' or 'W'
* 'any'
* the git command ('git-receive-pack', 'git-upload-pack', or
* `PRE_GIT`: before running the git command. These are followed by the output of the perl function "times" (i.e., 4 CPU
times: user, system, cumulative user, cumulative system) so that's 9
arguments in total
Arguments: repo name, user name, [attempted access][perm], the string * `PRE_CREATE` and `POST_CREATE` run just before and after a new "[wild][]"
`any`, and the git command ('git-receive-pack', 'git-upload-pack', or repo is created by user action. Arguments:
'git-upload-archive') being invoked. * repo
* user
* `POST_GIT`: after the git command returns. * `POST_COMPILE` runs after an admin push has successfully "compiled" the
config file. By default, the next thing is to update the ssh authkeys
file, then all the 'git-config's, gitweb access, and daemon access.
Arguments: same as for `PRE_GIT`, followed by the output of the perl No arguments.
function "times" (i.e., 4 CPU times: user, system, cumulative user,
cumulative system)
* `POST_COMPILE`: after an admin push has successfully "compiled" the config
file. By default, the next thing is to update the ssh authkeys file, then
all the 'git-config's, gitweb access, and daemon access.
Programs run by this trigger receive no extra arguments.
* `PRE_CREATE` and `POST_CREATE`: before and after a new "[wild][]" repo is
created by user action.
Arguments: repo name, user name.


@ -28,7 +28,7 @@ sub update {
my $ret = access( $ENV{GL_REPO}, $ENV{GL_USER}, $aa, $ref ); my $ret = access( $ENV{GL_REPO}, $ENV{GL_USER}, $aa, $ref );
trace( 1, "access($ENV{GL_REPO}, $ENV{GL_USER}, $aa, $ref)", "-> $ret" ); trace( 1, "access($ENV{GL_REPO}, $ENV{GL_USER}, $aa, $ref)", "-> $ret" );
trigger( 'ACCESS_CHECK', $ENV{GL_REPO}, $ENV{GL_USER}, $aa, $ref, $ret ); trigger( 'ACCESS_2', $ENV{GL_REPO}, $ENV{GL_USER}, $aa, $ref, $ret );
_die $ret if $ret =~ /DENIED/; _die $ret if $ret =~ /DENIED/;
check_vrefs( $ref, $oldsha, $newsha, $oldtree, $newtree, $aa ); check_vrefs( $ref, $oldsha, $newsha, $oldtree, $newtree, $aa );
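Review bot: Renaming the trigger key from ACCESS_CHECK to ACCESS_2 in this `trigger(...)` call (and to ACCESS_1 in the `sub main` section of gitolite-shell further down) means an rc file written against the old name keeps its `ACCESS_CHECK => [...]` list but, as far as the rc handling in this commit shows, nothing reads it any more, so any audit or extra-deny program a site hung off that trigger silently stops running after an upgrade. The rc section already copies the file's values with `@rc{ keys %RC } = values %RC;`, so a one-line guard beside that assignment would surface the stale key at startup, e.g. `warn "ACCESS_CHECK is no longer a trigger; use ACCESS_1 and/or ACCESS_2\n" if exists $RC{ACCESS_CHECK};`. Whether trigger() itself ignores an unlisted key is inferred, since trigger() is not part of this commit. `sub update` starts outside the hunk.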


@ -52,7 +52,6 @@ $UNSAFE_PATT = qr([`~#\$\&()|;<>]);
# find the rc file and 'do' it # find the rc file and 'do' it
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
my $current_data_version = "3.0"; my $current_data_version = "3.0";
my $rc = glrc('filename'); my $rc = glrc('filename');
@ -64,11 +63,17 @@ if ( defined($GL_ADMINDIR) ) {
exit 1; exit 1;
} }
# let values specified in rc file override our internal ones # let values specified in rc file override our internal ones
# ----------------------------------------------------------------------
@rc{ keys %RC } = values %RC; @rc{ keys %RC } = values %RC;
# (testing only) testing sometimes requires all of it to be overridden # add internal triggers
# silently; use an env var that is highly unlikely to appear in real life :) # ----------------------------------------------------------------------
# (testing only) override the rc file silently
# ----------------------------------------------------------------------
# use an env var that is highly unlikely to appear in real life :)
do $ENV{G3T_RC} if exists $ENV{G3T_RC} and -r $ENV{G3T_RC}; do $ENV{G3T_RC} if exists $ENV{G3T_RC} and -r $ENV{G3T_RC};
# fix some env vars, setup gitolite internal "env" vars (aka rc vars) # fix some env vars, setup gitolite internal "env" vars (aka rc vars)
@ -277,6 +282,12 @@ __DATA__
# 'continuation-lines', # 'continuation-lines',
], ],
# comment out or uncomment as needed
# these will run in sequence just after the first access check is done
ACCESS_1 =>
[
],
# comment out or uncomment as needed # comment out or uncomment as needed
# these will run in sequence at the start, before a git operation has started # these will run in sequence at the start, before a git operation has started
PRE_GIT => PRE_GIT =>
@ -288,6 +299,12 @@ __DATA__
# 'partial-copy', # 'partial-copy',
], ],
# comment out or uncomment as needed
# these will run in sequence just after the second access check is done
ACCESS_2 =>
[
],
# comment out or uncomment as needed # comment out or uncomment as needed
# these will run in sequence at the end, after a git operation has ended # these will run in sequence at the end, after a git operation has ended
POST_GIT => POST_GIT =>
@ -297,19 +314,19 @@ __DATA__
], ],
# comment out or uncomment as needed # comment out or uncomment as needed
# these will run in sequence after post-update # these will run in sequence after a new wild repo is created
POST_COMPILE => POST_CREATE =>
[ [
'post-compile/ssh-authkeys',
'post-compile/update-git-configs', 'post-compile/update-git-configs',
'post-compile/update-gitweb-access-list', 'post-compile/update-gitweb-access-list',
'post-compile/update-git-daemon-access-list', 'post-compile/update-git-daemon-access-list',
], ],
# comment out or uncomment as needed # comment out or uncomment as needed
# these will run in sequence after a new wild repo is created # these will run in sequence after post-update
POST_CREATE => POST_COMPILE =>
[ [
'post-compile/ssh-authkeys',
'post-compile/update-git-configs', 'post-compile/update-git-configs',
'post-compile/update-gitweb-access-list', 'post-compile/update-gitweb-access-list',
'post-compile/update-git-daemon-access-list', 'post-compile/update-git-daemon-access-list',
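Review bot: The new `# add internal triggers` heading and its dashed underline in the rc-loading hunk (between the `@rc{ keys %RC } = values %RC;` line and the `# (testing only)` block) introduce a section that contains no code, so a reader is left looking for triggers that are never added; either the intended statements are missing from the commit or the heading should be dropped or turned into `# TODO: add internal triggers`. In the __DATA__ defaults the `# comment out or uncomment as needed` header is copied onto the new ACCESS_1 and ACCESS_2 entries although both lists are empty and there is nothing to uncomment; a header such as `# add your own programs here; see the triggers doc for the arguments` would tell an admin what is expected. Both hunks are complete within the section; the surrounding rc-file scope is not.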


@ -91,7 +91,7 @@ sub main {
my $ret = access( $repo, $user, $aa, 'any' ); my $ret = access( $repo, $user, $aa, 'any' );
trace( 1, "access($repo, $user, $aa, 'any')", "-> $ret" ); trace( 1, "access($repo, $user, $aa, 'any')", "-> $ret" );
gl_log( 'check1', $repo, $user, $aa, 'any', '->', $ret ); gl_log( 'check1', $repo, $user, $aa, 'any', '->', $ret );
trigger( 'ACCESS_CHECK', $repo, $user, $aa, 'any', $ret ); trigger( 'ACCESS_1', $repo, $user, $aa, 'any', $ret );
_die $ret . "\n(or you mis-spelled the reponame)" if $ret =~ /DENIED/; _die $ret . "\n(or you mis-spelled the reponame)" if $ret =~ /DENIED/;
check_repo_write_enabled($repo) if $aa eq 'W'; check_repo_write_enabled($repo) if $aa eq 'W';