Merge branch 'master' into pu (svnserve contrib code)

Conflicts:
	src/gl-auth-command
Sitaram Chamarty 2010-05-10 08:12:09 +05:30
commit 3d9f230b41
4 changed files with 54 additions and 5 deletions


@ -150,6 +150,20 @@ $RSYNC_BASE = "";
# $RSYNC_BASE = "/home/git/up-down"; # $RSYNC_BASE = "/home/git/up-down";
# $RSYNC_BASE = "/tmp/up-down"; # $RSYNC_BASE = "/tmp/up-down";
# --------------------------------------
# EXTERNAL COMMAND HELPER -- SVNSERVE
# security note: runs an external command (svnserve) with specific arguments,
# as specified below. %u is substituted with the username.
# This setting allows launching svnserve when requested by the ssh client.
# This allows using the same SSH setup (hostname/username/public key) for both
# SVN and git access. Leave it undefined or set to the empty string to disable
# svnserve access.
$SVNSERVE = "";
# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
# -------------------------------------- # --------------------------------------
# ALLOW REPO CONFIG TO USE WILDCARDS # ALLOW REPO CONFIG TO USE WILDCARDS
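Review bot: The security note above the new `$SVNSERVE = "";` setting describes what the value is for but not how it is used, which is what an admin editing it needs. As the gitolite.pm hunk on this page shows, the string is run by Perl's `exec` after `%u` is substituted, so shell metacharacters in it would send the command through a shell, and it is only triggered when the ssh client sends exactly `svnserve -t`, with no client-supplied arguments ever reaching svnserve. I would extend the note with `# The string is run via exec after %u is substituted; keep it free of shell metacharacters. It is triggered only by the exact client command "svnserve -t"; client arguments are never passed on.`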


@ -650,14 +650,34 @@ powerful feature. See `doc/admin-defined-commands.mkd`.
Gitolite now has a mechanism for allowing access control for arbitrary Gitolite now has a mechanism for allowing access control for arbitrary
external commands, as long as they are invoked via ssh and present a external commands, as long as they are invoked via ssh and present a
server-side command that contains enough information to make an access control server-side command that contains enough information to make an access control
decision. The first (and only, so far) such command implemented is rsync. decision.
Note that this is incompatible with giving people shell access as described in Note that this is incompatible with giving people shell access as described in
`doc/6-ssh-troubleshooting.mkd` -- people who have shell access are not `doc/6-ssh-troubleshooting.mkd` -- people who have shell access are not
subject to this mechanism (it wouldn't make sense to try and control someone subject to this mechanism (it wouldn't make sense to try and control someone
who has shell access anyway). who has shell access anyway).
Please see the config files (both of them) for examples and usage. In general, external commands require changes in one or both the config files;
the sample files in `conf/` double as documentation, so you should look there
for examples and usage.
Commands implemented so far are:
* rsync
* svnserve (see next section for a brief description; this has been
contributed by Simon and Vladimir)
<a name="svnserve"></a>
##### svnserve
If you are transitioning from SVN to gitolite, and have a lot of users using
public-key authentication with SVN, this feature may be useful to you. Once
you migrate all users' public keys into gitolite, you can set the `$SVNSERVE`
variable in `~/.gitolite.rc` to tie `svnserve` with gitolite's authentication
system. Assuming you installed gitolite to the same user as the one you used
for SVN, SVN connectivity will be retained, and users will be able to use
both SVN and git using the same SSH configuration.
## design choices ## design choices


@ -411,7 +411,7 @@ sub cli_repo_rights {
sub special_cmd sub special_cmd
{ {
my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE) = @_; my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE) = @_;
my $cmd = $ENV{SSH_ORIGINAL_COMMAND}; my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
my $user = $ENV{GL_USER}; my $user = $ENV{GL_USER};
@ -432,6 +432,8 @@ sub special_cmd
&ext_cmd_htpasswd($HTPASSWD_FILE); &ext_cmd_htpasswd($HTPASSWD_FILE);
} elsif ($RSYNC_BASE and $cmd =~ /^rsync /) { } elsif ($RSYNC_BASE and $cmd =~ /^rsync /) {
&ext_cmd_rsync($GL_CONF_COMPILED, $RSYNC_BASE, $cmd); &ext_cmd_rsync($GL_CONF_COMPILED, $RSYNC_BASE, $cmd);
} elsif ($SVNSERVE and $cmd eq 'svnserve -t') {
&ext_cmd_svnserve($SVNSERVE);
} else { } else {
# if the user is allowed a shell, just run the command # if the user is allowed a shell, just run the command
&log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$ENV{GL_USER}\n"); &log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$ENV{GL_USER}\n");
@ -528,4 +530,17 @@ EOFhtp
die "htpasswd command seems to have failed with $rc return code...\n" if $rc; die "htpasswd command seems to have failed with $rc return code...\n" if $rc;
} }
# ----------------------------------------------------------------------------
# external command helper: svnserve
# ----------------------------------------------------------------------------
sub ext_cmd_svnserve
{
my $SVNSERVE = shift;
$SVNSERVE =~ s/%u/$ENV{GL_USER}/g;
exec $SVNSERVE;
die "svnserve exec failed\n";
}
1; 1;
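Review bot: `exec $SVNSERVE;` in the new ext_cmd_svnserve passes a single string to exec, so Perl hands it to /bin/sh whenever the string contains shell metacharacters, and the `%u` substitution on the previous line splices `$ENV{GL_USER}` into that string unescaped. Where GL_USER comes from is outside this hunk (it appears to be set by gitolite's own ssh setup rather than by the client), so the practical exposure depends on how usernames are restricted elsewhere, but a list-form exec takes the shell out of the path regardless. Splitting the configured string on whitespace and substituting `%u` per argument also guarantees that a username can never alter the argument structure; the cost is that arguments in the rc value cannot contain spaces, which the sample value in the rc file does not need.
```perl
sub ext_cmd_svnserve
{
    my $SVNSERVE = shift;
    my $user = $ENV{GL_USER};
    # substitute %u per word and exec in list form; no shell is ever involved
    my @argv = map { (my $word = $_) =~ s/%u/$user/g; $word } split ' ', $SVNSERVE;
    exec { $argv[0] } @argv;
    die "svnserve exec failed\n";
}
```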


@ -24,7 +24,7 @@ use warnings;
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# these are set by the "rc" file # these are set by the "rc" file
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_ADC_PATH); our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_ADC_PATH, $SVNSERVE);
# and these are set by gitolite.pm # and these are set by gitolite.pm
our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT); our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT);
our %repos; our %repos;
@ -167,7 +167,7 @@ if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/); my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
unless ( $verb and ( $verb eq 'git-init' or $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) { unless ( $verb and ( $verb eq 'git-init' or $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
# ok, it's not a normal git command; call the special command helper # ok, it's not a normal git command; call the special command helper
&special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE); &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE);
exit; exit;
} }
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/; die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
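Review bot: The `&special_cmd (...)` call in the second hunk now carries six positional configuration scalars, one more per external command added, and the `our (...)` list in the first hunk grows in step. Passing the rc-derived settings as a hash, e.g. `special_cmd(%rc_settings)` with keys such as `RSYNC_BASE` and `SVNSERVE`, would stop the callee from depending on argument order, and dropping the `&` sigil (`special_cmd(...)`) uses the plain call form. This is a style remark only; the call as written is correct.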