compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW
Summary: DON'T forget to run src/gl-compile-conf as the last step in the upgrade. Details: The compiled file format has changed quite a bit, to make it easier for the rebel edition coming up :-) compile: - we don't split RW/RW+ into individual perms anymore - we store the info required for the first-level check separately now: (repo, R/W, user) - the order for the second-level check is now: repo, user, [{ref=>perms}...] (list of hashes) update hook logic: the first refex that: - matches the incoming ref, AND - contains the perm you're trying to use, causes the match loop to exit with success. Fallthrough is failure.
parent
2285e75c22
commit
978046acb9
|
@ -42,6 +42,12 @@ And you're done.
|
||||||
If any extra steps beyond the generic ones above are needed, they will be
|
If any extra steps beyond the generic ones above are needed, they will be
|
||||||
listed here, newest first.
|
listed here, newest first.
|
||||||
|
|
||||||
|
#### upgrading from 86faae4
|
||||||
|
|
||||||
|
Between 86faae4 and this version, gitolite had a *major* change in the
|
||||||
|
*internal* format of the compiled config file. Please do not omit step 5 in
|
||||||
|
the generic instructions above.
|
||||||
|
|
||||||
#### upgrading from 5758f69
|
#### upgrading from 5758f69
|
||||||
|
|
||||||
Between 5758f69 and this version, gitolite learnt to allow "groupnames" for
|
Between 5758f69 and this version, gitolite learnt to allow "groupnames" for
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
use strict;
|
use strict;
|
||||||
use warnings;
|
use warnings;
|
||||||
use Data::Dumper;
|
use Data::Dumper;
|
||||||
|
$Data::Dumper::Indent = 1;
|
||||||
|
|
||||||
# === add-auth-keys ===
|
# === add-auth-keys ===
|
||||||
|
|
||||||
|
@ -146,8 +147,7 @@ while (<$conf_fh>)
|
||||||
# actual permission line
|
# actual permission line
|
||||||
elsif (/^(R|RW|RW\+) (.* )?= (.+)/)
|
elsif (/^(R|RW|RW\+) (.* )?= (.+)/)
|
||||||
{
|
{
|
||||||
# split perms to separate out R, W, and +
|
my $perms = $1;
|
||||||
my @perms = split //, $1;
|
|
||||||
my @refs; @refs = split(' ', $2) if $2;
|
my @refs; @refs = split(' ', $2) if $2;
|
||||||
my @users = split ' ', $3;
|
my @users = split ' ', $3;
|
||||||
|
|
||||||
|
@ -165,11 +165,16 @@ while (<$conf_fh>)
|
||||||
# ok, we can finally populate the %repos hash
|
# ok, we can finally populate the %repos hash
|
||||||
for my $repo (@repos) # each repo in the current stanza
|
for my $repo (@repos) # each repo in the current stanza
|
||||||
{
|
{
|
||||||
for my $perm (@perms)
|
for my $user (@users)
|
||||||
{
|
{
|
||||||
for my $user (@users)
|
# for 1st level check (see faq/tips doc)
|
||||||
|
$repos{$repo}{R}{$user} = 1 if $perms =~ /R/;
|
||||||
|
$repos{$repo}{W}{$user} = 1 if $perms =~ /W/;
|
||||||
|
|
||||||
|
# for 2nd level check, store each "ref, perms" pair in order
|
||||||
|
for my $ref (@refs)
|
||||||
{
|
{
|
||||||
push @{ $repos{$repo}{$perm}{$user} }, @refs;
|
push @{ $repos{$repo}{$user} }, { $ref => $perms };
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
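Review bot: In the hunk at `@ -165,11 +165,16`, the first-level keys `R` and `W` now share a hash level with the per-user lists (`$repos{$repo}{R}{$user}` sits next to `$repos{$repo}{$user}`), so a user literally named `R` or `W` collides with them. For such a name, `push @{ $repos{$repo}{$user} }, { $ref => $perms };` would dereference the hash already stored under that key as an array and die with a reference-type error during compile. The failure is closed rather than permissive, but those names should either be rejected where `@users` is parsed or be documented as reserved, for example `# NOTE: 'R' and 'W' are reserved keys at this level; user names must not collide with them`. The enclosing `while (<$conf_fh>)` loop starts and ends outside the hunk, so the right place for the check is not visible here.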
@ -58,13 +58,17 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
|
||||||
$perm = '+' if $oldsha ne $merge_base;
|
$perm = '+' if $oldsha ne $merge_base;
|
||||||
|
|
||||||
my @allowed_refs;
|
my @allowed_refs;
|
||||||
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{$ENV{GL_USER}} || [] };
|
# personal stuff -- right at the start in the new regime, I guess!
|
||||||
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$perm}{'@all'} || [] };
|
push @allowed_refs, { "$PERSONAL/$ENV{GL_USER}/" => "RW+" } if $PERSONAL;
|
||||||
push @allowed_refs, "$PERSONAL/$ENV{GL_USER}/" if $PERSONAL;
|
# we want specific perms to override @all, so they come first
|
||||||
for my $refex (@allowed_refs)
|
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
|
||||||
# refex? sure -- a regex to match a ref against :)
|
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
|
||||||
|
for my $ar (@allowed_refs)
|
||||||
{
|
{
|
||||||
if ($ref =~ /$refex/)
|
my $refex = (keys %$ar)[0];
|
||||||
|
# refex? sure -- a regex to match a ref against :)
|
||||||
|
next unless $ref =~ /$refex/;
|
||||||
|
if ($ar->{$refex} =~ /\Q$perm/)
|
||||||
{
|
{
|
||||||
# if log failure isn't important enough to block pushes, get rid of
|
# if log failure isn't important enough to block pushes, get rid of
|
||||||
# all the error checking
|
# all the error checking
|
||||||
|
@ -72,9 +76,9 @@ for my $refex (@allowed_refs)
|
||||||
or die "open log failed: $!\n";
|
or die "open log failed: $!\n";
|
||||||
print $log_fh "$ENV{GL_TS} $perm\t" .
|
print $log_fh "$ENV{GL_TS} $perm\t" .
|
||||||
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
|
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
|
||||||
"\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\n";
|
"\t$ENV{GL_REPO}\t$ref\t$ENV{GL_USER}\t$refex\n";
|
||||||
close $log_fh or die "close log failed: $!\n";
|
close $log_fh or die "close log failed: $!\n";
|
||||||
exit 0;
|
exit 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
exit 1;
|
die "$perm $ref $ENV{GL_USER} DENIED by fallthru\n";
|
||||||
|
|
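Review bot: The personal-namespace entry in the hunk at `@ -58,13 +58,17` interpolates `$ENV{GL_USER}` straight into a pattern that is later applied as `$ref =~ /$refex/`, so any regex metacharacter in a user name (a `.`, for instance) widens the match beyond that user's own namespace, and the entry now carries `RW+`. Quoting the name keeps the grant literal: `push @allowed_refs, { "$PERSONAL/\Q$ENV{GL_USER}\E/" => "RW+" } if $PERSONAL;`. The match is also unanchored; whether a leading `^` is appropriate depends on how `$PERSONAL` is defined, which is outside this hunk. Separately, the comment `# we want specific perms to override @all, so they come first` overstates what the loop does: an entry that matches the ref but lacks the perm only falls through to the next entry, so a narrower per-user rule cannot restrict what `@all` grants, and the comment should say so.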