deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge branch 'master' into wildrepos

Browse source 
Conflicts:
	src/gitolite.pm
	src/gl-auth-command
This commit is contained in:
Sitaram Chamarty 2009-12-19 22:51:29 +05:30
parent ecdf6f2350 2cc19091ca
commit d49bb6b423
7 changed files with 56 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
doc/3-faq-tips-etc.mkd
View file

@ -102,10 +102,10 @@ normal way, since it's not empty anymore.
So at least one of your clients needs to have a recent git. Once at least So at least one of your clients needs to have a recent git. Once at least
one commit has been made, older clients can also use it one commit has been made, older clients can also use it
* when you clone an empty repo, git seems to complain about the remote * when you clone an empty repo, git seems to complain about `fatal: The
hanging up or something. I have no idea what that is, but it doesn't seem remote end hung up unexpectedly`. However, you can ignore this, since it
to hurt anything. This happens even in normal git, not just gitolite. doesn't seem to hurt anything. [Update 2009-09-14; this has been fixed in
[Update 2009-09-14; this has been fixed in git 1.6.4.3] git 1.6.4.3]
* gitweb not able to read your repos? You can change the umask for newly * gitweb not able to read your repos? You can change the umask for newly
created repos to something more relaxed -- see the `~/.gitolite.rc` file created repos to something more relaxed -- see the `~/.gitolite.rc` file

7
src/ga-post-update-hook
View file

@ -1,10 +1,7 @@
#!/bin/sh #!/bin/sh
# get this from your .gitolite.conf; and don't forget this is shell, while
# that is perl :-)
export GL_ADMINDIR; GL_ADMINDIR=$HOME/.gitolite
# checkout the master branch to $GL_ADMINDIR # checkout the master branch to $GL_ADMINDIR
# (the GL_ADMINDIR env var would have been set by gl-auth-command)
GIT_WORK_TREE=$GL_ADMINDIR git checkout -f master GIT_WORK_TREE=$GL_ADMINDIR git checkout -f master
# remove all fragments. otherwise, you get spurious error messages when you # remove all fragments. otherwise, you get spurious error messages when you
@ -31,4 +28,4 @@ do
done done
cd $GL_ADMINDIR cd $GL_ADMINDIR
src/gl-compile-conf $GL_BINDIR/gl-compile-conf

4
src/gitolite.pm
View file

@ -27,8 +27,8 @@ $W_COMMANDS=qr/^git[ -]receive-pack$/;
# note that REPONAME_PATT allows "/", while USERNAME_PATT does not # note that REPONAME_PATT allows "/", while USERNAME_PATT does not
# also, the reason REPONAME_PATT is a superset of USERNAME_PATT is (duh!) # also, the reason REPONAME_PATT is a superset of USERNAME_PATT is (duh!)
# because in this version, a repo can have "CREATER" in the name (see docs) # because in this version, a repo can have "CREATER" in the name (see docs)
$REPONAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@/-]*$); # very simple pattern $REPONAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@/+-]*$); # very simple pattern
$USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@-]*$); # very simple pattern $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@+-]*$); # very simple pattern
# same as REPONAME, plus some common regex metas # same as REPONAME, plus some common regex metas
$REPOPATT_PATT=qr(^\@?[0-9a-zA-Z][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/-]*$); $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/-]*$);

42
src/gl-auth-command
View file

@ -23,9 +23,8 @@ use warnings;
# common definitions # common definitions
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# these are set by the "rc" file # these are set by the "rc" file
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $GL_ADMINDIR); our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR);
# and these are set by gitolite.pm # and these are set by gitolite.pm
our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT); our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT);
our %repos; our %repos;
@ -39,13 +38,29 @@ require "$bindir/gitolite.pm";
&where_is_rc(); &where_is_rc();
die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC}; die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
# we need to pass GL_ADMINDIR and the bindir to the child hooks (well only the
# admin repo's post-update hook but still...)
$ENV{GL_ADMINDIR} = $GL_ADMINDIR;
$ENV{GL_BINDIR} = $bindir;
# add a custom path for git binaries, if specified # add a custom path for git binaries, if specified
$ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH; $ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;
# set the umask before creating any files
umask($REPO_UMASK);
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# start... # start...
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# if the first argument is a "-s", this user is allowed to get a shell using
# this key
my $shell_allowed = 0;
if ($ARGV[0] eq '-s') {
$shell_allowed = 1;
shift;
}
# first, fix the biggest gripe I have with gitosis, a 1-line change # first, fix the biggest gripe I have with gitosis, a 1-line change
my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere! my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere!
@ -53,8 +68,14 @@ my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere!
# sanity checks on SSH_ORIGINAL_COMMAND # sanity checks on SSH_ORIGINAL_COMMAND
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# SSH_ORIGINAL_COMMAND must exist; if not, we die with a nice message # print basic access info if SSH_ORIGINAL_COMMAND does not exist
unless ($ENV{SSH_ORIGINAL_COMMAND}) { unless ($ENV{SSH_ORIGINAL_COMMAND}) {
# unless the user is allowed to use a shell
if ($shell_allowed) {
my $shell = $ENV{SHELL};
$shell =~ s/.*\//-/; # change "/bin/bash" to "-bash"
exec { $ENV{SHELL} } $shell;
}
&report_basic($GL_ADMINDIR, $GL_CONF_COMPILED, $user); &report_basic($GL_ADMINDIR, $GL_CONF_COMPILED, $user);
exit 1; exit 1;
} }
@ -87,6 +108,12 @@ if ($cmd =~ $CUSTOM_COMMANDS) {
exit 1; exit 1;
} }
# people allowed to get a shell can get basic access info by asking nicely
if ($shell_allowed and $cmd eq 'info') {
&report_basic($GL_ADMINDIR, $GL_CONF_COMPILED, $user);
exit 1;
}
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# normal (git) processing # normal (git) processing
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
@ -100,9 +127,12 @@ if ($cmd =~ $CUSTOM_COMMANDS) {
# including the single quotes # including the single quotes
my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:.git)?'/); my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:.git)?'/);
die "bad command: $cmd. Make sure the repo name is exactly as in your config\n" unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) # if the user is allowed a shell, just run the command
and $repo and $repo =~ $REPONAME_PATT ); exec $ENV{SHELL}, "-c", $ENV{SSH_ORIGINAL_COMMAND} if $shell_allowed;
# otherwise, whine
die "bad command: $cmd\n";
}
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/; die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./; die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./;

11
src/gl-compile-conf
View file

@ -82,8 +82,9 @@ $ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# command and options for authorized_keys # command and options for authorized_keys
$AUTH_COMMAND="$GL_ADMINDIR/src/gl-auth-command"; $AUTH_COMMAND="$bindir/gl-auth-command";
$AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"; $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding";
# note, for most users there's also a "no-pty" added to this, see later
# groups can now represent user groups or repo groups. # groups can now represent user groups or repo groups.
@ -483,7 +484,11 @@ for my $pubkey (glob("*"))
print STDERR "WARNING: pubkey $pubkey exists but user $user not in config\n" print STDERR "WARNING: pubkey $pubkey exists but user $user not in config\n"
unless $user_list{$user}; unless $user_list{$user};
$user_list{$user} = 'has pubkey'; $user_list{$user} = 'has pubkey';
print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS "; if ($groups{'@SHELL'}{$user}) {
print $newkeys_fh "command=\"$AUTH_COMMAND -s $user\",$AUTH_OPTIONS ";
} else {
print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS,no-pty ";
}
# apparently some pubkeys don't end in a newline... # apparently some pubkeys don't end in a newline...
my $pubkey_content = `cat $pubkey`; my $pubkey_content = `cat $pubkey`;
$pubkey_content =~ s/\s*$/\n/; $pubkey_content =~ s/\s*$/\n/;

5
src/gl-easy-install
View file

@ -48,7 +48,7 @@ main() {
[[ $upgrade == 0 ]] && initial_conf_key [[ $upgrade == 0 ]] && initial_conf_key
# MANUAL: cd to $GL_ADMINDIR and run "src/gl-compile-conf" # MANUAL: cd to $GL_ADMINDIR and run "src/gl-compile-conf"
ssh -p $port $user@$host "cd $GL_ADMINDIR; src/gl-compile-conf $quiet" ssh -p $port $user@$host "cd $GL_ADMINDIR; \$PWD/src/gl-compile-conf $quiet"
setup_pta setup_pta
@ -361,6 +361,7 @@ run_install() {
# MANUAL: setup the initial config file. Edit $GL_ADMINDIR/conf/gitolite.conf # MANUAL: setup the initial config file. Edit $GL_ADMINDIR/conf/gitolite.conf
# and add at least the following lines to it: # and add at least the following lines to it:
# @SHELL = sitaram
# repo gitolite-admin # repo gitolite-admin
# RW+ = sitaram # RW+ = sitaram
@ -368,6 +369,8 @@ initial_conf_key() {
echo "#gitolite conf echo "#gitolite conf
# please see conf/example.conf for details on syntax and features # please see conf/example.conf for details on syntax and features
@SHELL = $admin_name
repo gitolite-admin repo gitolite-admin
RW+ = $admin_name RW+ = $admin_name

2
src/gl-install
View file

@ -79,8 +79,6 @@ for my $repo (`find . -type d -name "*.git"`) {
if ( -d "gitolite-admin.git/hooks" ) { if ( -d "gitolite-admin.git/hooks" ) {
print "copying post-update hook to gitolite-admin repo...\n"; print "copying post-update hook to gitolite-admin repo...\n";
system("cp $GL_ADMINDIR/src/ga-post-update-hook gitolite-admin.git/hooks/post-update"); system("cp $GL_ADMINDIR/src/ga-post-update-hook gitolite-admin.git/hooks/post-update");
system("perl", "-i", "-p", "-e", "s(GL_ADMINDIR=.*)(GL_ADMINDIR=$GL_ADMINDIR)",
"gitolite-admin.git/hooks/post-update");
chmod 0755, "gitolite-admin.git/hooks/post-update"; chmod 0755, "gitolite-admin.git/hooks/post-update";
} }