From e6ba17fc527c1c3aba06bf00e3be51bf277327b1 Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Mon, 19 Mar 2012 14:50:48 +0530 Subject: [PATCH] "deny-rules" (used to be called "deny-repo" in g2) --- src/Gitolite/Conf/Load.pm | 3 +- t/deny-rules-2.t | 172 ++++++++++++++++++++++++++++++++++++++ t/deny-rules.t | 67 +++++++++++++++ 3 files changed, 241 insertions(+), 1 deletion(-) create mode 100755 t/deny-rules-2.t create mode 100755 t/deny-rules.t diff --git a/src/Gitolite/Conf/Load.pm b/src/Gitolite/Conf/Load.pm index f1d342c..42a4294 100644 --- a/src/Gitolite/Conf/Load.pm +++ b/src/Gitolite/Conf/Load.pm @@ -63,6 +63,7 @@ my $last_repo = ''; sub access { my ( $repo, $user, $aa, $ref ) = @_; + my $deny_rules = option($repo, 'deny-rules'); load($repo); # when a real repo doesn't exist, ^C is a pre-requisite for any other @@ -81,7 +82,7 @@ sub access { trace( 3, "perm=$perm, refex=$refex" ); # skip 'deny' rules if the ref is not (yet) known - next if $perm eq '-' and $ref eq 'any'; + next if $perm eq '-' and $ref eq 'any' and not $deny_rules; # rule matches if ref matches or ref is any (see gitolite-shell) next unless $ref =~ /^$refex/ or $ref eq 'any'; diff --git a/t/deny-rules-2.t b/t/deny-rules-2.t new file mode 100755 index 0000000..d59f144 --- /dev/null +++ b/t/deny-rules-2.t @@ -0,0 +1,172 @@ +#!/usr/bin/perl +use strict; +use warnings; + +# this is hardcoded; change it if needed +use lib "src"; +use Gitolite::Test; + +# more on deny-rules +# ---------------------------------------------------------------------- + +try "plan 126"; + +try " + DEF GOOD = /refs/\\.\\*/ + DEF BAD = /DENIED/ + + DEF Ryes = gitolite access %1 %2 R any; ok; GOOD + DEF Rno = gitolite access %1 %2 R any; !ok; BAD + + DEF Wyes = gitolite access %1 %2 W any; ok; GOOD + DEF Wno = gitolite access %1 %2 W any; !ok; BAD + + DEF GWyes = Ryes %1 gitweb + DEF GWno = Rno %1 gitweb + + DEF GDyes = Ryes %1 daemon + DEF GDno = Rno %1 daemon +"; + +confreset;confadd ' + repo one + RW+ = u1 + R = u2 + - = u2 u3 + R = @all +'; + +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + Wyes one u1 + + Ryes one u2 + Wno one u2 + + Ryes one u3 + Wno one u3 + + Ryes one u6 + Wno one u6 + + GDyes one + GWyes one +"; + +confadd ' + option deny-rules = 1 +'; + +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + Wyes one u1 + + Ryes one u2 + Wno one u2 + + Rno one u3 + + Ryes one u6 + Wno one u6 + + GDyes one + GWyes one +"; + +confadd ' + repo two + RW+ = u1 + R = u2 + - = u2 u3 gitweb daemon + R = @all +'; + +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + GWyes two + GDyes two +"; + +confadd ' + option deny-rules = 1 +'; + +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + GWno two + GDno two +"; + +# set 3 -- allow gitweb to all but admin repo + +confadd ' + repo gitolite-admin + - = gitweb daemon + option deny-rules = 1 + + repo three + RW+ = u3 + R = gitweb daemon +'; + +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + GDyes three + GWyes three + GDno gitolite-admin + GWno gitolite-admin +"; + +# set 4 -- allow gitweb to all but admin repo + +confadd ' + repo four + RW+ = u4 + - = gitweb daemon + + repo @all + R = @all +'; +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + GDyes four + GWyes four + GDno gitolite-admin + GWno gitolite-admin +"; + +# set 5 -- go wild + +confreset; confadd ' + repo foo/..* + C = u1 + RW+ = CREATOR + - = gitweb daemon + R = @all + + repo bar/..* + C = u2 + RW+ = CREATOR + - = gitweb daemon + R = @all + option deny-rules = 1 +'; +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +try " + glt ls-remote u1 file:///foo/one + glt ls-remote u2 file:///bar/two + Wyes foo/one u1 + Wyes bar/two u2 + + GDyes foo/one + GDyes foo/one + GWno bar/two + GWno bar/two +"; diff --git a/t/deny-rules.t b/t/deny-rules.t new file mode 100755 index 0000000..2492887 --- /dev/null +++ b/t/deny-rules.t @@ -0,0 +1,67 @@ +#!/usr/bin/perl +use strict; +use warnings; + +# this is hardcoded; change it if needed +use lib "src"; +use Gitolite::Test; + +# branch permissions test +# ---------------------------------------------------------------------- + +try "plan 11"; + +confreset;confadd ' + # start with... + + repo gitolite-admin + - = gitweb daemon + option deny-rules = 1 + + # main ruleset goes here + + @ga = a + @gb = b + @gc = c + + # and end with + + repo @ga + RW = u1 + - = @all + option deny-rules = 1 + + repo @gb + RW = u2 + - = daemon + option deny-rules = 1 + + repo @gc + RW = u3 + + repo @all + R = @all + +'; + +try "ADMIN_PUSH set1; !/FATAL/" or die text(); + +my $rb = `gitolite query-rc -n GL_REPO_BASE`; +try " + cat $ENV{HOME}/projects.list; ok +"; +cmp 'b.git +c.git +testing.git +'; + +try " + cd .. + cd .. + echo $rb + find $rb -name git-daemon-export-ok | sort + perl s,$rb/,,g +"; +cmp 'c.git/git-daemon-export-ok +testing.git/git-daemon-export-ok +'