deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge branch 'dps' into master

Browse source 
Conflicts:
	doc/0-INSTALL.mkd
This commit is contained in:
Sitaram Chamarty 2010-02-25 20:26:33 +05:30
commit ea123bbfb4
10 changed files with 244 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/ga-post-update-hook
View file

@ -1,8 +0,0 @@
#!/bin/sh
# checkout the master branch to $GL_ADMINDIR
# (the GL_ADMINDIR env var would have been set by gl-auth-command)
GIT_WORK_TREE=$GL_ADMINDIR git checkout -f master
cd $GL_ADMINDIR
$GL_BINDIR/gl-compile-conf

7
src/gitolite.pm
View file

@ -34,7 +34,7 @@ our $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@+-]*$); # very simple patter
our $REPOPATT_PATT=qr(^\@?[0-9a-zA-Z][\\^.$|()[\]*+?{}0-9a-zA-Z._\@/-]*$);
# these come from the RC file
our ($REPO_UMASK, $GL_WILDREPOS);
our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS);
our %repos;
# ----------------------------------------------------------------------------
@ -148,6 +148,9 @@ sub new_repo
}
# propagate our own, plus any local admin-defined, hooks
ln_sf($hooks_dir, "*", "hooks");
# in case of package install, GL_ADMINDIR is no longer the top cop;
# override with the package hooks
ln_sf("$GL_PACKAGE_HOOKS/common", "*", "hooks") if $GL_PACKAGE_HOOKS;
chmod 0755, "hooks/update";
}
@ -282,7 +285,7 @@ sub report_basic
# send back some useful info if no command was given
print "hello $user, the gitolite version here is ";
system("cat", "$GL_ADMINDIR/src/VERSION");
system("cat", ($GL_PACKAGE_CONF || "$GL_ADMINDIR/conf") . "/VERSION");
print "\ryou have the following permissions:\n\r";
for my $r (sort keys %repos) {
my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) );

3
src/gl-auth-command
View file

@ -32,6 +32,7 @@ our %repos;
# the common setup module is in the same directory as this running program is
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
require "$bindir/gitolite.pm";
# ask where the rc file is, get it, and "do" it
@ -177,7 +178,7 @@ if ( -d "$repo_base_abs/$repo.git" ) {
# auto-vivify new repo if you have C access (and wildrepos is on)
if ( $GL_WILDREPOS and $repos{$repo}{C}{$user} || $repos{$repo}{C}{'@all'} ) {
wrap_chdir("$repo_base_abs");
new_repo($repo, "$GL_ADMINDIR/src/hooks", $user);
new_repo($repo, "$GL_ADMINDIR/hooks/common", $user);
wrap_chdir($ENV{HOME});
}
}

3
src/gl-compile-conf
View file

@ -68,6 +68,7 @@ our ($REPONAME_PATT, $REPOPATT_PATT, $USERNAME_PATT, $AUTH_COMMAND, $AUTH_OPTION
# the common setup module is in the same directory as this running program is
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
require "$bindir/gitolite.pm";
# ask where the rc file is, get it, and "do" it
@ -395,7 +396,7 @@ for my $repo (sort keys %repos) {
next if $repo =~ m(^EXTCMD/); # these are not real repos
unless (-d "$repo.git") {
print STDERR "creating $repo...\n";
new_repo($repo, "$GL_ADMINDIR/src/hooks");
new_repo($repo, "$GL_ADMINDIR/hooks/common");
# new_repo would have chdir'd us away; come back
wrap_chdir("$repo_base_abs");
}

13
src/gl-easy-install
View file

@ -169,12 +169,12 @@ basic_sanity() {
# MANUAL: make sure you're in the gitolite directory, at the top level.
# The following files should all be visible:
ls src/ga-post-update-hook \
ls hooks/gitolite-admin/post-update \
hooks/common/update \
src/gitolite.pm \
src/gl-install \
src/gl-auth-command \
src/gl-compile-conf \
src/hooks/update \
conf/example.conf \
conf/example.gitolite.rc >/dev/null ||
die "cant find at least some files in gitolite sources/config; aborting"
@ -196,12 +196,12 @@ version_info() {
# MANUAL: if needed, make a note of the version you are upgrading from, and to
# record which version is being sent across; we assume it's HEAD
git describe --tags --long HEAD 2>/dev/null > src/VERSION || echo '(unknown)' > src/VERSION
git describe --tags --long HEAD 2>/dev/null > conf/VERSION || echo '(unknown)' > conf/VERSION
# what was the old version there?
export upgrade_details="you are upgrading \
$(ssh -p $port $user@$host cat gitolite-install/src/VERSION 2>/dev/null || echo '(or installing first-time)' ) \
to $(cat src/VERSION)"
$(ssh -p $port $user@$host cat gitolite-install/conf/VERSION 2>/dev/null || echo '(or installing first-time)' ) \
to $(cat conf/VERSION)"
prompt "$upgrade_details" "$v_upgrade_details"
}
@ -282,8 +282,7 @@ copy_gl() {
# have to create the directory first.
ssh -p $port $user@$host mkdir -p gitolite-install
scp $quiet -P $port -r src conf doc $user@$host:gitolite-install/
rm -f src/VERSION
scp $quiet -P $port -r src conf doc hooks $user@$host:gitolite-install/
# MANUAL: now log on to the server (ssh git@server) and get a command
# line. This step is for your convenience; the script does it all from

44
src/gl-install
View file

@ -3,7 +3,7 @@
use strict;
use warnings;
our ($REPO_BASE, $GL_ADMINDIR, $GL_CONF, $GIT_PATH);
our ($REPO_BASE, $GL_ADMINDIR, $GL_CONF, $GIT_PATH, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS);
# setup quiet mode if asked; please do not use this when running manually
open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q');
@ -31,7 +31,11 @@ require "$bindir/gitolite.pm";
unless ($ENV{GL_RC}) {
# doesn't exist. Copy it across, tell user to edit it and come back
my $glrc = $ENV{HOME} . "/.gitolite.rc";
system("cp conf/example.gitolite.rc $glrc");
if ($GL_PACKAGE_CONF) {
system("cp $GL_PACKAGE_CONF/example.gitolite.rc $glrc");
} else {
system("cp $bindir/../conf/example.gitolite.rc $glrc");
}
print "created $glrc\n";
print "please edit it, change the paths if you wish to, and RERUN THIS SCRIPT\n";
exit;
@ -48,21 +52,28 @@ my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE"
wrap_mkdir($repo_base_abs);
wrap_mkdir($GL_ADMINDIR);
# mkdir $GL_ADMINDIR's subdirs
for my $dir qw(conf doc keydir logs src) {
for my $dir qw(conf doc keydir logs src hooks hooks/common hooks/gitolite-admin) {
# some of them will stay empty; too lazy to fix right now ;-)
wrap_mkdir("$GL_ADMINDIR/$dir");
}
# "src" and "doc" will be overwritten on each install, but not conf
system("cp -R src doc $GL_ADMINDIR");
if ($GL_PACKAGE_HOOKS) {
system("cp -R $GL_PACKAGE_HOOKS $GL_ADMINDIR");
} else {
system("cp -R $bindir/../src $bindir/../doc $bindir/../hooks $GL_ADMINDIR");
system("cp $bindir/../conf/VERSION $GL_ADMINDIR/conf");
}
unless (-f $GL_CONF) {
system("cp conf/example.conf $GL_CONF");
unless (-f $GL_CONF or $GL_PACKAGE_CONF) {
print <<EOF;
created $GL_CONF
please edit it, then run these two commands:
cd $GL_ADMINDIR
src/gl-compile-conf
(the "admin" document should help here...)
please do the following:
1. create and edit $GL_CONF to contain something like this:
repo gitolite-admin
RW+ = yourname
2. copy "yourname.pub" to $GL_ADMINDIR/keydir
3. run this command
$GL_ADMINDIR/src/gl-compile-conf
EOF
}
@ -71,7 +82,10 @@ chdir("$repo_base_abs") or die "chdir $repo_base_abs failed: $!\n";
for my $repo (`find . -type d -name "*.git"`) {
chomp ($repo);
# propagate our own, plus any local admin-defined, hooks
ln_sf("$GL_ADMINDIR/src/hooks", "*", "$repo/hooks");
ln_sf("$GL_ADMINDIR/hooks/common", "*", "$repo/hooks");
# in case of package install, GL_ADMINDIR is no longer the top cop;
# override with the package hooks
ln_sf("$GL_PACKAGE_HOOKS/common", "*", "$repo/hooks") if $GL_PACKAGE_HOOKS;
chmod 0755, "$repo/hooks/update";
}
@ -79,13 +93,15 @@ for my $repo (`find . -type d -name "*.git"`) {
if ( -d "gitolite-admin.git/hooks" ) {
print "copying post-update hook to gitolite-admin repo...\n";
unlink "gitolite-admin.git/hooks/post-update";
symlink "$GL_ADMINDIR/src/ga-post-update-hook", "gitolite-admin.git/hooks/post-update"
symlink "$GL_ADMINDIR/hooks/gitolite-admin/post-update", "gitolite-admin.git/hooks/post-update"
or die "could not symlink post-update hook\n";
# ditto... (see previous block)
ln_sf("$GL_PACKAGE_HOOKS/gitolite-admin", "post-update", "gitolite-admin.git/hooks") if $GL_PACKAGE_HOOKS;
chmod 0755, "gitolite-admin.git/hooks/post-update";
}
# fixup program renames
for my $oldname qw(pta-hook.sh conf-convert.pl 00-easy-install.sh 99-emergency-addkey.sh install.pl update-hook.pl) {
for my $oldname qw(pta-hook.sh conf-convert.pl 00-easy-install.sh 99-emergency-addkey.sh install.pl update-hook.pl hooks/update ga-post-update-hook VERSION) {
unlink "$GL_ADMINDIR/src/$oldname";
unlink "$ENV{HOME}/gitolite-install/src/$oldname";
}

83
src/gl-setup Executable file
View file

@ -0,0 +1,83 @@
#!/bin/sh
GL_PACKAGE_CONF=/tmp/share/gitolite/conf
# must be the same as the value for the same variable in
# $GL_PACKAGE_CONF/example.gitolite.rc. Sorry about the catch-22 :)
# TODO need to fix for portability to ksh and so on
# TODO need to get the version in there somehow
# This program is meant to be completely non-interactive, suitable for running
# server-side from a "post RPM/DEB install" script, or manually by users.
# Please see the doc/0-user-setup.mkd for details.
# usage:
# $0 [foo.pub]
# The pubkey filename must end with ".pub" and is mandatory when you first run
# this command. Otherwise it is optional, and can be used to override a
# pubkey file if you happen to have lost all gitolite-access to the repos (but
# do have shell access via some other means)
die() { echo "$@"; echo death at line number ${BASH_LINENO[0]}; exit 1; }
pubkey_file=$1
admin_name=
if [[ -n $pubkey_file ]]
then
[[ $pubkey_file =~ .pub$ ]] || die "$pubkey_file must end in .pub"
[[ -f $pubkey_file ]] || die "cant find $pubkey_file"
admin_name=$(basename $pubkey_file .pub)
fi
if [[ -f ~/.gitolite.rc ]]
then
perl -ne 's/^\s+//; s/[\s=].*//; print if /^\$/;' < $GL_PACKAGE_CONF/example.gitolite.rc | sort > .newvars
perl -ne 's/^\s+//; s/[\s=].*//; print if /^\$/;' < ~/.gitolite.rc | sort > .oldvars
comm -23 .newvars .oldvars > .diffvars
if [[ -s .diffvars ]]
then
cp $GL_PACKAGE_CONF/example.gitolite.rc ~/.gitolite.rc.new
echo new version of the rc file saved in ~/.gitolite.rc.new
echo
echo please update ~/.gitolite.rc manually if you need features
echo controlled by any of the following variables:
echo ----
sed -e 's/^/ /' < .diffvars
echo ----
fi
rm -f .newvars .oldvars .diffvars
else
[[ -n $pubkey_file ]] || die "looks like first run -- I need a pubkey file"
cp $GL_PACKAGE_CONF/example.gitolite.rc ~/.gitolite.rc
fi
gl-install -q
GL_ADMINDIR=$(cd;perl -e 'do ".gitolite.rc"; print $GL_ADMINDIR')
REPO_BASE=$( cd;perl -e 'do ".gitolite.rc"; print $REPO_BASE' )
[[ -f $GL_ADMINDIR/conf/gitolite.conf ]] || {
cat <<EOF > $GL_ADMINDIR/conf/gitolite.conf
repo gitolite-admin
RW+ = $admin_name
repo testing
RW+ = @all
EOF
}
[[ -n $pubkey_file ]] && cp $pubkey_file $GL_ADMINDIR/keydir
touch $HOME/.ssh/authorized_keys
gl-compile-conf -q
# setup push-to-admin
od=$PWD
cd; cd $REPO_BASE/gitolite-admin.git
GIT_WORK_TREE=$GL_ADMINDIR git add conf/gitolite.conf keydir
GIT_WORK_TREE=$GL_ADMINDIR git diff --cached --quiet || GIT_WORK_TREE=$GL_ADMINDIR git commit -am start
cd $od
# now that the admin repo is created, you have to set the hooks properly; best
# do it by running install again
gl-install -q

113
src/hooks/update
View file

@ -1,113 +0,0 @@
#!/usr/bin/perl
use strict;
use warnings;
# === update ===
# this is gitolite's update hook
# part of the gitolite (GL) suite
# how run: via git, being copied as .git/hooks/update in every repo
# when: every push
# input:
# - see man githooks for STDIN
# - uses the compiled config file to get permissions info
# output: based on permissions etc., exit 0 or 1
# security:
# - none
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
our ($GL_CONF_COMPILED, $PERSONAL);
our %repos;
# we should already have the GL_RC env var set when we enter this hook
die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
# then "do" the compiled config file, whose name we now know. Before doing
# that we setup the creater etc from environment variables so that the parse
# interpolates them. We've minimised the duplication but this *does*
# duplicate a bit of parse_acl from gitolite.pm; we don't want to include that
# file here just for that little bit
{
our $creater = $ENV{GL_CREATER};
our $readers = $ENV{GL_READERS};
our $writers = $ENV{GL_WRITERS};
die "parse $GL_CONF_COMPILED failed: " . ($! or $@) unless do $GL_CONF_COMPILED;
$repos{$ENV{GL_REPO}} = $repos{$ENV{GL_REPOPATT}} if ( $ENV{GL_REPOPATT} );
}
my $reported_repo = $ENV{GL_REPO} . ( $ENV{GL_REPOPATT} ? " ($ENV{GL_REPOPATT})" : "" );
# we've started to need some common subs in what used to be a small, cute,
# little script that barely spanned a few lines :(
require "$ENV{GL_BINDIR}/gitolite.pm";
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
my $ref = shift;
my $oldsha = shift;
my $newsha = shift;
my $merge_base = '0' x 40;
# compute a merge-base if both SHAs are non-0, else leave it as '0'x40
# (i.e., for branch create or delete, merge_base == '0'x40)
chomp($merge_base = `git merge-base $oldsha $newsha`)
unless $oldsha eq '0' x 40
or $newsha eq '0' x 40;
# what are you trying to do? (is it 'W' or '+'?)
my $perm = 'W';
# rewriting a tag is considered a rewind, in terms of permissions
$perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40);
# non-ff push to ref
# notice that ref delete looks like a rewind, as it should
$perm = '+' if $oldsha ne $merge_base;
my @allowed_refs;
# personal stuff -- right at the start in the new regime, I guess!
push @allowed_refs, { "$PERSONAL/$ENV{GL_USER}/" => "RW+" } if $PERSONAL;
# we want specific perms to override @all, so they come first
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] };
push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] };
# prepare the list of refs to be checked
# previously, we just checked $ref -- the ref being updated, which is passed
# to us by git (see man githooks). Now we also have to treat each NAME being
# updated as a potential "ref" and check that, if NAME-based restrictions have
# been specified
my @refs = ($ref); # the first ref to check is the real one
if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) {
# this is special to git -- the hash of an empty tree
my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904';
# well they're not really "trees" but $empty is indeed the empty tree so
# we can just pretend $oldsha/$newsha are also trees, and anyway 'git
# diff' only wants trees
my $oldtree = $oldsha eq '0' x 40 ? $empty : $oldsha;
my $newtree = $newsha eq '0' x 40 ? $empty : $newsha;
push @refs, map { chomp; s/^/NAME\//; $_; } `git diff --name-only $oldtree $newtree`;
}
# and in this version, we have many "refs" to check. The one we print in the
# log is the *first* one (which is a *real* ref, like refs/heads/master),
# while all the rest (if they exist) are like NAME/something. So we do the
# first one separately to capture it, then run the rest (if any)
my $log_refex = check_ref(\@allowed_refs, $ENV{GL_REPO}, (shift @refs), $perm);
&check_ref (\@allowed_refs, $ENV{GL_REPO}, $_ , $perm) for @refs;
# if we returned at all, all the checks succeeded, so we log the action and exit 0
&log_it("$ENV{GL_TS} $perm\t" .
substr($oldsha, 0, 14) . "\t" . substr($newsha, 0, 14) .
"\t$reported_repo\t$ref\t$ENV{GL_USER}\t$log_refex\n");
exit 0;