Commit graph

359 commits

Author SHA1 Message Date
Sitaram Chamarty 78444c2e76 gl-system-install: optional 4th arg to help packagers
(buildroot in RPM-speak, DESTDIR in DEB-speak)

based on a patch sent by Francis Galiegue (fgaliegue at gmail)
2011-04-03 21:23:16 +05:30
Sitaram Chamarty 1006eba2fc allow the include statement to use globs
(bonus: we now have a test case for "include" itself, should it ever
decide to take an unplanned vacation!)
2011-04-01 16:11:59 +05:30
Dylan Simon 58064b8e20 Make limit on number of repos displayed by info with GL_BIG_CONFIG configurable
[doc added by Sitaram]
2011-03-30 20:27:12 +05:30
Sitaram Chamarty 0f377a7679 new doc on gitolite without ssh, plus some minor docfixes 2011-03-30 18:42:39 +05:30
Jos Houtman afc3a06c56 mirror-shell fix: setup GL_RC; post-update needs it 2011-03-21 07:51:24 +05:30
Sitaram Chamarty 6539009cb5 make REPO_BASE absolute early
$ENV{GL_REPO_BASE_ABS} is meant to point to the same directory as
$REPO_BASE, except it is meant to be passed to hooks, ADCs and other
child programs.  And since you can't be sure where the child program
starts in, this became an absolute path.

Gradually, however, I started using it wherever I needed an absolute
path (mostly in code that jumps around various directories to do stuff).
Which is silly, because there's no reason $REPO_BASE cannot also be made
an absolute, even if the rc file has a relative path.

So that's what I did now: made $REPO_BASE absolute very early on, and
then systematically changed all uses of the longer form to the shorter
form when appropriate.  And so the only thing we now use the longer one
for is to pass to child programs.

(Implementation note: The actual change is not very big, but while I was
about it I decided to make the test suite able to test with an absolute
REPO_BASE also, which is why the commit seems so large.)

----

This all started with a complaint from Damien Regad.  He had an
extremely odd setup where his bashrc changed PWD to something other than
$HOME before anything else ran.  This caused those two variables to
beceom inconsistent, and he had a 1-line fix he wanted me to apply.

I generally don't like making special fixes for for non-standard setups,
and anyway all he had to do was set the full path to REPO_BASE in the rc
file to get around this.  Which is what I told him and he very politely
left it at that.

However, this did get me thinking, and I soon realised I was needlessly
conflating "relative versus absolute" with "able to be passed to child
programs".  Fixing that solved his problem also, as a side-effect.

So I guess this is all thanks to Damien!
2011-03-21 07:51:10 +05:30
Sitaram Chamarty 32646e9cf0 (minor) make it clearer when easy install aborts
Technically this does not add any new information, but I'm hoping it
will help the folks just won't read what's on the screen otherwise.

The main impetus this time is git 1.7.4, which is strict about
user.email and user.name and rejects commits when those config variables
are not set.  As a result, the number of times gl-easy-install hits a
fatal error and bombs out without completing its job, has increased
drastically.
2011-03-13 09:37:50 +05:30
Sitaram Chamarty 3677bc5a4d one more slurp
see 9ad7ea4 -- "(minor) some changes to system(), ``, etc."
2011-03-12 04:52:34 +05:30
Sitaram Chamarty b7944ed4d1 (minor) do not purge projects.list if GL_NO_DAEMON_NO_GITWEB set
The code that sets %projlist doesn't even run if GL_NO_DAEMON_NO_GITWEB
is set, so it doesn't make sense to then *use* that (empty) variable and
effectively wipe out the projects.list file.

Thanks to m0 for asking...
2011-03-10 22:12:42 +05:30
Sitaram Chamarty 9ad7ea4e19 (minor) some changes to system(), ``, etc.
(suggested by cmyers and ryan_c on #gitolite)

Between wrap_print(), which now takes a list, and the new slurp(),
pretty much everything to do with 'cat' or 'echo' has been converted to
pure perl.

----

Personally, I consider these changes to be somewhat gratuitous, because
none of these had a security *or* a performance concern.  But since the
amount of new perl code was not too high (just the slurp() function,
really), I figure it's not a big deal to do it.
2011-03-09 20:11:30 +05:30
Sitaram Chamarty 91a8379f9f change some 'warn's to 'print STDERR' and vice versa
with warns now being logged, it's nice to make sure that anything that
could even vaguely be considered someone playing with the system, *or*
is otherwise noteworthy, be emitted as a 'warn' instead of as a 'print
STDERR'.  Similarly stuff that is clearly a syntactic warning or typo
should come from 'print STDERR', instead of from a 'warn'.
2011-03-08 14:20:35 +05:30
Carl Myers 59a1855e38 Added handler to ensure warn and die are logged
(with some extra changes by Sitaram)
2011-03-08 14:20:35 +05:30
Sitaram Chamarty 396bfaa3b9 gl-auth now checks for and run a hook called 'gl-pre-git'
see sample code for motivation; other uses at your discretion
2011-03-05 12:23:17 +05:30
Sitaram Chamarty ca913af6cd for cool 'cat's who use 'putty' :-)
ryan-c on #gitolite (ryan.castellucci@gmail.com) found that if a user
types in
        ssh git@server `echo -e "\033[2J"`
or eqvt, he can get raw ASCII control characters into gitolite's log
file.  Then if a gitolite admin 'cat's the log file (instead of using a
pager, or uses a pager in raw mode like 'less -r'), those control
characters hit his screen and do stuff.

While clearing the screen etc is probably harmless and I would not have
bothered, we know that the old vt100 would allow the keyboard to be
remapped by the server sending control codes, and we're not really sure
which of the currently in use terminals emulate this.

And finally, I found somewhere that "PuTTY allows the server to send
control codes that let it take over the mouse".  Scary...

(...of course, I hate putty/plink so I was sorely tempted to leave this
as is to punish people who use it <grin> but not really; I'd joke about
it but won't actually *do* it!)
2011-03-05 05:56:58 +05:30
Sitaram Chamarty 46528f0cc7 squelch useless "undefined" warnings
Normal users will never need this change but the big boys like to play
on the server side directly... and sometimes the SSH_CONNECTION var is
not set
2011-02-25 20:39:59 +05:30
Sitaram Chamarty 9a49487d0a minor bug in data format fixup code
Earlier, it wasn't as critical for gl-setup to be run with the full
path; the BINDIR deduction used to happen in almost every program.  Now
it's a lot more important.

Apparently I never noticed that "/bin/bash -l gl-setup" does not set $0
to the correct, fq path.  Adding a "-c" does, however...

[thanks to Jeff from the KDE team for finding this]
2011-02-25 06:20:41 +05:30
Sitaram Chamarty bc5e995078 reach out and touch someone
This shaves 3 seconds off of KDE's config compile time :-)

Yes, I know wrap_print has that extra print statement, but otherwise it
was lying around not earning its keep so I gave it a little side job :-)
2011-02-22 13:28:02 +05:30
Sitaram Chamarty dfdab0f3c8 allow gitolite_rc.mkd values to be overridden by ~/.gitolite.rc
you might wonder why these are different from all the other variables in
the rc file... it's just that I never thought people would want to
change these!
2011-02-15 15:10:29 +05:30
Sitaram Chamarty a33f0f8504 security fix for optional ADC (admin-defined command) feature
Thanks to Dylan Simon for catching it...
2011-02-13 08:15:01 +05:30
Sitaram Chamarty 1c1ae6061d "git config foo.bar = 0" was not working; fixed
(because perl treats 0 as false and I'd not accounted for that)

thanks to idl0r for catching this
2011-02-06 07:14:25 +05:30
Sitaram Chamarty d2cef2d05e doc fixes related to conf and rc getting their own doc files 2011-01-29 17:07:57 +05:30
Sitaram Chamarty 1fce051ea1 add -prune to find commands
Apparently it makes a huge difference with some kinds of network drives
(guess which company's software ;-)

http://groups.google.com/group/gitolite/browse_thread/thread/66b888f11dc5a365
2011-01-28 04:55:04 +05:30
Sitaram Chamarty 0360dc9f3f test smart http mode, update docs (including mob mode)
- allow a mob username to be defined; all unauthenticated access will
    look to gitolite like this user (if you setup apache also properly)

  - update doc with more details (some repeat stuff from `man
    git-http-backend` but it's probably worth having everything in one
    place
2011-01-17 22:04:10 +05:30
Sitaram Chamarty 3c1633c659 (minor) gl-setup learns "-q"
suppresses popping an editor when run for the first time
2011-01-16 14:42:11 +05:30
Sitaram Chamarty 692552d146 gitolite v2.0rc1 -- please see new developer-notes doc 2011-01-16 07:26:13 +05:30
Sitaram Chamarty d8789a3af0 get rid of wasted parse in wild_repo_rights 2011-01-12 00:37:09 +05:30
Sitaram Chamarty 10a30c961d (major change in big-config mode) split the compiled config file
Fedora's config has over 11,000 repositories and the compiled config
file is over 20 MB in size.  Although negligible on a server class
machine, on my laptop just parsing this file takes a good 2.5 seconds.

Even if you use GL_ALL_READ_ALL (see a couple of commits before this
one) to remove the overhead for 'read's, that's still a pretty big
overhead for writes.  And GL_ALL_READ_ALL is not really a solution for
most people anyway.

With this commit, using GL_BIG_CONFIG adds another optimisation; see
doc/big-config.mkd for details (look for the word "split config" to find
the section that talks about it).

----

Implementation notes:

  - the check for GL_NO_CREATE_REPOS has moved *into* the loop (which it
    completely bypassed earlier) so that write_1_compiled_conf can be
    called on each item
2011-01-02 11:30:29 +05:30
Sitaram Chamarty 7fc1e9459f (data format change) fix misnamed 'repo_config' to 'git_configs'
this change includes a minor data format change.  This should be mostly
transparent for upgrades though.
2011-01-02 10:21:39 +05:30
Sitaram Chamarty 27081ad1c1 new rc var: GL_ALL_READ_ALL 2011-01-02 10:21:39 +05:30
Sitaram Chamarty e98bde322e allow gitolite to be used when the users already have real IDs
Fedora (for example) runs like this:

  * each user has his own userid and login
  * his/her ~/.ssh/authkeys file (containing only his/her key) has a
    "command=" clause invoking just "gl-auth-command"
  * trusted users have "gl-auth-command -s" meaning they can get a shell if
    they want to

As a result, there is no specific $HOME where you can look for
.gitolite.rc.  Hence this patch

----

Side note: in addition, Fedora may have one or more of the following
characteristics (writing them here for convenience; they're not directly
relevant to this patch):

  * actual git repos are under "git" (or some such), and include the chmod g+s
    (git init --shared) unix perms tricks for shared access

  * but since they're coming through gl-auth, branch-level acls are in effect

  * the gitolite config file is generated from some database and compiled (all
    via cron)

  * they keydir/ is empty; in fact they probably don't use the admin repo at
    all, AFAIK
2010-12-28 13:58:53 +05:30
Sitaram Chamarty 5b9bf700cc allow access checks from ADC or hook
For sample code see new file contrib/adc/get-rights-and-owner.in-perl.
Despite the name, you can use similar code in a hook also -- comments in
that file will tell you how.

implementation notes:

  - check_access now takes an optional last arg "dry_run", which is also
    passes through to check_ref
  - check_ref returns a "DENIED by ..." instead of die-ing if dry_run is
    passed in

  - as a side effect, cli_repo_rights is now just a stub calling
    check_access (we kept it hanging around for backward compat -- too
    much adc pain for too many people if we change it now)
2010-12-25 12:40:41 +05:30
Sitaram Chamarty 975a0d05b0 minor fix to mirror-shell...
needed if $REPO_BASE contains slashes.

(reported/code sent by Dylan Simon)
2010-12-25 05:58:26 +05:30
Sitaram Chamarty 45a696c419 fine tune "no pubkeys" warning
perm categories (like READERS and WRITERS, or whatever you put in your
$GL_WILDREPOS_PERM_CATS) are *supposed* to "have no pubkeys"; don't warn
about them
2010-12-25 05:58:26 +05:30
Sitaram Chamarty 2bbcc8239c tighten up pattern to check rsync arguments
thanks to Joe Schaefer at the ASF for catching it.  Note that this new
pattern *may* be too restrictive -- if you're using this feature and
have a problem with the new pattern please email me.

See email to gitolite mailing list around this date (2010-11-28) for
more details.
2010-11-28 20:12:39 +05:30
Sitaram Chamarty db97c5a40a (minor) indentation fix
been meaning to do it for a while, but I got a push:

http://colabti.org/irclogger/irclogger_log/git?date=2010-11-26#l622

----

If I had been on the channel at that time I may have quoted Emerson on
"consistency" just for the fun of it...  ;-)
2010-11-28 09:34:47 +05:30
Teemu Matilainen 21a00bd6a9 gl-setup: Replace similar long one-liners with functions 2010-11-21 19:16:52 +05:30
Teemu Matilainen b0d641ef48 gl-setup: Avoid stupid "cd -" simulation tricks
They don't work if someone calls the script for example
    su - gitolite -c gl-setup <key>
from a directory where "gitolite" user does not have permissions (e.g.
0700), then 'cd $od' fails and we stay in gitolite's $HOME.

[commit message changed by committer; author was more polite ;-)]
2010-11-20 22:18:16 +05:30
Teemu Matilainen d8179f09bf Print to STDERR when dying
Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-11-20 21:54:56 +05:30
Sitaram Chamarty c1b27eae22 stick to regex metas that come with perl 5.8
we have a stated aim to work with any perl that git is happy with, which
means it should work with perl 5.8.  At least :)
2010-11-18 19:23:13 +05:30
Sitaram Chamarty 7313d48247 gitolite-down: disable write-access to take backups
(we quietly do not document the 'able' adc, which is now the most
"official" adc in the sense that it has a new test, t64-write-able!)

other notes: fix bug in 'able' (not setting $loc)
2010-11-16 22:57:23 +05:30
Sitaram Chamarty acfaa421d1 BSD compat changes
- openssh 5.6 doesn't like "ssh user@host" with no command following
    it, because they changed the rules for pty allocation failure.

    I'm calling this a BSD compat change because BSD hit it first, but
    really, the "ssh -T" will eventually be needed by Linuxes also, as
    they start upgrading to openssh 5.6

  - FreeBSD (and I presume the other BSDs also) *require* a "-t"
    argument to mktemp (thanks to matias for finding this).

    Note that on FreeBSD, -t is a prefix (the X's are taken literally,
    and the real random stuff gets appended to the prefix), while on
    Linux, it is a template (the X's are converted to random
    characters).  Thus, on BSD you will get names like
    /tmp/tmp.XXXXXXXXXX.1BAEGkHm, whereas on Linux you'll get
    /tmp/tmp.Aq7vbdNpGp or something.
2010-11-15 05:25:19 +05:30
Sitaram Chamarty 0b6edbf7c2 (minor) fix doc refs missed when we renamed some doc files 2010-11-15 05:25:18 +05:30
Sitaram Chamarty 270e0b9157 (minor) support saying 'repo.git' in the config file
but complain loudly so they stop doing this... :-)
2010-11-10 18:07:58 +05:30
Teemu Matilainen 6eb8558e8d compile: Allow empty @group definitions
Use case: group information is generated from an external system and
because of synchronization or authorization restrictions some groups
can be empty.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-11-10 12:38:15 +05:30
Sitaram Chamarty 047790140a custom perm categories in setperms (WARNING: PLEASE READ FULL COMMIT MESSAGE)
THE COMPILED CONFIG FILE FORMAT CHANGES WITH THIS VERSION.  PLEASE DO
NOT MIX VERSIONS OR DOWNGRADE.  Upgrading using normal gitolite upgrade
means should be fine, though.

Originally, we only allowed "R" and "RW" as categories of users supplied
to the `setperms` command.  These map respectively to "READERS" and
"WRITERS" in the access rules.

Now:

  - we prefer READERS instead of R and WRITERS instead of RW
  - we allow the admin to define other categories as she wishes
    (example: MANAGERS, TESTERS, etc).  These do not have abbreviations,
    however, so they must be supplied in full.

PLEASE, *PLEASE*, read the section in doc/wildcard-repositories.mkd for
more info.  This is a VERY powerful feature and if you're not careful
you could mess up the ACLs nicely.

Backward compat note: you can continue to use the "R" and "RW"
categories when running the "setperms" command, and gitolite will
internally convert them to READERS and WRITERS categories.

----

implementation notes:

  - new RC var called GL_WILDREPOS_PERM_CATS that is a space-sep list of
    the allowed categories in a gl-perms file; defaults to "R RW" if not
    specified

  - wild_repo_rights no longer returns $c, $r, $wC, where $r = $user if
    "R $user", $r = '@all' if "R @all", and similarly with $w and "RW".

    Instead it returns $c and a new hash that effectively gives the same
    info, but expanded to include any other valid categories (listed in
    GL_WILDREPOS_PERM_CATS)

  - consequently, the arguments that parse_acl takes also change the
    same way

  - (side note: R and RW are quietly converted to READERS and WRITERS;
    however, new categories that you define yourself do not have
    abbreviations)

  - setperms validates perms to make sure only allowed categories are
    used; however even if someone changed them behind the scenes,
    wild_repo_rights will also check.  This is necessary in case the
    admin tightened up GL_WILDREPOS_PERM_CATS after someone had already
    setperms-d his repos.

  - as a bonus, we eliminate all the post-Dumper shenanigans, at least
    for READERS and WRITERS.  Those two now look, to the compile script,
    just like any other usernames.
2010-11-06 21:03:34 +05:30
Sitaram Chamarty 7ddc3ea4c6 gl-setup should not assume $PWD is writable
noticed by idl0r when running it via cfengine
2010-11-04 13:24:41 +05:30
Sitaram Chamarty 6386d8ca2f gl-reflog adc gains 'usage', loses some crappy warnings
(actually these warnings can come in many other situations; I just
noticed them when testing this adc)
2010-10-28 19:34:46 +05:30
Sitaram Chamarty 84fe767b64 pubkeys and the pareto principle! 2010-10-26 20:30:10 +05:30
Sitaram Chamarty 8202ad6d8a (minor) allow @all to be combined with other items
This was a very old quirk/oddity.  Doing

    R       =   @all alice

would fail, but you could still do

    R       =   @all
    R       =   alice

Now we fixed it so it's consistent.

----

This also fixed a curious bug that no one ever caught:

    @all = u1 u2        # yes -- there was no check on redefining @all
    repo foo
        R   =   @all u3 # now would not fail because of defining @all

would have given only those 3 users R access to foo, not really @all
users!  This was because the previous failure message was an artifact of
not finding an expansion for @all, not a genuine "why are you saying
@all and then specifying some user explicitly" warning!
2010-10-24 18:27:56 +05:30
Sitaram Chamarty cd0eac8c3f (minor) a slew of little docfixes 2010-10-23 23:01:12 +05:30