Commit graph

249 commits

Author SHA1 Message Date
Sitaram Chamarty a45d2d9912 auth: do not implicitly assign RW access for creaters
a configuration like this:

    repo CREATER/.*
        C       =   CREATER
        RW+     =   WRITERS

was buggy; CREATER was implicitly part of WRITERS so he got RW
permissions implicitly, so the push went through
2010-03-27 22:55:58 +05:30
Sitaram Chamarty 6e17c74abf silly little PATH bug...
what this means is that until now, everyone who used easy-install
(without needing to set $GIT_PATH in the rc file) had a client-side PATH
that was perfectly valid on the server side also!
2010-03-26 21:36:28 +05:30
Sitaram Chamarty 7bfb3676b7 @all for repos is now much cleaner; a true @all...
- no need to put it at the end of the config file now, yeaaay!
  - @all for @all is meaningless and not supported.  People asking will
    be told to get a life or use git-daemon.
  - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-26 21:36:05 +05:30
Sitaram Chamarty a3f1258a0a reduce a bit of code duplication in check_access; make it call check_ref 2010-03-23 14:59:33 +05:30
Sitaram Chamarty bad0723974 allow @all to be used as a "user" in setperms 2010-03-18 22:06:25 +05:30
Sitaram Chamarty f282b8f926 gl-setup: dash-compat
before someone runs it on the new Ubuntu :)
2010-03-18 20:48:43 +05:30
Sitaram Chamarty bfc9c7aeb5 minor fixup; spurious error killed 2010-03-17 20:43:20 +05:30
Sitaram Chamarty 412a691810 compile: remove the sortsub for data dumper
Data dumper was failing (returning an empty string!) on an input config
file of about 350 lines or so (output 2400 lines or so).

Removing the sort sub fixed the problem.

To recap why that sub was put in (see deleted lines in this commit for
details), what we really want is that $creater must appear *last* in the
resulting dump.

So we trick it.  "man ascii" tells you that ~ is the highest valued
ASCII character (yes, I know, not utf-8 safe etc... I'll deal with that
if and when needed or punt!).  So we just put that in front of $creater
and remove it later...

You *don't* want to do this for $readers and $writers -- then they will
once again sort *after* $creater, which would be a bad thing.  Also,
it's probably better this way, because now the order of the hash keys
will be: $readers, $writers, any actual users listed, and then $creater.

This means the effective access rights will be:

1.  if you are the creater you get CREATER's rights
2.  else if your userid is listed *explicitly* in the config, you get
    those rights
3.  else if you've been setperm'd as a writer, you get WRITERS rights
4.  else if you've been setperm'd as a reader, you get READERS rights

This is different from what used to happen till now; READERS and WRITERS
used to trump explicitly given rights.  I'd been meaning to fix that
somehow, but never got around to it, until this DDD (damn Data Dumper!)
forced my hand :)
2010-03-17 19:30:14 +05:30
Sitaram Chamarty 83884aa758 compile/update hook: enable new style personal branches
The new style personal branches work by interpreting the special
sequence /USER/ (including the slashes) in a refname.  Docs should be in
the next commit...
2010-03-16 18:27:22 +05:30
Sitaram Chamarty ed5c78349e update hook now allows chaining to "update.secondary"
the changes to cp/scp are because without "-p" they dont carry perms
across to existing files.  So if you forgot to chmod +x your custom
hook and ran easy install, then after that you have to go to the server
side to fix the perms...
2010-03-14 22:48:25 +05:30
Sitaram Chamarty 367e8f8932 minor LFCR -> CRLF fix 2010-03-12 11:08:51 +05:30
Sitaram Chamarty 7588c8cf54 dps: gl-setup may have to create ~/.ssh and touch the authkeys file...
I've been unwilling to create the authkeys file if it does not already
exist, because it represents a significant change in accessibility for
that account.

However, in the "distro package" scenario, one wants to make it as easy
as possible for the end-user (who is actually an admin for the gitolite
being hosted on his account, let's not forget) to use.

And it seems that in some cases that might mean he does not (yet) have a
~/.ssh even...
2010-03-12 09:16:39 +05:30
Sitaram Chamarty 4b7d144971 easy install: suppress that misleading "fatal"
get rid of the "fatal: No HEAD commit to compare with (yet)" message
2010-03-09 22:17:17 +05:30
Sitaram Chamarty 369ff45d92 easy install seemed to out of the GIT_PATH loop
for some reason, I apparently did not test easy install with a
non-standard path!  Fixed...
2010-03-09 22:12:29 +05:30
Sitaram Chamarty 08811fa9c2 easy install: update ending message when non-std ssh port used 2010-03-07 19:33:33 +05:30
Sitaram Chamarty de0ecd0431 compile: make it easier to move repos into gitolite
when repos are copied over from elsewhere, one had to run easy install
once again to make the new (OS-copied) repo contain the proper update
hook.

We eliminate this step now, using a new, empty, "hook" as a sentinel and
having "compile" check/fix all repos' hooks.

Since you have to add the repos to conf anyway, this makes it as
seamless as possible.  The correct sequence now is

  - (server) copy the repo at the OS level
  - (admin clone) add it to conf/gitolite.conf, commit, push
2010-03-07 19:05:56 +05:30
Sitaram Chamarty 6dbaa0d325 auth: expand etc. *may* have single-quotes around reponame 2010-03-01 20:34:25 +05:30
Teemu Matilainen deda3da182 auth: do not anchor the pattern given for expand
Currently the pattern of expand command is line anchored.  This is
different than in e.g. grep, and causes extra work to add '.*' prefix
and/or suffix in many use cases.

The new semantics now mean you might get more matches than you would
have gotten earlier.  However, the expand command is still totally
undocumented, so I think it is acceptable to change the functionality.
;)

This patch removes the anchoring.  So for earlier behavior the specified
pattern needs be in form of '^<pattern>$'.  The default pattern is also
changed from '.*' to '^', so there might be even a small speed
improvement. =)

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-27 12:30:39 +05:30
Sitaram Chamarty de74e8d343 Merge branch 'master' into pu (damn!)
stupid me; committed the easy install patch on master *and* pushed,
instead of on pu...

Since I dont want to rewind master, we end up with this completely
unnecessary merge.
2010-02-26 07:29:18 +05:30
Sitaram Chamarty 42cc720eaa easy install: be more specific about NOT adding repos manually 2010-02-26 07:13:19 +05:30
Sitaram Chamarty ea123bbfb4 Merge branch 'dps' into master
Conflicts:
	doc/0-INSTALL.mkd
2010-02-25 20:28:02 +05:30
Sitaram Chamarty 1de9e963f0 auth: behave better when no argument supplied to wild commands
expand gets a default '.*' argument
others die with an error message
2010-02-18 19:20:46 +05:30
Sitaram Chamarty 8054a9e6d5 Merge branch 'teemu/topic/expand_all_repos' into pu 2010-02-18 18:44:58 +05:30
Teemu Matilainen e7ac085d61 List also non-wildcard repos in expand_wild
List also all matching and accessible non-wildcard repositories
in ssh expand command.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-18 13:50:18 +02:00
Sitaram Chamarty 16cea9bf8c compile: move checking of reponame/repopatt/username out of expand_list
let expand_list be just that "expand a list", and leave checking to be
done outside.

otherwise, commit 690604d79 has the side effect of restricting refs to
$REPOPATT_PATT, and so for instance barfing on the perfectly valid

    RW+ refs/(?!heads/master) = alice bob

(thanks to Teemu for catching this)
2010-02-18 06:10:08 +05:30
Sitaram Chamarty 83a017f884 htpassword: disallow empty passwords
[TODO: allow a callback for a password checking function, such as
"passwd_policy_check".  Question is where the function would go.
~/.gitolite.rc is the only possible place among the current set of files
but I'd rather leave that as a list of simple name=value lines for all
sorts of reasons.  So maybe something like ~/.gitolite.pm (analogous to
the "gitolite.pm" in the sources I supply), which would get "require'd"
if found, and would contain all user-defined functions like this one...
needs some thinking about]
2010-02-14 09:51:51 +05:30
Sitaram Chamarty 690604d79a compile: users and repos have groups... why not refs?
this came up in some other discussion with bremner.  As usual I said no
I won't do it because I don't see any real need.

...then I realised it's just one line :)
2010-02-13 20:07:29 +05:30
Sitaram Chamarty e674a7c64a (package maintainers read this) install doc updated
(about this commit)

    The install doc now describes both the ways of installing gitolite.
    It also has a handy appendix for package maintainers describing what
    they need to do.

(about the "dps" -- distro packaging support -- commit series)

    This commit is the last in the chain meant to make gitolite more
    friendly for package maintainers.

    Frankly, I never really thought gitolite would get big enough or
    important enough for someone to package it, and I always did just
    the bare minimum I needed to get it working, first for myself, then
    anyone who hopped onto #git and asked.  As a result, it had some
    quirks in terms of what is expected where and so on...

    Luckily, it didn't take a lot of changes to fix it, and this series
    of commits should help make it very easy to package gitolite for
    system-wide use.
2010-02-13 13:02:25 +05:30
Sitaram Chamarty 06d8ab4c18 make VERSION work in both types of setups
The old install method will now use conf/VERSION instead of src/VERSION everywhere.

The new one, if you use the builtin make file to "make branch.tar" will also create just such a file
2010-02-13 13:02:25 +05:30
Sitaram Chamarty e11f9521fe added server-side setup script 2010-02-13 13:02:25 +05:30
Sitaram Chamarty 927b6bb1aa dps: make install aware of distro-based setup
gl-install copies
  - the initial rc file to ~/.gitolite.rc if it doesn't exist
  - src and hooks to GL_ADMINDIR

Make it aware of a package-based setup sequence, where the above two
change somewhat; see code diff.

This should be the last bit of change needed to prepare gitolite setup
so that a distro package maintainer does not have to fiddle too much
with code inside.

(What remains is docs, and a setup script for server-side use, to
replace the latter part of easy install)
2010-02-13 13:02:25 +05:30
Sitaram Chamarty 59004b87a1 install: initial create of glrc should not assume PWD is project root
make it work regardless of how it is invoked, though we *do* assume
../conf/example.gitolite.rc exists
2010-02-13 13:02:24 +05:30
Sitaram Chamarty 74d70e3b9f move hooks out of src
src/hooks is now hooks/common
src/ga... is now hooks/gitolite-admin/post-update
2010-02-13 13:02:24 +05:30
Sitaram Chamarty 65b8c0c48a make $bindir absolute 2010-02-13 13:02:21 +05:30
Sitaram Chamarty 72bac2a21a dps: (distro packaging support) dont let install copy the sample conf 2010-02-08 16:46:30 +05:30
Sitaram Chamarty 1f9fbfa71e get "info" for users other than yourself
if you have read access to the admin repo, you can say

    ssh git@server info user1 [...]

Original idea and code by Karteek E.  The motivation is to quickly and
easily check what perms a user has.  Technically nothing that you can't
glean from the config file itself but it serves as a double check or a
mild debugging aid perhaps.

However note that the branch level rules are much more complex and they
do not, as yet, have any such "helpful" aids.  Life is like that
sometimes.
2010-02-07 19:23:08 +05:30
Sitaram Chamarty a472bf30df compile: tighten up the 'git config' feature
Gitolite allows you to set git repo options using the "config" keyword;
see conf/example.conf for details and syntax.

However, if you are in an installation where the repo admin does not
(and should not) have shell access to the server, then allowing him to
set arbitrary repo config options *may* be a security risk -- some
config settings may allow executing arbitrary commands.

This patch fixes it, introducing a new RC variable to control the
behaviour.  See conf/example.gitolite.rc for details
2010-02-07 13:23:07 +05:30
Sitaram Chamarty b299ff09c3 rsync: restrict the "path" part of the received command
Although I have washed my hands off the security aspect if you use
external commands, that doesn't mean I won't make them as tight as I can
;-)  Right now, this is just a place holder -- if people use it and
complain that the pattern is too restrictive, I'll change it.
2010-02-07 13:23:07 +05:30
Sitaram Chamarty 388f4d873d (IMPORTANT; read this in full) no more "wildrepos"
The wildrepos branch has been merged into master, and deleted.  It will no
longer exist as a separate branch.  Instead, a new variable
called $GL_WILDREPOS has been added which acts as a switch; when
off (which is the default), many wildrepos features are disabled.
(the "C" permissions, and the getperms (etc.) commands mainly).

Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in
the RC file when you upgrade to this version (or just before you do the
upgrade).
2010-02-07 13:22:43 +05:30
Sitaram Chamarty fc0b627f55 Merge branch 'master' into wildrepos
Conflicts:
	src/gitolite.pm
2010-02-05 07:05:43 +05:30
Sitaram Chamarty 85cc31c771 install/pm: turn hooks from copies to symlinks 2010-02-05 06:49:07 +05:30
Sitaram Chamarty 767657c187 Merge teemu/topic/wildrepo_description_and_owner into wildrepos 2010-02-05 06:32:30 +05:30
Teemu Matilainen fa65d719a8 Enable setting desription for wildrepos
Allow users to set and display description (for gitweb) for their
own wildcard repositories using ssh commands:
  setdesc <repo>
  getdesc <repo>

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-05 06:32:04 +05:30
Teemu Matilainen 00b793f5e6 Set gitweb.owner config for new wildrepos
When creating new wildrepos, add git config to tell gitweb
the owner of the repository.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-05 00:04:08 +02:00
Sitaram Chamarty 55a71f00e1 compile: die on authkeys write failure 2010-02-04 22:57:20 +05:30
Sitaram Chamarty 86166f7adc $shell_allowed needs to be passed to specal_cmds
brought on by realising that you lost $shell_allowed when refactoring
(previous commit) but perl hadn't caught it because -- damn -- you
didn't have "use strict" in gitolite.pm
2010-02-04 15:25:22 +05:30
Sitaram Chamarty c43560d2ef Merge branch 'master' into wildrepos
lots of conflicts, esp in gl-auth-command, due to refactoring the
"special commands" stuff on master

Conflicts:
	doc/3-faq-tips-etc.mkd
	src/gitolite.pm
	src/gl-auth-command
	src/gl-compile-conf
2010-02-04 14:42:10 +05:30
Sitaram Chamarty 67c10a34fe auth: new subcommand "htpasswd"
great idea by Robin Smidsrød: since users are already capable of
authenticating themselves to gitolite via ssh keys, use that to let them
set or change their own HTTP passwords (ie, run the "htpasswd" command
with the correct parameters on behalf of the "git" user on the server)

code, rc para, and documentation.  In fact everything except... ahem...
testing ;-)

and while we're about it, we also reorganised the way these helper
commands (including the venerable "info" are called)
2010-02-04 11:55:24 +05:30
martin f. krafft 0a7fa6c6b5 Tell gitweb about repo owner via git-config
Gitolite uses projects.list to set the owners for gitweb's use.
Unfortunately, this does not work for gitweb setups that set
$projectroot to a directory, thus generating the list of
repositories on the fly.

This patch changes that: gitolite now writes the gitweb.owner
configuration variable for each repository (and properly cleans up after
itself if the owner is removed).

The patch causes gitolite not to write the owner to projects.list
anymore, as this would be redundant.

The owner also needs no longer be escaped, so this patch removes the
poor man's 's/ /+/g' escaping previously in place.

Note that I am not a Perl coder. Thus there are probably better ways to
implement this, but at least it works.

Cc: Sitaram Chamarty <sitaramc@gmail.com>
Signed-off-by: martin f. krafft <madduck@madduck.net>
2010-02-03 15:51:04 +05:30
Sitaram Chamarty b1659db742 more fixes to wildcard reporting...
(thank God I don't warrant this part of gitolite ;-)
2010-02-01 23:32:03 +05:30
Sitaram Chamarty 2d9c4c4ae9 oops; logging bug 2010-02-01 16:54:39 +05:30
Sitaram Chamarty 43da598c08 auth: minor flow change when defaulting to "info" 2010-02-01 15:59:03 +05:30
Sitaram Chamarty 20c29c0145 rsync: log the command used 2010-02-01 15:59:00 +05:30
Sitaram Chamarty 18312de77a rsync: add support for delete/partial 2010-02-01 11:50:33 +05:30
Sitaram Chamarty 98a4c79dce (read this in full) access control for non-git commands running over ssh
This is actually a pretty big deal, and I am seriously starting wonder
if calling this "gito*lite*" is justified anymore.

Anyway, in for a penny, in for a pound...

This patch implements a generic way to allow access control for external
commands, as long as they are invoked via ssh and present a server-side
command that contains enough information to make an access control
decision.

The first (and only, so far) such command implemented is rsync.

Please read the changes in this commit (at least the ones in conf/ and
doc/) carefully.
2010-02-01 11:49:21 +05:30
Sitaram Chamarty 17c8075de7 Merge branch 'master' into wildrepos
factor out log_it and check_ref; update hook now requires gitolite.pm

Conflicts:
	src/hooks/update
2010-02-01 11:00:44 +05:30
Sitaram Chamarty 7f203fc020 update-hook/pm: made check_ref a common sub 2010-02-01 10:52:55 +05:30
Sitaram Chamarty 0b960cfae2 auth/update-hook/pm: make &log() a common function 2010-02-01 10:52:55 +05:30
Sitaram Chamarty bc0a478e64 auth: minor fix to reporting on wildcard repos
Mpenz asked what would happen if the config looked like

    repo foo/abc
        R   sitaram

    repo foo/.*
        RW  sitaram

If you asked for an expand of '.*', it would pick up permissions from
the second set (i.e., "RW") and print them against "foo/abc".

This is misleading, since those are not the permissions that will
actually be *used*.  Gitolite always uses the more specific form if it
is given, which means your actual permissions are just "R".

This patch is to prevent that misleading reporting in this corner case.
2010-01-30 05:06:16 +05:30
Sitaram Chamarty 4142be4e59 auth: reporting changes for wildcard-created repos
- see *all* wildcard repos you have access to (this uses line-anchored
    regexes as described in doc/4).  Examples:
        ssh git@server expand '.*'
        ssh git@server expand 'assignment.*'

  - show perms like the info command does

Please see comments against 02cee1d for more details and caveats.
2010-01-29 16:37:34 +05:30
Sitaram Chamarty 76f8615a92 Merge branch 'pu' into pu-wildrepos 2010-01-29 09:12:24 +05:30
Teemu Matilainen 9c171d166d "expand" should print to SDTOUT instead of STDERR
Other ssh commands where fixed in 15475f666c,
but "expand" was somehow missed.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-28 22:18:12 +02:00
Sitaram Chamarty 98d73965b6 easy install: two rc file update bugs fixed
The "msysgit doesnt have 'comm'" commit (from 2 days ago), had 2 bugs:

  - (smaller) the "+++" which was part of the diff header was triggering
    a spurious rc file "new variables" warning, but there were no actual
    variables to update
  - (bigger) worse, the grep command, when there were no matches,
    coupled with the "set -e" to kill the program right there (ouch!)
2010-01-27 19:42:58 +05:30
Sitaram Chamarty 0fbe739772 (rats! msysgit doesnt have 'comm'...) 2010-01-25 14:36:02 +05:30
Sitaram Chamarty c3ec349721 sshkeys-lint: new program
run without arguments for usage
2010-01-25 13:17:14 +05:30
Sitaram Chamarty c8d4aef460 compile: allow "#" in *simple* strings
like: config notify.ircChannel = "#foo"

(thanks, jhelwig)
2010-01-23 16:56:04 +05:30
Sitaram Chamarty 716681a0ce Merge branch 'master' into wildrepos
major changes brought in:

    compile: disallow multiple pubkeys in one file
2010-01-17 16:47:34 +05:30
Sitaram Chamarty 645ab77af5 compile: disallow multiple pubkeys in one file
The way pubkey files are handled by gitolite, this could be used by a
repo admin to get shell access.  It's always been there as an
undocumented emergency mechanism for an admin who lost his shell keys or
overwrote them due to not understanding ssh well enough (and it has been
so used at least once).

But not any more...

Like the @SHELL case, this reflects a shift away from treating people
with repo admin rights as eqvt to people who have shell on the server,
and systematically making the former lesser privileged than the latter.

While in most cases (including my $DAYJOB) these two may be the same
person, I am told that's not a valid assumption for others, and there've
been requests to close this potential loophole.
2010-01-17 16:31:47 +05:30
Sitaram Chamarty bede47e2db Merge branch 'master' into wildrepos
Conflicts:
	src/hooks/update
2010-01-14 20:47:04 +05:30
Sitaram Chamarty ecfd20e793 @SHELL is now $SHELL_USERS in the rc file (warning: backward compat breakage)
Stop conflating the privilege to push changes to the admin repo with the
privilege to get a shell on the server.

Please read doc/6 carefully before upgrading to this version.  Also
please ensure that the gitolite key is *not* your only means to get a
command line on the server
2010-01-14 19:35:46 +05:30
Sitaram Chamarty a9824464e5 update hook: anchor refex with ^ when matching refs
Currently, a line like

    RW  foo =   user1

allows user1 to push any ref that contains the string refs/heads/foo.
This includes refs like

    refs/heads/foo
    refs/heads/foobar
    refs/heads/foo/bar

which is fine; that is what is intended.  (You can always use foo$
instead of foo if you want to prevent the latter two).

Similarly,

    RW  refs/foo    =   user1

allows

    refs/foo
    refs/foobar
    refs/foo/bar

Now, I don't see this as a "security risk" but the fact is that this
allows someone to clutter your repo with junk like

    refs/bar/refs/heads/foo
    refs/heads/bar/refs/heads/foo

(or, with the second config line example,

    refs/bar/refs/foo
    refs/heads/bar/refs/foo
)

My personal advice is if you find someone doing that intentionally, you
should probably take him out and shoot him [*], but since now *two*
people have complained about this, here goes...

----

[*]     you don't have to take him out if you don't want to
2010-01-13 15:17:55 +05:30
Teemu Matilainen 15475f666c Fix exit codes for allowed ssh commands
gitolite specific ssh commands ("getperms", "setperms", "info" etc.)
should exit with non-error code in case of success.

Also "get/setperms" should print to STDOUT instead of STDERR.

This change is specially needed for the gitolite-tools
(http://github.com/tmatilai/gitolite-tools) to work.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-10 11:24:57 +05:30
Teemu Matilainen 6c38e30e9a compile: support "include" definition
Support config file including using:
include "filename"

If filename is not an absolute path, it is looked from the
$GL_ADMINDIR/conf/ directory.

For security reasons include is not allowed for fragments.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-10 09:50:20 +05:30
Sitaram Chamarty 839027f7a7 change delegation to NAME/ style (warning: backward compat breakage)
This is a backward incompatible change.  If you are using delegation and
you upgrade to this version, please do the following:

  * change your gitolite.conf file to use the new syntax (see
    doc/5-delegation.mkd in this commit)

  * for each branch "foo" in the gitolite-admin repo, do this:

        # (on "master" branch)
        git checkout foo -- conf/fragments/foo.conf

  * git add all those new fragments and commit to master

  * delete all the branches on your clone and the server

        # again, for each branch foo
        git branch -D foo
        git push origin :foo
2010-01-10 09:50:08 +05:30
Sitaram Chamarty 08ef3555a1 deprecation warning about old style PATH/ syntax
(this commit will probably get reverted after a suitable period has
elapsed and no one is likely to still be using the old syntax).

Forgetting to change it to NAME/ after is a security issue -- you end up
permitting stuff you don't want to!

This commit allows the old syntax but prints a warning
2010-01-09 20:31:07 +05:30
Sitaram Chamarty 7124faa9f3 NAME-based restrictions
Gitolite allows you to restrict changes by file/dir name.  The syntax
for this used "PATH/" as a prefix to denote such file/dir patterns.
This has now been changed to "NAME/" because PATH is potentially
confusing.

While this is technically a backward-incompatible change, the feature
itself was hitherto undocumented, and only a few people were using it,
so I guess it's not that bad...

Also added documentation now.
2010-01-09 20:30:53 +05:30
Sitaram Chamarty ab3c861241 Revert "easy install: needs a minor fix to accommodate auto-vivification"
This reverts commit 6576e82e33.

On oddball configs, where the shell key is reused as the gitolite key by
smart( people|-alecks), the ls-remote stops the program dead, preventing
the "git add" and "git commit" that seed the admin repo.

This makes extra work in terms of fixing it after the fact; removing it
makes the install go further, and all you need to do is (1) delete the
first line from ~/.ssh/authorized_keys on the server and (2) back on the
client do a "git clone gitolite:gitolite-admin".

OK so it needs to be removed.  Explaining that was the easy part!  The
hard part is explaining why removing it is harmless.

Look at the commit tree around that commit, and see that the commit
before that (b78a720) was partially reverted in e7e6085.  b78a720
removed the new_repo call from compile, forcing it to happen only on
auth, which forced this workaround for seeding the admin repo.

Since e7e6085 reverted that part of b78a720, giving back new_repo
functions to compile, this line of code wasn't doing any good.  QED and
all that :)
2009-12-30 22:15:58 +05:30
Sitaram Chamarty 79647078a3 auth: regex goof on my part
for those not yet able to upgrade (or until I merge this into the branch
you care about), if you have a repo called, say "bk2git", just refer to
it as "bk2git.git" in the clone command!

[Thanks to Mark Frazer for finding this...]
2009-12-25 01:13:31 +05:30
Sitaram Chamarty 1a80f0182d Merge branch 'master' into wildrepos 2009-12-23 20:00:56 +05:30
Sitaram Chamarty b0ce84d47f document @SHELL feature, allow "info" for all,
...but still distinguish shell folks with a small extra line telling
them they have shell access
2009-12-23 19:57:36 +05:30
Sitaram Chamarty 9c3abb20e1 easy install: minor user message change for first-time install 2009-12-22 14:33:47 +05:30
Sitaram Chamarty 203d5690be Merge branch '@all-for-repos' into wildrepos
Conflicts:
	src/gl-compile-conf
2009-12-21 23:02:02 +05:30
Teemu Matilainen f37fb45144 compile: support "repo @all" definitions
"repo @all" can be used to set permissions or configurations for all
already defined repos.  (A repository is defined if it has permission
rules associated, empty "repo" stanza or "@group=..." line is not enough.)

For example to allow a backup user to clone all repos:

  # All other configuration
  [...]
  repo @all
       R = backup

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-21 22:11:21 +05:30
Sitaram Chamarty 03babe7772 parse_acl (gitolite.pm): minor convenience added 2009-12-21 19:59:26 +05:30
Sitaram Chamarty 6fb2296e2c autoviv new repos by user only on "C" access
we've removed the facility of auto-viving "W" access repos when they are
not wildcards.  A wildcard pattern like foo/CREATER was
indistinguishable from a non-wildcard repo, and resolving it was
becoming kludgier and kludgier.  (See the revert in the commit before
this one for details).

As a side effect of not being able to distinguish wildcard repos from
real repos easily, the expand command now works for a normal repo too
(because we have to make it work for "foo/CREATER")
2009-12-21 19:58:36 +05:30
Sitaram Chamarty 981d693dec Revert "compile, parse_acl: treat foo/CREATER (no regex metas) correctly"
This reverts commit 33fc0a7e9f.

Was causing too much trouble with access reporting (basic and expanded)
because of the extra ^ at the start...

The paranoia referred to in that commit was this sequence:

  - admin creates a named (non wildcard) repo using config file push
  - somehow that gets deleted (OS error, corruption, ...)
  - admin just asks anyone with a current repo to push it to auto-revive
    it (because we allow people with "W" access to non-wildcard repos to
    auto-viv repos)
  - if you're treating this the same as a wildcard creation, you end up
    making this guy the "creater" of that repo, which means he can add
    users etc...

We resolve that paranois by disallowing autoviv of "W" access repos at
all...  Only "C" access repos can be autovived by a user (this will be
in the next commit)
2009-12-21 17:39:33 +05:30
Sitaram Chamarty d49bb6b423 Merge branch 'master' into wildrepos
Conflicts:
	src/gitolite.pm
	src/gl-auth-command
2009-12-20 06:58:33 +05:30
Sitaram Chamarty 2cc19091ca compile: gitolite key as good as shell key for users in @SHELL group
done by inserting a "-s" into the authkey forced command.

(They also lose the "no-pty" restriction, for good measure!)
2009-12-19 22:47:16 +05:30
Sitaram Chamarty 75de6c0438 auth: (WDITOT?) allow special users to get a shell
".../gl-auth-command username" is the normal command that authkeys
forces, and this prevents that key from being used to get a shell.

We now allow the user to get a shell if the forced command has a "-s"
before the "username", like ".../gl-auth-command -s sitaram".

(Now that a plain "ssh gitolite" gets you a shell, there's a new "info"
command that such privileged keys can use to get basic access info).

Thanks to Jesse Keating for the idea!  I can't believe this never
occurred to me before, but I guess I was so enamoured of my "innovation"
in converting what used to be an error into some useful info I didn't
think a bit more :/
2009-12-19 22:47:11 +05:30
Sitaram Chamarty b679bbb56b allow '+' as valid character in user/reponames 2009-12-18 10:15:35 +05:30
Sitaram Chamarty 512fc4a0a5 auth: set umask when autoviv-ing repos
Looks like I'd forgotten this when I did the autoviv code.  Repos
created via gl-compile (when you add a new repo to the config file and
push) worked fine, but repos created via gl-auth (when you autoviv a
repo, wild or not) did not.

This *should* be merged into wildrepos soon after testing; wildrepos
will have a lot more autoviv-ing than master.
2009-12-17 14:11:58 +05:30
Sitaram Chamarty b7404aa772 auth/install/pu-hook: pass ADMINDIR and BINDIR via ENV
The admin repo's post-update hook needs to know where $GL_ADMINDIR is,
and we had a weird way of doing that which depended on gl-install
actually munging the hook code.

We also always assumed the binaries are in GL_ADMINDIR/src.

We now use an env var to pass both these values.  This removes the weird
dependency on gl-install that the post-update hook had, as well as make
running other programs easier due to the new $GL_BINDIR env var.
2009-12-17 14:11:55 +05:30
Sitaram Chamarty ecdf6f2350 auth: don't allow literal ".." in reponames
thanks to Teemu for catching this
2009-12-13 12:43:44 +05:30
Sitaram Chamarty 3eb29e17fc allow @ in repo names and patterns
stuff like "repo foo/CREATER/.+" means the reponame has to be a superset
of the username in terms of allowed characters
2009-12-12 10:11:34 +05:30
Sitaram Chamarty a15e910cf8 auth: dont allow trailing slash in reponames...
...like "git clone host:foo/", even if it matches "repo foo/.*"

NOTE: I expect a few more of these special cases to be found as time
goes on and people find new ways to abuse the regex system, whether it
is done intentionally or not.  Anything not fixable by changing the
config file will be fixed in the code asap.

This one, for instance, seems fixable by using "foo/.+" instead of
"foo/.*".  But it actually isn't; the user can do "git clone host:foo//"
and bypass that :(

Still I suspect most situations will get an entry in the "then don't do
that" file :)

----

    patient: "doc, it hurts when I do this"
    doc:     "then don't do that"
2009-12-11 21:37:33 +05:30
Sitaram Chamarty ff28acb059 Merge branch 'master' into wildrepos
master brought in:

  - full email addresses as usernames
  - repo-specific git config

Conflicts:
	doc/3-faq-tips-etc.mkd
	src/gitolite.pm
	src/gl-compile-conf
2009-12-11 11:23:26 +05:30
Sitaram Chamarty 33fc0a7e9f compile, parse_acl: treat foo/CREATER (no regex metas) correctly
Teemu's testing brought up a situtation I had not anticipated:
"repo foo/CREATER" looks like a non-regex, and its creation then (a)
goes by "W" permissions instead of "C" permissions, and (b) the
creater's name does not get recorded (no gl-creater file).

    SIDE NOTE: one way is to reduce the paranoia, and just put the
    creater name in anyway.  Treat a repo created from gl-auth as a
    wildcard-matched autovivified repo, because the *other* kind would
    have actually got created by gl-compile anyway.

    However, I can think of *one* very far-out situation where this
    could backfire on an unwary admin, and I'm paranoid :-)

So we need to force it to look like a regex.  Moving the line-anchoring
from `parse_acl` to gl-compile sounded fine, until I realised that the
"$" isn't easy.  Backslashitis, bigtime, plus the single/double quote
tricks we're playing with the dumped hash adds its own complexities.

Best of both worlds, promote the "^" to gl-compile, keep the "$" where
it is...!
2009-12-11 10:51:37 +05:30
Teemu Matilainen 3403d40d0e Add support for repo configurations
Git repository configurations can be set/unset by declaring "config"
lines in "repo" stanzas in gitolite.conf. For example:

repo gitolite
	config hooks.mailinglist = gitolite-commits@example.tld
	config hooks.emailprefix = "[gitolite] "
	config foo.bar = ""
	config foo.baz =

The firs two set (override) the values. Double quotes must be used to
preserve preceding spaces. Third one sets an empty value and the last
removes all keys.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-09 07:12:01 +05:30
Sitaram Chamarty 38255e4096 merge "allow full email addresses as usernames"
Merge branch 'pu'
2009-12-08 15:14:29 +05:30
Sitaram Chamarty 4441ed82e4 compile: allow full email addresses as usernames
we had usurped the email style syntax to separate multiple keys
belonging to the same person, like sitaram@desktop.pub and
sitaram@laptop.pub.  If you have so many users that you need the full
email address to disambiguate some of them (or you want to do it for
just plain convenience), you couldn't.

This patch fixes that in a backward compatible way.  See
doc/3-faq-tips-etc.mkd for details.
2009-12-08 15:14:05 +05:30