brought on by realising that you lost $shell_allowed when refactoring
(previous commit) but perl hadn't caught it because -- damn -- you
didn't have "use strict" in gitolite.pm
lots of conflicts, esp in gl-auth-command, due to refactoring the
"special commands" stuff on master
Conflicts:
doc/3-faq-tips-etc.mkd
src/gitolite.pm
src/gl-auth-command
src/gl-compile-conf
great idea by Robin Smidsrød: since users are already capable of
authenticating themselves to gitolite via ssh keys, use that to let them
set or change their own HTTP passwords (ie, run the "htpasswd" command
with the correct parameters on behalf of the "git" user on the server)
code, rc para, and documentation. In fact everything except... ahem...
testing ;-)
and while we're about it, we also reorganised the way these helper
commands (including the venerable "info" are called)
This is actually a pretty big deal, and I am seriously starting wonder
if calling this "gito*lite*" is justified anymore.
Anyway, in for a penny, in for a pound...
This patch implements a generic way to allow access control for external
commands, as long as they are invoked via ssh and present a server-side
command that contains enough information to make an access control
decision.
The first (and only, so far) such command implemented is rsync.
Please read the changes in this commit (at least the ones in conf/ and
doc/) carefully.
- see *all* wildcard repos you have access to (this uses line-anchored
regexes as described in doc/4). Examples:
ssh git@server expand '.*'
ssh git@server expand 'assignment.*'
- show perms like the info command does
Please see comments against 02cee1d for more details and caveats.
gitolite specific ssh commands ("getperms", "setperms", "info" etc.)
should exit with non-error code in case of success.
Also "get/setperms" should print to STDOUT instead of STDERR.
This change is specially needed for the gitolite-tools
(http://github.com/tmatilai/gitolite-tools) to work.
Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
for those not yet able to upgrade (or until I merge this into the branch
you care about), if you have a repo called, say "bk2git", just refer to
it as "bk2git.git" in the clone command!
[Thanks to Mark Frazer for finding this...]
we've removed the facility of auto-viving "W" access repos when they are
not wildcards. A wildcard pattern like foo/CREATER was
indistinguishable from a non-wildcard repo, and resolving it was
becoming kludgier and kludgier. (See the revert in the commit before
this one for details).
As a side effect of not being able to distinguish wildcard repos from
real repos easily, the expand command now works for a normal repo too
(because we have to make it work for "foo/CREATER")
".../gl-auth-command username" is the normal command that authkeys
forces, and this prevents that key from being used to get a shell.
We now allow the user to get a shell if the forced command has a "-s"
before the "username", like ".../gl-auth-command -s sitaram".
(Now that a plain "ssh gitolite" gets you a shell, there's a new "info"
command that such privileged keys can use to get basic access info).
Thanks to Jesse Keating for the idea! I can't believe this never
occurred to me before, but I guess I was so enamoured of my "innovation"
in converting what used to be an error into some useful info I didn't
think a bit more :/
Looks like I'd forgotten this when I did the autoviv code. Repos
created via gl-compile (when you add a new repo to the config file and
push) worked fine, but repos created via gl-auth (when you autoviv a
repo, wild or not) did not.
This *should* be merged into wildrepos soon after testing; wildrepos
will have a lot more autoviv-ing than master.
The admin repo's post-update hook needs to know where $GL_ADMINDIR is,
and we had a weird way of doing that which depended on gl-install
actually munging the hook code.
We also always assumed the binaries are in GL_ADMINDIR/src.
We now use an env var to pass both these values. This removes the weird
dependency on gl-install that the post-update hook had, as well as make
running other programs easier due to the new $GL_BINDIR env var.
...like "git clone host:foo/", even if it matches "repo foo/.*"
NOTE: I expect a few more of these special cases to be found as time
goes on and people find new ways to abuse the regex system, whether it
is done intentionally or not. Anything not fixable by changing the
config file will be fixed in the code asap.
This one, for instance, seems fixable by using "foo/.+" instead of
"foo/.*". But it actually isn't; the user can do "git clone host:foo//"
and bypass that :(
Still I suspect most situations will get an entry in the "then don't do
that" file :)
----
patient: "doc, it hurts when I do this"
doc: "then don't do that"
This feature has *no* warranty, and so no documentation. Not more than
this transcript anyway.
config file:
@prof = u1
@TAs = u2 u3
@students = u4 u5 u6
repo assignments/CREATER/a[0-9][0-9]
C = @students
RW+ = CREATER
RW = WRITERS @TAs
R = READERS @prof
session:
as user "u4":
# check your permissions
$ ssh git@server
PTY allocation request failed on channel 0
hello u4, the gitolite version here is v0.95-31-gbcb14ca
you have the following permissions:
C assignments/CREATER/a[0-9][0-9]
@ @ testing
Connection to localhost closed.
# autovivify repos for assignment 12 and 24
$ git clone git@server:assignments/u4/a12 a12
Initialized empty Git repository in /home/sitaram/t/a12/.git/
Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a12.git/
warning: You appear to have cloned an empty repository.
$ git clone git@server:assignments/u4/a24 a24
Initialized empty Git repository in /home/sitaram/t/a24/.git/
Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a24.git/
warning: You appear to have cloned an empty repository.
# check what repos you autovivified
$ ssh git@server expand assignments/u4/a[0-9][0-9]
(u4) assignments/u4/a12
(u4) assignments/u4/a24
as user "u5":
# check your basic permissions
$ ssh git@server
PTY allocation request failed on channel 0
hello u5, the gitolite version here is v0.95-31-gbcb14ca
you have the following permissions:
C assignments/CREATER/a[0-9][0-9]
@ @ testing
Connection to localhost closed.
# see if you have access to any of u4's repos
$ ssh git@server expand assignments/u4/a[0-9][0-9]
# (no output produced)
as user "u4":
# allow "u5" read access to assignment 12
# note you type in "R u5", hit enter, then hit Ctrl-D. Gitolite
# then produces a confirmation message starting "New perms are:"
$ ssh git@server setperms assignments/u4/a12
R u5
New perms are:
R u5
as user "u5":
# again see if you have access to any u4 repos
$ ssh git@server expand assignments/u4/a[0-9][0-9]
(u4) assignments/u4/a12
as user "u4":
# check what permissions you gave to assignment 12
$ ssh git@server getperms assignments/u4/a12
R u5
# add RW access to "u6" to assignment 12
# again, type 'em in, then hit Ctrl-D; and note each time you run
# this you're starting from scratch -- you can't "add to" the
# permissions. Deal with it...
$ ssh git@server setperms assignments/u4/a12
R u5
RW u6
New perms are:
R u5
RW u6
as user "u6":
# check what u4 stuff you have access to
$ ssh git@server expand assignments/u4/a[0-9][0-9]
(u4) assignments/u4/a12
- new_repo now takes a "creater" parameter; if given, this user is
recorded (in a file called "gl-creater") as the creater of the repo.
Only applicable to wildcards
- repo_rights reads "gl-creater" and "gl-perms" to tell you who
created it, and whether you (the $user) are in the list of READERS
or WRITERS
**NOTE** that the mechanism to create/update gl-perms has not been
written yet... (as of this commit)
- parse_acl takes 4 more arguments, all optional. The repo name we're
interested in (set by all except the access reporting function), and
the names to be interpolated as $creater, $readers, writers
- report_basic now knows about the "C" permission and shows it
- auth now autovivifies a repo if the user has "C" and it's a wildcard
match, or (the old case) the user has "W" and it's not a wildcard.
In the former case, the creater is also set
IMPLEMENTATION NOTES:
- the Dumper code now uses a custom hash key sort to make sure
$creater etc land up at the *end*
- a wee bit of duplication exists in the update hook; it borrows a
little code from parse_acl. I dont (yet) want to include all of
gitolite.pm for that little piece...
all of this is prep for the upcoming, all-new, chrome-plated,
"wildrepos" branch :)
- many variables go to gitolite.pm now, and are "our"d into the other
files as needed
- new functions parse_acl, report_basic to replace inlined code
the "create a new repo" code moves from compile to auth.
Only someone who has W access can create it, but he can do so even on a
"R" operation (like clone or ls-remote).
This is a pre-requisite for rebel's wildcard repos, where
autovivification is the only way you can create arbitrary repos matching
a pattern.
The only reason it's getting into master is because it looks cool!
----
OK that's a lie; the real reason is to keep the two branches as similar
as possible, though they;ve diverged quite a bit since the "only
one-line difference" days where "rebel" just meant "deny/exclude"
rules!)
I don't have a use for "@all" at all (pun not intended!) other than the
"testing" repo, but <teemu dot matilainen at iki dot fi> sent in a patch
to mark those repos with "R" and "W" in the permissions list, and I
started thinking about it.
This could actually be useful if we *differentiated* such access from
normal (explicit username) access. From the "corporate environment"
angle, it would be nice if a project manager could quickly check if any
of his projects have erroneously been made accessible by @all.
So what we do now is print "@" in the corresponding column if "@all" has
the corresponding access.
Also, when someone has access both as himself *and* via @all, we print
the "@"; printing the "R" or "W" would hide the "@", and wouldn't
correctly satisfy the use case described above.
Packaging gitolite for debian requires the rc file to be in /etc/gitolite.
But non-root installs must still be supported, and they need it in $HOME.
This means the rc file is no longer in a fixed place, which needs code to find
the rc file first. See comments inside new file 'gitolite.pm' for details.
The rest of the changes are in the other programs, to replace the hard-coded
rc filename with a call to this new code.
- warn about files in keydir/ that dont end with ".pub"
- warn about pubkey files for which the user is not mentioned in config
- warn more sternly about the opposite (user in config, no pubkey!)
update hook: add reponame to message on deny
auth: minor typo
(thanks to SethX for feedback)
- install: a little more verbosity in the mkdir
- install and example conf: some of the help text made more clear
- auth: error message on bad $cmd is now clearer, plus no perl-warnings to
confuse people
- logs go into $GL_ADMINDIR/logs by default, named by year-month
- logfile name template (including dir prefix) now in $GL_LOGT
- two new env vars passed down: GL_TS and GL_LOG (timestamp, logfilename)
- log messages timestamps more compact, fields tab-delimited
- old and new SHAs cut to 14 characters