Commit graph

84 commits

Author SHA1 Message Date
Sitaram Chamarty 3cf2970e0e info leak prevention can be a little more friendly
and acquire some German formality while you're about it ;-)
2010-10-08 05:45:26 +05:30
Sitaram Chamarty db0485fa7e new method for passing usergroup info (warning: minor backward compat breakage)
The old method of passing in usergroup info had some problems, which are
now fixed.  It is also much easier to use now -- no more "wrapper"
script, plus it should work identially whether you use sshd or httpd.

See doc/big-config.mkd for details on the new method.

----

Notes on problems with the old method:

The old method for passing in usergroup info consisted of tacking them
on as extra arguments to gl-auth-command, after the username.

However, there are some problems with this method.

Some actions in gitolite look for permissions for users other than the
invoking user.  Determining permissions for gitweb and daemon is one.
An admin asking for "info" on some other user, is another.

However, the list of groups sent in via the command line
pertains only to the invoking user, so these actions don't work
correctly.  They may even pick up the wrong permissions.

What it all boils down to is that we need group information for any user
dynamically, instead of being passed a (static) list just for the
invoking user.
2010-10-07 20:20:39 +05:30
Sitaram Chamarty 8a980a60bb tighten up argument handling in ADCs even more
More and more people are using ADCs, which I originally wrote just for
adventure-loving people ;-)
2010-10-06 21:30:17 +05:30
Sitaram Chamarty b6c93c7ce8 (http) I'm sorry DAV, I can't let you do that... 2010-09-05 21:04:39 +05:30
Sitaram Chamarty 370135d230 (http) better guess at reponame 2010-09-05 21:04:39 +05:30
Sitaram Chamarty 52e0ed3488 (http) auth: handle REQUEST_URI and friends
TODO: if the verb doesn't actually contain "git-receive-pack", I am
assuming it is some sort of read.  The list in services[] in
http-backend.c does not seem to look like any other verb is a "write";
need to check this with someone.

For normal git commands:
  - PATH_INFO gives you the repo name
  - REQUEST_URI gives you the verb
  - we construct a fake SSH_ORIGINAL_COMMAND so the rest of the
    processing does not have to change

For our special commands:
  - PATH_INFO is actually the verb
  - QUERY_STRING has the parameters
  - we again fake out the SSH_ORIGINAL_COMMAND
  - we print the extra HTTP headers in anticipation of the actual output

Either way, we also fake out the SSH_CONNECTION so that the IP address
can get logged ok

And of course REMOTE_USER is now the incoming userid

Finally, at the end, we exec GIT_HTTP_BACKEND instead of the normal one
2010-09-05 20:47:01 +05:30
Sitaram Chamarty 5188ec48ed fix a comment typo which totally changed the meaning! 2010-09-03 09:02:43 +05:30
Sitaram Chamarty 3a8f32ac9b minor fixups to the "gitweb/daemon from setperms" code...
- fork was not printing a newline after the permissions
  - "add_del_line" to properly handle that damn projects.list file!
2010-08-20 23:09:11 +05:30
Sitaram Chamarty 648676faec gitweb and daemon should now work even from within setperms
modifications:

  - call setup_gitweb_access and setup_daemon_access from with
    get_set_perms so when the user sets a perm explicitly it works
  - in setup_gitweb_access, do not delete description file or
    gitweb.owner if the repo is wild
  - make the "fork" adc set gitweb.owner *and* call setperms using
    GL_WILDREPOS_DEFPERMS
  - add tests

bug fixes:

  - gl-auth did not even *look* at GL_WILDREPOS_DEFPERMS when
    auto-"C"reating a wild repo; fixed
  - setup_gitweb_access did not delete the description file as
    consistently as it deleted the owner

what will NOT work:

  - removing gitweb permissions does not clear the name from
    "projects.list".  That's complicated, so just wait till the next
    "compile" to make this happen

(thanks to Jefferai for driving this...)

----

mildly puzzling:

    for some strange reason, after a "git ls-remote ...try3" in t58,
    instead of not creating a "description" file, we started seeing a
    73-byte file containing this message:

    Unnamed repository; edit this file 'description' to name the repository.
2010-08-20 21:02:18 +05:30
Sitaram Chamarty da210f21bd log elapsed time
I'm an idiot.  I say I won't do it, then I go and do it anyway.

Fortunately, in this case, the code and execution remain exactly the
same for people who do not set $GL_PERFLOGT in the rc file, so it's
tolerable.

<evil grin> People who want even more than this can contact Greg Lonnon
(see the mailing list archives at
http://groups.google.com/group/gitolite for an obfuscated but easy to
guess email address) ;-)
2010-08-17 22:35:16 +05:30
Sitaram Chamarty f21e7780a1 fix up gitweb, daemon, for wild + big-config
Implementation notes:

  - %repo_config is now "our", not "my"
  - collect_repo_patts now uses repo_rights to get the name of the wild
    card repo (if any) that pertains to the physical $repo, instead of
    all that new code (duh!)
  - new "can_read(repo, user)" sub (to help daemon and gitweb use)
  - the "convenience copy on steroids" thing now copies %repo_config
    also, not just %repos.  This makes setup_repo_configs simpler
  - $creator gets substituted into %groups also; we need that now that
    we (%repos and %groups) are working closer together :)
2010-08-11 22:38:16 +05:30
Sitaram Chamarty 509c73b888 gitweb/daemon now work for wild repos also
(thanks to Kevin Fleming for the need/use case)

TODO: tests
TODO: proper documentation; meanwhile, just read this:

  - you can give gitweb and daemon read rights to wild card repos also,
    and it'll all just work -- when a new repo is 'C'reated, it'll pick
    up those rights etc

  - you can assign descriptions (and owners) to individual repos as
    before, except now you can assign them to repos that actually were
    created from wild card patterns.  So for example, you can define
    rules for

        repo foo/..*

    and then assign descriptions like

        foo/repo1 = "repo one"
        foo/repo2 = "repo two"
        foo/dil "scott" = "scott's dilbert repo"

    However, this only works for repos that already exist, and only when
    you push the admin repo.

    Thumb rule: have the user create his wild repo, *then* add and push
    the admin config file with the description.  Not the other way
    around.

implementation notes:

  - wildcard support for git config revamped, refactored...

    it's not just git config that needs wildcard support.  daemon and
    gitweb access also will be needing it soon, so we start by factoring
    out the part that finds the "pattern" given a "real" repo name.

  - GL_NO_DAEMON_NO_GITWEB now gates more than just those two things;
    see doc/big-config.mkd for details

  - we trawl through $GL_REPO_BASE_ABS *once* only, collecting repo
    names and tying them to either the same name or to a wild pattern
    that the repo name was created from

  - nice little subs to setup gitweb, daemon, and git config

  - god bless $GL_REPOPATT and the day I decided to set that env var
    whenever a user hits a wild repo in any way :-)

  - the code in gl-compile-conf is very simple now.  Much nicer than
    before
2010-08-11 22:38:16 +05:30
Sitaram Chamarty 61802045d9 (mini refactor) clean up the repo_base_abs stuff
make it a sort of "super global" (an ENV var) all through, because
*everyone* seems to need it *and* this variable is pretty much constant
for the entire install
2010-08-11 22:38:16 +05:30
Sitaram Chamarty ad64f99522 git config settings in wild repos: part 2
call it after the new_repo in auth also
2010-08-11 22:38:15 +05:30
Sitaram Chamarty fda10c2805 mirroring support...
conf/example.gitolite.rc
  - "slave mode" flag to disable pushes and "list of slaves"

hooks/common/post-receive.mirrorpush
  - code to push to the mirror, creating the repo if needed

src/mirror-shell
  - shell for master pushing to a slave, because we don't actually want
    to go through gitolite itself, yet we have to take care of
    $REPO_BASE being wherever.  And of course we have to set
    GL_BYPASS_UPDATE_HOOK to 1 for the push to happen!

src/gl-mirror-sync
  - manually runnable program to sync from current server to another
2010-08-11 22:37:35 +05:30
Sitaram Chamarty bdb7cd6903 move empty ARGV check down after "-s" check
to make calling "gl-auth -s" (no username) work
2010-07-21 06:27:43 +05:30
Jeff Mitchell 38403c354f Add GL_WILDREPOS_DEFPERMS
allows a default 'setperms' string to be set for new wildcard
repositories.

Also, fix a bug in the fork script where a failure in the git command
would still cause the rest of the script to attempt to run.
2010-06-22 17:20:23 +05:30
Sitaram Chamarty 0f5f82e4f5 log message changes (warning: minor backward compat breakage)
The log message format has changed.  All log messages now have a common
prefix (timestamp, user, IP).  This is followed by $SSH_ORIGINAL_COMMAND
(or, in one special case, the name of the user's login shell).  Any
further text appears after this (currently this only happens in the case
of a successful push -- one for each ref pushed successfully)
2010-06-16 17:22:37 +05:30
Sitaram Chamarty 025de395dc (minor) 2010-05-21 21:32:55 +05:30
Sitaram Chamarty 8da223f92a (big-config) allow usergroup information to be passed in from outside
[Please NOTE: this is all about *user* groups, not *repo* groups]

SUMMARY: gl-auth-commmand can now take an optional list of usergroup
names after the first argument (which is the username).

See doc/big-config.mkd in the next commit or so
2010-05-14 21:44:51 +05:30
Sitaram Chamarty cf0e568c89 (big-config) the new "big-config" for large setups
If you have many thousands of repos and users, neatly organised into
groups, etc., the normal gitolite fails.  (It actually runs out of
memory very fast while doing the "compile" when you push the config, due
to the number of combinations of repo/user being stored in the hash!)

This commit series will stop doing that if you set $GL_BIG_CONFIG = 1 in
the rc file.

Some notes:

  - deny rules will still work but somewhat differently -- now they must
    be placed all together in one place to work like before.  Ask me for
    details if you need to know before I get done with the docs

  - I've tested most of the important features, but not every single
    nuance

  - the update hook may be a tad less efficient now; we can try and
    tweak it later if needed but it shouldn't really hurt anything
    significantly even now

  - docs have not been written yet
2010-05-14 20:43:13 +05:30
Sitaram Chamarty 3d9f230b41 Merge branch 'master' into pu (svnserve contrib code)
Conflicts:
	src/gl-auth-command
2010-05-10 08:12:09 +05:30
Vladimir Panteleev cf9bb98e87 tweaked and documented svnserve support 2010-05-10 07:01:50 +05:30
Sitaram Chamarty c4cbfabd4c spelling cluestick...
Ouch!  How mortifying :)  I'd always thought this was one of the Brit/US
differences, but to find out that it really *isn't* a word... hmph!

Anyway, in the interest of not breaking existing wild repos, the
ownership file is still called "gl-creater".  Everything else has been
changed.

(...thanks to Sverre)
2010-04-29 19:25:39 +05:30
Sitaram Chamarty 30bfeb8810 (adc) clean up and extend logging 2010-04-25 13:21:16 +05:30
Sitaram Chamarty 9d0a208b26 (adc) auth: git-init subcommand added
The "fork" adc cannot simply do a "git clone..."; hooks and gl-creater
won't get set up.  We need a way to initiate the *creation* of a repo
from a shell command, and then fetch the refs over.

For a long time, we used to trick gitolite into creating a repo for us
by simply using "git ls-remote host:reponame" ;-)  Now we have an actual
command, so we can say "ssh git@server git-init \'reponame\'"

Yes; those single quotes are required.  Deal with it.
2010-04-25 13:21:16 +05:30
Sitaram Chamarty 567e70ba40 (adc) admin-defined commands
This commit series allows an admin to designate a set of commands that
users can run.  For example, he can allow users to delete a repo that
they have created:

    ssh git@server rmrepo foo/me/bar

or fork (to use github's terminology) a repo they have "R" access to,
into a new one they have "C" access to:

    ssh git@server fork foo/someone-else/bar foo/me/bar

Please see documentation for details

----

(this commit)

  - (rc) new variable $GL_ADC_PATH; without this none of this is enabled
  - (pm) new helper routine "cli_repo_rights" to get rights/ownership
    from outside
  - (auth) call $GL_ADC_PATH/$cmd if it exists
2010-04-25 13:21:16 +05:30
Sitaram Chamarty 6be0946aee (rrq) gl-auth-command uses new repo_rights sub 2010-04-25 13:21:15 +05:30
Sitaram Chamarty 90e141cd61 (rrq) refactor all the rights querying
This commit series refactors all the rights querying logic.

  - old repo_rights sub renamed to wild_repo_rights
  - new repo_rights sub to be a single entry point for most rights
    queries
      - callable from gl-auth-command and expand_wild
      - callable from *outside* too, as long as $ENV{GL_USER} is set
  - the format of the returned permissions contains C, R, and W as
    applicable, with sigils reflecting the 3 possible ways in which you
    can get R or W perms (2 ways for C):
        @R  means @all users have the same access
        #R  means you're a "super user" (think root's shell prompt) so
            you can see all repos
         R  is the normal, explicit, access
2010-04-25 13:21:15 +05:30
Sitaram Chamarty 34aad34478 make "expand" also print version, like "info" does
(thanks to Ilari for catching this)
2010-04-16 19:23:18 +05:30
Sitaram Chamarty 72b63abaf2 auth, gitolite.pm: do not leak info about repo existence
All this is about a user trying to look if a repo exists or not, when he
does not have any access to that repo.  Ideally, "repo does not exist"
should be indistinguishable from "you dont have perms to that repo".

(1) if $GL_WILDREPOS is not set, you either get a permissions error, or
    a "$repo not found in compiled config" death.  Fixed.

(2) if $GL_WILDREPOS is set, you either get either a permissions error,
    or a "$repo has no matches" death.  Fixed.

(3) The following combination leaks info about repo existence:

      - actual repo doesn't exist
      - spying user don't have C perms
      - repo patt doesn't contain CREATER
      - RW+ = CREATER is specified (as is normal)

    In such case, the "convenience copy" of the ACL that parse_acl
    makes, coupled with substituting CREATER for the invoking user means
    $repos{$actual_repo} has RW+ for the spying user.  This means the
    access denied doesn't happen, and control passes to git, which
    promptly expresses it unhappiness and angst over being given a repo
    that 'does not appear to be a git repository'

    This doesn't happen if all those conditions are not met:

      - if repo exists, CREATER is set to the real creater, so RW+ =
        CREATER does not gain spying user anything
      - if spying user has C perms it just gets created, because he has
        rights.  This is also info leak but we can't prevent it; tighten
        the config (maybe by including CREATER in repo pattern) if this
        is not wanted
      - if repo patt contains CREATER it will never match someone else's
        repo anyway!
2010-03-29 21:18:39 +05:30
Sitaram Chamarty a45d2d9912 auth: do not implicitly assign RW access for creaters
a configuration like this:

    repo CREATER/.*
        C       =   CREATER
        RW+     =   WRITERS

was buggy; CREATER was implicitly part of WRITERS so he got RW
permissions implicitly, so the push went through
2010-03-27 22:55:58 +05:30
Sitaram Chamarty 7bfb3676b7 @all for repos is now much cleaner; a true @all...
- no need to put it at the end of the config file now, yeaaay!
  - @all for @all is meaningless and not supported.  People asking will
    be told to get a life or use git-daemon.
  - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-26 21:36:05 +05:30
Sitaram Chamarty 6dbaa0d325 auth: expand etc. *may* have single-quotes around reponame 2010-03-01 20:34:25 +05:30
Teemu Matilainen deda3da182 auth: do not anchor the pattern given for expand
Currently the pattern of expand command is line anchored.  This is
different than in e.g. grep, and causes extra work to add '.*' prefix
and/or suffix in many use cases.

The new semantics now mean you might get more matches than you would
have gotten earlier.  However, the expand command is still totally
undocumented, so I think it is acceptable to change the functionality.
;)

This patch removes the anchoring.  So for earlier behavior the specified
pattern needs be in form of '^<pattern>$'.  The default pattern is also
changed from '.*' to '^', so there might be even a small speed
improvement. =)

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-27 12:30:39 +05:30
Sitaram Chamarty ea123bbfb4 Merge branch 'dps' into master
Conflicts:
	doc/0-INSTALL.mkd
2010-02-25 20:28:02 +05:30
Sitaram Chamarty 1de9e963f0 auth: behave better when no argument supplied to wild commands
expand gets a default '.*' argument
others die with an error message
2010-02-18 19:20:46 +05:30
Sitaram Chamarty 74d70e3b9f move hooks out of src
src/hooks is now hooks/common
src/ga... is now hooks/gitolite-admin/post-update
2010-02-13 13:02:24 +05:30
Sitaram Chamarty 65b8c0c48a make $bindir absolute 2010-02-13 13:02:21 +05:30
Sitaram Chamarty 388f4d873d (IMPORTANT; read this in full) no more "wildrepos"
The wildrepos branch has been merged into master, and deleted.  It will no
longer exist as a separate branch.  Instead, a new variable
called $GL_WILDREPOS has been added which acts as a switch; when
off (which is the default), many wildrepos features are disabled.
(the "C" permissions, and the getperms (etc.) commands mainly).

Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in
the RC file when you upgrade to this version (or just before you do the
upgrade).
2010-02-07 13:22:43 +05:30
Sitaram Chamarty fc0b627f55 Merge branch 'master' into wildrepos
Conflicts:
	src/gitolite.pm
2010-02-05 07:05:43 +05:30
Sitaram Chamarty 767657c187 Merge teemu/topic/wildrepo_description_and_owner into wildrepos 2010-02-05 06:32:30 +05:30
Teemu Matilainen fa65d719a8 Enable setting desription for wildrepos
Allow users to set and display description (for gitweb) for their
own wildcard repositories using ssh commands:
  setdesc <repo>
  getdesc <repo>

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-05 06:32:04 +05:30
Sitaram Chamarty 86166f7adc $shell_allowed needs to be passed to specal_cmds
brought on by realising that you lost $shell_allowed when refactoring
(previous commit) but perl hadn't caught it because -- damn -- you
didn't have "use strict" in gitolite.pm
2010-02-04 15:25:22 +05:30
Sitaram Chamarty c43560d2ef Merge branch 'master' into wildrepos
lots of conflicts, esp in gl-auth-command, due to refactoring the
"special commands" stuff on master

Conflicts:
	doc/3-faq-tips-etc.mkd
	src/gitolite.pm
	src/gl-auth-command
	src/gl-compile-conf
2010-02-04 14:42:10 +05:30
Sitaram Chamarty 67c10a34fe auth: new subcommand "htpasswd"
great idea by Robin Smidsrød: since users are already capable of
authenticating themselves to gitolite via ssh keys, use that to let them
set or change their own HTTP passwords (ie, run the "htpasswd" command
with the correct parameters on behalf of the "git" user on the server)

code, rc para, and documentation.  In fact everything except... ahem...
testing ;-)

and while we're about it, we also reorganised the way these helper
commands (including the venerable "info" are called)
2010-02-04 11:55:24 +05:30
Sitaram Chamarty 2d9c4c4ae9 oops; logging bug 2010-02-01 16:54:39 +05:30
Sitaram Chamarty 43da598c08 auth: minor flow change when defaulting to "info" 2010-02-01 15:59:03 +05:30
Sitaram Chamarty 98a4c79dce (read this in full) access control for non-git commands running over ssh
This is actually a pretty big deal, and I am seriously starting wonder
if calling this "gito*lite*" is justified anymore.

Anyway, in for a penny, in for a pound...

This patch implements a generic way to allow access control for external
commands, as long as they are invoked via ssh and present a server-side
command that contains enough information to make an access control
decision.

The first (and only, so far) such command implemented is rsync.

Please read the changes in this commit (at least the ones in conf/ and
doc/) carefully.
2010-02-01 11:49:21 +05:30
Sitaram Chamarty 17c8075de7 Merge branch 'master' into wildrepos
factor out log_it and check_ref; update hook now requires gitolite.pm

Conflicts:
	src/hooks/update
2010-02-01 11:00:44 +05:30