Commit graph

91 commits

Author SHA1 Message Date
Sitaram Chamarty 83a017f884 htpassword: disallow empty passwords
[TODO: allow a callback for a password checking function, such as
"passwd_policy_check".  Question is where the function would go.
~/.gitolite.rc is the only possible place among the current set of files
but I'd rather leave that as a list of simple name=value lines for all
sorts of reasons.  So maybe something like ~/.gitolite.pm (analogous to
the "gitolite.pm" in the sources I supply), which would get "require'd"
if found, and would contain all user-defined functions like this one...
needs some thinking about]
2010-02-14 09:51:51 +05:30
Sitaram Chamarty e674a7c64a (package maintainers read this) install doc updated
(about this commit)

    The install doc now describes both the ways of installing gitolite.
    It also has a handy appendix for package maintainers describing what
    they need to do.

(about the "dps" -- distro packaging support -- commit series)

    This commit is the last in the chain meant to make gitolite more
    friendly for package maintainers.

    Frankly, I never really thought gitolite would get big enough or
    important enough for someone to package it, and I always did just
    the bare minimum I needed to get it working, first for myself, then
    anyone who hopped onto #git and asked.  As a result, it had some
    quirks in terms of what is expected where and so on...

    Luckily, it didn't take a lot of changes to fix it, and this series
    of commits should help make it very easy to package gitolite for
    system-wide use.
2010-02-13 13:02:25 +05:30
Sitaram Chamarty 06d8ab4c18 make VERSION work in both types of setups
The old install method will now use conf/VERSION instead of src/VERSION everywhere.

The new one, if you use the builtin make file to "make branch.tar" will also create just such a file
2010-02-13 13:02:25 +05:30
Sitaram Chamarty 1f9fbfa71e get "info" for users other than yourself
if you have read access to the admin repo, you can say

    ssh git@server info user1 [...]

Original idea and code by Karteek E.  The motivation is to quickly and
easily check what perms a user has.  Technically nothing that you can't
glean from the config file itself but it serves as a double check or a
mild debugging aid perhaps.

However note that the branch level rules are much more complex and they
do not, as yet, have any such "helpful" aids.  Life is like that
sometimes.
2010-02-07 19:23:08 +05:30
Sitaram Chamarty b299ff09c3 rsync: restrict the "path" part of the received command
Although I have washed my hands off the security aspect if you use
external commands, that doesn't mean I won't make them as tight as I can
;-)  Right now, this is just a place holder -- if people use it and
complain that the pattern is too restrictive, I'll change it.
2010-02-07 13:23:07 +05:30
Sitaram Chamarty 388f4d873d (IMPORTANT; read this in full) no more "wildrepos"
The wildrepos branch has been merged into master, and deleted.  It will no
longer exist as a separate branch.  Instead, a new variable
called $GL_WILDREPOS has been added which acts as a switch; when
off (which is the default), many wildrepos features are disabled.
(the "C" permissions, and the getperms (etc.) commands mainly).

Important: if you are using wildrepos, please set "$GL_WILDREPOS = 1;" in
the RC file when you upgrade to this version (or just before you do the
upgrade).
2010-02-07 13:22:43 +05:30
Sitaram Chamarty fc0b627f55 Merge branch 'master' into wildrepos
Conflicts:
	src/gitolite.pm
2010-02-05 07:05:43 +05:30
Sitaram Chamarty 85cc31c771 install/pm: turn hooks from copies to symlinks 2010-02-05 06:49:07 +05:30
Sitaram Chamarty 767657c187 Merge teemu/topic/wildrepo_description_and_owner into wildrepos 2010-02-05 06:32:30 +05:30
Teemu Matilainen fa65d719a8 Enable setting desription for wildrepos
Allow users to set and display description (for gitweb) for their
own wildcard repositories using ssh commands:
  setdesc <repo>
  getdesc <repo>

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-05 06:32:04 +05:30
Teemu Matilainen 00b793f5e6 Set gitweb.owner config for new wildrepos
When creating new wildrepos, add git config to tell gitweb
the owner of the repository.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-05 00:04:08 +02:00
Sitaram Chamarty 86166f7adc $shell_allowed needs to be passed to specal_cmds
brought on by realising that you lost $shell_allowed when refactoring
(previous commit) but perl hadn't caught it because -- damn -- you
didn't have "use strict" in gitolite.pm
2010-02-04 15:25:22 +05:30
Sitaram Chamarty c43560d2ef Merge branch 'master' into wildrepos
lots of conflicts, esp in gl-auth-command, due to refactoring the
"special commands" stuff on master

Conflicts:
	doc/3-faq-tips-etc.mkd
	src/gitolite.pm
	src/gl-auth-command
	src/gl-compile-conf
2010-02-04 14:42:10 +05:30
Sitaram Chamarty 67c10a34fe auth: new subcommand "htpasswd"
great idea by Robin Smidsrød: since users are already capable of
authenticating themselves to gitolite via ssh keys, use that to let them
set or change their own HTTP passwords (ie, run the "htpasswd" command
with the correct parameters on behalf of the "git" user on the server)

code, rc para, and documentation.  In fact everything except... ahem...
testing ;-)

and while we're about it, we also reorganised the way these helper
commands (including the venerable "info" are called)
2010-02-04 11:55:24 +05:30
Sitaram Chamarty b1659db742 more fixes to wildcard reporting...
(thank God I don't warrant this part of gitolite ;-)
2010-02-01 23:32:03 +05:30
Sitaram Chamarty 20c29c0145 rsync: log the command used 2010-02-01 15:59:00 +05:30
Sitaram Chamarty 18312de77a rsync: add support for delete/partial 2010-02-01 11:50:33 +05:30
Sitaram Chamarty 98a4c79dce (read this in full) access control for non-git commands running over ssh
This is actually a pretty big deal, and I am seriously starting wonder
if calling this "gito*lite*" is justified anymore.

Anyway, in for a penny, in for a pound...

This patch implements a generic way to allow access control for external
commands, as long as they are invoked via ssh and present a server-side
command that contains enough information to make an access control
decision.

The first (and only, so far) such command implemented is rsync.

Please read the changes in this commit (at least the ones in conf/ and
doc/) carefully.
2010-02-01 11:49:21 +05:30
Sitaram Chamarty 17c8075de7 Merge branch 'master' into wildrepos
factor out log_it and check_ref; update hook now requires gitolite.pm

Conflicts:
	src/hooks/update
2010-02-01 11:00:44 +05:30
Sitaram Chamarty 7f203fc020 update-hook/pm: made check_ref a common sub 2010-02-01 10:52:55 +05:30
Sitaram Chamarty 0b960cfae2 auth/update-hook/pm: make &log() a common function 2010-02-01 10:52:55 +05:30
Sitaram Chamarty bc0a478e64 auth: minor fix to reporting on wildcard repos
Mpenz asked what would happen if the config looked like

    repo foo/abc
        R   sitaram

    repo foo/.*
        RW  sitaram

If you asked for an expand of '.*', it would pick up permissions from
the second set (i.e., "RW") and print them against "foo/abc".

This is misleading, since those are not the permissions that will
actually be *used*.  Gitolite always uses the more specific form if it
is given, which means your actual permissions are just "R".

This patch is to prevent that misleading reporting in this corner case.
2010-01-30 05:06:16 +05:30
Sitaram Chamarty 4142be4e59 auth: reporting changes for wildcard-created repos
- see *all* wildcard repos you have access to (this uses line-anchored
    regexes as described in doc/4).  Examples:
        ssh git@server expand '.*'
        ssh git@server expand 'assignment.*'

  - show perms like the info command does

Please see comments against 02cee1d for more details and caveats.
2010-01-29 16:37:34 +05:30
Teemu Matilainen 9c171d166d "expand" should print to SDTOUT instead of STDERR
Other ssh commands where fixed in 15475f666c,
but "expand" was somehow missed.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-28 22:18:12 +02:00
Teemu Matilainen 15475f666c Fix exit codes for allowed ssh commands
gitolite specific ssh commands ("getperms", "setperms", "info" etc.)
should exit with non-error code in case of success.

Also "get/setperms" should print to STDOUT instead of STDERR.

This change is specially needed for the gitolite-tools
(http://github.com/tmatilai/gitolite-tools) to work.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-10 11:24:57 +05:30
Sitaram Chamarty 03babe7772 parse_acl (gitolite.pm): minor convenience added 2009-12-21 19:59:26 +05:30
Sitaram Chamarty 6fb2296e2c autoviv new repos by user only on "C" access
we've removed the facility of auto-viving "W" access repos when they are
not wildcards.  A wildcard pattern like foo/CREATER was
indistinguishable from a non-wildcard repo, and resolving it was
becoming kludgier and kludgier.  (See the revert in the commit before
this one for details).

As a side effect of not being able to distinguish wildcard repos from
real repos easily, the expand command now works for a normal repo too
(because we have to make it work for "foo/CREATER")
2009-12-21 19:58:36 +05:30
Sitaram Chamarty 981d693dec Revert "compile, parse_acl: treat foo/CREATER (no regex metas) correctly"
This reverts commit 33fc0a7e9f.

Was causing too much trouble with access reporting (basic and expanded)
because of the extra ^ at the start...

The paranoia referred to in that commit was this sequence:

  - admin creates a named (non wildcard) repo using config file push
  - somehow that gets deleted (OS error, corruption, ...)
  - admin just asks anyone with a current repo to push it to auto-revive
    it (because we allow people with "W" access to non-wildcard repos to
    auto-viv repos)
  - if you're treating this the same as a wildcard creation, you end up
    making this guy the "creater" of that repo, which means he can add
    users etc...

We resolve that paranois by disallowing autoviv of "W" access repos at
all...  Only "C" access repos can be autovived by a user (this will be
in the next commit)
2009-12-21 17:39:33 +05:30
Sitaram Chamarty d49bb6b423 Merge branch 'master' into wildrepos
Conflicts:
	src/gitolite.pm
	src/gl-auth-command
2009-12-20 06:58:33 +05:30
Sitaram Chamarty b679bbb56b allow '+' as valid character in user/reponames 2009-12-18 10:15:35 +05:30
Sitaram Chamarty 3eb29e17fc allow @ in repo names and patterns
stuff like "repo foo/CREATER/.+" means the reponame has to be a superset
of the username in terms of allowed characters
2009-12-12 10:11:34 +05:30
Sitaram Chamarty ff28acb059 Merge branch 'master' into wildrepos
master brought in:

  - full email addresses as usernames
  - repo-specific git config

Conflicts:
	doc/3-faq-tips-etc.mkd
	src/gitolite.pm
	src/gl-compile-conf
2009-12-11 11:23:26 +05:30
Sitaram Chamarty 33fc0a7e9f compile, parse_acl: treat foo/CREATER (no regex metas) correctly
Teemu's testing brought up a situtation I had not anticipated:
"repo foo/CREATER" looks like a non-regex, and its creation then (a)
goes by "W" permissions instead of "C" permissions, and (b) the
creater's name does not get recorded (no gl-creater file).

    SIDE NOTE: one way is to reduce the paranoia, and just put the
    creater name in anyway.  Treat a repo created from gl-auth as a
    wildcard-matched autovivified repo, because the *other* kind would
    have actually got created by gl-compile anyway.

    However, I can think of *one* very far-out situation where this
    could backfire on an unwary admin, and I'm paranoid :-)

So we need to force it to look like a regex.  Moving the line-anchoring
from `parse_acl` to gl-compile sounded fine, until I realised that the
"$" isn't easy.  Backslashitis, bigtime, plus the single/double quote
tricks we're playing with the dumped hash adds its own complexities.

Best of both worlds, promote the "^" to gl-compile, keep the "$" where
it is...!
2009-12-11 10:51:37 +05:30
Sitaram Chamarty 4441ed82e4 compile: allow full email addresses as usernames
we had usurped the email style syntax to separate multiple keys
belonging to the same person, like sitaram@desktop.pub and
sitaram@laptop.pub.  If you have so many users that you need the full
email address to disambiguate some of them (or you want to do it for
just plain convenience), you couldn't.

This patch fixes that in a backward compatible way.  See
doc/3-faq-tips-etc.mkd for details.
2009-12-08 15:14:05 +05:30
Sitaram Chamarty 02cee1d5cf wildrepos: expanded access reporting
This feature has *no* warranty, and so no documentation.  Not more than
this transcript anyway.

config file:

    @prof = u1
    @TAs = u2 u3
    @students = u4 u5 u6

    repo    assignments/CREATER/a[0-9][0-9]
        C   =   @students
        RW+ =   CREATER
        RW  =   WRITERS @TAs
        R   =   READERS @prof

session:

as user "u4":
    # check your permissions
    $ ssh git@server
    PTY allocation request failed on channel 0
    hello u4, the gitolite version here is v0.95-31-gbcb14ca
    you have the following permissions:
     C      assignments/CREATER/a[0-9][0-9]
       @ @  testing
    Connection to localhost closed.

    # autovivify repos for assignment 12 and 24
    $ git clone git@server:assignments/u4/a12 a12
    Initialized empty Git repository in /home/sitaram/t/a12/.git/
    Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a12.git/
    warning: You appear to have cloned an empty repository.
    $ git clone git@server:assignments/u4/a24 a24
    Initialized empty Git repository in /home/sitaram/t/a24/.git/
    Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a24.git/
    warning: You appear to have cloned an empty repository.

    # check what repos you autovivified
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12
    (u4)    assignments/u4/a24

as user "u5":
    # check your basic permissions
    $ ssh git@server
    PTY allocation request failed on channel 0
    hello u5, the gitolite version here is v0.95-31-gbcb14ca
    you have the following permissions:
     C      assignments/CREATER/a[0-9][0-9]
       @ @  testing
    Connection to localhost closed.

    # see if you have access to any of u4's repos
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    # (no output produced)

as user "u4":
    # allow "u5" read access to assignment 12
    # note you type in "R u5", hit enter, then hit Ctrl-D.  Gitolite
    # then produces a confirmation message starting "New perms are:"
    $ ssh git@server setperms assignments/u4/a12
    R u5
    New perms are:
    R u5

as user "u5":
    # again see if you have access to any u4 repos
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12

as user "u4":
    # check what permissions you gave to assignment 12
    $ ssh git@server getperms assignments/u4/a12
    R u5

    # add RW access to "u6" to assignment 12
    # again, type 'em in, then hit Ctrl-D; and note each time you run
    # this you're starting from scratch -- you can't "add to" the
    # permissions.  Deal with it...
    $ ssh git@server setperms assignments/u4/a12
    R u5
    RW u6
    New perms are:
    R u5
    RW u6

as user "u6":
    # check what u4 stuff you have access to
    $ ssh git@server expand assignments/u4/a[0-9][0-9]
    (u4)    assignments/u4/a12
2009-12-06 20:36:16 +05:30
Sitaram Chamarty f620044156 wildrepos: implement getperms and setperms 2009-12-06 20:36:15 +05:30
Sitaram Chamarty f49eddd660 wildrepos: teach auth and update hook about wildcard repos
- new_repo now takes a "creater" parameter; if given, this user is
    recorded (in a file called "gl-creater") as the creater of the repo.
    Only applicable to wildcards

  - repo_rights reads "gl-creater" and "gl-perms" to tell you who
    created it, and whether you (the $user) are in the list of READERS
    or WRITERS

    **NOTE** that the mechanism to create/update gl-perms has not been
    written yet... (as of this commit)

  - parse_acl takes 4 more arguments, all optional.  The repo name we're
    interested in (set by all except the access reporting function), and
    the names to be interpolated as $creater, $readers, writers

  - report_basic now knows about the "C" permission and shows it

  - auth now autovivifies a repo if the user has "C" and it's a wildcard
    match, or (the old case) the user has "W" and it's not a wildcard.
    In the former case, the creater is also set

IMPLEMENTATION NOTES:

  - the Dumper code now uses a custom hash key sort to make sure
    $creater etc land up at the *end*

  - a wee bit of duplication exists in the update hook; it borrows a
    little code from parse_acl.  I dont (yet) want to include all of
    gitolite.pm for that little piece...
2009-12-06 14:00:21 +05:30
Sitaram Chamarty 77306567e9 wildrepos: teach compile the new syntax
There's a new "C" permission to let someone *create* a repo that matches
the pattern given in the "repo ..." line.  If the word CREATER appears
in the repo pattern, then that is forced to the actual user performing
that operation.

Something like this (we'll discuss READERS and WRITERS later):

    repo personal/CREATER/.+
    C           =   @staff
    R   [foo]   =   READERS
    RW  [bar]   =   WRITERS
    ...various other permissions as usual...

Delegation checking also changes quite a bit... see comments in code

Implementation: there's also a sneaky little trick we're playing here
with the dumped hash
2009-12-05 18:42:02 +05:30
Sitaram Chamarty e6da853082 auth, compile, pm: good bit of refactoring
all of this is prep for the upcoming, all-new, chrome-plated,
"wildrepos" branch :)

  - many variables go to gitolite.pm now, and are "our"d into the other
    files as needed
  - new functions parse_acl, report_basic to replace inlined code
2009-12-05 14:14:37 +05:30
Sitaram Chamarty c3b5e3b1af compile, pm: factor out new repo creation
...also wrap_chdir, wrap_open, $ABRT, and $WARN
2009-11-27 23:06:47 +05:30
Sitaram Chamarty 78d02e1437 the rc file can now be in one of 2 places...
Packaging gitolite for debian requires the rc file to be in /etc/gitolite.
But non-root installs must still be supported, and they need it in $HOME.

This means the rc file is no longer in a fixed place, which needs code to find
the rc file first.  See comments inside new file 'gitolite.pm' for details.

The rest of the changes are in the other programs, to replace the hard-coded
rc filename with a call to this new code.
2009-10-25 12:45:45 +05:30