author | Robin H. Johnson <robbat2@gentoo.org> | 2017-06-29 14:04:29 -0700 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2017-06-29 14:04:29 -0700 |
commit | 6b0f07aad4500c37b610a372aa34d95afe0e93d8 (patch) | |
tree | 667c75a57b46721a953cbe57d7a25aa282ad364b | |
parent | Merge tag 'v3.6.5' (diff) | |
parent | v3.6.6 (diff) | |
Merge tag 'v3.6.6'gitolite-gentoo-3.6.6
v3.6.6
-rw-r--r-- | CHANGELOG | 10 | ||||
-rw-r--r-- | README.markdown | 6 | ||||
-rwxr-xr-x | src/commands/1plus1 | 1 | ||||
-rwxr-xr-x | src/commands/access | 11 | ||||
-rwxr-xr-x | src/commands/create | 46 | ||||
-rwxr-xr-x | src/commands/perms | 21 | ||||
-rw-r--r-- | src/lib/Gitolite/Common.pm | 3 | ||||
-rw-r--r-- | src/lib/Gitolite/Conf/Load.pm | 2 | ||||
-rw-r--r-- | src/lib/Gitolite/Hooks/PostUpdate.pm | 1 | ||||
-rw-r--r-- | src/lib/Gitolite/Setup.pm | 26 | ||||
-rw-r--r-- | src/lib/Gitolite/Test/Tsh.pm | 2 | ||||
-rw-r--r-- | src/lib/Gitolite/Triggers/TProxy.pm | 2 | ||||
-rwxr-xr-x | src/triggers/post-compile/ssh-authkeys | 2 | ||||
-rwxr-xr-x | src/triggers/post-compile/ssh-authkeys-split | 4 | ||||
-rwxr-xr-x | src/triggers/repo-specific-hooks | 4 | ||||
-rwxr-xr-x | src/triggers/set-default-roles | 2 | ||||
-rwxr-xr-x | t/access.t | 17 | ||||
-rwxr-xr-x | t/perm-default-roles.t | 2 | ||||
-rwxr-xr-x | t/perm-roles.t | 12 | ||||
-rwxr-xr-x | t/perms-groups.t | 6 | ||||
-rwxr-xr-x | t/sequence.t | 4 |
21 files changed, 122 insertions, 62 deletions
@@ -1,3 +1,13 @@ +2016-09-08 v3.6.6 simple but important fix for a future perl deprecation + (perl will be removing "." from @INC in 5.24) + + 'perms' now requires a '-c' to activate batch mode + (should not affect interactive use but check your scripts + perhaps?) + + gitolite setup now accepts a '-m' option to supply a + custom message (useful when it is used by a script) + 2016-02-20 v3.6.5 allow creator check to be bypassed during mirroring handle new style ssh fingerprinting correctly (thanks to diff --git a/README.markdown b/README.markdown index a211fab..411b0bb 100644 --- a/README.markdown +++ b/README.markdown @@ -7,14 +7,14 @@ Gitolite README **This is a minimal README for gitolite**, so you can quickly get started with: -* installing gitolite on a fresh userid on a Unix(-like) machine +* installing gitolite on a fresh userid on a Unix(-like) machine, using ssh * learning enough to do some basic access control **For anything more, you need to look at the complete documentation, at: <http://gitolite.com/gitolite>**. Please go there for what/why/how, concepts, background, troubleshooting, more details on what is covered here, advanced -features not covered here, migration from older gitolite, and many more -topics. +features not covered here, migration from older gitolite, running gitolite +over http (rather than ssh), and many more topics. <!-- --------------------------------------------------------------------- --> diff --git a/src/commands/1plus1 b/src/commands/1plus1 index ef37a24..897d235 100755 --- a/src/commands/1plus1 +++ b/src/commands/1plus1 @@ -1,7 +1,6 @@ #!/usr/bin/perl use strict; use warnings; -use 5.10.0; # import LOCK_* use Fcntl qw(:flock); diff --git a/src/commands/access b/src/commands/access index 4209b7e..f02e533 100755 --- a/src/commands/access +++ b/src/commands/access 
@@ -57,7 +57,7 @@ my $ret = ''; if ( $repo ne '%' and $user ne '%' ) { # single repo, single user; no STDIN - $ret = access( $repo, $user, $aa, $ref ); + $ret = access( $repo, $user, adjust_aa($repo, $aa), $ref ); show($ret) if $s; @@ -79,10 +79,17 @@ while (<>) { my @in = split; my $r = $repo || shift @in; my $u = $user || shift @in; - $ret = access( $r, $u, $aa, $ref ); + $ret = access( $r, $u, adjust_aa($r, $aa), $ref ); print "$r\t$u\t$ret\n"; } +sub adjust_aa { + my ($repo, $aa) = @_; + $aa = '+' if $aa eq 'C' and not option($repo, 'CREATE_IS_C'); + $aa = '+' if $aa eq 'D' and not option($repo, 'DELETE_IS_D'); + return $aa; +} + sub show { my $ret = shift; die "repo already exists; ^C won't work\n" if $ret =~ /DENIED by existence/; diff --git a/src/commands/create b/src/commands/create index d35c4a8..8565e68 100755 --- a/src/commands/create +++ b/src/commands/create 
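Review bot: `adjust_aa` silently rewrites the requested permission to `+` whenever the repo lacks `CREATE_IS_C` or `DELETE_IS_D`, and nothing at the sub or at the two `access(...)` call sites says why, so a reader cannot tell that a `C` or `D` query may be answered as a `+` query. A comment above the sub would cover it, for example `# without CREATE_IS_C / DELETE_IS_D, create and delete are governed by '+', so test that instead`. In the batch loop `$r` comes from STDIN and reaches `option()` before `access()` is called; whether `option()` validates the repo name is not visible in this hunk and is worth confirming. The tests this commit adds for `gitolite access` exercise `C` only, so the `D` line has no visible coverage.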
@@ -1,17 +1,29 @@ -#!/bin/sh - -# Usage: ssh git@host create <repo> -# -# Create wild repo. - -die() { echo "$@" >&2; exit 1; } -usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; } -[ -z "$1" ] && usage -[ -z "$2" ] || usage -[ "$1" = "-h" ] && usage -[ -z "$GL_USER" ] && die GL_USER not set - -# ---------------------------------------------------------------------- -perms=$(gitolite git-config -r $1 gitolite-options.default.roles | sort | cut -f3 | - perl -pe 's/(\s)CREATOR(\s|$)/$1$ENV{GL_USER}$1/') -echo "$perms" | $GL_BINDIR/commands/perms -c "$@" +#!/usr/bin/perl +use strict; +use warnings; + +use lib $ENV{GL_LIBDIR}; +use Gitolite::Rc; +use Gitolite::Common; +use Gitolite::Conf::Load; +use Gitolite::Conf::Store; + +=for usage +create -- create a wild repo. + +Usage: + ssh git@host create <repo> +=cut + +usage() if @ARGV != 1 or $ARGV[0] eq '-h'; + +$ENV{GL_USER} or _die "GL_USER not set"; + +my $repo = shift; +_die "invalid repo '$repo'" unless $repo =~ $REPONAME_PATT; + +my $ret = access( $repo, $ENV{GL_USER}, '^C', 'any' ); +_die "repo already exists or you are not authorised to create it" if $ret =~ /DENIED/; + +new_wild_repo( $repo, $ENV{GL_USER}, 'create' ); +gl_log( 'create', $repo, $ENV{GL_USER}, 'create' ); diff --git a/src/commands/perms b/src/commands/perms index 66ae885..be7be69 100755 --- a/src/commands/perms +++ b/src/commands/perms 
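Review bot: The only validation of the user-supplied repo name visible in the new `create` is the match against `$REPONAME_PATT`, which is imported and not shown here. Since `new_wild_repo` presumably creates a directory from that name, confirm that the pattern or `access()` rejects `..` components and a trailing `/`, or add an explicit guard next to the existing one, such as `_die "invalid repo '$repo'" if $repo =~ m(\.\.);`. The `access` check and `new_wild_repo` are separate steps, so two simultaneous requests for the same name could both pass the check unless `new_wild_repo` itself refuses an existing path; a comment stating which layer enforces that would help. Keeping the combined "already exists or you are not authorised" message is sensible because it does not disclose which repos exist.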
@@ -26,23 +26,24 @@ Examples: ssh git@host perms my/repo + WRITERS bob ---- -There is also a batch mode useful for scripting and bulk loading. Do not -combine this with the +/- mode above. This mode also accepts an optional "-c" -flag to create the repo if it does not already exist (assuming $GL_USER has -permissions to create it). - -Examples: - cat copy-of-backed-up-gl-perms | ssh git@host perms <repo> - cat copy-of-backed-up-gl-perms | ssh git@host perms -c <repo> +There is also a batch mode useful for scripting and bulk loading; see the +source code of the perms command for details. =cut -usage() if not @ARGV or $ARGV[0] eq '-h'; +# BATCH MODE: DO NOT combine this with the +/- mode above. This mode also +# creates the repo if it does not already exist (assuming $GL_USER has +# permissions to create it). +# +# Example: +# cat copy-of-backed-up-gl-perms | ssh git@host perms -c <repo> + +usage() if not @ARGV or $ARGV[0] eq '-h' or @ARGV < 2; $ENV{GL_USER} or _die "GL_USER not set"; my $generic_error = "repo does not exist, or you are not authorised"; -if ( @ARGV >= 2 and $ARGV[1] eq '-l' ) { +if ( $ARGV[1] eq '-l' ) { getperms($ARGV[0]); # doesn't return } diff --git a/src/lib/Gitolite/Common.pm b/src/lib/Gitolite/Common.pm index d59118c..166a4df 100644 --- a/src/lib/Gitolite/Common.pm +++ b/src/lib/Gitolite/Common.pm @@ -235,7 +235,8 @@ sub cleanup_conf_line { chomp($repo); $repo =~ s/\.git$//; $repo =~ s(^\./)(); - push @phy_repos, $repo; + push @phy_repos, $repo unless $repo =~ m(/$); + # tolerate bare repos within ~/repositories but silently ignore them } trace( 3, scalar(@phy_repos) . " physical repos found" ); return sort_u( \@phy_repos ); diff --git a/src/lib/Gitolite/Conf/Load.pm b/src/lib/Gitolite/Conf/Load.pm index c25a93e..15b1d03 100644 --- a/src/lib/Gitolite/Conf/Load.pm +++ b/src/lib/Gitolite/Conf/Load.pm 
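Review bot: In the new guard `usage() if not @ARGV or $ARGV[0] eq '-h' or @ARGV < 2;` the `not @ARGV` test is subsumed by `@ARGV < 2`, so the condition reduces to `usage() if @ARGV < 2 or $ARGV[0] eq '-h';`. Written that way, the count check visibly protects the now unguarded `$ARGV[1] eq '-l'` a few lines later. The batch-mode description has moved out of the usage text into a source comment, so `perms -h` no longer tells a script author that `-c` is required; one line in the usage text naming `-c` would spare them reading the source. The rest of the script is outside this hunk.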
@@ -316,7 +316,7 @@ sub load_common { return; } - my $cc = "conf/gitolite.conf-compiled.pm"; + my $cc = "./conf/gitolite.conf-compiled.pm"; _die "parse '$cc' failed: " . ( $! or $@ ) unless do $cc; diff --git a/src/lib/Gitolite/Hooks/PostUpdate.pm b/src/lib/Gitolite/Hooks/PostUpdate.pm index 2eeefcc..a76d1d9 100644 --- a/src/lib/Gitolite/Hooks/PostUpdate.pm +++ b/src/lib/Gitolite/Hooks/PostUpdate.pm @@ -20,6 +20,7 @@ use warnings; sub post_update { trace( 3, 'post-up', @ARGV ); + exit 0 unless grep( m(^refs/heads/master$), @ARGV ); # this is the *real* post_update hook for gitolite tsh_try("git ls-tree --name-only master"); diff --git a/src/lib/Gitolite/Setup.pm b/src/lib/Gitolite/Setup.pm index 57f8712..69a9be0 100644 --- a/src/lib/Gitolite/Setup.pm +++ b/src/lib/Gitolite/Setup.pm @@ -12,6 +12,7 @@ propagate hooks. -a, --admin <name> admin name -pk, --pubkey <file> pubkey file name -ho, --hooks-only skip other steps and just propagate hooks + -m, --message set setup commit message First run: either the pubkey or the admin name is *required*, depending on whether you're using ssh mode or http mode. @@ -30,6 +31,9 @@ Subsequent runs: - '-a' is ignored + - '-m' can be used to replace default commit message "gitolite setup $argv" + with a custom message (e.g. "Setting up your repository mgmt"). + =cut # ---------------------------------------------------------------------- @@ -50,11 +54,11 @@ use warnings; # ---------------------------------------------------------------------- sub setup { - my ( $admin, $pubkey, $h_only, $argv ) = args(); + my ( $admin, $pubkey, $h_only, $message ) = args(); unless ($h_only) { setup_glrc(); - setup_gladmin( $admin, $pubkey, $argv ); + setup_gladmin( $admin, $pubkey, $message ); _system("gitolite compile"); _system("gitolite trigger POST_COMPILE"); 
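Review bot: `do $cc` executes the compiled config as Perl code, and with `./conf/gitolite.conf-compiled.pm` the file that runs is whatever sits under the process's current directory at that moment. If `load_common` can be reached with a working directory other than the intended base, this either fails or runs a different file; building an absolute path from the configured base directory, or asserting the cwd first, removes that dependence. The part of the function before this hunk is not visible, so it may already `chdir`. Separately, `( $! or $@ )` reports `$!` first, which can hold a stale errno when the real failure is a compile error recorded in `$@`; `( $@ or $! )` gives the more useful message.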
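Review bot: The new early exit in `post_update` uses a regex where an exact string comparison is meant, and `$` also matches before a trailing newline; `exit 0 unless grep { $_ eq 'refs/heads/master' } @ARGV;` states the intent exactly. The line carries no comment, and the existing comment "this is the *real* post_update hook" now sits below it; a line such as `# nothing to do unless master was updated` above the new statement would make the reason clear. The rest of the sub is outside the hunk.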
@@ -66,16 +70,18 @@ sub setup { # ---------------------------------------------------------------------- sub args { - my $admin = ''; - my $pubkey = ''; - my $h_only = 0; - my $help = 0; - my $argv = join( " ", @ARGV ); + my $admin = ''; + my $pubkey = ''; + my $message = ''; + my $h_only = 0; + my $help = 0; + my $argv = join( " ", @ARGV ); require Getopt::Long; Getopt::Long::GetOptions( 'admin|a=s' => \$admin, 'pubkey|pk=s' => \$pubkey, + 'message|m=s' => \$message, 'hooks-only|ho' => \$h_only, 'help|h' => \$help, ) or usage(); @@ -98,7 +104,7 @@ sub args { } - return ( $admin || '', $pubkey || '', $h_only || 0, $argv ); + return ( $admin || '', $pubkey || '', $h_only || 0, $message || "gitolite setup $argv"); } sub setup_glrc { @@ -106,7 +112,7 @@ sub setup_glrc { } sub setup_gladmin { - my ( $admin, $pubkey, $argv ) = @_; + my ( $admin, $pubkey, $message ) = @_; _die "'-pk' or '-a' required; see 'gitolite setup -h' for more" if not $admin and not -f "$rc{GL_ADMIN_BASE}/conf/gitolite.conf"; @@ -155,7 +161,7 @@ sub setup_gladmin { tsh_try("git config --get user.email") or tsh_run( "git config user.email $ENV{USER}\@" . `hostname` ); tsh_try("git config --get user.name") or tsh_run( "git config user.name '$ENV{USER} on '" . `hostname` ); tsh_try("git diff --cached --quiet") - or tsh_try("git commit -am 'gitolite setup $argv'") + or tsh_try("git commit -am '$message'") or _die "setup failed to commit to the admin repo"; delete $ENV{GIT_WORK_TREE}; } diff --git a/src/lib/Gitolite/Test/Tsh.pm b/src/lib/Gitolite/Test/Tsh.pm index 670178f..6861960 100644 --- a/src/lib/Gitolite/Test/Tsh.pm +++ b/src/lib/Gitolite/Test/Tsh.pm @@ -238,7 +238,9 @@ sub rc_lines { local $_ = shift @lines; chomp; $_ = trim_ws($_); + no warnings; $line++; + use warnings; # this also sets $testname next if is_comment_or_empty($_); diff --git a/src/lib/Gitolite/Triggers/TProxy.pm b/src/lib/Gitolite/Triggers/TProxy.pm index 8cf0e8d..b2ab8df 100644 --- a/src/lib/Gitolite/Triggers/TProxy.pm 
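Review bot: In `setup_gladmin` the new `-m` text is interpolated into a shell command string, `tsh_try("git commit -am '$message'")`, so a message containing a single quote ends the quoting early and the remainder is parsed by the shell. The old `$argv` had the same weakness, but `-m` is documented as free-form text supplied by scripts, which makes an apostrophe or caller-relayed data far more likely. Escape the value before use, e.g. `( my $msg = $message ) =~ s/'/'\\''/g;` followed by `tsh_try("git commit -am '$msg'")`, or reject quotes in `args()`. The fallback `"gitolite setup $argv"` built in `args()` flows into the same command and needs the same treatment.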
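Review bot: The `no warnings; $line++; use warnings;` sequence in `rc_lines` turns every warning category off and then back on for the rest of the enclosing scope, regardless of what was in effect before. A bare block keeps the pragma lexically confined: `{ no warnings; $line++; }`, ideally naming the single category being silenced. The hunk does not show which warning `$line++` triggers, so a comment saying which one is suppressed and why would help the next reader.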
+++ b/src/lib/Gitolite/Triggers/TProxy.pm @@ -95,3 +95,5 @@ sub input { # redirect to upstream exec( "ssh", $rc{TPROXY_FORWARDS_TO}, "TPROXY_FOR=$user", "SOC=$ENV{SSH_ORIGINAL_COMMAND}" ); } + +1; diff --git a/src/triggers/post-compile/ssh-authkeys b/src/triggers/post-compile/ssh-authkeys index fe1e7c1..a95018d 100755 --- a/src/triggers/post-compile/ssh-authkeys +++ b/src/triggers/post-compile/ssh-authkeys @@ -29,7 +29,7 @@ my $kfn = ''; GetOptions( 'key-file-name|kfn' => \$kfn, ); tsh_try("sestatus"); -my $selinux = ( tsh_text() =~ /enabled/ ); +my $selinux = ( tsh_text() =~ /enforcing/ ); my $ab = $rc{GL_ADMIN_BASE}; trace( 1, "'keydir' not found in '$ab'; exiting" ), exit if not -d "$ab/keydir"; diff --git a/src/triggers/post-compile/ssh-authkeys-split b/src/triggers/post-compile/ssh-authkeys-split index bf8c8e7..cd9a603 100755 --- a/src/triggers/post-compile/ssh-authkeys-split +++ b/src/triggers/post-compile/ssh-authkeys-split @@ -50,7 +50,9 @@ find . -type f -name "*.pub" | while read k do # do we need to split? lines=`wc -l < $k` - [ "$lines" = "1" ] && continue + case $lines in + (0|1) continue + esac # is it sane to split? base=`basename $k .pub` diff --git a/src/triggers/repo-specific-hooks b/src/triggers/repo-specific-hooks index 1158ff5..7ed28e5 100755 --- a/src/triggers/repo-specific-hooks +++ b/src/triggers/repo-specific-hooks @@ -34,6 +34,9 @@ while (<>) { $hook =~ s/^gitolite-options\.hook\.//; $hook =~ s/\..*//; + my @codes = split /\s+/, $codes; + next unless @codes; + # this is a special case if ( $repo eq 'gitolite-admin' and $hook eq 'post-update' ) { _warn "repo-specific-hooks: ignoring attempts to set post-update hook for the admin repo"; @@ -46,7 +49,6 @@ while (<>) { next; } - my @codes = split /\s+/, $codes; push @{ $repo_hooks{$repo}{$hook} }, @codes if @codes; } diff --git a/src/triggers/set-default-roles b/src/triggers/set-default-roles index 18ac28b..dbbcc92 100755 --- a/src/triggers/set-default-roles 
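Review bot: `tsh_text() =~ /enforcing/` matches any line of the `sestatus` output, and that output normally contains both a `Current mode:` line and a `Mode from config file:` line, so a host running permissive with `enforcing` in its config file is still treated as enforcing. Anchoring to the line that reports the running state avoids this: `my $selinux = ( tsh_text() =~ /^Current mode:\s+enforcing/m );`. How `$selinux` is used afterwards is outside the hunk. The return value of `tsh_try("sestatus")` is ignored, which is presumably intentional for hosts without SELinux, but a comment saying so would remove the doubt.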
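Review bot: `$k` comes from `find ... | while read k` and is used unquoted in the `wc -l < $k` and `basename $k .pub` lines of this hunk, so a key file name containing whitespace or glob characters is split or expanded before those commands see it. Quote the variable in both places (`wc -l < "$k"`, `basename "$k" .pub`) and read it raw with `while read -r k`. Some `wc` implementations pad the count with leading blanks, in which case the new `case $lines in (0|1)` does not match; `case $((lines)) in` normalises the value first. The loop body continues beyond the hunk.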
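Review bot: With `next unless @codes;` now placed directly after the split, the trailing `if @codes` on `push @{ $repo_hooks{$repo}{$hook} }, @codes if @codes;` can never be false and can be dropped. The move also changes which lines reach the admin-repo warning, since an empty value is now skipped before that special case; if that is the purpose, a comment above the new check such as `# an empty value sets no hooks; skip it before the special cases below` would record it. The enclosing `while (<>)` loop starts outside the hunk.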
+++ b/src/triggers/set-default-roles @@ -6,7 +6,7 @@ # skip if arg-1 is POST_CREATE and no arg-3 (user name) exists (i.e., it's not # a wild repo) [ "$1" = "POST_CREATE" ] && [ -z "$3" ] && exit 0; -[ "$4" = "R" ] || [ "$4" = "W" ] || [ "$4" = "perms-c" ] || [ "$4" = "fork" ] || exit 0 +[ "$4" = "R" ] || [ "$4" = "W" ] || [ "$4" = "perms-c" ] || [ "$4" = "create" ] || [ "$4" = "fork" ] || exit 0 die() { echo "$@" >&2; exit 1; } @@ -9,7 +9,7 @@ use Gitolite::Test; # test 'gitolite access' # ---------------------------------------------------------------------- -try "plan 208"; +try "plan 216"; confreset;confadd ' @admins = admin dev1 @@ -162,6 +162,12 @@ confreset;confadd ' repo @all R = gitweb + + repo c0 + RW+ = @all + repo c1 + RWC = u1 + RW+ = @all '; try "ADMIN_PUSH set4; !/FATAL/" or die text(); @@ -184,4 +190,13 @@ try " gitolite access foo u3 R; ok gitolite access foo u4 R; !ok gitolite access foo gitweb R; ok + + gitolite access c0 u1 +; ok + gitolite access c0 u1 C; ok + gitolite access c0 u2 +; ok + gitolite access c0 u2 C; ok + gitolite access c1 u1 +; ok + gitolite access c1 u1 C; ok + gitolite access c1 u2 +; ok + gitolite access c1 u2 C; !ok "; diff --git a/t/perm-default-roles.t b/t/perm-default-roles.t index 1a56ff8..c417903 100755 --- a/t/perm-default-roles.t +++ b/t/perm-default-roles.t @@ -139,7 +139,7 @@ try "cd $od"; # add perms to an old repo try " -echo WRITERS \@h1 | glt perms u1 foo/u1/u1r1 +echo WRITERS \@h1 | glt perms u1 -c foo/u1/u1r1 "; try "cd $rb; find . -name gl-perms"; diff --git a/t/perm-roles.t b/t/perm-roles.t index 03403d6..c4d017f 100755 --- a/t/perm-roles.t +++ b/t/perm-roles.t @@ -63,7 +63,7 @@ glt push u1 file:///foo/u1/u1r1 t1 POK; /\\[new tag\\] t1 -> t1/ # add u2 to WRITERS -echo WRITERS \@g2 | glt perms u1 foo/u1/u1r1 +echo WRITERS \@g2 | glt perms u1 -c foo/u1/u1r1 glt perms u1 foo/u1/u1r1 -l /WRITERS \@g2/ 
@@ -95,7 +95,7 @@ glt push u2 file:///foo/u1/u1r1 t2 reject # change u2 to READERS -echo READERS u2 | glt perms u1 foo/u1/u1r1 +echo READERS u2 | glt perms u1 -c foo/u1/u1r1 glt perms u1 foo/u1/u1r1 -l /READERS u2/ @@ -108,7 +108,7 @@ glt push u2 file:///foo/u1/u1r1 master:master /W any foo/u1/u1r1 u2 DENIED by fallthru/ # add invalid category MANAGERS - /usr/bin/printf 'READERS u6\\nMANAGERS u2\\n' | glt perms u1 foo/u1/u1r1 + /usr/bin/printf 'READERS u6\\nMANAGERS u2\\n' | glt perms u1 -c foo/u1/u1r1 !ok /Invalid role 'MANAGERS'/ "; @@ -120,7 +120,7 @@ put "$ENV{HOME}/g3trc", "\$rc{ROLES}{MANAGERS} = 1;\n"; try " ENV G3T_RC=$ENV{HOME}/g3trc gitolite compile; ok or die compile failed - /usr/bin/printf 'READERS u6\\nMANAGERS u2\\n' | glt perms u1 foo/u1/u1r1 + /usr/bin/printf 'READERS u6\\nMANAGERS u2\\n' | glt perms u1 -c foo/u1/u1r1 ok; !/Invalid role 'MANAGERS'/ glt perms u1 foo/u1/u1r1 -l "; @@ -156,7 +156,7 @@ glt push u2 file:///foo/u1/u1r1 t3 POK; /\\[new tag\\] t3 -> t3/ # add invalid category TESTERS -echo TESTERS u2 | glt perms u1 foo/u1/u1r1 +echo TESTERS u2 | glt perms u1 -c foo/u1/u1r1 !ok /Invalid role 'TESTERS'/ "; @@ -167,7 +167,7 @@ put "|cat >> $ENV{HOME}/g3trc", "\$rc{ROLES}{TESTERS} = 1;\n"; try " gitolite compile; ok or die compile failed # add u2 to now valid TESTERS -echo TESTERS u2 | glt perms u1 foo/u1/u1r1 +echo TESTERS u2 | glt perms u1 -c foo/u1/u1r1 !/Invalid role 'TESTERS'/ glt perms u1 foo/u1/u1r1 -l "; diff --git a/t/perms-groups.t b/t/perms-groups.t index 5de75be..eb51bc7 100755 --- a/t/perms-groups.t +++ b/t/perms-groups.t @@ -41,7 +41,7 @@ try " !/R W *\tbar/u1/try1\tu1/ # \@leads can RW try1 - echo WRITERS \@leads | glt perms u1 bar/u1/try1; ok + echo WRITERS \@leads | glt perms u1 -c bar/u1/try1; ok glt info u1 -lc /R W *\tbar/u1/try1\tu1/ glt info u2 -lc 
@@ -50,7 +50,7 @@ try " !/R W *\tbar/u1/try1\tu1/ # \@devs can R try1 - echo READERS \@devs | glt perms u1 bar/u1/try1; ok + echo READERS \@devs | glt perms u1 -c bar/u1/try1; ok glt perms u1 bar/u1/try1 -l /READERS \@devs/ !/WRITERS \@leads/ @@ -67,7 +67,7 @@ try " /R *\tbar/u1/try1\tu1/ # combo of previous 2 - /usr/bin/printf 'READERS \@devs\\nWRITERS \@leads\\n' | glt perms u1 bar/u1/try1; ok + /usr/bin/printf 'READERS \@devs\\nWRITERS \@leads\\n' | glt perms u1 -c bar/u1/try1; ok glt perms u1 bar/u1/try1 -l /READERS \@devs/ /WRITERS \@leads/ diff --git a/t/sequence.t b/t/sequence.t index 81fabfc..8d66d03 100755 --- a/t/sequence.t +++ b/t/sequence.t @@ -33,7 +33,7 @@ try " glt push u1 origin master /To file:///foo/u1/bar/ /\\[new branch\\] master -> master/ - echo WRITERS u2 | glt perms u1 foo/u1/bar + echo WRITERS u2 | glt perms u1 -c foo/u1/bar glt perms u1 foo/u1/bar -l /WRITERS u2/ # expand @@ -77,7 +77,7 @@ try " glt push u1 origin master /To file:///foo/u1/bar/ /\\[new branch\\] master -> master/ - echo WRITERS u2 | glt perms u1 foo/u1/bar + echo WRITERS u2 | glt perms u1 -c foo/u1/bar glt perms u1 foo/u1/bar -l /WRITERS u2/ # expand |