author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-29 17:08:50 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-29 18:16:23 +0300 |
commit | d745c522f462e01aa576c6f93b94cbad6c631f73 (patch) | |
tree | 854738e411b0f993ecaea3d5d3fb05280a621642 | |
parent | ba7a48a2b88b33c6c49511fd4422d255264fac98 (diff) | |
Change namespace for the configuration variables: hooks.acl.*
-rwxr-xr-x | gitaclhook | 30 | ||||
-rw-r--r-- | lib/GitACL.pm | 14 | ||||
-rw-r--r-- | lib/GitACL/File.pm | 2 | ||||
-rw-r--r-- | lib/GitACL/LDAP.pm | 2 |
4 files changed, 24 insertions, 24 deletions
@@ -44,20 +44,20 @@ the update depending on their settings. If no storage engine is defined update is allowed unconditionally. If it is defined, but is not available (e.g. the disk file does not exist or the LDAP server cannot be reached, the update is denied. Two storage engines are supported: B<File>, which reads access control lists from a disk file, and B<LDAP>, which obtains them from LDAP. -The engine to use is defined by the B<hooks.acltype> configuration keyword. +The engine to use is defined by the B<hooks.acl.type> configuration keyword. The default is B<File>. =head1 ACL FILE The ACL file is used when the B<File> storage engine is requested. The -path to the file must be given via the B<hooks.aclfile> configuration -keyword. If B<hooks.aclfile> is not defined, update is allowed +path to the file must be given via the B<hooks.acl.file> configuration +keyword. If B<hooks.acl.file> is not defined, update is allowed unconditionally. The ACL file has the usual line-oriented syntax. Comments are introduced by the # sign and extend to the end of the physical line. Comments and empty lines are ignored. @@ -140,13 +140,13 @@ Otherwise, it must match exactly the affected ref. The rule applies only if its I<PROJECT> and I<USER> parts match the project which is being updated and the user who requests the update, its I<OP> contains the opcode of the requested operation and I<REF> matches the affected ref. Missing I<REF> and/or I<OP> are treated as a match. If no rule applies, the operation is denied. This can be changed by setting -B<hooks.acldefault = allow> in Git configuration file. +B<hooks.acl.default = allow> in Git configuration file. For example, assume you have the following ACL file: allow myprog %devel U heads/master allow myprog %pm CDUR heads/ allow myprog %pm C ^heads/tags/v\\d+$ 
@@ -165,13 +165,13 @@ update that repository. The LDAP storage engine is requested by the following configuration statement: [hooks] acltype = LDAP The URI of the LDAP server to use and other data necessary to access it -are read from the file name given in the B<hooks.aclldapconf> variable, +are read from the file name given in the B<hooks.acl.ldapconf> variable, or from B</etc/ldap.conf>, if it is not defined. LDAP access control entries are similar to the plaintext file ACLs. Each entry has the following attrubutes: =over 4 @@ -218,44 +218,44 @@ all project names. If no matching entry is found, the update is allowed. =head1 CONFIGURATION SETTINGS =over 4 -=item B<hooks.acltype> STRING +=item B<hooks.acl.type> STRING Type of the storage engine. Valid values are B<File> (default) and B<LDAP>. -=item B<hooks.aclfile> STRING +=item B<hooks.acl.file> STRING For the B<File> storage engine, name of the ACL file. -=item B<hooks.aclldapconf> STRING +=item B<hooks.acl.ldapconf> STRING For the B<LDAP> storage engine, the name of the configuration file to use instead of B</etc/ldap.conf>. -=item B<hooks.acllog> STRING +=item B<hooks.acl.log> STRING Send log info to this file. -=item B<hooks.acldebug> NUMBER +=item B<hooks.acl.debug> NUMBER Enable debugging. The bigger the number, the more debugging info will be displayed. -=item B<hooks.aclquiet> BOOL +=item B<hooks.acl.quiet> BOOL Suppress diagnostics on stderr. -=item B<hooks.acldefault> B<allow>|B<deny> +=item B<hooks.acl.default> B<allow>|B<deny> Sets the default rule, i.e. the one that will be executed if no other rule matched the request. Unless defined, B<deny> is assumed. -=item B<hooks.httpd-user> STRING +=item B<hooks.acl.httpd-user> STRING Name of the user httpd runs as. Define it if the repository can be accessed via HTTP(S). If B<gitaclhook> is run as this user, it will get the name of the user on behalf of which the update is performed from the environment variable B<REMOTE_USER>. 
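Review bot: The configuration example left in the context of this hunk, `[hooks] acltype = LDAP`, still uses the old key, so a reader following the LDAP section ends up with `hooks.acl.type` unset. Per the `check` hunk in lib/GitACL.pm (`$type = "File" unless $type;`) the File engine is then selected instead of LDAP, and with no `hooks.acl.file` configured the File engine allows the update unconditionally, as the ACL FILE section above documents. The example should read `[hooks "acl"]` / `type = LDAP`, git's subsection syntax for `hooks.acl.type`.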
@@ -282,22 +282,22 @@ Optional B<--debug> (B<-d>) options increment the debugging level. The program uses following environment variables: =over 4 =item B<GIT_UPDATE_DEBUG> -When set to 1, enables debugging mode. The B<hooks.acldebug> +When set to 1, enables debugging mode. The B<hooks.acl.debug> configuration variable overrides this setting. =item B<GIT_DIR> Path to the affected repository. =back -If updates are performed via HTTP or HTTPS and the B<hooks.httpd-user> +If updates are performed via HTTP or HTTPS and the B<hooks.acl.httpd-user> configuration variable is set, the following two variables are used to determine the identity of the user: =over 4 =item B<AUTH_TYPE> diff --git a/lib/GitACL.pm b/lib/GitACL.pm index 9cd381d..cde9624 100644 --- a/lib/GitACL.pm +++ b/lib/GitACL.pm @@ -70,13 +70,13 @@ sub allow($$) { $self->debug(1, "allow $loc"); exit 0; } sub default_rule($) { my $self = shift; - my $def = GitACL::git_value('config', 'hooks.acldefault'); + my $def = GitACL::git_value('config', 'hooks.acl.default'); my $msg = "default rule"; if (defined($def)) { if ($def eq "allow") { $self->allow($msg); } elsif ($def ne "deny") { $msg .= " (warning: hooks.acldefault has invalid value)"; @@ -107,13 +107,13 @@ sub git_value(@) { close($fd); return $_; } sub match_primary_group($$) { my ($user_name,$group_name) = @_; - my ($name,$passwd,$uid,$gid,$members) = getpwnam($user_name) or return 0; + my ($name,$passwd,$uid,$gid) = getpwnam($user_name) or return 0; ($name) = getgrgid($gid) or return 0; return 1 if $name eq $group_name; return 0; } sub match_user($$) { 
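Review bot: In the `default_rule` hunk of lib/GitACL.pm the lookup now reads `hooks.acl.default`, but the diagnostic two lines below still names the old key: `$msg .= " (warning: hooks.acldefault has invalid value)";` should say `hooks.acl.default`, otherwise an operator correcting the invalid value is pointed at a key that is no longer read. `default_rule` continues past the end of the hunk.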
@@ -187,39 +187,39 @@ sub new { $obj->deny("no GIT_DIR"); } if (defined($args{debug})) { $obj->{debug} = $args{debug}; } else { - $obj->{debug} = git_value('config', '--bool', 'hooks.acldebug') || + $obj->{debug} = git_value('config', '--bool', 'hooks.acl.debug') || $ENV{GIT_UPDATE_DEBUG} > 0; } if (defined($args{logfile})) { $obj->{logfile} = $args{logfile}; } else { - $obj->{logfile} = git_value('config', 'hooks.acllog'); + $obj->{logfile} = git_value('config', 'hooks.acl.log'); } if ($obj->{logfile} && $obj->{logfile} !~ /[>|]/) { $obj->{logfile} = ">>$obj->{logfile}"; } if (defined($args{quiet})) { $obj->{quiet} = $args{quiet}; } elsif (!$obj->{debug}) { - $obj->{quiet} = git_value('config', 'hooks.aclquiet'); + $obj->{quiet} = git_value('config', 'hooks.acl.quiet'); } if (defined($args{user})) { $obj->{user_name} = $args{user}; } else { my ($u) = getpwuid $<; $obj->{user_name} = $u; } $obj->deny("no such user") unless $obj->{user_name}; - my $httpdusr = git_value('config', 'hooks.httpd-user'); + my $httpdusr = git_value('config', 'hooks.acl.httpd-user'); if (defined($httpdusr) and $obj->{user_name} eq $httpdusr) { $obj->deny("need authenticated user") unless $ENV{AUTH_TYPE}; $obj->{user_name} = $ENV{REMOTE_USER}; } $obj->{project_name} = get_project_name($obj->{git_dir}); @@ -258,13 +258,13 @@ sub new { sub check { my $self = shift; $self->info("$self->{user_name} requested $opstr{$self->{op}} ". "on $self->{ref} in $self->{project_name}"); - my $type = git_value('config', 'hooks.acltype'); + my $type = git_value('config', 'hooks.acl.type'); $type = "File" unless $type; my $r = eval("use GitACL::$type; GitACL::$type->new(\$self);"); $self->deny("unsupported acltype: $@") unless $r; $r->check_acl; diff --git a/lib/GitACL/File.pm b/lib/GitACL/File.pm index efabfd4..f72c16d 100644 --- a/lib/GitACL/File.pm +++ b/lib/GitACL/File.pm 
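Review bot: In the `new` hunk of lib/GitACL.pm, `git_value('config', '--bool', 'hooks.acl.debug') || $ENV{GIT_UPDATE_DEBUG} > 0` treats a configured `hooks.acl.debug = false` as enabled, because `git config --bool` prints the string `false`, which is true in Perl; only an unset key (undef) falls through to the environment check. Since the `elsif (!$obj->{debug})` branch a few lines down is skipped whenever `debug` is true, an explicit `false` also disables `hooks.acl.quiet`. Compare the string instead: `my $dbg = git_value('config', '--bool', 'hooks.acl.debug');` then `$obj->{debug} = (defined($dbg) && $dbg =~ /^true/) || (($ENV{GIT_UPDATE_DEBUG} || 0) > 0);` (the regex tolerates a trailing newline in case git_value does not chomp, which is not visible here). `new` starts before this hunk.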
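Review bot: In the `check` hunk of lib/GitACL.pm the renamed `hooks.acl.type` value is still interpolated into a string `eval("use GitACL::$type; ...")`, so any value other than the two documented engines is compiled as Perl code rather than rejected, and the deny message still says `unsupported acltype`. The value comes from the repository's own git config, which is normally under the administrator's control, but a fixed lookup table keeps engine selection explicit, gives a clear error for a typo, and lets the message use the new key name. This assumes `deny` does not return, as `allow` in the earlier hunk exits; `check` continues past the hunk.
```perl
    my $type = git_value('config', 'hooks.acl.type');
    $type = "File" unless $type;
    # Only the two known engines may be loaded; anything else is a config error.
    my %engine_of = (File => 'GitACL::File', LDAP => 'GitACL::LDAP');
    my $class = $engine_of{$type}
        or $self->deny("unsupported hooks.acl.type: $type");
    (my $module = "$class.pm") =~ s{::}{/}g;
    my $r = eval { require $module; $class->new($self) };
    $self->deny("cannot load $class: $@") unless $r;
    $r->check_acl;
```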
@@ -20,13 +20,13 @@ use parent 'GitACL'; sub check_acl { my $self = shift; my $fd; my $line = 0; my @ret; - my $filename = GitACL::git_value('config', 'hooks.aclfile'); + my $filename = GitACL::git_value('config', 'hooks.acl.file'); $self->allow("no ACL configured for ".$self->{project_name}) unless defined($filename); open($fd, "<", $filename) or $self->deny("cannot open configuration file: $!"); while (<$fd>) { diff --git a/lib/GitACL/LDAP.pm b/lib/GitACL/LDAP.pm index 22bfd8d..ac8fd06 100644 --- a/lib/GitACL/LDAP.pm +++ b/lib/GitACL/LDAP.pm @@ -18,13 +18,13 @@ package GitACL::LDAP; use parent 'GitACL'; use strict; use Net::LDAP; sub parse_ldap_conf { my $self = shift; - my $filename = GitACL::git_value('config', 'hooks.aclldapconf') || + my $filename = GitACL::git_value('config', 'hooks.acl.ldapconf') || "/etc/ldap.conf"; my $fd; open($fd, "<", $filename) or $self->deny("cannot open file $filename: $!"); while (<$fd>) { |
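Review bot: Renaming `hooks.aclfile` to `hooks.acl.file` in `check_acl` of lib/GitACL/File.pm has no fallback, and the line right below allows the update unconditionally when the new key is undefined, so a repository still configured with the old name silently goes from enforcing its ACL file to allowing every update after this upgrade. The same migration gap applies to the keys renamed in the lib/GitACL.pm hunks (`hooks.acl.type`, whose absence selects the File engine, plus `hooks.acl.default` and `hooks.acl.httpd-user`); the LDAP.pm hunk is less exposed because it falls back to /etc/ldap.conf. Until the old names are retired, read the old key as a fallback, e.g. `my $filename = GitACL::git_value('config', 'hooks.acl.file') || GitACL::git_value('config', 'hooks.aclfile');`, and log a deprecation notice through `$self->info` when the old key is the one that matched. `check_acl` continues past the end of the hunk.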