author | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-29 20:07:44 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2014-07-29 20:07:44 +0300 |
commit | b73431421025660d28198955c15356c086f5223f (patch) | |
tree | 8115c2a20986b61fac58dd0d3fc302c896262fee /lib/GitACL.pm | |
parent | d745c522f462e01aa576c6f93b94cbad6c631f73 (diff) | |
download | gitaclhook-b73431421025660d28198955c15356c086f5223f.tar.gz gitaclhook-b73431421025660d28198955c15356c086f5223f.tar.bz2 |
Separate rules for the same user name coming from different IP addresses.
* Makefile.PL: Add Net::CIDR to the list of prerequisites.
* gitaclhook: Document user@CIDRLIST syntax and the hooks.acl.ip-env-var
variable.
* lib/GitACL.pm: Use Net::CIDR
(match_host): New sub.
(match_user): Check IP against cidr part (if defined).
(new): Get remote IP address from environment.
Diffstat (limited to 'lib/GitACL.pm')
-rw-r--r-- | lib/GitACL.pm | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/GitACL.pm b/lib/GitACL.pm
index cde9624..4214b3f 100644
--- a/lib/GitACL.pm
+++ b/lib/GitACL.pm
@@ -18,6 +18,7 @@ package GitACL;
 use strict;
 use File::Spec;
+use Net::CIDR qw (cidrlookup);
 my %opstr = ('C' => 'create', 'D' => 'delete',
@@ -116,10 +117,20 @@ sub match_primary_group($$) {
 return 0;
 }
+sub match_host($$) {
+ my ($ip,$iplist) = @_;
+ return 0 unless defined($ip);
+ return cidrlookup($ip, split /,/, $iplist);
+}
+
 sub match_user($$) {
 my ($self, $expr) = @_;
 return 1 if ($expr eq 'all');
 return 0 if ($expr eq 'none');
+ if ($expr =~ /(.+)@(.+)/) {
+ return 0 unless match_host($self->{ip}, $2);
+ $expr = $1;
+ }
 if ($expr =~ /^%(.+)/) {
 return 1 if match_primary_group($self->{user_name}, $1);
 my ($name,$passwd,$gid,$members) = getgrnam($1) or return 0;
@@ -220,6 +231,13 @@ sub new {
 if (defined($httpdusr) and $obj->{user_name} eq $httpdusr) {
 $obj->deny("need authenticated user") unless $ENV{AUTH_TYPE};
 $obj->{user_name} = $ENV{REMOTE_USER};
+ $obj->{ip} = $ENV{REMOTE_ADDR};
+ } else {
+ my $ipvar = git_value('config', 'hooks.acl.ip-env-var') or 'SSH_CLIENT';
+ if (defined($ENV{$ipvar})) {
+ my @a = split /\S/, $ENV{$ipvar}, 2;
+ $obj->{ip} = $a[0];
+ }
 }
 $obj->{project_name} = get_project_name($obj->{git_dir}); |
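Review bot: In match_user the new `user@CIDRLIST` split runs after the `all` and `none` checks, so a rule such as `all@192.0.2.0/24` (constructed example) reaches the code below the hunk with `$expr` set to the literal string `all`. Unless that later code, which is not visible here, treats it specially, the rule will only match a user actually named "all". Moving the `if ($expr =~ /(.+)@(.+)/) { ... }` block above `return 1 if ($expr eq 'all');` makes the keywords honour the address restriction. The pattern is also unanchored; `/^(.+)@([^@]+)$/` would state the intended split explicitly. In match_host it is worth a comment that an undefined `$ip` makes every CIDR-scoped rule a non-match, which only fails closed when the rule grants access.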
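Review bot: In the `else` branch of `new`, the `'SSH_CLIENT'` default is never applied: `or` binds more loosely than `=`, so `$ipvar` is just the result of `git_value(...)` and is undefined when `hooks.acl.ip-env-var` is unset; use `my $ipvar = git_value('config', 'hooks.acl.ip-env-var') || 'SSH_CLIENT';`. The next statement splits on `/\S/` (non-whitespace), so the first field is an empty string rather than the address; `my @a = split /\s+/, $ENV{$ipvar}, 2;` is presumably what was meant. As written, `$obj->{ip}` for non-HTTP pushes is either unset or empty, so `user@CIDRLIST` rules cannot match those users; that fails open if such a rule is a deny entry. For the HTTP branch a comment should record that `REMOTE_ADDR` is the proxy's address when the server sits behind a reverse proxy. The body of `new` continues outside the hunk.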