authorSergey Poznyakoff <gray@gnu.org.ua>2014-07-29 20:07:44 +0300
committerSergey Poznyakoff <gray@gnu.org.ua>2014-07-29 20:07:44 +0300
commitb73431421025660d28198955c15356c086f5223f (patch)
tree8115c2a20986b61fac58dd0d3fc302c896262fee /lib
parentd745c522f462e01aa576c6f93b94cbad6c631f73 (diff)
downloadgitaclhook-b73431421025660d28198955c15356c086f5223f.tar.gz
gitaclhook-b73431421025660d28198955c15356c086f5223f.tar.bz2
Separate rules for the same user name coming from different IP addresses.
* Makefile.PL: Add Net::CIDR to the list of prerequisites.
* gitaclhook: Document the user@CIDRLIST syntax and the hooks.acl.ip-env-var variable.
* lib/GitACL.pm: Use Net::CIDR.
(match_host): New sub.
(match_user): Check the IP address against the CIDR part (if defined).
(new): Get the remote IP address from the environment.
Diffstat (limited to 'lib')
-rw-r--r--lib/GitACL.pm18
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/GitACL.pm b/lib/GitACL.pm
index cde9624..4214b3f 100644
--- a/lib/GitACL.pm
+++ b/lib/GitACL.pm
@@ -15,12 +15,13 @@
# along with gitaclhook. If not, see <http://www.gnu.org/licenses/>.
package GitACL;
use strict;
use File::Spec;
+use Net::CIDR qw (cidrlookup);
my %opstr = ('C' => 'create',
'D' => 'delete',
'U' => 'update',
'R' => 'rewind/rebase');
@@ -113,16 +114,26 @@ sub match_primary_group($$) {
my ($name,$passwd,$uid,$gid) = getpwnam($user_name) or return 0;
($name) = getgrgid($gid) or return 0;
return 1 if $name eq $group_name;
return 0;
}
+sub match_host($$) {
+ my ($ip,$iplist) = @_;
+ return 0 unless defined($ip);
+ return cidrlookup($ip, split /,/, $iplist);
+}
+
sub match_user($$) {
my ($self, $expr) = @_;
return 1 if ($expr eq 'all');
return 0 if ($expr eq 'none');
+ if ($expr =~ /(.+)@(.+)/) {
+ return 0 unless match_host($self->{ip}, $2);
+ $expr = $1;
+ }
if ($expr =~ /^%(.+)/) {
return 1 if match_primary_group($self->{user_name}, $1);
my ($name,$passwd,$gid,$members) = getgrnam($1) or return 0;
my @a = split(/\s+/,$members);
for (my $i = 0; $i <= $#a; $i++) {
return 1 if $a[$i] eq $self->{user_name};
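Review bot: In the added block of `match_user`, `$2` and then `$1` are read across the call to `match_host`, which runs its own regex via `split /,/`; the captures survive only because Perl restores them on scope exit, and the next edit that reorders these lines will silently match against the wrong text. Copy them out first: `my ($user, $cidrs) = ($1, $2);` `return 0 unless match_host($self->{ip}, $cidrs);` `$expr = $user;`. The `all`/`none` tests run before the `@` split, so an entry such as `all@CIDR` is presumably not "any user from CIDR" but falls through to the plain user-name comparison; if that is intended, a comment saying so would save the next reader a trip to the docs. `match_host` also deserves one line stating the fail-closed choice, e.g. `# no peer address known: deny rather than skip the CIDR check`. The body of `match_user` continues past the end of the hunk.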
@@ -217,12 +228,19 @@ sub new {
}
$obj->deny("no such user") unless $obj->{user_name};
my $httpdusr = git_value('config', 'hooks.acl.httpd-user');
if (defined($httpdusr) and $obj->{user_name} eq $httpdusr) {
$obj->deny("need authenticated user") unless $ENV{AUTH_TYPE};
$obj->{user_name} = $ENV{REMOTE_USER};
+ $obj->{ip} = $ENV{REMOTE_ADDR};
+ } else {
+ my $ipvar = git_value('config', 'hooks.acl.ip-env-var') or 'SSH_CLIENT';
+ if (defined($ENV{$ipvar})) {
+ my @a = split /\S/, $ENV{$ipvar}, 2;
+ $obj->{ip} = $a[0];
+ }
}
$obj->{project_name} = get_project_name($obj->{git_dir});
$obj->deny("need a ref name") unless defined($args{ref});
$obj->deny("bogus ref $args{ref}") unless $args{ref} =~ s,^refs/,,;
$obj->{ref} = $args{ref};
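Review bot: `my $ipvar = git_value('config', 'hooks.acl.ip-env-var') or 'SSH_CLIENT';` never applies the default, because low-precedence `or` binds after the assignment: `$ipvar` stays undef whenever the config key is unset and the `'SSH_CLIENT'` fallback is a no-op constant in void context. It should read `my $ipvar = git_value('config', 'hooks.acl.ip-env-var') || 'SSH_CLIENT';`. Two lines further, `split /\S/, $ENV{$ipvar}, 2` splits on non-whitespace, so for a value shaped like `1.2.3.4 5555 22` the first field is the empty string rather than the address; it should be `my @a = split /\s+/, $ENV{$ipvar}, 2;`. The combined effect is that on the SSH path `$obj->{ip}` is undef or empty and every user@CIDR rule denies, which fails closed but not in the way the commit message describes. Since whatever variable hooks.acl.ip-env-var names is trusted as the peer address, a comment such as `# the named variable must be set by the server (sshd/httpd), never forwarded from the client` would document that assumption; `new` starts before this hunk.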
