From 9e6f5e5fe3c9422f5ab7182e88e8cfd05470c86c Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff Date: Fri, 21 Jun 2013 16:47:52 +0300 Subject: gitaclhook: Implement test mode. --- gitaclhook | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 71 insertions(+), 5 deletions(-) (limited to 'gitaclhook') diff --git a/gitaclhook b/gitaclhook index dd31dd8..c2dfdb8 100755 --- a/gitaclhook +++ b/gitaclhook @@ -27,6 +27,8 @@ gitaclhook - control access to git repositories B I I I +B B<--test> I I I I + B =head1 DESCRIPTION @@ -173,6 +175,55 @@ from the environment variable B. =back +=head1 TEST MODE + +The B<--test> option provides a mechanism for testing access control lists +from the command line. When given this option, B expects four +arguments: + +=over 4 + +B B<--test> I I I I + +=back + +I is a pathname of the repository to test, I is the username, +I is the operation code and I is the reference. + +=head1 ENVIRONMENT + +The program uses following environment variables: + +=over 4 + +=item B + +When set to 1, enables debugging mode. The B +configuration variable overrides this setting. + +=item B + +Path to the affected repository. + +=back + +If updates are performed via HTTP or HTTPS and the B +configuration variable is set, the following two variables are used +to determine the identity of the user: + +=over 4 + +=item B + +If this variable is not set or set to an empty value, the program will +deny the update. + +=item B + +The authenticated name of the user. + +=back + =head1 SEE ALSO B(1). @@ -243,6 +294,13 @@ sub info($) { print STDERR "info: $_[0]\n" if $debug; } +sub project_name($) { + my $dir = shift; + + File::Spec->rel2abs($dir) =~ m,/([^/]+)(?:\.git|/\.git)$,; + return $1; +} + sub git_value(@) { my $fd; 
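Review bot: `project_name` returns `$1` without checking that the match succeeded, and in Perl a failed match does not reset the capture variables. A path that does not end in `.git` or `/.git` (a trailing slash is enough) therefore yields undef or a stale capture from an earlier match, and that value becomes the project name the ACL lines are compared against. Capturing in list context avoids the stale value: `my ($name) = File::Spec->rel2abs($dir) =~ m,/([^/]+)(?:\.git|/\.git)$,;` followed by `return $name;`. Both callers, the `--test` branch and the `$project_name = project_name($git_dir);` assignment in the last hunk, should then deny when the result is undefined, for example `deny "cannot determine project name" unless defined $project_name;`.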
@@ -302,7 +360,7 @@ sub check_acl($$$) { unless ($x[0] eq 'allow' || $x[0] eq 'deny'); deny("malformed line", "$filename:$line") unless $#x >= 2; - + next if ($x[1] ne "*" and $x[1] ne $project); next unless match_user($x[2]); next if ($#x >= 3 && index(uc $x[3], $op) == -1); @@ -321,6 +379,16 @@ sub check_acl($$$) { # Sanity checks unless ($git_dir) { pod2usage(-exitstatus => 0, -verbose => 2) if ($ref eq "--help"); + if ($ref eq "--test") { + deny("--test requires four arguments") unless ($#ARGV == 4); + $ENV{GIT_DIR} = $ARGV[1]; + $user_name = $ARGV[2]; + $op = $ARGV[3]; + deny("invalid op") unless defined($opstr{$op}); + $ref = $ARGV[4]; + check_acl(project_name($ARGV[1]), $op, $ref); + exit(0); + } deny "try \"$0 --help\" for fore info" } @@ -333,7 +401,7 @@ $quiet = git_value('config', 'hooks.aclquiet') unless ($debug); my $httpdusr = git_value('config', 'hooks.httpd-user'); if (defined($httpdusr) and $user_name eq $httpdusr) { - deny "need authenticated user" unless defined($ENV{AUTH_TYPE}); + deny "need authenticated user" unless $ENV{AUTH_TYPE}; $user_name = $ENV{REMOTE_USER}; } @@ -344,9 +412,7 @@ deny "bad new value $new" unless $new =~ /^[a-z0-9]{40}$/; deny "no such user" unless $user_name; allow "no change requested" if $old eq $new; -$project_name = File::Spec->rel2abs($git_dir); -$project_name =~ m,/([^/]+)(?:\.git|/\.git)$,; -$project_name = $1; +$project_name = project_name($git_dir); if ($old =~ /^0{40}$/) { $op = 'C'; -- cgit v1.2.1
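Review bot: The `--test` branch calls `check_acl` and exits before the sanity checks that the hook path applies further down, so a test run can report a verdict for input the real hook would reject outright. The `deny "no such user" unless $user_name;` check visible in the last hunk is one example, since an empty user argument passes straight through here; repeating that line after `$user_name = $ARGV[2];` keeps the two paths in agreement. The branch also ends in `exit(0)`, and the end of `check_acl` is outside the hunk: if it can return without calling allow or deny, a request that matched no rule exits with success status. An explicit final verdict in place of the bare `exit(0)` would make the test result unambiguous.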