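#!/bin/bash
#
# Git `update` hook implementing ref-level access control.
# git-receive-pack runs it as:  update <refname> <old-object> <new-object>
# and the push is rejected when the hook exits non-zero.
# Policy inputs live in $GIT_DIR/info/allowed-users and
# $GIT_DIR/info/allowed-groups (see the checks further down).
#
umask 002

# If you are having trouble with this access control hook script
# you can try setting this to true. It will tell you exactly
# why a user is being allowed/denied access.
verbose=true

# Disable pathname expansion. The access-list files hold regular
# expressions such as ".*" that are word-split with unquoted expansions
# downstream; with globbing on, a pattern could silently expand to the
# names of files in the current directory. `set -f` is the explicit switch
# for this (the old GLOBIGNORE=* trick only disabled globbing as a side
# effect).
set -f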
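#######################################
# Record a positive access decision and stop.
# Globals:   verbose (read) - when "true", explain the decision on stderr
# Arguments: $1 - human-readable reason
# Outputs:   the word "grant" on stdout; callers that run this inside a
#            $(...) pipeline read that word to learn the decision
# Returns:   exits 0 (only the enclosing subshell when run in a pipeline)
#######################################
grant() {
  # Compare the flag instead of executing its value as a command.
  [[ "$verbose" == true ]] && printf '%s\n' "-Grant- $1" >&2
  echo grant
  exit 0
}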
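#######################################
# Record a negative access decision and stop.
# Globals:   verbose (read) - when "true", explain the decision on stderr
# Arguments: $1 - human-readable reason
# Outputs:   the word "deny" on stdout; callers that run this inside a
#            $(...) pipeline read that word to learn the decision
# Returns:   exits 1, which makes git reject the ref update
#            (only the enclosing subshell exits when run in a pipeline)
#######################################
deny() {
  # Compare the flag instead of executing its value as a command.
  [[ "$verbose" == true ]] && printf '%s\n' "-Deny- $1" >&2
  echo deny
  exit 1
}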
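#######################################
# Emit a diagnostic line when verbose output is enabled.
# Globals:   verbose (read)
# Arguments: $1 - message
# Outputs:   "-Info- <message>" on stderr when verbose is "true"
# Returns:   always 0, so callers can chain it safely
#######################################
info() {
  if [[ "$verbose" == true ]]; then
    printf '%s\n' "-Info- $1" >&2
  fi
  return 0
}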
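info "Committing $1"

# Implement generic branch and tag policies.
# - Tags should not be updated once created.
# - Branches should only be fast-forwarded.
#
# $1 = refname, $2 = old object name, $3 = new object name. git passes an
# all-zero object name for $2 when the ref is being created and for $3
# when it is being deleted.
case "$1" in
  refs/tags/*)
    # The old object name git hands us is the authoritative "does this
    # ref already exist" signal. Testing -f "$GIT_DIR/$1" only sees loose
    # refs: a tag that has been packed into packed-refs would pass that
    # test and could be overwritten.
    if ! expr "$2" : '0*$' >/dev/null; then
      deny >/dev/null "You can't overwrite an existing tag"
    fi
    ;;
  refs/heads/*)
    # No rebasing or rewinding
    if expr "$2" : '0*$' >/dev/null; then
      info "The branch '$1' is new..."
    elif expr "$3" : '0*$' >/dev/null; then
      # Deleting a branch rewinds it to nothing; say so instead of letting
      # merge-base fail on the zero object name.
      deny >/dev/null "Branch deletion is not a fast-forward update."
    else
      # updating -- make sure it is a fast forward: the old tip must be the
      # merge base of old and new. (`git merge-base`; the dashed
      # git-merge-base form is no longer installed on PATH.)
      mb=$(git merge-base "$2" "$3") ||
        deny >/dev/null "Cannot determine the merge base of '$2' and '$3'."
      case "$mb,$2" in
        "$2,$mb") info "Update is fast-forward" ;;
        *) deny >/dev/null "This is not a fast-forward update." ;;
      esac
    fi
    ;;
  *)
    deny >/dev/null \
      "Branch is not under refs/heads or refs/tags. What are you trying to do?"
    ;;
esac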
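# Implement per-branch controls based on username.
# Each non-comment, non-blank line of the allowed-users file reads
#   <ref regex> <user regex> [<user regex> ...]
# The first line whose ref regex matches the whole of $1 decides: grant if
# the pushing user's name fully matches one of its user regexes, deny
# otherwise. When no line matches, fall through to the next check.
allowed_users_file=$GIT_DIR/info/allowed-users
username=$(id -u -n)

if [ -f "$allowed_users_file" ]; then
  # The while loop runs in a subshell, so grant/deny only leave the
  # pipeline; their stdout ("grant"/"deny") is captured in rc and acted
  # on below. read -r keeps backslashes in the regexes intact.
  rc=$(grep -v -e '^#' -e '^$' -- "$allowed_users_file" |
    while read -r head_pattern user_patterns; do
      # expr prints how many leading characters the regex matched; a match
      # as long as the string means the whole string matched (anchored at
      # both ends).
      matchlen=$(expr "$1" : "$head_pattern")
      if [ "$matchlen" == "${#1}" ]; then
        info "Found matching head pattern: '$head_pattern'"
        for user_pattern in $user_patterns; do
          info "Checking user: '$username' against pattern: '$user_pattern'"
          matchlen=$(expr "$username" : "$user_pattern")
          if [ "$matchlen" == "${#username}" ]; then
            grant "Allowing user: '$username' with pattern: '$user_pattern'"
          fi
        done
        deny "The user is not in the access list for this branch"
      fi
    done)

  case "$rc" in
    grant) grant >/dev/null "Granting access based on $allowed_users_file" ;;
    deny) deny >/dev/null "Denying access based on $allowed_users_file" ;;
    *) ;;
  esac
fi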
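# Then based on group.
# Same file format as allowed-users, but the patterns after the ref regex
# are matched against every group the pushing user belongs to.
allowed_groups_file=$GIT_DIR/info/allowed-groups
groups=$(id -G -n)
info "The user belongs to the following groups:"
info "'$groups'"

if [ -f "$allowed_groups_file" ]; then
  # Subshell pipeline as above: grant/deny write their decision to stdout,
  # which is captured in rc. read -r keeps backslashes in the regexes.
  rc=$(grep -v -e '^#' -e '^$' -- "$allowed_groups_file" |
    while read -r head_pattern group_patterns; do
      # Whole-string match: expr's matched length must equal the length.
      matchlen=$(expr "$1" : "$head_pattern")
      if [ "$matchlen" == "${#1}" ]; then
        info "Found matching head pattern: '$head_pattern'"
        for group_pattern in $group_patterns; do
          for groupname in $groups; do
            info "Checking group: '$groupname' against pattern: '$group_pattern'"
            matchlen=$(expr "$groupname" : "$group_pattern")
            if [ "$matchlen" == "${#groupname}" ]; then
              grant "Allowing group: '$groupname' with pattern: '$group_pattern'"
            fi
          done
        done
        deny "None of the user's groups are in the access list for this branch"
      fi
    done)

  case "$rc" in
    grant) grant >/dev/null "Granting access based on $allowed_groups_file" ;;
    deny) deny >/dev/null "Denying access based on $allowed_groups_file" ;;
    *) ;;
  esac
fi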
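# Who can create tags.
# A ref under refs/tags/ is additionally checked against the allowed-users
# line whose ref regex matches the literal string "refs/tags" (the earlier
# per-ref check only considered lines matching the full tag name).
tagmatch=$(expr "$1" : "refs/tags")
info "\$1 = $1, tagmatch = $tagmatch"

# expr printed the matched length; "refs/tags" is 9 characters.
if [ "$tagmatch" == "9" ]; then
  # We are creating a tag
  if [ -f "$allowed_users_file" ]; then
    # Subshell pipeline: grant/deny write their decision to stdout, which
    # is captured in rc. read -r keeps backslashes in the regexes.
    rc=$(grep -v -e '^#' -e '^$' -- "$allowed_users_file" |
      while read -r head_pattern user_patterns; do
        matchlen=$(expr "refs/tags" : "$head_pattern")
        if [ "$matchlen" == "9" ]; then
          info "Found matching tag pattern: '$head_pattern'"
          for user_pattern in $user_patterns; do
            info "Checking user: '$username' against pattern: '$user_pattern'"
            matchlen=$(expr "$username" : "$user_pattern")
            if [ "$matchlen" == "${#username}" ]; then
              grant "Allowing user: '$username' with pattern: '$user_pattern'"
            fi
          done
          deny "The user is not in the access list for refs/tags "
        fi
      done)

    case "$rc" in
      grant) grant >/dev/null "Granting access based on $allowed_users_file" ;;
      deny) deny >/dev/null "Denying access based on $allowed_users_file" ;;
      *) ;;
    esac
  fi
fi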
# Default-deny: no rule above granted access, so the update is refused.
deny "There are no more rules to check. Denying access" >/dev/null