search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
perms: make '-c' required for batch mode
[gitolite.git] / src / commands / perms
blobbe7be6948d11e0f636670a5bfb2e019485d73007
1 #!/usr/bin/perl
2 use strict;
3 use warnings;
4
5 use lib $ENV{GL_LIBDIR};
6 use Gitolite::Rc;
7 use Gitolite::Common;
8 use Gitolite::Easy;
9
10 =for usage
11 perms -- list or set permissions for user-created ("wild") repo.
12
13 Usage summary:
14 ssh git@host perms <repo> -l
15 # list current permissions on repo
16 ssh git@host perms <repo> -lr
17 # list available roles and their access rights
18
19 ssh git@host perms <repo> + <rolename> <username>
20 # change permissions: add a user to a role
21 ssh git@host perms <repo> - <rolename> <username>
22 # change permissions: remove a user from a role
23
24 Examples:
25 ssh git@host perms my/repo + READERS alice
26 ssh git@host perms my/repo + WRITERS bob
27
28 ----
29 There is also a batch mode useful for scripting and bulk loading; see the
30 source code of the perms command for details.
31 =cut
32
33 # BATCH MODE: DO NOT combine this with the +/- mode above. This mode also
34 # creates the repo if it does not already exist (assuming $GL_USER has
35 # permissions to create it).
36 #
37 # Example:
38 # cat copy-of-backed-up-gl-perms | ssh git@host perms -c <repo>
39
40 usage() if not @ARGV or $ARGV[0] eq '-h' or @ARGV < 2;
41
42 $ENV{GL_USER} or _die "GL_USER not set";
43
44 my $generic_error = "repo does not exist, or you are not authorised";
45
46 if ( $ARGV[1] eq '-l' ) {
47 getperms($ARGV[0]); # doesn't return
48 }
49
50 # auto-create the repo if -c passed and repo doesn't exist
51 if ( $ARGV[0] eq '-c' ) {
52 shift;
53 my $repo = $ARGV[0] or usage();
54 _die "invalid repo '$repo'" unless $repo =~ $REPONAME_PATT;
55
56 if ( not -d "$rc{GL_REPO_BASE}/$repo.git" ) {
57 unless ($ENV{GL_BYPASS_CREATOR_CHECK}) {
58 my $ret = Gitolite::Conf::Load::access( $repo, $ENV{GL_USER}, '^C', 'any' );
59 _die $generic_error if $ret =~ /DENIED/;
60 }
61
62 require Gitolite::Conf::Store;
63 Gitolite::Conf::Store->import;
64 new_wild_repo( $repo, $ENV{GL_USER}, 'perms-c' );
65 gl_log( 'create', $repo, $ENV{GL_USER}, 'perms-c' );
66 }
67 }
68
69 my $repo = shift;
70
71 if ( @ARGV and $ARGV[0] eq '-lr' ) {
72 list_roles();
73 exit 0;
74 } else {
75 setperms(@ARGV);
76 }
77
78 # cache control
79 if ($rc{CACHE}) {
80 require Gitolite::Cache;
81 Gitolite::Cache::cache_control('flush', $repo);
82 }
83
84 _system( "gitolite", "trigger", "POST_CREATE", $repo, $ENV{GL_USER}, 'perms' );
85
86 # ----------------------------------------------------------------------
87
88 sub getperms {
89 my $repo = shift;
90 _die $generic_error if not owns($repo);
91 my $pf = "$rc{GL_REPO_BASE}/$repo.git/gl-perms";
92
93 print slurp($pf) if -f $pf;
94
95 exit 0;
96 }
97
98 sub setperms {
99 _die $generic_error if not owns($repo);
100 my $pf = "$rc{GL_REPO_BASE}/$repo.git/gl-perms";
101
102 if ( not @_ ) {
103 # legacy mode; pipe data in
104 print STDERR "'batch' mode started, waiting for input (run with '-h' for details).\n";
105 print STDERR "Please enter 'cancel' to abort if you did not intend to do this.\n";
106 @ARGV = ();
107 my @a;
108 while (<>) {
109 _die "CANCELLED" if /^\s*cancel\s*$/i;
110 invalid_role($1) if /(\S+)/ and not $rc{ROLES}{$1};
111 push @a, $_;
112 }
113
114 _print( $pf, @a );
115 return;
116 }
117
118 _die "Invalid syntax. Please re-run with '-h' for detailed usage" if @_ != 3;
119 my ( $op, $role, $user ) = @_;
120 _die "Invalid syntax. Please re-run with '-h' for detailed usage" if $op ne '+' and $op ne '-';
121 _die "Invalid user '$user'" if not $user =~ $USERNAME_PATT;
122
123 my $text = '';
124 my @text = slurp($pf) if -f $pf;
125
126 my $present = grep { $_ eq "$role $user\n" } @text;
127
128 if ( $op eq '-' ) {
129 if ( not $present ) {
130 _warn "'$role $user' was not present in file";
131 } else {
132 @text = grep { $_ ne "$role $user\n" } @text;
133 _print( $pf, @text );
134 }
135 } else {
136 invalid_role($role) unless grep { $_->[3] eq $role } load_roles();
137 if ($present) {
138 _warn "'$role $user' already present in file";
139 } else {
140 push @text, "$role $user\n";
141 @text = sort @text;
142 _print( $pf, @text );
143 }
144 }
145 }
146
147 my @rules;
148
149 sub load_roles {
150 return @rules if @rules;
151
152 require Gitolite::Conf::Load;
153 Gitolite::Conf::Load::load($repo);
154
155 my %repos = %Gitolite::Conf::Load::repos;
156 my @repo_memberships = Gitolite::Conf::Load::memberships('repo', $repo);
157
158 for my $rp (@repo_memberships) {
159 my $hr = $repos{$rp};
160 for my $r ( keys %$hr ) {
161 next unless $r =~ s/^@//;
162 next unless $rc{ROLES}{$r};
163 map { $_->[3] = $r } @{ $hr->{"\@$r"} };
164 push @rules, @{ $hr->{"\@$r"} };
165 }
166 }
167 return @rules;
168 }
169
170 sub invalid_role {
171 my $role = shift;
172
173 print STDERR "Invalid role '$role'; valid roles for this repo:\n";
174 open(STDOUT, '>&', \*STDERR); # make list_roles print to STDERR
175 list_roles();
176 exit 1;
177 }
178
179 sub list_roles {
180
181 my @rules = sort { $a->[0] <=> $b->[0] } load_roles();
182
183 for (@rules) {
184 $_->[2] =~ s(^refs/heads/)();
185 $_->[2] = '--any--' if $_->[2] eq 'refs/.*';
186 }
187
188 my $max = 0;
189 map { $max = $_ if $_ > $max } map { length($_->[2]) } @rules;
190 printf("\t%s\t%*s\t \t%s\n", "perm", -$max, "ref", "role");
191 printf("\t%s\t%*s\t \t%s\n", "----", -$max, "---", "----");
192 printf("\t%s\t%*s\t=\t%s\n", $_->[1], -$max, $_->[2], $_->[3]) for @rules;
193 }