src/commands/config

   1 #!/usr/bin/perl
   2 use 5.10.0;
   3
   4 # ---- WARNING ----
   5
   6 # If your site makes a distinction between "right to push the admin repo" and
   7 # "right to run arbitrary commands on the server" (i.e., if not all of your
   8 # "admins" have shell access to the server), this is a security risk. If that
   9 # is the case, DO NOT ENABLE THIS COMMAND.
  10
  11 # ----------------------------------------------------------------------
  12 # gitolite command to allow "git config" on repos (with some restrictions)
  13
  14 # (Not to be confused with the 'git-config' command, which is used only in
  15 # server-side scripts, not remotely.)
  16
  17 # setup:
  18 #   1.  Enable the command by adding it to the COMMANDS section in the ENABLE
  19 #       list in the rc file.  (Have you read the warning above?)
  20 #
  21 #   2.  Specify configs allowed to be changed by the user.  This is a space
  22 #       separated regex list.  For example:
  23
  24 #           repo ...
  25 #               ... (various rules) ...
  26 #               option user-configs = hook\..* foo.bar[0-9].*
  27
  28 use strict;
  29 use warnings;
  30
  31 use lib $ENV{GL_LIBDIR};
  32 use Gitolite::Easy;
  33 use Gitolite::Common;
  34
  35 # ----------------------------------------------------------------------
  36 # usage
  37
  38 =for usage
  39 Usage:    ssh git@host config <repo> [git config options]
  40
  41 Runs "git config" in the repo.  Only the following 3 syntaxes are supported
  42 (see 'man git-config'):
  43
  44           --add name value
  45       --get-all name
  46     --unset-all name
  47          --list
  48
  49 Your administrator should tell you what keys are allowed for the "name".
  50 =cut
  51
  52 # ----------------------------------------------------------------------
  53 # arg checks
  54
  55 my %nargs = qw(
  56           --add 3
  57       --get-all 2
  58     --unset-all 2
  59          --list 1
  60      );
  61
  62 usage() if not @ARGV or $ARGV[0] eq '-h';
  63
  64 my $repo = shift;
  65
  66 my $op = shift;
  67 usage() unless $op and exists $nargs{$op};
  68
  69 # ----------------------------------------------------------------------
  70 # authorisation checks
  71
  72 die "sorry, you are not authorised\n" unless
  73     owns($repo)
  74         or
  75     ( ( $op eq '--get-all' or $op eq '--list' )
  76         ? can_read($repo)
  77         : ( can_write($repo) and option( $repo, 'writer-is-owner' ) )
  78     );
  79
  80 # ----------------------------------------------------------------------
  81 # key validity checks
  82
  83 unless ($op eq '--list') {
  84     my $key = shift;
  85
  86     my $val = '';
  87     $val = join(" ", @ARGV) if @ARGV;
  88     # values with spaces embedded get flattened by sshd when it passes
  89     # SSH_ORIGINAL_COMMAND to gitolite.  In this specific instance, we will
  90     # pretend we know what the user meant, and join up the last 1+ args into
  91     # one space-separated arg.
  92
  93     my $user_configs = option( $repo, 'user-configs' );
  94     # this is a space separated list of allowed config keys
  95     my @validkeys = split( ' ', ( $user_configs || '' ) );
  96     my @matched = grep { $key =~ /^$_$/i } @validkeys;
  97     _die "config '$key' not allowed\n" if ( @matched < 1 );
  98
  99     @ARGV = ($key);
 100     push @ARGV, $val if $val;
 101 }
 102
 103 # ----------------------------------------------------------------------
 104 # go!
 105
 106 unshift @ARGV, $op;
 107 usage() unless @ARGV == $nargs{$op};
 108
 109 _chdir("$rc{GL_REPO_BASE}/$repo.git");
 110 _system( "git", "config", @ARGV );