contrib/triggers/IP-check

   1 #!/bin/bash
   2
   3 # Check an IP before allowing access.
   4
   5 # This is also a generic example of how to add arbitrary checks at the PRE_GIT
   6 # stage, in order to control fetch/clone as well, not just push operations
   7 # (VREFs, in contrast, only work for pushes).
   8
   9 # Notice how repo-specific information is being passed to this code (bullet 3
  10 # below).  For more on that, see:
  11 # https://gitolite.com/gitolite/dev-notes#appendix-1-repo-specific-environment-variables
  12
  13 # Instructions:
  14
  15 #   1.  put this in an appropriate triggers directory (read about non-core
  16 #       code at http://gitolite.com/gitolite/non-core for more on this; the
  17 #       cookbook may also help here).
  18
  19 #   2.  add a line:
  20 #           PRE_GIT => [ 'IP-check' ],
  21 #       just before the "ENABLE" line in the rc file
  22
  23 #   3.  add a line like this to the "repo ..." section in gitolite.conf:
  24 #           option ENV.IP_allowed   =   1.2.3.0/24
  25 #       take care that this expression is valid, in the sense that passing it
  26 #       to 'ipcalc -n' will return the part before the "/".  I.e., in this
  27 #       example, 'ipcalc -n 1.2.3.0/24' should (and does) return 1.2.3.0.
  28
  29 # ----
  30
  31 [ -n "$GL_OPTION_IP_allowed" ] || exit 0
  32
  33 expected=${GL_OPTION_IP_allowed%/*}
  34     mask=${GL_OPTION_IP_allowed#*/}
  35
  36 current_ip=${SSH_CONNECTION%% *}
  37
  38 eval `ipcalc -n $current_ip/$mask`
  39
  40 [ "$expected" == "$NETWORK" ] && exit 0
  41
  42 echo >&2 "IP $current_ip does not match allowed block $GL_OPTION_IP_allowed"
  43 exit 1