| blob | 150a89c33e540204b76fd28b5db37877b116b481 |
3 # load conf data from stored files
4 # ----------------------------------------------------------------------
7 load
9 access
10 git_config
11 env_options
13 option
14 repo_missing
15 creator
17 vrefs
18 lister_dispatch
30 # ----------------------------------------------------------------------
32 # our variables, because they get loaded by a 'do'
50 );
52 # helps maintain the "cache" in both "load_common" and "load_1"
55 # ----------------------------------------------------------------------
57 {
64 load_common();
67 }
68 }
69 }
85 # sanity check the only piece the user can control
86 _die "invalid characters in ref or filename: '$ref'\n" unless $ref =~ m(^VREF/NAME/) or $ref =~ $REF_OR_FILENAME_PATT;
87 # apparently we can't always force sanity; at least what we *return*
88 # should be sane/safe. This pattern is based on REF_OR_FILENAME_PATT.
92 # when a real repo doesn't exist, ^C is a pre-requisite for any other
93 # check to give valid results.
98 }
99 # similarly, ^C must be denied if the repo exists
103 }
116 # skip 'deny' rules if the ref is not (yet) known
120 # rule matches if ref matches or ref is any (see gitolite-shell)
127 # For repo creation, perm will be C and aa will be "^C". For branch
128 # access, $perm can be RW\+?(C|D|CD|DC)?M?, and $aa can be W, +, C or
129 # D, or any of these followed by "M".
131 # We need to turn $aa into a regex that can match a suitable $perm.
132 # This is trivially true for "^C", "W" and "D", but the others (+, C,
133 # M) need some tweaking.
135 # first, quote the '+':
137 # if aa is just "C", the user is trying to create a *branch* (not a
138 # *repo*), so let's make the pattern clearer to reflect that.
140 # if the aa is, say "WM", make this "W.*M" because the perm could be
141 # 'RW+M', 'RW+CDM' etc, and they are all valid:
146 # as far as *this* ref is concerned we're ok
150 }
155 }
157 # cache control
161 }
168 load_common();
171 }
173 # read comments bottom up
175 # and take the second and third elements to make up your new hash
177 # keep only the ones where the second element matches your key
179 # sort this list of listrefs by the first element in each list ref'd to
181 # dereference it (into a list of listrefs)
183 # take the value of that entry
185 # if it has an entry in %configs
187 # for each "repo" that represents us
190 # %configs looks like this (for each 'foo' that is in memberships())
191 # 'foo' => [ [ 6, 'foo.bar', 'repo' ], [ 7, 'foodbar', 'repoD' ], [ 8, 'foo.czar', 'jule' ] ],
192 # the first map gets you the value
193 # [ [ 6, 'foo.bar', 'repo' ], [ 7, 'foodbar', 'repoD' ], [ 8, 'foo.czar', 'jule' ] ],
194 # the deref gets you
195 # [ 6, 'foo.bar', 'repo' ], [ 7, 'foodbar', 'repoD' ], [ 8, 'foo.czar', 'jule' ]
196 # the sort rearranges it (in this case it's already sorted but anyway...)
197 # the grep gets you this, assuming the key is foo.bar (and "." is regex ".')
198 # [ 6, 'foo.bar', 'repo' ], [ 7, 'foodbar', 'repoD' ]
199 # and the final map does this:
200 # 'foo.bar'=>'repo' , 'foodbar'=>'repoD'
202 # now some of these will have an empty key; we need to delete them unless
203 # we're told empty values are OK
208 }
209 }
217 }
221 }
225 # prevent catch-22 during initial install
235 }
238 }
246 }
257 }
264 }
266 # ----------------------------------------------------------------------
272 # we take an unusual approach to caching this function!
273 # (requires that first call to load_common is before first call to load_1)
278 }
288 }
289 }
299 }
306 }
319 }
320 }
322 {
342 }
343 }
351 # however if the repo was missing, invalidate the cache
355 }
359 # fill the cache if needed
365 }
366 }
378 # first, if a repo, say, pub/sitaram/project, has a gl-creator file
379 # that says "sitaram", find memberships for pub/CREATOR/project also
382 # second, you need to check in %repos also
386 }
387 }
389 # add in any group names explicitly given in (GIT_DIR)/gl-repo-groups
395 }
400 # regexes can only be used for repos, not for users
404 }
405 }
406 }
411 # find the roles this user has when accessing this repo and add those
412 # in as groupnames he is a member of. You need the already existing
413 # memberships for this; see below this function for an example
415 }
420 }
422 =for example
424 conf/gitolite.conf:
425 @g1 = u1
426 @g2 = u1
427 # now user is a member of both g1 and g2
429 gl-perms for repo being accessed:
430 READERS @g1
432 This should result in @READERS being added to the memberships that u1 has
433 (when accessing this repo). So we send the current list (@g1, @g2) to
434 user_roles(), otherwise it has to redo that logic.
436 =cut
440 }
445 # eg == existing groups (that user is already known to be a member of)
454 }
457 # READERS u3 u4 @g1
462 # role = READERS, members = u3, u4, @g1
466 }
471 }
472 # if user eq u3/u4, or is a member of @g1, he has role READERS
474 }
475 }
478 }
485 # get the creator name. For not-yet-born repos this is $ENV{GL_USER},
486 # which should be set in all cases that we care about, viz., where we are
487 # checking ^C permissions before new_wild_repo(), and the info command.
488 # In particular, 'gitolite access' can't be used to check ^C perms on wild
489 # repos that contain "CREATOR" if GL_USER is not set.
497 }
508 }
510 {
521 }
522 }
524 # ----------------------------------------------------------------------
525 # api functions
526 # ----------------------------------------------------------------------
533 }
535 =for list_groups
536 Usage: gitolite list-groups
538 - lists all group names in conf
539 - no options, no flags
540 =cut
545 load_common();
550 }
552 }
554 =for list_users
555 Usage: gitolite list-users [<repo name pattern>]
557 List all users and groups explicitly named in a rule.
559 - you will have to run 'list-members' on each group name to expand it -- for
560 details and caveats on that please see its help message.
561 - User names not mentioned in an access rule will not show up at all (for
562 example, if you have users who only have access via an '@all' rule).
564 WARNING: may be slow if you have thousands of repos. The optional repo name
565 pattern is an unanchored regex; it can speed things up if you're interested
566 only in users of a matching set of repos. This is only an optimisation, not
567 an actual access list; you will still have to pipe it to 'gitolite access'
568 with appropriate arguments to get an actual access list.
570 NOTE: If you're running in ssh mode, it may be simpler to parse the authorized
571 keys file in ~/.ssh, like so:
572 perl -lne '/ ([a-z0-9]+)"/; print $1 if $1' < ~/.ssh/authorized_keys | sort -u
573 If you're running in http mode, only your web server knows all the potential
574 user names.
575 =cut
583 load_common();
592 }
595 }
597 =for list_repos
598 Usage: gitolite list-repos
600 - lists all repos/repo groups in conf
601 - no options, no flags
602 =cut
607 load_common();
613 }
615 =for list_memberships
616 Usage: gitolite list-memberships -u|-r <name>
618 List all groups a name is a member of. One of the flags '-u' or '-r' is
619 mandatory, to specify if the name is a user or a repo.
621 For users, the output includes the result from GROUPLIST_PGM, if it is
622 defined. For repos, the output includes any repo patterns that the repo name
623 matches, as well as any groups that contain those patterns.
624 =cut
636 );
639 load_common();
643 # unsupported/undocumented except via "in_role()" in Easy.pm
649 }
653 }
655 =for list_members
656 Usage: gitolite list-members <group name>
658 - list all members of a group
659 - takes one group name
661 '@all' is not expandable in this context. Also, if you have GROUPLIST_PGM set
662 in your rc file[1], gitolite cannot expand group names completely; only your
663 external database can.
665 [1]: http://gitolite.com/gitolite/conf.html#getting-user-group-info-from-ldap
667 =cut
674 load_common();
680 }
681 }
684 }
686 # ----------------------------------------------------------------------
688 {
695 }
700 }
701 }