|  | #!/usr/bin/perl | 
|  |  | 
|  | use strict; | 
|  | use File::Spec; | 
|  |  | 
|  | $ENV{PATH}     = '/opt/git/bin'; | 
|  | my $acl_git    = '/vcs/acls.git'; | 
|  | my $acl_branch = 'refs/heads/master'; | 
|  | my $debug      = 0; | 
|  |  | 
|  | =doc | 
|  | Invoked as: update refname old-sha1 new-sha1 | 
|  |  | 
|  | This script is run by git-receive-pack once for each ref that the | 
|  | client is trying to modify.  If we exit with a non-zero exit value | 
|  | then the update for that particular ref is denied, but updates for | 
|  | other refs in the same run of receive-pack may still be allowed. | 
|  |  | 
|  | We are run after the objects have been uploaded, but before the | 
|  | ref is actually modified.  We take advantage of that fact when we | 
|  | look for "new" commits and tags (the new objects won't show up in | 
|  | `rev-list --all`). | 
|  |  | 
|  | This script loads and parses the content of the config file | 
|  | "users/$this_user.acl" from the $acl_branch commit of $acl_git ODB. | 
|  | The acl file is a git-config style file, but uses a slightly more | 
|  | restricted syntax as the Perl parser contained within this script | 
|  | is not nearly as permissive as git-config. | 
|  |  | 
|  | Example: | 
|  |  | 
|  | [user] | 
|  | committer = John Doe <john.doe@example.com> | 
|  | committer = John R. Doe <john.doe@example.com> | 
|  |  | 
|  | [repository "acls"] | 
|  | allow = heads/master | 
|  | allow = CDUR for heads/jd/ | 
|  | allow = C    for ^tags/v\\d+$ | 
|  |  | 
|  | For all new commit or tag objects the committer (or tagger) line | 
|  | within the object must exactly match one of the user.committer | 
|  | values listed in the acl file ("HEAD:users/$this_user.acl"). | 
|  |  | 
|  | For a branch to be modified an allow line within the matching | 
|  | repository section must be matched for both the refname and the | 
|  | opcode. | 
|  |  | 
|  | Repository sections are matched on the basename of the repository | 
|  | (after removing the .git suffix). | 
|  |  | 
|  | The opcode abbrevations are: | 
|  |  | 
|  | C: create new ref | 
|  | D: delete existing ref | 
|  | U: fast-forward existing ref (no commit loss) | 
|  | R: rewind/rebase existing ref (commit loss) | 
|  |  | 
|  | if no opcodes are listed before the "for" keyword then "U" (for | 
|  | fast-forward update only) is assumed as this is the most common | 
|  | usage. | 
|  |  | 
|  | Refnames are matched by always assuming a prefix of "refs/". | 
|  | This hook forbids pushing or deleting anything not under "refs/". | 
|  |  | 
|  | Refnames that start with ^ are Perl regular expressions, and the ^ | 
|  | is kept as part of the regexp.  \\ is needed to get just one \, so | 
|  | \\d expands to \d in Perl.  The 3rd allow line above is an example. | 
|  |  | 
|  | Refnames that don't start with ^ but that end with / are prefix | 
|  | matches (2nd allow line above); all other refnames are strict | 
|  | equality matches (1st allow line). | 
|  |  | 
|  | Anything pushed to "heads/" (ok, really "refs/heads/") must be | 
|  | a commit.  Tags are not permitted here. | 
|  |  | 
|  | Anything pushed to "tags/" (err, really "refs/tags/") must be an | 
|  | annotated tag.  Commits, blobs, trees, etc. are not permitted here. | 
|  | Annotated tag signatures aren't checked, nor are they required. | 
|  |  | 
|  | The special subrepository of 'info/new-commit-check' can | 
|  | be created and used to allow users to push new commits and | 
|  | tags from another local repository to this one, even if they | 
|  | aren't the committer/tagger of those objects.  In a nut shell | 
|  | the info/new-commit-check directory is a Git repository whose | 
|  | objects/info/alternates file lists this repository and all other | 
|  | possible sources, and whose refs subdirectory contains symlinks | 
|  | to this repository's refs subdirectory, and to all other possible | 
|  | sources refs subdirectories.  Yes, this means that you cannot | 
|  | use packed-refs in those repositories as they won't be resolved | 
|  | correctly. | 
|  |  | 
|  | =cut | 
|  |  | 
|  | my $git_dir = $ENV{GIT_DIR}; | 
|  | my $new_commit_check = "$git_dir/info/new-commit-check"; | 
|  | my $ref = $ARGV[0]; | 
|  | my $old = $ARGV[1]; | 
|  | my $new = $ARGV[2]; | 
|  | my $new_type; | 
|  | my ($this_user) = getpwuid $<; # REAL_USER_ID | 
|  | my $repository_name; | 
|  | my %user_committer; | 
|  | my @allow_rules; | 
|  | my @path_rules; | 
|  | my %diff_cache; | 
|  |  | 
|  | sub deny ($) { | 
|  | print STDERR "-Deny-    $_[0]\n" if $debug; | 
|  | print STDERR "\ndenied: $_[0]\n\n"; | 
|  | exit 1; | 
|  | } | 
|  |  | 
|  | sub grant ($) { | 
|  | print STDERR "-Grant-   $_[0]\n" if $debug; | 
|  | exit 0; | 
|  | } | 
|  |  | 
|  | sub info ($) { | 
|  | print STDERR "-Info-    $_[0]\n" if $debug; | 
|  | } | 
|  |  | 
|  | sub git_value (@) { | 
|  | open(T,'-|','git',@_); local $_ = <T>; chop; close T; $_; | 
|  | } | 
|  |  | 
|  | sub match_string ($$) { | 
|  | my ($acl_n, $ref) = @_; | 
|  | ($acl_n eq $ref) | 
|  | || ($acl_n =~ m,/$, && substr($ref,0,length $acl_n) eq $acl_n) | 
|  | || ($acl_n =~ m,^\^, && $ref =~ m:$acl_n:); | 
|  | } | 
|  |  | 
|  | sub parse_config ($$$$) { | 
|  | my $data = shift; | 
|  | local $ENV{GIT_DIR} = shift; | 
|  | my $br = shift; | 
|  | my $fn = shift; | 
|  | return unless git_value('rev-list','--max-count=1',$br,'--',$fn); | 
|  | info "Loading $br:$fn"; | 
|  | open(I,'-|','git','cat-file','blob',"$br:$fn"); | 
|  | my $section = ''; | 
|  | while (<I>) { | 
|  | chomp; | 
|  | if (/^\s*$/ || /^\s*#/) { | 
|  | } elsif (/^\[([a-z]+)\]$/i) { | 
|  | $section = lc $1; | 
|  | } elsif (/^\[([a-z]+)\s+"(.*)"\]$/i) { | 
|  | $section = join('.',lc $1,$2); | 
|  | } elsif (/^\s*([a-z][a-z0-9]+)\s*=\s*(.*?)\s*$/i) { | 
|  | push @{$data->{join('.',$section,lc $1)}}, $2; | 
|  | } else { | 
|  | deny "bad config file line $. in $br:$fn"; | 
|  | } | 
|  | } | 
|  | close I; | 
|  | } | 
|  |  | 
|  | sub all_new_committers () { | 
|  | local $ENV{GIT_DIR} = $git_dir; | 
|  | $ENV{GIT_DIR} = $new_commit_check if -d $new_commit_check; | 
|  |  | 
|  | info "Getting committers of new commits."; | 
|  | my %used; | 
|  | open(T,'-|','git','rev-list','--pretty=raw',$new,'--not','--all'); | 
|  | while (<T>) { | 
|  | next unless s/^committer //; | 
|  | chop; | 
|  | s/>.*$/>/; | 
|  | info "Found $_." unless $used{$_}++; | 
|  | } | 
|  | close T; | 
|  | info "No new commits." unless %used; | 
|  | keys %used; | 
|  | } | 
|  |  | 
|  | sub all_new_taggers () { | 
|  | my %exists; | 
|  | open(T,'-|','git','for-each-ref','--format=%(objectname)','refs/tags'); | 
|  | while (<T>) { | 
|  | chop; | 
|  | $exists{$_} = 1; | 
|  | } | 
|  | close T; | 
|  |  | 
|  | info "Getting taggers of new tags."; | 
|  | my %used; | 
|  | my $obj = $new; | 
|  | my $obj_type = $new_type; | 
|  | while ($obj_type eq 'tag') { | 
|  | last if $exists{$obj}; | 
|  | $obj_type = ''; | 
|  | open(T,'-|','git','cat-file','tag',$obj); | 
|  | while (<T>) { | 
|  | chop; | 
|  | if (/^object ([a-z0-9]{40})$/) { | 
|  | $obj = $1; | 
|  | } elsif (/^type (.+)$/) { | 
|  | $obj_type = $1; | 
|  | } elsif (s/^tagger //) { | 
|  | s/>.*$/>/; | 
|  | info "Found $_." unless $used{$_}++; | 
|  | last; | 
|  | } | 
|  | } | 
|  | close T; | 
|  | } | 
|  | info "No new tags." unless %used; | 
|  | keys %used; | 
|  | } | 
|  |  | 
|  | sub check_committers (@) { | 
|  | my @bad; | 
|  | foreach (@_) { push @bad, $_ unless $user_committer{$_}; } | 
|  | if (@bad) { | 
|  | print STDERR "\n"; | 
|  | print STDERR "You are not $_.\n" foreach (sort @bad); | 
|  | deny "You cannot push changes not committed by you."; | 
|  | } | 
|  | } | 
|  |  | 
|  | sub load_diff ($) { | 
|  | my $base = shift; | 
|  | my $d = $diff_cache{$base}; | 
|  | unless ($d) { | 
|  | local $/ = "\0"; | 
|  | my %this_diff; | 
|  | if ($base =~ /^0{40}$/) { | 
|  | # Don't load the diff at all; we are making the | 
|  | # branch and have no base to compare to in this | 
|  | # case.  A file level ACL makes no sense in this | 
|  | # context.  Having an empty diff will allow the | 
|  | # branch creation. | 
|  | # | 
|  | } else { | 
|  | open(T,'-|','git','diff-tree', | 
|  | '-r','--name-status','-z', | 
|  | $base,$new) or return undef; | 
|  | while (<T>) { | 
|  | my $op = $_; | 
|  | chop $op; | 
|  |  | 
|  | my $path = <T>; | 
|  | chop $path; | 
|  |  | 
|  | $this_diff{$path} = $op; | 
|  | } | 
|  | close T or return undef; | 
|  | } | 
|  | $d = \%this_diff; | 
|  | $diff_cache{$base} = $d; | 
|  | } | 
|  | return $d; | 
|  | } | 
|  |  | 
|  | deny "No GIT_DIR inherited from caller" unless $git_dir; | 
|  | deny "Need a ref name" unless $ref; | 
|  | deny "Refusing funny ref $ref" unless $ref =~ s,^refs/,,; | 
|  | deny "Bad old value $old" unless $old =~ /^[a-z0-9]{40}$/; | 
|  | deny "Bad new value $new" unless $new =~ /^[a-z0-9]{40}$/; | 
|  | deny "Cannot determine who you are." unless $this_user; | 
|  | grant "No change requested." if $old eq $new; | 
|  |  | 
|  | $repository_name = File::Spec->rel2abs($git_dir); | 
|  | $repository_name =~ m,/([^/]+)(?:\.git|/\.git)$,; | 
|  | $repository_name = $1; | 
|  | info "Updating in '$repository_name'."; | 
|  |  | 
|  | my $op; | 
|  | if    ($old =~ /^0{40}$/) { $op = 'C'; } | 
|  | elsif ($new =~ /^0{40}$/) { $op = 'D'; } | 
|  | else                      { $op = 'R'; } | 
|  |  | 
|  | # This is really an update (fast-forward) if the | 
|  | # merge base of $old and $new is $old. | 
|  | # | 
|  | $op = 'U' if ($op eq 'R' | 
|  | && $ref =~ m,^heads/, | 
|  | && $old eq git_value('merge-base',$old,$new)); | 
|  |  | 
|  | # Load the user's ACL file. Expand groups (user.memberof) one level. | 
|  | { | 
|  | my %data = ('user.committer' => []); | 
|  | parse_config(\%data,$acl_git,$acl_branch,"external/$repository_name.acl"); | 
|  |  | 
|  | %data = ( | 
|  | 'user.committer' => $data{'user.committer'}, | 
|  | 'user.memberof' => [], | 
|  | ); | 
|  | parse_config(\%data,$acl_git,$acl_branch,"users/$this_user.acl"); | 
|  |  | 
|  | %user_committer = map {$_ => $_} @{$data{'user.committer'}}; | 
|  | my $rule_key = "repository.$repository_name.allow"; | 
|  | my $rules = $data{$rule_key} || []; | 
|  |  | 
|  | foreach my $group (@{$data{'user.memberof'}}) { | 
|  | my %g; | 
|  | parse_config(\%g,$acl_git,$acl_branch,"groups/$group.acl"); | 
|  | my $group_rules = $g{$rule_key}; | 
|  | push @$rules, @$group_rules if $group_rules; | 
|  | } | 
|  |  | 
|  | RULE: | 
|  | foreach (@$rules) { | 
|  | while (/\${user\.([a-z][a-zA-Z0-9]+)}/) { | 
|  | my $k = lc $1; | 
|  | my $v = $data{"user.$k"}; | 
|  | next RULE unless defined $v; | 
|  | next RULE if @$v != 1; | 
|  | next RULE unless defined $v->[0]; | 
|  | s/\${user\.$k}/$v->[0]/g; | 
|  | } | 
|  |  | 
|  | if (/^([AMD ]+)\s+of\s+([^\s]+)\s+for\s+([^\s]+)\s+diff\s+([^\s]+)$/) { | 
|  | my ($ops, $pth, $ref, $bst) = ($1, $2, $3, $4); | 
|  | $ops =~ s/ //g; | 
|  | $pth =~ s/\\\\/\\/g; | 
|  | $ref =~ s/\\\\/\\/g; | 
|  | push @path_rules, [$ops, $pth, $ref, $bst]; | 
|  | } elsif (/^([AMD ]+)\s+of\s+([^\s]+)\s+for\s+([^\s]+)$/) { | 
|  | my ($ops, $pth, $ref) = ($1, $2, $3); | 
|  | $ops =~ s/ //g; | 
|  | $pth =~ s/\\\\/\\/g; | 
|  | $ref =~ s/\\\\/\\/g; | 
|  | push @path_rules, [$ops, $pth, $ref, $old]; | 
|  | } elsif (/^([CDRU ]+)\s+for\s+([^\s]+)$/) { | 
|  | my $ops = $1; | 
|  | my $ref = $2; | 
|  | $ops =~ s/ //g; | 
|  | $ref =~ s/\\\\/\\/g; | 
|  | push @allow_rules, [$ops, $ref]; | 
|  | } elsif (/^for\s+([^\s]+)$/) { | 
|  | # Mentioned, but nothing granted? | 
|  | } elsif (/^[^\s]+$/) { | 
|  | s/\\\\/\\/g; | 
|  | push @allow_rules, ['U', $_]; | 
|  | } | 
|  | } | 
|  | } | 
|  |  | 
|  | if ($op ne 'D') { | 
|  | $new_type = git_value('cat-file','-t',$new); | 
|  |  | 
|  | if ($ref =~ m,^heads/,) { | 
|  | deny "$ref must be a commit." unless $new_type eq 'commit'; | 
|  | } elsif ($ref =~ m,^tags/,) { | 
|  | deny "$ref must be an annotated tag." unless $new_type eq 'tag'; | 
|  | } | 
|  |  | 
|  | check_committers (all_new_committers); | 
|  | check_committers (all_new_taggers) if $new_type eq 'tag'; | 
|  | } | 
|  |  | 
|  | info "$this_user wants $op for $ref"; | 
|  | foreach my $acl_entry (@allow_rules) { | 
|  | my ($acl_ops, $acl_n) = @$acl_entry; | 
|  | next unless $acl_ops =~ /^[CDRU]+$/; # Uhh.... shouldn't happen. | 
|  | next unless $acl_n; | 
|  | next unless $op =~ /^[$acl_ops]$/; | 
|  | next unless match_string $acl_n, $ref; | 
|  |  | 
|  | # Don't test path rules on branch deletes. | 
|  | # | 
|  | grant "Allowed by: $acl_ops for $acl_n" if $op eq 'D'; | 
|  |  | 
|  | # Aggregate matching path rules; allow if there aren't | 
|  | # any matching this ref. | 
|  | # | 
|  | my %pr; | 
|  | foreach my $p_entry (@path_rules) { | 
|  | my ($p_ops, $p_n, $p_ref, $p_bst) = @$p_entry; | 
|  | next unless $p_ref; | 
|  | push @{$pr{$p_bst}}, $p_entry if match_string $p_ref, $ref; | 
|  | } | 
|  | grant "Allowed by: $acl_ops for $acl_n" unless %pr; | 
|  |  | 
|  | # Allow only if all changes against a single base are | 
|  | # allowed by file path rules. | 
|  | # | 
|  | my @bad; | 
|  | foreach my $p_bst (keys %pr) { | 
|  | my $diff_ref = load_diff $p_bst; | 
|  | deny "Cannot difference trees." unless ref $diff_ref; | 
|  |  | 
|  | my %fd = %$diff_ref; | 
|  | foreach my $p_entry (@{$pr{$p_bst}}) { | 
|  | my ($p_ops, $p_n, $p_ref, $p_bst) = @$p_entry; | 
|  | next unless $p_ops =~ /^[AMD]+$/; | 
|  | next unless $p_n; | 
|  |  | 
|  | foreach my $f_n (keys %fd) { | 
|  | my $f_op = $fd{$f_n}; | 
|  | next unless $f_op; | 
|  | next unless $f_op =~ /^[$p_ops]$/; | 
|  | delete $fd{$f_n} if match_string $p_n, $f_n; | 
|  | } | 
|  | last unless %fd; | 
|  | } | 
|  |  | 
|  | if (%fd) { | 
|  | push @bad, [$p_bst, \%fd]; | 
|  | } else { | 
|  | # All changes relative to $p_bst were allowed. | 
|  | # | 
|  | grant "Allowed by: $acl_ops for $acl_n diff $p_bst"; | 
|  | } | 
|  | } | 
|  |  | 
|  | foreach my $bad_ref (@bad) { | 
|  | my ($p_bst, $fd) = @$bad_ref; | 
|  | print STDERR "\n"; | 
|  | print STDERR "Not allowed to make the following changes:\n"; | 
|  | print STDERR "(base: $p_bst)\n"; | 
|  | foreach my $f_n (sort keys %$fd) { | 
|  | print STDERR "  $fd->{$f_n} $f_n\n"; | 
|  | } | 
|  | } | 
|  | deny "You are not permitted to $op $ref"; | 
|  | } | 
|  | close A; | 
|  | deny "You are not permitted to $op $ref"; |