* [gentoo-commits] repo/gentoo:master commit in: dev-util/kup/, dev-util/kup/files/
@ 2022-04-21 23:43 Robin H. Johnson
0 siblings, 0 replies; only message in thread
From: Robin H. Johnson @ 2022-04-21 23:43 UTC (permalink / raw
To: gentoo-commits
commit: 192b57063e09431f7d1b39c58ab0c137eac680ec
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
AuthorDate: Thu Apr 21 23:43:32 2022 +0000
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Thu Apr 21 23:43:43 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=192b5706
dev-util/kup: add gitolite support from upstream kup & gitolite
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
.../kup/files/kup-server-gitolite-subcmd.patch | 242 +++++++++++++++++++++
dev-util/kup/kup-0.3.6-r1.ebuild | 38 ++++
dev-util/kup/metadata.xml | 6 +
3 files changed, 286 insertions(+)
diff --git a/dev-util/kup/files/kup-server-gitolite-subcmd.patch b/dev-util/kup/files/kup-server-gitolite-subcmd.patch
new file mode 100644
index 000000000000..89ea3ff02bf3
--- /dev/null
+++ b/dev-util/kup/files/kup-server-gitolite-subcmd.patch
@@ -0,0 +1,242 @@
+Upstream kup provided this patch, that was apparently written by the Gitolite
+author.
+
+--- standard/kup-server 2017-03-28 13:01:24.000000000 -0400
++++ gitolite/kup-server 2018-03-26 15:01:20.000000000 -0400
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -T
++#!/usr/bin/perl
+ ## -----------------------------------------------------------------------
+ ##
+ ## Copyright 2011 Intel Corporation; author: H. Peter Anvin
+@@ -68,12 +68,20 @@
+
+ use Digest::SHA;
+
+-my $VERSION = '0.3.6';
+-
+-# Scrub the environment completely
+-%ENV = ('PATH' => '/bin:/usr/bin',
+- 'LANG' => 'C',
+- 'SHELL' => '/bin/false'); # Nothing in this program should shell out
++use lib $ENV{GL_LIBDIR};
++use Gitolite::Easy;
++use Gitolite::Conf::Load;
++
++my $VERSION = '0.3.6 (gitolite integrated)';
++
++# Scrub the environment completely, except gitolite variables and HOME
++{
++ my %env = %ENV;
++ %ENV = ('PATH' => '/bin:/usr/bin',
++ 'LANG' => 'C',
++ 'SHELL' => '/bin/false'); # Nothing in this program should shell out
++ $ENV{$_} = $env{$_} for ('HOME', grep(/^GL_/, keys %env));
++}
+
+ # The standard function to call on bail
+ sub fatal($) {
+@@ -88,16 +96,7 @@
+ }
+
+ sub my_username() {
+- my $whoami = getuid();
+- my ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire) = getpwuid($whoami);
+-
+- if (!defined($name) || $whoami != $uid) {
+- # We haven't called openlog() yet so we need to do it here
+- openlog("kup-server($whoami)", 'ndelay,pid', LOG_LOCAL5);
+- fatal("You don't exist, go away!");
+- }
+-
+- return (defined($name) && $whoami == $uid) ? $name : $whoami;
++ return $ENV{GL_USER};
+ }
+
+ my $user_name = my_username();
+@@ -106,7 +105,7 @@
+
+
+ # Get config values from kup-server.cfg
+-my $cfg_file = '/etc/kup/kup-server.cfg';
++my $cfg_file = '/var/lib/gitolite3/.gitolite/local-code/configs/kup-server.cfg';
+
+ my $cfg = new Config::Simple($cfg_file);
+
+@@ -371,6 +370,51 @@
+ return 1;
+ }
+
++# kup-server may "read" files from the kup data_path, or repos. If a repo is
++# supplied, we assume it's a gitolite repo and check access accordingly (while
++# remembering that kup seems to add a leading slash). If a repo is *not*
++# supplied, we assume we're talking about the kup data_path, which means we
++# make gitolite access rules from the "fake" repo called "@kup-server"
++sub read_allowed
++{
++ Gitolite::Common::trace( 1, 'read_allowed', @_ );
++ my $repo = shift || '@kup-server';
++
++ # gitolite expects a "normalised" repo name; no leading slash, no trailing ".git"
++ $repo =~ s(^/)(); $repo =~ s/\.git$//;
++
++ return can_read($repo);
++}
++
++# kup-server does not write to normal repos, it only writes to files in the
++# kup data_path. So we don't have to worry about any repo other than
++# "@kup-server", which is therefore hardcoded in here.
++sub write_allowed
++{
++ Gitolite::Common::trace( 1, 'write_allowed', @_ );
++ my($path, $perm) = @_;
++
++ # other values for perm are + (rm) and C (mkdir), analogous to gitolite's
++ # "+ means delete or rewind branch, C means create branch"
++ $perm ||= 'W';
++
++ my $repo = '@kup-server';
++
++ # the paths that gitolite expects start with "refs/heads/", since we are
++ # simply re-using the existing ACL for this. (But remember $path, in
++ # kup-land, already starts with a "/".)
++ $path = "refs/heads" . $path;
++
++ return can_write($repo, $perm, $path) ||
++ can_write($repo, $perm, "$path/");
++ # the second check is because, when specifying a permission on a directory
++ # in gitolite, you end with a "/", say "RW+C foo/ = user". To exercise
++ # that right, the user runs "kup mkdir foo" or "kup rm foo". This fails,
++ # because the regex "foo/" won't match. (In a *git* repo it doesn't
++ # matter, because git doesn't allow empty directories, so it never
++ # happens).
++}
++
+ # Return a percentage, valid even if the denominator is zero
+ sub percentage($$)
+ {
+@@ -526,6 +570,10 @@
+ fatal("Invalid pathname in TAR command");
+ }
+
++ if (!read_allowed($tree)) {
++ fatal("Read access denied");
++ }
++
+ if (!is_clean_string($prefix)) {
+ fatal("Invalid prefix string");
+ }
+@@ -569,6 +617,10 @@
+ fatal("Invalid pathname in DIFF command");
+ }
+
++ if (!read_allowed($tree)) {
++ fatal("Read access denied");
++ }
++
+ if ($tree !~ /\.git$/ || ! -d $git_path.$tree ||
+ ! -d $git_path.$tree.'/objects') {
+ fatal("No such git tree");
+@@ -788,8 +840,13 @@
+ or fatal("dup error");
+ close($devnull);
+
++ my $gpgvbin = '/opt/gnupg22/bin/gpgv';
++ if ( ! -x $gpgvbin) {
++ $gpgvbin = '/usr/bin/gpgv';
++ }
++
+ my $status =
+- system('/usr/bin/gpgv',
++ system($gpgvbin,
+ '--quiet',
+ '--homedir', $tmpdir,
+ '--keyring', $pgp_path."/${user_name}.gpg",
+@@ -839,6 +896,10 @@
+ fatal("Invalid filename in PUT command");
+ }
+
++ if (!write_allowed($file)) {
++ fatal("Write access denied");
++ }
++
+ my @install_ext;
+ my @conflic_ext;
+ my $stem;
+@@ -917,6 +978,10 @@
+ fatal("Invalid filename in MKDIR command");
+ }
+
++ if (!write_allowed($file, 'C')) {
++ fatal("MKDIR access denied");
++ }
++
+ my @badext = ('.sign', keys(%zformats));
+
+ foreach my $e (@badext) {
+@@ -991,6 +1056,16 @@
+ fatal("Invalid filename in $cmd command");
+ }
+
++ if ($cmd eq 'MOVE') {
++ if (!write_allowed($from, '+')) {
++ fatal("Delete (as part of MOVE) access denied");
++ }
++ }
++
++ if (!write_allowed($to)) {
++ fatal("Write access denied");
++ }
++
+ if ($from =~ /\.gz$/) {
+ if ($to !~ /\.gz$/) {
+ fatal("$cmd of .gz file must itself end in .gz");
+@@ -1093,6 +1168,10 @@
+ fatal("Invalid pathname in DELETE command");
+ }
+
++ if (!write_allowed($file, "+")) {
++ fatal("Delete access denied");
++ }
++
+ if ($file !~ /\.gz$/ &&
+ has_extension($file, '.sign', keys(%zformats))) {
+ fatal("DELETE of auxiliary files not supported");
+@@ -1222,6 +1301,10 @@
+
+ my($dir) = @args;
+
++ if (!read_allowed()) {
++ fatal("Read access denied");
++ }
++
+ # DIR / is permitted unlike any other command
+ $dir =~ s:/$::g;
+ if ($dir ne '' && !is_valid_filename($dir)) {
+@@ -1261,7 +1344,25 @@
+
+ sub do_info()
+ {
+- print "kup-server $VERSION\n";
++ print "kup-server $VERSION\n\n";
++
++ my %xlat = (
++ R => 'ls',
++ RW => 'put',
++ 'RW+' => 'put/rm/mv',
++ 'RWC' => 'put/mkdir',
++ 'RW+C' => 'put/rm/mv/mkdir',
++ '-' => '(denied)',
++ );
++ Gitolite::Conf::Load::load('@kup-server');
++ my @rules = Gitolite::Conf::Load::rules('@kup-server', $ENV{GL_USER});
++ for my $r (@rules) {
++ my ($dummy, $perm, $ref) = @$r;
++ $ref =~ s(^refs/heads/)();
++ $ref =~ s(/USER/)(/$ENV{GL_USER}/);
++ $ref = ($ref eq 'refs/.*') ? '/*' : '/' . $ref . '*';
++ printf "%-24s %s\n", ($xlat{$perm} || $perm), $ref;
++ }
+ }
+
+ sub get_command()
diff --git a/dev-util/kup/kup-0.3.6-r1.ebuild b/dev-util/kup/kup-0.3.6-r1.ebuild
new file mode 100644
index 000000000000..2dbef2793236
--- /dev/null
+++ b/dev-util/kup/kup-0.3.6-r1.ebuild
@@ -0,0 +1,38 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="kernel.org uploader tool"
+HOMEPAGE="https://www.kernel.org/pub/software/network/kup"
+SRC_URI="https://www.kernel.org/pub/software/network/kup/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+RDEPEND="
+ dev-lang/perl
+ dev-perl/BSD-Resource
+ dev-perl/Config-Simple"
+IUSE='gitolite'
+
+DOCS=( README )
+
+src_prepare() {
+ if use gitolite; then
+ cp -f "${S}/${PN}-server" "${S}/${PN}-server-gitolite"
+ patch "${S}/${PN}-server-gitolite" <"${FILESDIR}"/${PN}-server-gitolite-subcmd.patch || die
+ fi
+ default
+}
+
+src_install() {
+ dobin "${PN}" "${PN}-server" gpg-sign-all
+ doman "${PN}.1"
+ einstalldocs
+ if use gitolite; then
+ exeinto /usr/libexec/gitolite/commands/
+ newexe ${PN}-server-gitolite ${PN}-server
+ fi
+}
diff --git a/dev-util/kup/metadata.xml b/dev-util/kup/metadata.xml
index 2e859f1becb2..5a770bec41a7 100644
--- a/dev-util/kup/metadata.xml
+++ b/dev-util/kup/metadata.xml
@@ -4,4 +4,10 @@
<maintainer type="person">
<email>monsieurp@gentoo.org</email>
</maintainer>
+ <upstream>
+ <remote-id type="github">mricon/kup</remote-id>
+ </upstream>
+ <use>
+ <flag name="gitolite">Enable support for dev-vcs/gitolite in kup-server</flag>
+ </use>
</pkgmetadata>
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-04-21 23:43 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-04-21 23:43 [gentoo-commits] repo/gentoo:master commit in: dev-util/kup/, dev-util/kup/files/ Robin H. Johnson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox