From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1PpO0y-0004kO-7P for garchives@archives.gentoo.org; Tue, 15 Feb 2011 16:44:36 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6EFD4E08D3; Tue, 15 Feb 2011 16:42:09 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 1BBDAE08D3 for ; Tue, 15 Feb 2011 16:42:09 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 837571B4148 for ; Tue, 15 Feb 2011 16:42:08 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id E05EC8006D for ; Tue, 15 Feb 2011 16:42:07 +0000 (UTC) From: "Christian Ruppert" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Christian Ruppert" Message-ID: Subject: [gentoo-commits] proj/gitolite-gentoo:t/export-key-metadata commit in: / X-VCS-Repository: proj/gitolite-gentoo X-VCS-Committer: idl0r X-VCS-Committer-Name: Christian Ruppert X-VCS-Revision: e24d0debc5565599c4eef70f6a3be602977d0f02 Date: Tue, 15 Feb 2011 16:42:07 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: a60cc99be230958911cf6f9c087c5b72 commit: e24d0debc5565599c4eef70f6a3be602977d0f02 Author: Christian Ruppert gentoo org> AuthorDate: Tue Feb 15 16:35:55 2011 +0000 Commit: Christian Ruppert gentoo org> CommitDate: Tue Feb 15 16:35:55 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/gitolite-gent= 
oo.git;a=3Dcommit;h=3De24d0deb Merge commit 'refs/top-bases/t/export-key-metadata' into t/export-key-met= adata Conflicts: conf/example.gitolite.rc src/gl-auth-command conf/example.conf | 3 - conf/example.gitolite.rc | 334 +++------------= ----- contrib/adc/get-rights-and-owner.in-perl | 41 +++ contrib/ldap/README.mkd | 18 ++ contrib/ldap/ldap-query-example.pl | 80 +++++ contrib/ldap/ldap-query-example.sh | 68 +++++ contrib/ldap/passwd | 112 +++++++ doc/CHANGELOG | 22 ++ doc/big-config.mkd | 229 ++++++++++---- doc/delegation.mkd | 2 +- doc/gitolite.rc.mkd | 332 +++++++++++++++= +++++ doc/install-transcript.mkd | 2 +- doc/overkill.mkd | 8 +- doc/progit-article.mkd | 2 +- doc/ssh-troubleshooting.mkd | 2 +- doc/who-uses-it.mkd | 5 + src/gitolite.pm | 124 +++++---- src/gl-auth-command | 14 +- src/gl-compile-conf | 164 +++++++---- t/out/t01-repo-groups.1 | 2 +- t/out/t01-repo-groups.1b | 2 +- t/out/{t01-repo-groups.1b =3D> t01-repo-groups.1bs} | 33 ++- t/out/t01-repo-groups.2 | 28 ++- t/out/t02-user-groups.1 | 2 +- t/out/t02-user-groups.1b | 2 +- t/out/{t02-user-groups.1b =3D> t02-user-groups.1bs} | 35 +-- t/out/t02-user-groups.2 | 2 +- t/out/{t02-user-groups.2 =3D> t02-user-groups.2bs} | 49 ++-- t/t01-repo-groups | 6 +- t/t02-user-groups | 8 +- t/t59-repo-not-on-disk | 12 +- t/test-driver.sh | 7 + 32 files changed, 1198 insertions(+), 552 deletions(-) diff --cc conf/example.gitolite.rc index 211b7cb,9ee7840..6f57994 --- a/conf/example.gitolite.rc +++ b/conf/example.gitolite.rc @@@ -61,260 -14,65 +14,73 @@@ $GL_ADMINDIR=3D$ENV{HOME} . "/.gitolite" $GL_CONF=3D"$GL_ADMINDIR/conf/gitolite.conf"; $GL_KEYDIR=3D"$GL_ADMINDIR/keydir"; $GL_CONF_COMPILED=3D"$GL_ADMINDIR/conf/gitolite.conf-compiled.pm"; + # DO NOT CHANGE THE NEXT TWO LINES UNLESS YOU REALLY KNOW WHAT YOU'RE D= OING. + # These variables are set automatically by the install method you choos= e. 
+ # $GL_PACKAGE_CONF =3D ""; + # $GL_PACKAGE_HOOKS =3D ""; =20 - # -------------------------------------- -=20 - # if git on your server is on a standard path (that is - # ssh git@server git --version - # works), leave this setting as is. Otherwise, choose one of the - # alternatives, or write your own -=20 - $GIT_PATH=3D""; - # $GIT_PATH=3D"/opt/bin/"; -=20 - # -------------------------------------- -=20 - # ---------------------------------------------------------------------= - - # BIG CONFIG SETTINGS -=20 - # Please read doc/big-config.mkd for details + # ---------------------------------------------------------------------= --------- + # most often used/changed variables + # ---------------------------------------------------------------------= --------- + $GL_WILDREPOS =3D 0; + $PROJECTS_LIST =3D $ENV{HOME} . "/projects.list"; + $REPO_UMASK =3D 0077; =20 + # ---------------------------------------------------------------------= --------- + # variables with an efficiency impact + # ---------------------------------------------------------------------= --------- $GL_BIG_CONFIG =3D 0; $GL_NO_DAEMON_NO_GITWEB =3D 0; - $GL_NO_CREATE_REPOS =3D 0; - $GL_NO_SETUP_AUTHKEYS =3D 0; -=20 - # ---------------------------------------------------------------------= - - # SECURITY SENSITIVE SETTINGS - # - # Settings below this point may have security implications. That - # usually means that I have not thought hard enough about all the - # possible ways to crack security if these settings are enabled. -=20 - # Please see details on each setting for specifics, if any. - # ---------------------------------------------------------------------= - -=20 =20 +# Define which metadata variables shall be exported to the gitolite env= ironment. +# Those variables can be used in hooks, e.g. for cia.vc +# A pubkey file might contain one or more of those variable. +# They can be defined by e.g:"# git-username: idl0r" +# Each '-' (dash) will be replaced by an '_' (underscore). 
- @GL_METADATA =3D ( "git-username", "git-email", "git-realname", "git-re= alname-ascii", "cia-vc-username" ); - @GL_METADATA_REQUIRED =3D ( "git-username", "git-email", "git-realname"= ); -=20 - # -------------------------------------- - # ALLOW REPO ADMIN TO SET GITCONFIG KEYS - # - # Gitolite allows you to set git repo options using the "config" keywor= d; see - # conf/example.conf for details and syntax. - # - # However, if you are in an installation where the repo admin does not = (and - # should not) have shell access to the server, then allowing him to set - # arbitrary repo config options *may* be a security risk -- some config - # settings may allow executing arbitrary commands. - # - # You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, whi= ch - # completely disables this feature (meaning you cannot set git configs = from - # the repo config). -=20 ++#@GL_METADATA =3D ( "git-username", "git-email", "git-realname", "git-r= ealname-ascii", "cia-vc-username" ); ++#@GL_METADATA_REQUIRED =3D ( "git-username", "git-email", "git-realname= " ); ++ + # ---------------------------------------------------------------------= --------- + # VARIABLES WITH A SECURITY IMPACT. READ DOC WELL BEFORE CHANGING THES= E. + # http://github.com/sitaramc/gitolite/blob/pu/doc/gitolite.rc.mkd#_vari= ables_with_a_security_impact + # ---------------------------------------------------------------------= --------- + # $GL_ALL_READ_ALL =3D 0; + $GIT_PATH=3D""; $GL_GITCONFIG_KEYS =3D ""; -=20 - # The second choice is to give it a space separated list of settings yo= u - # consider safe. (These are actually treated as a set of regular expre= ssion - # patterns, and any one of them must match). 
For example: - # $GL_GITCONFIG_KEYS =3D "core\.logAllRefUpdates core\..*compression"; - # allows repo admins to set one of those 3 config keys (yes, that secon= d - # pattern matches two settings from "man git-config", if you look) - # - # The third choice (which you may have guessed already if you're famili= ar with - # regular expressions) is to allow anything and everything: - # $GL_GITCONFIG_KEYS =3D ".*"; -=20 - # NOTE that due to some quoting and interpolation issues I have not bee= n able - # to look at, a literal "." needs to be specified in this string as \\.= (two - # backslashes and a dot). So this is how you'd allow any keys in the "= foo" - # category: - # $GL_GITCONFIG_KEYS =3D "foo\\..*"; -=20 - # -------------------------------------- - # ALLOW GITCONFIG KEYS EVEN FOR WILD REPOS - # - # This is an efficiency issue more than a security issue, since this re= quires - # trawling through all of $REPO_BASE looking for stuff :) -=20 # $GL_GITCONFIG_WILD =3D 0; -=20 - # -------------------------------------- - # EXTERNAL COMMAND HELPER -- HTPASSWD -=20 - # security note: runs an external command (htpasswd) with specific argu= ments, - # including a user-chosen "password". -=20 - # if you want to enable the "htpasswd" command, give this the absolute = path to - # whatever file apache (etc) expect to find the passwords in. -=20 + $GL_NO_CREATE_REPOS =3D 0; + $GL_NO_SETUP_AUTHKEYS =3D 0; + # $GL_WILDREPOS_DEFPERMS =3D 'R @all'; $HTPASSWD_FILE =3D ""; -=20 - # Look in doc/3 ("easier to link gitweb authorisation with gitolite" se= ction) - # for more details on using this feature. -=20 - # -------------------------------------- - # EXTERNAL COMMAND HELPER -- RSYNC -=20 - # security note: runs an external command (rsync) with specific argumen= ts, all - # presumably filled in correctly by the client-side rsync. -=20 - # base path of all the files that are accessible via rsync. Must be an - # absolute path. 
Leave it undefined or set to the empty string to disa= ble the - # rsync helper. -=20 $RSYNC_BASE =3D ""; -=20 - # $RSYNC_BASE =3D "/home/git/up-down"; - # $RSYNC_BASE =3D "/tmp/up-down"; -=20 - # -------------------------------------- - # EXTERNAL COMMAND HELPER -- SVNSERVE -=20 - # security note: runs an external command (svnserve) with specific argu= ments, - # as specified below. %u is substituted with the username. -=20 - # This setting allows launching svnserve when requested by the ssh clie= nt. - # This allows using the same SSH setup (hostname/username/public key) f= or both - # SVN and git access. Leave it undefined or set to the empty string to = disable - # svnserve access. -=20 $SVNSERVE =3D ""; - # $SVNSERVE =3D "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=3D%u"; -=20 - # -------------------------------------- - # ALLOW REPO CONFIG TO USE WILDCARDS -=20 - # security note: this used to in a separate "wildrepos" branch. You ca= n - # create repositories based on wild cards, give "ownership" to the spec= ific - # user who created it, allow him/her to hand out R and RW permissions t= o other - # users to collaborate, etc. This is powerful stuff, and I've made it = as - # secure as I can, but it hasn't had the kind of rigorous line-by-line - # analysis that the old "master" branch had. -=20 - # This has now been rolled into master, with all the functionality gate= d by - # this variable. Set this to 1 if you want to enable the wildrepos fea= tures. - # Please see doc/wildcard-repositories.mkd for details. -=20 - $GL_WILDREPOS =3D 0; -=20 - # -------------------------------------- - # DEFAULT WILDCARD PERMISSIONS -=20 - # If set, this value will be used as the default user-level permission = rule of - # new wildcard repositories. The user can change this value with the se= tperms command - # as desired after repository creation; it is only a default. 
Note that= @all can be - # used here but is special; no other groups can be used in user-level p= ermissions. -=20 - # $GL_WILDREPOS_DEFPERMS =3D 'R @all'; -=20 - # -------------------------------------- - # WILDREPOS PERMS CATEGORIES -=20 - # Originally, we only allowed "R" and "RW" in the setperms command. No= w we - # allow the admin to define other categories as she wishes (example: MA= NAGERS, - # TESTERS, etc). -=20 - # This variable is a space-sep list of the allowed categories. -=20 - # PLEASE, *PLEASE*, read the section in doc/wildcard-repositories.mkd f= or - # caveats and warnings. This is a VERY powerful feature and if you're = not - # careful you could mess up the ACLs nicely. -=20 - # this is the internal default if you don't set it (like if you didn't = update - # your ~/.gitolite.rc with new variables when you upgraded gitolite): - $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS"; -=20 - # you can use your own categories in addition to the standard ones; I s= uggest - # you include READERS and WRITERS for backward compat though: - # $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS MANAGERS"; - # $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS MANAGERS TESTERS"; -=20 - # -------------------------------------- - # HOOK CHAINING -=20 - # by default, the update hook in every repo chains to "update.secondary= ". - # Similarly, the post-update hook in the admin repo chains to - # "post-update.secondary". If you're fine with the defaults, there's n= o need - # to do anything here. However, if you want to use different names or = paths, - # change these variables -=20 # $UPDATE_CHAINS_TO =3D "hooks/update.secondary"; # $ADMIN_POST_UPDATE_CHAINS_TO =3D "hooks/post-update.secondary"; -=20 - # -------------------------------------- - # ADMIN DEFINED COMMANDS -=20 - # WARNING: Use this feature only if (a) you really really know what you= 're - # doing or (b) you really don't care too much about security. Please r= ead - # doc/admin-defined-commands.mkd for details. 
-=20 # $GL_ADC_PATH =3D ""; + # $GL_GET_MEMBERSHIPS_PGM =3D "/usr/local/bin/expand-ldap-user-to-group= s" =20 - # -------------------------------------- - # SITE-SPECIFIC INFORMATION -=20 - # Some installations would like to give their users customised informat= ion - # (like a link to their own websites, for example) so that each end use= r does - # not have to grok all the gitolite documentation. -=20 - # If this variable is defined, the "info" command will print it at the = end of - # the listing. + # ---------------------------------------------------------------------= --------- + # less used/changed variables + # ---------------------------------------------------------------------= --------- + # $GL_ALL_INCLUDES_SPECIAL =3D 0; + # $GL_SLAVE_MODE =3D 0; + # $ENV{GL_SLAVES} =3D 'gitolite@server2 gitolite@server3'; + # PLEASE USE SINGLE QUOTES ABOVE, NOT DOUBLE QUOTES + $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS"; =20 - # $GL_SITE_INFO =3D ""; + # ---------------------------------------------------------------------= --------- + # rarely changed variables + # ---------------------------------------------------------------------= --------- + $GL_LOGT=3D"$GL_ADMINDIR/logs/gitolite-%y-%m.log"; + # $GL_PERFLOGT=3D"$GL_ADMINDIR/logs/perf-gitolite-%y-%m.log"; # $GL_SITE_INFO =3D "XYZ.COM DEVELOPERS: PLEASE SEE http://xyz.com/gito= lite/help first"; =20 - # -------------------------------------- - # USERGROUP HANDLING -=20 - # Some sites would like to store group membership outside gitolite, bec= ause - # they already have it in (usually) their LDAP server, and it doesn't m= ake - # sense to be forced to duplicate this information. -=20 - # Set the following variable to the name of a script that, given a user= name as - # argument, will return a list of groups that she is a member of. 
-=20 - # $GL_GET_MEMBERSHIPS_PGM =3D "/usr/local/bin/expand-ldap-user-to-group= s" + # ---------------------------------------------------------------------= --------- + # variables that should NOT be changed after the install step completes + # ---------------------------------------------------------------------= --------- + $REPO_BASE=3D"repositories"; =20 - # -------------------------------------- + # ---------------------------------------------------------------------= --------- # per perl rules, this should be the last line in such a file: 1; =20 diff --cc src/gitolite.pm index 7a36858,64bab29..83bf535 --- a/src/gitolite.pm +++ b/src/gitolite.pm @@@ -43,12 -43,17 +43,17 @@@ our $REPOPATT_PATT=3Dqr(^\@?[0-9a-zA-Z[][ our $ADC_CMD_ARGS_PATT=3Dqr(^[0-9a-zA-Z._\@/+:-]*$); =20 # these come from the RC file -our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $= REPO_BASE, $GL_CONF_COMPILED, $GL_BIG_CONFIG, $GL_PERFLOGT, $PROJECTS_LIS= T, $GL_ALL_INCLUDES_SPECIAL, $GL_SITE_INFO, $GL_GET_MEMBERSHIPS_PGM, $GL_= WILDREPOS_PERM_CATS, $GL_KEYDIR, @GL_METADATA); +our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $= REPO_BASE, $GL_CONF_COMPILED, $GL_BIG_CONFIG, $GL_PERFLOGT, $PROJECTS_LIS= T, $GL_ALL_INCLUDES_SPECIAL, $GL_SITE_INFO, $GL_GET_MEMBERSHIPS_PGM, $GL_= WILDREPOS_PERM_CATS, $GL_KEYDIR, @GL_METADATA, @GL_METADATA_REQUIRED); our %repos; our %groups; - our %repo_config; + our %git_configs; + our %split_conf;; our $data_version; - our $current_data_version =3D '1.6'; + our $current_data_version =3D '1.7'; +=20 + # the following are read in from individual repo's gl-conf files, if pr= esent + our %one_repo; + our %one_git_config; =20 # ---------------------------------------------------------------------= ------- # convenience subs diff --cc src/gl-auth-command index dffdb62,1af4232..9bfca63 --- a/src/gl-auth-command +++ b/src/gl-auth-command @@@ -32,7 -32,7 +32,7 @@@ use warnings # 
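Review bot: The kept comment block starting `+# Define which metadata variables shall be exported to the gitolite environment.` now sits above definitions that the merge leaves commented out (`++#@GL_METADATA = ...`, `++#@GL_METADATA_REQUIRED = ...`), so it describes a feature the example rc no longer turns on, and it does not say where the values come from or who controls them. The comment says the values are taken from `# git-username: ...` lines in the pubkey files, and a keydir pubkey is whatever the last push to the admin repo contained, so these are admin-repo-writer controlled strings handed to hooks; from this hunk alone I cannot see whether they are validated before export. I would add, after `# Each '-' (dash) will be replaced by an '_' (underscore).`, the lines `# Export is off unless @GL_METADATA is set. Values are taken from the pubkey files, i.e. from` / `# whoever can push to the admin repo; hooks must treat them as untrusted input and` / `# never use them for access decisions.` The comment block also sits between the "efficiency impact" section and the "VARIABLES WITH A SECURITY IMPACT" heading without a heading of its own, which is worth fixing while touching it.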
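Review bot: `+ our %split_conf;;` carries a doubled semicolon; Perl accepts the empty statement, but it reads like a leftover from the conflict resolution and should be `our %split_conf;`. The rest of the hunk is consistent: the `our (...)` list now declares `@GL_METADATA_REQUIRED` next to `@GL_METADATA`, matching the (commented-out) example rc, and `$current_data_version` moves to '1.7' with the new per-repo `%one_repo` / `%one_git_config` globals.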
---------------------------------------------------------------------= ------- =20 # these are set by the "rc" file - our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $= GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DE= FPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE, $GL_PERF= LOGT, @GL_METADATA); -our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $= GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DE= FPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE, $GL_PERF= LOGT, $GL_ALL_READ_ALL); ++our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $= GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DE= FPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE, $GL_PERF= LOGT, $GL_ALL_READ_ALL, @GL_METADATA); # and these are set by gitolite.pm our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT, $ADC_CMD= _ARGS_PATT); our %repos; From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Ppjxp-0004r2-3m for garchives@archives.gentoo.org; Wed, 16 Feb 2011 16:10:49 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E079B1C01F; Wed, 16 Feb 2011 16:07:41 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 6C7FE1C01F for ; Wed, 16 Feb 2011 16:07:41 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6A5FF1B419B for ; Wed, 16 Feb 2011 16:07:40 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id BC0FA80079 for ; Wed, 16 Feb 2011 16:07:39 +0000 (UTC) 
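Review bot: The resolved `++our (...)` line adds `@GL_METADATA` but not `@GL_METADATA_REQUIRED`, whereas src/gitolite.pm in the same merge declares both. If gl-auth-command is where the required-metadata check runs (the hunk does not show that, only `use warnings` is visible in its header), an undeclared array would fail at compile time under strict; if the check lives in gitolite.pm this is fine but should say so. Either append `, @GL_METADATA_REQUIRED` to the list or put `# @GL_METADATA_REQUIRED is enforced in gitolite.pm, not here` above it, so the next merge does not reintroduce the conflict.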
From: "Christian Ruppert" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Christian Ruppert" Message-ID: Subject: [gentoo-commits] proj/gitolite-gentoo:master commit in: / X-VCS-Repository: proj/gitolite-gentoo X-VCS-Committer: idl0r X-VCS-Committer-Name: Christian Ruppert X-VCS-Revision: e24d0debc5565599c4eef70f6a3be602977d0f02 Date: Wed, 16 Feb 2011 16:07:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 2236de34e91b0343c26ffa3bae271abd Message-ID: <20110216160739.hzoHTn_azgllBeQ5Z91UPAciRddoEQjhQrHmiNmW2Ng@z> commit: e24d0debc5565599c4eef70f6a3be602977d0f02 Author: Christian Ruppert gentoo org> AuthorDate: Tue Feb 15 16:35:55 2011 +0000 Commit: Christian Ruppert gentoo org> CommitDate: Tue Feb 15 16:35:55 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/gitolite-gent= oo.git;a=3Dcommit;h=3De24d0deb Merge commit 'refs/top-bases/t/export-key-metadata' into t/export-key-met= adata Conflicts: conf/example.gitolite.rc src/gl-auth-command conf/example.conf | 3 - conf/example.gitolite.rc | 334 +++------------= ----- contrib/adc/get-rights-and-owner.in-perl | 41 +++ contrib/ldap/README.mkd | 18 ++ contrib/ldap/ldap-query-example.pl | 80 +++++ contrib/ldap/ldap-query-example.sh | 68 +++++ contrib/ldap/passwd | 112 +++++++ doc/CHANGELOG | 22 ++ doc/big-config.mkd | 229 ++++++++++---- doc/delegation.mkd | 2 +- doc/gitolite.rc.mkd | 332 +++++++++++++++= +++++ doc/install-transcript.mkd | 2 +- doc/overkill.mkd | 8 +- doc/progit-article.mkd | 2 +- doc/ssh-troubleshooting.mkd | 2 +- doc/who-uses-it.mkd | 5 + src/gitolite.pm | 124 +++++---- src/gl-auth-command | 14 +- src/gl-compile-conf | 164 +++++++---- t/out/t01-repo-groups.1 | 2 +- t/out/t01-repo-groups.1b | 2 +- t/out/{t01-repo-groups.1b =3D> 
t01-repo-groups.1bs} | 33 ++- t/out/t01-repo-groups.2 | 28 ++- t/out/t02-user-groups.1 | 2 +- t/out/t02-user-groups.1b | 2 +- t/out/{t02-user-groups.1b =3D> t02-user-groups.1bs} | 35 +-- t/out/t02-user-groups.2 | 2 +- t/out/{t02-user-groups.2 =3D> t02-user-groups.2bs} | 49 ++-- t/t01-repo-groups | 6 +- t/t02-user-groups | 8 +- t/t59-repo-not-on-disk | 12 +- t/test-driver.sh | 7 + 32 files changed, 1198 insertions(+), 552 deletions(-) diff --cc conf/example.gitolite.rc index 211b7cb,9ee7840..6f57994 --- a/conf/example.gitolite.rc +++ b/conf/example.gitolite.rc @@@ -61,260 -14,65 +14,73 @@@ $GL_ADMINDIR=3D$ENV{HOME} . "/.gitolite" $GL_CONF=3D"$GL_ADMINDIR/conf/gitolite.conf"; $GL_KEYDIR=3D"$GL_ADMINDIR/keydir"; $GL_CONF_COMPILED=3D"$GL_ADMINDIR/conf/gitolite.conf-compiled.pm"; + # DO NOT CHANGE THE NEXT TWO LINES UNLESS YOU REALLY KNOW WHAT YOU'RE D= OING. + # These variables are set automatically by the install method you choos= e. + # $GL_PACKAGE_CONF =3D ""; + # $GL_PACKAGE_HOOKS =3D ""; =20 - # -------------------------------------- -=20 - # if git on your server is on a standard path (that is - # ssh git@server git --version - # works), leave this setting as is. Otherwise, choose one of the - # alternatives, or write your own -=20 - $GIT_PATH=3D""; - # $GIT_PATH=3D"/opt/bin/"; -=20 - # -------------------------------------- -=20 - # ---------------------------------------------------------------------= - - # BIG CONFIG SETTINGS -=20 - # Please read doc/big-config.mkd for details + # ---------------------------------------------------------------------= --------- + # most often used/changed variables + # ---------------------------------------------------------------------= --------- + $GL_WILDREPOS =3D 0; + $PROJECTS_LIST =3D $ENV{HOME} . 
"/projects.list"; + $REPO_UMASK =3D 0077; =20 + # ---------------------------------------------------------------------= --------- + # variables with an efficiency impact + # ---------------------------------------------------------------------= --------- $GL_BIG_CONFIG =3D 0; $GL_NO_DAEMON_NO_GITWEB =3D 0; - $GL_NO_CREATE_REPOS =3D 0; - $GL_NO_SETUP_AUTHKEYS =3D 0; -=20 - # ---------------------------------------------------------------------= - - # SECURITY SENSITIVE SETTINGS - # - # Settings below this point may have security implications. That - # usually means that I have not thought hard enough about all the - # possible ways to crack security if these settings are enabled. -=20 - # Please see details on each setting for specifics, if any. - # ---------------------------------------------------------------------= - -=20 =20 +# Define which metadata variables shall be exported to the gitolite env= ironment. +# Those variables can be used in hooks, e.g. for cia.vc +# A pubkey file might contain one or more of those variable. +# They can be defined by e.g:"# git-username: idl0r" +# Each '-' (dash) will be replaced by an '_' (underscore). - @GL_METADATA =3D ( "git-username", "git-email", "git-realname", "git-re= alname-ascii", "cia-vc-username" ); - @GL_METADATA_REQUIRED =3D ( "git-username", "git-email", "git-realname"= ); -=20 - # -------------------------------------- - # ALLOW REPO ADMIN TO SET GITCONFIG KEYS - # - # Gitolite allows you to set git repo options using the "config" keywor= d; see - # conf/example.conf for details and syntax. - # - # However, if you are in an installation where the repo admin does not = (and - # should not) have shell access to the server, then allowing him to set - # arbitrary repo config options *may* be a security risk -- some config - # settings may allow executing arbitrary commands. - # - # You have 3 choices. 
By default $GL_GITCONFIG_KEYS is left empty, whi= ch - # completely disables this feature (meaning you cannot set git configs = from - # the repo config). -=20 ++#@GL_METADATA =3D ( "git-username", "git-email", "git-realname", "git-r= ealname-ascii", "cia-vc-username" ); ++#@GL_METADATA_REQUIRED =3D ( "git-username", "git-email", "git-realname= " ); ++ + # ---------------------------------------------------------------------= --------- + # VARIABLES WITH A SECURITY IMPACT. READ DOC WELL BEFORE CHANGING THES= E. + # http://github.com/sitaramc/gitolite/blob/pu/doc/gitolite.rc.mkd#_vari= ables_with_a_security_impact + # ---------------------------------------------------------------------= --------- + # $GL_ALL_READ_ALL =3D 0; + $GIT_PATH=3D""; $GL_GITCONFIG_KEYS =3D ""; -=20 - # The second choice is to give it a space separated list of settings yo= u - # consider safe. (These are actually treated as a set of regular expre= ssion - # patterns, and any one of them must match). For example: - # $GL_GITCONFIG_KEYS =3D "core\.logAllRefUpdates core\..*compression"; - # allows repo admins to set one of those 3 config keys (yes, that secon= d - # pattern matches two settings from "man git-config", if you look) - # - # The third choice (which you may have guessed already if you're famili= ar with - # regular expressions) is to allow anything and everything: - # $GL_GITCONFIG_KEYS =3D ".*"; -=20 - # NOTE that due to some quoting and interpolation issues I have not bee= n able - # to look at, a literal "." needs to be specified in this string as \\.= (two - # backslashes and a dot). 
So this is how you'd allow any keys in the "= foo" - # category: - # $GL_GITCONFIG_KEYS =3D "foo\\..*"; -=20 - # -------------------------------------- - # ALLOW GITCONFIG KEYS EVEN FOR WILD REPOS - # - # This is an efficiency issue more than a security issue, since this re= quires - # trawling through all of $REPO_BASE looking for stuff :) -=20 # $GL_GITCONFIG_WILD =3D 0; -=20 - # -------------------------------------- - # EXTERNAL COMMAND HELPER -- HTPASSWD -=20 - # security note: runs an external command (htpasswd) with specific argu= ments, - # including a user-chosen "password". -=20 - # if you want to enable the "htpasswd" command, give this the absolute = path to - # whatever file apache (etc) expect to find the passwords in. -=20 + $GL_NO_CREATE_REPOS =3D 0; + $GL_NO_SETUP_AUTHKEYS =3D 0; + # $GL_WILDREPOS_DEFPERMS =3D 'R @all'; $HTPASSWD_FILE =3D ""; -=20 - # Look in doc/3 ("easier to link gitweb authorisation with gitolite" se= ction) - # for more details on using this feature. -=20 - # -------------------------------------- - # EXTERNAL COMMAND HELPER -- RSYNC -=20 - # security note: runs an external command (rsync) with specific argumen= ts, all - # presumably filled in correctly by the client-side rsync. -=20 - # base path of all the files that are accessible via rsync. Must be an - # absolute path. Leave it undefined or set to the empty string to disa= ble the - # rsync helper. -=20 $RSYNC_BASE =3D ""; -=20 - # $RSYNC_BASE =3D "/home/git/up-down"; - # $RSYNC_BASE =3D "/tmp/up-down"; -=20 - # -------------------------------------- - # EXTERNAL COMMAND HELPER -- SVNSERVE -=20 - # security note: runs an external command (svnserve) with specific argu= ments, - # as specified below. %u is substituted with the username. -=20 - # This setting allows launching svnserve when requested by the ssh clie= nt. - # This allows using the same SSH setup (hostname/username/public key) f= or both - # SVN and git access. 
Leave it undefined or set to the empty string to = disable - # svnserve access. -=20 $SVNSERVE =3D ""; - # $SVNSERVE =3D "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=3D%u"; -=20 - # -------------------------------------- - # ALLOW REPO CONFIG TO USE WILDCARDS -=20 - # security note: this used to in a separate "wildrepos" branch. You ca= n - # create repositories based on wild cards, give "ownership" to the spec= ific - # user who created it, allow him/her to hand out R and RW permissions t= o other - # users to collaborate, etc. This is powerful stuff, and I've made it = as - # secure as I can, but it hasn't had the kind of rigorous line-by-line - # analysis that the old "master" branch had. -=20 - # This has now been rolled into master, with all the functionality gate= d by - # this variable. Set this to 1 if you want to enable the wildrepos fea= tures. - # Please see doc/wildcard-repositories.mkd for details. -=20 - $GL_WILDREPOS =3D 0; -=20 - # -------------------------------------- - # DEFAULT WILDCARD PERMISSIONS -=20 - # If set, this value will be used as the default user-level permission = rule of - # new wildcard repositories. The user can change this value with the se= tperms command - # as desired after repository creation; it is only a default. Note that= @all can be - # used here but is special; no other groups can be used in user-level p= ermissions. -=20 - # $GL_WILDREPOS_DEFPERMS =3D 'R @all'; -=20 - # -------------------------------------- - # WILDREPOS PERMS CATEGORIES -=20 - # Originally, we only allowed "R" and "RW" in the setperms command. No= w we - # allow the admin to define other categories as she wishes (example: MA= NAGERS, - # TESTERS, etc). -=20 - # This variable is a space-sep list of the allowed categories. -=20 - # PLEASE, *PLEASE*, read the section in doc/wildcard-repositories.mkd f= or - # caveats and warnings. This is a VERY powerful feature and if you're = not - # careful you could mess up the ACLs nicely. 
-=20 - # this is the internal default if you don't set it (like if you didn't = update - # your ~/.gitolite.rc with new variables when you upgraded gitolite): - $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS"; -=20 - # you can use your own categories in addition to the standard ones; I s= uggest - # you include READERS and WRITERS for backward compat though: - # $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS MANAGERS"; - # $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS MANAGERS TESTERS"; -=20 - # -------------------------------------- - # HOOK CHAINING -=20 - # by default, the update hook in every repo chains to "update.secondary= ". - # Similarly, the post-update hook in the admin repo chains to - # "post-update.secondary". If you're fine with the defaults, there's n= o need - # to do anything here. However, if you want to use different names or = paths, - # change these variables -=20 # $UPDATE_CHAINS_TO =3D "hooks/update.secondary"; # $ADMIN_POST_UPDATE_CHAINS_TO =3D "hooks/post-update.secondary"; -=20 - # -------------------------------------- - # ADMIN DEFINED COMMANDS -=20 - # WARNING: Use this feature only if (a) you really really know what you= 're - # doing or (b) you really don't care too much about security. Please r= ead - # doc/admin-defined-commands.mkd for details. -=20 # $GL_ADC_PATH =3D ""; + # $GL_GET_MEMBERSHIPS_PGM =3D "/usr/local/bin/expand-ldap-user-to-group= s" =20 - # -------------------------------------- - # SITE-SPECIFIC INFORMATION -=20 - # Some installations would like to give their users customised informat= ion - # (like a link to their own websites, for example) so that each end use= r does - # not have to grok all the gitolite documentation. -=20 - # If this variable is defined, the "info" command will print it at the = end of - # the listing. 
+ # ---------------------------------------------------------------------= --------- + # less used/changed variables + # ---------------------------------------------------------------------= --------- + # $GL_ALL_INCLUDES_SPECIAL =3D 0; + # $GL_SLAVE_MODE =3D 0; + # $ENV{GL_SLAVES} =3D 'gitolite@server2 gitolite@server3'; + # PLEASE USE SINGLE QUOTES ABOVE, NOT DOUBLE QUOTES + $GL_WILDREPOS_PERM_CATS =3D "READERS WRITERS"; =20 - # $GL_SITE_INFO =3D ""; + # ---------------------------------------------------------------------= --------- + # rarely changed variables + # ---------------------------------------------------------------------= --------- + $GL_LOGT=3D"$GL_ADMINDIR/logs/gitolite-%y-%m.log"; + # $GL_PERFLOGT=3D"$GL_ADMINDIR/logs/perf-gitolite-%y-%m.log"; # $GL_SITE_INFO =3D "XYZ.COM DEVELOPERS: PLEASE SEE http://xyz.com/gito= lite/help first"; =20 - # -------------------------------------- - # USERGROUP HANDLING -=20 - # Some sites would like to store group membership outside gitolite, bec= ause - # they already have it in (usually) their LDAP server, and it doesn't m= ake - # sense to be forced to duplicate this information. -=20 - # Set the following variable to the name of a script that, given a user= name as - # argument, will return a list of groups that she is a member of. 
-=20 - # $GL_GET_MEMBERSHIPS_PGM =3D "/usr/local/bin/expand-ldap-user-to-group= s" + # ---------------------------------------------------------------------= --------- + # variables that should NOT be changed after the install step completes + # ---------------------------------------------------------------------= --------- + $REPO_BASE=3D"repositories"; =20 - # -------------------------------------- + # ---------------------------------------------------------------------= --------- # per perl rules, this should be the last line in such a file: 1; =20 diff --cc src/gitolite.pm index 7a36858,64bab29..83bf535 --- a/src/gitolite.pm +++ b/src/gitolite.pm @@@ -43,12 -43,17 +43,17 @@@ our $REPOPATT_PATT=3Dqr(^\@?[0-9a-zA-Z[][ our $ADC_CMD_ARGS_PATT=3Dqr(^[0-9a-zA-Z._\@/+:-]*$); =20 # these come from the RC file -our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $= REPO_BASE, $GL_CONF_COMPILED, $GL_BIG_CONFIG, $GL_PERFLOGT, $PROJECTS_LIS= T, $GL_ALL_INCLUDES_SPECIAL, $GL_SITE_INFO, $GL_GET_MEMBERSHIPS_PGM, $GL_= WILDREPOS_PERM_CATS, $GL_KEYDIR, @GL_METADATA); +our ($REPO_UMASK, $GL_WILDREPOS, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $= REPO_BASE, $GL_CONF_COMPILED, $GL_BIG_CONFIG, $GL_PERFLOGT, $PROJECTS_LIS= T, $GL_ALL_INCLUDES_SPECIAL, $GL_SITE_INFO, $GL_GET_MEMBERSHIPS_PGM, $GL_= WILDREPOS_PERM_CATS, $GL_KEYDIR, @GL_METADATA, @GL_METADATA_REQUIRED); our %repos; our %groups; - our %repo_config; + our %git_configs; + our %split_conf;; our $data_version; - our $current_data_version =3D '1.6'; + our $current_data_version =3D '1.7'; +=20 + # the following are read in from individual repo's gl-conf files, if pr= esent + our %one_repo; + our %one_git_config; =20 # ---------------------------------------------------------------------= ------- # convenience subs diff --cc src/gl-auth-command index dffdb62,1af4232..9bfca63 --- a/src/gl-auth-command +++ b/src/gl-auth-command @@@ -32,7 -32,7 +32,7 @@@ use warnings # 
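Review bot: `our %split_conf;;` on the new side of the src/gitolite.pm hunk carries a stray second semicolon; drop it: `our %split_conf;`. The same hunk adds `@GL_METADATA_REQUIRED` to the list of rc-file variables without saying how it relates to the existing `@GL_METADATA`; a short trailing comment on that `our (...)` line, along the lines of `# @GL_METADATA_REQUIRED: presumably the subset of @GL_METADATA a key must carry — confirm against the code that reads it`, would save the next reader a grep. That list is now seventeen names on a single line, which is exactly the shape that produced the hand-resolved conflict in the gl-auth-command hunk below; one name per line would make future merges of it trivial. The `# convenience subs` section that follows continues outside the hunk.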
---------------------------------------------------------------------= ------- =20 # these are set by the "rc" file - our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $= GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DE= FPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE, $GL_PERF= LOGT, @GL_METADATA); -our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $= GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DE= FPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE, $GL_PERF= LOGT, $GL_ALL_READ_ALL); ++our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $= GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_WILDREPOS_DE= FPERMS, $GL_ADC_PATH, $SVNSERVE, $PROJECTS_LIST, $GL_SLAVE_MODE, $GL_PERF= LOGT, $GL_ALL_READ_ALL, @GL_METADATA); # and these are set by gitolite.pm our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT, $ADC_CMD= _ARGS_PATT); our %repos;
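Review bot: The conflict-resolved `++our (... $GL_SLAVE_MODE, $GL_PERFLOGT, $GL_ALL_READ_ALL, @GL_METADATA);` is the only line changed by hand in this hunk, and it is a seventeen-name declaration on one line; writing the list one name per line would turn the next merge of it into a trivial conflict instead of another manual edit. This list and the one in src/gitolite.pm in the previous hunk no longer declare the same set of rc variables (`@GL_METADATA_REQUIRED` appears only there, `$GL_ALL_READ_ALL` only here); if that is intentional because gl-auth-command never reads `@GL_METADATA_REQUIRED`, a note on the `# these are set by the "rc" file` line such as `# only the rc variables this script reads; see src/gitolite.pm for the full list` would stop someone "fixing" the discrepancy. Whether either script checks that every rc variable it declares was actually set by the rc file is not visible in this hunk.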