public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/gitolite-gentoo:upstream commit in: src/
@ 2011-02-15 16:42 Christian Ruppert
From: Christian Ruppert @ 2011-02-15 16:42 UTC
  To: gentoo-commits

commit:     e98bde322e8ea0e4013d2b4acc3e5063c9268e1d
Author:     Sitaram Chamarty <sitaram <AT> atc <DOT> tcs <DOT> com>
AuthorDate: Tue Dec 28 08:28:53 2010 +0000
Commit:     Christian Ruppert <idl0r <AT> gentoo <DOT> org>
CommitDate: Tue Dec 28 08:28:53 2010 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/gitolite-gentoo.git;a=commit;h=e98bde32

allow gitolite to be used when the users already have real IDs

Fedora (for example) runs like this:

  * each user has his own userid and login
  * his/her ~/.ssh/authkeys file (containing only his/her key) has a
    "command=" clause invoking just "gl-auth-command"
  * trusted users have "gl-auth-command -s" meaning they can get a shell if
    they want to

As a result, there is no specific $HOME where you can look for
.gitolite.rc.  Hence this patch

----

Side note: in addition, Fedora may have one or more of the following
characteristics (writing them here for convenience; they're not directly
relevant to this patch):

  * actual git repos are under "git" (or some such), and include the chmod g+s
    (git init --shared) unix perms tricks for shared access

  * but since they're coming through gl-auth, branch-level acls are in effect

  * the gitolite config file is generated from some database and compiled (all
    via cron)

  * the keydir/ is empty; in fact they probably don't use the admin repo at
    all, AFAIK

---
 src/gitolite.pm |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/gitolite.pm b/src/gitolite.pm
index 7eaebae..baaf112 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -265,8 +265,15 @@ sub where_is_rc
 
     return if $ENV{GL_RC};
 
-    my $glrc = $ENV{HOME} . "/.gitolite.rc";
-    $ENV{GL_RC} = $glrc if (-f $glrc);
+    # Fedora doesn't actually have a "hosting user" at all (yeah -- bet you
+    # didn't know gitolite was *that* flexible!), so there's no fixed $HOME,
+    # and they prefer to keep their RC file in /etc/gitolite.
+    for my $glrc ( $ENV{HOME} . "/.gitolite.rc", "/etc/gitolite/gitolite.rc" ) {
+        if (-f $glrc) {
+            $ENV{GL_RC} = $glrc;
+            last;
+        }
+    }
 }
 
 # ----------------------------------------------------------------------------
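
Review bot: In the new "for my $glrc (...)" loop the per-user $ENV{HOME} . "/.gitolite.rc" is tried before "/etc/gitolite/gitolite.rc", so on the kind of host the commit message describes (every user has a real login and home directory) a file in a user's own home takes precedence over the system-wide rc. If the /etc file is meant to be authoritative there, list it first, or state the intended precedence in the comment above the loop. Two edge cases are also left implicit: with HOME unset the first candidate becomes "/.gitolite.rc", and when neither file exists the sub returns with GL_RC still unset. A guard on $ENV{HOME} and a note on the no-file case would make both deliberate.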




* [gentoo-commits] proj/gitolite-gentoo:upstream commit in: src/
@ 2011-02-15 16:42 Christian Ruppert
From: Christian Ruppert @ 2011-02-15 16:42 UTC
  To: gentoo-commits

commit:     d8789a3af0caca5896202cf7a3cc6f7bfee96cb1
Author:     Sitaram Chamarty <sitaram <AT> atc <DOT> tcs <DOT> com>
AuthorDate: Tue Jan 11 16:57:22 2011 +0000
Commit:     Christian Ruppert <idl0r <AT> gentoo <DOT> org>
CommitDate: Tue Jan 11 19:07:09 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/gitolite-gentoo.git;a=commit;h=d8789a3a

get rid of wasted parse in wild_repo_rights

---
 src/gitolite.pm |   21 ++++++++++++---------
 1 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/gitolite.pm b/src/gitolite.pm
index 38dd13a..53368e9 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -307,16 +307,10 @@ sub new_repo
 # ----------------------------------------------------------------------------
 
 {
-    # the following sub needs some persistent data, so we make a closure
+    # the following subs need some persistent data, so we make a closure
     my $cache_filled = 0;
     my %cached_groups;
-
-    # "who created this repo", "am I on the R list", and "am I on the RW list"?
-    sub wild_repo_rights
-    {
-        # set default categories
-        $GL_WILDREPOS_PERM_CATS ||= "READERS WRITERS";
-        my ($repo, $user) = @_;
+    sub fill_cache {
         # pull in basic group info
         unless ($cache_filled) {
             local(%repos, %groups);
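
Review bot: The new sub fill_cache has no description of its own. The closure comment was changed to "subs", but nothing says that fill_cache takes no arguments and exists only to populate %cached_groups once per run, while the sub it was split from keeps its one-line summary. Add a short comment above "sub fill_cache {", and consider putting the opening brace on its own line to match the "sub wild_repo_rights" / "{" style used in the removed lines.
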
@@ -328,10 +322,18 @@ sub new_repo
             # really care; we just pull it in once and save it for the rest of
             # the run
             do $GL_CONF_COMPILED;
-            add_repo_conf($repo) if $repo;
             %cached_groups = %groups;
             $cache_filled++;
         }
+    }
+
+    # "who created this repo", "am I on the R list", and "am I on the RW list"?
+    sub wild_repo_rights
+    {
+        # set default categories
+        $GL_WILDREPOS_PERM_CATS ||= "READERS WRITERS";
+        my ($repo, $user) = @_;
+
         # creator
         my $c = '';
         if (                     -f "$ENV{GL_REPO_BASE_ABS}/$repo.git/gl-creater") {
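
Review bot: Dropping "add_repo_conf($repo) if $repo;" from the cache-fill block may change the contents of the cache, not only the cost of filling it: "%cached_groups = %groups;" is now taken without whatever that call did for this repo. If add_repo_conf can add anything to %groups, the later @foo membership lookup will no longer see it. The commit message says only "wasted parse", so please confirm that the per-repo conf never contributes group data used here, and record that in the commit message or in a comment next to the copy.
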
@@ -360,6 +362,7 @@ sub new_repo
             # file).  We replace each @foo with $user if $cached_groups{'@foo'}{$user}
             # exists (i.e., $user is a member of @foo)
             for my $g ($perms =~ /\s(\@\S+)/g) {
+                fill_cache();   # get %cached_groups
                 $perms =~ s/ $g(?!\S)/ $user/ if $cached_groups{$g}{$user};
             }
             # now setup the perm_cats hash to be returned
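
Review bot: fill_cache() is called inside the body of the "for my $g" loop, once per group name found in $perms, and is cheap only because of the $cache_filled guard inside fill_cache. Since wild_repo_rights no longer fills the cache on entry, every reader of %cached_groups in this closure now has to remember to call fill_cache() first. A comment at the "my %cached_groups;" declaration saying so, or a single call placed just before the loop and guarded by the same /\s\@\S+/ match, would make that dependency harder to miss.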




* [gentoo-commits] proj/gitolite-gentoo:upstream commit in: src/
@ 2011-02-16 16:03 Christian Ruppert
From: Christian Ruppert @ 2011-02-16 16:03 UTC
  To: gentoo-commits

commit:     4ce00aef84d1ff7c35f7adbbb99a6241cfda00cc
Author:     Sitaram Chamarty <sitaram <AT> atc <DOT> tcs <DOT> com>
AuthorDate: Tue Feb 15 09:28:42 2011 +0000
Commit:     Christian Ruppert <idl0r <AT> gentoo <DOT> org>
CommitDate: Tue Feb 15 09:28:42 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/gitolite-gentoo.git;a=commit;h=4ce00aef

security fix for optional ADC (admin-defined command) feature

Thanks to Dylan Simon for catching it...

---
 src/gl-auth-command |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/gl-auth-command b/src/gl-auth-command
index 1af4232..f3449a5 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -154,6 +154,7 @@ die "server is in slave mode; you can only fetch\n"
 if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
     my ($cmd, @args) = split ' ', $ENV{SSH_ORIGINAL_COMMAND};
     if (-x "$GL_ADC_PATH/$cmd") {
+        die "I don't like $cmd\n" if $cmd =~ /\.\./;
         # yes this is rather strict, sorry.
         do { die "I don't like $_\n" unless $_ =~ $ADC_CMD_ARGS_PATT } for ($cmd, @args);
         &log_it("$GL_ADC_PATH/$ENV{SSH_ORIGINAL_COMMAND}");
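
Review bot: The new ".." check sits inside the "if (-x "$GL_ADC_PATH/$cmd")" block, so the file test has already been evaluated on the unchecked $cmd before the die can run. Move this line, together with the $ADC_CMD_ARGS_PATT check on $cmd, above the -x test so that no filesystem access is made with an unvalidated name. The pattern /\.\./ also says nothing about "/" in $cmd, and whether $ADC_CMD_ARGS_PATT rejects it is not visible in this hunk. If an ADC is always a file directly inside $GL_ADC_PATH, reject any $cmd containing "/" as well. The commit message should say what the check prevents, so that a later cleanup does not remove it as redundant with the pattern check on the next line.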


