branch-permissions: enabled branch permissions checks for SSH backend.
marcink -
r2982:9342a381 default
@@ -120,11 +120,25 b' class SshWrapper(object):'
120
120
121 return vcs_type, repo_name, mode
121 return vcs_type, repo_name, mode
122
122
123 def serve(self, vcs, repo, mode, user, permissions):
123 def serve(self, vcs, repo, mode, user, permissions, branch_permissions):
124 store = ScmModel().repos_path
124 store = ScmModel().repos_path
125
125
126 check_branch_perms = False
127 detect_force_push = False
128
129 if branch_permissions:
130 check_branch_perms = True
131 detect_force_push = True
132
126 log.debug(
133 log.debug(
127 'VCS detected:`%s` mode: `%s` repo_name: %s', vcs, mode, repo)
134 'VCS detected:`%s` mode: `%s` repo_name: %s, branch_permission_checks:%s',
135 vcs, mode, repo, check_branch_perms)
136
137 # detect if we have to check branch permissions
138 extras = {
139 'detect_force_push': detect_force_push,
140 'check_branch_perms': check_branch_perms,
141 }
128
142
129 if vcs == 'hg':
143 if vcs == 'hg':
130 server = MercurialServer(
144 server = MercurialServer(
@@ -132,7 +146,7 b' class SshWrapper(object):'
132 repo_name=repo, user=user,
146 repo_name=repo, user=user,
133 user_permissions=permissions, config=self.config, env=self.env)
147 user_permissions=permissions, config=self.config, env=self.env)
134 self.server_impl = server
148 self.server_impl = server
135 return server.run()
149 return server.run(tunnel_extras=extras)
136
150
137 elif vcs == 'git':
151 elif vcs == 'git':
138 server = GitServer(
152 server = GitServer(
@@ -140,7 +154,7 b' class SshWrapper(object):'
140 repo_name=repo, repo_mode=mode, user=user,
154 repo_name=repo, repo_mode=mode, user=user,
141 user_permissions=permissions, config=self.config, env=self.env)
155 user_permissions=permissions, config=self.config, env=self.env)
142 self.server_impl = server
156 self.server_impl = server
143 return server.run()
157 return server.run(tunnel_extras=extras)
144
158
145 elif vcs == 'svn':
159 elif vcs == 'svn':
146 server = SubversionServer(
160 server = SubversionServer(
@@ -148,7 +162,7 b' class SshWrapper(object):'
148 repo_name=None, user=user,
162 repo_name=None, user=user,
149 user_permissions=permissions, config=self.config, env=self.env)
163 user_permissions=permissions, config=self.config, env=self.env)
150 self.server_impl = server
164 self.server_impl = server
151 return server.run()
165 return server.run(tunnel_extras=extras)
152
166
153 else:
167 else:
154 raise Exception('Unrecognised VCS: {}'.format(vcs))
168 raise Exception('Unrecognised VCS: {}'.format(vcs))
@@ -188,10 +202,11 b' class SshWrapper(object):'
188
202
189 auth_user = user.AuthUser()
203 auth_user = user.AuthUser()
190 permissions = auth_user.permissions['repositories']
204 permissions = auth_user.permissions['repositories']
191
205 repo_branch_permissions = auth_user.get_branch_permissions(scm_repo)
192 try:
206 try:
193 exit_code, is_updated = self.serve(
207 exit_code, is_updated = self.serve(
194 scm_detected, scm_repo, scm_mode, user, permissions)
208 scm_detected, scm_repo, scm_mode, user, permissions,
209 repo_branch_permissions)
195 except Exception:
210 except Exception:
196 log.exception('Error occurred during execution of SshWrapper')
211 log.exception('Error occurred during execution of SshWrapper')
197 exit_code = -1
212 exit_code = -1
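Review bot: In `serve()` both `check_branch_perms` and `detect_force_push` are switched on only when `branch_permissions` is truthy, so an empty result leaves the push unchecked. That empty result looks the same whether the user has no branch rules or the lookup for `scm_repo` found no entry, for instance if the name parsed from the SSH command is not the key the permission tree uses (not verifiable from these hunks). A comment stating the intent would help, e.g. `# no branch rules for this user/repo -> hooks skip branch and force-push checks`, and the four flag lines can collapse to `check_branch_perms = detect_force_push = bool(branch_permissions)`. The lookup on new line 205 also sits before `try:`, so an exception raised by `get_branch_permissions` bypasses the `log.exception` handler below it.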
@@ -106,11 +106,15 b' class VcsServer(object):'
106 'make_lock': None,
106 'make_lock': None,
107 'locked_by': [None, None],
107 'locked_by': [None, None],
108 'server_url': None,
108 'server_url': None,
109 'is_shadow_repo': False,
109 'user_agent': 'ssh-user-agent',
110 'hooks_module': 'rhodecode.lib.hooks_daemon',
111 'hooks': ['push', 'pull'],
110 'hooks': ['push', 'pull'],
111 'hooks_module': 'rhodecode.lib.hooks_daemon',
112 'is_shadow_repo': False,
113 'detect_force_push': False,
114 'check_branch_perms': False,
115
112 'SSH': True,
116 'SSH': True,
113 'SSH_PERMISSIONS': self.user_permissions.get(self.repo_name)
117 'SSH_PERMISSIONS': self.user_permissions.get(self.repo_name),
114 }
118 }
115 if extras:
119 if extras:
116 scm_data.update(extras)
120 scm_data.update(extras)
@@ -139,8 +143,10 b' class VcsServer(object):'
139
143
140 return exit_code, action == "push"
144 return exit_code, action == "push"
141
145
142 def run(self):
146 def run(self, tunnel_extras=None):
147 tunnel_extras = tunnel_extras or {}
143 extras = {}
148 extras = {}
149 extras.update(tunnel_extras)
144
150
145 callback_daemon, extras = prepare_callback_daemon(
151 callback_daemon, extras = prepare_callback_daemon(
146 extras, protocol=vcs_settings.HOOKS_PROTOCOL,
152 extras, protocol=vcs_settings.HOOKS_PROTOCOL,
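Review bot: `run()` takes `tunnel_extras=None` and the new `scm_data` defaults on lines 113-114 are both `False`, so a caller that omits the argument runs the hooks with branch-permission and force-push checks disabled and nothing records that. Since these two flags gate enforcement, consider logging the effective values at the start of `run()`, e.g. `log.debug('tunnel extras: %s', tunnel_extras)`, or requiring callers to pass them explicitly. The `scm_data.update(extras)` context line lets whatever arrives in `extras` overwrite any key, including `SSH_PERMISSIONS`; presumably only `serve()` feeds it today, but a comment naming the keys callers may pass would keep that boundary visible. The body of `run()` continues past the end of this hunk.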
@@ -139,6 +139,9 b' class TestGitServer(object):'
139 'hooks': ['push', 'pull'],
139 'hooks': ['push', 'pull'],
140 'is_shadow_repo': False,
140 'is_shadow_repo': False,
141 'hooks_module': 'rhodecode.lib.hooks_daemon',
141 'hooks_module': 'rhodecode.lib.hooks_daemon',
142 'check_branch_perms': False,
143 'detect_force_push': False,
144 'user_agent': u'ssh-user-agent',
142 'SSH': True,
145 'SSH': True,
143 'SSH_PERMISSIONS': 'repository.admin',
146 'SSH_PERMISSIONS': 'repository.admin',
144 }
147 }
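Review bot: The expectations here only pin the disabled defaults (`'check_branch_perms': False`, `'detect_force_push': False`), and the `TestSSHWrapper` change further down passes `branch_permissions={}` on the unrecognised-VCS path, so none of the visible test changes exercises the enabled case. A test that calls `serve()` with a non-empty `branch_permissions` and asserts that `run()` receives `tunnel_extras={'detect_force_push': True, 'check_branch_perms': True}` would cover the behaviour this commit introduces. Other tests may exist outside the hunks shown.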
@@ -27,7 +27,7 b' class TestSSHWrapper(object):'
27 with pytest.raises(Exception) as exc_info:
27 with pytest.raises(Exception) as exc_info:
28 ssh_wrapper.serve(
28 ssh_wrapper.serve(
29 vcs='microsoft-tfs', repo='test-repo', mode=None, user='test',
29 vcs='microsoft-tfs', repo='test-repo', mode=None, user='test',
30 permissions={})
30 permissions={}, branch_permissions={})
31 assert exc_info.value.message == 'Unrecognised VCS: microsoft-tfs'
31 assert exc_info.value.message == 'Unrecognised VCS: microsoft-tfs'
32
32
33 def test_parse_config(self, ssh_wrapper):
33 def test_parse_config(self, ssh_wrapper):
@@ -1362,8 +1362,11 b' class AuthUser(object):'
1362
1362
1363 def get_branch_permissions(self, repo_name, perms=None):
1363 def get_branch_permissions(self, repo_name, perms=None):
1364 perms = perms or self.permissions_with_scope({'repo_name': repo_name})
1364 perms = perms or self.permissions_with_scope({'repo_name': repo_name})
1365 branch_perms = perms.get('repository_branches')
1365 branch_perms = perms.get('repository_branches', {})
1366 return branch_perms
1366 if not branch_perms:
1367 return {}
1368 repo_branch_perms = branch_perms.get(repo_name)
1369 return repo_branch_perms or {}
1367
1370
1368 def get_rule_and_branch_permission(self, repo_name, branch_name):
1371 def get_rule_and_branch_permission(self, repo_name, branch_name):
1369 """
1372 """
@@ -1373,11 +1376,7 b' class AuthUser(object):'
1373
1376
1374 rule = default_perm = ''
1377 rule = default_perm = ''
1375
1378
1376 branch_perms = self.get_branch_permissions(repo_name=repo_name)
1379 repo_branch_perms = self.get_branch_permissions(repo_name=repo_name)
1377 if not branch_perms:
1378 return rule, default_perm
1379
1380 repo_branch_perms = branch_perms.get(repo_name)
1381 if not repo_branch_perms:
1380 if not repo_branch_perms:
1382 return rule, default_perm
1381 return rule, default_perm
1383
1382
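Review bot: `get_branch_permissions` now returns the rule mapping for `repo_name` alone where it previously returned the whole `repository_branches` mapping, so a caller not updated in this commit that still does `.get(repo_name)` on the result would most likely get `None` and treat the user as having no branch rules. Only `get_rule_and_branch_permission` is adjusted in the visible hunks, so the remaining call sites are worth checking. The method also has no docstring; something like `"""Return this user's branch permission rules for repo_name, or {} when none are defined."""` would make the new contract explicit. When `perms` is supplied by the caller, the lookup assumes it is keyed by the same `repo_name`.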
@@ -179,7 +179,9 b' def vcs_operation_context('
179 settings_model = VcsSettingsModel(repo=repo_name)
179 settings_model = VcsSettingsModel(repo=repo_name)
180 ui_settings = settings_model.get_ui_settings()
180 ui_settings = settings_model.get_ui_settings()
181
181
182 extras = {
182 # NOTE(marcink): This should be also in sync with
183 # rhodecode/apps/ssh_support/lib/backends/base.py:update_enviroment scm_data
184 scm_data = {
183 'ip': get_ip_addr(environ),
185 'ip': get_ip_addr(environ),
184 'username': username,
186 'username': username,
185 'user_id': user_id,
187 'user_id': user_id,
@@ -196,7 +198,7 b' def vcs_operation_context('
196 'detect_force_push': detect_force_push,
198 'detect_force_push': detect_force_push,
197 'check_branch_perms': check_branch_perms,
199 'check_branch_perms': check_branch_perms,
198 }
200 }
199 return extras
201 return scm_data
200
202
201
203
202 class BasicAuth(AuthBasicAuthenticator):
204 class BasicAuth(AuthBasicAuthenticator):
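Review bot: The new NOTE asks for this dict to be kept in sync with `scm_data` in the SSH backend by hand, and nothing enforces it; if a key such as `check_branch_perms` or `detect_force_push` drifted between the two, HTTP and SSH pushes could be enforced differently. A small test comparing the two key sets, or a shared helper that builds the common part, would turn the comment into a check. The function's signature and the start of the dict lie outside the hunks shown.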