acl.py
250 lines
| 8.2 KiB
| text/x-python
|
PythonLexer
/ hgext / acl.py
Vadim Gelfer
|
r2344 | # acl.py - changeset access control for mercurial | ||
# | ||||
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> | ||||
# | ||||
Martin Geisler
|
r8225 | # This software may be used and distributed according to the terms of the | ||
Matt Mackall
|
r10263 | # GNU General Public License version 2 or any later version. | ||
Dirkjan Ochtman
|
r8873 | |||
Dirkjan Ochtman
|
r8935 | '''hooks for controlling repository access | ||
Dirkjan Ochtman
|
r8873 | |||
Martin Geisler
|
r11095 | This hook makes it possible to allow or deny write access to given | ||
branches and paths of a repository when receiving incoming changesets | ||||
via pretxnchangegroup and pretxncommit. | ||||
Martin Geisler
|
r9250 | |||
The authorization is matched based on the local user name on the | ||||
system where the hook runs, and not the committer of the original | ||||
changeset (since the latter is merely informative). | ||||
Dirkjan Ochtman
|
r8873 | |||
Martin Geisler
|
r9250 | The acl hook is best used along with a restricted shell like hgsh, | ||
Martin Geisler
|
r11095 | preventing authenticating users from doing anything other than pushing | ||
or pulling. The hook is not safe to use if users have interactive | ||||
shell access, as they can then disable the hook. Nor is it safe if | ||||
remote users share an account, because then there is no way to | ||||
distinguish them. | ||||
Dirkjan Ochtman
|
r8873 | |||
Elifarley Callado Coelho Cruz
|
r11092 | The order in which access checks are performed is: | ||
Martin Geisler
|
r11094 | |||
1) Deny list for branches (section ``acl.deny.branches``) | ||||
2) Allow list for branches (section ``acl.allow.branches``) | ||||
3) Deny list for paths (section ``acl.deny``) | ||||
4) Allow list for paths (section ``acl.allow``) | ||||
Elifarley Callado Coelho Cruz
|
r11042 | |||
Elifarley Callado Coelho Cruz
|
r11092 | The allow and deny sections take key-value pairs. | ||
Martin Geisler
|
r11094 | Branch-based Access Control | ||
Erik Zielke
|
r12778 | ........................... | ||
Elifarley Callado Coelho Cruz
|
r11092 | |||
Martin Geisler
|
r11095 | Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to | ||
have branch-based access control. Keys in these sections can be | ||||
either: | ||||
Martin Geisler
|
r11057 | |||
Martin Geisler
|
r11095 | - a branch name, or | ||
- an asterisk, to match any branch; | ||||
Elifarley Callado Coelho Cruz
|
r11092 | |||
The corresponding values can be either: | ||||
Martin Geisler
|
r11094 | |||
Martin Geisler
|
r11095 | - a comma-separated list containing users and groups, or | ||
- an asterisk, to match anyone; | ||||
Elifarley Callado Coelho Cruz
|
r11042 | |||
Martin Geisler
|
r11094 | Path-based Access Control | ||
Erik Zielke
|
r12778 | ......................... | ||
Elifarley Callado Coelho Cruz
|
r11092 | |||
Martin Geisler
|
r11095 | Use the ``acl.deny`` and ``acl.allow`` sections to have path-based | ||
access control. Keys in these sections accept a subtree pattern (with | ||||
a glob syntax by default). The corresponding values follow the same | ||||
syntax as the other sections above. | ||||
Elifarley Callado Coelho Cruz
|
r11092 | |||
Martin Geisler
|
r11094 | Groups | ||
Erik Zielke
|
r12778 | ...... | ||
Elifarley Callado Coelho Cruz
|
r11092 | |||
Martin Geisler
|
r11095 | Group names must be prefixed with an ``@`` symbol. Specifying a group | ||
name has the same effect as specifying all the users in that group. | ||||
Dirkjan Ochtman
|
r8873 | |||
Elifarley Callado Coelho Cruz
|
r11115 | You can define group members in the ``acl.groups`` section. | ||
If a group name is not defined there, and Mercurial is running under | ||||
a Unix-like system, the list of users will be taken from the OS. | ||||
Otherwise, an exception will be raised. | ||||
Martin Geisler
|
r11094 | Example Configuration | ||
Erik Zielke
|
r12778 | ..................... | ||
Martin Geisler
|
r11094 | |||
:: | ||||
Dirkjan Ochtman
|
r8873 | |||
[hooks] | ||||
Elifarley Callado Coelho Cruz
|
r11042 | |||
Elifarley Callado Coelho Cruz
|
r11092 | # Use this if you want to check access restrictions at commit time | ||
Elifarley Callado Coelho Cruz
|
r11042 | pretxncommit.acl = python:hgext.acl.hook | ||
Martin Geisler
|
r11423 | |||
Martin Geisler
|
r11095 | # Use this if you want to check access restrictions for pull, push, | ||
# bundle and serve. | ||||
Dirkjan Ochtman
|
r8873 | pretxnchangegroup.acl = python:hgext.acl.hook | ||
[acl] | ||||
Patrick Mezard
|
r11131 | # Allow or deny access for incoming changes only if their source is | ||
# listed here, let them pass otherwise. Source is "serve" for all | ||||
# remote access (http or ssh), "push", "pull" or "bundle" when the | ||||
# related commands are run locally. | ||||
# Default: serve | ||||
Cédric Duval
|
r8893 | sources = serve | ||
Dirkjan Ochtman
|
r8873 | |||
Martin Geisler
|
r11423 | [acl.deny.branches] | ||
# Everyone is denied to the frozen branch: | ||||
frozen-branch = * | ||||
# A bad user is denied on all branches: | ||||
* = bad-user | ||||
[acl.allow.branches] | ||||
# A few users are allowed on branch-a: | ||||
branch-a = user-1, user-2, user-3 | ||||
# Only one user is allowed on branch-b: | ||||
branch-b = user-1 | ||||
# The super user is allowed on any branch: | ||||
* = super-user | ||||
# Everyone is allowed on branch-for-tests: | ||||
branch-for-tests = * | ||||
Elifarley Callado Coelho Cruz
|
r11092 | |||
Elifarley Callado Coelho Cruz
|
r11042 | [acl.deny] | ||
Martin Geisler
|
r11095 | # This list is checked first. If a match is found, acl.allow is not | ||
# checked. All users are granted access if acl.deny is not present. | ||||
# Format for both lists: glob pattern = user, ..., @group, ... | ||||
Elifarley Callado Coelho Cruz
|
r11042 | |||
# To match everyone, use an asterisk for the user: | ||||
# my/glob/pattern = * | ||||
# user6 will not have write access to any file: | ||||
** = user6 | ||||
# Group "hg-denied" will not have write access to any file: | ||||
** = @hg-denied | ||||
Martin Geisler
|
r11095 | # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite | ||
# everyone being able to change all other files. See below. | ||||
Elifarley Callado Coelho Cruz
|
r11042 | src/main/resources/DONT-TOUCH-THIS.txt = * | ||
Dirkjan Ochtman
|
r8873 | |||
[acl.allow] | ||||
Patrick Mezard
|
r11131 | # if acl.allow is not present, all users are allowed by default | ||
Elifarley Callado Coelho Cruz
|
r11042 | # empty acl.allow = no users allowed | ||
Martin Geisler
|
r11095 | # User "doc_writer" has write access to any file under the "docs" | ||
# folder: | ||||
Dirkjan Ochtman
|
r8873 | docs/** = doc_writer | ||
Elifarley Callado Coelho Cruz
|
r11042 | |||
Martin Geisler
|
r11095 | # User "jack" and group "designers" have write access to any file | ||
# under the "images" folder: | ||||
Elifarley Callado Coelho Cruz
|
r11042 | images/** = jack, @designers | ||
Martin Geisler
|
r11095 | # Everyone (except for "user6" - see acl.deny above) will have write | ||
# access to any file under the "resources" folder (except for 1 | ||||
# file. See acl.deny): | ||||
Elifarley Callado Coelho Cruz
|
r11042 | src/main/resources/** = * | ||
Dirkjan Ochtman
|
r8873 | .hgtags = release_engineer | ||
''' | ||||
Vadim Gelfer
|
r2344 | |||
Matt Mackall
|
r3891 | from mercurial.i18n import _ | ||
Matt Mackall
|
r8566 | from mercurial import util, match | ||
Patrick Mezard
|
r11138 | import getpass, urllib | ||
Elifarley Callado Coelho Cruz
|
r11041 | |||
Elifarley Callado Coelho Cruz
|
r11114 | def _getusers(ui, group): | ||
# First, try to use group definition from section [acl.groups] | ||||
hgrcusers = ui.configlist('acl.groups', group) | ||||
if hgrcusers: | ||||
return hgrcusers | ||||
ui.debug('acl: "%s" not defined in [acl.groups]\n' % group) | ||||
# If no users found in group definition, get users from OS-level group | ||||
Patrick Mezard
|
r11140 | try: | ||
return util.groupmembers(group) | ||||
except KeyError: | ||||
raise util.Abort(_("group '%s' is undefined") % group) | ||||
Elifarley Callado Coelho Cruz
|
r11041 | |||
Elifarley Callado Coelho Cruz
|
r11114 | def _usermatch(ui, user, usersorgroups): | ||
Elifarley Callado Coelho Cruz
|
r11041 | |||
if usersorgroups == '*': | ||||
return True | ||||
for ug in usersorgroups.replace(',', ' ').split(): | ||||
Elifarley Callado Coelho Cruz
|
r11114 | if user == ug or ug.find('@') == 0 and user in _getusers(ui, ug[1:]): | ||
Elifarley Callado Coelho Cruz
|
r11041 | return True | ||
return False | ||||
Vadim Gelfer
|
r2344 | |||
Matt Mackall
|
r6766 | def buildmatch(ui, repo, user, key): | ||
'''return tuple of (match function, list enabled).''' | ||||
if not ui.has_section(key): | ||||
Martin Geisler
|
r9467 | ui.debug('acl: %s not enabled\n' % key) | ||
Matt Mackall
|
r6766 | return None | ||
Vadim Gelfer
|
r2344 | |||
Matt Mackall
|
r6766 | pats = [pat for pat, users in ui.configitems(key) | ||
Elifarley Callado Coelho Cruz
|
r11114 | if _usermatch(ui, user, users)] | ||
Martin Geisler
|
r9467 | ui.debug('acl: %s enabled, %d entries for user %s\n' % | ||
Matt Mackall
|
r6766 | (key, len(pats), user)) | ||
Elifarley Callado Coelho Cruz
|
r11092 | |||
if not repo: | ||||
if pats: | ||||
return lambda b: '*' in pats or b in pats | ||||
return lambda b: False | ||||
Matt Mackall
|
r6766 | if pats: | ||
Matt Mackall
|
r8567 | return match.match(repo.root, '', pats) | ||
Matt Mackall
|
r8682 | return match.exact(repo.root, '', []) | ||
Matt Mackall
|
r8566 | |||
Vadim Gelfer
|
r2344 | |||
def hook(ui, repo, hooktype, node=None, source=None, **kwargs): | ||||
Elifarley Callado Coelho Cruz
|
r10955 | if hooktype not in ['pretxnchangegroup', 'pretxncommit']: | ||
Vadim Gelfer
|
r2344 | raise util.Abort(_('config error - hook type "%s" cannot stop ' | ||
Elifarley Callado Coelho Cruz
|
r10955 | 'incoming changesets nor commits') % hooktype) | ||
if (hooktype == 'pretxnchangegroup' and | ||||
source not in ui.config('acl', 'sources', 'serve').split()): | ||||
Martin Geisler
|
r9467 | ui.debug('acl: changes have source "%s" - skipping\n' % source) | ||
Vadim Gelfer
|
r2344 | return | ||
Henrik Stuart
|
r8846 | user = None | ||
if source == 'serve' and 'url' in kwargs: | ||||
url = kwargs['url'].split(':') | ||||
if url[0] == 'remote' and url[1].startswith('http'): | ||||
Henrik Stuart
|
r9018 | user = urllib.unquote(url[3]) | ||
Henrik Stuart
|
r8846 | |||
if user is None: | ||||
user = getpass.getuser() | ||||
Matt Mackall
|
r6766 | cfg = ui.config('acl', 'config') | ||
if cfg: | ||||
Elifarley Callado Coelho Cruz
|
r11114 | ui.readconfig(cfg, sections = ['acl.groups', 'acl.allow.branches', | ||
Elifarley Callado Coelho Cruz
|
r11092 | 'acl.deny.branches', 'acl.allow', 'acl.deny']) | ||
allowbranches = buildmatch(ui, None, user, 'acl.allow.branches') | ||||
denybranches = buildmatch(ui, None, user, 'acl.deny.branches') | ||||
Matt Mackall
|
r6766 | allow = buildmatch(ui, repo, user, 'acl.allow') | ||
deny = buildmatch(ui, repo, user, 'acl.deny') | ||||
for rev in xrange(repo[node], len(repo)): | ||||
ctx = repo[rev] | ||||
Elifarley Callado Coelho Cruz
|
r11092 | branch = ctx.branch() | ||
if denybranches and denybranches(branch): | ||||
raise util.Abort(_('acl: user "%s" denied on branch "%s"' | ||||
' (changeset "%s")') | ||||
% (user, branch, ctx)) | ||||
if allowbranches and not allowbranches(branch): | ||||
raise util.Abort(_('acl: user "%s" not allowed on branch "%s"' | ||||
' (changeset "%s")') | ||||
% (user, branch, ctx)) | ||||
ui.debug('acl: branch access granted: "%s" on branch "%s"\n' | ||||
% (ctx, branch)) | ||||
Matt Mackall
|
r6766 | for f in ctx.files(): | ||
if deny and deny(f): | ||||
Martin Geisler
|
r9467 | ui.debug('acl: user %s denied on %s\n' % (user, f)) | ||
Matt Mackall
|
r6766 | raise util.Abort(_('acl: access denied for changeset %s') % ctx) | ||
if allow and not allow(f): | ||||
Martin Geisler
|
r9467 | ui.debug('acl: user %s not allowed on %s\n' % (user, f)) | ||
Matt Mackall
|
r6766 | raise util.Abort(_('acl: access denied for changeset %s') % ctx) | ||
Martin Geisler
|
r9467 | ui.debug('acl: allowing changeset %s\n' % ctx) | ||