Show More
@@ -7,9 +7,9 b'' | |||||
7 |
|
7 | |||
8 | '''hooks for controlling repository access |
|
8 | '''hooks for controlling repository access | |
9 |
|
9 | |||
10 |
This hook makes it possible to allow or deny write access to |
|
10 | This hook makes it possible to allow or deny write access to given branches and | |
11 |
of a repository when receiving incoming changesets via pretxnchangegroup |
|
11 | paths of a repository when receiving incoming changesets via pretxnchangegroup | |
12 | pretxncommit. |
|
12 | and pretxncommit. | |
13 |
|
13 | |||
14 | The authorization is matched based on the local user name on the |
|
14 | The authorization is matched based on the local user name on the | |
15 | system where the hook runs, and not the committer of the original |
|
15 | system where the hook runs, and not the committer of the original | |
@@ -22,26 +22,46 b' interactive shell access, as they can th' | |||||
22 | Nor is it safe if remote users share an account, because then there |
|
22 | Nor is it safe if remote users share an account, because then there | |
23 | is no way to distinguish them. |
|
23 | is no way to distinguish them. | |
24 |
|
24 | |||
25 | The deny list is checked before the allow list. |
|
25 | The order in which access checks are performed is: | |
|
26 | 1) Deny list for branches (section [acl.deny.branches]) | |||
|
27 | 2) Allow list for branches (section [acl.allow.branches]) | |||
|
28 | 3) Deny list for paths (section [acl.deny]) | |||
|
29 | 4) Allow list for paths (section [acl.allow]) | |||
26 |
|
30 | |||
27 |
The allow and deny sections take key-value pairs |
|
31 | The allow and deny sections take key-value pairs. | |
28 | as key (with a glob syntax by default). The corresponding value can be either: |
|
32 | ||
|
33 | --- Branch-based Access Control --- | |||
|
34 | ||||
|
35 | Use the [acl.deny.branches] and [acl.allow.branches] sections to have | |||
|
36 | branch-based access control. | |||
29 |
|
37 | |||
30 | 1) an asterisk, to match everyone; |
|
38 | Keys in these sections can be either: | |
31 | 2) a comma-separated list containing users and groups. |
|
39 | 1) a branch name | |
|
40 | 2) an asterisk, to match any branch; | |||
|
41 | ||||
|
42 | The corresponding values can be either: | |||
|
43 | 1) a comma-separated list containing users and groups. | |||
|
44 | 2) an asterisk, to match anyone; | |||
32 |
|
45 | |||
33 | Group names must be prefixed with an ``@`` symbol. |
|
46 | --- Path-based Access Control --- | |
|
47 | ||||
|
48 | Use the [acl.deny] and [acl.allow] sections to have path-based access control. | |||
|
49 | Keys in these sections accept a subtree pattern (with a glob syntax by default). | |||
|
50 | The corresponding values follow the same syntax as the other sections above. | |||
|
51 | ||||
|
52 | --- Groups --- | |||
|
53 | ||||
|
54 | Group names must be prefixed with an @ symbol. | |||
34 | Specifying a group name has the same effect as specifying all the users in |
|
55 | Specifying a group name has the same effect as specifying all the users in | |
35 | that group. |
|
56 | that group. | |
36 |
|
57 | The set of users for a group is taken from "grp.getgrnam" | ||
37 | To use this hook, configure the acl extension in your hgrc like this:: |
|
58 | (see http://docs.python.org/library/grp.html#grp.getgrnam). | |
38 |
|
59 | |||
39 | [extensions] |
|
60 | --- Example Configuration --- | |
40 | acl = |
|
|||
41 |
|
61 | |||
42 | [hooks] |
|
62 | [hooks] | |
43 |
|
63 | |||
44 |
# Use this if you want to check access restrictions at commit time |
|
64 | # Use this if you want to check access restrictions at commit time | |
45 | pretxncommit.acl = python:hgext.acl.hook |
|
65 | pretxncommit.acl = python:hgext.acl.hook | |
46 |
|
66 | |||
47 | # Use this if you want to check access restrictions for pull, push, bundle |
|
67 | # Use this if you want to check access restrictions for pull, push, bundle | |
@@ -49,15 +69,37 b' To use this hook, configure the acl exte' | |||||
49 | pretxnchangegroup.acl = python:hgext.acl.hook |
|
69 | pretxnchangegroup.acl = python:hgext.acl.hook | |
50 |
|
70 | |||
51 | [acl] |
|
71 | [acl] | |
52 |
# Check whether the source of incoming changes is in this list |
|
72 | # Check whether the source of incoming changes is in this list | |
53 |
# "serve" == ssh or http, |
|
73 | # ("serve" == ssh or http, "push", "pull", "bundle") | |
54 | # corresponding hg commands. |
|
|||
55 | sources = serve |
|
74 | sources = serve | |
56 |
|
75 | |||
|
76 | [acl.deny.branches] | |||
|
77 | ||||
|
78 | # Everyone is denied to the frozen branch: | |||
|
79 | frozen-branch = * | |||
|
80 | ||||
|
81 | # A bad user is denied on all branches: | |||
|
82 | * = bad-user | |||
|
83 | ||||
|
84 | [acl.allow.branches] | |||
|
85 | ||||
|
86 | # A few users are allowed on branch-a: | |||
|
87 | branch-a = user-1, user-2, user-3 | |||
|
88 | ||||
|
89 | # Only one user is allowed on branch-b: | |||
|
90 | branch-b = user-1 | |||
|
91 | ||||
|
92 | # The super user is allowed on any branch: | |||
|
93 | * = super-user | |||
|
94 | ||||
|
95 | # Everyone is allowed on branch-for-tests: | |||
|
96 | branch-for-tests = * | |||
|
97 | ||||
57 | [acl.deny] |
|
98 | [acl.deny] | |
58 |
# |
|
99 | # If a match is found, "acl.allow" will not be checked. | |
59 | # checked. All users are granted access if acl.deny is not present. |
|
100 | # if acl.deny is not present, no users denied by default | |
60 | # Format for both lists: glob pattern = user, ..., @group, ... |
|
101 | # empty acl.deny = all users allowed | |
|
102 | # Format for both lists: glob pattern = user4, user5, @group1 | |||
61 |
|
103 | |||
62 | # To match everyone, use an asterisk for the user: |
|
104 | # To match everyone, use an asterisk for the user: | |
63 | # my/glob/pattern = * |
|
105 | # my/glob/pattern = * | |
@@ -84,7 +126,7 b' To use this hook, configure the acl exte' | |||||
84 | images/** = jack, @designers |
|
126 | images/** = jack, @designers | |
85 |
|
127 | |||
86 | # Everyone (except for "user6" - see "acl.deny" above) will have write access |
|
128 | # Everyone (except for "user6" - see "acl.deny" above) will have write access | |
87 |
|
|
129 | to any file under the "resources" folder (except for 1 file. See "acl.deny"): | |
88 | src/main/resources/** = * |
|
130 | src/main/resources/** = * | |
89 |
|
131 | |||
90 | .hgtags = release_engineer |
|
132 | .hgtags = release_engineer | |
@@ -119,6 +161,12 b' def buildmatch(ui, repo, user, key):' | |||||
119 | if _usermatch(user, users)] |
|
161 | if _usermatch(user, users)] | |
120 | ui.debug('acl: %s enabled, %d entries for user %s\n' % |
|
162 | ui.debug('acl: %s enabled, %d entries for user %s\n' % | |
121 | (key, len(pats), user)) |
|
163 | (key, len(pats), user)) | |
|
164 | ||||
|
165 | if not repo: | |||
|
166 | if pats: | |||
|
167 | return lambda b: '*' in pats or b in pats | |||
|
168 | return lambda b: False | |||
|
169 | ||||
122 | if pats: |
|
170 | if pats: | |
123 | return match.match(repo.root, '', pats) |
|
171 | return match.match(repo.root, '', pats) | |
124 | return match.exact(repo.root, '', []) |
|
172 | return match.exact(repo.root, '', []) | |
@@ -144,12 +192,28 b' def hook(ui, repo, hooktype, node=None, ' | |||||
144 |
|
192 | |||
145 | cfg = ui.config('acl', 'config') |
|
193 | cfg = ui.config('acl', 'config') | |
146 | if cfg: |
|
194 | if cfg: | |
147 |
ui.readconfig(cfg, sections = ['acl.allow', |
|
195 | ui.readconfig(cfg, sections = ['acl.allow.branches', | |
|
196 | 'acl.deny.branches', 'acl.allow', 'acl.deny']) | |||
|
197 | ||||
|
198 | allowbranches = buildmatch(ui, None, user, 'acl.allow.branches') | |||
|
199 | denybranches = buildmatch(ui, None, user, 'acl.deny.branches') | |||
148 | allow = buildmatch(ui, repo, user, 'acl.allow') |
|
200 | allow = buildmatch(ui, repo, user, 'acl.allow') | |
149 | deny = buildmatch(ui, repo, user, 'acl.deny') |
|
201 | deny = buildmatch(ui, repo, user, 'acl.deny') | |
150 |
|
202 | |||
151 | for rev in xrange(repo[node], len(repo)): |
|
203 | for rev in xrange(repo[node], len(repo)): | |
152 | ctx = repo[rev] |
|
204 | ctx = repo[rev] | |
|
205 | branch = ctx.branch() | |||
|
206 | if denybranches and denybranches(branch): | |||
|
207 | raise util.Abort(_('acl: user "%s" denied on branch "%s"' | |||
|
208 | ' (changeset "%s")') | |||
|
209 | % (user, branch, ctx)) | |||
|
210 | if allowbranches and not allowbranches(branch): | |||
|
211 | raise util.Abort(_('acl: user "%s" not allowed on branch "%s"' | |||
|
212 | ' (changeset "%s")') | |||
|
213 | % (user, branch, ctx)) | |||
|
214 | ui.debug('acl: branch access granted: "%s" on branch "%s"\n' | |||
|
215 | % (ctx, branch)) | |||
|
216 | ||||
153 | for f in ctx.files(): |
|
217 | for f in ctx.files(): | |
154 | if deny and deny(f): |
|
218 | if deny and deny(f): | |
155 | ui.debug('acl: user %s denied on %s\n' % (user, f)) |
|
219 | ui.debug('acl: user %s denied on %s\n' % (user, f)) |
General Comments 0
You need to be logged in to leave comments.
Login now