##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

acl: add support for branch-based access control
Elifarley Callado Coelho Cruz -
r11092:2dd91779 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -7,9 +7,9 b''
7
7
8 '''hooks for controlling repository access
8 '''hooks for controlling repository access
9
9
10 This hook makes it possible to allow or deny write access to portions
10 This hook makes it possible to allow or deny write access to given branches and
11 of a repository when receiving incoming changesets via pretxnchangegroup and
11 paths of a repository when receiving incoming changesets via pretxnchangegroup
12 pretxncommit.
12 and pretxncommit.
13
13
14 The authorization is matched based on the local user name on the
14 The authorization is matched based on the local user name on the
15 system where the hook runs, and not the committer of the original
15 system where the hook runs, and not the committer of the original
@@ -22,26 +22,46 b' interactive shell access, as they can th'
22 Nor is it safe if remote users share an account, because then there
22 Nor is it safe if remote users share an account, because then there
23 is no way to distinguish them.
23 is no way to distinguish them.
24
24
25 The deny list is checked before the allow list.
25 The order in which access checks are performed is:
26 1) Deny list for branches (section [acl.deny.branches])
27 2) Allow list for branches (section [acl.allow.branches])
28 3) Deny list for paths (section [acl.deny])
29 4) Allow list for paths (section [acl.allow])
26
30
27 The allow and deny sections take key-value pairs, having a subtree pattern
31 The allow and deny sections take key-value pairs.
28 as key (with a glob syntax by default). The corresponding value can be either:
32
33 --- Branch-based Access Control ---
34
35 Use the [acl.deny.branches] and [acl.allow.branches] sections to have
36 branch-based access control.
29
37
30 1) an asterisk, to match everyone;
38 Keys in these sections can be either:
31 2) a comma-separated list containing users and groups.
39 1) a branch name
40 2) an asterisk, to match any branch;
41
42 The corresponding values can be either:
43 1) a comma-separated list containing users and groups.
44 2) an asterisk, to match anyone;
32
45
33 Group names must be prefixed with an ``@`` symbol.
46 --- Path-based Access Control ---
47
48 Use the [acl.deny] and [acl.allow] sections to have path-based access control.
49 Keys in these sections accept a subtree pattern (with a glob syntax by default).
50 The corresponding values follow the same syntax as the other sections above.
51
52 --- Groups ---
53
54 Group names must be prefixed with an @ symbol.
34 Specifying a group name has the same effect as specifying all the users in
55 Specifying a group name has the same effect as specifying all the users in
35 that group.
56 that group.
36
57 The set of users for a group is taken from "grp.getgrnam"
37 To use this hook, configure the acl extension in your hgrc like this::
58 (see http://docs.python.org/library/grp.html#grp.getgrnam).
38
59
39 [extensions]
60 --- Example Configuration ---
40 acl =
41
61
42 [hooks]
62 [hooks]
43
63
44 # Use this if you want to check access restrictions at commit time.
64 # Use this if you want to check access restrictions at commit time
45 pretxncommit.acl = python:hgext.acl.hook
65 pretxncommit.acl = python:hgext.acl.hook
46
66
47 # Use this if you want to check access restrictions for pull, push, bundle
67 # Use this if you want to check access restrictions for pull, push, bundle
@@ -49,15 +69,37 b' To use this hook, configure the acl exte'
49 pretxnchangegroup.acl = python:hgext.acl.hook
69 pretxnchangegroup.acl = python:hgext.acl.hook
50
70
51 [acl]
71 [acl]
52 # Check whether the source of incoming changes is in this list where
72 # Check whether the source of incoming changes is in this list
53 # "serve" == ssh or http, and "push", "pull" and "bundle" are the
73 # ("serve" == ssh or http, "push", "pull", "bundle")
54 # corresponding hg commands.
55 sources = serve
74 sources = serve
56
75
76 [acl.deny.branches]
77
78 # Everyone is denied to the frozen branch:
79 frozen-branch = *
80
81 # A bad user is denied on all branches:
82 * = bad-user
83
84 [acl.allow.branches]
85
86 # A few users are allowed on branch-a:
87 branch-a = user-1, user-2, user-3
88
89 # Only one user is allowed on branch-b:
90 branch-b = user-1
91
92 # The super user is allowed on any branch:
93 * = super-user
94
95 # Everyone is allowed on branch-for-tests:
96 branch-for-tests = *
97
57 [acl.deny]
98 [acl.deny]
58 # This list is checked first. If a match is found, 'acl.allow' will not be
99 # If a match is found, "acl.allow" will not be checked.
59 # checked. All users are granted access if acl.deny is not present.
100 # if acl.deny is not present, no users denied by default
60 # Format for both lists: glob pattern = user, ..., @group, ...
101 # empty acl.deny = all users allowed
102 # Format for both lists: glob pattern = user4, user5, @group1
61
103
62 # To match everyone, use an asterisk for the user:
104 # To match everyone, use an asterisk for the user:
63 # my/glob/pattern = *
105 # my/glob/pattern = *
@@ -84,7 +126,7 b' To use this hook, configure the acl exte'
84 images/** = jack, @designers
126 images/** = jack, @designers
85
127
86 # Everyone (except for "user6" - see "acl.deny" above) will have write access
128 # Everyone (except for "user6" - see "acl.deny" above) will have write access
87 # to any file under the "resources" folder (except for 1 file. See "acl.deny"):
129 to any file under the "resources" folder (except for 1 file. See "acl.deny"):
88 src/main/resources/** = *
130 src/main/resources/** = *
89
131
90 .hgtags = release_engineer
132 .hgtags = release_engineer
@@ -119,6 +161,12 b' def buildmatch(ui, repo, user, key):'
119 if _usermatch(user, users)]
161 if _usermatch(user, users)]
120 ui.debug('acl: %s enabled, %d entries for user %s\n' %
162 ui.debug('acl: %s enabled, %d entries for user %s\n' %
121 (key, len(pats), user))
163 (key, len(pats), user))
164
165 if not repo:
166 if pats:
167 return lambda b: '*' in pats or b in pats
168 return lambda b: False
169
122 if pats:
170 if pats:
123 return match.match(repo.root, '', pats)
171 return match.match(repo.root, '', pats)
124 return match.exact(repo.root, '', [])
172 return match.exact(repo.root, '', [])
@@ -144,12 +192,28 b' def hook(ui, repo, hooktype, node=None, '
144
192
145 cfg = ui.config('acl', 'config')
193 cfg = ui.config('acl', 'config')
146 if cfg:
194 if cfg:
147 ui.readconfig(cfg, sections = ['acl.allow', 'acl.deny'])
195 ui.readconfig(cfg, sections = ['acl.allow.branches',
196 'acl.deny.branches', 'acl.allow', 'acl.deny'])
197
198 allowbranches = buildmatch(ui, None, user, 'acl.allow.branches')
199 denybranches = buildmatch(ui, None, user, 'acl.deny.branches')
148 allow = buildmatch(ui, repo, user, 'acl.allow')
200 allow = buildmatch(ui, repo, user, 'acl.allow')
149 deny = buildmatch(ui, repo, user, 'acl.deny')
201 deny = buildmatch(ui, repo, user, 'acl.deny')
150
202
151 for rev in xrange(repo[node], len(repo)):
203 for rev in xrange(repo[node], len(repo)):
152 ctx = repo[rev]
204 ctx = repo[rev]
205 branch = ctx.branch()
206 if denybranches and denybranches(branch):
207 raise util.Abort(_('acl: user "%s" denied on branch "%s"'
208 ' (changeset "%s")')
209 % (user, branch, ctx))
210 if allowbranches and not allowbranches(branch):
211 raise util.Abort(_('acl: user "%s" not allowed on branch "%s"'
212 ' (changeset "%s")')
213 % (user, branch, ctx))
214 ui.debug('acl: branch access granted: "%s" on branch "%s"\n'
215 % (ctx, branch))
216
153 for f in ctx.files():
217 for f in ctx.files():
154 if deny and deny(f):
218 if deny and deny(f):
155 ui.debug('acl: user %s denied on %s\n' % (user, f))
219 ui.debug('acl: user %s denied on %s\n' % (user, f))
General Comments 0
You need to be logged in to leave comments. Login now