Show More
| @@ -7,9 +7,9 b'' | |||
|
|
7 | 7 | |
|
|
8 | 8 | '''hooks for controlling repository access |
|
|
9 | 9 | |
|
|
10 |
This hook makes it possible to allow or deny write access to |
|
|
|
11 |
of a repository when receiving incoming changesets via pretxnchangegroup |
|
|
|
12 | pretxncommit. | |
|
|
10 | This hook makes it possible to allow or deny write access to given branches and | |
|
|
11 | paths of a repository when receiving incoming changesets via pretxnchangegroup | |
|
|
12 | and pretxncommit. | |
|
|
13 | 13 | |
|
|
14 | 14 | The authorization is matched based on the local user name on the |
|
|
15 | 15 | system where the hook runs, and not the committer of the original |
| @@ -22,26 +22,46 b' interactive shell access, as they can th' | |||
|
|
22 | 22 | Nor is it safe if remote users share an account, because then there |
|
|
23 | 23 | is no way to distinguish them. |
|
|
24 | 24 | |
|
|
25 | The deny list is checked before the allow list. | |
|
|
25 | The order in which access checks are performed is: | |
|
|
26 | 1) Deny list for branches (section [acl.deny.branches]) | |
|
|
27 | 2) Allow list for branches (section [acl.allow.branches]) | |
|
|
28 | 3) Deny list for paths (section [acl.deny]) | |
|
|
29 | 4) Allow list for paths (section [acl.allow]) | |
|
|
26 | 30 | |
|
|
27 |
The allow and deny sections take key-value pairs |
|
|
|
28 | as key (with a glob syntax by default). The corresponding value can be either: | |
|
|
31 | The allow and deny sections take key-value pairs. | |
|
|
32 | ||
|
|
33 | --- Branch-based Access Control --- | |
|
|
34 | ||
|
|
35 | Use the [acl.deny.branches] and [acl.allow.branches] sections to have | |
|
|
36 | branch-based access control. | |
|
|
29 | 37 | |
|
|
30 | 1) an asterisk, to match everyone; | |
|
|
31 | 2) a comma-separated list containing users and groups. | |
|
|
38 | Keys in these sections can be either: | |
|
|
39 | 1) a branch name | |
|
|
40 | 2) an asterisk, to match any branch; | |
|
|
41 | ||
|
|
42 | The corresponding values can be either: | |
|
|
43 | 1) a comma-separated list containing users and groups. | |
|
|
44 | 2) an asterisk, to match anyone; | |
|
|
32 | 45 | |
|
|
33 | Group names must be prefixed with an ``@`` symbol. | |
|
|
46 | --- Path-based Access Control --- | |
|
|
47 | ||
|
|
48 | Use the [acl.deny] and [acl.allow] sections to have path-based access control. | |
|
|
49 | Keys in these sections accept a subtree pattern (with a glob syntax by default). | |
|
|
50 | The corresponding values follow the same syntax as the other sections above. | |
|
|
51 | ||
|
|
52 | --- Groups --- | |
|
|
53 | ||
|
|
54 | Group names must be prefixed with an @ symbol. | |
|
|
34 | 55 | Specifying a group name has the same effect as specifying all the users in |
|
|
35 | 56 | that group. |
|
|
36 | ||
|
|
37 | To use this hook, configure the acl extension in your hgrc like this:: | |
|
|
57 | The set of users for a group is taken from "grp.getgrnam" | |
|
|
58 | (see http://docs.python.org/library/grp.html#grp.getgrnam). | |
|
|
38 | 59 | |
|
|
39 | [extensions] | |
|
|
40 | acl = | |
|
|
60 | --- Example Configuration --- | |
|
|
41 | 61 | |
|
|
42 | 62 | [hooks] |
|
|
43 | 63 | |
|
|
44 |
# Use this if you want to check access restrictions at commit time |
|
|
|
64 | # Use this if you want to check access restrictions at commit time | |
|
|
45 | 65 | pretxncommit.acl = python:hgext.acl.hook |
|
|
46 | 66 | |
|
|
47 | 67 | # Use this if you want to check access restrictions for pull, push, bundle |
| @@ -49,15 +69,37 b' To use this hook, configure the acl exte' | |||
|
|
49 | 69 | pretxnchangegroup.acl = python:hgext.acl.hook |
|
|
50 | 70 | |
|
|
51 | 71 | [acl] |
|
|
52 |
# Check whether the source of incoming changes is in this list |
|
|
|
53 |
# "serve" == ssh or http, |
|
|
|
54 | # corresponding hg commands. | |
|
|
72 | # Check whether the source of incoming changes is in this list | |
|
|
73 | # ("serve" == ssh or http, "push", "pull", "bundle") | |
|
|
55 | 74 | sources = serve |
|
|
56 | 75 | |
|
|
76 | [acl.deny.branches] | |
|
|
77 | ||
|
|
78 | # Everyone is denied to the frozen branch: | |
|
|
79 | frozen-branch = * | |
|
|
80 | ||
|
|
81 | # A bad user is denied on all branches: | |
|
|
82 | * = bad-user | |
|
|
83 | ||
|
|
84 | [acl.allow.branches] | |
|
|
85 | ||
|
|
86 | # A few users are allowed on branch-a: | |
|
|
87 | branch-a = user-1, user-2, user-3 | |
|
|
88 | ||
|
|
89 | # Only one user is allowed on branch-b: | |
|
|
90 | branch-b = user-1 | |
|
|
91 | ||
|
|
92 | # The super user is allowed on any branch: | |
|
|
93 | * = super-user | |
|
|
94 | ||
|
|
95 | # Everyone is allowed on branch-for-tests: | |
|
|
96 | branch-for-tests = * | |
|
|
97 | ||
|
|
57 | 98 | [acl.deny] |
|
|
58 |
# |
|
|
|
59 | # checked. All users are granted access if acl.deny is not present. | |
|
|
60 | # Format for both lists: glob pattern = user, ..., @group, ... | |
|
|
99 | # If a match is found, "acl.allow" will not be checked. | |
|
|
100 | # if acl.deny is not present, no users denied by default | |
|
|
101 | # empty acl.deny = all users allowed | |
|
|
102 | # Format for both lists: glob pattern = user4, user5, @group1 | |
|
|
61 | 103 | |
|
|
62 | 104 | # To match everyone, use an asterisk for the user: |
|
|
63 | 105 | # my/glob/pattern = * |
| @@ -84,7 +126,7 b' To use this hook, configure the acl exte' | |||
|
|
84 | 126 | images/** = jack, @designers |
|
|
85 | 127 | |
|
|
86 | 128 | # Everyone (except for "user6" - see "acl.deny" above) will have write access |
|
|
87 |
|
|
|
|
129 | to any file under the "resources" folder (except for 1 file. See "acl.deny"): | |
|
|
88 | 130 | src/main/resources/** = * |
|
|
89 | 131 | |
|
|
90 | 132 | .hgtags = release_engineer |
| @@ -119,6 +161,12 b' def buildmatch(ui, repo, user, key):' | |||
|
|
119 | 161 | if _usermatch(user, users)] |
|
|
120 | 162 | ui.debug('acl: %s enabled, %d entries for user %s\n' % |
|
|
121 | 163 | (key, len(pats), user)) |
|
|
164 | ||
|
|
165 | if not repo: | |
|
|
166 | if pats: | |
|
|
167 | return lambda b: '*' in pats or b in pats | |
|
|
168 | return lambda b: False | |
|
|
169 | ||
|
|
122 | 170 | if pats: |
|
|
123 | 171 | return match.match(repo.root, '', pats) |
|
|
124 | 172 | return match.exact(repo.root, '', []) |
| @@ -144,12 +192,28 b' def hook(ui, repo, hooktype, node=None, ' | |||
|
|
144 | 192 | |
|
|
145 | 193 | cfg = ui.config('acl', 'config') |
|
|
146 | 194 | if cfg: |
|
|
147 |
ui.readconfig(cfg, sections = ['acl.allow', |
|
|
|
195 | ui.readconfig(cfg, sections = ['acl.allow.branches', | |
|
|
196 | 'acl.deny.branches', 'acl.allow', 'acl.deny']) | |
|
|
197 | ||
|
|
198 | allowbranches = buildmatch(ui, None, user, 'acl.allow.branches') | |
|
|
199 | denybranches = buildmatch(ui, None, user, 'acl.deny.branches') | |
|
|
148 | 200 | allow = buildmatch(ui, repo, user, 'acl.allow') |
|
|
149 | 201 | deny = buildmatch(ui, repo, user, 'acl.deny') |
|
|
150 | 202 | |
|
|
151 | 203 | for rev in xrange(repo[node], len(repo)): |
|
|
152 | 204 | ctx = repo[rev] |
|
|
205 | branch = ctx.branch() | |
|
|
206 | if denybranches and denybranches(branch): | |
|
|
207 | raise util.Abort(_('acl: user "%s" denied on branch "%s"' | |
|
|
208 | ' (changeset "%s")') | |
|
|
209 | % (user, branch, ctx)) | |
|
|
210 | if allowbranches and not allowbranches(branch): | |
|
|
211 | raise util.Abort(_('acl: user "%s" not allowed on branch "%s"' | |
|
|
212 | ' (changeset "%s")') | |
|
|
213 | % (user, branch, ctx)) | |
|
|
214 | ui.debug('acl: branch access granted: "%s" on branch "%s"\n' | |
|
|
215 | % (ctx, branch)) | |
|
|
216 | ||
|
|
153 | 217 | for f in ctx.files(): |
|
|
154 | 218 | if deny and deny(f): |
|
|
155 | 219 | ui.debug('acl: user %s denied on %s\n' % (user, f)) |
General Comments 0
You need to be logged in to leave comments.
Login now