upstream/mercurial-mirror Commit - r3436:f29989e9

use ui.readsections in the acl extension

Alexis S. L. Carvalho -

r3436:f29989e9 default

parent child

hgext/acl.py

0 +1 -1

             # acl.py - changeset access control for mercurial
             #
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms
             # of the GNU General Public License, incorporated herein by reference.
             #
             # this hook allows to allow or deny access to parts of a repo when
             # taking incoming changesets.
             #
             # authorization is against local user name on system where hook is
             # run, not committer of original changeset (since that is easy to
             # spoof).
             #
             # acl hook is best to use if you use hgsh to set up restricted shells
             # for authenticated users to only push to / pull from.  not safe if
             # user has interactive shell access, because they can disable hook.
             # also not safe if remote users share one local account, because then
             # no way to tell remote users apart.
             #
             # to use, configure acl extension in hgrc like this:
             #
             #   [extensions]
             #   hgext.acl =
             #
             #   [hooks]
             #   pretxnchangegroup.acl = python:hgext.acl.hook
             #
             #   [acl]
             #   sources = serve        # check if source of incoming changes in this list
             #                          # ("serve" == ssh or http, "push", "pull", "bundle")
             #
             # allow and deny lists have subtree pattern (default syntax is glob)
             # on left, user names on right. deny list checked before allow list.
             #
             #   [acl.allow]
             #   # if acl.allow not present, all users allowed by default
             #   # empty acl.allow = no users allowed
             #   docs/** = doc_writer
             #   .hgtags = release_engineer
             #
             #   [acl.deny]
             #   # if acl.deny not present, no users denied by default
             #   # empty acl.deny = all users allowed
             #   glob pattern = user4, user5
             #   ** = user6
             from mercurial.demandload import *
             from mercurial.i18n import gettext as _
             from mercurial.node import *
             demandload(globals(), 'getpass mercurial:util')
             class checker(object):
                 '''acl checker.'''
                 def buildmatch(self, key):
                     '''return tuple of (match function, list enabled).'''
                     if not self.ui.has_config(key):
                         self.ui.debug(_('acl: %s not enabled\n') % key)
                         return None, False
                     thisuser = self.getuser()
                     pats = [pat for pat, users in self.ui.configitems(key)
                             if thisuser in users.replace(',', ' ').split()]
                     self.ui.debug(_('acl: %s enabled, %d entries for user %s\n') %
                                   (key, len(pats), thisuser))
                     if pats:
                         match = util.matcher(self.repo.root, names=pats)[1]
                     else:
                         match = util.never
                     return match, True
                 def getuser(self):
                     '''return name of authenticated user.'''
                     return self.user
                 def __init__(self, ui, repo):
                     self.ui = ui
                     self.repo = repo
                     self.user = getpass.getuser()
                     cfg = self.ui.config('acl', 'config')
                     if cfg:
-                        self.ui.readconfig(cfg)
+                        self.ui.readsections(cfg, 'acl.allow', 'acl.deny')
                     self.allow, self.allowable = self.buildmatch('acl.allow')
                     self.deny, self.deniable = self.buildmatch('acl.deny')
                 def skipsource(self, source):
                     '''true if incoming changes from this source should be skipped.'''
                     ok_sources = self.ui.config('acl', 'sources', 'serve').split()
                     return source not in ok_sources
                 def check(self, node):
                     '''return if access allowed, raise exception if not.'''
                     files = self.repo.changelog.read(node)[3]
                     if self.deniable:
                         for f in files:
                             if self.deny(f):
                                 self.ui.debug(_('acl: user %s denied on %s\n') %
                                               (self.getuser(), f))
                                 raise util.Abort(_('acl: access denied for changeset %s') %
                                                  short(node))
                     if self.allowable:
                         for f in files:
                             if not self.allow(f):
                                 self.ui.debug(_('acl: user %s not allowed on %s\n') %
                                               (self.getuser(), f))
                                 raise util.Abort(_('acl: access denied for changeset %s') %
                                                  short(node))
                     self.ui.debug(_('acl: allowing changeset %s\n') % short(node))
             def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
                 if hooktype != 'pretxnchangegroup':
                     raise util.Abort(_('config error - hook type "%s" cannot stop '
                                        'incoming changesets') % hooktype)
                 c = checker(ui, repo)
                 if c.skipsource(source):
                     ui.debug(_('acl: changes have source "%s" - skipping\n') % source)
                     return
                 start = repo.changelog.rev(bin(node))
                 end = repo.changelog.count()
                 for rev in xrange(start, end):
                     c.check(repo.changelog.node(rev))

tests/test-acl

0 +5 0

             #!/bin/sh
             do_push()
             {
                 user=$1
                 shift
                 echo "Pushing as user $user"
                 echo 'hgrc = """'
                 sed -e 1,2d b/.hg/hgrc
                 echo '"""'
                 if [ -e acl.config ]; then
             	echo 'acl.config = """'
             	cat acl.config
             	echo '"""'
                 fi
                 LOGNAME=$user hg --cwd a --debug push ../b
                 hg --cwd b rollback
                 hg --cwd b --quiet tip
                 echo
             }
             hg init a
             cd a
             mkdir foo foo/Bar quux
             echo 'in foo' > foo/file.txt
             echo 'in foo/Bar' > foo/Bar/file.txt
             echo 'in quux' > quux/file.py
             hg add
             hg ci -m 'add files' -d '1000000 0'
             echo >> foo/file.txt
             hg ci -m 'change foo/file' -d '1000001 0'
             echo >> foo/Bar/file.txt
             hg ci -m 'change foo/Bar/file' -d '1000002 0'
             echo >> quux/file.py
             hg ci -m 'change quux/file' -d '1000003 0'
             hg tip --quiet
             cd ..
             hg clone -r 0 a b
             echo '[extensions]' >> $HGRCPATH
             echo 'hgext.acl =' >> $HGRCPATH
             config=b/.hg/hgrc
             echo
             echo 'Extension disabled for lack of a hook'
             do_push fred
             echo '[hooks]' >> $config
             echo 'pretxnchangegroup.acl = python:hgext.acl.hook' >> $config
             echo 'Extension disabled for lack of acl.sources'
             do_push fred
             echo 'No [acl.allow]/[acl.deny]'
             echo '[acl]' >> $config
             echo 'sources = push' >> $config
             do_push fred
             echo 'Empty [acl.allow]'
             echo '[acl.allow]' >> $config
             do_push fred
             echo 'fred is allowed inside foo/'
             echo 'foo/** = fred' >> $config
             do_push fred
             echo 'Empty [acl.deny]'
             echo '[acl.deny]' >> $config
             do_push barney
             echo 'fred is allowed inside foo/, but not foo/bar/ (case matters)'
             echo 'foo/bar/** = fred' >> $config
             do_push fred
             echo 'fred is allowed inside foo/, but not foo/Bar/'
             echo 'foo/Bar/** = fred' >> $config
             do_push fred
             echo 'barney is not mentioned => not allowed anywhere'
             do_push barney
             echo 'barney is allowed everywhere'
             echo '[acl.allow]' >> $config
             echo '** = barney' >> $config
             do_push barney
             echo 'wilma can change files with a .txt extension'
             echo '**/*.txt = wilma' >> $config
             do_push wilma
             echo 'file specified by acl.config does not exist'
             echo '[acl]' >> $config
             echo 'config = ../acl.config' >> $config
             do_push barney
             echo 'betty is allowed inside foo/ by a acl.config file'
             echo '[acl.allow]' >> acl.config
             echo 'foo/** = betty' >> acl.config
             do_push betty
+            echo 'acl.config can set only [acl.allow]/[acl.deny]'
+            echo '[hooks]' >> acl.config
+            echo 'changegroup.acl = false' >> acl.config
+            do_push barney

tests/test-acl.out

0 +46 0

             adding foo/Bar/file.txt
             adding foo/file.txt
             adding quux/file.py
 :911600dab2ae
             requesting all changes
             adding changesets
             adding manifests
             adding file changes
             added 1 changesets with 3 changes to 3 files
 files updated, 0 files merged, 0 files removed, 0 files unresolved
             Extension disabled for lack of a hook
             Pushing as user fred
             hgrc = """
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             rolling back last transaction
 :6675d58eff77
             Extension disabled for lack of acl.sources
             Pushing as user fred
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow not enabled
             acl: acl.deny not enabled
             acl: changes have source "push" - skipping
             rolling back last transaction
 :6675d58eff77
             No [acl.allow]/[acl.deny]
             Pushing as user fred
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow not enabled
             acl: acl.deny not enabled
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: allowing changeset 911600dab2ae
             rolling back last transaction
 :6675d58eff77
             Empty [acl.allow]
             Pushing as user fred
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 0 entries for user fred
             acl: acl.deny not enabled
             acl: user fred not allowed on foo/file.txt
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset ef1ea85a6374
             abort: acl: access denied for changeset ef1ea85a6374
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             fred is allowed inside foo/
             Pushing as user fred
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user fred
             acl: acl.deny not enabled
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: user fred not allowed on quux/file.py
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset 911600dab2ae
             abort: acl: access denied for changeset 911600dab2ae
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             Empty [acl.deny]
             Pushing as user barney
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 0 entries for user barney
             acl: acl.deny enabled, 0 entries for user barney
             acl: user barney not allowed on foo/file.txt
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset ef1ea85a6374
             abort: acl: access denied for changeset ef1ea85a6374
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             fred is allowed inside foo/, but not foo/bar/ (case matters)
             Pushing as user fred
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user fred
             acl: acl.deny enabled, 1 entries for user fred
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: user fred not allowed on quux/file.py
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset 911600dab2ae
             abort: acl: access denied for changeset 911600dab2ae
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             fred is allowed inside foo/, but not foo/Bar/
             Pushing as user fred
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             foo/Bar/** = fred
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user fred
             acl: acl.deny enabled, 2 entries for user fred
             acl: allowing changeset ef1ea85a6374
             acl: user fred denied on foo/Bar/file.txt
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset f9cafe1212c8
             abort: acl: access denied for changeset f9cafe1212c8
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             barney is not mentioned => not allowed anywhere
             Pushing as user barney
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             foo/Bar/** = fred
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 0 entries for user barney
             acl: acl.deny enabled, 0 entries for user barney
             acl: user barney not allowed on foo/file.txt
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset ef1ea85a6374
             abort: acl: access denied for changeset ef1ea85a6374
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             barney is allowed everywhere
             Pushing as user barney
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             foo/Bar/** = fred
             [acl.allow]
             ** = barney
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user barney
             acl: acl.deny enabled, 0 entries for user barney
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: allowing changeset 911600dab2ae
             rolling back last transaction
 :6675d58eff77
             wilma can change files with a .txt extension
             Pushing as user wilma
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             foo/Bar/** = fred
             [acl.allow]
             ** = barney
             **/*.txt = wilma
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user wilma
             acl: acl.deny enabled, 0 entries for user wilma
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: user wilma not allowed on quux/file.py
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset 911600dab2ae
             abort: acl: access denied for changeset 911600dab2ae
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
             file specified by acl.config does not exist
             Pushing as user barney
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             foo/Bar/** = fred
             [acl.allow]
             ** = barney
             **/*.txt = wilma
             [acl]
             config = ../acl.config
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user barney
             acl: acl.deny enabled, 0 entries for user barney
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: allowing changeset 911600dab2ae
             rolling back last transaction
 :6675d58eff77
             betty is allowed inside foo/ by a acl.config file
             Pushing as user betty
             hgrc = """
             [hooks]
             pretxnchangegroup.acl = python:hgext.acl.hook
             [acl]
             sources = push
             [acl.allow]
             foo/** = fred
             [acl.deny]
             foo/bar/** = fred
             foo/Bar/** = fred
             [acl.allow]
             ** = barney
             **/*.txt = wilma
             [acl]
             config = ../acl.config
             """
             acl.config = """
             [acl.allow]
             foo/** = betty
             """
             pushing to ../b
             searching for changes
             common changesets up to 6675d58eff77
             adding changesets
             add changeset ef1ea85a6374
             add changeset f9cafe1212c8
             add changeset 911600dab2ae
             adding manifests
             adding file changes
             adding foo/Bar/file.txt revisions
             adding foo/file.txt revisions
             adding quux/file.py revisions
             added 3 changesets with 3 changes to 3 files
             calling hook pretxnchangegroup.acl: hgext.acl.hook
             acl: acl.allow enabled, 1 entries for user betty
             acl: acl.deny enabled, 0 entries for user betty
             acl: allowing changeset ef1ea85a6374
             acl: allowing changeset f9cafe1212c8
             acl: user betty not allowed on quux/file.py
             error: pretxnchangegroup.acl hook failed: acl: access denied for changeset 911600dab2ae
             abort: acl: access denied for changeset 911600dab2ae
             transaction abort!
             rollback completed
             no rollback information available
 :6675d58eff77
+            acl.config can set only [acl.allow]/[acl.deny]
+            Pushing as user barney
+            hgrc = """
+            [hooks]
+            pretxnchangegroup.acl = python:hgext.acl.hook
+            [acl]
+            sources = push
+            [acl.allow]
+            foo/** = fred
+            [acl.deny]
+            foo/bar/** = fred
+            foo/Bar/** = fred
+            [acl.allow]
+            ** = barney
+            **/*.txt = wilma
+            [acl]
+            config = ../acl.config
+            """
+            acl.config = """
+            [acl.allow]
+            foo/** = betty
+            [hooks]
+            changegroup.acl = false
+            """
+            pushing to ../b
+            searching for changes
+            common changesets up to 6675d58eff77
+            adding changesets
+            add changeset ef1ea85a6374
+            add changeset f9cafe1212c8
+            add changeset 911600dab2ae
+            adding manifests
+            adding file changes
+            adding foo/Bar/file.txt revisions
+            adding foo/file.txt revisions
+            adding quux/file.py revisions
+            added 3 changesets with 3 changes to 3 files
+            calling hook pretxnchangegroup.acl: hgext.acl.hook
+            acl: acl.allow enabled, 1 entries for user barney
+            acl: acl.deny enabled, 0 entries for user barney
+            acl: allowing changeset ef1ea85a6374
+            acl: allowing changeset f9cafe1212c8
+            acl: allowing changeset 911600dab2ae
+            rolling back last transaction
+:6675d58eff77

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages