update

   1 #!/bin/bash
   2 #
   3 # Original version by Junio C Hamano <junkio@cox.net> and i
   4 # Carl Baldwin <cnb@fc.hp.com>. The original version is available at
   5 # http://kernel.org/pub/software/scm/git/docs/howto/update-hook-example.txt
   6 #
   7 # Modified by Jonas Juselius <jonas.juselius@chem.uit.no>
   8 #
   9
  10 umask 002
  11
  12 # If you are having trouble with this access control hook script
  13 # you can try setting this to true.  It will tell you exactly
  14 # why a user is being allowed/denied access.
  15
  16 verbose=true
  17
  18 # Default shell globbing messes things up downstream
  19 GLOBIGNORE=*
  20
  21 function grant {
  22   $verbose && echo >&2 "-Grant-         $1"
  23   echo grant
  24   exit 0
  25 }
  26
  27 function deny {
  28   $verbose && echo >&2 "-Deny-          $1"
  29   echo deny
  30   exit 1
  31 }
  32
  33 function info {
  34   $verbose && echo >&2 "-Info-          $1"
  35 }
  36
  37 # Implement generic branch and tag policies.
  38 # - Tags should not be updated once created.
  39 # - Branches should only be fast-forwarded.
  40 case "$1" in
  41   refs/tags/*)
  42     [ -f "$GIT_DIR/$1" ] &&
  43     deny >/dev/null "You can't overwrite an existing tag"
  44     ;;
  45   refs/heads/*)
  46     # No rebasing or rewinding
  47     if expr "$2" : '0*$' >/dev/null; then
  48       info "The branch '$1' is new..."
  49     else
  50       # updating -- make sure it is a fast forward
  51       mb=$(git-merge-base "$2" "$3")
  52       case "$mb,$2" in
  53         "$2,$mb") info "Update is fast-forward" ;;
  54         "$2,$mb") info "Update is fast-forward" ;;
  55         ",$2") echo "$3" | grep -q '^0\+$'
  56                 if [ $? = 0 ]; then
  57                         info "Deleting branch"
  58                 else
  59                         deny >/dev/null  "This is not a fast-forward update."
  60                 fi ;;
  61         *)        deny >/dev/null  "This is not a fast-forward update." ;;
  62       esac
  63     fi
  64     ;;
  65 #  *)
  66 #    deny >/dev/null \
  67 #    "Branch is not under refs/heads or refs/tags.  What are you trying to do?"
  68 #    ;
  69 esac
  70
  71 # Implement per-branch controls based on username
  72 allowed_users_file=$GIT_DIR/info/allowed-users
  73 username=$(id -u -n)
  74 info "The user is: '$username'"
  75
  76 if [ -f "$allowed_users_file" ]; then
  77   rc=$(cat $allowed_users_file | grep -v '^#' | grep -v '^$' |
  78     while read head_pattern user_patterns; do
  79       head_pattern=`eval "echo $head_pattern"`
  80       user_patterns=`eval "echo $user_patterns"`
  81       matchlen=$(expr "$1" : "$head_pattern")
  82       if [ "$matchlen" == "${#1}" ]; then
  83         info "Found matching head pattern: '$head_pattern'"
  84         for user_pattern in $user_patterns; do
  85           info "Checking user: '$username' against pattern: '$user_pattern'"
  86           matchlen=$(expr "$username" : "$user_pattern")
  87           if [ "$matchlen" == "${#username}" ]; then
  88             grant "Allowing user: '$username' with pattern: '$user_pattern'"
  89           fi
  90         done
  91         deny "The user is not in the access list for this branch"
  92       fi
  93     done
  94   )
  95   status="user_$rc"
  96   case "$rc" in
  97     grant) grant >/dev/null "Granting access based on $allowed_users_file" ;;
  98 #    deny)  deny  >/dev/null "Denying  access based on $allowed_users_file" ;;
  99 #    *) ;;
 100   esac
 101 fi
 102
 103 allowed_groups_file=$GIT_DIR/info/allowed-groups
 104 groups=$(id -G -n)
 105 info "The user belongs to the following groups:"
 106 info "'$groups'"
 107
 108 if [ -f "$allowed_groups_file" ]; then
 109   rc=$(cat $allowed_groups_file | grep -v '^#' | grep -v '^$' |
 110     while read head_pattern group_patterns; do
 111       matchlen=$(expr "$1" : "$head_pattern")
 112       if [ "$matchlen" == "${#1}" ]; then
 113         info "Found matching head pattern: '$head_pattern'"
 114         for group_pattern in $group_patterns; do
 115           for groupname in $groups; do
 116             info "Checking group: '$groupname' against pattern: '$group_pattern'"
 117             matchlen=$(expr "$groupname" : "$group_pattern")
 118             if [ "$matchlen" == "${#groupname}" ]; then
 119               grant "Allowing group: '$groupname' with pattern: '$group_pattern'"
 120             fi
 121           done
 122         done
 123         deny "None of the user's groups are in the access list for this
 124 branch"
 125       fi
 126     done
 127   )
 128   status="group_$rc"
 129   case "$rc" in
 130     grant) grant >/dev/null "Granting access based on $allowed_groups_file" ;;
 131 #    deny)  deny  >/dev/null "Denying  access based on $allowed_groups_file" ;;
 132 #    *) ;;
 133   esac
 134 fi
 135
 136 case "$status" in
 137   user_grant)
 138      grant >/dev/null "Granting access based on $allowed_users_file" ;;
 139   user_deny)
 140      deny  >/dev/null "Denying  access based on $allowed_users_file" ;;
 141   group_grant)
 142      grant >/dev/null "Granting access based on $allowed_groups_file" ;;
 143   group_deny)
 144      deny  >/dev/null "Denying  access based on $allowed_groups_file" ;;
 145   *) deny >/dev/null "There are no more rules to check.  Denying access" ;;
 146 esac
 147
 148
 149
 150