search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
markdown: update Markdown.pl and employ new features
[girocco.git] / hooks / update
blob637f57f77e222d5500db784200c5068f46e7c28a
1 #!/bin/sh
2 #
3 # Currently, we just confine the mob user to the mob branch here.
4 #
5 # TODO: Generalized branches push permissions support.
6
7 set -e
8
9 # Make sure the current directory is where we expect to be
10 [ "${GIT_DIR+set}" != "set" ] || { [ -n "$GIT_DIR" ] && [ -d "$GIT_DIR" ]; } || unset GIT_DIR
11 [ -n "$GIT_DIR" ] || GIT_DIR="$(git rev-parse --git-dir)"
12 [ -n "$GIT_DIR" ] && cd -P "${GIT_DIR:-.}" || exit 1
13 case "${PWD%/*}" in */worktrees)
14 # Gah!
15 if
16 # But it COULD just be a coincidence...
17 [ -s commondir ] && [ -s HEAD ] &&
18 _cmndir= && read -r _cmndir <commondir 2>/dev/null &&
19 [ -n "$_cmndir" ] && [ -d "$_cmndir" ]
20 then
21 # ...it is not, fix it!
22 cd -P "$_cmndir" || exit 1
23 fi
24 esac
25 GIT_DIR="." GIT_PREFIX= && export GIT_DIR
26
27 if ! [ -x @perlbin@ ]; then
28 # We are INSIDE the chroot
29
30 reporoot=/@jailreporoot@
31 reporoot="$(cd "$reporoot" && pwd -P)"
32 webadmurl=@webadmurl@
33 mob=@mob@
34 proj="$(pwd -P)"; proj="${proj#$reporoot/}"
35 mobdir=
36 case "$proj" in *?/mob)
37 mobdir=1
38 proj="${proj%/mob}"
39 esac
40 projbare="${proj%.git}"
41
42 if ! [ -f "$reporoot/$proj/.nofetch" ]; then
43 echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
44 exit 3
45 fi
46
47 if [ -n "$mobdir" ] && [ "$mob" != "mob" ]; then
48 # Should only get here if there's a misconfiguration
49 echo "Personal mob branches are not supported" >&2
50 exit 3
51 fi
52 if [ -n "$mobdir" ] && [ "$LOGNAME" = "mob" ]; then
53 # Should only get here if there's a misconfiguration
54 echo "The mob user may not use personal mob branches" >&2
55 exit 3
56 fi
57 if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
58 # Should only get here if there's a misconfiguration
59 echo "The project '$proj' does not support personal mob branches" >&2
60 exit 3
61 fi
62 if [ -n "$mobdir" ] && ! can_user_push "$projbare" mob; then
63 # Should only get here if there's a misconfiguration
64 echo "The user 'mob' does not have push permissions for project '$proj'" >&2
65 echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
66 exit 3
67 fi
68 if [ -n "$mobdir" ]; then
69 # All personal mob refs must start with refs/heads/mob.$USER,
70 # refs/heads/mob_$USER/, refs/mob/mob.$USER or refs/mob/mob_$USER/
71 case "$1" in
72 "refs/heads/mob.$LOGNAME" | \
73 "refs/heads/mob_$LOGNAME/"?* | \
74 "refs/mob/mob.$LOGNAME" | \
75 "refs/mob/mob_$LOGNAME/"?* ) :;;
76 *)
77 echo "The user '$LOGNAME' does not have push permissions for project '$proj'." >&2
78 echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
79 echo "The ref '$1' is not a valid personal mob branch ref name." >&2
80 echo "Valid personal mob branch ref names are one of the following:" >&2
81 echo " refs/heads/mob.$LOGNAME or refs/mob/mob.$LOGNAME" >&2
82 echo "or refs that start with one of the following:" >&2
83 echo " refs/heads/mob_$LOGNAME/ or refs/mob/mob_$LOGNAME/" >&2
84 echo "No other personal mob branch ref names may be pushed to, sorry." >&2
85 echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
86 exit 3
87 esac
88 exit 0
89 fi
90
91 if ! can_user_push "$projbare"; then
92 echo "The user '$LOGNAME' does not have push permissions for project '$proj'" >&2
93 echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
94 exit 3
95 fi
96
97 if [ "$mob" = "mob" ] && [ "$LOGNAME" = "mob" ]; then
98 if [ x"$1" != x"refs/heads/mob" ]; then
99 echo "The mob user may push only to the 'mob' branch, sorry" >&2
100 exit 1
101 fi
102 if [ x"$2" = x"0000000000000000000000000000000000000000" ]; then
103 echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
104 exit 2
105 fi
106 if [ x"$3" = x"0000000000000000000000000000000000000000" ]; then
107 echo "The mob user may not _delete_ the 'mob' branch, smch, sorry"
108 exit 3
109 fi
110 fi
111
112 if [ "$mob" = "mob" ]; then
113 case "$1" in
114 "refs/heads/mob."?* | "refs/heads/mob_"?*)
115 echo "Use of the ref '$1' is reserved for personal mob branch" >&2
116 echo "users who do not have push permission to project '$proj'." >&2
117 echo "Users with push permission may only access the personal" >&2
118 echo "mob branches using refs that start with 'refs/mob/'." >&2
119 exit 3
120 esac
121 fi
122
123 exit 0
124 fi
125
126 # We are NOT inside the chroot
127
128 . @basedir@/shlib.sh
129 reporoot="$cfg_reporoot"
130 v_get_proj_from_dir proj
131 projbare="${proj%.git}"
132
133 if [ "$cfg_permission_control" = "Hooks" ]; then
134 # We have some permission control to do!
135 # XXX: Sanity check on project name and $USER here? Seems superfluous.
136 if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$USER"; then
137 echo "The user '$USER' does not have push permissions for project '$proj'" >&2
138 echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
139 exit 3
140 fi
141 fi
142
143 if [ -n "$GIT_PROJECT_ROOT" ]; then
144 # We are doing a smart HTTP push
145
146 mobdir=
147 case "$proj" in *?/mob)
148 mobdir=1
149 proj="${proj%/mob}"
150 projbare="${proj%.git}"
151 esac
152
153 if ! [ -f "$reporoot/$proj/.nofetch" ]; then
154 echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
155 exit 3
156 fi
157
158 authuser="${REMOTE_USER#/UID=}"
159 authuser="${authuser#UID = }"
160 authuuid="$authuser"
161 authuser="${authuser%/dnQualifier=*}"
162 authuser="${authuser%, dnQualifier = *}"
163 authuuid="${authuuid#$authuser}"
164 authuuid="${authuuid#/dnQualifier=}"
165 authuuid="${authuuid#, dnQualifier = }"
166 if [ -z "$authuser" ]; then
167 echo "Only authenticated users may push, sorry" >&2
168 exit 3
169 fi
170 if [ "$authuser" != "mob" ] || [ "$cfg_mob" != "mob" ]; then
171 if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" || [ "$useruuid" != "$authuuid" ]; then
172 echo "The user '$authuser' certificate being used is no longer valid."
173 echo "You may download a new user certificate at $cfg_webadmurl/edituser.cgi"
174 exit 3
175 fi
176 fi
177
178 if [ -n "$mobdir" ] && [ "$cfg_mob" != "mob" ]; then
179 # Should only get here if there's a misconfiguration
180 echo "Personal mob branches are not supported" >&2
181 exit 3
182 fi
183 if [ -n "$mobdir" ] && [ "$authuser" = "mob" ]; then
184 # Should only get here if there's a misconfiguration
185 echo "The mob user may not use personal mob branches" >&2
186 exit 3
187 fi
188 if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
189 # Should only get here if there's a misconfiguration
190 echo "The project '$proj' does not support personal mob branches" >&2
191 exit 3
192 fi
193 if [ -n "$mobdir" ] && ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "mob"; then
194 # Should only get here if there's a misconfiguration
195 echo "The user 'mob' does not have push permissions for project '$proj'" >&2
196 echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
197 exit 3
198 fi
199 if [ -n "$mobdir" ]; then
200 # All personal mob refs must start with refs/heads/mob.$USER,
201 # refs/heads/mob_$USER/, refs/mob/mob.$USER or refs/mob/mob_$USER/
202 case "$1" in
203 "refs/heads/mob.$authuser" | \
204 "refs/heads/mob_$authuser/"?* | \
205 "refs/mob/mob.$authuser" | \
206 "refs/mob/mob_$authuser/"?* ) :;;
207 *)
208 echo "The user '$authuser' does not have push permissions for project '$proj'." >&2
209 echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
210 echo "The ref '$1' is not a valid personal mob branch ref name." >&2
211 echo "Valid personal mob branch ref names are one of the following:" >&2
212 echo " refs/heads/mob.$authuser or refs/mob/mob.$authuser" >&2
213 echo "or refs that start with one of the following:" >&2
214 echo " refs/heads/mob_$authuser/ or refs/mob/mob_$authuser/" >&2
215 echo "No other personal mob branch ref names may be pushed to, sorry." >&2
216 echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
217 exit 3
218 esac
219 exit 0
220 fi
221
222 if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$authuser"; then
223 echo "The user '$authuser' does not have push permissions for project '$proj'" >&2
224 echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
225 exit 3
226 fi
227
228 if [ "$cfg_mob" = "mob" ] && [ "$authuser" = "mob" ]; then
229 if [ x"$1" != x"refs/heads/mob" ]; then
230 echo "The mob user may push only to the 'mob' branch, sorry" >&2
231 exit 1
232 fi
233 if [ x"$2" = x"0000000000000000000000000000000000000000" ]; then
234 echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
235 exit 2
236 fi
237 if [ x"$3" = x"0000000000000000000000000000000000000000" ]; then
238 echo "The mob user may not _delete_ the 'mob' branch, smch, sorry"
239 exit 3
240 fi
241 fi
242
243 if [ "$cfg_mob" = "mob" ]; then
244 case "$1" in
245 "refs/heads/mob."?* | "refs/heads/mob_"?*)
246 echo "Use of the ref '$1' is reserved for personal mob branch" >&2
247 echo "users who do not have push permission to project '$proj'." >&2
248 echo "Users with push permission may only access the personal" >&2
249 echo "mob branches using refs that start with 'refs/mob/'." >&2
250 exit 3
251 esac
252 fi
253 fi
254
255 exit 0
The repo.or.cz duct tape "Girocco"