1 #!/usr/bin/env bash
2 #
3 # Gitaccess implements basic access controls for git.
4 # Copyright (C) 2015 Aaron Ball <nullspoon@iohq.net>
5 #
6 # This program is free software; you can redistribute it and/or modify it under
7 # the terms of the GNU General Public License as published by the Free Software
8 # Foundation; either version 2 of the License, or (at your option) any later
9 # version.
10 #
11 # This program is distributed in the hope that it will be useful, but WITHOUT
12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
13 # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
14 # details.
15 #
16 # You should have received a copy of the GNU General Public License along with
17 # this program; if not, write to the Free Software Foundation, Inc., 51
18 # Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 #
20
21 #
22 # Description
23 # -----------
24 #
25 # This is the pre-receive hook which controls which users may push to the
26 # current working repo.
27 #
28 # Note that this REQUIRES the GIT_USER variable to be set. It is set by the
29 # gitaccess script.
30 #
31 # This script reads in the user's name as passed by the GIT_USER variable, and
32 # checks a users file (one user per line) for the given username. These
33 # usernames are directly associated with ssh keys used to log in.
34 #
35 # If the user is found, git proceeds as normal with a "user permitted" message.
36 #
37 # If the user is not found in the users file, an error message is printed and
38 # the git push is aborted.
39 #
40
41 # Log whatever we want to
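#######################################
# Append a timestamped message to the per-account log file.
# Globals:   HOME (read, via ~) - the log is appended to ~/git.log
# Arguments: $@ - message words; joined with single spaces
# Outputs:   nothing on stdout; one line appended to ~/git.log
# Returns:   exit status of the append
#######################################
function log {
  local stamp
  stamp=$(date '+%s')
  # "$*" joins the arguments into one word (the original used "${@}" inside a
  # larger string, which ShellCheck flags as SC2145). printf is used instead of
  # echo so a message beginning with "-n"/"-e" is logged verbatim.
  printf '%s: %s\n' "${stamp}" "$*" >> ~/git.log
}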
46
47 # Read STDIN pre-receive arguments
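# Read the first line of pre-receive input: "<old-rev> <new-rev> <ref>".
# -r keeps backslashes literal. NOTE(review): pre-receive gets one such line
# per pushed ref; only the first is consumed here, as in the original, so
# the branch name used in messages reflects the first ref only.
read -r oldrev newrev refname

# Determine the branch and repo names for better logging
branch=$(basename "${refname}")
repo=$(basename "$(pwd)")

commit_dest_str="repo '${repo}', branch '${branch}'"

# Check if user variable is set. Abort if it is not.
if [[ -z ${GIT_USER} ]]; then
  printf '%s\n' "Error: Unknown ssh key. Rejecting push."
  exit 1
fi

log "Attempted login for user ${GIT_USER} on ${commit_dest_str}"

# See if user is permitted access to this repo.
# The users file is looked up in the current directory, one username per
# line; lines beginning with '#' are comments.
# -F matches GIT_USER as a literal string instead of a regular expression and
# -x requires the whole line to match, so a value containing metacharacters
# (e.g. ".*") can no longer match arbitrary entries. -q replaces the original
# "2>&1 1>/dev/null", whose ordering sent grep's stderr to stdout while
# discarding only stdout.
if grep -v '^#' users | grep -Fxq -- "${GIT_USER}"; then
  printf '%s\n' "User ${GIT_USER} accepted for ${commit_dest_str}. Allowing push."
else
  log "User is not permitted access to repo $(pwd)"
  printf '%s\n' "Error: Permission denied for user ${GIT_USER} on ${commit_dest_str}."
  printf '%s\n' "Aborting."
  exit 1
fi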