[thirdparty/git.git] / Documentation / howto / update-hook-example.txt

From: Junio C Hamano <gitster@pobox.com> and Carl Baldwin <cnb@fc.hp.com>
Subject: control access to branches.
Date: Thu, 17 Nov 2005 23:55:32 -0800
Message-ID: <7vfypumlu3.fsf@assigned-by-dhcp.cox.net>
Abstract: An example hooks/update script is presented to
 implement repository maintenance policies, such as who can push
 into which branch and who can make a tag.

When your developer runs git-push into the repository,
git-receive-pack is run (either locally or over ssh) as that
developer, so is hooks/update script.  Quoting from the relevant
section of the documentation:

    Before each ref is updated, if $GIT_DIR/hooks/update file exists
    and executable, it is called with three parameters:

           $GIT_DIR/hooks/update refname sha1-old sha1-new

    The refname parameter is relative to $GIT_DIR; e.g. for the
    master head this is "refs/heads/master".  Two sha1 are the
    object names for the refname before and after the update.  Note
    that the hook is called before the refname is updated, so either
    sha1-old is 0{40} (meaning there is no such ref yet), or it
    should match what is recorded in refname.

So if your policy is (1) always require fast-forward push
(i.e. never allow "git-push repo +branch:branch"), (2) you
have a list of users allowed to update each branch, and (3) you
do not let tags to be overwritten, then you can use something
like this as your hooks/update script.

[jc: editorial note.  This is a much improved version by Carl
since I posted the original outline]

-- >8 -- beginning of script -- >8 --

#!/bin/bash

umask 002

# If you are having trouble with this access control hook script
# you can try setting this to true.  It will tell you exactly
# why a user is being allowed/denied access.

verbose=false

# Default shell globbing messes things up downstream
GLOBIGNORE=*

function grant {
  $verbose && echo >&2 "-Grant-		$1"
  echo grant
  exit 0
}

function deny {
  $verbose && echo >&2 "-Deny-		$1"
  echo deny
  exit 1
}

function info {
  $verbose && echo >&2 "-Info-		$1"
}

# Implement generic branch and tag policies.
# - Tags should not be updated once created.
# - Branches should only be fast-forwarded unless their pattern starts with '+'
case "$1" in
  refs/tags/*)
    git rev-parse --verify -q "$1" &&
    deny >/dev/null "You can't overwrite an existing tag"
    ;;
  refs/heads/*)
    # No rebasing or rewinding
    if expr "$2" : '0*$' >/dev/null; then
      info "The branch '$1' is new..."
    else
      # updating -- make sure it is a fast-forward
      mb=$(git-merge-base "$2" "$3")
      case "$mb,$2" in
        "$2,$mb") info "Update is fast-forward" ;;
	*)	  noff=y; info "This is not a fast-forward update.";;
      esac
    fi
    ;;
  *)
    deny >/dev/null \
    "Branch is not under refs/heads or refs/tags.  What are you trying to do?"
    ;;
esac

# Implement per-branch controls based on username
allowed_users_file=$GIT_DIR/info/allowed-users
username=$(id -u -n)
info "The user is: '$username'"

if test -f "$allowed_users_file"
then
  rc=$(cat $allowed_users_file | grep -v '^#' | grep -v '^$' |
    while read heads user_patterns
    do
      # does this rule apply to us?
      head_pattern=${heads#+}
      matchlen=$(expr "$1" : "${head_pattern#+}")
      test "$matchlen" = ${#1} || continue

      # if non-ff, $heads must be with the '+' prefix
      test -n "$noff" &&
      test "$head_pattern" = "$heads" && continue

      info "Found matching head pattern: '$head_pattern'"
      for user_pattern in $user_patterns; do
	info "Checking user: '$username' against pattern: '$user_pattern'"
	matchlen=$(expr "$username" : "$user_pattern")
	if test "$matchlen" = "${#username}"
	then
	  grant "Allowing user: '$username' with pattern: '$user_pattern'"
	fi
      done
      deny "The user is not in the access list for this branch"
    done
  )
  case "$rc" in
    grant) grant >/dev/null "Granting access based on $allowed_users_file" ;;
    deny)  deny  >/dev/null "Denying  access based on $allowed_users_file" ;;
    *) ;;
  esac
fi

allowed_groups_file=$GIT_DIR/info/allowed-groups
groups=$(id -G -n)
info "The user belongs to the following groups:"
info "'$groups'"

if test -f "$allowed_groups_file"
then
  rc=$(cat $allowed_groups_file | grep -v '^#' | grep -v '^$' |
    while read heads group_patterns
    do
      # does this rule apply to us?
      head_pattern=${heads#+}
      matchlen=$(expr "$1" : "${head_pattern#+}")
      test "$matchlen" = ${#1} || continue

      # if non-ff, $heads must be with the '+' prefix
      test -n "$noff" &&
      test "$head_pattern" = "$heads" && continue

      info "Found matching head pattern: '$head_pattern'"
      for group_pattern in $group_patterns; do
	for groupname in $groups; do
	  info "Checking group: '$groupname' against pattern: '$group_pattern'"
	  matchlen=$(expr "$groupname" : "$group_pattern")
	  if test "$matchlen" = "${#groupname}"
	  then
	    grant "Allowing group: '$groupname' with pattern: '$group_pattern'"
	  fi
        done
      done
      deny "None of the user's groups are in the access list for this branch"
    done
  )
  case "$rc" in
    grant) grant >/dev/null "Granting access based on $allowed_groups_file" ;;
    deny)  deny  >/dev/null "Denying  access based on $allowed_groups_file" ;;
    *) ;;
  esac
fi

deny >/dev/null "There are no more rules to check.  Denying access"

-- >8 -- end of script -- >8 --

This uses two files, $GIT_DIR/info/allowed-users and
allowed-groups, to describe which heads can be pushed into by
whom.  The format of each file would look like this:

        refs/heads/master	junio
	+refs/heads/pu		junio
        refs/heads/cogito$	pasky
        refs/heads/bw/.*	linus
        refs/heads/tmp/.*	.*
        refs/tags/v[0-9].*	junio

With this, Linus can push or create "bw/penguin" or "bw/zebra"
or "bw/panda" branches, Pasky can do only "cogito", and JC can
do master and pu branches and make versioned tags.  And anybody
can do tmp/blah branches. The '+' sign at the pu record means
that JC can make non-fast-forward pushes on it.

------------
Commit	Line	Data
59eb68aa	1	From: Junio C Hamano <gitster@pobox.com> and Carl Baldwin <cnb@fc.hp.com>
13cfdfd5 JH	2	Subject: control access to branches.
	3	Date: Thu, 17 Nov 2005 23:55:32 -0800
	4	Message-ID: <7vfypumlu3.fsf@assigned-by-dhcp.cox.net>
	5	Abstract: An example hooks/update script is presented to
	6	implement repository maintenance policies, such as who can push
	7	into which branch and who can make a tag.
	8
	9	When your developer runs git-push into the repository,
	10	git-receive-pack is run (either locally or over ssh) as that
	11	developer, so is hooks/update script. Quoting from the relevant
	12	section of the documentation:
	13
	14	Before each ref is updated, if $GIT_DIR/hooks/update file exists
	15	and executable, it is called with three parameters:
	16
	17	$GIT_DIR/hooks/update refname sha1-old sha1-new
	18
	19	The refname parameter is relative to $GIT_DIR; e.g. for the
	20	master head this is "refs/heads/master". Two sha1 are the
	21	object names for the refname before and after the update. Note
	22	that the hook is called before the refname is updated, so either
	23	sha1-old is 0{40} (meaning there is no such ref yet), or it
	24	should match what is recorded in refname.
	25
	26	So if your policy is (1) always require fast-forward push
	27	(i.e. never allow "git-push repo +branch:branch"), (2) you
	28	have a list of users allowed to update each branch, and (3) you
dc5f9239 JH	29	do not let tags to be overwritten, then you can use something
	30	like this as your hooks/update script.
	31
	32	[jc: editorial note. This is a much improved version by Carl
	33	since I posted the original outline]
	34
	35	-- >8 -- beginning of script -- >8 --
	36
	37	#!/bin/bash
	38
	39	umask 002
	40
	41	# If you are having trouble with this access control hook script
	42	# you can try setting this to true. It will tell you exactly
	43	# why a user is being allowed/denied access.
	44
	45	verbose=false
	46
	47	# Default shell globbing messes things up downstream
	48	GLOBIGNORE=*
	49
	50	function grant {
	51	$verbose && echo >&2 "-Grant- $1"
	52	echo grant
	53	exit 0
	54	}
	55
	56	function deny {
	57	$verbose && echo >&2 "-Deny- $1"
	58	echo deny
	59	exit 1
	60	}
	61
	62	function info {
	63	$verbose && echo >&2 "-Info- $1"
	64	}
	65
	66	# Implement generic branch and tag policies.
	67	# - Tags should not be updated once created.
f9a08f61	68	# - Branches should only be fast-forwarded unless their pattern starts with '+'
dc5f9239 JH	69	case "$1" in
dc5f9239 JH	70	refs/tags/*)
df79b9fd	71	git rev-parse --verify -q "$1" &&
dc5f9239 JH	72	deny >/dev/null "You can't overwrite an existing tag"
	73	;;
	74	refs/heads/*)
	75	# No rebasing or rewinding
	76	if expr "$2" : '0*$' >/dev/null; then
	77	info "The branch '$1' is new..."
	78	else
a75d7b54	79	# updating -- make sure it is a fast-forward
dc5f9239 JH	80	mb=$(git-merge-base "$2" "$3")
	81	case "$mb,$2" in
	82	"$2,$mb") info "Update is fast-forward" ;;
f9a08f61	83	*) noff=y; info "This is not a fast-forward update.";;
dc5f9239 JH	84	esac
	85	fi
	86	;;
	87	*)
	88	deny >/dev/null \
	89	"Branch is not under refs/heads or refs/tags. What are you trying to do?"
	90	;;
	91	esac
	92
	93	# Implement per-branch controls based on username
	94	allowed_users_file=$GIT_DIR/info/allowed-users
	95	username=$(id -u -n)
	96	info "The user is: '$username'"
	97
f9a08f61 DP	98	if test -f "$allowed_users_file"
f9a08f61 DP	99	then
dc5f9239	100	rc=$(cat $allowed_users_file \| grep -v '^#' \| grep -v '^$' \|
f9a08f61 DP	101	while read heads user_patterns
	102	do
	103	# does this rule apply to us?
	104	head_pattern=${heads#+}
	105	matchlen=$(expr "$1" : "${head_pattern#+}")
	106	test "$matchlen" = ${#1} \|\| continue
	107
	108	# if non-ff, $heads must be with the '+' prefix
	109	test -n "$noff" &&
	110	test "$head_pattern" = "$heads" && continue
	111
	112	info "Found matching head pattern: '$head_pattern'"
	113	for user_pattern in $user_patterns; do
	114	info "Checking user: '$username' against pattern: '$user_pattern'"
	115	matchlen=$(expr "$username" : "$user_pattern")
	116	if test "$matchlen" = "${#username}"
	117	then
	118	grant "Allowing user: '$username' with pattern: '$user_pattern'"
	119	fi
	120	done
	121	deny "The user is not in the access list for this branch"
dc5f9239 JH	122	done
	123	)
	124	case "$rc" in
	125	grant) grant >/dev/null "Granting access based on $allowed_users_file" ;;
	126	deny) deny >/dev/null "Denying access based on $allowed_users_file" ;;
	127	*) ;;
	128	esac
	129	fi
	130
	131	allowed_groups_file=$GIT_DIR/info/allowed-groups
	132	groups=$(id -G -n)
	133	info "The user belongs to the following groups:"
	134	info "'$groups'"
	135
f9a08f61 DP	136	if test -f "$allowed_groups_file"
f9a08f61 DP	137	then
dc5f9239	138	rc=$(cat $allowed_groups_file \| grep -v '^#' \| grep -v '^$' \|
f9a08f61 DP	139	while read heads group_patterns
	140	do
	141	# does this rule apply to us?
	142	head_pattern=${heads#+}
	143	matchlen=$(expr "$1" : "${head_pattern#+}")
	144	test "$matchlen" = ${#1} \|\| continue
	145
	146	# if non-ff, $heads must be with the '+' prefix
	147	test -n "$noff" &&
	148	test "$head_pattern" = "$heads" && continue
	149
	150	info "Found matching head pattern: '$head_pattern'"
	151	for group_pattern in $group_patterns; do
	152	for groupname in $groups; do
	153	info "Checking group: '$groupname' against pattern: '$group_pattern'"
	154	matchlen=$(expr "$groupname" : "$group_pattern")
	155	if test "$matchlen" = "${#groupname}"
	156	then
	157	grant "Allowing group: '$groupname' with pattern: '$group_pattern'"
	158	fi
dc5f9239	159	done
f9a08f61 DP	160	done
f9a08f61 DP	161	deny "None of the user's groups are in the access list for this branch"
dc5f9239 JH	162	done
	163	)
	164	case "$rc" in
	165	grant) grant >/dev/null "Granting access based on $allowed_groups_file" ;;
	166	deny) deny >/dev/null "Denying access based on $allowed_groups_file" ;;
	167	*) ;;
	168	esac
	169	fi
	170
	171	deny >/dev/null "There are no more rules to check. Denying access"
	172
	173	-- >8 -- end of script -- >8 --
	174
	175	This uses two files, $GIT_DIR/info/allowed-users and
	176	allowed-groups, to describe which heads can be pushed into by
	177	whom. The format of each file would look like this:
13cfdfd5	178
8ae67495	179	refs/heads/master junio
f9a08f61	180	+refs/heads/pu junio
13cfdfd5	181	refs/heads/cogito$ pasky
8ae67495 VJ	182	refs/heads/bw/.* linus
	183	refs/heads/tmp/.* .*
	184	refs/tags/v[0-9].* junio
13cfdfd5 JH	185
13cfdfd5 JH	186	With this, Linus can push or create "bw/penguin" or "bw/zebra"
dc5f9239	187	or "bw/panda" branches, Pasky can do only "cogito", and JC can
f9a08f61 DP	188	do master and pu branches and make versioned tags. And anybody
	189	can do tmp/blah branches. The '+' sign at the pu record means
	190	that JC can make non-fast-forward pushes on it.
13cfdfd5	191
dc5f9239	192	------------