various: add read-only mode support
[girocco.git] / hooks / update
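#!/bin/sh

# Git "update" hook: decides, one ref at a time, whether a push is allowed.
#
# Arguments, as used by the checks below:
#   $1 - name of the ref being updated
#   $2 - old object id (all zeros when the ref is being created)
#   $3 - new object id (all zeros when the ref is being deleted)
#
# Exit status: 0 accepts the update, anything else rejects it.  The mob
# user restrictions exit 1 (wrong ref), 2 (create) or 3 (delete); every
# other refusal exits 3.
#
# The pusher's identity is taken from the environment: $LOGNAME inside the
# chroot, $USER when $cfg_permission_control is "Hooks", and $REMOTE_USER
# for smart HTTP pushes.
# NOTE(review): every decision below is only as trustworthy as whatever
# sets those variables; they are assumed to come from the transport layer
# and never from the pushing client -- confirm against the deployment.
#
# Currently, we just confine the mob user to the mob branch here.
#
# TODO: Generalized branches push permissions support.

set -e

# is_null_oid <oid>
# Succeeds when <oid> is non-empty and consists only of '0' characters.
# Matching on "all zeros" rather than on exactly 40 of them keeps the
# create/delete restrictions effective if object ids are longer than
# 40 hex digits.
is_null_oid() {
	case "$1" in
		'' | *[!0]*) return 1;;
	esac
	return 0
}

if ! [ -x @perlbin@ ]; then
	# We are INSIDE the chroot
	PATH=/bin && export PATH
fi

# Make sure the current directory is where we expect to be
[ "${GIT_DIR+set}" != "set" ] || { [ -n "$GIT_DIR" ] && [ -d "$GIT_DIR" ]; } || unset GIT_DIR
[ -n "$GIT_DIR" ] || GIT_DIR="$(git rev-parse --git-dir)"
[ -n "$GIT_DIR" ] && cd -P "${GIT_DIR:-.}" || exit 1
case "${PWD%/*}" in */worktrees)
	# Gah!
	if
		# But it COULD just be a coincidence...
		[ -s commondir ] && [ -s HEAD ] &&
		_cmndir= && read -r _cmndir <commondir 2>/dev/null &&
		[ -n "$_cmndir" ] && [ -d "$_cmndir" ]
	then
		# ...it is not, fix it!
		cd -P "$_cmndir" || exit 1
	fi
esac
GIT_DIR="." GIT_PREFIX= && export GIT_DIR

if ! [ -x @perlbin@ ]; then
	# We are INSIDE the chroot
	reporoot=/@jailreporoot@
	reporoot="$(cd "$reporoot" && pwd -P)"
	webadmurl=@webadmurl@
	mob=@mob@
	proj="$(pwd -P)"; proj="${proj#$reporoot/}"
	# A project path ending in "/mob" selects the personal mob branch
	# rules; the suffix is stripped to recover the real project name.
	mobdir=
	case "$proj" in *?/mob)
		mobdir=1
		proj="${proj%/mob}"
	esac
	projbare="${proj%.git}"

	# Only projects carrying a .nofetch marker accept pushes at all.
	if ! [ -f "$reporoot/$proj/.nofetch" ]; then
		echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
		exit 3
	fi

	if [ -n "$mobdir" ] && [ "$mob" != "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "Personal mob branches are not supported" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && [ "$LOGNAME" = "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The mob user may not use personal mob branches" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The project '$proj' does not support personal mob branches" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && ! can_user_push "$projbare" mob; then
		# Should only get here if there's a misconfiguration
		echo "The user 'mob' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi
	if [ -n "$mobdir" ]; then
		# All personal mob refs must start with refs/heads/mob.$USER,
		# refs/heads/mob_$USER/, refs/mob/mob.$USER or refs/mob/mob_$USER/
		# The user name sits inside double quotes in each pattern, so it
		# is compared literally; only the trailing ?* acts as a wildcard.
		case "$1" in
		"refs/heads/mob.$LOGNAME" | \
		"refs/heads/mob_$LOGNAME/"?* | \
		"refs/mob/mob.$LOGNAME" | \
		"refs/mob/mob_$LOGNAME/"?* ) :;;
		*)
			echo "The user '$LOGNAME' does not have push permissions for project '$proj'." >&2
			echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
			echo "The ref '$1' is not a valid personal mob branch ref name." >&2
			echo "Valid personal mob branch ref names are one of the following:" >&2
			echo " refs/heads/mob.$LOGNAME or refs/mob/mob.$LOGNAME" >&2
			echo "or refs that start with one of the following:" >&2
			echo " refs/heads/mob_$LOGNAME/ or refs/mob/mob_$LOGNAME/" >&2
			echo "No other personal mob branch ref names may be pushed to, sorry." >&2
			echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
			exit 3
		esac
		exit 0
	fi

	if ! can_user_push "$projbare"; then
		echo "The user '$LOGNAME' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi

	# The shared mob account may only advance an already existing
	# refs/heads/mob: no other ref, no creation, no deletion.
	if [ "$mob" = "mob" ] && [ "$LOGNAME" = "mob" ]; then
		if [ x"$1" != x"refs/heads/mob" ]; then
			echo "The mob user may push only to the 'mob' branch, sorry" >&2
			exit 1
		fi
		if is_null_oid "$2"; then
			echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
			exit 2
		fi
		if is_null_oid "$3"; then
			# Diagnostics go to stderr like every other refusal here
			echo "The mob user may not _delete_ the 'mob' branch, smch, sorry" >&2
			exit 3
		fi
	fi

	if [ "$mob" = "mob" ]; then
		case "$1" in
		"refs/heads/mob."?* | "refs/heads/mob_"?*)
			echo "Use of the ref '$1' is reserved for personal mob branch" >&2
			echo "users who do not have push permission to project '$proj'." >&2
			echo "Users with push permission may only access the personal" >&2
			echo "mob branches using refs that start with 'refs/mob/'." >&2
			exit 3
		esac
	fi

	exit 0
fi

# We are NOT inside the chroot

. @basedir@/shlib.sh
reporoot="$cfg_reporoot"
v_get_proj_from_dir proj
projbare="${proj%.git}"

if [ "$cfg_permission_control" = "Hooks" ]; then
	# We have some permission control to do!
	# XXX: Sanity check on project name and $USER here? Seems superfluous.
	if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$USER"; then
		echo "The user '$USER' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi
fi

if [ -n "$GIT_PROJECT_ROOT" ]; then
	# We are doing a smart HTTP push

	mobdir=
	case "$proj" in *?/mob)
		mobdir=1
		proj="${proj%/mob}"
		projbare="${proj%.git}"
	esac

	if ! [ -f "$reporoot/$proj/.nofetch" ]; then
		echo "The $proj project is a mirror and may not be pushed to, sorry" >&2
		exit 3
	fi

	# Split $REMOTE_USER into the user name (UID part) and the uuid
	# (dnQualifier part); both the "/UID=.../dnQualifier=..." and the
	# "UID = ..., dnQualifier = ..." spellings are accepted.
	authuser="${REMOTE_USER#/UID=}"
	authuser="${authuser#UID = }"
	authuuid="$authuser"
	authuser="${authuser%/dnQualifier=*}"
	authuser="${authuser%, dnQualifier = *}"
	# Quoted so the name is removed as a literal prefix even if it
	# contains shell pattern characters.
	authuuid="${authuuid#"$authuser"}"
	authuuid="${authuuid#/dnQualifier=}"
	authuuid="${authuuid#, dnQualifier = }"
	if [ -z "$authuser" ]; then
		echo "Only authenticated users may push, sorry" >&2
		exit 3
	fi
	# The uuid presented with the request must equal the one that
	# get_user_uuid reports for the account; a mismatch or a lookup
	# failure rejects the push.  The shared mob account is exempt.
	if [ "$authuser" != "mob" ] || [ "$cfg_mob" != "mob" ]; then
		if ! useruuid="$("$cfg_basedir/bin/get_user_uuid" "$authuser")" || [ "$useruuid" != "$authuuid" ]; then
			echo "The user '$authuser' certificate being used is no longer valid." >&2
			echo "You may download a new user certificate at $cfg_webadmurl/edituser.cgi" >&2
			exit 3
		fi
	fi

	if [ -n "$mobdir" ] && [ "$cfg_mob" != "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "Personal mob branches are not supported" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && [ "$authuser" = "mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The mob user may not use personal mob branches" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && ! [ -d "$reporoot/$proj/mob" ]; then
		# Should only get here if there's a misconfiguration
		echo "The project '$proj' does not support personal mob branches" >&2
		exit 3
	fi
	if [ -n "$mobdir" ] && ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "mob"; then
		# Should only get here if there's a misconfiguration
		echo "The user 'mob' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi
	if [ -n "$mobdir" ]; then
		# All personal mob refs must start with refs/heads/mob.$USER,
		# refs/heads/mob_$USER/, refs/mob/mob.$USER or refs/mob/mob_$USER/
		# The user name sits inside double quotes in each pattern, so it
		# is compared literally; only the trailing ?* acts as a wildcard.
		case "$1" in
		"refs/heads/mob.$authuser" | \
		"refs/heads/mob_$authuser/"?* | \
		"refs/mob/mob.$authuser" | \
		"refs/mob/mob_$authuser/"?* ) :;;
		*)
			echo "The user '$authuser' does not have push permissions for project '$proj'." >&2
			echo "However '$proj' allows pushes to personal mob branches w/o push perms." >&2
			echo "The ref '$1' is not a valid personal mob branch ref name." >&2
			echo "Valid personal mob branch ref names are one of the following:" >&2
			echo " refs/heads/mob.$authuser or refs/mob/mob.$authuser" >&2
			echo "or refs that start with one of the following:" >&2
			echo " refs/heads/mob_$authuser/ or refs/mob/mob_$authuser/" >&2
			echo "No other personal mob branch ref names may be pushed to, sorry." >&2
			echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
			exit 3
		esac
		exit 0
	fi

	if ! "$cfg_basedir/bin/can_user_push_http" "$projbare" "$authuser"; then
		echo "The user '$authuser' does not have push permissions for project '$proj'" >&2
		echo "You may adjust push permissions at $cfg_webadmurl/editproj.cgi?name=$proj" >&2
		exit 3
	fi

	# The shared mob account may only advance an already existing
	# refs/heads/mob: no other ref, no creation, no deletion.
	if [ "$cfg_mob" = "mob" ] && [ "$authuser" = "mob" ]; then
		if [ x"$1" != x"refs/heads/mob" ]; then
			echo "The mob user may push only to the 'mob' branch, sorry" >&2
			exit 1
		fi
		if is_null_oid "$2"; then
			echo "The mob user may not _create_ the 'mob' branch, sorry" >&2
			exit 2
		fi
		if is_null_oid "$3"; then
			# Diagnostics go to stderr like every other refusal here
			echo "The mob user may not _delete_ the 'mob' branch, smch, sorry" >&2
			exit 3
		fi
	fi

	if [ "$cfg_mob" = "mob" ]; then
		case "$1" in
		"refs/heads/mob."?* | "refs/heads/mob_"?*)
			echo "Use of the ref '$1' is reserved for personal mob branch" >&2
			echo "users who do not have push permission to project '$proj'." >&2
			echo "Users with push permission may only access the personal" >&2
			echo "mob branches using refs that start with 'refs/mob/'." >&2
			exit 3
		esac
	fi
fi

exit 0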