hgext/acl.py
author Bryan O'Sullivan <bos@serpentine.com>
Tue, 11 Mar 2008 11:30:42 -0700
changeset 6225 595a69a01129
parent 6211 f89fd07fc51d
child 6747 f6c00b17387c
permissions -rw-r--r--
fetch: rename --force-editor option to --edit, for consistency

# acl.py - changeset access control for mercurial
#
# Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
#
# This software may be used and distributed according to the terms
# of the GNU General Public License, incorporated herein by reference.
#
# this hook allows to allow or deny access to parts of a repo when
# taking incoming changesets.
#
# authorization is against local user name on system where hook is
# run, not committer of original changeset (since that is easy to
# spoof).
#
# acl hook is best to use if you use hgsh to set up restricted shells
# for authenticated users to only push to / pull from.  not safe if
# user has interactive shell access, because they can disable hook.
# also not safe if remote users share one local account, because then
# no way to tell remote users apart.
#
# to use, configure acl extension in hgrc like this:
#
#   [extensions]
#   hgext.acl =
#
#   [hooks]
#   pretxnchangegroup.acl = python:hgext.acl.hook
#
#   [acl]
#   sources = serve        # check if source of incoming changes in this list
#                          # ("serve" == ssh or http, "push", "pull", "bundle")
#
# allow and deny lists have subtree pattern (default syntax is glob)
# on left, user names on right. deny list checked before allow list.
#
#   [acl.allow]
#   # if acl.allow not present, all users allowed by default
#   # empty acl.allow = no users allowed
#   docs/** = doc_writer
#   .hgtags = release_engineer
#
#   [acl.deny]
#   # if acl.deny not present, no users denied by default
#   # empty acl.deny = all users allowed
#   glob pattern = user4, user5
#   ** = user6

from mercurial.i18n import _
from mercurial.node import bin, short
from mercurial import util
import getpass

class checker(object):
    '''acl checker.'''

    def buildmatch(self, key):
        '''return tuple of (match function, list enabled).'''
        if not self.ui.has_section(key):
            self.ui.debug(_('acl: %s not enabled\n') % key)
            return None, False

        thisuser = self.getuser()
        pats = [pat for pat, users in self.ui.configitems(key)
                if thisuser in users.replace(',', ' ').split()]
        self.ui.debug(_('acl: %s enabled, %d entries for user %s\n') %
                      (key, len(pats), thisuser))
        if pats:
            match = util.matcher(self.repo.root, names=pats)[1]
        else:
            match = util.never
        return match, True

    def getuser(self):
        '''return name of authenticated user.'''
        return self.user

    def __init__(self, ui, repo):
        self.ui = ui
        self.repo = repo
        self.user = getpass.getuser()
        cfg = self.ui.config('acl', 'config')
        if cfg:
            self.ui.readsections(cfg, 'acl.allow', 'acl.deny')
        self.allow, self.allowable = self.buildmatch('acl.allow')
        self.deny, self.deniable = self.buildmatch('acl.deny')

    def skipsource(self, source):
        '''true if incoming changes from this source should be skipped.'''
        ok_sources = self.ui.config('acl', 'sources', 'serve').split()
        return source not in ok_sources

    def check(self, node):
        '''return if access allowed, raise exception if not.'''
        files = self.repo.changectx(node).files()
        if self.deniable:
            for f in files:
                if self.deny(f):
                    self.ui.debug(_('acl: user %s denied on %s\n') %
                                  (self.getuser(), f))
                    raise util.Abort(_('acl: access denied for changeset %s') %
                                     short(node))
        if self.allowable:
            for f in files:
                if not self.allow(f):
                    self.ui.debug(_('acl: user %s not allowed on %s\n') %
                                  (self.getuser(), f))
                    raise util.Abort(_('acl: access denied for changeset %s') %
                                     short(node))
        self.ui.debug(_('acl: allowing changeset %s\n') % short(node))

def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
    if hooktype != 'pretxnchangegroup':
        raise util.Abort(_('config error - hook type "%s" cannot stop '
                           'incoming changesets') % hooktype)

    c = checker(ui, repo)
    if c.skipsource(source):
        ui.debug(_('acl: changes have source "%s" - skipping\n') % source)
        return

    start = repo.changelog.rev(bin(node))
    end = repo.changelog.count()
    for rev in xrange(start, end):
        c.check(repo.changelog.node(rev))