authorDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-09-07 17:02:09 +0100
committerDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-09-07 17:02:09 +0100
commit57f53edd217b06031cfa003c620b553292ebd5e7 (patch)
treed1ed82e5aff8e771b37071911ca7ad32b24ba0d0
parentfb652434121c382fc622845ec714c2a14f2fde58 (diff)
downloadtrove-setup-57f53edd217b06031cfa003c620b553292ebd5e7.tar.gz
Update ruleset
-rw-r--r--gitano-admin/rules/adminchecks.lace15
-rw-r--r--gitano-admin/rules/aschecks.lace29
-rw-r--r--gitano-admin/rules/core.lace23
-rw-r--r--gitano-admin/rules/createrepo.lace19
-rw-r--r--gitano-admin/rules/ct-project.lace20
-rw-r--r--gitano-admin/rules/defines.lace34
-rw-r--r--gitano-admin/rules/destroyrepo.lace16
-rw-r--r--gitano-admin/rules/other-project.lace22
-rw-r--r--gitano-admin/rules/project.lace32
-rw-r--r--gitano-admin/rules/remoteconfigchecks.lace14
-rw-r--r--gitano-admin/rules/renamerepo.lace17
-rw-r--r--gitano-admin/rules/selfchecks.lace10
-rw-r--r--gitano-admin/rules/siteadmin.lace36
-rw-r--r--gitano-admin/rules/trove-project.lace28
14 files changed, 230 insertions, 85 deletions
diff --git a/gitano-admin/rules/adminchecks.lace b/gitano-admin/rules/adminchecks.lace
index 9d4864b..ffe99a0 100644
--- a/gitano-admin/rules/adminchecks.lace
+++ b/gitano-admin/rules/adminchecks.lace
@@ -1,3 +1,11 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Core project administration rules
# Called with ref known to be refs/gitano/admin
@@ -8,11 +16,10 @@
deny "Non-administrators may not delete the admin ref" op_deleteref
# Otherwise, the project's owner is allowed to alter the admin tree
-allow "Project owner may alter the admin ref" is_owner
+allow "Project owner may alter the admin ref" is_owner repo_is_personal
-# Project admins may alter admin
-allow "Project admins may alter the admin ref of project repos" repo_has_project_code ct_admin
+# Project admins may alter admin refs
+allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin
# Any other opportunities for altering the admin ref must be provided
# by the project's rules
- \ No newline at end of file
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace
index 2fb2ae6..467e8a4 100644
--- a/gitano-admin/rules/aschecks.lace
+++ b/gitano-admin/rules/aschecks.lace
@@ -1,14 +1,29 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Rules for when we're running as another user.
-# Only 'deny' things which are not allowed.
-# If you 'allow' then it will allow the actual operation, not just
-# fail to deny the fact that it's 'as' someone else.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
define as_is_admin as_group gitano-admin
-# ct-admin members are permitted to run sshkey and whoami on behalf of others
-define as_is_ct_admin as_group ct-admin
-define as_ct_admin_ok allof as_is_ct_admin op_self
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin op_self
-define as_is_ok anyof as_is_admin as_ct_admin_ok
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+# Explicitly deny any impersonation operation which does not meet the above.
deny "You may not run things as another user unless you are an admin" !as_is_ok
diff --git a/gitano-admin/rules/core.lace b/gitano-admin/rules/core.lace
index 351fbda..dab7cfb 100644
--- a/gitano-admin/rules/core.lace
+++ b/gitano-admin/rules/core.lace
@@ -1,10 +1,20 @@
-# Prepare the initial definitions
-
-default deny "The ruleset didn't provide access. Denying by default."
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core ruleset definitions for Trove.
+
+default deny "Trove ruleset failed to define result. Access denied."
include global:defines
-# Now, if we're in the admin group, we can always do stuff
+# The users in the administration group (gitano-admin) may do anything
+# they choose (providing they're not being impersonated). By default
+# Only the user created as part of trove-setup has this level of access.
allow "Administrators can do anything" is_admin !if_asanother
# Now let's decide if we can use 'as'
@@ -31,6 +41,7 @@ include global:project
# Now the project rules themselves
include main
-# Now, if you want to allow anonymous access if the project doesn't prevent
-# it, then you can uncomment the following:
+# If you're running your access control somewhat more openly than most, You can
+# now uncomment the following and allow git:// access to *everything* which is
+# not the admin repository
# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/gitano-admin/rules/createrepo.lace b/gitano-admin/rules/createrepo.lace
index ef1bffc..045d7e7 100644
--- a/gitano-admin/rules/createrepo.lace
+++ b/gitano-admin/rules/createrepo.lace
@@ -1,15 +1,20 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Rules related to creating repositories
# Administrators have already been permitted whatever they like
-# so this is for non-admins.
+# so this is for site-wide non-admins.
-# Uncomment the following to allow repositories in personal/username/
+##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal
-define repo_is_personal repository ~^people/${user}/
-allow "Personal repo creation is okay" repo_is_personal
-
-# Allow people in ctxxx-admins to create repositories under ctxxx
-allow "Project admins may make project repositories" repo_has_project_code ct_admin
+# Allow people in *-admins to create repositories under <foo>
+allow "Project admins may make project repositories" repo_has_project_code project_admin
# Otherwise the default is that non-admins can't create repositories
deny "Repository creation is not permitted."
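Review bot: The new line `allow "Project admins may make project repositories" repo_has_project_code project_admin` still refers to `repo_has_project_code`, but this same commit removes that define from defines.lace (the `~^ct[0-9]+/` rule) and every other rules file switched to `repo_is_local_project`; the matching fix here is `allow "Project admins may make project repositories" repo_is_local_project project_admin`. Even if Lace tolerated the stale name, `project_admin` expands `${repository/2}`, which only lines up with the two-component `##ESC_PREFIX##/<project>/` layout that `repo_is_local_project` matches. The same kind of stale reference is in the new trove-project.lace, whose read and write rules use `ct_reader` and `ct_writer` although defines.lace now only provides `project_reader` and `project_writer`. How Lace reports an undefined predicate is not visible on this page; if it is a hard error, non-admin repository creation under the prefix would fail outright rather than be evaluated.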
diff --git a/gitano-admin/rules/ct-project.lace b/gitano-admin/rules/ct-project.lace
deleted file mode 100644
index e1f6696..0000000
--- a/gitano-admin/rules/ct-project.lace
+++ /dev/null
@@ -1,20 +0,0 @@
-# Rules for ctxxx/... repositories
-
-# Reading the repository
-allow "Readers gonna read" op_read ct_reader
-deny "This repository not for you" op_read
-
-# Basic writes to the repo
-allow "Writers gonna write" op_write ct_writer
-deny "This repository not for you" op_write
-
-# Ref based rules for the repo
-
-## Master
-allow "Master may be created" op_createref master_ref
-allow "Master may be altered" op_is_update master_ref
-deny "Master may not be deleted" op_deleteref master_ref
-
-## Anything else.
-allow "Writers gonna write" op_is_reffy !master_ref
-
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index b6df4c5..402190e 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -1,4 +1,14 @@
-# A useful set of defines
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core definitions for access control
+
+# Gitano provided definitions first
# User/group related
define is_admin group gitano-admin
@@ -65,18 +75,26 @@ define is_admin_repo repository gitano-admin
define is_gitano_ref ref ~^refs/gitano/
define is_admin_ref ref refs/gitano/admin
-# Codethink defines:
+#
+#
+# Trove definitions after here
+#
+#
-define repo_has_project_code repository ~^ct[0-9]+/
+define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/
+define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/
-define ct_reader group ${repository/1}-readers
-define ct_writer group ${repository/1}-writers
-define ct_admin group ${repository/1}-admins
+define project_reader group ${repository/2}-readers
+define project_writer group ${repository/2}-writers
+define project_admin group ${repository/2}-admins
+define project_manager group ${repository/2}-managers
define master_ref ref ~^refs/heads/master$
define op_is_reffy anyof op_is_normal op_forcedupdate
-define ct_site_admin group ct-admin
-
+define trove_site_admin group trove-admin
define target_group_gitano_admin targetgroup gitano-admin
+
+define is_lorry user lorry
+define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/
diff --git a/gitano-admin/rules/destroyrepo.lace b/gitano-admin/rules/destroyrepo.lace
index fb2d494..0b83212 100644
--- a/gitano-admin/rules/destroyrepo.lace
+++ b/gitano-admin/rules/destroyrepo.lace
@@ -1,9 +1,17 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Rules related to the destroying of repositories
-# For now, owners may destroy repositories
-allow "You may destroy your own repositories" is_owner
+# Owners may destroy personal repositories
+allow "You may destroy your own repositories" is_owner repo_is_personal
-# Admins may destroy repos inside their projects
-allow "Project admins may destroy project repos" repo_has_project_code ct_admins
+# Project admins may destroy repos inside their projects
+allow "Project admins may destroy project repos" repo_is_local_project project_admin
deny "You may not destroy repositories you do not own"
diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace
new file mode 100644
index 0000000..ad88098
--- /dev/null
+++ b/gitano-admin/rules/other-project.lace
@@ -0,0 +1,22 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for any repository not under ##PREFIX##
+
+# This is, by default, /baserock/ and /delta/
+
+# There are two classes of accessors here. Lorry and Others
+allow "Anyone may read here" op_read
+allow "Anyone may write here" op_write
+
+# Lorry can do anything reffy which is not inside the local refs
+allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref
+
+# Everyone else can do reffy things inside refs/heads/##PREFIX##
+allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
+
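Review bot: The message on the last rule, `Project writers may alter any refs`, overstates the restriction actually applied: the predicates are `op_is_reffy !is_lorry is_local_ref`, so every user who reaches this file other than `lorry` may perform any reffy operation, including `op_forcedupdate` per the `op_is_reffy` define, on refs under `refs/heads/##PREFIX##/`, with no `project_writer` check. If that breadth is intentional for these mirror repositories the string should say so, e.g. `allow "Any non-lorry user may alter refs under refs/heads/##PREFIX##" op_is_reffy !is_lorry is_local_ref`; if not, add the group predicate. `allow "Anyone may write here" op_write` is likewise unconditional, so it also covers whatever identity an unauthenticated git:// client is evaluated as; whether such clients can reach this file is not visible on this page and is worth stating in the header comment either way.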
diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace
index b09ad10..3144c64 100644
--- a/gitano-admin/rules/project.lace
+++ b/gitano-admin/rules/project.lace
@@ -1,10 +1,24 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Core project administration rules
# Admins already got allowed, so this is for non-admin users only
-allow "Owners can always read and write" op_is_basic is_owner
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
-# Uncomment if you want to *force* anonymous access to all but gitano-admin
-# allow "Anonymous access always allowed" op_read !is_admin_repo
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
# Project remote-configuration rules (set-head etc)
include global:remoteconfigchecks op_is_config
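Review bot: `is_baserock_repo`, `is_delta_repo` and `is_opensource_repo` are defined inline here with hard-coded `baserock/` and `delta/` prefixes, while other-project.lace describes those as defaults and the rest of this commit parameterises paths through `##ESC_PREFIX##`-style template values collected under the "Trove definitions" section of defines.lace. Moving the three defines there (and templating the prefixes if the installer can vary them) keeps a single place to audit which repositories are anonymously readable. The `!is_admin_repo` on the allow line is redundant given the prefix match but harmless as defence in depth; a short comment such as `# !is_admin_repo is belt-and-braces; the prefixes already exclude gitano-admin` would save the next reader from wondering.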
@@ -12,11 +26,9 @@ include global:remoteconfigchecks op_is_config
# Okay, if we're altering the admin ref, in we go
include global:adminchecks is_admin_ref
-# Now we're into branch operations. Owners can do any normal operation
-# Normal ops are create/delete/fastforward on refs
-allow "Owners can create refs" op_is_normal is_owner
-# We don't enable non-fastforward updates by default. Projects must do
-# this in their own rules if they want it.
-
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
-include global:ct-project repo_has_project_code
+include global:trove-project repo_is_local_project
+include global:other-project !repo_is_personal !repo_is_local_project !is_admin_repo
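Review bot: `allow "Owners can create refs" op_is_reffy is_owner repo_is_personal` now grants every reffy operation, including `op_forcedupdate` per the `op_is_reffy` define, but the rule text still only mentions creating refs, so any output that quotes the matched rule will understate what was permitted; `allow "Owners may perform any ref operation on personal repos" op_is_reffy is_owner repo_is_personal` matches the comment directly above it. The final include routes everything else by three negated predicates; a one-line comment such as `# Anything neither personal, local-project nor gitano-admin is treated as a mirror` would make that intent explicit.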
diff --git a/gitano-admin/rules/remoteconfigchecks.lace b/gitano-admin/rules/remoteconfigchecks.lace
index 80cf802..d951f7a 100644
--- a/gitano-admin/rules/remoteconfigchecks.lace
+++ b/gitano-admin/rules/remoteconfigchecks.lace
@@ -1,9 +1,17 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Remote config checks
# Owners may do any remote admin operation they choose
-allow "Owners may remote-admin their repositories" is_owner
+allow "Owners may remote-admin their repositories" is_owner repo_is_personal
-# ctxxx-admins may remote-admin ctxxx repositories
-allow "Project admins may admin project repos" repo_has_project_code ct_admins
+# *-admins may remote-admin their project's repositories
+allow "Project admins may admin project repos" repo_is_local_project project_admin
deny "You may not configure this repository remotely"
diff --git a/gitano-admin/rules/renamerepo.lace b/gitano-admin/rules/renamerepo.lace
index 946d544..e4a51be 100644
--- a/gitano-admin/rules/renamerepo.lace
+++ b/gitano-admin/rules/renamerepo.lace
@@ -1,6 +1,19 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Rules related to renaming repositories
-# For now, owners may rename their repositories
-allow "Owners may rename repositories" op_renamerepo is_owner
+# Owners may rename their own repositories
+allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner
+
+# Project admins may rename repos provided they're admin of source *and* target
+# Since the rename operation checks 'create' for the target, we can just
+# check the source here
+allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin
deny "You may not rename a repository you do not own"
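Review bot: `allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin` only checks that the caller administers the source project; the comment asserts that the rename operation separately runs the create checks against the target name, but nothing on this page shows that, so the safety of a rename into another project's namespace rests on an unverified assumption. Worth confirming against gitano's rename handling and recording the answer in the comment, e.g. `# Safe because gitano evaluates the createrepo ruleset for the target name before renaming (confirmed against gitano source)`. The "you do not own" wording of the trailing deny is also now stale, since project admins who are not owners reach it too.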
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace
index 300bb91..44e96bd 100644
--- a/gitano-admin/rules/selfchecks.lace
+++ b/gitano-admin/rules/selfchecks.lace
@@ -1,4 +1,12 @@
-# Checks against self
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Checks against self-like operations.
allow "You may ask who you are" op_whoami
diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace
index b3818ef..06c71bb 100644
--- a/gitano-admin/rules/siteadmin.lace
+++ b/gitano-admin/rules/siteadmin.lace
@@ -1,22 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
# Site administration rules
# You must explicitly allow site administration here for anyone who
-# has the rights to do site admin but isn't a member of gitano-admin.
+# has the rights to do site admin but isn't an administrator.
-# ct_site_admin is a predicate which is for ct-admin
-allow "CT Site Admins can manage users" ct_site_admin op_user
-allow "CT Site Admins can manage groups other than gitano-admin" ct_site_admin op_group !target_group_gitano_admin
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
-# ctXXX-admins members are permitted to edit ctXXX-* groups
-define ct_may_admin_target_group group ${targetgroup/prefix}-admins
-define is_ct_project_target targetgroup ~^ct[0-9]+%-
-allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target ct_may_admin_target_group
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
-# Anyone is permitted to look at the people in ct-admin and ctXXX-admins
-define ct_target_group_is_ct_admin targetgroup ct-admin
-define ct_target_group_is_ctxxx_admins targetgroup ~^ct[0-9]+%-admins$
-define ct_show_target_ok anyof ct_target_group_is_ct_admin ct_target_group_is_ctxxx_admins
-allow "Anyone may see admin groups" op_groupshow ct_show_target_ok
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
# Otherwise we always deny site administration
deny "You may not perform site administration"
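Review bot: `define target_group_has_hyphen targetgroup ~%-` replaces the old `~^ct[0-9]+%-` restriction with a match on any group name containing a hyphen, so `gitano-admin` and `trove-admin` themselves now satisfy it; if `${targetgroup/prefix}` yields the text before the hyphen, membership of a `gitano-managers` or `trove-managers` group would confer `op_group` over the administration groups, and the rule above already lets Trove Site Admins manage (and presumably create) any group other than `gitano-admin`. The rule should exclude the administration targets explicitly, e.g. `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen !target_group_gitano_admin !trove_target_group_is_trove_admin trove_may_admin_target_group`, reusing the existing `target_group_gitano_admin` define; `trove_target_group_is_trove_admin` is currently defined a few lines lower, so move it above this rule if Lace requires definition before use (not determinable from this page). Anchoring the match to the project namespace, as the replaced `is_ct_project_target` did, would additionally stop an arbitrary `foo-managers` group from managing every `foo-*` group whether or not `foo` is a project.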
diff --git a/gitano-admin/rules/trove-project.lace b/gitano-admin/rules/trove-project.lace
new file mode 100644
index 0000000..86ff49b
--- /dev/null
+++ b/gitano-admin/rules/trove-project.lace
@@ -0,0 +1,28 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for ##PREFIX##/... repositories
+
+# Reading the repository
+allow "Project readers may read" op_read ct_reader
+deny "This repository is not for you" op_read
+
+# Basic writes to the repo
+allow "Project writers may write" op_write ct_writer
+deny "This repository is not for you" op_write
+
+# Ref based rules for the repo
+
+## Master
+allow "Master may be created" op_createref master_ref
+allow "Master may be altered" op_is_update master_ref
+deny "Master may not be deleted" op_deleteref master_ref
+
+## Anything else.
+allow "Project writers may alter any refs" op_is_reffy !master_ref
+
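Review bot: The ref rules from `allow "Master may be created" op_createref master_ref` onward carry no group predicate, so they restrict only which refs may be touched, not who touches them; whether a non-writer can reach them depends on gitano denying `op_write` before any ref-level evaluation, which this page does not show. Adding `project_writer` at least to the catch-all last rule, `allow "Project writers may alter any refs" op_is_reffy project_writer !master_ref`, and ideally to the three master rules, makes the file correct on its own and matches what the rule text already claims. If the ordering guarantee is relied upon instead, a comment above `## Master` stating it, e.g. `# Only project_writer callers reach these rules: op_write is denied above for everyone else`, should record that dependency.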