authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2014-07-14 15:10:09 +0000
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2014-07-14 15:10:09 +0000
commit160fd3f2f1d372751836c0073bdc944df1cfbb91 (patch)
treed6b46ce1ec600400883e53b82e12b390fa73f262 /share
parenteafba37e2bfc3897e3e7f65f2ce087fbee358f43 (diff)
parentd349c9a35d3d53ebfc9f26df373e84fa5986a1b6 (diff)
downloadtrove-setup-160fd3f2f1d372751836c0073bdc944df1cfbb91.tar.gz
Merge branch 'baserock/pedroalvarez/trove-ansible3'
Reviewed-by: Richard Maw Reviewed-by: Lars Wirzenius
Diffstat (limited to 'share')
-rw-r--r--share/README.lorry-controller2
-rw-r--r--share/etc/cgitrc26
-rw-r--r--share/etc/gitano-setup.clod19
-rw-r--r--share/etc/lorry-controller/minion.conf6
-rw-r--r--share/etc/lorry-controller/webapp.conf12
-rw-r--r--share/etc/lorry.conf11
-rw-r--r--share/gitano/skel/gitano-admin/global-hooks/post-receive.lua105
-rw-r--r--share/gitano/skel/gitano-admin/groups/local-config-admins.conf1
-rw-r--r--share/gitano/skel/gitano-admin/groups/local-config-managers.conf3
-rw-r--r--share/gitano/skel/gitano-admin/groups/local-config-readers.conf5
-rw-r--r--share/gitano/skel/gitano-admin/groups/local-config-writers.conf3
-rw-r--r--share/gitano/skel/gitano-admin/groups/trove-admin.conf1
-rw-r--r--share/gitano/skel/gitano-admin/groups/workers.conf4
-rw-r--r--share/gitano/skel/gitano-admin/rules/adminchecks.lace25
-rw-r--r--share/gitano/skel/gitano-admin/rules/aschecks.lace30
-rw-r--r--share/gitano/skel/gitano-admin/rules/core.lace47
-rw-r--r--share/gitano/skel/gitano-admin/rules/createrepo.lace23
-rw-r--r--share/gitano/skel/gitano-admin/rules/defines.lace106
-rw-r--r--share/gitano/skel/gitano-admin/rules/destroyrepo.lace20
-rw-r--r--share/gitano/skel/gitano-admin/rules/other-project.lace25
-rw-r--r--share/gitano/skel/gitano-admin/rules/project.lace38
-rw-r--r--share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace20
-rw-r--r--share/gitano/skel/gitano-admin/rules/renamerepo.lace19
-rw-r--r--share/gitano/skel/gitano-admin/rules/selfchecks.lace15
-rw-r--r--share/gitano/skel/gitano-admin/rules/siteadmin.lace32
-rw-r--r--share/gitano/skel/gitano-admin/rules/trove-project.lace29
-rw-r--r--share/gitano/skel/gitano-admin/users/distbuild/user.conf2
-rw-r--r--share/gitano/skel/gitano-admin/users/lorry/user.conf2
-rw-r--r--share/gitano/skel/gitano-admin/users/mason/user.conf2
-rw-r--r--share/lorry-controller.conf8
-rw-r--r--share/releases-repo-README4
-rwxr-xr-xshare/releases-repo-migration.sh132
32 files changed, 638 insertions, 139 deletions
diff --git a/share/README.lorry-controller b/share/README.lorry-controller
index 1c70617..3bd0a90 100644
--- a/share/README.lorry-controller
+++ b/share/README.lorry-controller
@@ -14,5 +14,5 @@ scenarios regarding adding external software to your Trove before attempting to
add any additional configuration to this repository.
Remember, the Lorry tool is not permitted to manage repositories inside your
-prefix which is ##PREFIX##.
+prefix which is {{ TROVE_ID }}.
diff --git a/share/etc/cgitrc b/share/etc/cgitrc
new file mode 100644
index 0000000..28540dd
--- /dev/null
+++ b/share/etc/cgitrc
@@ -0,0 +1,26 @@
+clone-prefix=git://{{ TROVE_HOSTNAME }} http://{{ TROVE_HOSTNAME }}/git https://{{ TROVE_HOSTNAME }}/git ssh://git@{{ TROVE_HOSTNAME }}
+strict-export=git-daemon-export-ok
+
+css=/cgit/cgit.css
+logo=/trove.png
+
+head-include=/etc/cgit-trove-head.inc
+footer=/etc/cgit-trove-footer.inc
+
+enable-index-links=1
+root-title={{ TROVE_ID }} Git Repositories
+root-desc=Baserock Trove -- For {{ TROVE_COMPANY }}
+snapshots=tar.gz
+enable-commit-graph=1
+enable-log-filecount=1
+enable-log-linecount=1
+
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+scan-path=/home/git/repos/
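Review bot: `mimetype.html=text/html` and `mimetype.svg=image/svg+xml` make cgit's plain/raw view serve those blobs as active content on the Trove's own origin, so anyone who can push to a web-visible repository — including the upstream projects that lorry mirrors into this Trove — can host script that runs with the cgit site's origin (stored XSS); confirm against the cgit version deployed, but that is the documented effect of the mimetype table. Unless raw blobs are served from a separate hostname, drop `mimetype.html=text/html` and `mimetype.svg=image/svg+xml` so those files fall back to a non-executable type, and keep the image/pdf entries. `strict-export=git-daemon-export-ok` with `scan-path=/home/git/repos/` means web visibility is decided by the export marker file alone, not by the gitano read rules added in this commit; a comment naming which component is expected to create and remove that marker would help the next maintainer.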
diff --git a/share/etc/gitano-setup.clod b/share/etc/gitano-setup.clod
new file mode 100644
index 0000000..511479f
--- /dev/null
+++ b/share/etc/gitano-setup.clod
@@ -0,0 +1,19 @@
+-- Configuration for gitano-setup
+
+paths.home "/home/git"
+paths.ssh "/home/git/.ssh"
+paths.pubkey "/home/git/.ssh/id_rsa.pub"
+paths.repos "/home/git/repos"
+paths.skel "/etc/gitano/skel/gitano-admin"
+
+admin.username "trove"
+admin.realname "Trove Instance Administrator"
+admin.email "trove@trove-instance"
+admin.keyname "trove"
+
+site.name "{{ TROVE_ID }} for {{ TROVE_COMPANY }}"
+log.prefix "{{ TROVE_ID }}"
+
+use.htpasswd "yes"
+
+setup.batch = true
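Review bot: `paths.pubkey "/home/git/.ssh/id_rsa.pub"` together with `admin.username "trove"` and `admin.keyname "trove"` keys the gitano-admin account with the git service account's own key pair, so anything able to read `/home/git/.ssh/id_rsa` holds unconditional administrator rights under the `allow "Administrators can do anything"` rule elsewhere in this commit. That looks intentional (local tooling drives gitano via `ssh localhost`) but is stated nowhere; add a comment such as `-- NOTE: the 'trove' admin user is keyed with the git user's own id_rsa; any process running as git is a full gitano administrator` and confirm the private key is not shared with the lorry or web users. `use.htpasswd "yes"` presumably enables an HTTP password store; its location and file permissions are not visible here and should be checked.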
diff --git a/share/etc/lorry-controller/minion.conf b/share/etc/lorry-controller/minion.conf
new file mode 100644
index 0000000..99abdba
--- /dev/null
+++ b/share/etc/lorry-controller/minion.conf
@@ -0,0 +1,6 @@
+[config]
+log = syslog
+log-level = debug
+webapp-host = localhost
+webapp-port = 12765
+webapp-timeout = 3600
diff --git a/share/etc/lorry-controller/webapp.conf b/share/etc/lorry-controller/webapp.conf
new file mode 100644
index 0000000..2e9df0d
--- /dev/null
+++ b/share/etc/lorry-controller/webapp.conf
@@ -0,0 +1,12 @@
+[config]
+log = /home/lorry/webapp.log
+log-max = 100M
+log-keep = 10
+log-level = debug
+statedb = /home/lorry/webapp.db
+configuration-directory = /home/lorry/confgit
+status-html = /home/lorry/lc-status.html
+wsgi = yes
+debug-port = 12765
+templates = /usr/share/lorry-controller/templates
+confgit-url = ssh://git@localhost/{{ TROVE_ID }}/local-config/lorries
diff --git a/share/etc/lorry.conf b/share/etc/lorry.conf
new file mode 100644
index 0000000..cc94e8d
--- /dev/null
+++ b/share/etc/lorry.conf
@@ -0,0 +1,11 @@
+[config]
+mirror-base-url-push = ssh://git@localhost
+mirror-base-url-fetch = git://{{ TROVE_HOSTNAME }}
+bundle = never
+bundle-dest = /home/lorry/bundles
+tarball = always
+tarball-dest = /home/lorry/tarballs
+working-area = /home/lorry/working-area
+verbose = yes
+log = /dev/stdout
+log-level = debug
diff --git a/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua
new file mode 100644
index 0000000..c7ab051
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/global-hooks/post-receive.lua
@@ -0,0 +1,105 @@
+-- mason-notify.post-receive.lua
+--
+-- Global post-receive hook which notifies Mason of any and all refs updates
+-- (except refs/gitano/*) which happen.
+--
+-- It notifies Mason *before* passing the updates on to the project hook.
+--
+-- Copyright 2012 Codethink Limited
+--
+-- This is a part of Trove and re-use is limited to Baserock systems only.
+--
+
+local project_hook, repo, updates = ...
+
+local EMPTY_SHA = ("0"):rep(40)
+
+local masonhost = "{{ MASON_ID }}:{{ MASON_PORT }}"
+local basepath = "/1.0"
+local urlbases = {
+ "git://{{ TROVE_HOSTNAME }}/",
+ "ssh://git@{{ TROVE_HOSTNAME }}/",
+}
+
+local notify_mason = false
+
+for ref in pairs(updates) do
+ if not ref:match("^refs/gitano/") then
+ notify_mason = true
+ end
+end
+
+if notify_mason and repo.name ~= "gitano-admin" then
+ -- Build the report...
+ local masoninfo, indent_level = {}, 0
+ local function _(...)
+ masoninfo[#masoninfo+1] = (" "):rep(indent_level) .. table.concat({...})
+ end
+ local function indent()
+ indent_level = indent_level + 1
+ end
+ local function dedent()
+ indent_level = indent_level - 1
+ end
+ _ "{" indent()
+
+ _ '"urls": [' indent()
+
+ for i = 1, #urlbases do
+ local comma = (i==#urlbases) and "" or ","
+ _(("%q,"):format(urlbases[i] .. repo.name))
+ _(("%q%s"):format(urlbases[i] .. repo.name .. ".git", comma))
+ end
+
+ dedent() _ "],"
+
+ _ '"changes": [' indent()
+
+ local toreport = {}
+ for ref, info in pairs(updates) do
+ if not ref:match("^refs/gitano") then
+ local action
+ if info.oldsha == EMPTY_SHA then
+ action = "create"
+ elseif info.newsha == EMPTY_SHA then
+ action = "delete"
+ else
+ action = "update"
+ end
+ toreport[#toreport+1] = {
+ ('"ref": %q,'):format(ref),
+ ('"action": %q,'):format(action),
+ ('"old": %q,'):format(info.oldsha),
+ ('"new": %q'):format(info.newsha)
+ }
+ end
+ end
+ for i = 1, #toreport do
+ local comma = (i==#toreport) and "" or ","
+ _ "{" indent()
+ for __, ent in ipairs(toreport[i]) do
+ _(ent)
+ end
+ dedent() _("}", comma)
+ end
+ dedent() _ "]"
+
+ dedent() _ "}"
+
+ -- And finalise the JSON object
+ _("")
+ masoninfo = table.concat(masoninfo, "\n")
+ log.state("Notifying Mason of changes...")
+
+ local code, msg, headers, content =
+ http.post(masonhost, basepath, "application/json", masoninfo)
+ if code ~= "200" then
+ log.state("Notification failed somehow")
+ end
+ for line in content:gmatch("([^\r\n]*)\r?\n") do
+ log.state("Mason: " .. line)
+ end
+end
+
+-- Finally, chain to the project hook
+return project_hook(repo, updates)
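Review bot: The result handling after `http.post` near the end of the hook does not guard `content`: when the request fails at the transport level (Mason down, DNS failure) the failure is logged but `content:gmatch(...)` on the next line raises if `content` is nil, which aborts the hook before `return project_hook(repo, updates)` — so the repository's own post-receive hook is silently skipped whenever Mason is unreachable (this assumes `http.post` returns nil/err on failure as luasocket-style bindings do; confirm for gitano's binding). Change the loop to `for line in (content or ""):gmatch("([^\r\n]*)\r?\n") do`, or better wrap the whole notification in `pcall` so the chain on the final line always runs. Separately, the notification is plain, unauthenticated HTTP to `{{ MASON_ID }}:{{ MASON_PORT }}`; if that is not loopback, any host on the path can observe or spoof ref updates, which deserves a line in the header comment.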
diff --git a/share/gitano/skel/gitano-admin/groups/local-config-admins.conf b/share/gitano/skel/gitano-admin/groups/local-config-admins.conf
new file mode 100644
index 0000000..435a297
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/local-config-admins.conf
@@ -0,0 +1 @@
+description "Users who are permitted to administer the local-config project"
diff --git a/share/gitano/skel/gitano-admin/groups/local-config-managers.conf b/share/gitano/skel/gitano-admin/groups/local-config-managers.conf
new file mode 100644
index 0000000..711be8f
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/local-config-managers.conf
@@ -0,0 +1,3 @@
+description "Users who are permitted to manage the local-config project"
+
+subgroups["*"] "local-config-admins"
diff --git a/share/gitano/skel/gitano-admin/groups/local-config-readers.conf b/share/gitano/skel/gitano-admin/groups/local-config-readers.conf
new file mode 100644
index 0000000..63e6bb3
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/local-config-readers.conf
@@ -0,0 +1,5 @@
+description "Users who are permitted to read from the local-config project"
+
+members["*"] "lorry"
+
+subgroups["*"] "local-config-writers"
diff --git a/share/gitano/skel/gitano-admin/groups/local-config-writers.conf b/share/gitano/skel/gitano-admin/groups/local-config-writers.conf
new file mode 100644
index 0000000..9bbff24
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/local-config-writers.conf
@@ -0,0 +1,3 @@
+description "Users who are permitted to write to the local-config project"
+
+subgroups["*"] "local-config-managers"
diff --git a/share/gitano/skel/gitano-admin/groups/trove-admin.conf b/share/gitano/skel/gitano-admin/groups/trove-admin.conf
new file mode 100644
index 0000000..e912653
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/trove-admin.conf
@@ -0,0 +1 @@
+description "Trove-local administration"
diff --git a/share/gitano/skel/gitano-admin/groups/workers.conf b/share/gitano/skel/gitano-admin/groups/workers.conf
new file mode 100644
index 0000000..5586538
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/groups/workers.conf
@@ -0,0 +1,4 @@
+description "Workers who have read-access to everything"
+
+members["*"] "distbuild"
+members["*"] "mason"
diff --git a/share/gitano/skel/gitano-admin/rules/adminchecks.lace b/share/gitano/skel/gitano-admin/rules/adminchecks.lace
new file mode 100644
index 0000000..ffe99a0
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/adminchecks.lace
@@ -0,0 +1,25 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Called with ref known to be refs/gitano/admin
+
+# Administrators already got to do anything, so this is for non-admins
+
+# Non-admin members may not delete the admin ref
+deny "Non-administrators may not delete the admin ref" op_deleteref
+
+# Otherwise, the project's owner is allowed to alter the admin tree
+allow "Project owner may alter the admin ref" is_owner repo_is_personal
+
+# Project admins may alter admin refs
+allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin
+
+# Any other opportunities for altering the admin ref must be provided
+# by the project's rules
diff --git a/share/gitano/skel/gitano-admin/rules/aschecks.lace b/share/gitano/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..fc76440
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,30 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for when we're running as another user.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
+
+define as_is_admin as_group gitano-admin
+
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access, providing the target
+# user is not part of the gitano-admin group.
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
+
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+
+# Explicitly deny any impersonation operation which does not meet the above.
+deny "You may not run things as another user unless you are an admin" !as_is_ok
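Review bot: The comment above `define as_trove_admin_ok` says trove-admin members may run `sshkey` and `whoami` on behalf of others, but the predicate uses `op_self`, which defines.lace in this same commit declares as `anyof op_whoami op_sshkey op_passwd`, so `passwd` is covered too. Setting another user's ssh key or password is a full account-takeover capability, so the comment should say that explicitly; if `passwd` was not intended, add `define op_trove_as_ok anyof op_whoami op_sshkey` and use it: `define as_trove_admin_ok allof as_is_trove_admin !is_admin op_trove_as_ok`. The `!is_admin` guard presumably tests the impersonated user rather than the caller (the caller is what `as_group` tests); a one-line comment saying so is worthwhile, since that distinction is what stops trove-admin from taking over gitano-admin accounts.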
diff --git a/share/gitano/skel/gitano-admin/rules/core.lace b/share/gitano/skel/gitano-admin/rules/core.lace
new file mode 100644
index 0000000..dab7cfb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/core.lace
@@ -0,0 +1,47 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core ruleset definitions for Trove.
+
+default deny "Trove ruleset failed to define result. Access denied."
+
+include global:defines
+
+# The users in the administration group (gitano-admin) may do anything
+# they choose (providing they're not being impersonated). By default
+# Only the user created as part of trove-setup has this level of access.
+allow "Administrators can do anything" is_admin !if_asanother
+
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
+# Operations which are against 'self' get checked next
+include global:selfchecks
+
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
+# Site-defined rules for repository creation
+include global:createrepo op_createrepo
+
+# Site-defined rules for repository renaming
+include global:renamerepo op_renamerepo
+
+# Site-defined rules for repository destruction
+include global:destroyrepo op_destroyrepo
+
+# Site-defined rules for project repositories, including admin of them
+include global:project
+
+# Now the project rules themselves
+include main
+
+# If you're running your access control somewhat more openly than most, You can
+# now uncomment the following and allow git:// access to *everything* which is
+# not the admin repository
+# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/share/gitano/skel/gitano-admin/rules/createrepo.lace b/share/gitano/skel/gitano-admin/rules/createrepo.lace
new file mode 100644
index 0000000..a07a744
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/createrepo.lace
@@ -0,0 +1,23 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to creating repositories
+
+# Administrators have already been permitted whatever they like
+# so this is for site-wide non-admins.
+
+{{ PEOPLE_COMMENT }}allow "Personal repo creation is okay" repo_is_personal
+
+# Allow people in *-admins to create repositories under <foo>
+allow "Project admins may make project repositories" repo_is_local_project project_admin
+
+# Allow lorry to create repositories anywhere but the local project root
+allow "Lorry may create lorryable repos" is_lorry lorryable_repo
+
+# Otherwise the default is that non-admins can't create repositories
+deny "Repository creation is not permitted."
diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
new file mode 100644
index 0000000..466ac6f
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -0,0 +1,106 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012,2013 Codethink Limited
+#
+# Core definitions for access control
+
+# Gitano provided definitions first
+
+# User/group related
+define is_admin group gitano-admin
+define is_owner owner ${user}
+define is_anonymous user gitano/anonymous
+
+define if_asanother as_user ~.
+
+# Self-related operations
+define op_whoami operation whoami
+define op_sshkey operation sshkey
+define op_passwd operation passwd
+define op_self anyof op_whoami op_sshkey op_passwd
+
+# Admin-related operations
+
+## Users
+define op_useradd operation useradd
+define op_userdel operation userdel
+define op_userlist operation userlist
+define op_useremail operation useremail
+define op_username operation username
+define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
+
+## Groups
+define op_grouplist operation grouplist
+define op_groupshow operation groupshow
+define op_groupadd operation groupadd
+define op_groupdel operation groupdel
+define op_groupadduser operation groupadduser
+define op_groupdeluser operation groupdeluser
+define op_groupaddgroup operation groupaddgroup
+define op_groupdelgroup operation groupdelgroup
+define op_groupdescription operation groupdescription
+define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
+
+## Aggregation of admin ops
+define op_is_admin anyof op_user op_group
+
+# Primary repository-related operations
+define op_read operation read
+define op_write operation write
+define op_createrepo operation createrepo
+define op_renamerepo operation renamerepo
+define op_destroyrepo operation destroyrepo
+
+# Remote configuration operations
+define op_config_show operation config_show
+define op_config_set operation config_set
+define op_config_del operation config_del
+define op_is_config anyof op_config_show op_config_set op_config_del
+
+# Reference update related operations
+define op_createref operation createref
+define op_deleteref operation deleteref
+define op_fastforward operation updaterefff
+define op_forcedupdate operation updaterefnonff
+
+# Combinator operations
+define op_is_basic anyof op_read op_write
+define op_is_update anyof op_fastforward op_forcedupdate
+define op_is_normal anyof op_fastforward op_createref op_deleteref
+
+# Administration
+define is_admin_repo repository gitano-admin
+define is_gitano_ref ref ~^refs/gitano/
+define is_admin_ref ref refs/gitano/admin
+
+#
+#
+# Trove definitions after here
+#
+#
+
+define repo_is_personal repository ~^{{ ESC_PERSONAL_PREFIX }}/${user}/
+define ref_is_personal ref ~^refs/heads/{{ ESC_PREFIX }}/${user}/
+define repo_is_local_project repository ~^{{ ESC_PREFIX }}/[^/]+/
+
+define project_reader group ${repository/2}-readers
+define project_writer group ${repository/2}-writers
+define project_admin group ${repository/2}-admins
+define project_manager group ${repository/2}-managers
+
+define master_ref ref ~^refs/heads/master$
+
+define op_is_reffy anyof op_is_normal op_forcedupdate
+
+define trove_site_admin group trove-admin
+define target_group_gitano_admin targetgroup gitano-admin
+
+define is_lorry user lorry
+define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/
+define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
+
+define is_worker group workers
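Review bot: `lorryable_repo` at the bottom of the hunk excludes only the acting user's own personal prefix, because `repo_is_personal` is anchored on `${user}`; evaluated for the `lorry` user it therefore matches every other user's personal repository, unless `{{ ESC_PERSONAL_PREFIX }}` sits under `{{ ESC_PREFIX }}` so that those repos match `repo_is_local_project` instead — confirm against the template values. Since createrepo, destroyrepo and remoteconfigchecks all grant lorry `lorryable_repo`, lorry can create, destroy and reconfigure repositories inside other users' personal namespaces, which is wider than "anywhere but the local project root" suggests. Add a prefix-wide predicate and use it: `define repo_is_any_personal repository ~^{{ ESC_PERSONAL_PREFIX }}/` and `define lorryable_repo allof !repo_is_local_project !repo_is_any_personal !is_admin_repo`. Separately, `${user}` is interpolated unescaped into the `repo_is_personal` and `ref_is_personal` regexes; if gitano's useradd accepts regex metacharacters such as `.` in usernames, user `a.b` would also match `a-b`'s repos, so that input constraint should be checked or the value escaped.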
diff --git a/share/gitano/skel/gitano-admin/rules/destroyrepo.lace b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace
new file mode 100644
index 0000000..6e6b446
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace
@@ -0,0 +1,20 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to the destroying of repositories
+
+# Owners may destroy personal repositories
+allow "You may destroy your own repositories" is_owner repo_is_personal
+
+# Project admins may destroy repos inside their projects
+allow "Project admins may destroy project repos" repo_is_local_project project_admin
+
+# Allow lorry to destroy repositories anywhere but the local project root
+allow "Lorry may destroy lorryable repos" is_lorry lorryable_repo
+
+deny "You may not destroy repositories you do not own"
diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace
new file mode 100644
index 0000000..e5f05be
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/other-project.lace
@@ -0,0 +1,25 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012,2013 Codethink Limited
+#
+# Rules for any repository not under {{ TROVE_ID }}
+
+# This is, by default, /baserock/ and /delta/
+
+# There are two classes of accessors here. Lorry and Others
+allow "Anyone may read here" op_read
+allow "Anyone may write here" op_write !is_anonymous
+
+# Lorry can do anything reffy which is not inside the local refs
+allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref
+
+# Noone can rewind/rebase outside of their personal refs
+deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
+
+# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }}
+allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
+
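Review bot: `allow "Anyone may read here" op_read` grants anonymous read to every repository outside `{{ TROVE_ID }}/`, the admin repo and the caller's own personal prefix, while core.lace in this commit presents anonymous git:// access as an opt-in comment — the two disagree and the effective policy is open. lorry-controller.conf in this commit defines a `closed-source-lorries` source; any mirror it creates outside `{{ TROVE_ID }}/` would be world-readable here, so either narrow this allow to the known-open namespaces (`is_opensource_repo` as defined in project.lace) or document that everything lorried is public. Also, because `lorryable_repo` is built from the user-relative `repo_is_personal`, this file appears to be reached for other users' personal repositories as well, where `allow "Anyone may write here" op_write !is_anonymous` and the final `allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref` would let any authenticated user push `refs/heads/{{ TROVE_ID }}/...` into someone else's personal repo — unless `{{ ESC_PERSONAL_PREFIX }}` lies under `{{ ESC_PREFIX }}`, which should be confirmed.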
diff --git a/share/gitano/skel/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..aa5e1e2
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,38 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
+
+# Any non-gitano-admin repo is readable to the lorry user and the worker group
+allow "Lorry may read" op_read is_lorry lorryable_repo
+allow "Workers may read" op_read !is_admin_repo is_worker
+
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
+
+include global:trove-project repo_is_local_project
+include global:other-project lorryable_repo
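Review bot: `allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo` runs before `include global:trove-project repo_is_local_project`, and `is_baserock_repo`/`is_delta_repo` are bare prefix matches on `baserock/` and `delta/`. On a Trove whose `{{ TROVE_ID }}` is `baserock` or `delta`, the local project repositories therefore match `is_opensource_repo` and become anonymously readable before the `project_reader` check in trove-project.lace is ever evaluated. It is cheap to make the intent explicit: `allow "Anonymous access always allowed" op_read !is_admin_repo !repo_is_local_project is_opensource_repo`, plus a comment that these two prefixes are assumed to be lorried mirrors, never the local project root.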
diff --git a/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace
new file mode 100644
index 0000000..6f88f5f
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace
@@ -0,0 +1,20 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Remote config checks
+
+# Owners may do any remote admin operation they choose
+allow "Owners may remote-admin their repositories" is_owner repo_is_personal
+
+# *-admins may remote-admin their project's repositories
+allow "Project admins may admin project repos" repo_is_local_project project_admin
+
+# lorry may remote-admin lorryable repositories
+allow "Lorry may admin lorry repos" is_lorry lorryable_repo
+
+deny "You may not configure this repository remotely"
diff --git a/share/gitano/skel/gitano-admin/rules/renamerepo.lace b/share/gitano/skel/gitano-admin/rules/renamerepo.lace
new file mode 100644
index 0000000..e4a51be
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/renamerepo.lace
@@ -0,0 +1,19 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to renaming repositories
+
+# Owners may rename their own repositories
+allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner
+
+# Project admins may rename repos provided they're admin of source *and* target
+# Since the rename operation checks 'create' for the target, we can just
+# check the source here
+allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin
+
+deny "You may not rename a repository you do not own"
diff --git a/share/gitano/skel/gitano-admin/rules/selfchecks.lace b/share/gitano/skel/gitano-admin/rules/selfchecks.lace
new file mode 100644
index 0000000..83ef778
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/selfchecks.lace
@@ -0,0 +1,15 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Checks against self-like operations.
+
+allow "You may ask who you are" op_whoami
+
+allow "You may manage your own ssh keys" op_sshkey
+
+allow "You may change your own password" op_passwd
diff --git a/share/gitano/skel/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..06c71bb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't an administrator.
+
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
+
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
+
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
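Review bot: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group` has no `!target_group_gitano_admin` guard, unlike the trove-admin rule two lines above it. If `${targetgroup/prefix}` yields `gitano` for the target `gitano-admin` (the same derivation that maps `foo-admins` to `foo-managers`), then a trove-admin member — who may create any group other than gitano-admin under the preceding rule — can create `gitano-managers`, add themselves to it, and then `group adduser gitano-admin <self>` is allowed, escalating to full administrator; the same route via `trove-managers` reaches `trove-admin`. Add the guard: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group !target_group_gitano_admin`, and consider also refusing `op_groupadd` for the `gitano-` and `trove-` prefixes so the manager group cannot be manufactured in the first place.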
diff --git a/share/gitano/skel/gitano-admin/rules/trove-project.lace b/share/gitano/skel/gitano-admin/rules/trove-project.lace
new file mode 100644
index 0000000..c13b307
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/trove-project.lace
@@ -0,0 +1,29 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012,2013 Codethink Limited
+#
+# Rules for {{ TROVE_ID }}/... repositories
+
+# Reading the repository
+allow "Project readers may read" op_read project_reader
+deny "This repository is not for you" op_read
+
+# Basic writes to the repo
+allow "Project writers may write" op_write project_writer
+deny "This repository is not for you" op_write
+
+# Ref based rules for the repo
+deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !ref_is_personal
+
+## Master
+allow "Master may be created" op_createref master_ref
+allow "Master may be altered" op_is_update master_ref
+deny "Master may not be deleted" op_deleteref master_ref
+
+## Anything else.
+allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer
+
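Review bot: `allow "Master may be created" op_createref master_ref` and `allow "Master may be altered" op_is_update master_ref` carry no `project_writer` predicate, making master the only ref whose update rules name no group. They are presumably only reachable by users who already passed `allow "Project writers may write" op_write project_writer`, if gitano evaluates `write` before the per-ref operations, but that is an ordering dependency rather than a stated rule. Adding `project_writer` to both lines, or at least the comment `# reached only after the op_write gate above; writers only`, makes the intent survive a future reordering; the trailing blank line at the end of the file can also go.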
diff --git a/share/gitano/skel/gitano-admin/users/distbuild/user.conf b/share/gitano/skel/gitano-admin/users/distbuild/user.conf
new file mode 100644
index 0000000..6954826
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/users/distbuild/user.conf
@@ -0,0 +1,2 @@
+email_address "distbuild@{{ TROVE_HOSTNAME }}"
+real_name "Baserock Distributed Build Service"
diff --git a/share/gitano/skel/gitano-admin/users/lorry/user.conf b/share/gitano/skel/gitano-admin/users/lorry/user.conf
new file mode 100644
index 0000000..d00b635
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/users/lorry/user.conf
@@ -0,0 +1,2 @@
+email_address "lorry@{{ TROVE_HOSTNAME }}"
+real_name "Source Code Lorry Service"
diff --git a/share/gitano/skel/gitano-admin/users/mason/user.conf b/share/gitano/skel/gitano-admin/users/mason/user.conf
new file mode 100644
index 0000000..3139295
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/users/mason/user.conf
@@ -0,0 +1,2 @@
+email_address "mason@{{ TROVE_HOSTNAME }}"
+real_name "Baserock Continuous Integration Service"
diff --git a/share/lorry-controller.conf b/share/lorry-controller.conf
index bdbbbd5..0c90cc4 100644
--- a/share/lorry-controller.conf
+++ b/share/lorry-controller.conf
@@ -1,9 +1,9 @@
[
{
"type": "trove",
- "uuid": "##PREFIX##/initial",
+ "uuid": "{{ TROVE_ID }}/initial",
"serial": 1,
- "trovehost": "##UPSTREAM_TROVE##",
+ "trovehost": "{{ UPSTREAM_TROVE }}",
"protocol": "ssh",
"ls-interval": "4H",
"interval": "2H",
@@ -21,7 +21,7 @@
},
{
"type": "lorries",
- "uuid": "##PREFIX##/open-source-lorries",
+ "uuid": "{{ TROVE_ID }}/open-source-lorries",
"serial": 1,
"interval": "6H",
"create": "always",
@@ -35,7 +35,7 @@
},
{
"type": "lorries",
- "uuid": "##PREFIX##/closed-source-lorries",
+ "uuid": "{{ TROVE_ID }}/closed-source-lorries",
"serial": 1,
"interval": "6H",
"create": "always",
diff --git a/share/releases-repo-README b/share/releases-repo-README
index d3f872b..69ee875 100644
--- a/share/releases-repo-README
+++ b/share/releases-repo-README
@@ -2,10 +2,10 @@ site/releases repository
------------------------
This is a special repository for distributing release binaries over HTTP.
-Visit http://##PREFIX##/releases/ to browse content.
+Visit http://{{ TROVE_ID }}/releases/ to browse content.
To add a release to this repository, you need to be a member of the
Gitano group site-writers. With the correct permissions, you can push
releases to the repository by doing:
- rsync $RELEASE git@##PREFIX##:##PREFIX##/site/releases
+ rsync $RELEASE git@{{ TROVE_HOSTNAME }}:{{ TROVE_ID }}/site/releases
diff --git a/share/releases-repo-migration.sh b/share/releases-repo-migration.sh
deleted file mode 100755
index 654da0c..0000000
--- a/share/releases-repo-migration.sh
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/bin/bash
-
-function create_readers_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-readers \
- 'Users with read access to the site project'
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-readers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-readers $token
- fi
- return $ret
-}
-
-function create_writers_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-writers \
- 'Users with write access to the site project'
- create_readers_group
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-writers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-writers $token
- fi
- return $ret
-}
-
-function create_admins_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-admins \
- 'Users with admin access to the site project'
- create_writers_group
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-admins 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-admins $token
- fi
- return $ret
-}
-
-function create_managers_group()
-{
- set +e
- (
- set -e
- ssh localhost group add site-managers \
- 'Users with manager access to the site project'
- create_admins_group
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- token=$(ssh localhost group del site-managers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-managers $token
- fi
- return $ret
-}
-
-function link_groups()
-{
- set -e
- ssh localhost group addgroup site-admins site-managers
- ssh localhost group addgroup site-writers site-admins
- ssh localhost group addgroup site-readers site-writers
-}
-
-function delete_groups()
-{
- token=$(ssh localhost group del site-managers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-managers $token
- token=$(ssh localhost group del site-admins 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-admins $token
- token=$(ssh localhost group del site-writers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-writers $token
- token=$(ssh localhost group del site-readers 2>&1 | tail -1 | \
- cut -d' ' -f 2)
- ssh localhost group del site-readers $token
-}
-
-function create_groups()
-{
- # call managers_group which calls admin_group and so on...
- create_managers_group
- set +e
- (
- set -e
- link_groups
- )
- local ret="$?"
- if [ "$ret" != 0 ]; then
- delete_groups
- fi
-}
-
-site_groups=$(ssh localhost group list | grep -cE "site-[[:alnum:]]+")
-if [ "$site_groups" == 0 ]; then
- create_groups
-fi
-ssh localhost create "##PREFIX##/site/releases"
-description="This is a special repository for distributing release binaries
-over HTTP. Visit http://##PREFIX##/releases/ to browse content."
-ssh localhost config "##PREFIX##/site/releases" \
- set project.description "$description"
-
-# add a readme to the repository
-repo=$(mktemp -d)
-git clone ssh://localhost/##PREFIX##/site/releases $repo
-cp /usr/share/trove-setup/releases-repo-README $repo/README
-cd $repo
-git add $repo/README
-git commit -m 'Add README'
-git push origin master
-cd -
-rm -Rf $repo