Diffstat (limited to 'share/gitano/skel/gitano-admin/rules')
-rw-r--r--share/gitano/skel/gitano-admin/rules/adminchecks.lace25
-rw-r--r--share/gitano/skel/gitano-admin/rules/aschecks.lace30
-rw-r--r--share/gitano/skel/gitano-admin/rules/core.lace47
-rw-r--r--share/gitano/skel/gitano-admin/rules/createrepo.lace23
-rw-r--r--share/gitano/skel/gitano-admin/rules/defines.lace106
-rw-r--r--share/gitano/skel/gitano-admin/rules/destroyrepo.lace20
-rw-r--r--share/gitano/skel/gitano-admin/rules/other-project.lace25
-rw-r--r--share/gitano/skel/gitano-admin/rules/project.lace38
-rw-r--r--share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace20
-rw-r--r--share/gitano/skel/gitano-admin/rules/renamerepo.lace19
-rw-r--r--share/gitano/skel/gitano-admin/rules/selfchecks.lace15
-rw-r--r--share/gitano/skel/gitano-admin/rules/siteadmin.lace32
-rw-r--r--share/gitano/skel/gitano-admin/rules/trove-project.lace29
13 files changed, 429 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/adminchecks.lace b/share/gitano/skel/gitano-admin/rules/adminchecks.lace
new file mode 100644
index 0000000..ffe99a0
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/adminchecks.lace
@@ -0,0 +1,25 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Called with ref known to be refs/gitano/admin
+
+# Administrators already got to do anything, so this is for non-admins
+
+# Non-admin members may not delete the admin ref
+deny "Non-administrators may not delete the admin ref" op_deleteref
+
+# Otherwise, the project's owner is allowed to alter the admin tree
+allow "Project owner may alter the admin ref" is_owner repo_is_personal
+
+# Project admins may alter admin refs
+allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin
+
+# Any other opportunities for altering the admin ref must be provided
+# by the project's rules
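Review bot: Nothing in this file decides the admin-ref case for a project writer who is not a project admin, or for the lorry user, so evaluation falls through to the catch-all allows reached later via project.lace: `allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer` in trove-project.lace and `allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref` in other-project.lace both match refs/gitano/admin, so as the visible rules show a project writer can create or fast-forward the admin ref of a project repository and lorry can do so on any lorryable repository (only deletion is denied above). Since the admin ref carries the repository's own access rules, that widens who may change them well beyond owners and project admins. If the fall-through is meant only for the site's `main` rules, the narrowest fix is adding `!is_admin_ref` to those two allows; otherwise end this file with `deny "Only owners and project admins may alter the admin ref"`. This assumes lace stops at the first matching allow/deny, which the `default deny` wording and the ordering comments in core.lace suggest.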
diff --git a/share/gitano/skel/gitano-admin/rules/aschecks.lace b/share/gitano/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..fc76440
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,30 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for when we're running as another user.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
+
+define as_is_admin as_group gitano-admin
+
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access, providing the target
+# user is not part of the gitano-admin group.
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
+
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+
+# Explicitly deny any impersonation operation which does not meet the above.
+deny "You may not run things as another user unless you are an admin" !as_is_ok
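Review bot: The comment says trove-admins may run `sshkey` and `whoami` on behalf of others, but `as_trove_admin_ok` is built on `op_self`, which in defines.lace also includes `op_passwd`; a trove-admin is therefore not denied changing another non-gitano-admin user's password, and selfchecks.lace then allows `op_passwd` unconditionally. If the comment states the intent, narrow the predicate with `define as_self_delegable anyof op_whoami op_sshkey` and `define as_trove_admin_ok allof as_is_trove_admin !is_admin as_self_delegable`; if password resets by trove-admins are intended, extend the comment to say so. Either way a note that the allows in selfchecks.lace are what actually grant the impersonated operation, and this file only filters, would help the next editor.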
diff --git a/share/gitano/skel/gitano-admin/rules/core.lace b/share/gitano/skel/gitano-admin/rules/core.lace
new file mode 100644
index 0000000..dab7cfb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/core.lace
@@ -0,0 +1,47 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core ruleset definitions for Trove.
+
+default deny "Trove ruleset failed to define result. Access denied."
+
+include global:defines
+
+# The users in the administration group (gitano-admin) may do anything
+# they choose (providing they're not being impersonated). By default
+# Only the user created as part of trove-setup has this level of access.
+allow "Administrators can do anything" is_admin !if_asanother
+
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
+# Operations which are against 'self' get checked next
+include global:selfchecks
+
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
+# Site-defined rules for repository creation
+include global:createrepo op_createrepo
+
+# Site-defined rules for repository renaming
+include global:renamerepo op_renamerepo
+
+# Site-defined rules for repository destruction
+include global:destroyrepo op_destroyrepo
+
+# Site-defined rules for project repositories, including admin of them
+include global:project
+
+# Now the project rules themselves
+include main
+
+# If you're running your access control somewhat more openly than most, You can
+# now uncomment the following and allow git:// access to *everything* which is
+# not the admin repository
+# allow "Anonymous access is okay" op_read !is_admin_repo
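Review bot: The commented-out `# allow "Anonymous access is okay" op_read !is_admin_repo` sits after `include main`, so a site that uncomments it grants anonymous read to every repository no earlier rule decided. As far as the included rules show, project.lace only grants owners access to personal repositories and never denies others, so personal repositories would become anonymously readable too, while trove-project.lace repositories stay protected by their own `deny "This repository is not for you" op_read`. Say so where the option is offered, e.g. `# NOTE: also exposes personal repositories to anonymous read unless main denies it`.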
diff --git a/share/gitano/skel/gitano-admin/rules/createrepo.lace b/share/gitano/skel/gitano-admin/rules/createrepo.lace
new file mode 100644
index 0000000..a07a744
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/createrepo.lace
@@ -0,0 +1,23 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to creating repositories
+
+# Administrators have already been permitted whatever they like
+# so this is for site-wide non-admins.
+
+{{ PEOPLE_COMMENT }}allow "Personal repo creation is okay" repo_is_personal
+
+# Allow people in *-admins to create repositories under <foo>
+allow "Project admins may make project repositories" repo_is_local_project project_admin
+
+# Allow lorry to create repositories anywhere but the local project root
+allow "Lorry may create lorryable repos" is_lorry lorryable_repo
+
+# Otherwise the default is that non-admins can't create repositories
+deny "Repository creation is not permitted."
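Review bot: `allow "Lorry may create lorryable repos" is_lorry lorryable_repo` relies on a predicate that defines.lace builds purely by exclusion (`allof !repo_is_local_project !repo_is_personal !is_admin_repo`), so any new top-level namespace a site introduces is lorry-creatable by default until someone extends that define. The comment above also understates this: it mentions only the local project root, while personal and gitano-admin repositories are excluded as well. Suggest `# lorryable_repo is an exclusion list: anything not local-project, personal or gitano-admin is open to lorry`.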
diff --git a/share/gitano/skel/gitano-admin/rules/defines.lace b/share/gitano/skel/gitano-admin/rules/defines.lace
new file mode 100644
index 0000000..466ac6f
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/defines.lace
@@ -0,0 +1,106 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012,2013 Codethink Limited
+#
+# Core definitions for access control
+
+# Gitano provided definitions first
+
+# User/group related
+define is_admin group gitano-admin
+define is_owner owner ${user}
+define is_anonymous user gitano/anonymous
+
+define if_asanother as_user ~.
+
+# Self-related operations
+define op_whoami operation whoami
+define op_sshkey operation sshkey
+define op_passwd operation passwd
+define op_self anyof op_whoami op_sshkey op_passwd
+
+# Admin-related operations
+
+## Users
+define op_useradd operation useradd
+define op_userdel operation userdel
+define op_userlist operation userlist
+define op_useremail operation useremail
+define op_username operation username
+define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
+
+## Groups
+define op_grouplist operation grouplist
+define op_groupshow operation groupshow
+define op_groupadd operation groupadd
+define op_groupdel operation groupdel
+define op_groupadduser operation groupadduser
+define op_groupdeluser operation groupdeluser
+define op_groupaddgroup operation groupaddgroup
+define op_groupdelgroup operation groupdelgroup
+define op_groupdescription operation groupdescription
+define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
+
+## Aggregation of admin ops
+define op_is_admin anyof op_user op_group
+
+# Primary repository-related operations
+define op_read operation read
+define op_write operation write
+define op_createrepo operation createrepo
+define op_renamerepo operation renamerepo
+define op_destroyrepo operation destroyrepo
+
+# Remote configuration operations
+define op_config_show operation config_show
+define op_config_set operation config_set
+define op_config_del operation config_del
+define op_is_config anyof op_config_show op_config_set op_config_del
+
+# Reference update related operations
+define op_createref operation createref
+define op_deleteref operation deleteref
+define op_fastforward operation updaterefff
+define op_forcedupdate operation updaterefnonff
+
+# Combinator operations
+define op_is_basic anyof op_read op_write
+define op_is_update anyof op_fastforward op_forcedupdate
+define op_is_normal anyof op_fastforward op_createref op_deleteref
+
+# Administration
+define is_admin_repo repository gitano-admin
+define is_gitano_ref ref ~^refs/gitano/
+define is_admin_ref ref refs/gitano/admin
+
+#
+#
+# Trove definitions after here
+#
+#
+
+define repo_is_personal repository ~^{{ ESC_PERSONAL_PREFIX }}/${user}/
+define ref_is_personal ref ~^refs/heads/{{ ESC_PREFIX }}/${user}/
+define repo_is_local_project repository ~^{{ ESC_PREFIX }}/[^/]+/
+
+define project_reader group ${repository/2}-readers
+define project_writer group ${repository/2}-writers
+define project_admin group ${repository/2}-admins
+define project_manager group ${repository/2}-managers
+
+define master_ref ref ~^refs/heads/master$
+
+define op_is_reffy anyof op_is_normal op_forcedupdate
+
+define trove_site_admin group trove-admin
+define target_group_gitano_admin targetgroup gitano-admin
+
+define is_lorry user lorry
+define is_local_ref ref ~^refs/heads/{{ ESC_PREFIX }}/
+define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
+
+define is_worker group workers
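Review bot: `repo_is_personal` and `ref_is_personal` splice `${user}` into a pattern match; if user names may contain pattern metacharacters, the resulting pattern can match more than the caller's own namespace, so the assumption deserves a comment such as `# assumes user names contain no pattern metacharacters`. Relatedly, `is_admin_ref` is an exact match while `is_gitano_ref` is a prefix pattern, and `is_gitano_ref` is referenced by none of the rule files in this commit; a one-line comment on which other refs/gitano/ refs exist, or dropping the unused define, would keep the file honest about what is actually enforced.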
diff --git a/share/gitano/skel/gitano-admin/rules/destroyrepo.lace b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace
new file mode 100644
index 0000000..6e6b446
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/destroyrepo.lace
@@ -0,0 +1,20 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to the destroying of repositories
+
+# Owners may destroy personal repositories
+allow "You may destroy your own repositories" is_owner repo_is_personal
+
+# Project admins may destroy repos inside their projects
+allow "Project admins may destroy project repos" repo_is_local_project project_admin
+
+# Allow lorry to destroy repositories anywhere but the local project root
+allow "Lorry may destroy lorryable repos" is_lorry lorryable_repo
+
+deny "You may not destroy repositories you do not own"
diff --git a/share/gitano/skel/gitano-admin/rules/other-project.lace b/share/gitano/skel/gitano-admin/rules/other-project.lace
new file mode 100644
index 0000000..e5f05be
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/other-project.lace
@@ -0,0 +1,25 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012,2013 Codethink Limited
+#
+# Rules for any repository not under {{ TROVE_ID }}
+
+# This is, by default, /baserock/ and /delta/
+
+# There are two classes of accessors here. Lorry and Others
+allow "Anyone may read here" op_read
+allow "Anyone may write here" op_write !is_anonymous
+
+# Lorry can do anything reffy which is not inside the local refs
+allow "Lorry may touch everything but refs/heads/{{ TROVE_ID }}" op_is_reffy is_lorry !is_local_ref
+
+# Noone can rewind/rebase outside of their personal refs
+deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
+
+# Everyone else can do reffy things inside refs/heads/{{ TROVE_ID }}
+allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
+
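Review bot: The message on `allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref` names project writers, but the predicate has no group test, so any non-lorry caller who reaches it (the "Others" of the header comment) may create, fast-forward or delete branches under refs/heads/{{ TROVE_ID }}/. Anonymous callers are kept out of `op_write` above and presumably cannot reach a ref update without it, but the allow itself does not say so. Rename the message to match what is granted and make the assumption explicit, e.g. `allow "Any authenticated user may alter local refs" op_is_reffy !is_lorry !is_anonymous is_local_ref`.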
diff --git a/share/gitano/skel/gitano-admin/rules/project.lace b/share/gitano/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..aa5e1e2
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,38 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
+
+# Any non-gitano-admin repo is readable to the lorry user and the worker group
+allow "Lorry may read" op_read is_lorry lorryable_repo
+allow "Workers may read" op_read !is_admin_repo is_worker
+
+# Force /baserock and /delta to always be anon-readable which means git:// will
+# work. This is part of the core ruleset for Baserock because /baserock/ and
+# /delta/ are always open source.
+define is_baserock_repo repository ~^baserock/
+define is_delta_repo repository ~^delta/
+define is_opensource_repo anyof is_baserock_repo is_delta_repo
+
+allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations.
+# Owners of personal repositories can do any reffy operation
+allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
+
+include global:trove-project repo_is_local_project
+include global:other-project lorryable_repo
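Review bot: `allow "Workers may read" op_read !is_admin_repo is_worker` fires before the project and other-project includes, so the workers group can read every non-admin repository, including other users' personal repositories and project repositories whose `-readers` group would otherwise deny in trove-project.lace. If that is intended for build workers, document it: `# NOTE: workers bypass project_reader and personal-repo ownership for reads`. Separately, `is_baserock_repo` and `is_delta_repo` hard-code the namespaces that other-project.lace describes only as defaults; a comment that the two files must be kept in step would prevent them drifting apart.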
diff --git a/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace
new file mode 100644
index 0000000..6f88f5f
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/remoteconfigchecks.lace
@@ -0,0 +1,20 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Remote config checks
+
+# Owners may do any remote admin operation they choose
+allow "Owners may remote-admin their repositories" is_owner repo_is_personal
+
+# *-admins may remote-admin their project's repositories
+allow "Project admins may admin project repos" repo_is_local_project project_admin
+
+# lorry may remote-admin lorryable repositories
+allow "Lorry may admin lorry repos" is_lorry lorryable_repo
+
+deny "You may not configure this repository remotely"
diff --git a/share/gitano/skel/gitano-admin/rules/renamerepo.lace b/share/gitano/skel/gitano-admin/rules/renamerepo.lace
new file mode 100644
index 0000000..e4a51be
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/renamerepo.lace
@@ -0,0 +1,19 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules related to renaming repositories
+
+# Owners may rename their own repositories
+allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner
+
+# Project admins may rename repos provided they're admin of source *and* target
+# Since the rename operation checks 'create' for the target, we can just
+# check the source here
+allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin
+
+deny "You may not rename a repository you do not own"
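Review bot: The comment `Since the rename operation checks 'create' for the target, we can just check the source here` encodes a dependency on Gitano's rename implementation that this ruleset cannot see; if rename ever stops evaluating createrepo for the destination, a project admin could move a repository out of their project namespace with no rule objecting. Worth recording as an assumption, e.g. `# ASSUMPTION: gitano evaluates createrepo for the destination; verify when upgrading`. The explicit `op_renamerepo` predicate on both allows is redundant with the guarded `include global:renamerepo op_renamerepo` in core.lace but harmless; keep it as defence in depth or drop it to match createrepo.lace and destroyrepo.lace, and say which in a comment.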
diff --git a/share/gitano/skel/gitano-admin/rules/selfchecks.lace b/share/gitano/skel/gitano-admin/rules/selfchecks.lace
new file mode 100644
index 0000000..83ef778
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/selfchecks.lace
@@ -0,0 +1,15 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Checks against self-like operations.
+
+allow "You may ask who you are" op_whoami
+
+allow "You may manage your own ssh keys" op_sshkey
+
+allow "You may change your own password" op_passwd
diff --git a/share/gitano/skel/gitano-admin/rules/siteadmin.lace b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..06c71bb
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,32 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't an administrator.
+
+# trove_site_admin is a predicate which matches members of the trove-admin
+# group (The site-wide user/group administration group which is not the full
+# administration group)
+allow "Trove Site Admins can manage users" trove_site_admin op_user
+allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
+
+# XXX-managers members are permitted to edit XXX-* groups
+define trove_may_admin_target_group group ${targetgroup/prefix}-managers
+define target_group_has_hyphen targetgroup ~%-
+allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
+
+# Anyone is permitted to look at the people in trove-admin and *-managers
+define trove_target_group_is_trove_admin targetgroup trove-admin
+define trove_target_group_is_project_managers targetgroup ~^.+-managers$
+define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
+allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"
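Review bot: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group` does not exclude the `gitano-admin` target the way the trove-admin rule above does. If `${targetgroup/prefix}` is the part before the first hyphen, as the `XXX-managers` / `XXX-*` comment suggests, then members of a group named `gitano-managers` would be permitted to manage `gitano-admin`, and the preceding rule already lets trove-admins create and populate any group other than gitano-admin itself, so the full administration group would no longer be reserved to its own members. Add the same guard: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen !target_group_gitano_admin trove_may_admin_target_group`.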
diff --git a/share/gitano/skel/gitano-admin/rules/trove-project.lace b/share/gitano/skel/gitano-admin/rules/trove-project.lace
new file mode 100644
index 0000000..c13b307
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/trove-project.lace
@@ -0,0 +1,29 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012,2013 Codethink Limited
+#
+# Rules for {{ TROVE_ID }}/... repositories
+
+# Reading the repository
+allow "Project readers may read" op_read project_reader
+deny "This repository is not for you" op_read
+
+# Basic writes to the repo
+allow "Project writers may write" op_write project_writer
+deny "This repository is not for you" op_write
+
+# Ref based rules for the repo
+deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !ref_is_personal
+
+## Master
+allow "Master may be created" op_createref master_ref
+allow "Master may be altered" op_is_update master_ref
+deny "Master may not be deleted" op_deleteref master_ref
+
+## Anything else.
+allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer
+
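Review bot: `allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer` excludes only master, so it also admits refs outside refs/heads/, tags and anything under refs/gitano/ included, for every project writer. defines.lace already provides `is_gitano_ref`; if refs under refs/gitano/ carry meaning for Gitano, the allow should read `allow "Project writers may alter any refs" op_is_reffy !master_ref !is_gitano_ref project_writer`, otherwise a comment `# NOTE: covers tags and refs/gitano/* as well as branches` makes the breadth explicit. The forced-update deny above it protects non-personal refs only from rewrites, not from creation or deletion by writers.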