author Richard Maw <richard.maw@gmail.com> 2017-08-02 19:28:24 +0100
committer Richard Maw <richard.maw@gmail.com> 2017-08-03 14:26:13 +0100
commit 4ee7ecc2f735188b0aa06c87f4f62279b328b116
tree f13b4e08174eb3574477b9493682eaad05cc203c
parent 0440e6e4bd2b616552c611f2b118cfeb23b2b0ac
Yarn for config auth
-rw-r--r-- Makefile 2
-rw-r--r-- testing/03-config-user-whitelist.yarn 54
-rw-r--r-- testing/library.yarn 8
3 files changed, 60 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index d1d411d..bb77425 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,7 @@ TESTS := 01-basics 01-hooks 02-commands-as 02-commands-config 02-commands-copy
02-commands-ls 02-commands-rename 02-commands-rsync \
02-commands-sshkey 02-commands-user 02-commands-whoami 03-cgit-support \
03-shallow-push 03-treedelta-rules 03-force-pushing \
- 03-dangling-HEAD
+ 03-dangling-HEAD 03-config-user-whitelist
MODS := gitano \
diff --git a/testing/03-config-user-whitelist.yarn b/testing/03-config-user-whitelist.yarn
new file mode 100644
index 0000000..720a84a
--- /dev/null
+++ b/testing/03-config-user-whitelist.yarn
@@ -0,0 +1,54 @@
+Access control by configuration keys
+------------------------------------
+
+While Gitano allows arbitrarily complex accss control via Lace, and supports
+group and repository prefix matching to manage large projects, these approaches
+are often overkill for installations with small numbers of repositories, users,
+and permission grants.
+
+Instead, the default ruleset for Gitano also supports adding users, by name, to the
+config lists "project.readers" and "project.writers" allowing a much simpler
+per-repository configuration approach.
+
+Note: This lookup is linear time, so it won't scale to a large number of users.
+Also it doesn't automatically get updated if users are added/deleted/renamed.
+If any of that concerns you, take the time to use a proper group and Lace approach.
+
+ SCENARIO Access controlled by configuration keys
+
+ GIVEN a standard instance
+ AND testinstance using adminkey, adds a new user alice, with a key called main
+
+By default users may not read repositories they are not owners to,
+so cloning fails.
+
+ WHEN testinstance adminkey runs create testrepo
+ AND alice, using main, expecting failure, clones testrepo as testrepo
+ THEN stderr contains \(FATAL: Not authorised\|The requested URL returned error: 403\)
+
+When the user is added to the project.reader config then cloning works.
+
+ WHEN testinstance adminkey runs config testrepo set project.readers.* alice
+ AND alice, using main, clones testrepo as testrepo
+ THEN alice has a clone of testrepo
+
+Pushing any content fails however.
+
+ WHEN alice using main pushes an empty commit in testrepo
+ THEN stderr contains \(FATAL: Not authorised\|The requested URL returned error: 403\)
+
+Pushing works once the user is added to project.writers.
+
+ WHEN testinstance adminkey runs config testrepo set project.writers.* alice
+ AND alice applies add-a-FOO.patch in testrepo
+ AND alice, using main, pushes testrepo to testrepo.git
+ AND server-side testrepo reads git object HEAD
+ THEN stdout contains Apply add-a-FOO.patch content change
+
+Being a project writer implies also being a project reader.
+
+ WHEN testinstance adminkey runs config testrepo del project.readers.i_1
+ AND alice, using main, clones testrepo as testrepo2
+ THEN alice has a clone of testrepo2
+
+ FINALLY the instance is torn down
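Review bot: The scenario only exercises grants and never revocation: the single deletion, `config testrepo del project.readers.i_1`, is followed by a clone that is expected to keep working, so nothing checks that removing alice from project.writers takes access away again. A closing step that deletes the writers entry and then clones with "expecting failure" would cover that. The push step "alice using main pushes an empty commit in testrepo" is asserted to fail through stderr but is not marked "expecting failure" the way the clone step is, so the two denial checks should be made consistent. Minor: "accss" in the opening paragraph, and "project.reader" in the prose where the key is project.readers.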
diff --git a/testing/library.yarn b/testing/library.yarn
index e25f6ac..cc03122 100644
--- a/testing/library.yarn
+++ b/testing/library.yarn
@@ -71,9 +71,11 @@ of the user inside Gitano.
Repository access
-----------------
- IMPLEMENTS WHEN ([a-z][a-z0-9]*),? using ([a-z][a-z0-9]*),? clones ([^ ]+) as ([^ ]+)( with depth (\d+))?
- $GTT clone "$MATCH_1" "$MATCH_2" "$MATCH_3" "$MATCH_4" ${MATCH_5:+ --no-local --depth="$MATCH_6"} \
- >"$DATADIR/stdout" 2>"$DATADIR/stderr"
+ IMPLEMENTS WHEN ([a-z][a-z0-9]*),? using ([a-z][a-z0-9]*),? (expecting failure,? )?clones ([^ ]+) as ([^ ]+)( with depth (\d+))?
+ if $GTT clone "$MATCH_1" "$MATCH_2" "$MATCH_4" "$MATCH_5" ${MATCH_6:+ --no-local --depth="$MATCH_7"} \
+ >"$DATADIR/stdout" 2>"$DATADIR/stderr"; then
+ test "$MATCH_3" = ""
+ fi
IMPLEMENTS WHEN ([a-z][a-z0-9]*),? using ([a-z][a-z0-9]*),? (expecting failure,? )?(force.)?pushes ([^ ]+) to ([^ ]+)
if $GTT push "$MATCH_1" "$MATCH_2" "$MATCH_5" "$MATCH_6" ${MATCH_4:+--force} \
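Review bot: In the rewritten clone step, a clone that fails when "expecting failure" was not written now passes, because an `if` with a false condition and no `else` exits 0, whereas the old form let the clone's own exit status fail the step. Adding an else branch such as `else test "$MATCH_3" != ""` makes the step fail in both mismatch cases (unexpected success and unexpected failure). The capture renumbering, with the repository and target moving to MATCH_4 and MATCH_5 and the depth to MATCH_6 and MATCH_7, is consistent with the inserted group.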