INSTALLER: make install and gitano-setup should work (mostly)

11 files changed, 193 insertions, 0 deletions

diff --git a/skel/gitano-admin/rules/adminchecks.lace b/skel/gitano-admin/rules/adminchecks.lace
new file mode 100644
index 0000000..75ca753
--- /dev/null
+++ b/skel/gitano-admin/rules/adminchecks.lace
@@ -0,0 +1,23 @@
+# Core project administration rules
+
+# Called with ref known to be refs/gitano/admin
+
+# Administrators already got to do anything, so this is for non-admins
+
+# Non-admin members may not delete the admin ref
+deny "Non-administrators may not delete the admin ref" op_deleteref
+
+# By default, you don't want anything but gitano-admin members to touch
+# anything in the hooks/ tree, so don't allow that
+define contains_hooks target_tree ~^hooks/
+define updates_hooks treediff/targets ~^hooks/
+
+deny "Attempt to create hooks" op_createref contains_hooks
+deny "Attempt to alter hooks" op_is_update updates_hooks
+
+# Otherwise, the project's owner is allowed to alter the admin tree
+allow "Project owner may alter the admin ref" is_owner
+
+# Any other opportunities for altering the admin ref must be provided
+# by the project's rules
+ 
\ No newline at end of file
diff --git a/skel/gitano-admin/rules/aschecks.lace b/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..3623709
--- /dev/null
+++ b/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,8 @@
+# Rules for when we're running as another user.
+# Only 'deny' things which are not allowed.
+# If you 'allow' then it will allow the actual operation, not just
+# fail to deny the fact that it's 'as' someone else.
+
+define as_is_admin as_group gitano-admin
+
+deny "You may not run things as another user unless you are an admin" !as_is_admin
diff --git a/skel/gitano-admin/rules/core.lace b/skel/gitano-admin/rules/core.lace
new file mode 100644
index 0000000..c54dcba
--- /dev/null
+++ b/skel/gitano-admin/rules/core.lace
@@ -0,0 +1,36 @@
+# Prepare the initial definitions
+
+default deny "The ruleset didn't provide access.  Denying by default."
+
+include global:defines
+
+# Now, if we're in the admin group, we can always do stuff
+allow "Administrators can do anything" is_admin
+
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
+# Operations which are against 'self' get checked next
+include global:selfchecks
+
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
+# Site-defined rules for repository creation
+include global:createrepo op_createrepo
+
+# Site-defined rules for repository renaming
+include global:renamerepo op_renamerepo
+
+# Site-defined rules for repository destruction
+include global:destroyrepo op_destroyrepo
+
+# Site-defined rules for project repositories, including admin of them
+include global:project
+
+# Now the project rules themselves
+include main
+
+# Now, if you want to allow anonymous access if the project doesn't prevent
+# it, then you can uncomment the following:
+# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/skel/gitano-admin/rules/createrepo.lace b/skel/gitano-admin/rules/createrepo.lace
new file mode 100644
index 0000000..9085706
--- /dev/null
+++ b/skel/gitano-admin/rules/createrepo.lace
@@ -0,0 +1,12 @@
+# Rules related to creating repositories
+
+# Administrators have already been permitted whatever they like
+# so this is for non-admins.
+
+# Uncomment the following to allow repositories in personal/username/
+
+# define repo_is_personal repository ~^personal/${user}/
+# allow "Personal repo creation is okay" repo_is_personal
+
+# Otherwise the default is that non-admins can't create repositories
+deny "Repository creation is not permitted."
diff --git a/skel/gitano-admin/rules/defines.lace b/skel/gitano-admin/rules/defines.lace
new file mode 100644
index 0000000..64af8ca
--- /dev/null
+++ b/skel/gitano-admin/rules/defines.lace
@@ -0,0 +1,65 @@
+# A useful set of defines
+
+# User/group related
+define is_admin group gitano-admin
+define is_owner owner ${user}
+
+define if_asanother as_user ~.
+
+# Self-related operations
+define op_whoami operation whoami
+define op_sshkey operation sshkey
+
+# Admin-related operations
+
+## Users
+define op_useradd operation useradd
+define op_userdel operation userdel
+define op_userlist operation userlist
+define op_useremail operation useremail
+define op_username operation username
+define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
+
+## Groups
+define op_grouplist operation grouplist
+define op_groupshow operation groupshow
+define op_groupadd operation groupadd
+define op_groupdel operation groupdel
+define op_groupadduser operation groupadduser
+define op_groupdeluser operation groupdeluser
+define op_groupaddgroup operation groupaddgroup
+define op_groupdelgroup operation groupdelgroup
+define op_groupdescription operation groupdescription
+define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
+
+## Aggregation of admin ops
+define op_is_admin anyof op_user op_group
+
+# Primary repository-related operations
+define op_read operation read
+define op_write operation write
+define op_createrepo operation createrepo
+define op_renamerepo operation renamerepo
+define op_destroyrepo operation destroyrepo
+
+# Remote configuration operations
+define op_config_show operation config_show
+define op_config_set operation config_set
+define op_config_del operation config_del
+define op_is_config anyof op_config_show op_config_set op_config_del
+
+# Reference update related operations
+define op_createref operation createref
+define op_deleteref operation deleteref
+define op_fastforward operation updaterefff
+define op_forcedupdate operation updaterefnonff
+
+# Combinator operations
+define op_is_basic anyof op_read op_write
+define op_is_update anyof op_fastforward op_forcedupdate
+define op_is_normal anyof op_fastforward op_createref op_deleteref
+
+# Administration
+define is_admin_repo repository gitano-admin
+define is_gitano_ref ref ~^refs/gitano/
+define is_admin_ref ref refs/gitano/admin
diff --git a/skel/gitano-admin/rules/destroyrepo.lace b/skel/gitano-admin/rules/destroyrepo.lace
new file mode 100644
index 0000000..fd02547
--- /dev/null
+++ b/skel/gitano-admin/rules/destroyrepo.lace
@@ -0,0 +1,6 @@
+# Rules related to the destroying of repositories
+
+# For now, owners may destroy repositories
+allow "You may destroy your own repositories" op_destroyrepo is_owner
+
+deny "You may not destroy repositories you do not own"
diff --git a/skel/gitano-admin/rules/project.lace b/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..26729d6
--- /dev/null
+++ b/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,19 @@
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner
+
+# Uncomment if you want to *force* anonymous access to all but gitano-admin
+# allow "Anonymous access always allowed" op_read !is_admin_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations.  Owners can do any normal operation
+# Normal ops are create/delete/fastforward on refs
+allow "Owners can create refs" op_is_normal is_owner
+# We don't enable non-fastforward updates by default.  Projects must do
+# this in their own rules if they want it.
diff --git a/skel/gitano-admin/rules/remoteconfigchecks.lace b/skel/gitano-admin/rules/remoteconfigchecks.lace
new file mode 100644
index 0000000..7c6a317
--- /dev/null
+++ b/skel/gitano-admin/rules/remoteconfigchecks.lace
@@ -0,0 +1,6 @@
+# Remote config checks
+
+# Owners may do any remote admin operation they choose
+allow "Owners may remote-admin their repositories" is_owner
+
+deny "You may not configure this repository remotely"
diff --git a/skel/gitano-admin/rules/renamerepo.lace b/skel/gitano-admin/rules/renamerepo.lace
new file mode 100644
index 0000000..946d544
--- /dev/null
+++ b/skel/gitano-admin/rules/renamerepo.lace
@@ -0,0 +1,6 @@
+# Rules related to renaming repositories
+
+# For now, owners may rename their repositories
+allow "Owners may rename repositories" op_renamerepo is_owner
+
+deny "You may not rename a repository you do not own"
diff --git a/skel/gitano-admin/rules/selfchecks.lace b/skel/gitano-admin/rules/selfchecks.lace
new file mode 100644
index 0000000..300bb91
--- /dev/null
+++ b/skel/gitano-admin/rules/selfchecks.lace
@@ -0,0 +1,5 @@
+# Checks against self
+
+allow "You may ask who you are" op_whoami
+
+allow "You may manage your own ssh keys" op_sshkey
diff --git a/skel/gitano-admin/rules/siteadmin.lace b/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..bf72bb2
--- /dev/null
+++ b/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,7 @@
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't a member of gitano-admin.
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration"