author | Daniel Silverstone <dsilvers@digital-scurf.org> | 2012-08-30 18:37:59 +0100 |
---|---|---|
committer | Daniel Silverstone <dsilvers@digital-scurf.org> | 2012-08-30 18:37:59 +0100 |
commit | d2732c73915f3bec423dc89d3b3d185b6b7917e3 (patch) | |
tree | 7c70dae1c4f0df070e36ebc3f4be98da201bd798 /skel | |
parent | 56048c5a7f47f915ed7506779fd8f75bb90bee78 (diff) | |
download | gitano-d2732c73915f3bec423dc89d3b3d185b6b7917e3.tar.gz |
INSTALLER: make install and gitano-setup should work (mostly)
Diffstat (limited to 'skel')
-rw-r--r-- | skel/gitano-admin/rules/adminchecks.lace | 23 | ||||
-rw-r--r-- | skel/gitano-admin/rules/aschecks.lace | 8 | ||||
-rw-r--r-- | skel/gitano-admin/rules/core.lace | 36 | ||||
-rw-r--r-- | skel/gitano-admin/rules/createrepo.lace | 12 | ||||
-rw-r--r-- | skel/gitano-admin/rules/defines.lace | 65 | ||||
-rw-r--r-- | skel/gitano-admin/rules/destroyrepo.lace | 6 | ||||
-rw-r--r-- | skel/gitano-admin/rules/project.lace | 19 | ||||
-rw-r--r-- | skel/gitano-admin/rules/remoteconfigchecks.lace | 6 | ||||
-rw-r--r-- | skel/gitano-admin/rules/renamerepo.lace | 6 | ||||
-rw-r--r-- | skel/gitano-admin/rules/selfchecks.lace | 5 | ||||
-rw-r--r-- | skel/gitano-admin/rules/siteadmin.lace | 7 |
11 files changed, 193 insertions, 0 deletions
diff --git a/skel/gitano-admin/rules/adminchecks.lace b/skel/gitano-admin/rules/adminchecks.lace
new file mode 100644
index 0000000..75ca753
--- /dev/null
+++ b/skel/gitano-admin/rules/adminchecks.lace
@@ -0,0 +1,23 @@
+# Core project administration rules
+
+# Called with ref known to be refs/gitano/admin
+
+# Administrators already got to do anything, so this is for non-admins
+
+# Non-admin members may not delete the admin ref
+deny "Non-administrators may not delete the admin ref" op_deleteref
+
+# By default, you don't want anything but gitano-admin members to touch
+# anything in the hooks/ tree, so don't allow that
+define contains_hooks target_tree ~^hooks/
+define updates_hooks treediff/targets ~^hooks/
+
+deny "Attempt to create hooks" op_createref contains_hooks
+deny "Attempt to alter hooks" op_is_update updates_hooks
+
+# Otherwise, the project's owner is allowed to alter the admin tree
+allow "Project owner may alter the admin ref" is_owner
+
+# Any other opportunities for altering the admin ref must be provided
+# by the project's rules
+
\ No newline at end of file
diff --git a/skel/gitano-admin/rules/aschecks.lace b/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..3623709
--- /dev/null
+++ b/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,8 @@
+# Rules for when we're running as another user.
+# Only 'deny' things which are not allowed.
+# If you 'allow' then it will allow the actual operation, not just
+# fail to deny the fact that it's 'as' someone else.
+
+define as_is_admin as_group gitano-admin
+
+deny "You may not run things as another user unless you are an admin" !as_is_admin
diff --git a/skel/gitano-admin/rules/core.lace b/skel/gitano-admin/rules/core.lace
new file mode 100644
index 0000000..c54dcba
--- /dev/null
+++ b/skel/gitano-admin/rules/core.lace
@@ -0,0 +1,36 @@
+# Prepare the initial definitions
+
+default deny "The ruleset didn't provide access. Denying by default."
+
+include global:defines
+
+# Now, if we're in the admin group, we can always do stuff
+allow "Administrators can do anything" is_admin
+
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
+# Operations which are against 'self' get checked next
+include global:selfchecks
+
+# Administration operations (users, groups) next
+include global:siteadmin op_is_admin
+
+# Site-defined rules for repository creation
+include global:createrepo op_createrepo
+
+# Site-defined rules for repository renaming
+include global:renamerepo op_renamerepo
+
+# Site-defined rules for repository destruction
+include global:destroyrepo op_destroyrepo
+
+# Site-defined rules for project repositories, including admin of them
+include global:project
+
+# Now the project rules themselves
+include main
+
+# Now, if you want to allow anonymous access if the project doesn't prevent
+# it, then you can uncomment the following:
+# allow "Anonymous access is okay" op_read !is_admin_repo 
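Review bot: The header comment `# Called with ref known to be refs/gitano/admin` in adminchecks.lace states a precondition the file never checks itself: nothing in the hunk tests `is_admin_ref`, so the delete-ref and hooks denies only hold if every includer carries that guard. In this commit the guard is supplied by project.lace (`include global:adminchecks is_admin_ref`), so the rules are correct today but fragile to a second, unguarded include elsewhere. I would extend the comment to `# Called with ref known to be refs/gitano/admin -- this file does not test is_admin_ref itself; every 'include global:adminchecks' must carry that guard (see project.lace)` so the dependency is visible where the rules live.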
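Review bot: In core.lace, `allow "Administrators can do anything" is_admin` is evaluated before `include global:aschecks if_asanother`, so when an operation is being run 'as' another user the admin short-circuit fires before the rule that decides whether impersonation is permitted at all. Whether that matters depends on which identity `group` is evaluated against; if it is the effective (impersonated) user rather than the real one, a non-admin acting as an admin user would be allowed here and aschecks would never be consulted, and I cannot confirm that from the rules alone. The aschecks header says that file should only ever deny, which reads as if it was meant to run first; moving `include global:aschecks if_asanother` above the admin allow would make that intent explicit, or else a comment above the allow recording why the current order is safe.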
diff --git a/skel/gitano-admin/rules/createrepo.lace b/skel/gitano-admin/rules/createrepo.lace
new file mode 100644
index 0000000..9085706
--- /dev/null
+++ b/skel/gitano-admin/rules/createrepo.lace
@@ -0,0 +1,12 @@
+# Rules related to creating repositories
+
+# Administrators have already been permitted whatever they like
+# so this is for non-admins.
+
+# Uncomment the following to allow repositories in personal/username/
+
+# define repo_is_personal repository ~^personal/${user}/
+# allow "Personal repo creation is okay" repo_is_personal
+
+# Otherwise the default is that non-admins can't create repositories
+deny "Repository creation is not permitted."
diff --git a/skel/gitano-admin/rules/defines.lace b/skel/gitano-admin/rules/defines.lace
new file mode 100644
index 0000000..64af8ca
--- /dev/null
+++ b/skel/gitano-admin/rules/defines.lace
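Review bot: The template `# define repo_is_personal repository ~^personal/${user}/` in createrepo.lace substitutes `${user}` into a regular-expression match, so if user names may contain regex metacharacters (`.`, `+`, parentheses) the pattern no longer matches the literal name once a site uncomments it. Whether gitano restricts user names to a safe character set is not visible from this skeleton, so this is hedged. Since administrators are explicitly invited to enable the rule, a warning next to it such as `# ${user} is substituted verbatim into the pattern; only safe if user names cannot contain regex metacharacters` would let them check before turning it on.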
@@ -0,0 +1,65 @@
+# A useful set of defines
+
+# User/group related
+define is_admin group gitano-admin
+define is_owner owner ${user}
+
+define if_asanother as_user ~.
+
+# Self-related operations
+define op_whoami operation whoami
+define op_sshkey operation sshkey
+
+# Admin-related operations
+
+## Users
+define op_useradd operation useradd
+define op_userdel operation userdel
+define op_userlist operation userlist
+define op_useremail operation useremail
+define op_username operation username
+define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
+
+## Groups
+define op_grouplist operation grouplist
+define op_groupshow operation groupshow
+define op_groupadd operation groupadd
+define op_groupdel operation groupdel
+define op_groupadduser operation groupadduser
+define op_groupdeluser operation groupdeluser
+define op_groupaddgroup operation groupaddgroup
+define op_groupdelgroup operation groupdelgroup
+define op_groupdescription operation groupdescription
+define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
+
+## Aggregation of admin ops
+define op_is_admin anyof op_user op_group
+
+# Primary repository-related operations
+define op_read operation read
+define op_write operation write
+define op_createrepo operation createrepo
+define op_renamerepo operation renamerepo
+define op_destroyrepo operation destroyrepo
+
+# Remote configuration operations
+define op_config_show operation config_show
+define op_config_set operation config_set
+define op_config_del operation config_del
+define op_is_config anyof op_config_show op_config_set op_config_del
+
+# Reference update related operations
+define op_createref operation createref
+define op_deleteref operation deleteref
+define op_fastforward operation updaterefff
+define op_forcedupdate operation updaterefnonff
+
+# Combinator operations
+define op_is_basic anyof op_read op_write 
+define op_is_update anyof op_fastforward op_forcedupdate
+define op_is_normal anyof op_fastforward op_createref op_deleteref
+
+# Administration
+define is_admin_repo repository gitano-admin
+define is_gitano_ref ref ~^refs/gitano/
+define is_admin_ref ref refs/gitano/admin
diff --git a/skel/gitano-admin/rules/destroyrepo.lace b/skel/gitano-admin/rules/destroyrepo.lace
new file mode 100644
index 0000000..fd02547
--- /dev/null
+++ b/skel/gitano-admin/rules/destroyrepo.lace
@@ -0,0 +1,6 @@
+# Rules related to the destroying of repositories
+
+# For now, owners may destroy repositories
+allow "You may destroy your own repositories" op_destroyrepo is_owner
+
+deny "You may not destroy repositories you do not own"
diff --git a/skel/gitano-admin/rules/project.lace b/skel/gitano-admin/rules/project.lace
new file mode 100644
index 0000000..26729d6
--- /dev/null
+++ b/skel/gitano-admin/rules/project.lace
@@ -0,0 +1,19 @@
+# Core project administration rules
+
+# Admins already got allowed, so this is for non-admin users only
+allow "Owners can always read and write" op_is_basic is_owner
+
+# Uncomment if you want to *force* anonymous access to all but gitano-admin
+# allow "Anonymous access always allowed" op_read !is_admin_repo
+
+# Project remote-configuration rules (set-head etc)
+include global:remoteconfigchecks op_is_config
+
+# Okay, if we're altering the admin ref, in we go
+include global:adminchecks is_admin_ref
+
+# Now we're into branch operations. Owners can do any normal operation
+# Normal ops are create/delete/fastforward on refs
+allow "Owners can create refs" op_is_normal is_owner
+# We don't enable non-fastforward updates by default. Projects must do
+# this in their own rules if they want it.
diff --git a/skel/gitano-admin/rules/remoteconfigchecks.lace b/skel/gitano-admin/rules/remoteconfigchecks.lace
new file mode 100644
index 0000000..7c6a317
--- /dev/null
+++ b/skel/gitano-admin/rules/remoteconfigchecks.lace
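Review bot: In defines.lace, `define op_is_normal anyof op_fastforward op_createref op_deleteref` deliberately leaves out `op_forcedupdate` while `op_is_update` on the line above includes it, and nothing records that the omission is intentional; project.lace relies on exactly this to keep non-fast-forward updates off by default. A one-line comment above the define, `# op_is_normal excludes forced (non-fastforward) updates on purpose; projects opt in to those in their own rules`, would stop a later edit from "completing" the list. The same hunk starts on the previous rendered line.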
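Review bot: In project.lace, `allow "Owners can create refs" op_is_normal is_owner` grants create, delete and fast-forward on every ref (op_is_normal is anyof those three in defines.lace), but the rule text names only creation, so the message recorded when an owner deletes a branch will be misleading; `allow "Owners may create, delete and fast-forward refs" op_is_normal is_owner` says what it does. Separately, only `refs/gitano/admin` is routed through adminchecks (`include global:adminchecks is_admin_ref`), so any other ref under `refs/gitano/` falls straight through to this owner allow even though `is_gitano_ref` is defined and unused in this commit; whether such refs carry meaning for gitano is not visible here, but if they do, a guard on `is_gitano_ref` ahead of the allow would be the place for it.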
@@ -0,0 +1,6 @@
+# Remote config checks
+
+# Owners may do any remote admin operation they choose
+allow "Owners may remote-admin their repositories" is_owner
+
+deny "You may not configure this repository remotely"
diff --git a/skel/gitano-admin/rules/renamerepo.lace b/skel/gitano-admin/rules/renamerepo.lace
new file mode 100644
index 0000000..946d544
--- /dev/null
+++ b/skel/gitano-admin/rules/renamerepo.lace
@@ -0,0 +1,6 @@
+# Rules related to renaming repositories
+
+# For now, owners may rename their repositories
+allow "Owners may rename repositories" op_renamerepo is_owner
+
+deny "You may not rename a repository you do not own"
diff --git a/skel/gitano-admin/rules/selfchecks.lace b/skel/gitano-admin/rules/selfchecks.lace
new file mode 100644
index 0000000..300bb91
--- /dev/null
+++ b/skel/gitano-admin/rules/selfchecks.lace
@@ -0,0 +1,5 @@
+# Checks against self
+
+allow "You may ask who you are" op_whoami
+
+allow "You may manage your own ssh keys" op_sshkey
diff --git a/skel/gitano-admin/rules/siteadmin.lace b/skel/gitano-admin/rules/siteadmin.lace
new file mode 100644
index 0000000..bf72bb2
--- /dev/null
+++ b/skel/gitano-admin/rules/siteadmin.lace
@@ -0,0 +1,7 @@
+# Site administration rules
+
+# You must explicitly allow site administration here for anyone who
+# has the rights to do site admin but isn't a member of gitano-admin.
+
+# Otherwise we always deny site administration
+deny "You may not perform site administration" |
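Review bot: In renamerepo.lace, `allow "Owners may rename repositories" op_renamerepo is_owner` authorises on ownership of the source repository only; nothing in this file constrains the destination name, so whether a rename may land in a namespace the site reserves for others (for example the `personal/<username>/` prefix once the createrepo template is enabled) depends on validation in the rename command itself, which this hunk does not show. If the command does validate the target, a comment here saying so would save the next reader the same question; if it does not, a define on the target name alongside `is_owner` is the natural place for the check. I cannot confirm from the rules alone which case applies.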