-rw-r--r-- | lang/en.lua | 4 | ||||
-rw-r--r-- | lib/gitano/lace.lua | 13 | ||||
-rw-r--r-- | testing/01-basics.yarn | 2 |
3 files changed, 19 insertions, 0 deletions
diff --git a/lang/en.lua b/lang/en.lua
index 2f1b76b..ded6ba6 100644
--- a/lang/en.lua
+++ b/lang/en.lua
@@ -172,6 +172,10 @@ example administration repository rules and an admin user and group.
 ERROR_UNEXPECTED_ADDITIONAL_ARGUMENT = "Unexpected additional argument",
 ERROR_MISSING_MATCHTYPE_OR_VALUE = "Missing match type or value",
 ERROR_UNKNOWN_MATCHTYPE = "Unknown match type",
+ LACE_BYPASS_BANNER_HEADER = "**** DANGER **** SOMETHING RISKY HAPPENING **** DANGER ****",
+ LACE_BYPASS_ALERT_MESSAGE = "**** An ACL check was bypassed thanks to gitano-bypass ****",
+ LACE_BYPASS_BANNER_FOOTER = "**** DANGER **** ACL BYPASS IS VERY RISKY **** DANGER ****",
+ LACE_BYPASSED = "ACL check bypassed because caller is gitano-bypass",
 -- Messages from the plugin module
 WARN_UNABLE_SCAN_PLUGINDIR = "Unable to scan plugin directory '${dir}': ${reason}",
diff --git a/lib/gitano/lace.lua b/lib/gitano/lace.lua
index 6d9c0bf..59c5a7a 100644
--- a/lib/gitano/lace.lua
+++ b/lib/gitano/lace.lua
@@ -209,6 +209,19 @@ local function compile_ruleset(repo, adminsha, globaladminsha)
 end
 local function run_ruleset(ruleset, ctx)
+ -- First check if we're running as bypass
+ if ctx.as_user == "gitano-bypass" then
+ log.stdout(i18n.expand("LACE_BYPASS_BANNER_HEADER"))
+ log.stdout(i18n.expand("LACE_BYPASS_ALERT_MESSAGE"))
+ log.stdout(i18n.expand("LACE_BYPASS_BANNER_FOOTER"))
+ return "allow", i18n.expand("LACE_BYPASSED")
+ end
+ if ctx.as_user == nil and ctx.user == "gitano-bypass" then
+ log.stdout(i18n.expand("LACE_BYPASS_BANNER_HEADER"))
+ log.stdout(i18n.expand("LACE_BYPASS_ALERT_MESSAGE"))
+ log.stdout(i18n.expand("LACE_BYPASS_BANNER_FOOTER"))
+ return "allow", i18n.expand("LACE_BYPASSED")
+ end
 return lace.engine.run(ruleset, ctx)
 end
diff --git a/testing/01-basics.yarn b/testing/01-basics.yarn
index 76c492b..7ab9668 100644
--- a/testing/01-basics.yarn
+++ b/testing/01-basics.yarn
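Review bot: The early return added to run_ruleset in lib/gitano/lace.lua grants `allow` purely because the effective user name equals the string `gitano-bypass`, and nothing in this hunk shows that name being reserved or the `as_user` path being restricted. It should be confirmed elsewhere in the series that no ordinary account can be created with that name and that callers who may act as another user cannot select it, since either would skip every ruleset. The only trace of a bypass visible here is the banner written with `log.stdout`, which presumably reaches only the caller, so a durable audit entry naming the repository and operation would be worth emitting before the return. The two branches are identical and, assuming `as_user` is always nil or a string, can be one: `local who = ctx.as_user or ctx.user` followed by `if who == "gitano-bypass" then`.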
@@ -130,3 +130,5 @@ in order to discourage the human from automating bypasses instead.
 WHEN testinstance bypasskey runs ls
 THEN stdout contains ALERT
 AND stdout contains DO NOT DO THIS
+ AND stdout contains DANGER
+ AND stdout contains VERY RISKY |