From d2732c73915f3bec423dc89d3b3d185b6b7917e3 Mon Sep 17 00:00:00 2001 From: Daniel Silverstone Date: Thu, 30 Aug 2012 18:37:59 +0100 Subject: INSTALLER: make install and gitano-setup should work (mostly) --- example/gitano-admin/groups/gitano-admin.conf | 4 -- example/gitano-admin/rules/adminchecks.lace | 23 -------- example/gitano-admin/rules/aschecks.lace | 8 --- example/gitano-admin/rules/core.lace | 36 ------------ example/gitano-admin/rules/createrepo.lace | 12 ---- example/gitano-admin/rules/defines.lace | 65 ---------------------- example/gitano-admin/rules/destroyrepo.lace | 6 -- example/gitano-admin/rules/project.lace | 19 ------- example/gitano-admin/rules/remoteconfigchecks.lace | 6 -- example/gitano-admin/rules/renamerepo.lace | 6 -- example/gitano-admin/rules/selfchecks.lace | 5 -- example/gitano-admin/rules/siteadmin.lace | 7 --- example/gitano-admin/site.conf | 5 -- example/gitano-admin/users/dsilvers/torpor.key | 1 - example/gitano-admin/users/dsilvers/user.conf | 2 - 15 files changed, 205 deletions(-) delete mode 100644 example/gitano-admin/groups/gitano-admin.conf delete mode 100644 example/gitano-admin/rules/adminchecks.lace delete mode 100644 example/gitano-admin/rules/aschecks.lace delete mode 100644 example/gitano-admin/rules/core.lace delete mode 100644 example/gitano-admin/rules/createrepo.lace delete mode 100644 example/gitano-admin/rules/defines.lace delete mode 100644 example/gitano-admin/rules/destroyrepo.lace delete mode 100644 example/gitano-admin/rules/project.lace delete mode 100644 example/gitano-admin/rules/remoteconfigchecks.lace delete mode 100644 example/gitano-admin/rules/renamerepo.lace delete mode 100644 example/gitano-admin/rules/selfchecks.lace delete mode 100644 example/gitano-admin/rules/siteadmin.lace delete mode 100644 example/gitano-admin/site.conf delete mode 100644 example/gitano-admin/users/dsilvers/torpor.key delete mode 100644 example/gitano-admin/users/dsilvers/user.conf (limited to 'example') 
diff --git a/example/gitano-admin/groups/gitano-admin.conf b/example/gitano-admin/groups/gitano-admin.conf
deleted file mode 100644
index 959690d..0000000
--- a/example/gitano-admin/groups/gitano-admin.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-description = "Gitano Administrators"
-members = { "dsilvers" }
-subgroups = {}
-
diff --git a/example/gitano-admin/rules/adminchecks.lace b/example/gitano-admin/rules/adminchecks.lace
deleted file mode 100644
index 75ca753..0000000
--- a/example/gitano-admin/rules/adminchecks.lace
+++ /dev/null
@@ -1,23 +0,0 @@
-# Core project administration rules
-
-# Called with ref known to be refs/gitano/admin
-
-# Administrators already got to do anything, so this is for non-admins
-
-# Non-admin members may not delete the admin ref
-deny "Non-administrators may not delete the admin ref" op_deleteref
-
-# By default, you don't want anything but gitano-admin members to touch
-# anything in the hooks/ tree, so don't allow that
-define contains_hooks target_tree ~^hooks/
-define updates_hooks treediff/targets ~^hooks/
-
-deny "Attempt to create hooks" op_createref contains_hooks
-deny "Attempt to alter hooks" op_is_update updates_hooks
-
-# Otherwise, the project's owner is allowed to alter the admin tree
-allow "Project owner may alter the admin ref" is_owner
-
-# Any other opportunities for altering the admin ref must be provided
-# by the project's rules
-
\ No newline at end of file
diff --git a/example/gitano-admin/rules/aschecks.lace b/example/gitano-admin/rules/aschecks.lace
deleted file mode 100644
index 3623709..0000000
--- a/example/gitano-admin/rules/aschecks.lace
+++ /dev/null
@@ -1,8 +0,0 @@
-# Rules for when we're running as another user.
-# Only 'deny' things which are not allowed.
-# If you 'allow' then it will allow the actual operation, not just
-# fail to deny the fact that it's 'as' someone else.
-
-define as_is_admin as_group gitano-admin
-
-deny "You may not run things as another user unless you are an admin" !as_is_admin
diff --git a/example/gitano-admin/rules/core.lace b/example/gitano-admin/rules/core.lace
deleted file mode 100644
index c54dcba..0000000
--- a/example/gitano-admin/rules/core.lace
+++ /dev/null
@@ -1,36 +0,0 @@
-# Prepare the initial definitions
-
-default deny "The ruleset didn't provide access. Denying by default."
-
-include global:defines
-
-# Now, if we're in the admin group, we can always do stuff
-allow "Administrators can do anything" is_admin
-
-# Now let's decide if we can use 'as'
-include global:aschecks if_asanother
-
-# Operations which are against 'self' get checked next
-include global:selfchecks
-
-# Administration operations (users, groups) next
-include global:siteadmin op_is_admin
-
-# Site-defined rules for repository creation
-include global:createrepo op_createrepo
-
-# Site-defined rules for repository renaming
-include global:renamerepo op_renamerepo
-
-# Site-defined rules for repository destruction
-include global:destroyrepo op_destroyrepo
-
-# Site-defined rules for project repositories, including admin of them
-include global:project
-
-# Now the project rules themselves
-include main
-
-# Now, if you want to allow anonymous access if the project doesn't prevent
-# it, then you can uncomment the following:
-# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/example/gitano-admin/rules/createrepo.lace b/example/gitano-admin/rules/createrepo.lace
deleted file mode 100644
index 9085706..0000000
--- a/example/gitano-admin/rules/createrepo.lace
+++ /dev/null
@@ -1,12 +0,0 @@
-# Rules related to creating repositories
-
-# Administrators have already been permitted whatever they like
-# so this is for non-admins.
-
-# Uncomment the following to allow repositories in personal/username/
-
-# define repo_is_personal repository ~^personal/${user}/
-# allow "Personal repo creation is okay" repo_is_personal
-
-# Otherwise the default is that non-admins can't create repositories
-deny "Repository creation is not permitted."
diff --git a/example/gitano-admin/rules/defines.lace b/example/gitano-admin/rules/defines.lace
deleted file mode 100644
index 64af8ca..0000000
--- a/example/gitano-admin/rules/defines.lace
+++ /dev/null
@@ -1,65 +0,0 @@
-# A useful set of defines
-
-# User/group related
-define is_admin group gitano-admin
-define is_owner owner ${user}
-
-define if_asanother as_user ~.
-
-# Self-related operations
-define op_whoami operation whoami
-define op_sshkey operation sshkey
-
-# Admin-related operations
-
-## Users
-define op_useradd operation useradd
-define op_userdel operation userdel
-define op_userlist operation userlist
-define op_useremail operation useremail
-define op_username operation username
-define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
-
-## Groups
-define op_grouplist operation grouplist
-define op_groupshow operation groupshow
-define op_groupadd operation groupadd
-define op_groupdel operation groupdel
-define op_groupadduser operation groupadduser
-define op_groupdeluser operation groupdeluser
-define op_groupaddgroup operation groupaddgroup
-define op_groupdelgroup operation groupdelgroup
-define op_groupdescription operation groupdescription
-define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
-
-## Aggregation of admin ops
-define op_is_admin anyof op_user op_group
-
-# Primary repository-related operations
-define op_read operation read
-define op_write operation write
-define op_createrepo operation createrepo
-define op_renamerepo operation renamerepo
-define op_destroyrepo operation destroyrepo
-
-# Remote configuration operations
-define op_config_show operation config_show
-define op_config_set operation config_set
-define op_config_del operation config_del
-define op_is_config anyof op_config_show op_config_set op_config_del
-
-# Reference update related operations
-define op_createref operation createref
-define op_deleteref operation deleteref
-define op_fastforward operation updaterefff
-define op_forcedupdate operation updaterefnonff
-
-# Combinator operations
-define op_is_basic anyof op_read op_write
-define op_is_update anyof op_fastforward op_forcedupdate
-define op_is_normal anyof op_fastforward op_createref op_deleteref
-
-# Administration
-define is_admin_repo repository gitano-admin
-define is_gitano_ref ref ~^refs/gitano/
-define is_admin_ref ref refs/gitano/admin
diff --git a/example/gitano-admin/rules/destroyrepo.lace b/example/gitano-admin/rules/destroyrepo.lace
deleted file mode 100644
index fd02547..0000000
--- a/example/gitano-admin/rules/destroyrepo.lace
+++ /dev/null
@@ -1,6 +0,0 @@
-# Rules related to the destroying of repositories
-
-# For now, owners may destroy repositories
-allow "You may destroy your own repositories" op_destroyrepo is_owner
-
-deny "You may not destroy repositories you do not own"
diff --git a/example/gitano-admin/rules/project.lace b/example/gitano-admin/rules/project.lace
deleted file mode 100644
index 26729d6..0000000
--- a/example/gitano-admin/rules/project.lace
+++ /dev/null
@@ -1,19 +0,0 @@
-# Core project administration rules
-
-# Admins already got allowed, so this is for non-admin users only
-allow "Owners can always read and write" op_is_basic is_owner
-
-# Uncomment if you want to *force* anonymous access to all but gitano-admin
-# allow "Anonymous access always allowed" op_read !is_admin_repo
-
-# Project remote-configuration rules (set-head etc)
-include global:remoteconfigchecks op_is_config
-
-# Okay, if we're altering the admin ref, in we go
-include global:adminchecks is_admin_ref
-
-# Now we're into branch operations. Owners can do any normal operation
-# Normal ops are create/delete/fastforward on refs
-allow "Owners can create refs" op_is_normal is_owner
-# We don't enable non-fastforward updates by default. Projects must do
-# this in their own rules if they want it.
diff --git a/example/gitano-admin/rules/remoteconfigchecks.lace b/example/gitano-admin/rules/remoteconfigchecks.lace
deleted file mode 100644
index 7c6a317..0000000
--- a/example/gitano-admin/rules/remoteconfigchecks.lace
+++ /dev/null
@@ -1,6 +0,0 @@
-# Remote config checks
-
-# Owners may do any remote admin operation they choose
-allow "Owners may remote-admin their repositories" is_owner
-
-deny "You may not configure this repository remotely"
diff --git a/example/gitano-admin/rules/renamerepo.lace b/example/gitano-admin/rules/renamerepo.lace
deleted file mode 100644
index 946d544..0000000
--- a/example/gitano-admin/rules/renamerepo.lace
+++ /dev/null
@@ -1,6 +0,0 @@
-# Rules related to renaming repositories
-
-# For now, owners may rename their repositories
-allow "Owners may rename repositories" op_renamerepo is_owner
-
-deny "You may not rename a repository you do not own"
diff --git a/example/gitano-admin/rules/selfchecks.lace b/example/gitano-admin/rules/selfchecks.lace
deleted file mode 100644
index 300bb91..0000000
--- a/example/gitano-admin/rules/selfchecks.lace
+++ /dev/null
@@ -1,5 +0,0 @@
-# Checks against self
-
-allow "You may ask who you are" op_whoami
-
-allow "You may manage your own ssh keys" op_sshkey
diff --git a/example/gitano-admin/rules/siteadmin.lace b/example/gitano-admin/rules/siteadmin.lace
deleted file mode 100644
index bf72bb2..0000000
--- a/example/gitano-admin/rules/siteadmin.lace
+++ /dev/null
@@ -1,7 +0,0 @@
-# Site administration rules
-
-# You must explicitly allow site administration here for anyone who
-# has the rights to do site admin but isn't a member of gitano-admin.
-
-# Otherwise we always deny site administration
-deny "You may not perform site administration"
diff --git a/example/gitano-admin/site.conf b/example/gitano-admin/site.conf
deleted file mode 100644
index bec6f3e..0000000
--- a/example/gitano-admin/site.conf
+++ /dev/null
@@ -1,5 +0,0 @@
--- Sample configuration for Gitano
-site_name = "Gitano pre-alpha repository server (Laced)"
-repository_root = "/home/gitano/repos"
-bin_path = "/home/gitano/bin"
-graveyard_root = "/home/gitano/graveyard"
diff --git a/example/gitano-admin/users/dsilvers/torpor.key b/example/gitano-admin/users/dsilvers/torpor.key
deleted file mode 100644
index 973e0f9..0000000
--- a/example/gitano-admin/users/dsilvers/torpor.key
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmFPyhleGHuoWGgMWZWxZujNM6S4gwxx/FZw94d5ZBiRAQ2miKemdhQxoPnVhzLzx4CX0sFfU1P7HUEx+6xigf8EjrHxBYTgjh7JSCR0apcExoAVihVG+pnMDCf+CqueIbUMVRm7PEmTcg4NNMx7f60Y0zrUa3iNnU8flA+28IkrCz0RVycAKT418337PqRBaXBbnCprNkF2gOHj1mLymsE0ehwiQOd2+ocjHdxSwDayJ2OwNAIdPcb/78RixH12d5F7r3cdNNFjuXuXwSrG+ILEtbXFJEvEXnccOARMeW7uzlZsSkfeNivU3nyxJ8ZxDAFSL8JHi8edBwON6qr7+r danielsilverstone@torpor
diff --git a/example/gitano-admin/users/dsilvers/user.conf b/example/gitano-admin/users/dsilvers/user.conf
deleted file mode 100644
index 971d92d..0000000
--- a/example/gitano-admin/users/dsilvers/user.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-real_name = "Daniel Silverstone"
-email_address = "dsilvers@digital-scurf.org"
-- cgit v1.2.1