Controlando los Permisos via Hooks

Ejercicio 13.38.1   Restrinja los accesos de un compañero a un proyecto situado en su repositorio. Para ello siga estos pasos:

1. Ejemplo de un ejecutable pre-commit:

   -bash-3.2$ uname -a
   Linux banot.etsii.ull.es 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:37:14 EDT 2010 i686 i686 i386 GNU/Linux
   -bash-3.2$ pwd
   /home/casiano/newrepository/hooks
   -bash-3.2$ ls -l pre-commit
   -rwxr-xr-x 1 casiano apache 281 abr 20 17:17 pre-commit
   -bash-3.2$
   -bash-3.2$ cat pre-commit
   #!/bin/sh
   
   REPOS="$1"
   TXN="$2"
   
   perl -I/home/casiano/perl5/lib/perl5/site_perl/5.8.8/ /home/casiano/newrepository/hooks/commit-access-control.pl \
                              "$REPOS" "$TXN" /home/casiano/newrepository/hooks/commit-access-control.cfg || exit 1
   
   # All checks passed, so allow the commit.
   exit 0
   -bash-3.2$
   

   En /home/casiano/perl5/lib/perl5/site_perl/5.8.8/ se encuentra la librería Config::IniFiles usada por commit-access-control.pl para parsear el fichero de configuración.

2. Asegúrese que otro compañero puede acceder a su repositorio usando el protocolo svn+ssh. Para ello, si no lo ha hecho ya, genere una pareja de claves y publique la clave en el servidor subversion. Recuerde el formato en el fichero authorized_keys para identificarle:

   -bash-3.2$ cat ~/.ssh/authorized_keys                                        
   .............................................................
   
   # key for subversion
   command="/usr/bin/svnserve -t -r /home/casiano/newrepository/ --tunnel-user=aluXXXX",no-port-forwarding ssh-dss AAAAB...................= myfriend key
   

3. Restrinja los accesos de ese compañero editando el fichero de configuración:

   -bash-3.2$ cat commit-access-control.cfg
   [Make everything read-only for all users]
           match   = .*
           access  = read-only
   
   [project1 aluXXXX permissions]
           match  = ^project1/trunk
           users  = myfriend
           access = read-write
   
   [casiano permissions]
           match  = .*
           users  = casiano
           access = read-write
   

4. Compruebe que su compañero tiene el acceso limitado a las correspondientes partes del proyecto. El compañero crea una entrada en su configuración ssh para facilitar el acceso via svn al repositorio:

   aluXXXX@nereida:/tmp$ sed -ne '/svn/,//p' /home/aluXXXX/.ssh/config 
   Host svn                                                    
   HostName banot.etsii.ull.es                                 
   user casiano                                                
   IdentityFile /home/aluXXXX/.ssh/id_dsa_svn
   

   A continuación descarga los proyectos en los que está interesado:

   aluXXXX@nereida:/tmp$ svn ls svn+ssh://svn/
   project1/                              
   project2/                              
   aluXXXX@nereida:/tmp$ svn checkout svn+ssh://svn/
   A    svn/project1                            
   A    svn/project1/trunk                      
   A    svn/project1/trunk/t                    
   A    svn/project1/trunk/t/project1.t         
   A    svn/project1/trunk/MANIFEST             
   A    svn/project1/trunk/lib                  
   A    svn/project1/trunk/lib/project1.pm      
   A    svn/project1/trunk/Makefile.PL          
   A    svn/project1/trunk/Changes              
   A    svn/project1/trunk/README               
   A    svn/project1/branches
   A    svn/project1/branches/branch1
   A    svn/project1/branches/branch1/t
   A    svn/project1/branches/branch1/t/project1.t
   A    svn/project1/branches/branch1/MANIFEST
   A    svn/project1/branches/branch1/lib
   A    svn/project1/branches/branch1/lib/project1.pm
   A    svn/project1/branches/branch1/Makefile.PL
   A    svn/project1/branches/branch1/Changes
   A    svn/project1/branches/branch1/README
   A    svn/project2
   A    svn/project2/trunk
   A    svn/project2/trunk/t
   A    svn/project2/trunk/t/project2.t
   A    svn/project2/trunk/MANIFEST
   A    svn/project2/trunk/lib
   A    svn/project2/trunk/lib/project2.pm
   A    svn/project2/trunk/Makefile.PL
   A    svn/project2/trunk/Changes
   A    svn/project2/trunk/README
   Revisión obtenida: 24
   

   Hace modificaciones e intenta un commit en la zona prohibida:

   aluXXXX@nereida:/tmp$ cd svn/project1/branches/branch1
   aluXXXX@nereida:/tmp/svn/project1/branches/branch1$ echo '# comentario'>>Makefile.PL
   aluXXXX@nereida:/tmp/svn/project1/branches/branch1$ svn commit -m 'checking permits'
   Enviando       branch1/Makefile.PL
   Transmitiendo contenido de archivos .svn: Falló el commit (detalles a continuación):
   svn: El hook 'pre-commit' falló con la siguiente salida de error:
   /home/casiano/newrepository/hooks/commit-access-control.pl: user `aluXXXX' does not have permission to commit to these paths:
     project1/branches/branch1
     project1/branches/branch1/Makefile.PL
   

   Veamos que ocurre en la zona en la que tiene permisos de escritura:

   aluXXXX@nereida:/tmp/svn/project1/branches/branch1$ cd /tmp/svn/project1/trunk/
   aluXXXX@nereida:/tmp/svn/project1/trunk$ echo '# comentario'>>Makefile.PL
   aluXXXX@nereida:/tmp/svn/project1/trunk$ svn commit -m 'checking permits'
   Enviando       trunk/Makefile.PL
   Transmitiendo contenido de archivos .
   Commit de la revisión 25.
   aluXXXX@nereida:/tmp/svn/project1/trunk$
   

Véanse:

• Subversion Permissions using commit-access-control.pl pre-commit hook
• Fichero /usr/share/doc/subversion-1.4.2/tools/hook-scripts/commit-access-control.pl en banot y en https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/commit-access-control.pl.in (Para entender el código necesitará repasar las secciones , y )
• Fichero de configuración (Véase también Subversion Repositories: Governing Commit Permissons):

  A sample configuration might look like the following, in which users mother, father, dick, jane, and spot (along with any other users who have unix-file-permission access to the repository) have read-access on testproj-a and testproj-b; but only dick and jane can write (commit) to testproj-a. Only spot can write (commit) to any part of testproj-b, but father can commit to the bbq directory of testproj-b, in the branches, tags, and/or trunk directories of that project.

  Note the special case login, mother, who can write to all directories and files in this repository - including SVN/ which is where the commit permission configuration file is versioned. Some account with this level of privilege is necessary if new projects are to be created in the repository (as siblings - if you will - to testproj-a and testproj-b). It is mother who would import the new projects and, presumably, modify the commit access configuration file to allow write access on the new project to appropriate users.

          [Make everything read-only for all users]
          match   = .*
          access  = read-only
  
          [REPOSITORY WRITE EVERYTHING]
          match   = .*
          access  = read-write
          users   = mother
          
          [SVN - config modification permissions]
          match   = ^SVN
          access  = read-write
          users   = mother
          
          [testproj-a commit permissions]
          match  = ^testproj-a/(branches|tags|trunk)
          users  = dick jane
          access = read-write
          
          [testproj-b commit permissions]
          match  = ^testproj-b/(branches|tags|trunk)
          users  = spot
          access = read-write
  
          [testproj-b/bbq commit permissions]
          match  = ^testproj-b/(branches|tags|trunk)/bbq
          users  = father
          access = read-write