[Monotone-commits-diffs] net.venge.monotone: 614e77089113eba5870347b055
From: |
code |
Subject: |
[Monotone-commits-diffs] net.venge.monotone: 614e77089113eba5870347b0558c555cf78417a7 |
Date: |
Thu, 25 Nov 2010 15:45:28 GMT |
revision: 614e77089113eba5870347b0558c555cf78417a7
date: 2010-11-25T15:44:41
author: Richard Levitte <address@hidden>
branch: net.venge.monotone
changelog:
Add a server hook to authenticate remote automate operations, either
by matching a key identity with patterns in the file
remote-automate-permissions, or matching the command with a configured
list of safe remote automate commands (configured through the variable
ARA_safe_commands, which can be set up anywhere before this hook is
loaded).
manifest:
format_version "1"
new_manifest [bd068eaaad9a34d476669d6e0e9a1b0e1ef38e5b]
old_revision [046b3d9c482da33053f4f97221237d0d1498b72f]
add_file "contrib/authorize_remote_automate.lua"
content [524e291413561068423348e2403cf44635d74e9b]
============================================================
--- /dev/null
+++ contrib/authorize_remote_automate.lua 524e291413561068423348e2403cf44635d74e9b
@@ -0,0 +1,68 @@
+-- Copyright (c) 2010, Thomas Keller <address@hidden>
+-- Richard Levitte <address@hidden>
+--
+-- This script reads key identities from a file "remote-automate-permissions"
+-- in the configuration directory and permits those authenticating with one
+-- of those keys to perform dangerous (read/write) remote automate operations.
+-- The format of the file is very simple, one key identity on every line.
+-- Lines starting with # are ignore, as well as empty lines.
+--
+-- It's possible to configure this script to allow the performance of some
+-- remote automate commands anonymously, through the variable
+-- ARA_safe_commands, which has to be a table of commands as strings.
+-- One example configuration, taken from the setup at code.monotone.ca, could
+-- be this:
+--
+-- ARA_safe_commands = {
+-- "get_corresponding_path", "get_content_changed", "tags", "branches",
+-- "common_ancestors", "packet_for_fdelta", "packet_for_fdata",
+-- "packets_for_certs", "packet_for_rdata", "get_manifest_of",
+-- "get_revision", "select", "graph", "children", "parents", "roots",
+-- "leaves", "ancestry_difference", "toposort", "erase_ancestors",
+-- "descendents", "ancestors", "heads", "get_file_of", "get_file",
+-- "interface_version", "get_attributes", "content_diff",
+-- "file_merge", "show_conflicts", "certs", "keys", "get_extended_manifest_of"
+-- }
+
+do
+ local _safe_commands = {}
+ if ARA_safe_commands then
+ _safe_commands = ARA_safe_commands
+ end
+
+ local _save_get_remote_automate_permitted = get_remote_automate_permitted
+ function get_remote_automate_permitted(key_identity, command, options)
+ local permfile =
+ io.open(get_confdir() .. "/remote-automate-permissions", "r")
+ if (permfile == nil) then
+ return false
+ end
+
+ -- See if the incoming key matches any of the key identities or
+ -- patterns found in the permissions file.
+ local matches = false
+ local line = permfile:read()
+ while (not matches and line ~= nil) do
+ if not globish_match("#*", line) then
+ local _, _, ln = string.find(line, "%s*([^%s]*)%s*")
+ if ln == "*" then matches = true end
+ if ln == ident.id then matches = true end
+ if globish_match(ln, ident.name) then matches = true end
+ line = permfile:read()
+ end
+ end
+ io.close(permfile)
+ if matches then return true end
+
+ -- No matching key found, let's see if the command matches one the
+ -- admin allowed to be performed anonymously
+ for _,v in ipairs(_safe_commands) do
+ if (v == command[1]) then
+ return true
+ end
+ end
+
+ -- No matches found anywhere, then don't permit this operation
+ return false
+ end
+end
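Review bot: The permissions-file loop never terminates on a comment line, because `line = permfile:read()` sits inside the `if not globish_match("#*", line)` branch, so a line starting with `#` is skipped without advancing and the `while` condition is re-evaluated on the same line forever; the file header says such lines are ignored, and an admin adding one would hang every remote automate request in this hook. In the same loop the new function takes `key_identity` but compares against `ident.id` and `ident.name`, which is a nil index unless `ident` is a global defined elsewhere in the hook environment (nothing on this page shows one), so the key check cannot currently succeed. The rewritten loop below moves the read after the `if` and uses the parameter; whether `key_identity` exposes `.id` and `.name` should be confirmed against the hook's calling convention. Separately, the early `return false` when the permissions file is missing also denies the ARA_safe_commands path, which may be intended but contradicts the header's description of anonymous safe commands.
```lua
    local matches = false
    local line = permfile:read()
    while (not matches and line ~= nil) do
      if not globish_match("#*", line) then
        local _, _, ln = string.find(line, "%s*([^%s]*)%s*")
        if ln == "*" then matches = true end
        if ln == key_identity.id then matches = true end
        if globish_match(ln, key_identity.name) then matches = true end
      end
      -- advance unconditionally so comment lines cannot stall the loop
      line = permfile:read()
    end
    -- … unchanged: io.close(permfile), safe-command check, final return …
```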