ó œt•Pc@sxdZddlmZddlmZmZddlZddlZdZd„Z d„Z d„Z ddd „Z dS( shooks for controlling repository access This hook makes it possible to allow or deny write access to given branches and paths of a repository when receiving incoming changesets via pretxnchangegroup and pretxncommit. The authorization is matched based on the local user name on the system where the hook runs, and not the committer of the original changeset (since the latter is merely informative). The acl hook is best used along with a restricted shell like hgsh, preventing authenticating users from doing anything other than pushing or pulling. The hook is not safe to use if users have interactive shell access, as they can then disable the hook. Nor is it safe if remote users share an account, because then there is no way to distinguish them. The order in which access checks are performed is: 1) Deny list for branches (section ``acl.deny.branches``) 2) Allow list for branches (section ``acl.allow.branches``) 3) Deny list for paths (section ``acl.deny``) 4) Allow list for paths (section ``acl.allow``) The allow and deny sections take key-value pairs. Branch-based Access Control --------------------------- Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to have branch-based access control. Keys in these sections can be either: - a branch name, or - an asterisk, to match any branch; The corresponding values can be either: - a comma-separated list containing users and groups, or - an asterisk, to match anyone; You can add the "!" prefix to a user or group name to invert the sense of the match. Path-based Access Control ------------------------- Use the ``acl.deny`` and ``acl.allow`` sections to have path-based access control. Keys in these sections accept a subtree pattern (with a glob syntax by default). The corresponding values follow the same syntax as the other sections above. Groups ------ Group names must be prefixed with an ``@`` symbol. Specifying a group name has the same effect as specifying all the users in that group. You can define group members in the ``acl.groups`` section. If a group name is not defined there, and Mercurial is running under a Unix-like system, the list of users will be taken from the OS. Otherwise, an exception will be raised. Example Configuration --------------------- :: [hooks] # Use this if you want to check access restrictions at commit time pretxncommit.acl = python:hgext.acl.hook # Use this if you want to check access restrictions for pull, push, # bundle and serve. pretxnchangegroup.acl = python:hgext.acl.hook [acl] # Allow or deny access for incoming changes only if their source is # listed here, let them pass otherwise. Source is "serve" for all # remote access (http or ssh), "push", "pull" or "bundle" when the # related commands are run locally. # Default: serve sources = serve [acl.deny.branches] # Everyone is denied to the frozen branch: frozen-branch = * # A bad user is denied on all branches: * = bad-user [acl.allow.branches] # A few users are allowed on branch-a: branch-a = user-1, user-2, user-3 # Only one user is allowed on branch-b: branch-b = user-1 # The super user is allowed on any branch: * = super-user # Everyone is allowed on branch-for-tests: branch-for-tests = * [acl.deny] # This list is checked first. If a match is found, acl.allow is not # checked. All users are granted access if acl.deny is not present. # Format for both lists: glob pattern = user, ..., @group, ... # To match everyone, use an asterisk for the user: # my/glob/pattern = * # user6 will not have write access to any file: ** = user6 # Group "hg-denied" will not have write access to any file: ** = @hg-denied # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite # everyone being able to change all other files. See below. src/main/resources/DONT-TOUCH-THIS.txt = * [acl.allow] # if acl.allow is not present, all users are allowed by default # empty acl.allow = no users allowed # User "doc_writer" has write access to any file under the "docs" # folder: docs/** = doc_writer # User "jack" and group "designers" have write access to any file # under the "images" folder: images/** = jack, @designers # Everyone (except for "user6" and "@hg-denied" - see acl.deny above) # will have write access to any file under the "resources" folder # (except for 1 file. See acl.deny): src/main/resources/** = * .hgtags = release_engineer Examples using the "!" prefix ............................. Suppose there's a branch that only a given user (or group) should be able to push to, and you don't want to restrict access to any other branch that may be created. The "!" prefix allows you to prevent anyone except a given user or group to push changesets in a given branch or path. In the examples below, we will: 1) Deny access to branch "ring" to anyone but user "gollum" 2) Deny access to branch "lake" to anyone but members of the group "hobbit" 3) Deny access to a file to anyone but user "gollum" :: [acl.allow.branches] # Empty [acl.deny.branches] # 1) only 'gollum' can commit to branch 'ring'; # 'gollum' and anyone else can still commit to any other branch. ring = !gollum # 2) only members of the group 'hobbit' can commit to branch 'lake'; # 'hobbit' members and anyone else can still commit to any other branch. lake = !@hobbit # You can also deny access based on file paths: [acl.allow] # Empty [acl.deny] # 3) only 'gollum' can change the file below; # 'gollum' and anyone else can still change any other file. /misty/mountains/cave/ring = !gollum iÿÿÿÿ(t_(tutiltmatchNtinternalcCso|jd|ƒ}|r|S|jd|ƒytj|ƒSWn*tk rjtjtdƒ|ƒ‚nXdS(Ns acl.groupss&acl: "%s" not defined in [acl.groups] sgroup '%s' is undefined(t configlisttdebugRt groupmemberstKeyErrortAbortR(tuitgroupt hgrcusers((s-/sys/lib/python2.7/site-packages/hgext/acl.pyt _getusersÈs c CsÓ|dkrtSx¼|jddƒjƒD]¢}|jdƒr“|d}|jdƒ rd||ksŒ|jdƒrË|t||dƒkrËtSq)||ksÇ|jdƒr)|t||dƒkr)tSq)WtS(Nt*t,t t!it@(tTruetreplacetsplitt startswithR tFalse(R tusert usersorgroupstug((s-/sys/lib/python2.7/site-packages/hgext/acl.pyt _usermatchÖs  ( (csÔ|j|ƒs$|jd|ƒdSg|j|ƒD]$\}}t|||ƒr4|^q4‰|jd|tˆƒ|fƒ|s±ˆrªdˆkrtjS‡fd†StjSˆrÍt j |j dˆƒStjS(s/return tuple of (match function, list enabled).sacl: %s not enabled s(acl: %s enabled, %d entries for user %s R cs |ˆkS(N((tb(tpats(s-/sys/lib/python2.7/site-packages/hgext/acl.pytstN( t has_sectionRtNonet configitemsRtlenRtalwaystneverRtroot(R trepoRtkeytpattusers((Rs-/sys/lib/python2.7/site-packages/hgext/acl.pyt buildmatchïs    cKsï|dkr(tjtdƒ|ƒ‚n|dkrj||jdddƒjƒkrj|jd|ƒdSd}|dkr×d|kr×|djd ƒ}|d d kr×|d jd ƒr×tj |dƒ}q×n|dkròt j ƒ}n|jd|ƒ|jddƒ}|r@|j |ddddddgƒnt |d|dƒ} t |d|dƒ} t |||dƒ} t |||dƒ} xTt||t|ƒƒD]9} || }|jƒ}| r| |ƒrtjtdƒ|||fƒ‚n| r9| |ƒ r9tjtdƒ|||fƒ‚n|jd||fƒxƒ|jƒD]u}| rš| |ƒrštjtdƒ|||fƒ‚n| r]| |ƒ r]tjtdƒ|||fƒ‚q]q]W|jd|ƒq®WdS(Ntpretxnchangegroupt pretxncommitsIconfig error - hook type "%s" cannot stop incoming changesets nor commitstacltsourcestserves)acl: changes have source "%s" - skipping turlt:itremoteithttpis#acl: checking access for user "%s" tconfigtsectionss acl.groupssacl.allow.branchessacl.deny.branchess acl.allowsacl.denys5acl: user "%s" denied on branch "%s" (changeset "%s")s:acl: user "%s" not allowed on branch "%s" (changeset "%s")s0acl: branch access granted: "%s" on branch "%s" s.acl: user "%s" denied on "%s" (changeset "%s")s3acl: user "%s" not allowed on "%s" (changeset "%s")sacl: path access granted: "%s" (R+R,(RRRR4RRR Rturllibtunquotetgetpasstgetusert readconfigR*txrangeR"tbranchtfiles(R R&thooktypetnodetsourcetkwargsRR0tcfgt allowbranchest denybranchestallowtdenytrevtctxR<tf((s-/sys/lib/python2.7/site-packages/hgext/acl.pythook sT   !#     (t__doc__tmercurial.i18nRt mercurialRRR8R6t testedwithR RR*R RJ(((s-/sys/lib/python2.7/site-packages/hgext/acl.pytÀs