author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-06-17 10:06:13 +0000 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-06-17 11:12:35 +0000 |
commit | 54e3fbd49d10b70d04e03a646a494ec29a49ffc3 (patch) | |
tree | e7d955af0c4ea29f032709fe06f208509fccaa99 /gitano-admin/rules | |
parent | 5b0245acc1b5b1c520db847d70b1b81bafb4d0c2 (diff) | |
download | trove-setup-54e3fbd49d10b70d04e03a646a494ec29a49ffc3.tar.gz |
Move gitano skeleton to /usr/share/trove-setup/
Diffstat (limited to 'gitano-admin/rules')
-rw-r--r-- | gitano-admin/rules/adminchecks.lace | 25 | ||||
-rw-r--r-- | gitano-admin/rules/aschecks.lace | 30 | ||||
-rw-r--r-- | gitano-admin/rules/core.lace | 47 | ||||
-rw-r--r-- | gitano-admin/rules/createrepo.lace | 23 | ||||
-rw-r--r-- | gitano-admin/rules/defines.lace | 106 | ||||
-rw-r--r-- | gitano-admin/rules/destroyrepo.lace | 20 | ||||
-rw-r--r-- | gitano-admin/rules/other-project.lace | 25 | ||||
-rw-r--r-- | gitano-admin/rules/project.lace | 38 | ||||
-rw-r--r-- | gitano-admin/rules/remoteconfigchecks.lace | 20 | ||||
-rw-r--r-- | gitano-admin/rules/renamerepo.lace | 19 | ||||
-rw-r--r-- | gitano-admin/rules/selfchecks.lace | 15 | ||||
-rw-r--r-- | gitano-admin/rules/siteadmin.lace | 32 | ||||
-rw-r--r-- | gitano-admin/rules/trove-project.lace | 29 |
13 files changed, 0 insertions, 429 deletions
diff --git a/gitano-admin/rules/adminchecks.lace b/gitano-admin/rules/adminchecks.lace
deleted file mode 100644
index ffe99a0..0000000
--- a/gitano-admin/rules/adminchecks.lace
+++ /dev/null
@@ -1,25 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Core project administration rules
-
-# Called with ref known to be refs/gitano/admin
-
-# Administrators already got to do anything, so this is for non-admins
-
-# Non-admin members may not delete the admin ref
-deny "Non-administrators may not delete the admin ref" op_deleteref
-
-# Otherwise, the project's owner is allowed to alter the admin tree
-allow "Project owner may alter the admin ref" is_owner repo_is_personal
-
-# Project admins may alter admin refs
-allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin
-
-# Any other opportunities for altering the admin ref must be provided
-# by the project's rules
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace
deleted file mode 100644
index fc76440..0000000
--- a/gitano-admin/rules/aschecks.lace
+++ /dev/null
@@ -1,30 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Rules for when we're running as another user.
-
-# Only 'deny' things which are not allowed. If you 'allow' then it will allow
-# the actual operation, not just fail to deny the fact that it's 'as' someone
-# else.
-
-define as_is_admin as_group gitano-admin
-
-# trove-admin members are permitted to run sshkey and whoami on behalf
-# of others in order to check users and grant access, providing the target
-# user is not part of the gitano-admin group.
-
-define as_is_trove_admin as_group trove-admin
-define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
-
-# You are permitted to do things 'as' others if and only if the caller is
-# either a member of the administration group, or else meets the above
-# requirements.
-define as_is_ok anyof as_is_admin as_trove_admin_ok
-
-# Explicitly deny any impersonation operation which does not meet the above.
-deny "You may not run things as another user unless you are an admin" !as_is_ok
diff --git a/gitano-admin/rules/core.lace b/gitano-admin/rules/core.lace
deleted file mode 100644
index dab7cfb..0000000
--- a/gitano-admin/rules/core.lace
+++ /dev/null
@@ -1,47 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Core ruleset definitions for Trove.
-
-default deny "Trove ruleset failed to define result. Access denied."
-
-include global:defines
-
-# The users in the administration group (gitano-admin) may do anything
-# they choose (providing they're not being impersonated). By default
-# Only the user created as part of trove-setup has this level of access.
-allow "Administrators can do anything" is_admin !if_asanother
-
-# Now let's decide if we can use 'as'
-include global:aschecks if_asanother
-
-# Operations which are against 'self' get checked next
-include global:selfchecks
-
-# Administration operations (users, groups) next
-include global:siteadmin op_is_admin
-
-# Site-defined rules for repository creation
-include global:createrepo op_createrepo
-
-# Site-defined rules for repository renaming
-include global:renamerepo op_renamerepo
-
-# Site-defined rules for repository destruction
-include global:destroyrepo op_destroyrepo
-
-# Site-defined rules for project repositories, including admin of them
-include global:project
-
-# Now the project rules themselves
-include main
-
-# If you're running your access control somewhat more openly than most, You can
-# now uncomment the following and allow git:// access to *everything* which is
-# not the admin repository
-# allow "Anonymous access is okay" op_read !is_admin_repo
diff --git a/gitano-admin/rules/createrepo.lace b/gitano-admin/rules/createrepo.lace
deleted file mode 100644
index bf4683e..0000000
--- a/gitano-admin/rules/createrepo.lace
+++ /dev/null
@@ -1,23 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Rules related to creating repositories
-
-# Administrators have already been permitted whatever they like
-# so this is for site-wide non-admins.
-
-##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal
-
-# Allow people in *-admins to create repositories under <foo>
-allow "Project admins may make project repositories" repo_is_local_project project_admin
-
-# Allow lorry to create repositories anywhere but the local project root
-allow "Lorry may create lorryable repos" is_lorry lorryable_repo
-
-# Otherwise the default is that non-admins can't create repositories
-deny "Repository creation is not permitted."
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
deleted file mode 100644
index 380948a..0000000
--- a/gitano-admin/rules/defines.lace
+++ /dev/null
@@ -1,106 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012,2013 Codethink Limited
-#
-# Core definitions for access control
-
-# Gitano provided definitions first
-
-# User/group related
-define is_admin group gitano-admin
-define is_owner owner ${user}
-define is_anonymous user gitano/anonymous
-
-define if_asanother as_user ~.
-
-# Self-related operations
-define op_whoami operation whoami
-define op_sshkey operation sshkey
-define op_passwd operation passwd
-define op_self anyof op_whoami op_sshkey op_passwd
-
-# Admin-related operations
-
-## Users
-define op_useradd operation useradd
-define op_userdel operation userdel
-define op_userlist operation userlist
-define op_useremail operation useremail
-define op_username operation username
-define op_user anyof op_userlist op_useradd op_userdel op_useremail op_username
-
-## Groups
-define op_grouplist operation grouplist
-define op_groupshow operation groupshow
-define op_groupadd operation groupadd
-define op_groupdel operation groupdel
-define op_groupadduser operation groupadduser
-define op_groupdeluser operation groupdeluser
-define op_groupaddgroup operation groupaddgroup
-define op_groupdelgroup operation groupdelgroup
-define op_groupdescription operation groupdescription
-define op_group anyof op_grouplist op_groupshow op_groupadd op_groupdel op_groupadduser op_groupdeluser op_groupaddgroup op_groupdelgroup op_groupdescription
-
-## Aggregation of admin ops
-define op_is_admin anyof op_user op_group
-
-# Primary repository-related operations
-define op_read operation read
-define op_write operation write
-define op_createrepo operation createrepo
-define op_renamerepo operation renamerepo
-define op_destroyrepo operation destroyrepo
-
-# Remote configuration operations
-define op_config_show operation config_show
-define op_config_set operation config_set
-define op_config_del operation config_del
-define
op_is_config anyof op_config_show op_config_set op_config_del
-
-# Reference update related operations
-define op_createref operation createref
-define op_deleteref operation deleteref
-define op_fastforward operation updaterefff
-define op_forcedupdate operation updaterefnonff
-
-# Combinator operations
-define op_is_basic anyof op_read op_write
-define op_is_update anyof op_fastforward op_forcedupdate
-define op_is_normal anyof op_fastforward op_createref op_deleteref
-
-# Administration
-define is_admin_repo repository gitano-admin
-define is_gitano_ref ref ~^refs/gitano/
-define is_admin_ref ref refs/gitano/admin
-
-#
-#
-# Trove definitions after here
-#
-#
-
-define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/
-define ref_is_personal ref ~^refs/heads/##ESC_PREFIX##/${user}/
-define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/
-
-define project_reader group ${repository/2}-readers
-define project_writer group ${repository/2}-writers
-define project_admin group ${repository/2}-admins
-define project_manager group ${repository/2}-managers
-
-define master_ref ref ~^refs/heads/master$
-
-define op_is_reffy anyof op_is_normal op_forcedupdate
-
-define trove_site_admin group trove-admin
-define target_group_gitano_admin targetgroup gitano-admin
-
-define is_lorry user lorry
-define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/
-define lorryable_repo allof !repo_is_local_project !repo_is_personal !is_admin_repo
-
-define is_worker group workers
diff --git a/gitano-admin/rules/destroyrepo.lace b/gitano-admin/rules/destroyrepo.lace
deleted file mode 100644
index 6e6b446..0000000
--- a/gitano-admin/rules/destroyrepo.lace
+++ /dev/null
@@ -1,20 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Rules related to the destroying of repositories
-
-# Owners may destroy personal repositories
-allow "You may destroy your own repositories" is_owner repo_is_personal
-
-# Project admins may destroy repos inside their projects
-allow "Project admins may destroy project repos" repo_is_local_project project_admin
-
-# Allow lorry to destroy repositories anywhere but the local project root
-allow "Lorry may destroy lorryable repos" is_lorry lorryable_repo
-
-deny "You may not destroy repositories you do not own"
diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace
deleted file mode 100644
index 7bc80cc..0000000
--- a/gitano-admin/rules/other-project.lace
+++ /dev/null
@@ -1,25 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012,2013 Codethink Limited
-#
-# Rules for any repository not under ##PREFIX##
-
-# This is, by default, /baserock/ and /delta/
-
-# There are two classes of accessors here. Lorry and Others
-allow "Anyone may read here" op_read
-allow "Anyone may write here" op_write !is_anonymous
-
-# Lorry can do anything reffy which is not inside the local refs
-allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref
-
-# Noone can rewind/rebase outside of their personal refs
-deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !is_lorry !ref_is_personal
-
-# Everyone else can do reffy things inside refs/heads/##PREFIX##
-allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref
-
diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace
deleted file mode 100644
index aa5e1e2..0000000
--- a/gitano-admin/rules/project.lace
+++ /dev/null
@@ -1,38 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Core project administration rules
-
-# Admins already got allowed, so this is for non-admin users only
-allow "Owners can always read and write" op_is_basic is_owner repo_is_personal
-
-# Any non-gitano-admin repo is readable to the lorry user and the worker group
-allow "Lorry may read" op_read is_lorry lorryable_repo
-allow "Workers may read" op_read !is_admin_repo is_worker
-
-# Force /baserock and /delta to always be anon-readable which means git:// will
-# work. This is part of the core ruleset for Baserock because /baserock/ and
-# /delta/ are always open source.
-define is_baserock_repo repository ~^baserock/
-define is_delta_repo repository ~^delta/
-define is_opensource_repo anyof is_baserock_repo is_delta_repo
-
-allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo
-
-# Project remote-configuration rules (set-head etc)
-include global:remoteconfigchecks op_is_config
-
-# Okay, if we're altering the admin ref, in we go
-include global:adminchecks is_admin_ref
-
-# Now we're into branch operations.
-# Owners of personal repositories can do any reffy operation
-allow "Owners can create refs" op_is_reffy is_owner repo_is_personal
-
-include global:trove-project repo_is_local_project
-include global:other-project lorryable_repo
diff --git a/gitano-admin/rules/remoteconfigchecks.lace b/gitano-admin/rules/remoteconfigchecks.lace
deleted file mode 100644
index 6f88f5f..0000000
--- a/gitano-admin/rules/remoteconfigchecks.lace
+++ /dev/null
@@ -1,20 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Remote config checks
-
-# Owners may do any remote admin operation they choose
-allow "Owners may remote-admin their repositories" is_owner repo_is_personal
-
-# *-admins may remote-admin their project's repositories
-allow "Project admins may admin project repos" repo_is_local_project project_admin
-
-# lorry may remote-admin lorryable repositories
-allow "Lorry may admin lorry repos" is_lorry lorryable_repo
-
-deny "You may not configure this repository remotely"
diff --git a/gitano-admin/rules/renamerepo.lace b/gitano-admin/rules/renamerepo.lace
deleted file mode 100644
index e4a51be..0000000
--- a/gitano-admin/rules/renamerepo.lace
+++ /dev/null
@@ -1,19 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Rules related to renaming repositories
-
-# Owners may rename their own repositories
-allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner
-
-# Project admins may rename repos provided they're admin of source *and* target
-# Since the rename operation checks 'create' for the target, we can just
-# check the source here
-allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin
-
-deny "You may not rename a repository you do not own"
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace
deleted file mode 100644
index 83ef778..0000000
--- a/gitano-admin/rules/selfchecks.lace
+++ /dev/null
@@ -1,15 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Checks against self-like operations.
-
-allow "You may ask who you are" op_whoami
-
-allow "You may manage your own ssh keys" op_sshkey
-
-allow "You may change your own password" op_passwd
diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace
deleted file mode 100644
index 06c71bb..0000000
--- a/gitano-admin/rules/siteadmin.lace
+++ /dev/null
@@ -1,32 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012 Codethink Limited
-#
-# Site administration rules
-
-# You must explicitly allow site administration here for anyone who
-# has the rights to do site admin but isn't an administrator.
-
-# trove_site_admin is a predicate which matches members of the trove-admin
-# group (The site-wide user/group administration group which is not the full
-# administration group)
-allow "Trove Site Admins can manage users" trove_site_admin op_user
-allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin
-
-# XXX-managers members are permitted to edit XXX-* groups
-define trove_may_admin_target_group group ${targetgroup/prefix}-managers
-define target_group_has_hyphen targetgroup ~%-
-allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group
-
-# Anyone is permitted to look at the people in trove-admin and *-managers
-define trove_target_group_is_trove_admin targetgroup trove-admin
-define trove_target_group_is_project_managers targetgroup ~^.+-managers$
-define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers
-allow "Anyone may see admin groups" op_groupshow trove_show_target_ok
-
-# Otherwise we always deny site administration
-deny "You may not perform site administration"
diff --git a/gitano-admin/rules/trove-project.lace b/gitano-admin/rules/trove-project.lace
deleted file mode 100644
index 383ba98..0000000
--- a/gitano-admin/rules/trove-project.lace
+++ /dev/null
@@ -1,29 +0,0 @@
-# _____
-# |_ _| __ _____ _____
-# | || '__/ _ \ \ / / _ \
-# | || | | (_) \ V / __/
-# |_||_| \___/ \_/ \___|
-#
-# Copyright 2012,2013 Codethink Limited
-#
-# Rules for ##PREFIX##/... repositories
-
-# Reading the repository
-allow "Project readers may read" op_read project_reader
-deny "This repository is not for you" op_read
-
-# Basic writes to the repo
-allow "Project writers may write" op_write project_writer
-deny "This repository is not for you" op_write
-
-# Ref based rules for the repo
-deny "Non-personal branches may not be rewound/rebased" op_forcedupdate !ref_is_personal
-
-## Master
-allow "Master may be created" op_createref master_ref
-allow "Master may be altered" op_is_update master_ref
-deny "Master may not be deleted" op_deleteref master_ref
-
-## Anything else.
-allow "Project writers may alter any refs" op_is_reffy !master_ref project_writer
-
|