Diffstat (limited to 'gitano-admin')
-rw-r--r-- | gitano-admin/rules/adminchecks.lace | 15 | ||||
-rw-r--r-- | gitano-admin/rules/aschecks.lace | 29 | ||||
-rw-r--r-- | gitano-admin/rules/core.lace | 23 | ||||
-rw-r--r-- | gitano-admin/rules/createrepo.lace | 19 | ||||
-rw-r--r-- | gitano-admin/rules/ct-project.lace | 20 | ||||
-rw-r--r-- | gitano-admin/rules/defines.lace | 34 | ||||
-rw-r--r-- | gitano-admin/rules/destroyrepo.lace | 16 | ||||
-rw-r--r-- | gitano-admin/rules/other-project.lace | 22 | ||||
-rw-r--r-- | gitano-admin/rules/project.lace | 32 | ||||
-rw-r--r-- | gitano-admin/rules/remoteconfigchecks.lace | 14 | ||||
-rw-r--r-- | gitano-admin/rules/renamerepo.lace | 17 | ||||
-rw-r--r-- | gitano-admin/rules/selfchecks.lace | 10 | ||||
-rw-r--r-- | gitano-admin/rules/siteadmin.lace | 36 | ||||
-rw-r--r-- | gitano-admin/rules/trove-project.lace | 28 |
14 files changed, 230 insertions, 85 deletions
diff --git a/gitano-admin/rules/adminchecks.lace b/gitano-admin/rules/adminchecks.lace index 9d4864b..ffe99a0 100644 --- a/gitano-admin/rules/adminchecks.lace +++ b/gitano-admin/rules/adminchecks.lace @@ -1,3 +1,11 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Core project administration rules # Called with ref known to be refs/gitano/admin @@ -8,11 +16,10 @@ deny "Non-administrators may not delete the admin ref" op_deleteref # Otherwise, the project's owner is allowed to alter the admin tree -allow "Project owner may alter the admin ref" is_owner +allow "Project owner may alter the admin ref" is_owner repo_is_personal -# Project admins may alter admin -allow "Project admins may alter the admin ref of project repos" repo_has_project_code ct_admin +# Project admins may alter admin refs +allow "Project admins may alter the admin ref of project repos" repo_is_local_project project_admin # Any other opportunities for altering the admin ref must be provided # by the project's rules -
\ No newline at end of file diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace index 2fb2ae6..467e8a4 100644 --- a/gitano-admin/rules/aschecks.lace +++ b/gitano-admin/rules/aschecks.lace @@ -1,14 +1,29 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Rules for when we're running as another user. -# Only 'deny' things which are not allowed. -# If you 'allow' then it will allow the actual operation, not just -# fail to deny the fact that it's 'as' someone else. + +# Only 'deny' things which are not allowed. If you 'allow' then it will allow +# the actual operation, not just fail to deny the fact that it's 'as' someone +# else. define as_is_admin as_group gitano-admin -# ct-admin members are permitted to run sshkey and whoami on behalf of others -define as_is_ct_admin as_group ct-admin -define as_ct_admin_ok allof as_is_ct_admin op_self +# trove-admin members are permitted to run sshkey and whoami on behalf +# of others in order to check users and grant access + +define as_is_trove_admin as_group trove-admin +define as_trove_admin_ok allof as_is_trove_admin op_self -define as_is_ok anyof as_is_admin as_ct_admin_ok +# You are permitted to do things 'as' others if and only if the caller is +# either a member of the administration group, or else meets the above +# requirements. +define as_is_ok anyof as_is_admin as_trove_admin_ok +# Explicitly deny any impersonation operation which does not meet the above. deny "You may not run things as another user unless you are an admin" !as_is_ok diff --git a/gitano-admin/rules/core.lace b/gitano-admin/rules/core.lace index 351fbda..dab7cfb 100644 --- a/gitano-admin/rules/core.lace +++ b/gitano-admin/rules/core.lace 
@@ -1,10 +1,20 @@ -# Prepare the initial definitions - -default deny "The ruleset didn't provide access. Denying by default." +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Core ruleset definitions for Trove. + +default deny "Trove ruleset failed to define result. Access denied." include global:defines -# Now, if we're in the admin group, we can always do stuff +# The users in the administration group (gitano-admin) may do anything +# they choose (providing they're not being impersonated). By default +# Only the user created as part of trove-setup has this level of access. allow "Administrators can do anything" is_admin !if_asanother # Now let's decide if we can use 'as' @@ -31,6 +41,7 @@ include global:project # Now the project rules themselves include main -# Now, if you want to allow anonymous access if the project doesn't prevent -# it, then you can uncomment the following: +# If you're running your access control somewhat more openly than most, You can +# now uncomment the following and allow git:// access to *everything* which is +# not the admin repository # allow "Anonymous access is okay" op_read !is_admin_repo diff --git a/gitano-admin/rules/createrepo.lace b/gitano-admin/rules/createrepo.lace index ef1bffc..045d7e7 100644 --- a/gitano-admin/rules/createrepo.lace +++ b/gitano-admin/rules/createrepo.lace 
@@ -1,15 +1,20 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Rules related to creating repositories # Administrators have already been permitted whatever they like -# so this is for non-admins. +# so this is for site-wide non-admins. -# Uncomment the following to allow repositories in personal/username/ +##PEOPLE_COMMENT##allow "Personal repo creation is okay" repo_is_personal -define repo_is_personal repository ~^people/${user}/ -allow "Personal repo creation is okay" repo_is_personal - -# Allow people in ctxxx-admins to create repositories under ctxxx -allow "Project admins may make project repositories" repo_has_project_code ct_admin +# Allow people in *-admins to create repositories under <foo> +allow "Project admins may make project repositories" repo_has_project_code project_admin # Otherwise the default is that non-admins can't create repositories deny "Repository creation is not permitted." diff --git a/gitano-admin/rules/ct-project.lace b/gitano-admin/rules/ct-project.lace deleted file mode 100644 index e1f6696..0000000 --- a/gitano-admin/rules/ct-project.lace +++ /dev/null @@ -1,20 +0,0 @@ -# Rules for ctxxx/... repositories - -# Reading the repository -allow "Readers gonna read" op_read ct_reader -deny "This repository not for you" op_read - -# Basic writes to the repo -allow "Writers gonna write" op_write ct_writer -deny "This repository not for you" op_write - -# Ref based rules for the repo - -## Master -allow "Master may be created" op_createref master_ref -allow "Master may be altered" op_is_update master_ref -deny "Master may not be deleted" op_deleteref master_ref - -## Anything else. -allow "Writers gonna write" op_is_reffy !master_ref - diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace index b6df4c5..402190e 100644 --- a/gitano-admin/rules/defines.lace +++ b/gitano-admin/rules/defines.lace 
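Review bot: `allow "Project admins may make project repositories" repo_has_project_code project_admin` on the new side still names `repo_has_project_code`, which this same commit removes from defines.lace in favour of `repo_is_local_project` (every other file in the commit made that switch). The new trove-project.lace has the same kind of dangling reference: its read and write rules use `ct_reader` and `ct_writer`, while defines.lace now defines only `project_reader` and `project_writer`. Whether an undefined predicate aborts rule evaluation or just fails to match is not visible here, but either way project admins lose repository creation and project readers/writers lose access. Proposed lines: `allow "Project admins may make project repositories" repo_is_local_project project_admin` here, and in trove-project.lace `allow "Project readers may read" op_read project_reader` and `allow "Project writers may write" op_write project_writer`.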
@@ -1,4 +1,14 @@ -# A useful set of defines +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Core definitions for access control + +# Gitano provided definitions first # User/group related define is_admin group gitano-admin @@ -65,18 +75,26 @@ define is_admin_repo repository gitano-admin define is_gitano_ref ref ~^refs/gitano/ define is_admin_ref ref refs/gitano/admin -# Codethink defines: +# +# +# Trove definitions after here +# +# -define repo_has_project_code repository ~^ct[0-9]+/ +define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/ +define repo_is_local_project repository ~^##ESC_PREFIX##/[^/]+/ -define ct_reader group ${repository/1}-readers -define ct_writer group ${repository/1}-writers -define ct_admin group ${repository/1}-admins +define project_reader group ${repository/2}-readers +define project_writer group ${repository/2}-writers +define project_admin group ${repository/2}-admins +define project_manager group ${repository/2}-managers define master_ref ref ~^refs/heads/master$ define op_is_reffy anyof op_is_normal op_forcedupdate -define ct_site_admin group ct-admin - +define trove_site_admin group trove-admin define target_group_gitano_admin targetgroup gitano-admin + +define is_lorry user lorry +define is_local_ref ref ~^refs/heads/##ESC_PREFIX##/ diff --git a/gitano-admin/rules/destroyrepo.lace b/gitano-admin/rules/destroyrepo.lace index fb2d494..0b83212 100644 --- a/gitano-admin/rules/destroyrepo.lace +++ b/gitano-admin/rules/destroyrepo.lace 
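Review bot: `define repo_is_personal repository ~^##ESC_PERSONAL_PREFIX##/${user}/` interpolates the user name directly into what looks like a pattern match (the `~` operator, with `%-` escaping used elsewhere in this commit), whereas the prefix goes through an `##ESC_…##` placeholder that is presumably pattern-escaped before substitution. If user names may contain pattern metacharacters such as `.` or `-`, the personal-repository predicate for such a user would match a different set of repositories than intended, so it is worth confirming either that Gitano restricts user names to safe characters or that `${user}` is escaped by the substitution. A comment recording whichever holds would help, e.g. `# ${user} is used inside a pattern; relies on user names containing no pattern metacharacters`.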
@@ -1,9 +1,17 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Rules related to the destroying of repositories -# For now, owners may destroy repositories -allow "You may destroy your own repositories" is_owner +# Owners may destroy personal repositories +allow "You may destroy your own repositories" is_owner repo_is_personal -# Admins may destroy repos inside their projects -allow "Project admins may destroy project repos" repo_has_project_code ct_admins +# Project admins may destroy repos inside their projects +allow "Project admins may destroy project repos" repo_is_local_project project_admin deny "You may not destroy repositories you do not own" diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace new file mode 100644 index 0000000..ad88098 --- /dev/null +++ b/gitano-admin/rules/other-project.lace @@ -0,0 +1,22 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Rules for any repository not under ##PREFIX## + +# This is, by default, /baserock/ and /delta/ + +# There are two classes of accessors here. Lorry and Others +allow "Anyone may read here" op_read +allow "Anyone may write here" op_write + +# Lorry can do anything reffy which is not inside the local refs +allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref + +# Everyone else can do reffy things inside refs/heads/##PREFIX## +allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref + diff --git a/gitano-admin/rules/project.lace b/gitano-admin/rules/project.lace index b09ad10..3144c64 100644 --- a/gitano-admin/rules/project.lace +++ b/gitano-admin/rules/project.lace 
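Review bot: `allow "Project writers may alter any refs" op_is_reffy !is_lorry is_local_ref` in the new other-project.lace grants ref operations to every non-lorry user rather than to a writers group as its message suggests, and `allow "Anyone may write here" op_write` two lines above already makes every repository reaching this file writable without any group check. Through the include in project.lace (`!repo_is_personal !repo_is_local_project !is_admin_repo`) that is every repository outside the personal, project and admin namespaces, which is wider than the "/baserock/ and /delta/" the header comment describes. If the open-write policy is intended, the message and header comment should say so, e.g. `allow "Any user may alter refs under refs/heads/##PREFIX##" op_is_reffy !is_lorry is_local_ref`; otherwise gate both rules on a writer group.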
@@ -1,10 +1,24 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Core project administration rules # Admins already got allowed, so this is for non-admin users only -allow "Owners can always read and write" op_is_basic is_owner +allow "Owners can always read and write" op_is_basic is_owner repo_is_personal -# Uncomment if you want to *force* anonymous access to all but gitano-admin -# allow "Anonymous access always allowed" op_read !is_admin_repo +# Force /baserock and /delta to always be anon-readable which means git:// will +# work. This is part of the core ruleset for Baserock because /baserock/ and +# /delta/ are always open source. +define is_baserock_repo repository ~^baserock/ +define is_delta_repo repository ~^delta/ +define is_opensource_repo anyof is_baserock_repo is_delta_repo + +allow "Anonymous access always allowed" op_read !is_admin_repo is_opensource_repo # Project remote-configuration rules (set-head etc) include global:remoteconfigchecks op_is_config @@ -12,11 +26,9 @@ include global:remoteconfigchecks op_is_config # Okay, if we're altering the admin ref, in we go include global:adminchecks is_admin_ref -# Now we're into branch operations. Owners can do any normal operation -# Normal ops are create/delete/fastforward on refs -allow "Owners can create refs" op_is_normal is_owner -# We don't enable non-fastforward updates by default. Projects must do -# this in their own rules if they want it. - +# Now we're into branch operations. +# Owners of personal repositories can do any reffy operation +allow "Owners can create refs" op_is_reffy is_owner repo_is_personal -include global:ct-project repo_has_project_code +include global:trove-project repo_is_local_project +include global:other-project !repo_is_personal !repo_is_local_project !is_admin_repo 
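Review bot: `allow "Owners can create refs" op_is_reffy is_owner repo_is_personal` now also permits forced (non-fast-forward) updates, since defines.lace has `define op_is_reffy anyof op_is_normal op_forcedupdate`, yet the message still says "create refs" and the comment the commit removes had documented non-fast-forward updates as deliberately off by default. If enabling them on personal repositories is intended, the message should match, e.g. `allow "Owners may perform any ref operation on personal repos" op_is_reffy is_owner repo_is_personal`; otherwise `op_is_normal` preserves the previous policy. The `is_baserock_repo` and `is_delta_repo` definitions are hard-coded while the rest of the ruleset goes through `##PREFIX##` placeholders; a one-line comment stating that these namespaces are intentionally fixed would stop the next reader treating it as an oversight.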
diff --git a/gitano-admin/rules/remoteconfigchecks.lace b/gitano-admin/rules/remoteconfigchecks.lace index 80cf802..d951f7a 100644 --- a/gitano-admin/rules/remoteconfigchecks.lace +++ b/gitano-admin/rules/remoteconfigchecks.lace @@ -1,9 +1,17 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Remote config checks # Owners may do any remote admin operation they choose -allow "Owners may remote-admin their repositories" is_owner +allow "Owners may remote-admin their repositories" is_owner repo_is_personal -# ctxxx-admins may remote-admin ctxxx repositories -allow "Project admins may admin project repos" repo_has_project_code ct_admins +# *-admins may remote-admin their project's repositories +allow "Project admins may admin project repos" repo_is_local_project project_admin deny "You may not configure this repository remotely" diff --git a/gitano-admin/rules/renamerepo.lace b/gitano-admin/rules/renamerepo.lace index 946d544..e4a51be 100644 --- a/gitano-admin/rules/renamerepo.lace +++ b/gitano-admin/rules/renamerepo.lace @@ -1,6 +1,19 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Rules related to renaming repositories -# For now, owners may rename their repositories -allow "Owners may rename repositories" op_renamerepo is_owner +# Owners may rename their own repositories +allow "Owners may rename repositories" op_renamerepo repo_is_personal is_owner + +# Project admins may rename repos provided they're admin of source *and* target +# Since the rename operation checks 'create' for the target, we can just +# check the source here +allow "Admins may rename project repositories" op_renamerepo repo_is_local_project project_admin deny "You may not rename a repository you do not own" 
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace index 300bb91..44e96bd 100644 --- a/gitano-admin/rules/selfchecks.lace +++ b/gitano-admin/rules/selfchecks.lace @@ -1,4 +1,12 @@ -# Checks against self +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Checks against self-like operations. allow "You may ask who you are" op_whoami diff --git a/gitano-admin/rules/siteadmin.lace b/gitano-admin/rules/siteadmin.lace index b3818ef..06c71bb 100644 --- a/gitano-admin/rules/siteadmin.lace +++ b/gitano-admin/rules/siteadmin.lace 
@@ -1,22 +1,32 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# # Site administration rules # You must explicitly allow site administration here for anyone who -# has the rights to do site admin but isn't a member of gitano-admin. +# has the rights to do site admin but isn't an administrator. -# ct_site_admin is a predicate which is for ct-admin -allow "CT Site Admins can manage users" ct_site_admin op_user -allow "CT Site Admins can manage groups other than gitano-admin" ct_site_admin op_group !target_group_gitano_admin +# trove_site_admin is a predicate which matches members of the trove-admin +# group (The site-wide user/group administration group which is not the full +# administration group) +allow "Trove Site Admins can manage users" trove_site_admin op_user +allow "Trove Site Admins can manage groups other than gitano-admin" trove_site_admin op_group !target_group_gitano_admin -# ctXXX-admins members are permitted to edit ctXXX-* groups -define ct_may_admin_target_group group ${targetgroup/prefix}-admins -define is_ct_project_target targetgroup ~^ct[0-9]+%- -allow "CT project admins can manage ctXXX- groups for their projects" op_group is_ct_project_target ct_may_admin_target_group +# XXX-managers members are permitted to edit XXX-* groups +define trove_may_admin_target_group group ${targetgroup/prefix}-managers +define target_group_has_hyphen targetgroup ~%- +allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group -# Anyone is permitted to look at the people in ct-admin and ctXXX-admins -define ct_target_group_is_ct_admin targetgroup ct-admin -define ct_target_group_is_ctxxx_admins targetgroup ~^ct[0-9]+%-admins$ -define ct_show_target_ok anyof ct_target_group_is_ct_admin ct_target_group_is_ctxxx_admins -allow "Anyone may see admin groups" op_groupshow ct_show_target_ok +# 
Anyone is permitted to look at the people in trove-admin and *-managers +define trove_target_group_is_trove_admin targetgroup trove-admin +define trove_target_group_is_project_managers targetgroup ~^.+-managers$ +define trove_show_target_ok anyof trove_target_group_is_trove_admin trove_target_group_is_project_managers +allow "Anyone may see admin groups" op_groupshow trove_show_target_ok # Otherwise we always deny site administration deny "You may not perform site administration" diff --git a/gitano-admin/rules/trove-project.lace b/gitano-admin/rules/trove-project.lace new file mode 100644 index 0000000..86ff49b --- /dev/null +++ b/gitano-admin/rules/trove-project.lace @@ -0,0 +1,28 @@ +# _____ +# |_ _| __ _____ _____ +# | || '__/ _ \ \ / / _ \ +# | || | | (_) \ V / __/ +# |_||_| \___/ \_/ \___| +# +# Copyright 2012 Codethink Limited +# +# Rules for ##PREFIX##/... repositories + +# Reading the repository +allow "Project readers may read" op_read ct_reader +deny "This repository is not for you" op_read + +# Basic writes to the repo +allow "Project writers may write" op_write ct_writer +deny "This repository is not for you" op_write + +# Ref based rules for the repo + +## Master +allow "Master may be created" op_createref master_ref +allow "Master may be altered" op_is_update master_ref +deny "Master may not be deleted" op_deleteref master_ref + +## Anything else. +allow "Project writers may alter any refs" op_is_reffy !master_ref + |
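Review bot: `allow "Trove project managers can manage the groups for their projects" op_group target_group_has_hyphen trove_may_admin_target_group` carries no exclusion for `gitano-admin` or `trove-admin`, unlike the site-admin rule above it which has `!target_group_gitano_admin`. Assuming `${targetgroup/prefix}` yields the text before the hyphen, membership of a group named `gitano-managers` or `trove-managers` would satisfy this rule for the administration groups themselves, and the preceding rule lets any trove-admin member create such a group; the old `~^ct[0-9]+%-` target check did not have this gap because the admin groups never matched it. Adding `!target_group_gitano_admin` plus an equivalent exclusion for trove-admin to this allow, or narrowing `target_group_has_hyphen` to the project group namespace, closes it. Separately, `~^.+-managers$` depends on the `-` after `.+` being taken literally; `~^.+%-managers$` would match the escaping used in `target_group_has_hyphen` on the line above.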