[aur-dev] [PATCH 1/2] git-update: Deny non-fast-forwards
To make sure we never lose any history, non-fast-forwards are forbidden. Instead of relying on receive.denyNonFastForwards, add a simple check to the update hook. This has the added benefit of more flexibility.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 INSTALL | 1 -
 git-interface/git-update.py | 9 +++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/INSTALL b/INSTALL
index 50405df..a2a6153 100644
--- a/INSTALL
+++ b/INSTALL
@@ -29,7 +29,6 @@ Setup on Arch Linux
 # cd /srv/http/aurweb/aur.git/
 # git init --bare
 # ln -s ../../git-interface/git-update.py hooks/update
- # git config --local receive.denyNonFastForwards true
 # chown -R aur .
 7) Install the git-auth wrapper script:
diff --git a/git-interface/git-update.py b/git-interface/git-update.py
index 7898f39..3f6cfc1 100755
--- a/git-interface/git-update.py
+++ b/git-interface/git-update.py
@@ -178,6 +178,15 @@ if refname != "refs/heads/master":
 die("pushing to a branch other than master is restricted")
 repo = pygit2.Repository(repo_path)
+
+# Detect and deny non-fast-forwards.
+if sha1_old != "0000000000000000000000000000000000000000":
+ walker = repo.walk(sha1_old, pygit2.GIT_SORT_TOPOLOGICAL)
+ walker.hide(sha1_new)
+ if next(walker, None) != None:
+ die("denying non-fast-forward (you should pull first)")
+
+# Prepare the walker that validates new commits.
 walker = repo.walk(sha1_new, pygit2.GIT_SORT_TOPOLOGICAL)
 if sha1_old != "0000000000000000000000000000000000000000":
 walker.hide(sha1_old)
-- 
2.4.2
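Review bot: A ref deletion is not handled explicitly by the new fast-forward check in git-update.py: when `sha1_new` is the all-zero id, `walker.hide(sha1_new)` is called with an object that does not exist, so the outcome depends on how pygit2 reacts rather than on a deliberate decision. Unless deletion is already rejected earlier in the script (the surrounding code is outside the hunk), I would add `if sha1_new == "0000000000000000000000000000000000000000": die("denying branch deletion")` before the walk, because this hook becomes the only guard against losing history once `receive.denyNonFastForwards` is dropped from INSTALL. As a style point, `if next(walker, None) != None:` is better written as `if next(walker, None) is not None:`.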
Although we theoretically never want to lose history, there may be rare occasions when a forced push is required (e.g. if illegal data is pushed). Allow Trusted Users and Developers to perform non-fast-forward pushes.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 git-interface/git-update.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/git-interface/git-update.py b/git-interface/git-update.py
index 3f6cfc1..d87fac7 100755
--- a/git-interface/git-update.py
+++ b/git-interface/git-update.py
@@ -179,23 +179,26 @@ if refname != "refs/heads/master":
 repo = pygit2.Repository(repo_path)
+db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+ passwd=aur_db_pass, db=aur_db_name,
+ unix_socket=aur_db_socket, buffered=True)
+cur = db.cursor()
+
 # Detect and deny non-fast-forwards.
 if sha1_old != "0000000000000000000000000000000000000000":
 walker = repo.walk(sha1_old, pygit2.GIT_SORT_TOPOLOGICAL)
 walker.hide(sha1_new)
 if next(walker, None) != None:
- die("denying non-fast-forward (you should pull first)")
+ cur.execute("SELECT AccountTypeID FROM Users WHERE UserName = %s ",
+ [user])
+ if cur.fetchone()[0] == 1:
+ die("denying non-fast-forward (you should pull first)")
 # Prepare the walker that validates new commits.
 walker = repo.walk(sha1_new, pygit2.GIT_SORT_TOPOLOGICAL)
 if sha1_old != "0000000000000000000000000000000000000000":
 walker.hide(sha1_old)
-db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
- passwd=aur_db_pass, db=aur_db_name,
- unix_socket=aur_db_socket, buffered=True)
-cur = db.cursor()
-
 cur.execute("SELECT Name FROM PackageBlacklist")
 blacklist = [row[0] for row in cur.fetchall()]
-- 
2.4.2
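Review bot: The privilege test `if cur.fetchone()[0] == 1:` denies only account type 1 and so lets every other `AccountTypeID` value force-push, including any type added later; for a check that guards history rewriting, an allow-list of the Trusted User and Developer ids fails closed instead. `cur.fetchone()` also returns `None` when no row matches `user`, which ends in a `TypeError` traceback rather than a clean denial. Something like `row = cur.fetchone()` followed by `if row is None or row[0] not in PRIVILEGED_TYPE_IDS: die(...)` covers both, where `PRIVILEGED_TYPE_IDS` is a placeholder for the real ids, which this page does not show. An accepted non-fast-forward also leaves no trace in this hunk, so logging the user together with `sha1_old` and `sha1_new` before continuing would support later review of forced pushes. Where `user` is set is outside the hunk.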