From ce08e9956d757119fc6f757cfdef6a4ba4c973dc Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 5 Oct 2013 21:48:02 +0100
Subject: Initial commit
---
git.liw.fi.sh | 10 ++++
git.liw.fi.yarn | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++
gitano-checklist.txt | 37 ++++++++++++
3 files changed, 213 insertions(+)
create mode 100644 git.liw.fi.sh
create mode 100644 git.liw.fi.yarn
create mode 100644 gitano-checklist.txt
diff --git a/git.liw.fi.sh b/git.liw.fi.sh
new file mode 100644
index 0000000..c893698
--- /dev/null
+++ b/git.liw.fi.sh
@@ -0,0 +1,10 @@
+gitano()
+{
+ ssh "$GITANO" "$@"
+}
+
+die()
+{
+ echo "$@" 1>&2
+ exit 1
+}
\ No newline at end of file
diff --git a/git.liw.fi.yarn b/git.liw.fi.yarn
new file mode 100644
index 0000000..0db761b
--- /dev/null
+++ b/git.liw.fi.yarn
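Review bot: In git.liw.fi.sh, `gitano()` uses `$GITANO` without checking that it is set, so a run with the variable missing fails inside ssh with an unhelpful message instead of at the start. Because the suite creates and removes users and repositories and may be pointed at the real instance, I would fail fast with `: "${GITANO:?set GITANO to the ssh target of the instance under test}"` as the first line of the function. Adding `-o BatchMode=yes` to the ssh call would also keep a missing key from turning into an interactive password prompt in the middle of a test run. Note too that ssh joins its arguments into one command string for the remote side, so an argument containing spaces does not arrive as the quoting here suggests.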
@@ -0,0 +1,166 @@
+Test suite for ACL on git.liw.fi
+================================
+
+This is a test suite for my Gitano ACL setup on git.liw.fi. It is run
+against either the real or a test instance of the setup.
+
+Fundamental concepts:
+
+* liw is my user account
+* alice and bob are test accounts
+* foo, private/foo and alice/foo are test repositories
+
+Here's a scenario for verifying that I can create and remove
+users and accounts.
+
+ SCENARIO git.liw.fi gitano ruleset testing
+
+ GIVEN user alice does not exist
+ AND user bob does not exist
+ AND repository private/foo does not exist
+ AND repository foo does not exist
+ AND repository alice/foo does not exist
+
+I need to be able to create a user.
+
+ WHEN liw creates user alice
+ THEN user alice exists
+
+However, nobody else should be able to do that.
+
+ WHEN alice attempts to create user bob
+ THEN gitano gives an error matching "FIXME"
+
+I should be able to create a private repository. I should see it,
+and be able to clone it over ssh, but not over git. Others should
+not be able to see or clone it. Private repositories are those
+under the private/ prefix.
+
+ WHEN liw creates repository private/foo
+ THEN liw cannot clone private/foo using git
+ AND liw can clone private/foo using ssh
+ AND liw can see private/foo
+ AND alice cannot clone private/foo using git
+ AND alice cannot clone private/foo using ssh
+ AND alice cannot see private/foo
+ AND cgit does not allow viewing private/foo
+
+I should be able to change the private repository. Others can't, since
+they can't clone it. (FIXME: What happens if it was public, but now
+isn't?)
+
+ WHEN liw makes change in cloned private/foo in master
+ THEN liw can push master in private/foo
+
+I should be able to create a public repository, and see it and coone
+it over both git and ssh. So should others.
+
+ WHEN liw creates repository foo
+ THEN liw can see foo
+ AND liw can clone foo using git
+ AND liw can clone foo using ssh
+ AND alice can see foo
+ AND alice can clone foo using git
+ AND alice can clone foo using ssh
+ AND cgit allows viewing foo
+
+I should be able to change the master branch.
+
+ WHEN liw makes change in cloned foo in master
+ THEN liw can push master in foo
+
+Others mustn't be able to push a change to master.
+
+ WHEN alice makes change in cloned foo in master
+ AND alice attempts to push master in foo
+ THEN gitano gives an error matching "FIXME"
+
+However, they can create a branch prefixed by their username
+and a slash, and push that.
+
+ WHEN alice creates branch alice/branch in foo
+ AND alice makes change in cloned foo in alice/branch
+ THEN alice can push alice/branch in foo
+
+Others mustn't be able to create repositories. I'm not running
+a general git hosting service.
+
+ WHEN alice attempts to create repository alice/bar
+ THEN gitano gives an error matching "FIXME"
+
+Some cleanup at the end.
+
+ FINALLY remove user alice
+ AND remove user bob
+ AND remove repository foo
+ AND remove repository private/foo
+ AND remove repository alice/foo
+
+Implementations
+---------------
+
+ IMPLEMENTS GIVEN user (\S+) does not exist
+ true
+
+ IMPLEMENTS GIVEN repository (\S+) does not exist
+ true
+
+ IMPLEMENTS WHEN (\S+) creates user (\S+)
+ true
+
+ IMPLEMENTS THEN user (\S+) exists
+ true
+
+ IMPLEMENTS WHEN (\S+) attempts to create user (\S+)
+ true
+
+ IMPLEMENTS THEN gitano gives an error matching ".*"$
+ true
+
+ IMPLEMENTS WHEN (\S+) creates repository (\S+)
+ true
+
+ IMPLEMENTS THEN (\S+) cannot clone (\S+) using git
+ true
+
+ IMPLEMENTS THEN (\S+) cannot clone (\S+) using ssh
+ true
+
+ IMPLEMENTS THEN (\S+) can clone (\S+) using git
+ true
+
+ IMPLEMENTS THEN (\S+) can clone (\S+) using ssh
+ true
+
+ IMPLEMENTS THEN (\S+) can see (\S+)
+ true
+
+ IMPLEMENTS THEN (\S+) cannot see (\S+)
+ true
+
+ IMPLEMENTS THEN cgit allows viewing (\S+)
+ true
+
+ IMPLEMENTS THEN cgit does not allow viewing (\S+)
+ true
+
+ IMPLEMENTS WHEN (\S+) makes change in cloned (\S+) in (\S+)
+ true
+
+ IMPLEMENTS THEN (\S+) can push (\S+) in (\S+)
+ true
+
+ IMPLEMENTS WHEN (\S+) attempts to push (\S+) in (\S+)
+ true
+
+ IMPLEMENTS WHEN (\S+) creates branch (\S+) in (\S+)
+ true
+
+ IMPLEMENTS WHEN (\S+) attempts to create repository (\S+)
+ true
+
+ IMPLEMENTS FINALLY remove user (\S+)
+ true
+
+ IMPLEMENTS FINALLY remove repository (\S+)
+ true
diff --git a/gitano-checklist.txt b/gitano-checklist.txt
new file mode 100644
index 0000000..a61bd3e
--- /dev/null
+++ b/gitano-checklist.txt
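Review bot: In git.liw.fi.yarn every step under "Implementations" has the body `true`, so the scenario passes without ever contacting Gitano, and the deny checks (`cannot clone`, `cannot see`, `cgit does not allow viewing`, `gitano gives an error matching`) succeed even if the ruleset allows everything. Until the steps are written, I would make the placeholders fail, e.g. `die "step not implemented"` (assuming git.liw.fi.sh is loaded as the shell library), so a green run cannot be read as a verified ACL. The error step's pattern `".*"$` has no capture group, so the expected message is not available to the step; `"(.*)"$` would capture it. The three `"FIXME"` expectations should become the actual refusal text, otherwise an unrelated failure such as an ssh connection error would count as a correct denial once the step is implemented.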
@@ -0,0 +1,37 @@
+Setting up Gitano (with cgit and git daemon) on Debian wheezy
+=============================================================
+
+* Obtain luxio and gitano-all built for wheezy.
+ - you may have to build them yourself
+
+* Install packages:
+ - luxio
+ - gitano (from gitano-all source package)
+ - lua-rex-pcre
+ - openbsd-inetd
+
+* adduser --disabled-password git
+
+* make sure your ssh public key is on the system; you'll need
+ it for gitano-setup
+
+* su - git
+ - run gitano-setup
+ - answer questions truthfully
+
+* from your own ssh account: ssh git@host whoami
+
+* edit /etc/inetd.conf to add:
+
+ git stream tcp nowait nobody /usr/bin/git git daemon --inetd --interpolated-path=/home/git/repos/%D /home/git/repos
+
+* /etc/init.d/openbsd-inetd restart
+
+* git clone ssh://git@testgit2/gitano-admin
+ - edit rules/core.lace, uncomment the last line:
+ "allow "Anonymous access is okay" op_read !is_admin_repo"
+ - git commit -av
+ - git push origin HEAD
+
+* ssh git@host create foo
+
-- cgit v1.2.1