views:

66

answers:

1

I've recently set up a mercurial repository. All pushing is done via ssh. Currently only users with an LDAP account can push changes to the repository. However, given that when committing to a local repository any committer name can be used via the --user option, it is possible to have the situation where a committer name does not match the LDAP account name. I want to avoid this.

What would be the best way to ensure this does not happen? Would a hook be the best way to deal with this problem? I would not want this to be a local hook, but a hook that would live on the same machine as the repository. It would need to check whether a committer name matched the LDAP account on the event of a push, and if it doesn't, send an appropriate error message back.

Does this seem like a sensible way to proceed or am I going about the problem in the wrong way?

+1  A: 

Hello,

If you just want to check that the username is correct, it should be possible when using Mercurial Server, because every push is authenticated with a user's ssh key and you will find the key name in the $REMOTE_USER environment variable, so a hook of type pretxncommit (i.e., after changes have been applied) can check that the author name and the key name match, and then can reject and roll back the commit if they don't.

E.g., if you have the convention of having all the keys stored in paths like: coders/"name"_rsa.pub

then this code should do the check:

#!/bin/sh
# Author of the tip changeset, exactly as recorded at commit time (--user)
author=$(hg tip --template '{author}\n')
# Compare it with the key name mercurial-server exports in $REMOTE_USER
if [ "$REMOTE_USER" != "coders/${author}_rsa.pub" ]; then
    echo "reject msg.."
    exit 1
fi

However, there might be a problem when a user has just pulled changes from another repository (i.e., commits that were made by other people) and pushes them to your repository with his/her key. Then the hook will reject them even if the usernames were correct in the original commits. With hg, we can forward changesets between repositories even with a list of various usernames. But if this is not a case you will encounter, then you might try this.

Hope it'll help.

Cheers,
Christophe.

= "It's not my fault that Buttle's heart condition didn't appear on Tuttle's file!" -- Jack (Brazil) =

Christophe Muller
Hi. Thanks for the reply. Your answer has clarified what I'm actually trying to achieve. All I need any hook to do is check whether the committers associated with a push are all members of the LDAP group. As you say, you could have commits from a number of users in your local repository, so the remote user isn't really important. Therefore, in any hook I would need to be able to check all the committers associated with a push and reject if any of those committers are not in the LDAP group. Is it possible to access this information in a pre-push hook? Thanks again for the reply. Matt.
Sigmoidal
Are you trying to set up a rights management system? Like in svn, where you specify who has read rights or write rights to what part of the code?
Christophe Muller
Not exactly. I want to ensure there are always sensible committer names associated with a push. Currently only users with an LDAP account can push. I just want to make sure that all the committers associated with that push are also part of this group. I realise this means that anyone can commit as anyone else in the group but I don't see this as a problem. Thanks again. Matt.
Sigmoidal
Then, like I suggested above, if the same user commits _and_ pushes, you can compare the hg author (what has been specified at commit time with --user) with either $REMOTE_USER or even $AUTHENTICATED_UID, which seems to be set by Apache after LDAP auth. But if you want to allow somebody to push "other committers'" work, then it'll be a bit more complex: you need to write a script which will extract the authors' names and check that they are in the LDAP group (e.g., by using ldapsearch -h HOST -D BIND_DN -b BASE etc.). I am not an LDAP guru so I can't help you very much there.. :-) Hope it'll help.
Christophe Muller
That's exactly it. I need to pull out all the authors associated with a push and then verify each against the LDAP group. If I can access this information via a hook then I can solve my problem. I'll post if I solve it. Thanks again for the replies.
Sigmoidal
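The following is an added example of the server-side check the thread converges on; it is not code from the question or the answer. It is written as an external pretxnchangegroup hook rather than pretxncommit: pretxncommit only fires for commits made in that repository, while pretxnchangegroup runs on the server after a push's changesets are applied and before the transaction commits, so a non-zero exit rolls back the whole push and whatever the hook writes to stderr is shown to the pusher. Mercurial sets HG_NODE to the first changeset of the pushed group, so the revset "$HG_NODE:tip" covers every incoming changeset and their authors can be listed with hg log, which is exactly the "someone else's commits in my push" case the answer warns about. The LDAP side assumes a posixGroup whose logins are memberUid values, queried with ldapsearch; the group DN, LDAP URI, and the rule that the login is the author string itself or the local part of the e-mail address in "Name <login@host>" are assumptions chosen for the example, and an anonymous bind (-x) may need to be replaced by -D/-w on a real directory. The sample log and LDIF at the bottom are constructed so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""authorcheck.py: server-side Mercurial hook that rejects a push unless every
incoming changeset's author maps to a member of an LDAP group.

Hypothetical wiring in the server repository's .hg/hgrc (hook name and path
are assumptions):

    [hooks]
    pretxnchangegroup.authorcheck = /usr/local/lib/hg/authorcheck.py

pretxnchangegroup runs after the pushed changesets are applied but before the
transaction commits; a non-zero exit status rolls the whole push back and the
text written to stderr is shown to the pusher.  Mercurial sets HG_NODE to the
first changeset of the group, so "$HG_NODE:tip" covers everything pushed.
"""
import os
import re
import subprocess
import sys

# Assumed LDAP layout: a posixGroup listing logins in memberUid attributes.
LDAP_URI = "ldap://ldap.example.org"                # assumption
GROUP_DN = "cn=coders,ou=groups,dc=example,dc=org"  # assumption

# Assumed naming convention: the LDAP login is the author string itself
# ("matt") or the local part of the address in "Matt Smith <matt@example.org>".
EMAIL_RE = re.compile(r"<([^@>\s]+)@[^>]*>")


def login_from_author(author):
    """Map a Mercurial author string (whatever was given to --user) to a login."""
    m = EMAIL_RE.search(author)
    if m:
        return m.group(1).lower()
    return author.strip().lower()


def incoming_authors(log_output):
    """Author lines as printed by: hg log -r "$HG_NODE:tip" --template '{author}\\n'"""
    return [line.strip() for line in log_output.splitlines() if line.strip()]


def group_members(ldif):
    """Logins from ldapsearch LDIF output: every 'memberUid: <login>' line."""
    return {
        line.split(":", 1)[1].strip().lower()
        for line in ldif.splitlines()
        if line.startswith("memberUid:")
    }


def rejected_authors(authors, members):
    """Authors in the push whose login is not in the group, deduplicated and sorted."""
    return sorted({a for a in authors if login_from_author(a) not in members})


# Constructed sample data (not real output) so the check can be exercised offline.
SAMPLE_LOG = (
    "Matt Smith <matt@example.org>\n"
    "christophe\n"
    "Mallory <mallory@example.org>\n"
    "Matt Smith <matt@example.org>\n"
)
SAMPLE_LDIF = (
    "dn: cn=coders,ou=groups,dc=example,dc=org\n"
    "cn: coders\n"
    "memberUid: matt\n"
    "memberUid: christophe\n"
)


def check_sample():
    """Run the check on the constructed data; returns the authors that would be rejected."""
    return rejected_authors(incoming_authors(SAMPLE_LOG), group_members(SAMPLE_LDIF))


def main():
    node = os.environ.get("HG_NODE")
    if not node:
        sys.stderr.write("authorcheck: HG_NODE not set; run as a pretxnchangegroup hook\n")
        return 1
    # Every changeset that arrived with this push, one author per line.
    log = subprocess.run(
        ["hg", "log", "-r", node + ":tip", "--template", "{author}\\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    # Current membership of the group; -LLL strips LDIF comments, -s base reads one entry.
    ldif = subprocess.run(
        ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", GROUP_DN, "-s", "base", "memberUid"],
        check=True, capture_output=True, text=True,
    ).stdout
    bad = rejected_authors(incoming_authors(log), group_members(ldif))
    if bad:
        sys.stderr.write("push rejected: author(s) not in LDAP group %s:\n" % GROUP_DN)
        for author in bad:
            sys.stderr.write("  %s\n" % author)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the hook rejects on the authors recorded in the changesets rather than on $REMOTE_USER, a push that forwards other people's commits passes as long as every author is in the group, which is the behaviour Matt describes wanting; it also means, as he notes, that anyone in the group can commit under another member's name, and if that matters the $REMOTE_USER comparison from the answer has to be kept for the pusher's own changesets.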