I have set up an SVN repository from scratch, and I have successfully tagged some of my releases using the SVN copy command.

I used the SSPI auth plugin for apache, so our developers just hit the server with their network credentials, and everything works nicely.

I have created an AuthZ authorization file, added our developers to groups in the file, and have granted them write access to the root. I also have granted anonymous users read-only access to the root.

I then locked down the /svn/ directory with: Require-group "CORP\CKAN0BlahBlah"

This effectively limits new developers in the security group to read-only access until they are granted access through the AuthZ config file.

Now, I have a couple of questions:

  1. What is the proper way (other than the honor system) to prevent users from committing changes to any of the "tags" directories?

  2. Is it possible to use SSPI to pass the members of the groups to AuthZ, rather than listing the members individually in the configuration file?

+6  A: 

1 - You can use the pre-commit hook to prevent commits, see SVN pre-commit hook for avoiding changes to tags subdirectories.

Edit: To do this on Windows, try the following:

Save this as a file named pre-commit.bat in the hooks folder of your repo:

@echo off
REM Subversion calls pre-commit with %1 = repository path and %2 = transaction name
set REPOSITORY=%1
REM find sets errorlevel 0 when the text is present and 1 when it is not
echo %REPOSITORY% | find /I "tags"
if errorlevel 1 goto done
echo You tried to commit to %REPOSITORY% >&2
echo Committing to tags is not allowed >&2
exit 1
:done

Note, this will prevent committing to any repository path that contains the substring tags. Modify according to your needs.

RedFilter
Is there a way to do this on windows?
John Gietzen
Hooks are on the server side, so it can be done with a compiled app, shell script, command file, etc. that is native to the host platform.
crashmstr
So, I've been googling around for a .bat pre-commit script and almost all of them call a Perl script. I don't think I can get permission to install Perl on this server, so do you know of a pure .bat version?
John Gietzen
Edited my answer to include a .bat example.
RedFilter
I'm +1 here, even though I'm pretty sure your script won't work. Specifically, you need to use the SVNLOOK utility to detect changes, rather than just checking against the repository name. I posted my code as an answer.
John Gietzen
Yes, you are almost certainly right - this is untested code from memory, I am not able to test against a repo right now. Use svnlook to get the proper working path. Do you need help with that? The primary intent of my code was to show how to do substring search and return the correct errorlevel.
RedFilter
Oh, I see by your example you have the svnlook covered.
RedFilter
+2  A: 

There's no "proper" way. Tags are a convention and developers should learn and follow it. Barring that, a fail-safe can be implemented using Subversion hooks. See this page for a nice tutorial.

ASk
+1  A: 

This seems to me to be a matter of education and process. If your developers understand the purpose of your SVN tags, it seems a lot less likely that you'll have people (intentionally) doing commits to a tag. What I found to be indispensable to communicating these processes effectively is up-to-date, written documentation. My team uses a wiki to store documentation about our processes (specifically, we use MediaWiki). The wiki approach seems to make things a lot more accessible and easier to keep up to date than something like storing versioned MS Office documents in SharePoint.

Paul Morie
I am one of the developers, and I would actually rather have this implemented as a hard-and-fast rule.
John Gietzen
Fair enough. Can I ask why? Obviously, accidents happen, and that's one use-case where a hard-and-fast rule is useful. Is that why you want it?
Paul Morie
Yes. And there may be some of my peers that I don't trust to understand the policy.
John Gietzen
That's rough. I'm a believer that everyone with commit access is in a highly trusted position. Perhaps you should talk to your management if you can't trust someone to follow a pretty basic process. After all, if you can't even trust them to check their code into the right place, what does that say about the quality of their work?
Paul Morie
There happen to be a lot of politics around this. Normally I would agree with you, but I don't want to be a martyr.
John Gietzen
I have a pretty good idea of what you're talking about. That said, if the commits from these individuals start failing, it might give Them stabble-stabble points on you for that. Good luck!
Paul Morie
Thanks! Anyways, since this is a fresh install, I don't think they will know that it was a modification rather than a part of the product.
John Gietzen
+2  A: 

For Question #1, I developed this:

@echo off
REM Pre-commit hook: %1 = repository path, %2 = transaction name
SET SVNLOOK=C:\Program Files\CollabNet Subversion Server\svnlook.exe
SET GREP=D:\SVN\Repo\hooks\grep.exe
SET LOG=D:\SVN\Repo Logs.txt

REM Append the transaction's change list to a log file for later inspection
>>"%LOG%" echo ==== commit %1 %2 ====
>>"%LOG%" "%svnlook%" changed -t %2 %1

REM Reject the commit if any updated (U) path contains a /tags/ component.
REM svnlook prints paths without a leading slash, so this matches a tags
REM directory below a project directory (e.g. proj/tags/1.0/x), not a top-level tags/
("%svnlook%" changed -t %2 %1 | "%grep%" "^U.*/tags/") && (echo Cannot commit to tags.>&2 && exit 1)
REM Reject the commit if the log message contains no alphanumeric character
("%svnlook%" log -t %2 %1 | "%grep%" "[a-zA-Z0-9]") || (echo You must specify a comment.>&2 && exit 1)

exit 0

Grabbed the grep tool from http://sourceforge.net/projects/unxutils
For Question #2, the answer is NO, you cannot check against AD security groups in the AuthZ config file.

Thanks for your help, everyone.

John Gietzen
I am pretty sure you could use the native findstr instead of grep...
RedFilter
Thanks, I'll look into that.
John Gietzen
This is cool Windows scripting ;) Question: in your script I can ADD new files to tags. Do you know a solution to avoid this (I am searching for such a solution)?
Peter Parker
Yes, you can copy the first line that contains the "(%svnlook%" text, and change the "^U.*" to "^A.*" However, be warned that you will be entirely unable to add new files to any directory named "tags."
John Gietzen
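As an added example (not code from any of the answers above), here is the same policy as the two batch hooks, written in Python so the logic is easier to follow: it parses `svnlook changed` output, treats `tags` as a path component rather than a substring (so `trunk/tags.txt` is not blocked), allows only the single `A   tags/<name>/` line that `svn copy` produces when a new tag is created, and rejects every other add, update, delete or property change under a tags directory, which also covers the question about adding files to a tag. It assumes `svnlook` is on the PATH (adjust the command for the Windows install path) and that Subversion invokes the hook as `pre-commit REPOS TXN`.

```python
"""Pre-commit policy: allow creating a tag, block any change inside an existing one."""
import subprocess
import sys

TAG_DIR = "tags"  # assumption: tags live in a directory named 'tags' at any depth


def parse_changed(output):
    """Parse `svnlook changed` output into (status, path) pairs.
    Each line is a two-character status column ('A', 'U', 'D', '_U', 'UU'),
    two spaces, then the repository path; directories end with '/'."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        entries.append((line[:2].strip(), line[4:]))
    return entries


def tag_violations(changed_output):
    """Return the (status, path) entries that violate the tags policy.
    Under a tags directory only an 'A' of the tag directory itself
    (e.g. 'tags/1.0/', which is what `svn copy trunk tags/1.0` yields) is allowed."""
    bad = []
    for status, path in parse_changed(changed_output):
        parts = path.split("/")
        if TAG_DIR not in parts:
            continue  # not under a tags directory at all
        below = parts[parts.index(TAG_DIR) + 1:]  # components after 'tags'
        creating_tag = status == "A" and len(below) == 2 and below[0] != "" and below[1] == ""
        creating_tags_dir = status == "A" and below == [""]
        if not (creating_tag or creating_tags_dir):
            bad.append((status, path))
    return bad


def main(repo, txn):
    """Hook entry point: returns the exit code Subversion uses to accept or reject."""
    run = lambda *cmd: subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    changed = run("svnlook", "changed", "-t", txn, repo)
    log = run("svnlook", "log", "-t", txn, repo)
    problems = [f"{s:<3}{p}" for s, p in tag_violations(changed)]
    if not log.strip():
        problems.append("empty log message")
    if problems:
        sys.stderr.write("Commit rejected:\n  " + "\n  ".join(problems) + "\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```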
A: 

How about using the svn-auth file to define that? This would look like this:

[groups]
ADMINS=<your ID>
<rest of groups>=<all other IDs>

[/]
* = r
@<rest of groups> = rw
@ADMINS = rw

# a rule here overrides the matching [/] rule; @ADMINS keeps rw by inheritance
[/tags]
@<rest of groups> = r

This will allow the ADMINS read-write access to the tags directory, but no one else. I do not know the SSPI auth plugin, so perhaps my provided example does not work in your context.

mliebelt