blaggard 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 31aab3cfdcd15e952475d87c6504c1258e579183
+  data.tar.gz: d24471bf40000af22e5a0ac0dffd6700abe086f3
+SHA512:
+  metadata.gz: 8842ba4475ce9b8b5cbfa7689af39db5974f33525e3f8b9085d55843b9413e926fc3dee55b2254626f2d8ae7f269d0d85ac6d3465f84a7257fdaf0c9d5a9215c
+  data.tar.gz: bccc8d1cdfcb61f22da3ef9c735380341e6d8785f7c2dd4ed7b78cf27574ff89401dda9aff0baac2c359a916be5ff27cdd83a9cced3387d4c643454c2ce38271

data/.gitignore

@@ -0,0 +1,5 @@
+coverage/
+vendor/bundle
+.idea
+*.yml
+.bundle

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,15 @@
+source 'https://rubygems.org'
+
+gem "rack", "~> 1.5.2"
+gem "rake"
+gem "thor"
+gem "coveralls", :require => false
+
+group :test do
+  gem "test"
+  gem "rspec"
+  gem "rack-test", "~> 0.6.2"
+  gem "mocha"
+  gem "simplecov", :require => false # Disable for ruby 1.8
+  #gem "rcov", :require => false # Enable for ruby 1.8
+end

data/Gemfile.lock

@@ -0,0 +1,66 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    coveralls (0.7.11)
+      multi_json (~> 1.10)
+      rest-client (>= 1.6.8, < 2)
+      simplecov (~> 0.9.1)
+      term-ansicolor (~> 1.3)
+      thor (~> 0.19.1)
+    diff-lcs (1.2.5)
+    docile (1.1.5)
+    metaclass (0.0.4)
+    mime-types (2.4.3)
+    mocha (1.1.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.10.1)
+    netrc (0.10.3)
+    rack (1.5.2)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rake (10.4.2)
+    rest-client (1.7.3)
+      mime-types (>= 1.16, < 3.0)
+      netrc (~> 0.7)
+    rspec (3.2.0)
+      rspec-core (~> 3.2.0)
+      rspec-expectations (~> 3.2.0)
+      rspec-mocks (~> 3.2.0)
+    rspec-core (3.2.1)
+      rspec-support (~> 3.2.0)
+    rspec-expectations (3.2.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-mocks (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-support (3.2.2)
+    rubytest (0.8.1)
+    simplecov (0.9.2)
+      docile (~> 1.1.0)
+      multi_json (~> 1.0)
+      simplecov-html (~> 0.9.0)
+    simplecov-html (0.9.0)
+    term-ansicolor (1.3.0)
+      tins (~> 1.0)
+    test (1.0.0)
+      rubytest
+    thor (0.19.1)
+    tins (1.3.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  coveralls
+  mocha
+  rack (~> 1.5.2)
+  rack-test (~> 0.6.2)
+  rake
+  rspec
+  simplecov
+  test
+  thor
+
+BUNDLED WITH
+   1.10.4

data/README.md

@@ -0,0 +1,84 @@
+#<div style='text-align:center'> Blaggard</div>
+### <div style='text-align:center'> A Ruby/Rack Git Smart-HTTP Server Handler that implements a branch-level access control layer</div>
+========================================
+
+This project is a fork of [Grack](https://github.com/schacon/grack). Please refer to documentation and license on grack's README. The name came from the acronym **B**ranch **L**evel **A**ccess **C**ontrol for **G**it which obviously expands into Blaggard since everyone wants to be a pirate...arrrr!
+
+## Installation
+
+To run as an executable:
+
+    gem install blaggard
+    cp $BLAGGARD_PATH/config.yml.example ~/config.yml
+    
+    # Edit ~/config.yml's project_root value to point to you repo's directory
+    
+    blaggard start ~/config.yml
+    git clone localhost:8080/my_repo.git
+    
+To run as a mounted bundle in routes.rb of another Rack application: 
+  
+    mount Blaggard::Bundle.new({
+	    git_path:     /bin/git,
+	    project_root: path/to/repos,
+	    upload_pack:  true,
+	    receive_pack: true,
+	    use_acl: true
+	  }), at: '/'
+    
+## Config
+
+Blaggard keeps all information about access control within the repo itself as an object. To create a config file, use the command line interface:
+
+    blaggard config path/to/repo path/to/config.yml
+    
+The config.yml is a list of group objects that correspond to the following format:
+
+    group_name:
+      # read and write must start with : to be parsed into symbols 
+      :read: 
+        # an array of branches that a group can read (clone, fetch, etc)
+        - refs/heads/readable1
+        - refs/heads/readable2
+      :write:
+        # an array of branches a group can write to (push, etc)
+        - refs/heads/writeable1
+        
+    another_group:
+      # even if a group has no privileges you must still include an
+      # empty array
+      :read: [] 
+      # if a group has access to all branches (ie. admin)
+      :write:
+        - refs/heads/*
+        
+ The command line executable should let you know if your config file is both parsable and if there are any errors, what groups those errors belong to.
+ 
+## Testing
+ 
+ To run unit tests:
+ 
+     rake test
+ 
+ To run an interactive Pry console with all libraries loaded run:
+ 
+     rake console
+     
+The test repository located at `spec/fixtures/spec_repo.git` is copied into a temp location before the tests and therefore the tests are dependent upon it staying the same. If you use this repo for testing in the console, just copy it to another directory and edit the startup config.yml to reflect that repo path.
+     
+   
+     
+## Contribution
+
+1. Take a look at the Issues
+2. Write a fix, making sure all tests run
+3. Submit a Pull Request
+4. Rejoice!
+ 
+
+
+
+
+
+
+

data/Rakefile

@@ -0,0 +1,20 @@
+task :default => :test
+ 
+desc "Run the tests."
+task :test do
+  system "bundle exec rspec spec"
+end
+
+task :console do
+  system "./script/console"
+end
+
+namespace :blaggard do
+  desc "Start Blaggard"
+  task :start do
+    system "./script/server"
+  end
+end
+ 
+desc "Start everything."
+multitask :start => [ 'blaggard:start' ]

data/bin/blaggard

@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+libdir = File.absolute_path( File.join( File.dirname(__FILE__), '../lib' ) )
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require 'blaggard'
+require 'thor'
+
+class BlaggardCLI < Thor
+  include Blaggard
+  desc "config <repo> <config_file>", "add a YAML config file to the repository"
+  def config(repo, config)
+    repo = File.absolute_path(repo)
+    if Dir.entries(repo).include? ".git"
+      repo = "#{repo}/.git"
+    end
+    meta = Blaggard::GroupConfig.new(repo)
+    begin
+      data = YAML.load(File.read(config))
+    rescue
+      raise Blaggard::GroupConfigError, "#{config} not a valid YAML file"
+    end
+    data.each do |group_name, value|
+      unless value[:read].instance_of?(Array) && value[:write].instance_of?(Array)
+        raise Blaggard::GroupConfigError, "#{group_name} not a valid group structure. Groups must include :read: [] and :write: []"
+      end
+    end
+    meta.groups = data
+    meta.write_to_git
+    puts meta.read_from_git
+  end
+
+  desc "start [config.yml]", "starts the blaggard server. Optionally pass in a config file. If you don't it will run on localhost:8080"
+  def start(config = nil)
+    require 'rack'
+    if config
+      conf_data = YAML.load( File.read(config) )
+    else
+      conf_data = YAML.load( File.read(File.absolute_path("config.yml")))
+    end
+    puts "Starting server at project root: #{conf_data[:project_root]}"
+    app = Blaggard::App.new(conf_data)
+
+    protected_app = Rack::Auth::Basic.new(app) do |username, password|
+      # make call to LDAP to authenticate
+      true
+    end
+
+    pretty_protected_app = Rack::ShowStatus.new(Rack::ShowExceptions.new(protected_app))
+
+    Rack::Server.start :app => pretty_protected_app,
+                       :Port => app.config[:port] || 8080,
+                       :Host => app.config[:host] || 'localhost'
+  end
+end
+BlaggardCLI.start(ARGV)

data/blaggard.gemspec

@@ -0,0 +1,18 @@
+Gem::Specification.new do |s|
+  s.name = 'blaggard'
+  s.version = '1.0.0'
+  s.date = '2013-06-02'
+  s.summary = "This is a fork of Grack that adds Branch Level Access control and LDAP Authentication"
+  s.description = "This is a fork of Grack that adds Branch Level Access control and LDAP Authentication. This was designed to be used in conjuction with Qualcomm's ChipCode web application"
+  s.authors = ['Scott Chacon', 'Dawa Ometto', 'Ryan Canty']
+  s.email = 'jrcanty@gmail.com'
+  s.files = `git ls-files`.split("\n")
+  s.executables << 'blaggard'
+  s.homepage = "https://github.com/onetwopunch/blaggard"
+  s.license = 'MIT'
+
+  s.add_development_dependency('rspec')
+  s.add_dependency('rack')
+  s.add_dependency('thor')
+
+end

data/config.yml.example

@@ -0,0 +1,9 @@
+:host: localhost
+:port: 8080
+:project_root: ./blaggard/spec/resources
+:git_path: /usr/bin/git
+:upload_pack: true
+:receive_pack: true
+:base_url: http://auth_server.com/api
+:group_resource: users_groups
+:use_acl: true

data/install.txt

@@ -0,0 +1,60 @@
+Installation
+========================
+
+** This documentation is not finished yet. I haven't tested all of 
+these and it's obviously incomplete - these are currently just notes.
+
+FastCGI
+---------------------------------------
+Here is an example config from lighttpd server:
+----
+# main fastcgi entry
+$HTTP["url"] =~ "^/myapp/.+$" {
+  fastcgi.server = ( "/myapp" =>
+    ( "localhost" =>
+      ( "bin-path"    => "/var/www/localhost/cgi-bin/dispatch.fcgi",
+        "docroot"     => "/var/www/localhost/htdocs/myapp",
+        "host"        => "127.0.0.1",
+        "port"        => 1026,
+        "check-local" => "disable" 
+      )
+    )
+  )
+} # HTTP[url]
+----
+You can use the examples/dispatch.fcgi file as your dispatcher.
+
+(Example Apache setup?)
+
+Installing in a Java application server
+---------------------------------------
+# install Warbler
+$ sudo gem install warbler
+$ cd gitsmart
+$ (edit config.ru)
+$ warble
+$ cp gitsmart.war /path/to/java/autodeploy/dir
+
+Unicorn
+---------------------------------------
+With Unicorn (http://unicorn.bogomips.org/) you can just run 'unicorn'
+in the directory with the config.ru file.
+
+Thin
+---------------------------------------
+thin.yml
+---
+pid: /home/deploy/myapp/server/thin.pid
+log: /home/deploy/myapp/logs/thin.log
+timeout: 30
+port: 7654
+max_conns: 1024
+chdir: /home/deploy/myapp/site_files
+rackup: /home/deploy/myapp/server/config.ru
+max_persistent_conns: 512
+environment: production
+address: 127.0.0.1
+servers: 1
+daemonize: true
+
+

data/lib/blaggard.rb

@@ -0,0 +1,33 @@
+require 'zlib'
+require 'rack/request'
+require 'rack/response'
+require 'rack/utils'
+require 'time'
+require 'rack'
+require 'yaml'
+
+require 'blaggard/git'
+require 'blaggard/server'
+require 'blaggard/group_config'
+require 'blaggard/advertisement'
+require 'blaggard/auth'
+require 'blaggard/bundle'
+require 'blaggard/group_finder'
+
+
+module Blaggard
+  def self.app_root
+    File.absolute_path(File.join(__FILE__, "../.."))
+  end
+  class App
+    def initialize(config = nil)
+      @server = Blaggard::Server.new(config)
+    end
+    def config
+      @server.config
+    end
+    def call(env)
+      @server.call env
+    end
+  end
+end

data/lib/blaggard/advertisement.rb

@@ -0,0 +1,92 @@
+module Blaggard
+  class Advertisement
+    def initialize(repo_path, groups, service)
+      @git = Blaggard::Git.new(repo_path)
+      @meta = Blaggard::GroupConfig.new(repo_path)
+      @groups = groups
+      @repo_path = repo_path
+      @service = service
+      @priv = service == "upload-pack" ? :read : :write
+      refs_hash
+    end
+
+    def raw_refs
+      @raw_refs ||= @git.execute(%W(#{@service} --stateless-rpc --advertise-refs #{@repo_path})).split("\n")
+      @first_ref_line ||= @raw_refs.first + "\n" # head_ref\0capabilities
+      @pk_end ||= @raw_refs.last
+      @raw_refs
+    end
+
+    def accessible_tags
+      @tags || begin
+        tags = accessible_branches.map{ |branch| @git.tags_on_branch(branch)}.flatten.compact
+        tags.map{ |tag| "refs/tags/#{tag}"}.uniq
+      rescue
+        []
+      end
+    end
+
+    def accessible_branches
+      @branches || begin
+        branches = @meta.branches(@groups, @priv)
+
+        if branches.include? "refs/heads/*"
+          return refs_hash.keys.select{ |ref| ref.start_with? "refs/heads/"}
+        end
+        branches
+      end
+    end
+
+    def refs_hash
+      # To access the refs quicker, put them in a hash where the ref name is the key
+      @refs_hash ||= Hash[ raw_refs[1..-2].collect { |v| ary = v.split; [ary.last, ary.first] } ]
+    end
+
+    def update_head
+      #sort refs by time since the most recent will be the HEAD if the user doesn't have access
+      # to the actual head
+      refs = @git.time_ordered_refs & accessible_branches
+      new_head = refs.first
+      line = @first_ref_line.gsub(/symref\=HEAD\:(.*?) /, "symref=HEAD:#{new_head} ")
+
+      new_sha = refs_hash[new_head]
+      line = line.gsub(/[a-f0-9]{44}/, new_sha)
+      update_line_length(line)
+    end
+
+    def update_line_length(line)
+      # Each line contains 4 bytes of line length followed by the ref followed by the branch name
+      # When HEAD is not accessible we need to update the line length of the first ref which includes
+      # all the capabilities
+
+      # Len should be (line.length - 4) to account for the first 4 bytes, but Ruby parses the \0 as
+      # unicode \u0000 which adds back 4 characters.
+      len = line.encode('utf-8').length
+      hex = "%04x" % len
+      return "#{hex}#{line[4..-1]}"
+    end
+
+
+    def can_access_head?
+      head_file = File.join(@repo_path, 'HEAD')
+      ref = File.open(head_file, &:readline).split.last rescue (return false)
+      @groups.each do |group|
+        return true if @meta.can_access_branch?(group, @priv, ref)
+      end
+      return false
+    end
+
+    def advertise
+      # Construct the new advertisement using the updated head and only the
+      # branches accessible to the user
+      # TODO: We need a quick way to get only the tags for the accessible branches.
+      result = can_access_head? ? @first_ref_line : update_head
+      result += accessible_branches.map{ |branch| "#{refs_hash[branch]} #{branch}" }.join("\n")
+      result += "\n" unless accessible_tags.empty?
+      result += accessible_tags.map{ |tag| "#{refs_hash[tag]} #{tag}" }.join("\n")
+      result += "\n#{@pk_end}"
+
+      return result
+    end
+  end
+end