5 developers can access a git repository through the same SSH account. I need to restrict pushes to some branches (production, development) in that repo. How can I implement simple branch security with git hooks?
Posted on 2013-08-14 08:10:59
First, let me point out that in git more than one branch can be uploaded with a single push command, and in this case that can be a security risk. To avoid that you should use a script like the one below (just think: everybody may push to the first branch, but not to the second... the authorization is done for the first one -- but what about the second?)
#!/bin/sh
# pre-receive hook: git feeds one "<oldrev> <newrev> <refname>" line per pushed ref on stdin
refname=
while read anotherOldrev anotherNewrev anotherRefname
do
    # second path component of the ref: "heads" for branches, "tags" for tags
    newRefType="$(echo "$anotherRefname" | awk '{split($0,a,"/"); print a[2]}')"
    if test "$newRefType" = "heads"
    then
        #branch
        if test -n "$refname"
        then
            #branch, 2nd time, which means another branch is in the same push: reject it
            echo "pushing more than one branch at once is not allowed" >&2
            exit 1
        else
            #branch, 1st time
            oldrev=$anotherOldrev
            newrev=$anotherNewrev
            refname=$anotherRefname
        fi
    else
        #tag
        :
    fi
done
Second, I'm not sure whether you can do the authorization in the pre-receive hook, because all the information you get is the old rev, the new rev and the ref name. Temporarily changing the name... but it is just one or two commands (http://git-scm.com/book/en/Customizing-Git)
Posted on 2013-08-14 10:45:32
You can do this with a pre-receive or update hook, yes. (The difference here is that a pre-receive hook can only accept or reject the whole push, while an update hook can accept or reject each individual ref update.) Note that gitolite supports this "out of the box". See the Git book for a high-level overview.
Posted on 2013-08-14 07:21:06
A simple solution with a pre-receive hook:
#!/bin/bash
# pre-receive: hand every "<old_rev> <new_rev> <ref_name>" line to each executable
# script in hooks/pre-receive.d; if any script fails, the whole push is rejected
status=0
while read old_rev new_rev ref_name; do
    for script in $(find "$PWD/hooks/pre-receive.d/" -perm -100 -type f); do
        "${script}" "$old_rev" "$new_rev" "$ref_name"
        if [ "$?" -ne 0 ]; then
            status=1
        fi
    done
done
exit ${status}
This file must be placed in the pre-receive.d directory:
#!/bin/bash
old_rev=$1
new_rev=$2
ref_name=$3
# Secure branches
sec_branches=(refs/heads/production refs/heads/development)
# Authorized users
authorized_users=('John Doe' 'Bob Smith')
# exact membership test (a glob such as *${ref_name}* would also match refs/heads/prod,
# and *${author}* would accept "John" because it is a substring of "John Doe")
in_array() {
    local needle=$1; shift
    local item
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}
# get rev type
zero="0000000000000000000000000000000000000000"
if [ "$new_rev" = "$zero" ]; then
    new_rev_type=delete
else
    new_rev_type=$(git cat-file -t "${new_rev}")
fi
case "$ref_name","$new_rev_type" in
    refs/heads/*,commit)
        # new commit on a branch
        if in_array "$ref_name" "${sec_branches[@]}"; then
            # Save author and committer of the pushed tip commit into variables
            commit_prefs=$(git log -1 --pretty=format:'%an:%cn' "${new_rev}")
            IFS=":" read -r author committer <<< "$commit_prefs"
            # if author not in allowed persons - exit
            if ! in_array "$author" "${authorized_users[@]}"; then
                branch_name=${ref_name#refs/heads/}
                echo
                echo "You're not allowed to push in $branch_name branch" >&2
                echo
                exit 1
            fi
            # if committer and author not equal - exit
            if [ "$author" != "$committer" ]; then
                echo
                echo "You're not author of pushed commits. This is prohibited" >&2
                echo
                exit 1
            fi
        fi
        ;;
esac
Update
As torek pointed out in the comments, this is not a secure solution, but it does prevent accidents.
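An added example (not code from any of the answers above) of the per-ref update hook that the second answer mentions: it matches protected refs exactly rather than by glob substring, refuses to delete them, and takes the pusher's identity from an environment variable instead of the forgeable commit author field. The variable name GIT_PUSHER is an assumption: since all developers share one SSH account, it is assumed to be exported by a per-key command= wrapper in authorized_keys before git-shell runs; the identities alice and bob are constructed samples.

```sh
#!/bin/sh
# "update" hook: git runs it once per ref as  <refname> <old-sha> <new-sha>
# and a non-zero exit rejects only that ref, not the whole push.
# $GIT_PUSHER is ASSUMED to be set by the authorized_keys command= wrapper
# (hypothetical variable name, not a git convention).

PROTECTED_REFS="refs/heads/production refs/heads/development"
AUTHORIZED_PUSHERS="alice bob"    # constructed sample identities

# Exact, whole-word membership test: "refs/heads/prod" must NOT match
# "refs/heads/production", and "al" must NOT match "alice".
in_list() {          # in_list <needle> "<space separated list>"
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# check_update <refname> <oldrev> <newrev>  -> returns 0 to allow, 1 to reject
check_update() {
    ref=$1; old=$2; new=$3
    zero=0000000000000000000000000000000000000000

    # Unprotected refs (feature branches, tags) are always allowed.
    in_list "$ref" "$PROTECTED_REFS" || return 0

    # Protected refs: never allow deletion, whoever asks.
    if [ "$new" = "$zero" ]; then
        echo "refusing to delete protected ref $ref" >&2
        return 1
    fi

    # Identity comes from the SSH key wrapper, not from commit metadata.
    if [ -z "${GIT_PUSHER:-}" ] || ! in_list "$GIT_PUSHER" "$AUTHORIZED_PUSHERS"; then
        echo "pusher '${GIT_PUSHER:-unknown}' may not update $ref" >&2
        return 1
    fi
    return 0
}

# When git invokes this file as the update hook, enforce and exit.
if [ "$#" -eq 3 ]; then
    check_update "$1" "$2" "$3"
    exit $?
fi
```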
https://stackoverflow.com/questions/18225524