Merge branch 'upstream' into gentoo

Conflicts:
	gitosis/run_hook.py
	gitosis/serve.py
	gitosis/test/test_run_hook.py
	gitosis/test/test_serve.py

9 files changed, 231 insertions, 21 deletions

diff --git a/MANIFEST.in b/MANIFEST.in
new file mode 100644
index 0000000..7e64813
--- /dev/null
+++ b/MANIFEST.in
@@ -0,0 +1,7 @@
+include COPYING
+include README.rst
+include example.conf
+include etc-event.d-local-git-daemon
+include gitweb.conf
+include lighttpd-gitweb.conf
+recursive-include gitosis/templates *
diff --git a/README.rst b/README.rst
index ee14705..9204776 100644
--- a/README.rst
+++ b/README.rst
@@ -41,7 +41,8 @@ First, we will create the user that will own the repositories. This is
 usually called ``git``, but any name will work, and you can have more
 than one per system if you really want to. The user does not need a
 password, but does need a valid shell (otherwise, SSH will refuse to
-work).
+work). Don't use an existing account unless you know what you're
+doing.
 
 I usually store ``git`` repositories in the subtree
 ``/srv/example.com/git`` (replace ``example.com`` with your own
diff --git a/example.conf b/example.conf
index 09ee5f4..87bd822 100644
--- a/example.conf
+++ b/example.conf
@@ -23,6 +23,11 @@ members = jdoe wsmith @anothergroup
 writable = foo bar baz/thud
 readonly = xyzzy
 
+## You can use groups just to avoid listing users multiple times. Note
+## no writable= or readonly= lines.
+[group anothergroup]
+members = alice bill
+
 ## You can play fancy tricks by making some repositories appear with
 ## different names in different contexts. Not really supported
 ## everywhere (e.g. gitweb) and can be confusing -- experts only.
diff --git a/gitosis/group.py b/gitosis/group.py
index 5c85833..5190aef 100644
--- a/gitosis/group.py
+++ b/gitosis/group.py
@@ -32,7 +32,11 @@ def _getMembership(config, user, seen):
         else:
             members = members.split()
 
-        if user in members:
+        # @all is the only group where membership needs to be
+        # bootstrapped like this, anything else gets started from the
+        # username itself
+        if (user in members
+            or '@all' in members):
             log.debug('found %(user)r in %(group)r' % dict(
                 user=user,
                 group=group,
diff --git a/gitosis/serve.py b/gitosis/serve.py
index 5c02437..2ba8a75 100644
--- a/gitosis/serve.py
+++ b/gitosis/serve.py
@@ -15,16 +15,18 @@ from gitosis import app
 from gitosis import util
 from gitosis import run_hook
 
-ALLOW_RE = re.compile(
-    "^'(?P<path>[a-zA-Z0-9][a-zA-Z0-9@._-]*(/[a-zA-Z0-9][a-zA-Z0-9@._-]*)*)'$"
-    )
+log = logging.getLogger('gitosis.serve')
+
+ALLOW_RE = re.compile("^'/*(?P<path>[a-zA-Z0-9][a-zA-Z0-9@._-]*(/[a-zA-Z0-9][a-zA-Z0-9@._-]*)*)'$")
 
 COMMANDS_READONLY = [
     'git-upload-pack',
+    'git upload-pack',
     ]
 
 COMMANDS_WRITE = [
     'git-receive-pack',
+    'git receive-pack',
     ]
 
 class ServingError(Exception):
@@ -62,9 +64,19 @@ def serve(cfg, user, command):
     try:
         verb, args = command.split(None, 1)
     except ValueError:
-        # all known commands take one argument; improve if/when needed
+        # all known "git-foo" commands take one argument; improve
+        # if/when needed
         raise UnknownCommandError()
 
+    if verb == 'git':
+        try:
+            subverb, args = args.split(None, 1)
+        except ValueError:
+            # all known "git foo" commands take one argument; improve
+            # if/when needed
+            raise UnknownCommandError()
+        verb = '%s %s' % (verb, subverb)
+
     if (verb not in COMMANDS_WRITE
         and verb not in COMMANDS_READONLY):
         raise UnknownCommandError()
@@ -100,6 +112,21 @@ def serve(cfg, user, command):
         path=path)
 
     if newpath is None:
+        # didn't have write access; try once more with the popular
+        # misspelling
+        newpath = access.haveAccess(
+            config=cfg,
+            user=user,
+            mode='writeable',
+            path=path)
+        if newpath is not None:
+            log.warning(
+                'Repository %r config has typo "writeable", '
+                +'should be "writable"',
+                path,
+                )
+
+    if newpath is None:
         # didn't have write access
 
         newpath = access.haveAccess(
@@ -170,15 +197,15 @@ class Main(app.App):
         except ValueError:
             parser.error('Missing argument USER.')
 
-        log = logging.getLogger('gitosis.serve.main')
+        main_log = logging.getLogger('gitosis.serve.main')
         os.umask(0022)
 
         cmd = os.environ.get('SSH_ORIGINAL_COMMAND', None)
         if cmd is None:
-            log.error('Need SSH_ORIGINAL_COMMAND in environment.')
+            main_log.error('Need SSH_ORIGINAL_COMMAND in environment.')
             sys.exit(1)
 
-        log.debug('Got command %(cmd)r' % dict(
+        main_log.debug('Got command %(cmd)r' % dict(
             cmd=cmd,
             ))
 
@@ -190,11 +217,11 @@ class Main(app.App):
                 user=user,
                 command=cmd,
                 )
-        except ServingError, ex:
-            log.error('%s', ex)
+        except ServingError, e:
+            main_log.error('%s', e)
             sys.exit(1)
 
-        log.debug('Serving %s', newcmd)
-        os.execvp('git-shell', ['git-shell', '-c', newcmd])
-        log.error('Cannot execute git-shell.')
+        main_log.debug('Serving %s', newcmd)
+        os.execvp('git', ['git', 'shell', '-c', newcmd])
+        main_log.error('Cannot execute git-shell.')
         sys.exit(1)
diff --git a/gitosis/test/test_access.py b/gitosis/test/test_access.py
index 9f9d81a..f39444c 100644
--- a/gitosis/test/test_access.py
+++ b/gitosis/test/test_access.py
@@ -1,5 +1,6 @@
 from nose.tools import eq_ as eq
 
+import logging
 from ConfigParser import RawConfigParser
 
 from gitosis import access
@@ -78,6 +79,14 @@ def test_read_yes_map_wouldHaveWritable():
     eq(access.haveAccess(config=cfg, user='jdoe', mode='readonly', path='foo/bar'),
        None)
 
+def test_read_yes_all():
+    cfg = RawConfigParser()
+    cfg.add_section('group fooers')
+    cfg.set('group fooers', 'members', '@all')
+    cfg.set('group fooers', 'readonly', 'foo/bar')
+    eq(access.haveAccess(config=cfg, user='jdoe', mode='readonly', path='foo/bar'),
+       ('repositories', 'foo/bar'))
+
 def test_base_global_absolute():
     cfg = RawConfigParser()
     cfg.add_section('gitosis')
diff --git a/gitosis/test/test_serve.py b/gitosis/test/test_serve.py
index 87b2e2a..4b414c4 100644
--- a/gitosis/test/test_serve.py
+++ b/gitosis/test/test_serve.py
@@ -1,7 +1,9 @@
 from nose.tools import eq_ as eq
 from gitosis.test.util import assert_raises
 
+import logging
 import os
+from cStringIO import StringIO
 from ConfigParser import RawConfigParser
 
 from gitosis import serve
@@ -21,7 +23,7 @@ def test_bad_newLine():
     eq(str(e), 'Command may not contain newline')
     assert isinstance(e, serve.ServingError)
 
-def test_bad_nospace():
+def test_bad_dash_noargs():
     cfg = RawConfigParser()
     e = assert_raises(
         serve.UnknownCommandError,
@@ -33,6 +35,18 @@ def test_bad_nospace():
     eq(str(e), 'Unknown command denied')
     assert isinstance(e, serve.ServingError)
 
+def test_bad_space_noargs():
+    cfg = RawConfigParser()
+    e = assert_raises(
+        serve.UnknownCommandError,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command='git upload-pack',
+        )
+    eq(str(e), 'Unknown command denied')
+    assert isinstance(e, serve.ServingError)
+
 def test_bad_command():
     cfg = RawConfigParser()
     e = assert_raises(
@@ -45,19 +59,43 @@ def test_bad_command():
     eq(str(e), 'Unknown command denied')
     assert isinstance(e, serve.ServingError)
 
-def test_bad_unsafeArguments():
+def test_bad_unsafeArguments_notQuoted():
+    cfg = RawConfigParser()
+    e = assert_raises(
+        serve.UnsafeArgumentsError,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command="git-upload-pack foo",
+        )
+    eq(str(e), 'Arguments to command look dangerous')
+    assert isinstance(e, serve.ServingError)
+
+def test_bad_unsafeArguments_badCharacters():
+    cfg = RawConfigParser()
+    e = assert_raises(
+        serve.UnsafeArgumentsError,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command="git-upload-pack 'ev!l'",
+        )
+    eq(str(e), 'Arguments to command look dangerous')
+    assert isinstance(e, serve.ServingError)
+
+def test_bad_unsafeArguments_dotdot():
     cfg = RawConfigParser()
     e = assert_raises(
         serve.UnsafeArgumentsError,
         serve.serve,
         cfg=cfg,
         user='jdoe',
-        command='git-upload-pack /evil/attack',
+        command="git-upload-pack 'something/../evil'",
         )
     eq(str(e), 'Arguments to command look dangerous')
     assert isinstance(e, serve.ServingError)
 
-def test_bad_forbiddenCommand_read():
+def test_bad_forbiddenCommand_read_dash():
     cfg = RawConfigParser()
     e = assert_raises(
         serve.ReadAccessDenied,
@@ -70,7 +108,20 @@ def test_bad_forbiddenCommand_read():
     assert isinstance(e, serve.AccessDenied)
     assert isinstance(e, serve.ServingError)
 
-def test_bad_forbiddenCommand_write_noAccess():
+def test_bad_forbiddenCommand_read_space():
+    cfg = RawConfigParser()
+    e = assert_raises(
+        serve.ReadAccessDenied,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command="git upload-pack 'foo'",
+        )
+    eq(str(e), 'Repository read access denied')
+    assert isinstance(e, serve.AccessDenied)
+    assert isinstance(e, serve.ServingError)
+
+def test_bad_forbiddenCommand_write_noAccess_dash():
     cfg = RawConfigParser()
     e = assert_raises(
         serve.ReadAccessDenied,
@@ -85,7 +136,22 @@ def test_bad_forbiddenCommand_write_noAccess():
     assert isinstance(e, serve.AccessDenied)
     assert isinstance(e, serve.ServingError)
 
-def test_bad_forbiddenCommand_write_readAccess():
+def test_bad_forbiddenCommand_write_noAccess_space():
+    cfg = RawConfigParser()
+    e = assert_raises(
+        serve.ReadAccessDenied,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command="git receive-pack 'foo'",
+        )
+    # error message talks about read in an effort to make it more
+    # obvious that jdoe doesn't have *even* read access
+    eq(str(e), 'Repository read access denied')
+    assert isinstance(e, serve.AccessDenied)
+    assert isinstance(e, serve.ServingError)
+
+def test_bad_forbiddenCommand_write_readAccess_dash():
     cfg = RawConfigParser()
     cfg.add_section('group foo')
     cfg.set('group foo', 'members', 'jdoe')
@@ -101,7 +167,23 @@ def test_bad_forbiddenCommand_write_readAccess():
     assert isinstance(e, serve.AccessDenied)
     assert isinstance(e, serve.ServingError)
 
-def test_simple_read():
+def test_bad_forbiddenCommand_write_readAccess_space():
+    cfg = RawConfigParser()
+    cfg.add_section('group foo')
+    cfg.set('group foo', 'members', 'jdoe')
+    cfg.set('group foo', 'readonly', 'foo')
+    e = assert_raises(
+        serve.WriteAccessDenied,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command="git receive-pack 'foo'",
+        )
+    eq(str(e), 'Repository write access denied')
+    assert isinstance(e, serve.AccessDenied)
+    assert isinstance(e, serve.ServingError)
+
+def test_simple_read_dash():
     tmp = util.maketemp()
     repository.init(os.path.join(tmp, 'foo.git'))
     cfg = RawConfigParser()
@@ -166,6 +248,22 @@ def test_simple_write():
         )
     eq(got, "git-receive-pack '%s/foo.git'" % tmp)
 
+def test_simple_write_space():
+    tmp = util.maketemp()
+    repository.init(os.path.join(tmp, 'foo.git'))
+    cfg = RawConfigParser()
+    cfg.add_section('gitosis')
+    cfg.set('gitosis', 'repositories', tmp)
+    cfg.add_section('group foo')
+    cfg.set('group foo', 'members', 'jdoe')
+    cfg.set('group foo', 'writable', 'foo')
+    got = serve.serve(
+        cfg=cfg,
+        user='jdoe',
+        command="git receive-pack 'foo'",
+        )
+    eq(got, "git receive-pack '%s/foo.git'" % tmp)
+
 def test_push_inits_if_needed():
     # a push to a non-existent repository (but where config authorizes
     # you to do that) will create the repository on the fly
@@ -424,3 +522,52 @@ def test_push_inits_sets_export_ok():
     path = os.path.join(repositories, 'foo.git', 'git-daemon-export-ok')
     assert os.path.exists(path)
 
+def test_absolute():
+    # as the only convenient way to use non-standard SSH ports with
+    # git is via the ssh://user@host:port/path syntax, and that syntax
+    # forces absolute urls, just force convert absolute paths to
+    # relative paths; you'll never really want absolute paths via
+    # gitosis, anyway.
+    tmp = util.maketemp()
+    repository.init(os.path.join(tmp, 'foo.git'))
+    cfg = RawConfigParser()
+    cfg.add_section('gitosis')
+    cfg.set('gitosis', 'repositories', tmp)
+    cfg.add_section('group foo')
+    cfg.set('group foo', 'members', 'jdoe')
+    cfg.set('group foo', 'readonly', 'foo')
+    got = serve.serve(
+        cfg=cfg,
+        user='jdoe',
+        command="git-upload-pack '/foo'",
+        )
+    eq(got, "git-upload-pack '%s/foo.git'" % tmp)
+
+def test_typo_writeable():
+    tmp = util.maketemp()
+    repository.init(os.path.join(tmp, 'foo.git'))
+    cfg = RawConfigParser()
+    cfg.add_section('gitosis')
+    cfg.set('gitosis', 'repositories', tmp)
+    cfg.add_section('group foo')
+    cfg.set('group foo', 'members', 'jdoe')
+    cfg.set('group foo', 'writeable', 'foo')
+    log = logging.getLogger('gitosis.serve')
+    buf = StringIO()
+    handler = logging.StreamHandler(buf)
+    log.addHandler(handler)
+    try:
+        got = serve.serve(
+            cfg=cfg,
+            user='jdoe',
+            command="git-receive-pack 'foo'",
+            )
+    finally:
+        log.removeHandler(handler)
+    eq(got, "git-receive-pack '%s/foo.git'" % tmp)
+    handler.flush()
+    eq(
+        buf.getvalue(),
+        "Repository 'foo' config has typo \"writeable\", shou"
+        +"ld be \"writable\"\n",
+        )
diff --git a/gitweb.conf b/gitweb.conf
index 8fb62d1..32d81b1 100644
--- a/gitweb.conf
+++ b/gitweb.conf
@@ -15,6 +15,15 @@ $projectroot = "/srv/example.com/git/repositories";
 # is already sharing anonymously.
 $export_ok = "git-daemon-export-ok";
 
+# Alternatively, you could set these, to allow exactly the things in
+# projects.list, which in this case is the repos with gitweb=yes
+# in gitosis.conf. This means you don't need daemon=yes, but you
+# can't have repositories hidden but browsable if you know the name.
+# And note gitweb already allows downloading the full repository,
+# so you might as well serve git-daemon too.
+# $export_ok = "";
+# $strict_export = "true";
+
 # A list of base urls where all the repositories can be cloned from.
 # Easier than having per-repository cloneurl files.
 @git_base_url_list = ('git://example.com');
diff --git a/lighttpd-gitweb.conf b/lighttpd-gitweb.conf
index cd0bedd..1046add 100644
--- a/lighttpd-gitweb.conf
+++ b/lighttpd-gitweb.conf
@@ -1,6 +1,7 @@
 server.modules  += (
   "mod_cgi",
   "mod_setenv",
+  "mod_redirect",
 )
 
 url.redirect += (