This project implements a dynamic Git auth backend for Pagure for Dist-Git, which has a slightly different access model than regular Pagure Git systems.
This plugin reuses the Pagure configuration, and adds several keys to it.
ACL_DEBUG: Whether to print some output with information decisions are based on.
ACL_PROTECTED_NAMESPACES: List of namespaces where the extra strong protections are in place.
BLACKLIST_RES: List of regular expressions with refs that can never be pushed.
ACL_BLOCK_UNSPECIFIED: Whether to deny pushes to branches that aren't either RCM, SIG or supported branches.
UNSPECIFIED_BLACKLIST_RES: List of regular expressions with refs that can't be used if unspecified.
RCM_BRANCHES: List of regular expressions with refs that people in the RCM group can push.
RCM_GROUP: The group containing RCM members
SUPPORTED_SIGS: List of groups that grant access to sig_prefix-$signame-* refs.
SIG_PREFIXES: List of prefixes for SIG refs.
To enable this plugin, you need to either point the PAGURE_PLUGIN environment variable at the pagure_distgit_config file or use the --plugin parameter of the runserver.py script.
ACL_DEBUG = False ACL_BLOCK_UNSPECIFIED = False ACL_PROTECTED_NAMESPACES = ['rpms', 'modules', 'container'] RCM_GROUP = 'relenggroup' RCM_BRANCHES = ['refs/heads/f[0-9]+'] # Pushing to c* stuff is never allowed BLACKLIST_RES = ['refs/heads/c[0-9]+.*'] # Pushing to (f|epel|el|olpc)(num+) that is not previously approved # (supported branches) is not allowed. UNSPECIFIED_BLACKLIST_RES = ['refs/heads/f[0-9]+', 'refs/heads/epel[0-9]+', 'refs/heads/el[0-9]+', 'refs/heads/olpc[0-9]+']
SIG_PREFIXES = ['refs/heads/c7', 'refs/heads/c7-plus', 'refs/heads/c7-alt', ] SUPPORTED_SIGS = ['sig-atomic', 'sig-cloud', 'sig-core', 'sig-storage', ] # Branches to which *nobody* will be able to push (basically Fedora) BLACKLIST_RES = ['refs/heads/el[0-9]+.*', 'refs/heads/olpc[0-9]+.*', ] ### Specific ACO group that will have access to all protected branches with RWC rights RCM_GROUP = 'centos-rcm' RCM_BRANCHES = ['refs/heads/c[0-9]+.*', 'refs/tags/.*', ]
The tests here require the test suite of pagure itself to work. You have to modify your PYTHONPATH to find them. Run with:
$ PYTHONPATH=.:/path/to/pagure/checkout pytest pagure_distgit_tests/
You can use our requirements-testing.txt to install testing dependencies with pip:
$ pip install -r /path/to/pagure/checkout/requirements.txt $ pip install -r /path/to/pagure/checkout/requirements-testing.txt $ pip install -r requirements-testing.txt
The dist-git needs pagure to run. This guide will use the existing pagure vagrant setup with few modifications. First you need to clone pagure:
$ git clone https://pagure.io/pagure.git $ cd pagure
Next step is to copy Vagrantfile.example as Vagrantfile to git root folder:
$ cp dev/Vagrantfile.example Vagrantfile
Add mount point for the dist-git repository. You need to add the following to Vagrantfile:
config.vm.synced_folder "/path/to/pagure-dist-git", "/srv/pagure-dist-git", type: "sshfs"
Create the vagrant machine and ssh into it:
$ vagrant up && vagrant ssh
In the vagrant we need to do a few more steps. First add dist-git specific tables and some test data:
$ cd /srv/pagure-dist-git/ $ sudo -u git python createdb.py -c /etc/pagure/pagure.cfg $ cd /srv/pagure $ sudo -u git PAGURE_CONFIG="/etc/pagure/pagure.cfg" python dev-data.py -a
Add theme to /etc/pagure/pagure.cfg:
THEME = 'srcfpo'
Update /etc/systemd/system/pagure.service with env variables:
Stop the running pagure instance:
Reload systemd daemons:
$ sudo systemctl daemon-reload
Start the pagure instance again:
Now you should have running instance of pagure with dist-git on http://localhost:5000. Nice hacking! :-)