Support custom policy for SVN access rules

Implements following rules:
- Users
- Users of any project
- Users of all projects
- Administrators
- Signers

When no rule matches ('If No Rules Match'), access is implicitly
considered to be 'DENY'.

It is not possible to control access based on the Moon phase.
2020-09-17 12:38:14 +02:00
parent b2d7879162
commit 1bcc201b0a


@@ -67,6 +67,138 @@ function handleSingleUserPHID(
$access[$branches_pathname]['RW'][] = $user_name;
}
function getProjectMembersPHIDs($viewer, $project_phid) {
$project = id(new PhabricatorProjectQuery())
->setViewer($viewer)
->needMembers(true)
->withPHIDs(array($project_phid))
->executeOne();
return $project->getMemberPHIDs();
}
function handleProjectPHID(
$viewer, $project_phid, $repository, &$namemap, &$access) {
$memberPHIDs = getProjectMembersPHIDs($viewer, $project_phid);
foreach ($memberPHIDs as $memberPHID) {
handleSingleUserPHID(
$viewer, $memberPHID, $repository, $namemap, $access);
}
}
function handleUsersPolicyRule(
$viewer, $rule, $repository, &$namemap, &$access) {
foreach ($rule['value'] as $user_phid) {
handleSingleUserPHID(
$viewer, $user_phid, $repository, $namemap, $access);
}
}
function handleProjectsPolicyRule(
$viewer, $rule, $repository, &$namemap, &$access) {
foreach ($rule['value'] as $project_phid) {
handleProjectPHID(
$viewer, $project_phid, $repository, $namemap, $access);
}
}
function handleProjectsAllPolicyRule(
$viewer, $rule, $repository, &$namemap, &$access) {
$is_first_project = true;
$allowed_members_phids = array();
foreach ($rule['value'] as $project_phid) {
$memberPHIDs = getProjectMembersPHIDs($viewer, $project_phid);
if ($is_first_project) {
$allowed_members_phids = $memberPHIDs;
$is_first_project = false;
} else {
$allowed_members_phids = array_intersect(
$allowed_members_phids, $memberPHIDs);
}
}
foreach ($allowed_members_phids as $user_phid) {
handleSingleUserPHID(
$viewer, $user_phid, $repository, $namemap, $access);
}
}
function handleAdministratorsPolicyRule(
$viewer, $rule, $repository, &$namemap, &$access) {
$administrators = id(new PhabricatorPeopleQuery())
->setViewer($viewer)
->withIsAdmin(true)
->execute();
foreach ($administrators as $administrator) {
handleSingleUserPHID(
$viewer, $administrator->getPHID(), $repository, $namemap, $access);
}
}
function handleLegalpadSingleDocument(
$viewer, $document, $repository, &$namemap, &$access) {
if ($document->getSignatureType() !=
LegalpadDocument::SIGNATURE_TYPE_INDIVIDUAL) {
return;
}
foreach ($document->getSignatures() as $signature) {
if ($signature->getSignatureType() !=
LegalpadDocument::SIGNATURE_TYPE_INDIVIDUAL) {
continue;
}
handleSingleUserPHID(
$viewer, $signature->getSignerPHID(), $repository, $namemap, $access);
}
}
function handleLegalpadSignaturePolicyRule(
$viewer, $rule, $repository, &$namemap, &$access) {
$documents = id(new LegalpadDocumentQuery())
->setViewer($viewer)
->withPHIDs($rule['value'])
->needSignatures(true)
->execute();
foreach ($documents as $document) {
handleLegalpadSingleDocument(
$viewer, $document, $repository, $namemap, $access);
}
}
function handleCustomPolicyRule(
$viewer, $rule, $repository, &$namemap, &$access) {
if ($rule['action'] != PhabricatorPolicy::ACTION_ALLOW) {
// By default the script decides to DENY unless explicitly allowed.
return;
}
$rule_type = $rule['rule'];
if ($rule_type == 'PhabricatorUsersPolicyRule') {
handleUsersPolicyRule(
$viewer, $rule, $repository, $namemap, $access);
} else if ($rule_type == 'PhabricatorProjectsPolicyRule') {
handleProjectsPolicyRule(
$viewer, $rule, $repository, $namemap, $access);
} else if ($rule_type == 'PhabricatorProjectsAllPolicyRule') {
handleProjectsAllPolicyRule(
$viewer, $rule, $repository, $namemap, $access);
} else if ($rule_type == 'PhabricatorAdministratorsPolicyRule') {
handleAdministratorsPolicyRule(
$viewer, $rule, $repository, $namemap, $access);
} else if ($rule_type == 'PhabricatorLegalpadSignaturePolicyRule') {
handleLegalpadSignaturePolicyRule(
$viewer, $rule, $repository, $namemap, $access);
}
}
function handleCustomPolicy(
$viewer, $policy, $repository, &$namemap, &$access) {
foreach ($policy->getRules() as $rule) {
handleCustomPolicyRule($viewer, $rule, $repository, $namemap, $access);
}
}
// Parse repository and put it's members to the config file
function handleSingleRepository(
$viewer, $repository, &$namemap, &$access) {
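Review bot: handleCustomPolicyRule returns early for every rule whose action is not ACTION_ALLOW, so a DENY rule inside a custom policy has no effect on the generated SVN access file, and the result is the union of all ALLOW rules. Phabricator evaluates custom-policy rules in order with the first matching rule deciding, so a user matched by an early DENY and a later ALLOW is denied by Phabricator but granted RW here — the export over-grants relative to the policy it mirrors. The conservative fix is to fail closed in handleCustomPolicy: stop processing the policy at the first non-ALLOW rule, which keeps the already-processed ALLOW rules exact and withholds (never wrongly grants) everything behind the DENY. Separately, getProjectMembersPHIDs calls getMemberPHIDs() on the result of executeOne(), which is null when the project is not visible to $viewer; guard it with `if (!$project) { return array(); }` so an invisible project contributes no members instead of aborting the run.
```php
function handleCustomPolicy(
  $viewer, $policy, $repository, &$namemap, &$access) {
  foreach ($policy->getRules() as $rule) {
    if ($rule['action'] !== PhabricatorPolicy::ACTION_ALLOW) {
      // Rules are ordered and first-match wins, so a DENY here overrides
      // any later ALLOW for the users it matches. That cannot be expressed
      // as a union of allowed users, so stop: the ALLOW rules already
      // processed are exact and nothing after this point is granted.
      return;
    }
    handleCustomPolicyRule($viewer, $rule, $repository, $namemap, $access);
  }
}
```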
@@ -85,21 +217,14 @@ function handleSingleRepository(
}
if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) {
$project = id(new PhabricatorProjectQuery())
->setViewer($viewer)
->needMembers(true)
->withPHIDs(array($pushable->getPHID()))
->executeOne();
$memberPHIDs = $project->getMemberPHIDs();
foreach ($memberPHIDs as $memberPHID) {
handleSingleUserPHID(
$viewer, $memberPHID, $repository, $namemap, $access);
}
handleProjectPHID(
$viewer, $pushable->getPHID(), $repository, $namemap, $access);
} else if ($type == PhabricatorPolicyType::TYPE_USER) {
handleSingleUserPHID(
$viewer, $pushable->getPHID(), $repository, $namemap, $access);
} else if ($type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) {
handleCustomPolicy(
$viewer, $pushable, $repository, $namemap, $access);
/* pass */
} else {
/* pass */