Merge pull request #205 from jedwards4b/sunset_svn_git_access
Sunset svn git access
jedwards4b authored Nov 17, 2023
2 parents 38bcc0a + 82a5edf commit 0f884bf
Showing 40 changed files with 1,122 additions and 42 deletions.
12 changes: 10 additions & 2 deletions manic/repository_git.py
@@ -7,6 +7,7 @@

import copy
import os
import sys

from .global_constants import EMPTY_STR, LOCAL_PATH_INDICATOR
from .global_constants import VERBOSITY_VERBOSE
@@ -839,12 +840,19 @@ def _git_update_submodules(verbosity, dirname):
"""Run git submodule update for the side effect of updating this
repo's submodules.
"""
# due to https://vielmetti.typepad.com/logbook/2022/10/git-security-fixes-lead-to-fatal-transport-file-not-allowed-error-in-ci-systems-cve-2022-39253.html
# submodules from file doesn't work without overriding the protocol, this is done
# for testing submodule support but should not be done in practice
file_protocol = ""
if 'unittest' in sys.modules.keys():
file_protocol = "-c protocol.file.allow=always"

# First, verify that we have a .gitmodules file
if os.path.exists(
os.path.join(dirname,
ExternalsDescription.GIT_SUBMODULES_FILENAME)):
cmd = ('git -C {dirname} submodule update --init --recursive'
.format(dirname=dirname)).split()
cmd = ('git {file_protocol} -C {dirname} submodule update --init --recursive'
.format(file_protocol=file_protocol, dirname=dirname)).split()
if verbosity >= VERBOSITY_VERBOSE:
printlog(' {0}'.format(' '.join(cmd)))

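Review bot: Gating `-c protocol.file.allow=always` on `'unittest' in sys.modules.keys()` in `_git_update_submodules` is too loose, because any process that has imported unittest, directly or through a dependency such as `unittest.mock`, would run `git submodule update --init --recursive` with the file transport re-enabled, which is the restriction git introduced for CVE-2022-39253. An explicit opt-in that only the test harness sets keeps the override out of normal checkouts, e.g. `if os.environ.get('MANIC_ALLOW_FILE_PROTOCOL') == '1':` (variable name constructed for illustration). Alternatively the tests can export git's own `GIT_CONFIG_COUNT=1`, `GIT_CONFIG_KEY_0=protocol.file.allow` and `GIT_CONFIG_VALUE_0=always` on git versions that support them, so this function needs no override at all, provided the subprocess helper inherits the environment. Separately, the command is still built by formatting a string and calling `.split()`, so a `dirname` containing whitespace is split into several arguments; building the argument list directly avoids that. The function body continues past the end of this hunk.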
3 changes: 3 additions & 0 deletions manic/repository_svn.py
@@ -42,6 +42,9 @@ def __init__(self, component_name, repo, ignore_ancestry=False):
Parse repo (a <repo> XML element).
"""
Repository.__init__(self, component_name, repo)
if 'github.com' in self._url:
msg = "SVN access to github.com is no longer supported"
fatal_error(msg)
self._ignore_ancestry = ignore_ancestry
if self._url.endswith('/'):
# there is already a '/' separator in the URL; no need to add another
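Review bot: The `'github.com' in self._url` test in `__init__` is a substring match on the whole URL, so it also rejects URLs on other hosts whose path merely contains `github.com`, and it misses a host written as `GitHub.com` even though hostnames are case-insensitive. Comparing the parsed host is more precise, e.g. `host = (urlparse(self._url).hostname or '').lower()` followed by `if host == 'github.com' or host.endswith('.github.com'):`, which needs a `urlparse` import that is not visible in this hunk. The error text would also be easier to act on if it named the component and URL, e.g. `msg = "SVN access to github.com is no longer supported: {0} ({1})".format(component_name, self._url)`. The `__init__` body continues past the end of this hunk.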
4 changes: 2 additions & 2 deletions test/repos/README.md
@@ -1,6 +1,6 @@
Git repositories for testing git-related behavior. For usage and terminology notes, see test/test_sys_checkout.py.
Git and svn repositories for testing git and svn-related behavior. For usage and terminology notes, see test/test_sys_checkout.py.

To list files and view file contents at HEAD:
For git repos: To list files and view file contents at HEAD:
```
cd <repo_dir>
git ls-tree --full-tree -r --name-only HEAD
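--- a/test/repos/simple-ext.svn/README.txt
+++ b/test/repos/simple-ext.svn/README.txt
@@ -0,0 +1,5 @@
+This is a Subversion repository; use the 'svnadmin' and 'svnlook'
+tools to examine it. Do not add, delete, or modify files here
+unless you know how to avoid corrupting the repository.
+
+Visit http://subversion.apache.org/ for more information.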
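--- a/test/repos/simple-ext.svn/conf/authz
+++ b/test/repos/simple-ext.svn/conf/authz
@@ -0,0 +1,32 @@
+### This file is an example authorization file for svnserve.
+### Its format is identical to that of mod_authz_svn authorization
+### files.
+### As shown below each section defines authorizations for the path and
+### (optional) repository specified by the section name.
+### The authorizations follow. An authorization line can refer to:
+### - a single user,
+### - a group of users defined in a special [groups] section,
+### - an alias defined in a special [aliases] section,
+### - all authenticated users, using the '$authenticated' token,
+### - only anonymous users, using the '$anonymous' token,
+### - anyone, using the '*' wildcard.
+###
+### A match can be inverted by prefixing the rule with '~'. Rules can
+### grant read ('r') access, read-write ('rw') access, or no access
+### ('').
+
+[aliases]
+# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average
+
+[groups]
+# harry_and_sally = harry,sally
+# harry_sally_and_joe = harry,sally,&joe
+
+# [/foo/bar]
+# harry = rw
+# &joe = r
+# * =
+
+# [repository:/baz/fuz]
+# @harry_and_sally = rw
+# * = r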
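--- a/test/repos/simple-ext.svn/conf/hooks-env.tmpl
+++ b/test/repos/simple-ext.svn/conf/hooks-env.tmpl
@@ -0,0 +1,19 @@
+### This file is an example hook script environment configuration file.
+### Hook scripts run in an empty environment by default.
+### As shown below each section defines environment variables for a
+### particular hook script. The [default] section defines environment
+### variables for all hook scripts, unless overridden by a hook-specific
+### section.
+
+### This example configures a UTF-8 locale for all hook scripts, so that
+### special characters, such as umlauts, may be printed to stderr.
+### If UTF-8 is used with a mod_dav_svn server, the SVNUseUTF8 option must
+### also be set to 'yes' in httpd.conf.
+### With svnserve, the LANG environment variable of the svnserve process
+### must be set to the same value as given here.
+[default]
+LANG = en_US.UTF-8
+
+### This sets the PATH environment variable for the pre-commit hook.
+[pre-commit]
+PATH = /usr/local/bin:/usr/bin:/usr/sbin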
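--- a/test/repos/simple-ext.svn/conf/passwd
+++ b/test/repos/simple-ext.svn/conf/passwd
@@ -0,0 +1,8 @@
+### This file is an example password file for svnserve.
+### Its format is similar to that of svnserve.conf. As shown in the
+### example below it contains one section labelled [users].
+### The name and password for each user follow, one account per line.
+
+[users]
+# harry = harryssecret
+# sally = sallyssecret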
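--- a/test/repos/simple-ext.svn/conf/svnserve.conf
+++ b/test/repos/simple-ext.svn/conf/svnserve.conf
@@ -0,0 +1,81 @@
+### This file controls the configuration of the svnserve daemon, if you
+### use it to allow access to this repository. (If you only allow
+### access through http: and/or file: URLs, then this file is
+### irrelevant.)
+
+### Visit http://subversion.apache.org/ for more information.
+
+[general]
+### The anon-access and auth-access options control access to the
+### repository for unauthenticated (a.k.a. anonymous) users and
+### authenticated users, respectively.
+### Valid values are "write", "read", and "none".
+### Setting the value to "none" prohibits both reading and writing;
+### "read" allows read-only access, and "write" allows complete
+### read/write access to the repository.
+### The sample settings below are the defaults and specify that anonymous
+### users have read-only access to the repository, while authenticated
+### users have read and write access to the repository.
+# anon-access = read
+# auth-access = write
+### The password-db option controls the location of the password
+### database file. Unless you specify a path starting with a /,
+### the file's location is relative to the directory containing
+### this configuration file.
+### If SASL is enabled (see below), this file will NOT be used.
+### Uncomment the line below to use the default password file.
+# password-db = passwd
+### The authz-db option controls the location of the authorization
+### rules for path-based access control. Unless you specify a path
+### starting with a /, the file's location is relative to the
+### directory containing this file. The specified path may be a
+### repository relative URL (^/) or an absolute file:// URL to a text
+### file in a Subversion repository. If you don't specify an authz-db,
+### no path-based access control is done.
+### Uncomment the line below to use the default authorization file.
+# authz-db = authz
+### The groups-db option controls the location of the file with the
+### group definitions and allows maintaining groups separately from the
+### authorization rules. The groups-db file is of the same format as the
+### authz-db file and should contain a single [groups] section with the
+### group definitions. If the option is enabled, the authz-db file cannot
+### contain a [groups] section. Unless you specify a path starting with
+### a /, the file's location is relative to the directory containing this
+### file. The specified path may be a repository relative URL (^/) or an
+### absolute file:// URL to a text file in a Subversion repository.
+### This option is not being used by default.
+# groups-db = groups
+### This option specifies the authentication realm of the repository.
+### If two repositories have the same authentication realm, they should
+### have the same password database, and vice versa. The default realm
+### is repository's uuid.
+# realm = My First Repository
+### The force-username-case option causes svnserve to case-normalize
+### usernames before comparing them against the authorization rules in the
+### authz-db file configured above. Valid values are "upper" (to upper-
+### case the usernames), "lower" (to lowercase the usernames), and
+### "none" (to compare usernames as-is without case conversion, which
+### is the default behavior).
+# force-username-case = none
+### The hooks-env options specifies a path to the hook script environment
+### configuration file. This option overrides the per-repository default
+### and can be used to configure the hook script environment for multiple
+### repositories in a single file, if an absolute path is specified.
+### Unless you specify an absolute path, the file's location is relative
+### to the directory containing this file.
+# hooks-env = hooks-env
+
+[sasl]
+### This option specifies whether you want to use the Cyrus SASL
+### library for authentication. Default is false.
+### Enabling this option requires svnserve to have been built with Cyrus
+### SASL support; to check, run 'svnserve --version' and look for a line
+### reading 'Cyrus SASL authentication is available.'
+# use-sasl = true
+### These options specify the desired strength of the security layer
+### that you want SASL to provide. 0 means no encryption, 1 means
+### integrity-checking only, values larger than 1 are correlated
+### to the effective key length for encryption (e.g. 128 means 128-bit
+### encryption). The values below are the defaults.
+# min-encryption = 0
+# max-encryption = 256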
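--- a/test/repos/simple-ext.svn/db/current
+++ b/test/repos/simple-ext.svn/db/current
@@ -0,0 +1 @@
+3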
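--- a/test/repos/simple-ext.svn/db/format
+++ b/test/repos/simple-ext.svn/db/format
@@ -0,0 +1,3 @@
+8
+layout sharded 1000
+addressing logical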
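--- a/test/repos/simple-ext.svn/db/fs-type
+++ b/test/repos/simple-ext.svn/db/fs-type
@@ -0,0 +1 @@
+fsfs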