From d7686f68c0cac4381711ee8cf2784f1a617f6e9e Mon Sep 17 00:00:00 2001
From: Mercier Pierre-Olivier
Date: Sat, 28 Sep 2013 11:15:31 +0200
Subject: [PATCH] Check IP in gl-pre-git hook
---
 commands/first-install.sh | 2 +-
 hooks/gl-pre-git | 38 ++++++++++++++++
 hooks/submissions.pl | 96 ++++++++++++++++-----------------
 3 files changed, 77 insertions(+), 59 deletions(-)
 create mode 100755 hooks/gl-pre-git
diff --git a/commands/first-install.sh b/commands/first-install.sh
index 9a3d158..706e3e1 100755
--- a/commands/first-install.sh
+++ b/commands/first-install.sh
@@ -18,7 +18,7 @@ then
 fi
 done
-elif [ "$KERNEL" = "Linux"]
+elif [ "$KERNEL" = "Linux" ]
 then
 if [ -f "/etc/debian_version" ]
diff --git a/hooks/gl-pre-git b/hooks/gl-pre-git
new file mode 100755
index 0000000..97946b3
--- /dev/null
+++ b/hooks/gl-pre-git
@@ -0,0 +1,38 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use v5.10;
+use File::Basename;
+use Net::IP;
+
+use ACU::Log;
+$ACU::Log::log_file = "/var/log/hooks/" . basename($0) . ".log";
+
+# First, check if the repository is in the YYYY/ directory
+exit 0 if ($ENV{GL_REPO} !~ /^2[0-9]{3}\/.+\/.+/);
+
+
+my $ip = $1 if ($ENV{'SSH_CLIENT'} =~ m/([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/);
+say "Votre IP est : $ip.";
+
+$ip = Net::IP->new($ip) or die ("IP invalide");
+
+my $schoolnetwork = Net::IP->new('192.168.0.0/16');
+
+if ($ip->overlaps($schoolnetwork) != $IP_A_IN_B_OVERLAP)
+{
+ log ERROR, "Vous n'êtes pas autorisé à envoyer vos modifications depuis cette IP.";
+ exit 1;
+}
+
+my $sshnetwork = Net::IP->new('10.41.253.0/24');
+
+if ($ip->overlaps($sshnetwork) == $IP_A_IN_B_OVERLAP)
+{
+ log ERROR, "Vous n'êtes pas autorisé à envoyer vos modifications depuis cette IP.";
+ exit 1;
+}
+
+
+exit 0;
diff --git a/hooks/submissions.pl b/hooks/submissions.pl
index b51e278..3032555 100755
--- a/hooks/submissions.pl
+++ b/hooks/submissions.pl
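Review bot: The two range checks in the new gl-pre-git hook cannot both be meaningful: once the first one has rejected every address outside `192.168.0.0/16`, the second test against `10.41.253.0/24` can never match and is dead code, whereas the check this commit removes from submissions.pl allowed `10.41.0.0/16` minus `10.41.253.0/24`. One of the prefixes looks like a slip; if the old policy is the intended one, `my $schoolnetwork = Net::IP->new('10.41.0.0/16');` restores it, and if 192.168/16 is right the second block should be deleted rather than left as a decoy. Note also that the hook now runs before every git command on a `YYYY/…/…` repository, not only on tag pushes as before; if gitolite passes the access mode (R/W) to gl-pre-git, as I believe it does, read-only operations from outside the network are now blocked too unless that argument is checked. Minor: `my $ip = $1 if (...)` is a declaration under a statement modifier, which perlsyn documents as undefined behaviour; `my ($ip) = $ENV{'SSH_CLIENT'} =~ m/.../;` leaves `$ip` reliably undef (and so reaches the `die`) when SSH_CLIENT is unset or holds an IPv6 address.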
@@ -3,8 +3,10 @@
 use strict;
 use warnings;
 use v5.10;
-use Date::Manip;
+use DateTime::Format::ISO8601;
 use File::Basename;
+use Net::IP;
+use POSIX qw(strftime);
 use Socket;
 use ACU::API::Projects;
@@ -28,29 +30,6 @@ if ($ref =~ m<^refs/tags/(.+)$>)
 my $tag = $1;
 log DEBUG, "Pushed tag for repository $ENV{GL_REPO}: $tag with IP $ENV{'SSH_CLIENT'}";
- my $ip = $1 if ($ENV{'SSH_CLIENT'} =~ m/([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/);
- say "[ACU] Your IP is: $ip.";
-
- $ip = ip2long($ip);
-
- my $net = ip2long("10.41.0.0");
- my $mask = ip2long("255.255.0.0");
-
- if (($ip & $mask) != ($net & $mask))
- {
- log ERROR, "[ACU] You are not authorized to push from this IP. This will be reported.";
- exit 1;
- }
-
- $net = ip2long("10.41.253.0");
- $mask = ip2long("255.255.255.0");
-
- if (($ip & $mask) == ($net & $mask))
- {
- log ERROR, "[ACU] You are not authorized to push from this IP. This will be reported.";
- exit 1;
- }
-
 # Get project informations
 my $project;
 eval {
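Review bot: `use Net::IP;` and `use POSIX qw(strftime);` are added but nothing in the visible hunks uses either — the address check moved to the new gl-pre-git hook, and every `strftime` in this patch is the `DateTime` method, not POSIX's function, so importing the latter into the package only invites confusion between the two. Dropping both lines keeps the dependency list honest; `use Socket;` likewise looks unused once `ip2long`/`long2ip` are gone, though `use` lines or code past these hunks may still rely on it.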
@@ -71,64 +50,65 @@ if ($ref =~ m<^refs/tags/(.+)$>)
 exists $_->{vcs} and $_->{vcs}{tag} eq $tag;
 } @{ $project->{submissions} };
- my $date = $ENV{'GL_TS'};
- $date =~ s/\./ /;
- my $glts = ParseDate($date);
+ my $glts = DateTime::Format::ISO8601->parse_datetime(
+ do {
+ my $t = $ENV{'GL_TS'};
+ $t =~ tr/./T/;
+ $t
+ });
 chomp (my $tokengiven = `git cat-file tag $newsha 2> /dev/null | sed -e '1,/^\$/d'`);
 for my $rendu (@rendus) {
- my $open = ParseDate($rendu->{period}{begin});
- my $close = ParseDate($rendu->{period}{end});
+ my $open = DateTime::Format::ISO8601->parse_datetime($rendu->{period}{begin});
+ my $close = DateTime::Format::ISO8601->parse_datetime($rendu->{period}{end});
 # TODO: check exceptions by login/group
- say "[ACU] Date courante: ", $glts;
- say "[ACU] Date fermeture: ", $close;
+ say "Date courante : ", $glts->strftime("%d/%m/%Y %H:%M:%S");
- if ((Date_Cmp($glts, $open) == -1))
+ if (DateTime->compare($glts, $open) == -1)
 {
- say "[ACU] Tag not allowed: upload not yet opened!";
+ say "Date d'ouverture : ", $open->strftime("%d/%m/%Y %H:%M:%S");
+ log ERROR, "Tag rejeté : le rendu n'est pas encore ouvert.";
 exit(4);
 }
- if ((Date_Cmp($glts, $close) == 1))
+ say "Date de fermeture : ", $close->strftime("%d/%m/%Y %H:%M:%S");
+
+ if (DateTime->compare($glts, $close) == 1)
 {
- say "[ACU] Tag not allowed: upload closed!";
+ log ERROR, "Tag rejeté : le rendu est clos.";
 exit(5);
 }
 my $token = $rendu->{vcs}{token};
- if ($token ne "" and $token ne $tokengiven)
+ if ($token ne "" and $token ne $tokengiven and $newsha ne '0' x 40)
 {
- say "[ACU] Error 0x65cd58: Bad token.";
+ log ERROR, "Tag rejeté : mauvais token.";
 exit(6);
 }
 }
- # Send data to API
- my $last_commit = `git log -1 --name-status`;
- eval {
- API::Submission::add($promo, $id_project, $tag, $repo_login, $last_commit);
- };
- if ($@) {
- my $err = $@;
- log DEBUG, "ERROR: ".$err;
- log DONE, "[ACU] Upload successful";
+ if ($newsha eq '0' x 40) {
+ log USAGE, "Mais pour quelle raison 
voudriez-vous supprimer un tag ?!";
 }
- else {
- log DONE, "[ACU] Upload successful, please check this information on the intranet";
+ else
+ {
+ # Send data to API
+ my $last_commit = `git log $newsha -1 --decorate --tags`;
+ eval {
+ API::Submission::add($promo, $id_project, $tag, $repo_login, $last_commit);
+ };
+ if ($@) {
+ my $err = $@;
+ log DEBUG, "ERROR: ".$err;
+ log DONE, "Tag '$tag' effectué avec succès !";
+ }
+ else {
+ log DONE, "Tag '$tag' effectué avec succès ! Vérifiez-le sur l'intranet.";
+ }
 }
 }
 exit 0;
-
-sub ip2long
-{
- return unpack("l*", pack("l*", unpack("N*", inet_aton(shift))));
-}
-
-sub long2ip
-{
- return inet_ntoa(pack("N*", shift));
-}
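Review bot: The new `$newsha eq '0' x 40` branch lets a tag deletion through: it is exempted from the token check in the loop above, logs a USAGE message and falls to the trailing `exit 0`, and nothing tells the API that the submission it recorded now points at a tag that no longer exists (deletion is refused only incidentally, by the date checks, once the period is closed). If deletions are meant to be accepted, say so in a comment next to the branch; otherwise reject them like the other paths, e.g. `log ERROR, "Tag rejeté : suppression interdite."; exit(7);`. The new command `git log $newsha -1 --decorate --tags` interpolates `$newsha` into a shell; it presumably comes from the update hook's arguments and is a hex SHA, but a list-form pipe open (`open my $fh, '-|', 'git', 'log', $newsha, '-1', '--decorate', '--tags'`) removes the dependence on that, and the same applies to the `git cat-file` context line. The enclosing `if ($ref =~ m<^refs/tags/(.+)$>)` block and the definitions of `$newsha`, `$promo`, `$id_project` and `$repo_login` start outside the hunk.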