Reject a push based on committer name
I've recently set up a Mercurial repository. All pushing is done via ssh. Currently only users with an LDAP account can push changes to the repository. However, when committing to a local repository, any committer name can be used via --user, so it is possible to have a situation where a committer name does not match the LDAP account name. I want to avoid this.
What would be the best way to ensure this does not happen? Would a hook be the best way to deal with this problem? I would not want this to be a local hook, but a hook that would live on the same machine as the repository. It would need to check whether a committer name matches the LDAP account on the event of a push, and if it doesn't, send an appropriate error message back.
Does this seem like a sensible way to proceed or am I going about the problem in the wrong way?
If you just want to check that the username is correct, it should be possible when using Mercurial Server because every push is authenticated with a user's ssh key and you will find the key name in the $REMOTE_USER environment variable, so a hook of type pretxncommit (i.e., after changes have been applied) can check that the author name and the key name match and then can reject and roll back the commit if it doesn't.
E.g., if you have the convention of having all the keys stored in paths like:
coders/"name"_rsa.pub
then this code should do the check:
However, there might be a problem when a user has just pulled changes from another repository (i.e., commits that were made by other people) and pushes them to your repository with his/her key. Then the hook will reject them even if the usernames were correct in the first commits. With hg, we can forward changesets between repositories even with a list of various usernames. But if this is not a case you will encounter, then you might try this.
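One way to implement the check described in this answer, as an added example that is not the answer author's code: a server-side in-process hook that compares each incoming changeset's committer with the key name in `$REMOTE_USER`. It assumes the `coders/<name>_rsa.pub` convention above, assumes the login is the local part of the committer's e-mail address (or the whole user field if there is none), and is written for Mercurial's `pretxnchangegroup` hook, the one that fires on the server for an incoming push; all function names are hypothetical.

```python
import os
import re

# Key naming convention assumed from the answer: coders/<name>_rsa.pub
KEY_RE = re.compile(r"^coders/([A-Za-z0-9._-]+)_rsa\.pub$")


def _text(value):
    """Mercurial hands hooks bytes; normalise to str for comparison."""
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value


def key_owner(remote_user):
    """Return <name> from the key path, or None if it does not fit the convention."""
    m = KEY_RE.match(_text(remote_user or ""))
    return m.group(1).lower() if m else None


def commit_login(user):
    """Assumption: the login is the e-mail local part, else the whole user field."""
    user = _text(user)
    m = re.search(r"<([^<>@\s]+)@[^<>]*>", user)
    return (m.group(1) if m else user).strip().lower()


def mismatches(owner, changesets):
    """Return the (hash, user) pairs whose committer is not the key owner."""
    return [(h, u) for h, u in changesets if commit_login(u) != owner]


def hook(ui, repo, node=None, **kwargs):
    """In-process pretxnchangegroup hook: a true return value aborts the push."""
    owner = key_owner(os.environ.get("REMOTE_USER"))
    if owner is None:
        ui.warn(b"push rejected: key name does not follow coders/<name>_rsa.pub\n")
        return True
    # node is the first incoming changeset; everything up to tip is part of the push.
    incoming = [repo[r] for r in range(repo[node].rev(), len(repo))]
    bad = mismatches(owner, [(_text(c.hex())[:12], _text(c.user())) for c in incoming])
    for short_hash, user in bad:
        msg = "push rejected: %s committed as '%s', pushed with key of '%s'\n"
        ui.warn((msg % (short_hash, user, owner)).encode("utf-8"))
    return bool(bad)
```

It would be enabled in the server repository's hgrc under `[hooks]` with a line such as `pretxnchangegroup.committer = python:/path/to/hookfile.py:hook` (placeholder path). As the answer warns, a push that forwards other people's changesets is rejected by this strict comparison.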