Global pre-receive hook executes WASM module to determine if incoming push should be accepted
The global pre-receive hook introduced in 1dbf56c8f680e7d537ff6afe3a81e30c74821720 now executes a WebAssembly module to decide if incoming references should be accepted or not.

This is done through a new command: tuleap git:pre-receive.
This command searches for a WASM module in /var/lib/tuleap/untrusted-code/git/pre-receive-hook/<repo-id>.wasm

- If a module is present, it is executed with the incoming git object references
  * If the push should be accepted our command expects the following JSON output from the module:
    {"rejection_message": null}
  * If the push should be rejected:
    {"rejection_message": "some string explaining why this should be rejected"}
- If there's no WASM module configured for the repository where the push is happening, the command automatically accepts the push.
- If the feature flag is not set the command automatically accepts the push.

How to test:

- make bash-web
- tuleap config-set feature_flag_enable_pre_receive_command 1 (set the feature flag)
- The unit tests should pass (make tests-unit-php)
- cp plugins/git/etc/sudoers.d/tuleap-git-prereceive /etc/sudoers.d/
- tuleap-cfg site-deploy:gitolite3-hooks
- You should see the following message if the symlinks do not exist:
    [info] Creating post-receive hook symlink at /var/lib/gitolite/.gitolite/hooks/common/post-receive
    [info] Creating pre-receive hook symlink at /var/lib/gitolite/.gitolite/hooks/common/pre-receive
    [info] Executing gitolite setup --hooks-only
- Find your testing repository ID
- Place a valid WASM module in /var/lib/tuleap/untrusted-code/git/pre-receive-hook/<repo-id>.wasm (If you don't want to write your own, you can use https://gerrit.tuleap.net/plugins/gitiles/tuleap/+/refs/changes/75/27375/12/src/additional-packages/pre-receive-hook-example)
- When you push something in your git repository check that the behaviour conforms to your WASM module
- You should see a new entry in /var/log/tuleap/git_syslog, it should be of the form
    [debug] [pre-receive] Monitoring updated refs for: <your_repo_path>
    [debug] [pre-receive-wasm] <repository_path> <user_name> <old_rev> <new_rev> <refname>

Part of story #31077 deploy a WebAssembly module to validate incoming references as a pre-receive hook

Change-Id: Ib2b1b3c9aee2e8ef7084344f35426351396c44b0
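The accept/reject contract from the commit message above, sketched as an added example that is not part of the commit or of Tuleap's code. The function name `decidePush` is hypothetical, and rejecting on malformed or unexpected module output is an assumption: the commit message only specifies the two well-formed JSON answers and the two automatic-accept cases.

```php
<?php
declare(strict_types=1);

// Added illustration, not Tuleap's PreReceiveAction. decidePush() is a
// hypothetical name. Returns null to accept the push, or the rejection text.
function decidePush(bool $flagEnabled, ?string $moduleOutput): ?string
{
    // Feature flag unset, or no <repo-id>.wasm for this repository
    // ($moduleOutput === null): the commit message says the push is accepted.
    if (! $flagEnabled || $moduleOutput === null) {
        return null;
    }
    try {
        $decoded = json_decode($moduleOutput, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        // Assumption: output that is not valid JSON fails closed.
        return 'pre-receive module returned invalid JSON';
    }
    // array_key_exists(), not isset(): isset() is false when the value is
    // null, which is exactly the "accept" answer.
    if (! is_array($decoded) || ! array_key_exists('rejection_message', $decoded)) {
        return 'pre-receive module output lacks rejection_message';
    }
    $message = $decoded['rejection_message'];
    if ($message === null) {
        return null;
    }
    if (! is_string($message)) {
        return 'pre-receive module returned a non-string rejection_message';
    }
    // The text comes from untrusted code and is shown to the pusher: drop
    // control characters so it cannot carry terminal escape sequences.
    return preg_replace('/[\x00-\x1F\x7F]/', '', $message) ?? 'push rejected';
}

// Constructed module outputs, one per case.
$samples = [
    '{"rejection_message": null}',
    '{"rejection_message": "refs/heads/main is protected"}',
    '{"rejected": false}',
    'not json',
];
foreach ($samples as $output) {
    $decision = decidePush(true, $output);
    echo $output, ' => ', $decision === null ? 'accept' : "reject: $decision", PHP_EOL;
}
```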
Modified Files
Status | Name | Added | Removed |
---|---|---|---|
M | plugins/git/db/uninstall.sql | +1 | −1 |
M | plugins/git/etc/sudoers.d/tuleap-git-prereceive | +1 | −1 |
M | plugins/git/hooks/pre-receive | +3 | −1 |
D | plugins/git/hooks/pre-receive.php | +0 | −51 |
A | plugins/git/include/Hook/PreReceive/PreReceiveAction.php | +121 | −0 |
D | plugins/git/include/Hook/PreReceive/PreReceiveAnalyzeAction.php | +0 | −72 |
D | plugins/git/include/Hook/PreReceive/PreReceiveAnalyzeCommand.php | +0 | −85 |
D | plugins/git/include/Hook/PreReceive/PreReceiveCannotRetrieveReferenceException.php | +0 | −29 |
A | plugins/git/include/Hook/PreReceive/PreReceiveCommand.php | +70 | −0 |
M | plugins/git/include/Hook/PreReceive/PreReceiveHookData.php | +34 | −7 |
M | plugins/git/include/gitPlugin.php | +20 | −15 |
A | plugins/git/tests/unit/Hook/PreReceive/PreReceiveActionTest.php | +198 | −0 |
D | plugins/git/tests/unit/Hook/PreReceive/PreReceiveAnalyzeActionTest.php | +0 | −121 |
A | plugins/git/tests/unit/Hook/PreReceive/PreReceiveHookDataTest.php | +49 | −0 |
R | plugins/git/include/Hook/PreReceive/PreReceiveWasmNotFoundException.php | | |
M | src/common/WebAssembly/FFIWASMCaller.php | +4 | −2 |
M | src/common/WebAssembly/WASMCaller.php | +6 | −1 |