story #31077 deploy a WebAssembly module to validate incoming references as a pre-receive hook
Summary
Git administrator
deploy a WebAssembly module to validate incoming references as a pre-receive hook

new references pushed to a git repository can be validated on the spot by custom code (in the form of a WebAssembly module)

This is the continuation of story #28845. It consists of doing the same actions as the tuleap git:pre-receive-analyze command, but instead of performing the reference analysis retroactively, doing it right away when new references are pushed, like a Git pre-receive hook.

  • a git pre-receive hook installed on every git repository is in charge of calling PHP code to check whether a WASM module is set up for the repository where a push is happening; if that is the case, it executes the WASM module
  • when a WASM module is executed, it either exits without any output and with exit code 0 if everything is as expected, or with a message and exit code 1 if the objects should be rejected
  • if no module is set up for a repository, the pre-receive hook systematically returns 0 to accept the incoming changes
  • there is no way to upload a WASM module at this time; the files must be put at a specific path on the filesystem (/var/lib/tuleap/untrusted-code/git/pre-receive-hook/<repo-id>.wasm)
  • when all of the above is functional, the tuleap git:pre-receive-analyze command is removed, as this feature supersedes it
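
The hook-side decision flow from the list above, sketched in shell as an added example (this is not Tuleap's code, which goes through PHP and a Wasmtime wrapper). Assumptions: the runner command is a hypothetical placeholder, repository ids are numeric, the push data is passed to the module on stdin unchanged, and exit codes other than 0 and 1 are rejected.

```shell
#!/bin/sh
# Added sketch of the hook-side decision flow; not Tuleap's implementation.
# Directory taken from the story; override MODULE_DIR for local testing.
MODULE_DIR="${MODULE_DIR:-/var/lib/tuleap/untrusted-code/git/pre-receive-hook}"

# pre_receive_decide <repo-id> <runner> [runner-args...]
#   stdin : "<old-sha> <new-sha> <refname>" lines, as git feeds a pre-receive hook
#   runner: hypothetical command that executes the module given as its last
#           argument, with the push data on stdin (assumption)
#   return: 0 = accept the push, 1 = reject it
pre_receive_decide() {
    repo_id="$1"
    shift
    # The id becomes part of a filesystem path: accept digits only
    # (assumption: repository ids are numeric).
    case "$repo_id" in
        '' | *[!0-9]*)
            echo "invalid repository id" >&2
            return 1
            ;;
    esac
    module="$MODULE_DIR/$repo_id.wasm"

    # No module set up for this repository: accept the incoming changes.
    if [ ! -f "$module" ]; then
        return 0
    fi

    # Run the module; capture its message and exit code without tripping `set -e`.
    output=$("$@" "$module") && status=0 || status=$?

    # Exit code 0: everything is as expected.
    if [ "$status" -eq 0 ]; then
        return 0
    fi

    # Exit code 1 plus a message: relay the message to the pusher and reject.
    if [ -n "$output" ]; then
        printf '%s\n' "$output" >&2
    fi
    # Any other code (trap, crash) is not covered by the story; this sketch
    # fails closed and rejects (assumption).
    if [ "$status" -ne 1 ]; then
        echo "validation module failed with exit code $status" >&2
    fi
    return 1
}
```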
Status
SCM/Git
Done
Development
  • [ ] Does it involve User Interface?
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Details
#31077
Thomas Piras (tpiras)
2023-06-14 14:47
2023-02-17 10:22
32682

References
Referencing story #31077

Git commit

tuleap/tuleap/stable

Centralize gitolite hooks deployment inside site-deploy:gitolite3-hooks cmd c44db8d8b0
Fix deployment of the gitolite post-receive hook 5a410e1934
Deploy a new pre-receive hook inside every git repository 1dbf56c8f6
Package the Wasmtime lib wrapper b95fbd0a4c
Global pre-receive hook executes WASM module to determine if incoming push should be accepted a5d8e55aeb
Separate concerns between what is related to the WASM call and the pre-receive logic daec7b0c51
Disable Wasmtime features not needed in Tuleap context aaf2b263d6
Add Clippy to wasmtime-wrapper-lib packaging process ac60ae3993
Add logging and monitoring for git:pre-receive b93c8c68a1
Add logging and monitoring for git:pre-receive 72a861e347
Fix gitolite-admin repository being impacted by our pre-receive hook 7d0d135812
Do not filter protected git references 8a50dbb333
Preload FFI bindings during startup 8336544ba8
Use a temporary dir with a fallback to /tmp when checking preload file b3bc86e4be
Reverse the feature flag for the git:pre-receive command 0371fc7799

Follow-ups

Thomas Gerbet (tgerbet) 2023-06-14 14:47

Closing this as all the points listed in the acceptance criteria have been dealt with. A new user story can be created to add the ability the repositories content in read only.


  • Status changed from On going to Done