Commit Stop allows the management of push permissions for source code repositories. It integrates with both Git and CVS. Other source code repositories may be integrated via custom hooks based on Commit Stop's REST service.
Commit Stop is commonly used to prevent pushes (commits) to sensitive branches, unless there is a good reason for it. It allows the definition of permission rules via a simple website. Those rules may check for the name of the repository, branch, user, group and the content of the commit message.
The configuration of Commit Stop is done via a simple text configuration, accessable on the website. All changes are logged and an old configuration can be restored easily.
Rules are processed from top to bottom. Processing is stopped at the first matching rule. The first token specifies whether access is granted (+) or denied (+). The next tokens are regular expressions matching the repository name, branch name, user name, group (e. g. for LDAP based Git authentication) and commit comment.
An optional message may be returned to the git/cvs client by defining it after the special delimiter |<|.
If no rule matches, access is denied. Therefore the following example has a catchall rule at the end to allow access.
# Repository Branch User Group Comment Optional message # -------------------------------------------------------------------------------------------------------- # This repository shall be ignored by restrictions defined below + cs.sys.externalapps.browser .* .* .* .* # Allow access to user abc on repository webapps, branch VERSION_2017_06 + webapps VERSION_2017_06 abc .* .* # Disallow commits on branch VERSION_2017_06 of several repositories - cs.*|cm.*|rt.*|rm.*|webapps VERSION_2017_06 .* .* .* |<| quality assurance phase # Fall through rule to allow access + .* .* .* .* .*
The server component of Commit Stop is implemented as Postsai extension. Therefore you need a working Postsai installation to begin with.
./install.py in the Postsai root folder to update the database.
config.py in the Postsai root folder to configure management permissions.
A simple configuration allows submission of commitstop configurations to any user authenticated by the webserver:
# checks the permission to submit a new commit stop configuration
# (edit according to your needs)
def repository_status_permission():
return "REMOTE_USER" in os.environ
You can check other environment variables instead, for example the result from a webserver's LDAP authorization module. Or just hard code a list of trusted usernames.
In order to prevent pushes to a Git repository in accordance with the rules defined in Commit Stop, a Git hook is needed.
Please copy the file hooks/checkcommitstop.py to your Git server as update hook and make sure it is executable (chmod +x).
Alternatively, if you are using Gitolite, the script should be executed as VREF instead: Please copy hooks/checkcommitstop.py to /usr/share/gitolite3/VREF/ and make sure it is executable (chmod +x).
The configuration is done as usual via gitolite.conf. For example:
repo @all
option ENV.checkcommitstopurl = https://example.com/postsai/extensions/commitstop/api.py
- VREF/checkcommitstop = @all
Commit Stop makes use of a CVS verifymsg hook in order to enforce the defined rules.
Please edit CVSROOT/verifymsg to add the following line with an appropriate repository name and server url:
.* /usr/local/bin/verifymsg.py --repository=nameofrepo
--url=https://example.com/postsai/extensions/commitstop/api.py --msgfile=%l
Please note: verifymsg does only execute the first line that matches the module name. You cannot define multiple verifymsg hook without using a shell script as multiplexer.
The endpoint for Commit Stop's REST service is https://[server]/postsai/extensions/commitstop/api.py.
The following URL-parameters are understood: repository, branch, user, group amd commitmsg.
Commit Stop uses normal HTTP status code to communicate whether the actions is allowed or not: 200 means permisison is granted and 403 means that permission was denied. The body of the HTTP response may contain an explanation as plain text.