| 1 | +#!/usr/bin/env bash |
| 2 | +# |
| 3 | +# Pre-receive hook that will reject all pushes where author or committer are not the current user. |
| 4 | +# |
| 5 | +# Pre-requisites for the users. |
| 6 | +# They must have: |
| 7 | +# * git config --global user.email set to an email address |
| 8 | +# * That email address must be set as a public email address in GitHub Enterprise |
| 9 | +# * git config --global user.name must be set to GitHub Enterprise login name |
| 10 | + |
| 11 | +# If we are on the GitHub Web interface then we don't need to bother to validate the commit user |
| 12 | +if [[ "${GITHUB_VIA}" == "pull request merge button" ]] || \ |
| 13 | + [[ "${GITHUB_VIA}" == "blob edit" ]]; then |
| 14 | + exit 0 |
| 15 | +fi |
| 16 | + |
| 17 | +# Set up a user token (attached to a non expiring account) that can just read public email addresses. |
| 18 | +TOKEN=USER:TOKEN |
| 19 | + |
| 20 | +# We set the address of the GHE Instance here |
| 21 | +GHE_URL=https://GHE-INSTANCE |
| 22 | + |
| 23 | +GITHUB_USER_EMAIL=`curl -s -k -u ${TOKEN} ${GHE URL}/api/v3/users/${GITHUB_USER_LOGIN} | grep email | sed 's/ \"email\"\: \"//' | sed 's/\",//'` |
| 24 | + |
| 25 | +if echo "${GITHUB_USER_EMAIL}" | grep "null," |
| 26 | +then |
| 27 | + echo -e "ERROR: User does not have public email address set in GitHub Enterprise." |
| 28 | + echo "Please set public email address at {GHE_URL}/settings/profile." |
| 29 | + exit 1 |
| 30 | +fi |
| 31 | + |
| 32 | +zero_commit="0000000000000000000000000000000000000000" |
| 33 | + |
| 34 | +# Do not traverse over commits that are already in the repository |
| 35 | +# (e.g. in a different branch) |
| 36 | +# This prevents funny errors if pre-receive hooks got enabled after some |
| 37 | +# commits got already in and then somebody tries to create a new branch |
| 38 | +# If this is unwanted behavior, just set the variable to empty |
| 39 | + |
| 40 | +excludeExisting="--not --all" |
| 41 | + |
| 42 | +while read oldrev newrev refname; do |
| 43 | + # branch or tag get deleted |
| 44 | + if [ "$newrev" = "$zero_commit" ]; then |
| 45 | + continue |
| 46 | + fi |
| 47 | + |
| 48 | + # Check for new branch or tag |
| 49 | + if [ "$oldrev" = "$zero_commit" ]; then |
| 50 | + span=`git rev-list $newrev $excludeExisting` |
| 51 | + else |
| 52 | + span=`git rev-list $oldrev..$newrev $excludeExisting` |
| 53 | + fi |
| 54 | + |
| 55 | + for COMMIT in $span; |
| 56 | + do |
| 57 | + AUTHOR_USER=`git log --format=%an -n 1 ${COMMIT}` |
| 58 | + AUTHOR_EMAIL=`git log --format=%ae -n 1 ${COMMIT}` |
| 59 | + COMMIT_USER=`git log --format=%cn -n 1 ${COMMIT}` |
| 60 | + COMMIT_EMAIL=`git log --format=%ce -n 1 ${COMMIT}` |
| 61 | + |
| 62 | + if [[ ${AUTHOR_USER} != ${GITHUB_USER_LOGIN} ]]; then |
| 63 | + echo -e "ERROR: Commit author (${AUTHOR_USER}) does not match the current GitHub Enterprise user (${GITHUB_USER_LOGIN})" |
| 64 | + exit 20 |
| 65 | + fi |
| 66 | + |
| 67 | + if [[ ${COMMIT_USER} != ${GITHUB_USER_LOGIN} ]]; then |
| 68 | + echo -e "ERROR: Commit User (${COMMIT_USER}) does not match the current GitHub Enterprise user (${GITHUB_USER_LOGIN})" |
| 69 | + exit 30 |
| 70 | + fi |
| 71 | + |
| 72 | + if [[ ${AUTHOR_EMAIL} != ${GITHUB_USER_EMAIL} ]]; then |
| 73 | + echo -e "ERROR: Commit author's email (${AUTHOR_EMAIL}) does not match the current GitHub Enterprise user's email (${GITHUB_USER_EMAIL})" |
| 74 | + exit 40 |
| 75 | + fi |
| 76 | + |
| 77 | + if [[ ${COMMIT_EMAIL} != ${GITHUB_USER_EMAIL} ]]; then |
| 78 | + echo -e "ERROR: Commit user's email (${COMMIT_EMAIL}) does not match the current GitHub Enterprise user's email (${GITHUB_USER_EMAIL})" |
| 79 | + exit 50 |
| 80 | + fi |
| 81 | + done |
| 82 | +done |
| 83 | + |
| 84 | +exit 0 |
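Review bot: The `${GHE URL}` in the curl command (a space where the underscore belongs) is a bad substitution under bash, so curl never runs, `GITHUB_USER_EMAIL` is left empty, the `grep "null,"` test cannot fire, and every push is then rejected by the author-email comparison with exit 40; the `{GHE_URL}` in the "Please set public email address" message is missing its `$` as well. The same curl call passes `-k`, so the lookup that decides whether a push is trusted is made over a connection whose server certificate is never verified, and `-u ${TOKEN}` places the credential on a command line that any local user can read via `ps`. I would write the lookup as `GITHUB_USER_EMAIL=$(curl -sS --netrc-file "<NETRC-PATH-PLACEHOLDER>" "${GHE_URL}/api/v3/users/${GITHUB_USER_LOGIN}" | grep email | sed 's/ \"email\"\: \"//' | sed 's/\",//')` and follow it with `[[ -n "${GITHUB_USER_EMAIL}" ]] || { echo "ERROR: could not look up the public email for ${GITHUB_USER_LOGIN}" >&2; exit 1; }`, so that an API or network failure is reported as such instead of surfacing as a confusing author-mismatch rejection. The unquoted right-hand sides of the four `!=` tests inside `[[ ]]` are interpreted as glob patterns rather than literal strings, so they should be quoted (`[[ "${AUTHOR_USER}" != "${GITHUB_USER_LOGIN}" ]]`), and the ERROR messages belong on stderr (`>&2`) so the pusher sees them as hook diagnostics.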