#
#
# patch "README"
# from [c89ddcc4c84537e3e1143636bca5ccffb2a8ec18]
# to [dcd6c6a714b860fc00b6ffbc8999e49835ed91a4]
#
# patch "policy.lua"
# from [69469449c77c4ec97c050b841060390988eb0557]
# to [6ec7c72d22df7bba5f16cb5e23b0df129a73aa77]
#
# patch "update-policy.lua"
# from [537d7961b91e0aa5e9495894f2ae49e9b2b47f87]
# to [e1c5f50c73d03aa68006c0de1d36e88a9874770d]
#
# patch "update-policy.sh"
# from [0087dede16e0fcb24282fb693a06f85b12a8f0a9]
# to [3bd60f5af1f911bb9079f7aad067070ff5a43e47]
# ============================================================
--- README c89ddcc4c84537e3e1143636bca5ccffb2a8ec18
+++ README dcd6c6a714b860fc00b6ffbc8999e49835ed91a4
@@ -27,7 +27,7 @@ cache/all-policy-branches
 This contains a list of all used policy branches.
- self/
+ policy/
 A directory that looks exactly like a normal policy branch.
@@ -56,16 +56,16 @@ with policy branch "policy.branch", and keys "key1", "key2" will be allowed to commit revisions to "policy.branch".
- delegations.d/prefix/
- There is one directory like this for each prefix delegated to another
- policy branch.
-
- delegations.d/prefix/self/
+ delegations.d/checkouts/prefix/
 This is a checkout of the policy branch to which the prefix is delegated. It is NOT present in the policy branch itself, but is created and maintained on disk by the policy scripts.
- delegations.d/prefix/override-servers
- delegations.d/prefix/override-write-permissions
+ delegations.d/overrides/prefix/
+ There is one directory like this for each prefix delegated to another
+ policy branch.
+
+ delegations.d/overrides/prefix/override-servers
+ delegations.d/overrides/prefix/override-write-permissions
 This files (if present) allow the policy branch to ignore parts of the policy of the branches it delegates to.
============================================================
--- policy.lua 69469449c77c4ec97c050b841060390988eb0557
+++ policy.lua 6ec7c72d22df7bba5f16cb5e23b0df129a73aa77
@@ -161,10 +161,29 @@ function note_netsync_end(sid, status, b
 server_maybe_request_sync('')
 end
- -- Do we update the control checkout?
- local ctlbranch = trim(read_conffile("serverctl-branch"))
- if ctlbranch and sessions[sid].branches[ctlbranch] then
- execute(get_confdir() .. "/update-policy.sh", get_confdir())
+ -- Do we have policy branches to update?
+ local updated_a_policy = false
+ local updated_policies = '{'
+ local policies = conffile_iterator('policy/cache/all-policy-branches')
+ while policies ~= nil and policies:next() do
+ for local br, _ in pairs(sessions[sid].branches) do
+ if policies.line == br then
+ if updated_a_policy then
+ updated_policies = updated_policies .. ','
+ end
+ updated_policies = updated_policies .. br
+ updated_a_policy = true
+ end
+ end
 end
+ if policies ~= nil then
+ policies:close()
+ end
+ updated_policies = updated_policies .. '}'
+
+ if updated_a_policy then
+ execute(get_confdir() .. "/update-policy.sh", get_confdir(), updated_policies)
+ end
+
 sessions[sid] = nil
 end
============================================================
--- update-policy.lua 537d7961b91e0aa5e9495894f2ae49e9b2b47f87
+++ update-policy.lua e1c5f50c73d03aa68006c0de1d36e88a9874770d
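Review bot: `for local br, _ in pairs(sessions[sid].branches) do` is not valid Lua — the loop variables of a generic `for` are implicitly local and the extra keyword is a parse error, so the hook file cannot be loaded at all; it should read `for br, _ in pairs(sessions[sid].branches) do`. The nested scan also looks unnecessary: the removed code indexed `sessions[sid].branches[ctlbranch]` by name, so if that table is keyed by branch name a direct lookup on `policies.line` replaces the inner loop (rewrite below). Either way keep the match against `policy/cache/all-policy-branches`: it is what limits the names handed to update-policy.sh to known policy branches rather than every branch recorded for the session. note_netsync_end starts before this hunk, and `updated_policies` reaches the script as one `{a,b}` argument, which the shell side must keep treating as a single word.
```lua
while policies ~= nil and policies:next() do
   -- branches is indexed by name (see the removed ctlbranch lookup)
   if sessions[sid].branches[policies.line] then
      if updated_a_policy then
         updated_policies = updated_policies .. ','
      end
      updated_policies = updated_policies .. policies.line
      updated_a_policy = true
   end
end
-- … unchanged: policies:close(), the '}' terminator and the execute() call …
```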
@@ -1,23 +1,25 @@
 do
 -- hooks used when updating the policy branches
 -- looks at the DELEGATIONS and PREFIX env vars
 trusted_keys = {}
 do
- local delegations = read_basic_io_conffile(os.getenv('DELEGATIONS'))
 local prefix = os.getenv('PREFIX')
+ if prefix then
+ local delegations = read_basic_io_conffile(os.getenv('DELEGATIONS'))
- local myprefix = false
- for local _, item in pairs(delegations) do
- if item.name == 'delegate' then
- if item.values[1] == prefix then
- myprefix = true
- else
- myprefix = false
+ local myprefix = false
+ for local _, item in pairs(delegations) do
+ if item.name == 'delegate' then
+ if item.values[1] == prefix then
+ myprefix = true
+ else
+ myprefix = false
+ end
 end
+ if item.name = 'admin' and myprefix then
+ table.insert(trusted_keys, item.values[1])
+ end
 end
- if item.name = 'admin' and myprefix then
- table.insert(trusted_keys, item.values[1])
- end
 end
 end
============================================================
--- update-policy.sh 0087dede16e0fcb24282fb693a06f85b12a8f0a9
+++ update-policy.sh 3bd60f5af1f911bb9079f7aad067070ff5a43e47
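Review bot: Two syntax errors are carried over unchanged into the new `if prefix then` block: `for local _, item in pairs(delegations) do` (no `local` in a generic `for`) and `if item.name = 'admin' and myprefix then` (assignment where a comparison is needed); they should read `for _, item in pairs(delegations) do` and `if item.name == 'admin' and myprefix then`. This block is the only thing that fills `trusted_keys` from the delegations file, so until it parses the rcfile cannot load, and whether a policy update then runs with an empty trust list or stops depends on how mtn handles a failing --rcfile, which is not visible here. With the new guard, a `PREFIX` that is set while `DELEGATIONS` is unset now reaches `read_basic_io_conffile(nil)`; `if prefix and os.getenv('DELEGATIONS') then` would make that case explicit. The outer `do` opened on line 1 is not closed within the hunk.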
@@ -1,27 +1,50 @@
 #!/bin/sh
+update_policy_branch () {
+ export DELEGATIONS
+ export PREFIX
+ if [ -d $CODIR ]; then
+ BEFORE=$(cd $CODIR && mtn automate get_base_revision_id)
+ (cd $CODIR && mtn $CLIENTCONF update -b $1 --quiet)
+ AFTER=$(cd $CODIR && mtn automate get_base_revision_id)
+ if [ $BEFORE != $AFTER ]; then
+ echo $CODIR
+ fi
+ else
+ mtn $CLIENTCONF checkout -b $1 $CODIR --quiet
+ echo $CODIR
+ fi
+}
+
+update_policy_children () {
+ DELEGATIONS=$1/delegations
+ grep '^[[:space:]]*delegate' $DELEGATIONS | while read DUMMY PREFIX PBRANCH
+ do
+ CODIR=$1/delegations.d/checkouts/$PREFIX
+ update_policy_branch $PBRANCH
+ update_policy_children $CODIR
+ done
+}
+
 do_work() {
 # The local server, that this is pulling from
 # and updating the configuration of.
 SERVER="localhost"
-BRANCHES="$1"
+BASEDIR="$1"
-[ -f policy.mtn ] || mtn -d policy.mtn db init
+BRANCHES="$2"
-DB="--db $(pwd)/policy.mtn"
-CONFDIR="--confdir $(pwd)"
-RCFILE="--rcfile $(pwd)/update-policy.lua"
+[ -f policy/policy.mtn ] || mtn -d policy/policy.mtn db init
+
+DB="--db $BASEDIR/policy/policy.mtn"
+CONFDIR="--confdir $BASEDIR"
+RCFILE="--rcfile $BASEDIR/update-policy.lua"
 CLIENTCONF="${DB} ${CONFDIR} ${RCFILE}"
-mtn $CLIENTCONF pull $SERVER $(cat serverctl-branch) --quiet || exit $?
+mtn $CLIENTCONF pull $SERVER "$BRANCHES" --quiet || exit $?
-if [ -d serverctl ]
-then
- (cd serverctl && mtn $CLIENTCONF update)
-else
- mtn $CLIENTCONF checkout -b $(cat serverctl-branch) serverctl
-fi
+update_policy_children $BASEDIR/policy/policy
 mtn $CLIENTCONF pull $SERVER '' --exclude 'policy-branches-updated' --quiet
 }
@@ -34,7 +57,7 @@ done
 sleep 1
 done
-do_work $2
+do_work "$@"
 rmdir update-policy.lock
 }
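Review bot: `update_policy_children` recurses with variables that are global in POSIX sh, so once `update_policy_children $CODIR` returns, `DELEGATIONS` still names the child's file and the next sibling's `update_policy_branch` exports that stale path, making the rcfile compute `trusted_keys` from the wrong policy branch. Re-deriving the path inside the loop body (rewrite below) fixes that; `CODIR` only escapes the same problem because it is reassigned before each use. `PREFIX` and `PBRANCH` are read from a delegations file that the delegated branch's own committers control and are used unquoted in `CODIR=$1/delegations.d/checkouts/$PREFIX` and as checkout arguments, so unless prefixes are validated elsewhere a value such as `..` or one containing `/` places the checkout outside `delegations.d/checkouts/` — reject anything that is not a plain name before using it. `[ -f policy/policy.mtn ] || mtn -d policy/policy.mtn db init` tests a path relative to the current directory while `DB` is built from `$BASEDIR`, and `[ $BEFORE != $AFTER ]` is a test syntax error if either `mtn automate` call prints nothing; use `$BASEDIR` in the first and quote both operands in the second.
```sh
update_policy_children () {
  grep '^[[:space:]]*delegate' "$1/delegations" | while read DUMMY PREFIX PBRANCH
  do
    # a prefix is a name under delegations.d/checkouts/, never a path
    case "$PREFIX" in
      ''|.|..|*/*) echo "skipping bad delegation prefix: $PREFIX" >&2; continue ;;
    esac
    # reset per iteration: the recursive call below overwrites DELEGATIONS
    DELEGATIONS=$1/delegations
    CODIR=$1/delegations.d/checkouts/$PREFIX
    update_policy_branch "$PBRANCH"
    update_policy_children "$CODIR"
  done
}
# … unchanged: update_policy_branch, do_work …
```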