update hook for Main git when handling push from weblate (#15402) · Issues · tails / sysadmin

update hook for Main git when handling push from weblate

Originally created by @Anonymous on #15402 (Redmine)

This scripts is the security barrier into maingit. It is triggerd by the bare git hook mechanism.
It is placed inside puppet-tails: files/gitolite/hooks/tails-weblate-update.hook

Envrironment:

the script is triggered for every push to tails.git
a malicious users try to trick this script
the translation-server may be compromised and the weblate user may pushes malicious commits.
GL_USER is a environment variable, that is set by gitolite and is safe to rely on and indicates the users that it pushing.
If the script returns with a status code 0 the push is allowed and not 0 if not allowed.
Any output to stdout/stderr is allowed but only displayed to the user.

Expected outcome:

Weblate need to use “weblate <tails-l10n@boum.org>” as committer “name ” in any case
Weblate is ONLY to push po files nothing else in any case.
Everything else is not allowed for weblate.
For all other users the script should not do anything.

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes

Attachments

test-tails-weblate-update

Parent Task: #15082 (closed)

Related issues

Related to tails#15185 (closed)
Related to #15401 (closed)
Related to tails#16760 (closed)
Related to tails#16761
Blocks #16712

_Originally created by @Anonymous on [#15402 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/15402)_

This scripts is the security barrier into maingit. It is triggerd by the
bare git hook mechanism.  
It is placed inside puppet-tails:
`files/gitolite/hooks/tails-weblate-update.hook`

Envrironment:

- the script is triggered for every push to tails.git
  - a malicious users try to trick this script
  - the translation-server may be compromised and the weblate user may
    pushes malicious commits.
  - `GL_USER` is a environment variable, that is set by gitolite and is
    safe to rely on and indicates the users that it pushing.
  - If the script returns with a status code 0 the push is allowed and
    not 0 if not allowed.
  - Any output to stdout/stderr is allowed but only displayed to the
    user.

Expected outcome:

- Weblate need to use “weblate \<tails-l10n@boum.org\>” as committer
    “name <email>” in any case
  - Weblate is ONLY to push po files nothing else in any case.
  - Everything else is not allowed for weblate.
  - For all other users the script should not do anything.

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes

### Attachments

* [test-tails-weblate-update](https://redmine.tails.boum.org/code/attachments/download/2330/test-tails-weblate-update)

Parent Task: tails/sysadmin#15082

### Related issues

- **Related to** tails/tails#15185
  - **Related to** tails/sysadmin#15401
  - **Related to** tails/tails#16760
  - **Related to** tails/tails#16761
  - **Blocks** tails/sysadmin#16712

Edited May 21, 2020 by Anonymous

To upload designs, you'll need to enable LFS. More information