update hook for Main git when handling push from weblate (#15402) · Issues · tails / sysadmin

update hook for Main git when handling push from weblate

Originally created by @Anonymous on #15402 (Redmine)

This scripts is the security barrier into maingit. It is triggerd by the bare git hook mechanism.
It is placed inside puppet-tails: files/gitolite/hooks/tails-weblate-update.hook

Envrironment:

the script is triggered for every push to tails.git
a malicious users try to trick this script
the translation-server may be compromised and the weblate user may pushes malicious commits.
GL_USER is a environment variable, that is set by gitolite and is safe to rely on and indicates the users that it pushing.
If the script returns with a status code 0 the push is allowed and not 0 if not allowed.
Any output to stdout/stderr is allowed but only displayed to the user.

Expected outcome:

Weblate need to use “weblate <tails-l10n@boum.org>” as committer “name ” in any case
Weblate is ONLY to push po files nothing else in any case.
Everything else is not allowed for weblate.
For all other users the script should not do anything.

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes

Attachments

test-tails-weblate-update

Parent Task: #15082 (closed)

Related issues

Related to tails#15185 (closed)
Related to #15401 (closed)
Related to tails#16760 (closed)
Related to tails#16761
Blocks #16712 (closed)

Edited May 21, 2020 by Anonymous

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information