From 7ab3ff28179a07037fef4207b7b5446c45a8479c Mon Sep 17 00:00:00 2001 From: Mathieu Bridon Date: Thu, 18 Sep 2014 16:54:39 +0200 Subject: [PATCH] distgit: Block push of branches named 'origin/*' We already use the update hook for gitolite. This introduces a new update hook, which merely chains the gitolite one, and a new one to block pushes to badly named branches. The new hook was written originally by Till Maas. https://fedorahosted.org/rel-eng/ticket/4071 --- roles/distgit/files/setup_git_package | 12 ++++++++++-- roles/git/hooks/files/update-block-push-origin | 10 ++++++++++ roles/git/hooks/files/update-chained | 12 ++++++++++++ roles/git/hooks/tasks/main.yml | 2 ++ 4 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 roles/git/hooks/files/update-block-push-origin create mode 100644 roles/git/hooks/files/update-chained diff --git a/roles/distgit/files/setup_git_package b/roles/distgit/files/setup_git_package index 73f5d28bc5..d474ffb05d 100644 --- a/roles/distgit/files/setup_git_package +++ b/roles/distgit/files/setup_git_package @@ -108,9 +108,17 @@ git commit -q -m 'Initial setup of the repo' --author "$AUTHOR" git push -q origin master popd >/dev/null -# Put our special update hooks in place -ln -s /usr/share/gitolite/hooks/common/update $GITROOT/$PACKAGE.git/hooks/ +# Setup our update hooks +mkdir -p $GITROOT/$PACKAGE.git/hooks/update-chained.d +ln -s /usr/share/gitolite/hooks/common/update \ + $GITROOT/$PACKAGE.git/hooks/update-chained.d/update-gitolite +ln -s /usr/share/git-core/update-block-push-origin \ + $GITROOT/$PACKAGE.git/hooks/update-chained.d/update-block-push-origin +# This one kicks off all the others in update-chained.d +ln -s /usr/share/git-core/update-chained $GITROOT/$PACKAGE.git/hooks/update + +# Setup our post-receive hooks mkdir -p $GITROOT/$PACKAGE.git/hooks/post-receive-chained.d ln -s /usr/share/git-core/mail-hooks/gnome-post-receive-email \ $GITROOT/$PACKAGE.git/hooks/post-receive-chained.d/post-receive-email 
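Review bot: After this hunk the gitolite update hook is reached only through the `hooks/update` symlink to `/usr/share/git-core/update-chained`, and nothing in the new lines checks that this target is installed. Git treats a hook that is missing or not executable as absent, so a dangling link would let pushes through without the gitolite check. A guard before the `ln -s` lines, such as `[ -x /usr/share/git-core/update-chained ] || { echo "update-chained is not installed" >&2; exit 1; }`, would make repository creation fail instead. The new `mkdir`/`ln` paths are also unquoted (`$GITROOT/$PACKAGE.git/...`), and repositories created before this change keep the old direct symlink; no migration for them is visible in this patch. The rest of the script is outside the hunk, so whether it already stops on a failed `ln` cannot be seen here.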
diff --git a/roles/git/hooks/files/update-block-push-origin b/roles/git/hooks/files/update-block-push-origin new file mode 100644 index 0000000000..17380e3136 --- /dev/null +++ b/roles/git/hooks/files/update-block-push-origin @@ -0,0 +1,10 @@ +#!/bin/sh +# +# Block pushes to branches if their name starts with `origin/` +# https://fedorahosted.org/rel-eng/ticket/4071 + +refname="${1}" +sha1_old="${2}" +sha1_new="${3}" + +echo "${refname}" | grep -qE '^refs/heads/origin/' && exit 1 || exit 0 diff --git a/roles/git/hooks/files/update-chained b/roles/git/hooks/files/update-chained new file mode 100644 index 0000000000..6062f4bf9c --- /dev/null +++ b/roles/git/hooks/files/update-chained @@ -0,0 +1,12 @@ +#!/bin/bash + + +refname="${1}" +sha1_old="${2}" +sha1_new="${3}" + + +$GIT_DIR/hooks/update-chained.d/update-gitolite "$refname" "$sha1_old" "$sha1_new" || exit 1 +$GIT_DIR/hooks/update-chained.d/update-block-push-origin "$refname" "$sha1_old" "$sha1_new" || exit 1 + +exit 0 diff --git a/roles/git/hooks/tasks/main.yml b/roles/git/hooks/tasks/main.yml index af15eff6b1..9d6c34aed2 100644 --- a/roles/git/hooks/tasks/main.yml +++ b/roles/git/hooks/tasks/main.yml @@ -13,6 +13,8 @@ with_items: - post-receive-fedmsg - post-receive-chained + - update-block-push-origin + - update-chained - name: install the git mail hooks copy: src={{item}} dest=/usr/share/git-core/mail-hooks mode=0755
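Review bot: The last line of update-block-push-origin rejects every update to `refs/heads/origin/*`, including a deletion, so any badly named branch that already exists cannot be removed by push. It also rejects without printing a reason, and the `&& exit 1 || exit 0` form accepts the push if grep itself fails. Matching with `case`, letting an all-zero new sha (a delete) through, and writing a message to stderr on reject covers all three. `sha1_old` is assigned but never used and could be dropped.

```sh
# … unchanged: shebang, header comment, refname/sha1 assignments …
case "${refname}" in
    refs/heads/origin/*)
        case "${sha1_new}" in
            *[!0]*)
                echo "Branch names starting with 'origin/' are not allowed: ${refname}" >&2
                exit 1
                ;;
        esac
        # An all-zero new sha is a branch deletion; allow it so existing
        # badly named branches can still be removed.
        ;;
esac

exit 0
```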
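Review bot: `$GIT_DIR` is unquoted in both hook invocations of update-chained, so a repository path containing whitespace would split the command; write `"$GIT_DIR/hooks/update-chained.d/update-gitolite" "$refname" "$sha1_old" "$sha1_new" || exit 1` and the same for the second call. Calling the two hooks by name means a missing or non-executable hook fails the command and the push is rejected, which is the safe direction for the gitolite check. A comment such as `# Hooks are called by name so that a missing one rejects the push instead of being skipped` would keep a later rewrite into a loop over update-chained.d/* from silently changing that. The script uses no bash features, so `#!/bin/sh` would match update-block-push-origin.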