Diffstat (limited to 'contrib/triggers/IP-check')
1 files changed, 43 insertions, 0 deletions
diff --git a/contrib/triggers/IP-check b/contrib/triggers/IP-check
new file mode 100755
@@ -0,0 +1,43 @@
+# Check an IP before allowing access.
+# This is also a generic example of how to add arbitrary checks at the PRE_GIT
+# stage, in order to control fetch/clone as well, not just push operations
+# (VREFs, in contrast, only work for pushes).
+# Notice how repo-specific information is being passed to this code (bullet 3
+# below). For more on that, see:
+# 1. put this in an appropriate triggers directory (read about non-core
+# code at http://gitolite.com/gitolite/non-core/ for more on this; the
+# cookbook may also help here).
+# 2. add a line:
+# PRE_GIT => [ 'IP-check' ],
+# just before the "ENABLE" line in the rc file
+# 3. add a line like this to the "repo ..." section in gitolite.conf:
+# option ENV.IP_allowed = 188.8.131.52/24
+# take care that this expression is valid, in the sense that passing it
+# to 'ipcalc -n' will return the part before the "/". I.e., in this
+# example, 'ipcalc -n 184.108.40.206/24' should (and does) return 220.127.116.11.
+[ -n "$GL_OPTION_IP_allowed" ] || exit 0
+eval `ipcalc -n $current_ip/$mask`
+[ "$expected" == "$NETWORK" ] && exit 0
+echo >&2 "IP $current_ip does not match allowed block $GL_OPTION_IP_allowed"