#!/bin/bash # Check an IP before allowing access. # This is also a generic example of how to add arbitrary checks at the PRE_GIT # stage, in order to control fetch/clone as well, not just push operations # (VREFs, in contrast, only work for pushes). # Notice how repo-specific information is being passed to this code (bullet 3 # below). For more on that, see: # https://gitolite.com/gitolite/dev-notes/#appendix-1-repo-specific-environment-variables # Instructions: # 1. put this in an appropriate triggers directory (read about non-core # code at http://gitolite.com/gitolite/non-core/ for more on this; the # cookbook may also help here). # 2. add a line: # PRE_GIT => [ 'IP-check' ], # just before the "ENABLE" line in the rc file # 3. add a line like this to the "repo ..." section in gitolite.conf: # option ENV.IP_allowed = 1.2.3.0/24 # take care that this expression is valid, in the sense that passing it # to 'ipcalc -n' will return the part before the "/". I.e., in this # example, 'ipcalc -n 1.2.3.0/24' should (and does) return 1.2.3.0. # ---- [ -n "$GL_OPTION_IP_allowed" ] || exit 0 expected=${GL_OPTION_IP_allowed%/*} mask=${GL_OPTION_IP_allowed#*/} current_ip=${SSH_CONNECTION%% *} eval `ipcalc -n $current_ip/$mask` [ "$expected" == "$NETWORK" ] && exit 0 echo >&2 "IP $current_ip does not match allowed block $GL_OPTION_IP_allowed" exit 1