Using a git hook to restrict specific files so that only specific people can modify them

Author: 活活的鱼 | Source: published 2022-08-11 11:43, read 0 times

    Let me describe my scenario and requirements.
    一. The project is deployed to production with gitlab-ci, so developers could modify the gitlab-ci configuration file. To make sure only designated people can change this file,
    we enforce the restriction in a git hook.
    二. The production configuration files in the project must not be modified freely by developers; only designated people may change them.

    一. First, find where gitlab stores our project's code

    1. Look up the project id

    Log in to the gitlab admin area and find the corresponding project id; screenshot below:

    [screenshot: gitlab project page showing the project id]

    My project id is 25.

    2. Convert the project id into a hash string

    gitlab does not store the project under a path named after the project itself, so the project id has to be hashed first. The command is:

     echo -n 25 | sha256sum
    

    The 25 in the command is my own project id; fill in your actual project id.
    Press Enter and a hash string is printed:

    [root@suoyoubao ~]# echo -n 25 | sha256sum
    b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569  -
    

    3. Find where the project is stored in gitlab

    Next, use that hash string to locate where the project is stored. The command is:

    find / -name b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569.git
    

    The result:

    [root@suoyoubao ~]# find / -name b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569.git
    /var/opt/gitlab/git-data/repositories/@hashed/b7/a5/b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569.git
    

    4. Find where the hook script goes

    First cd into the path we just found. The repository's root directory has a custom_hooks folder (create it yourself if it is missing). cd into custom_hooks and create a new file named pre-receive.

    [root@suoyoubao /]# cd /var/opt/gitlab/git-data/repositories/@hashed/b7/a5/b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569.git
    [root@suoyoubao b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569.git]# ls
    branches  config  custom_hooks  description  HEAD  hooks  info  language-stats.cache  objects  packed-refs  refs
    [root@suoyoubao b7a56873cd771f2c446d369b649430b65a756ba278ff97ec81bb6f55b2e73569.git]# cd custom_hooks/
    [root@suoyoubao custom_hooks]# ls
    pre-receive
    [root@suoyoubao custom_hooks]# 
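The hash-and-find steps above can be replaced by a deterministic lookup: gitlab's hashed storage places a repository at `<repositories root>/@hashed/<first two hex chars>/<next two>/<sha256 of project id>.git`. The following helper is an added example, not part of the original post; it assumes the Omnibus default repositories root shown in the post (`/var/opt/gitlab/git-data/repositories`) and that `sha256sum` is available.

```shell
#!/bin/sh
# Added example (not from the original post): derive the on-disk path of a
# gitlab project from its numeric id instead of hashing by hand and running
# "find /". Hashed storage layout:
#   <repositories root>/@hashed/<hash[0:2]>/<hash[2:4]>/<hash>.git
# where <hash> is the SHA-256 of the decimal project id.
set -eu

# Assumption: Omnibus default from the post; adjust for your installation.
GITLAB_REPOS_ROOT="/var/opt/gitlab/git-data/repositories"

# Print the hashed-storage repository directory for project id $1.
hashed_repo_path() {
    # "printf" rather than "echo -n" so no newline sneaks into the hash input
    hash=$(printf '%s' "$1" | sha256sum | cut -d ' ' -f 1)
    printf '%s/@hashed/%s/%s/%s.git\n' "$GITLAB_REPOS_ROOT" \
        "$(printf '%s' "$hash" | cut -c 1-2)" \
        "$(printf '%s' "$hash" | cut -c 3-4)" \
        "$hash"
}

# Print the custom_hooks directory in which gitlab looks for pre-receive.
custom_hooks_dir() {
    printf '%s/custom_hooks\n' "$(hashed_repo_path "$1")"
}

# Usage with the project id from the post
hashed_repo_path 25
custom_hooks_dir 25
```

Run it with `sh path-helper.sh`; for project id 25 it prints the same `@hashed/b7/a5/...` directory that the `find` command above returned, without walking the whole filesystem.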
    

    5. Adapt the script below to your needs so that only the specified people can modify the specified files

    In my case only the root and syb users are allowed to make changes.
    The specified files are the three files .gitlab-ci.yml, application-pro.yml and bootstrap-pro.yml.
    You can define your own here.
    The script:

    #!/usr/bin/env bash
    # Forked from https://github.com/github/platform-samples/tree/master/pre-receive-hooks
    # (the original sample blocks commits that add files ending with .gz, .zip or .tgz)
    #
    # Pre-receive hook: only the users in AGREE_USER may push commits that
    # change any of the files listed in MANAGE_FILES.
    #
    # More details on pre-receive hooks and how to apply them can be found on
    # https://help.github.com/enterprise/admin/guides/developer-workflow/managing-pre-receive-hooks-on-the-github-enterprise-appliance/
    #
    zero_commit="0000000000000000000000000000000000000000"

    # Do not traverse over commits that are already in the repository
    # (e.g. in a different branch)
    # This prevents funny errors if pre-receive hooks got enabled after some
    # commits got already in and then somebody tries to create a new branch
    # If this is unwanted behavior, just set the variable to empty
    excludeExisting="--not --all"

    # gitlab exports the username of the pushing user as GL_USERNAME
    echo "pushing user: $GL_USERNAME"

    # Users allowed to modify the protected files
    AGREE_USER=("root" "syb")
    # Protected files (matched by file name, in any directory)
    MANAGE_FILES=(".gitlab-ci.yml" "application-pro.yml" "bootstrap-pro.yml")

    # Set to 1 when a pushed commit touches a protected file
    # (no space around "=": "IS_FILTER= 0" would try to run a command named 0)
    IS_FILTER=0

    # Set to 1 when the pushing user is in the allowed list
    EXIT_USER=0

    while read -r oldrev newrev refname; do
        echo "$refname $oldrev $newrev"
        # branch or tag get deleted
        if [ "$newrev" = "$zero_commit" ]; then
            continue
        fi
        # Check for new branch or tag
        if [ "$oldrev" = "$zero_commit" ]; then
            span=$(git rev-list "$newrev" $excludeExisting)
        else
            span=$(git rev-list "$oldrev..$newrev" $excludeExisting)
        fi
        for COMMIT in $span; do
            # Files changed by this commit; a read loop keeps paths with spaces intact
            while IFS= read -r FILE; do
                for MANAGED in "${MANAGE_FILES[@]}"; do
                    if [ "$(basename "$FILE")" = "$MANAGED" ]; then
                        IS_FILTER=1
                        echo "protected file changed in $COMMIT: $FILE" >&2
                    fi
                done
            done < <(git diff-tree --no-commit-id --name-only -r --root "$COMMIT")
        done
    done

    for ALLOWED in "${AGREE_USER[@]}"; do
        if [ "$ALLOWED" = "$GL_USERNAME" ]; then
            EXIT_USER=1
        fi
    done

    if [ "$IS_FILTER" -eq 1 ] && [ "$EXIT_USER" -ne 1 ]; then
        # stderr is relayed to the pusher as "remote:" lines, so say why the push was rejected
        echo "push rejected: user '$GL_USERNAME' may not modify ${MANAGE_FILES[*]}" >&2
        exit 1
    fi
    exit 0
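Before installing a hook like the one above on the server, it is worth exercising the policy against a throw-away repository. The script below is an added example and not part of the original post: it creates a local bare repository with a constructed hook that carries the same policy (root and syb may change the three files, nobody else may), then pushes commits as different users and reports the verdict. Two assumptions: a plain bare repository runs `hooks/pre-receive` rather than gitlab's `custom_hooks/pre-receive`, and `GL_USERNAME`, which gitlab sets for the pushing user, is set by hand here because a push to a local path inherits the pusher's environment.

```shell
#!/bin/sh
# Added example (not from the original post): a throw-away local test bench for
# a "who may change which files" pre-receive hook. A plain bare repository runs
# hooks/pre-receive; on gitlab the same file goes in custom_hooks/ and gitlab
# exports GL_USERNAME for the pushing user. Here GL_USERNAME is set by hand,
# because a push to a local path inherits the environment of the pusher.
set -eu

# Create a bare repository with the policy hook installed; print its path.
# Policy: only "root" and "syb" may change the three protected files.
make_guarded_repo() (
    bare="$(mktemp -d)/guarded.git"
    git init -q --bare "$bare"
    cat > "$bare/hooks/pre-receive" <<'HOOK'
#!/bin/sh
# Constructed test hook with the same policy as the post's script.
zero=0000000000000000000000000000000000000000
allowed=" root syb "
protected=" .gitlab-ci.yml application-pro.yml bootstrap-pro.yml "
user="${GL_USERNAME:-}"
hit=""
while read -r old new ref; do
    [ "$new" = "$zero" ] && continue                 # ref deletion: nothing to scan
    if [ "$old" = "$zero" ]; then range="$new"; else range="$old..$new"; fi
    # "--not --all" skips commits the repository already has (e.g. on another branch)
    for c in $(git rev-list $range --not --all); do
        for f in $(git diff-tree --no-commit-id --name-only -r --root "$c"); do
            case "$protected" in *" $(basename "$f") "*) hit="$f" ;; esac
        done
    done
done
case "$allowed" in *" $user "*) exit 0 ;; esac      # privileged user: always accept
if [ -n "$hit" ]; then
    echo "pre-receive: user '$user' may not change '$hit'" >&2
    exit 1
fi
exit 0
HOOK
    chmod +x "$bare/hooks/pre-receive"      # a hook that is not executable is silently ignored
    echo "$bare"
)

# Commit a one-line change to file $2 in a fresh clone of $3 and push it as
# gitlab user $1. Prints "allowed" or "denied".
simulate_push() (
    user="$1"; file="$2"; bare="$3"
    work="$(mktemp -d)"
    git clone -q "$bare" "$work" 2>/dev/null      # warns while the repo is still empty
    cd "$work"
    mkdir -p "$(dirname "$file")"
    echo "change by $user" >> "$file"
    git add -A
    git -c user.name=test -c user.email=test@example.invalid commit -q -m "touch $file"
    if GL_USERNAME="$user" git push -q origin HEAD; then
        echo allowed
    else
        echo denied
    fi
)

# Constructed demo: four pushes against one fresh guarded repository.
REPO="$(make_guarded_repo)"
echo "dev pushes .gitlab-ci.yml           -> $(simulate_push dev .gitlab-ci.yml "$REPO")"
echo "syb pushes .gitlab-ci.yml           -> $(simulate_push syb .gitlab-ci.yml "$REPO")"
echo "dev pushes README.md                -> $(simulate_push dev README.md "$REPO")"
echo "dev pushes conf/application-pro.yml -> $(simulate_push dev conf/application-pro.yml "$REPO")"
```

Run it with `sh hook-bench.sh`; the expected verdicts are denied, allowed, allowed, denied. The third case is the reason the `--not --all` exclusion matters: syb's earlier commit that changed `.gitlab-ci.yml` is already in the repository, so dev's later README-only push must not be rescanned against it, otherwise an unprivileged developer could never push again after a privileged change.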
    


Article link: https://www.haomeiwen.com/subject/htwzwrtx.html