2009-08-25 08:44:46 +05:30
|
|
|
#!/usr/bin/perl
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
use strict;
|
2009-08-25 08:44:46 +05:30
|
|
|
use warnings;
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
# === auth-command ===
|
|
|
|
# the command that GL users actually run
|
|
|
|
|
2009-08-26 06:17:27 +05:30
|
|
|
# part of the gitolite (GL) suite
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
# how run: via sshd, being listed in "command=" in ssh authkeys
|
|
|
|
# when: every login by a GL user
|
|
|
|
# input: $1 is GL username, plus $SSH_ORIGINAL_COMMAND
|
|
|
|
# output:
|
|
|
|
# security:
|
|
|
|
# - currently, we just make some basic checks, copied from gitosis
|
|
|
|
|
|
|
|
# robustness:
|
|
|
|
|
|
|
|
# other notes:
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# common definitions
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
our $GL_ADMINDIR;
|
|
|
|
our $GL_CONF;
|
|
|
|
our $GL_KEYDIR;
|
|
|
|
our $GL_CONF_COMPILED;
|
|
|
|
our $REPO_BASE;
|
|
|
|
our %repos;
|
|
|
|
|
2009-08-26 06:17:27 +05:30
|
|
|
my $glrc = $ENV{HOME} . "/.gitolite.rc";
|
2009-08-23 18:24:37 +05:30
|
|
|
unless (my $ret = do $glrc)
|
|
|
|
{
|
|
|
|
die "parse $glrc failed: $@" if $@;
|
|
|
|
die "couldn't do $glrc: $!" unless defined $ret;
|
|
|
|
die "couldn't run $glrc" unless $ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED);
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# definitions specific to this program
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
2009-08-25 09:21:07 +05:30
|
|
|
my $R_COMMANDS=qr/^git[ -]upload-pack$/;
|
|
|
|
my $W_COMMANDS=qr/^git[ -]receive-pack$/;
|
2009-08-25 09:08:11 +05:30
|
|
|
my $REPONAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._/-]*$); # very simple pattern
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# start...
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
# first, fix the biggest gripe I have with gitosis, a 1-line change
|
|
|
|
my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere!
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# sanity checks on SSH_ORIGINAL_COMMAND
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
# SSH_ORIGINAL_COMMAND must exist. Since we also captured $user, we print
|
|
|
|
# that in the message so people saying "ssh git@server" can see which gitosis
|
|
|
|
# user he is being recognised as
|
|
|
|
my $cmd = $ENV{SSH_ORIGINAL_COMMAND}
|
|
|
|
or die "no SSH_ORIGINAL_COMMAND? I'm not a shell, $user!";
|
|
|
|
|
2009-08-27 13:14:47 +05:30
|
|
|
# this check is largely for comic value if someone tries something outrageous;
|
|
|
|
# $cmd gets split and the pieces examined more thoroughly later anyway
|
2009-08-23 18:24:37 +05:30
|
|
|
die "$cmd??? you're a funny guy..."
|
2009-08-27 13:14:47 +05:30
|
|
|
if $cmd =~ /[<>&|;\n]/;
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
# split into command and arguments; the pattern allows old style as well as
|
|
|
|
# new style: "git-subcommand arg" or "git subcommand arg", just like gitosis
|
|
|
|
# does, although I'm not sure how necessary that is
|
|
|
|
#
|
|
|
|
# keep in mind this is how git sends across the command:
|
|
|
|
# git-receive-pack 'reponame.git'
|
|
|
|
# including the single quotes
|
|
|
|
|
2009-08-27 13:14:47 +05:30
|
|
|
my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*).git'/);
|
2009-08-23 18:24:37 +05:30
|
|
|
die "$verb? I don't do odd jobs, sorry..."
|
|
|
|
unless $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS;
|
|
|
|
|
|
|
|
die "I don't like the look of $repo, sorry!"
|
|
|
|
unless $repo =~ $REPONAME_PATT;
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# first level permissions check
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
2009-08-25 09:21:07 +05:30
|
|
|
# we know the user and repo; we just need to know what perm he's trying
|
|
|
|
my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');
|
|
|
|
|
2009-08-27 13:14:47 +05:30
|
|
|
die "$perm access for $repo denied to $user"
|
|
|
|
unless $repos{$repo}{$perm}{$user}
|
|
|
|
or $repos{$repo}{$perm}{'@all'};
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# over to git now
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
|
|
# ( but first save the reponame; we can save some time later in the hook )
|
|
|
|
$ENV{GL_REPO}=$repo;
|
|
|
|
|
2009-08-25 09:57:19 +05:30
|
|
|
# if log failure isn't important enough to block access, get rid of all the
|
|
|
|
# error checking
|
|
|
|
open my $log_fh, ">>", "$GL_ADMINDIR/log"
|
|
|
|
or die "open log failed: $!";
|
|
|
|
print $log_fh "\n", scalar(localtime), " $ENV{SSH_ORIGINAL_COMMAND} $user\n";
|
|
|
|
close $log_fh or die "close log failed: $!";
|
2009-08-23 18:24:37 +05:30
|
|
|
|
|
|
|
$repo = "'$REPO_BASE/$repo.git'";
|
|
|
|
exec("git", "shell", "-c", "$verb $repo");
|