gitolite/src/gl-auth-command

#!/usr/bin/perl
use strict;
use warnings;
# === auth-command ===
# the command that GL users actually run
# part of the gitolite (GL) suite
# how run: via sshd, being listed in "command=" in ssh authkeys
# when: every login by a GL user
# input: $1 is GL username, plus $SSH_ORIGINAL_COMMAND
# output:
# security:
# - currently, we just make some basic checks, copied from gitosis
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
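# Package globals filled in by the two "do FILE" calls below.  The rc file must
# set $GL_CONF_COMPILED (it is used immediately afterwards); %repos is
# presumably set by the compiled config -- confirm against the compiler.
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE);
our %repos;

# "do FILE" runs the file as Perl code with this process's privileges, so both
# files are part of the trusted base of this program: they must be writable
# only by the account that hosts the repositories.
defined $ENV{HOME}
    or die "HOME is not set; cannot locate .gitolite.rc\n";
my $glrc = $ENV{HOME} . "/.gitolite.rc";

# Report $@ (an error raised while compiling or running the file) ahead of $!;
# $! can still hold a stale errno from an unrelated earlier call and would
# otherwise hide the real cause.
die "parse $glrc failed: " . ($@ or $!) unless do $glrc;
die "parse $GL_CONF_COMPILED failed: " . ($@ or $!) unless do $GL_CONF_COMPILED;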
# ----------------------------------------------------------------------------
# definitions specific to this program
# ----------------------------------------------------------------------------
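# Verbs that only read from a repository, in old ("git-x") and new ("git x")
# spelling.
my $R_COMMANDS=qr/^(git[ -]upload-pack|git[ -]upload-archive)\z/;
# The one verb that writes to a repository.
my $W_COMMANDS=qr/^git[ -]receive-pack\z/;
# Repository names: an alphanumeric first character, then alphanumerics, dot,
# underscore, slash or hyphen.  The lookahead refuses ".." anywhere in the
# name: the name is later appended to $REPO_BASE to build a filesystem path,
# and the character class on its own would admit "a/../b", leaving the
# per-repo permission lookup as the only thing keeping the path inside the
# repository base.
# \z rather than $ so that a trailing newline can never be part of a match.
my $REPONAME_PATT=qr{^(?!.*\.\.)[0-9a-zA-Z][0-9a-zA-Z._/-]*\z};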
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
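# first, fix the biggest gripe I have with gitosis, a 1-line change
#
# The username is the first argument, supplied by the "command=" entry in the
# ssh authorized keys file.  Fail closed when it is missing or empty: an
# undefined user would otherwise still receive whatever '@all' is granted in
# the permission check further down.
my $user=shift;
die "no username given; check the command= entry for this key\n"
    unless defined $user and length $user;
$ENV{GL_USER}=$user; # there; now that's available everywhere!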
# ----------------------------------------------------------------------------
# sanity checks on SSH_ORIGINAL_COMMAND
# ----------------------------------------------------------------------------
# SSH_ORIGINAL_COMMAND must exist. Since we also captured $user, we print
# that in the message so people saying "ssh git@server" can see which gitosis
# user he is being recognised as
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
# An unset, empty or "0" command all count as "no command given".
die "no SSH_ORIGINAL_COMMAND? I'm not a shell, $user!\n"
    unless $cmd;
# this check is largely for comic value if someone tries something outrageous;
# $cmd gets split and the pieces examined more thoroughly later anyway
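# Besides the shell metacharacters, refuse every control character (tab, CR,
# ESC, newline, ...).  The raw command is written verbatim to the
# tab-separated log further down, so such bytes would let a caller forge
# fields in a log line or garble what an admin sees when reading the log.
die "$cmd??? you're a funny guy...\n"
    if $cmd =~ /[<>&|;[:cntrl:]]/;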
# split into command and arguments; the pattern allows old style as well as
# new style: "git-subcommand arg" or "git subcommand arg", just like gitosis
# does, although I'm not sure how necessary that is
#
# keep in mind this is how git sends across the command:
# git-receive-pack 'reponame.git'
# including the single quotes
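# The match is anchored at both ends, so nothing but whitespace may follow the
# closing quote, and the dot in ".git" is a literal dot rather than "any
# character".
my ($verb, $repo) = ($cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*)\.git'\s*\z/);
# A failed match leaves both captures undefined; test for that first so the
# pattern checks never run against undef (which would only emit
# "uninitialized value" warnings before dying anyway).
die "Sorry, I don't like the command you gave me: $cmd\n"
    unless ( defined $verb and defined $repo
        and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS )
        and $repo =~ $REPONAME_PATT );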
# ----------------------------------------------------------------------------
# first level permissions check
# ----------------------------------------------------------------------------
# we know the user and repo; we just need to know what perm he's trying
# Anything that is not a read verb has already been confirmed to be the write
# verb, so the requested permission is either 'R' or 'W'.
my $perm = 'W';
$perm = 'R' if $verb =~ $R_COMMANDS;

# Access is granted when the user is listed for this repo and permission, or
# when the special '@all' entry is.
# NOTE(review): a denial dies here, before the log write further down, so
# refused attempts leave no record in the gitolite log.
my $allowed = $repos{$repo}{$perm}{$user}
    || $repos{$repo}{$perm}{'@all'};
die "$perm access for $repo denied to $user\n"
    unless $allowed;
# ----------------------------------------------------------------------------
# logging, timestamp. also setup env vars for later
# ----------------------------------------------------------------------------
# reponame
# export the repository name through the environment
$ENV{GL_REPO}=$repo;

# build a local timestamp with every field except the year padded to 2 digits
my ($s, $min, $h, $d, $m, $y) = (localtime)[0..5];
$y += 1900; # localtime counts years from 1900 ...
$m += 1;    # ... and months from 0
($s, $min, $h, $d, $m) = map { $_ < 10 ? "0$_" : $_ } ($s, $min, $h, $d, $m);
$ENV{GL_TS} = join('.', join('-', $y, $m, $d), join(':', $h, $min, $s));

# fill in the %y, %m and %d placeholders of the log file name template; the
# replacements are all digits, so one pass gives the same result as three
my %value_for = ( y => $y, m => $m, d => $d );
$GL_LOGT =~ s/%([ymd])/$value_for{$1}/g;
$ENV{GL_LOG} = $GL_LOGT;

# One tab-separated line per permitted request: timestamp, the command exactly
# as the client sent it, and the user.  A log that cannot be written blocks
# access; drop the error checks if that is not wanted.
# NOTE(review): the file is created with whatever mode the current umask
# yields -- confirm that it is not readable by other accounts.
open(my $log_fh, ">>", $ENV{GL_LOG})
    or die "open log failed: $!\n";
print $log_fh join("\t", $ENV{GL_TS}, $ENV{SSH_ORIGINAL_COMMAND}, $user), "\n";
close($log_fh)
    or die "close log failed: $!\n";
# ----------------------------------------------------------------------------
# over to git now
# ----------------------------------------------------------------------------
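# Build the quoted path that "git shell -c" will parse.  The repository name
# has already been matched against the repository-name pattern, which admits
# no quote characters; $REPO_BASE is not validated here and is presumably set
# by the rc file, so it must not contain a single quote.
$repo = "'$REPO_BASE/$repo.git'";
# List-form exec: no shell is involved on our side.  exec only returns when it
# fails, so die in that case instead of falling off the end of the script and
# ending the session with a success status.
exec("git", "shell", "-c", "$verb $repo")
    or die "exec git shell failed: $!\n";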