#!/usr/bin/perl
use strict;
use warnings;
# === auth-command ===
# the command that GL users actually run
# part of the gitolite (GL) suite
# how run: via sshd, being listed in "command=" in ssh authkeys
# when: every login by a GL user
# input: $1 is GL username, plus $SSH_ORIGINAL_COMMAND
# output:
# security:
# - currently, we just make some basic checks, copied from gitosis
# robustness:
# other notes:
# ----------------------------------------------------------------------------
# common definitions
# ----------------------------------------------------------------------------
# Package globals that the "rc" file sets.
our (
    $GL_LOGT,
    $GL_CONF_COMPILED,
    $REPO_BASE,
    $GIT_PATH,
    $REPO_UMASK,
    $GL_ADMINDIR,
);

# Package globals that gitolite.pm sets.
our ( $R_COMMANDS, $W_COMMANDS, $REPONAME_PATT );

# Access rules, keyed by repo name; filled in later by parse_acl().
our %repos;

# The common setup module sits in the same directory as this program: drop
# the last path component of $0 to get that directory. Code is loaded from
# wherever $0 points, so that directory should be writable only by the account
# that hosts gitolite.
( my $bindir = $0 ) =~ s{/[^/]+$}{};
require "$bindir/gitolite.pm";
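# Ask where the rc file is, then "do" it. where_is_rc() is not defined in
# this file (presumably it comes from gitolite.pm); this code relies on it
# having put the path in $ENV{GL_RC}.
&where_is_rc();

# "do FILE" yields the file's last value. A false result means the rc file
# did not compile (reason in $@), could not be read (reason in $!), or ended
# on a false value. $@ is reported first: $! may still hold an errno left
# over from an earlier, unrelated system call, which would hide the real
# parse error.
# NOTE(review): the rc file is executed as Perl with this account's
# privileges, so its location and permissions are part of the trust boundary.
unless ( do $ENV{GL_RC} ) {
    die "parse $ENV{GL_RC} failed: " . ( $@ or $! );
}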
# Child hooks need GL_ADMINDIR and the directory of this program. Only the
# admin repo's post-update hook uses them, but they are exported on every run.
@ENV{qw(GL_ADMINDIR GL_BINDIR)} = ( $GL_ADMINDIR, $bindir );

# Optional custom directory for the git binaries. It is appended, so the
# directories already in PATH are searched before it.
if ($GIT_PATH) {
    $ENV{PATH} .= ":$GIT_PATH";
}

# The umask has to be in place before any file is created.
umask($REPO_UMASK);
# ----------------------------------------------------------------------------
# start...
# ----------------------------------------------------------------------------
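# Arguments: an optional "-s", then the GL username (see the header: this
# program is listed in "command=" in the ssh authkeys file).

# A leading "-s" means the owner of this key is allowed to get a shell.
# Testing that an argument exists first avoids an "uninitialized value"
# warning (warnings are enabled) when the program is started with no
# arguments at all.
my $shell_allowed = 0;
if ( @ARGV and $ARGV[0] eq '-s' ) {
    $shell_allowed = 1;
    shift @ARGV;
}

# The next argument is the username. Without one there is nobody to check
# access for, so stop here instead of carrying on with an undefined user.
my $user = shift @ARGV;
die "no username given on the command line\n"
    unless defined $user and length $user;

# Publishing the name as GL_USER makes it available everywhere from here on
# (the author's main gripe with gitosis was that it did not do this).
$ENV{GL_USER} = $user;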
# ----------------------------------------------------------------------------
# sanity checks on SSH_ORIGINAL_COMMAND
# ----------------------------------------------------------------------------
# SSH_ORIGINAL_COMMAND is absent (or false): there is no git request to serve.
if ( not $ENV{SSH_ORIGINAL_COMMAND} ) {

    # A key marked with "-s" gets a login shell. The shell is started with
    # its basename prefixed by "-" as argv[0], e.g. "/bin/bash" runs as
    # "-bash".
    if ($shell_allowed) {
        ( my $login_name = $ENV{SHELL} ) =~ s/.*\//-/;
        exec { $ENV{SHELL} } $login_name;
    }

    # Reached by every other key, and also when the exec above failed and
    # returned: print the basic access report and end the session.
    &report_basic( $GL_ADMINDIR, $GL_CONF_COMPILED, $user );
    exit 1;
}
# The command line the ssh client asked for; known to be non-empty here.
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};

# The literal command "info" prints the basic access report. Keys that were
# given "-s" are also told that they have shell access.
if ( $cmd eq 'info' ) {
    &report_basic( $GL_ADMINDIR, $GL_CONF_COMPILED, $user );
    if ($shell_allowed) {
        print "you also have shell access\n\r";
    }
    exit 1;
}
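# Split the request into the git command ("verb") and the repository name.
# Old and new style are both accepted, "git-subcommand arg" as well as
# "git subcommand arg", just like gitosis does. Keep in mind that git sends
# the command like this, single quotes included:
#       git-receive-pack 'reponame.git'
#
# The captured name loses one leading "/" and a trailing ".git". The dot of
# that suffix is escaped so that only a literal ".git" is stripped; unescaped
# it matches any character, and a name such as "mygit" would be cut down to
# "m".
#
# NOTE(review): the pattern is not anchored at the end, so whatever follows
# the closing quote is neither captured nor checked. Only $verb and $repo go
# into the access check and the final exec, but the logging code further down
# records SSH_ORIGINAL_COMMAND as a whole.
my ( $verb, $repo ) =
    ( $cmd =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/ );

# Accept the request only when the verb is one of the read or write commands
# and the repository name fits $REPONAME_PATT; these patterns are set by
# gitolite.pm and are not visible in this file.
unless ( $verb
    and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS )
    and $repo
    and $repo =~ $REPONAME_PATT )
{
    # A user who is allowed a shell just gets the command run by that shell.
    exec $ENV{SHELL}, "-c", $ENV{SSH_ORIGINAL_COMMAND} if $shell_allowed;

    # Everyone else is refused.
    die "bad command: $cmd\n";
}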
# ----------------------------------------------------------------------------
# first level permissions check
# ----------------------------------------------------------------------------
# Load the compiled access rules; the result lands in the global %repos.
&parse_acl($GL_CONF_COMPILED);

# User and repo are known, so only the kind of access is left to work out:
# "R" when the verb is one of the read commands, "W" otherwise.
my $perm = 'W';
$perm = 'R' if $verb =~ $R_COMMANDS;

# The request goes through only if the rules list this user, or the
# catch-all "@all", under that permission for this repo.
if ( not( $repos{$repo}{$perm}{$user} or $repos{$repo}{$perm}{'@all'} ) ) {
    die "$perm access for $repo DENIED to $user\n";
}
# Absolute form of $REPO_BASE: taken as is when it starts with "/", otherwise
# resolved against $HOME.
my $repo_base_abs = $REPO_BASE;
$repo_base_abs = "$ENV{HOME}/$REPO_BASE" unless $REPO_BASE =~ m(^/);

# A repo that does not exist on disk yet is created now, but only for a user
# (or "@all") holding "W" on it. The work is done from inside the repo base
# directory, after which the process returns to $HOME.
# NOTE(review): the path is built from $repo, which has matched
# $REPONAME_PATT; whether that pattern rules out ".." components cannot be
# seen from this file -- confirm in gitolite.pm.
if (    ( not -d "$repo_base_abs/$repo.git" )
    and ( $repos{$repo}{W}{$user} or $repos{$repo}{W}{'@all'} ) )
{
    wrap_chdir("$repo_base_abs");
    new_repo( $repo, "$GL_ADMINDIR/src/hooks" );
    wrap_chdir( $ENV{HOME} );
}
# ----------------------------------------------------------------------------
# logging, timestamp. also setup env vars for later
# ----------------------------------------------------------------------------
# reponame
# exported for later stages; by this point $repo has matched $REPONAME_PATT
# and no longer carries the ".git" suffix
$ENV{GL_REPO}=$repo;
# Timestamp of this access in local time, exported as GL_TS in the form
# "YYYY-MM-DD.hh:mm:ss".
my ($s, $min, $h, $d, $m, $y) = (localtime)[0..5];

# localtime counts years from 1900 and months from 0
$y += 1900;
$m += 1;

# two digits for every field except the year
($s, $min, $h, $d, $m) = map { sprintf '%02d', $_ } $s, $min, $h, $d, $m;

$ENV{GL_TS} = join '.', join('-', $y, $m, $d), join(':', $h, $min, $s);
# Fill the %y, %m and %d placeholders of the log file name template with
# today's date, then export the resulting name as GL_LOG.
for my $field ( [ '%y', $y ], [ '%m', $m ], [ '%d', $d ] ) {
    my ( $token, $value ) = @$field;
    $GL_LOGT =~ s/\Q$token\E/$value/g;
}
$ENV{GL_LOG} = $GL_LOGT;
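# Record the access as one line: timestamp, command and user, separated by
# tabs. A failure to log blocks the access; if that is not important enough,
# get rid of the error checking.
#
# SSH_ORIGINAL_COMMAND comes from the ssh client, and the command pattern
# only checked its beginning, so it may contain tabs, newlines or other
# control characters. They are written as \xNN escapes so that one request
# always yields exactly one log line with three fields. A literal backslash
# is left as it is.
( my $logged_cmd = $ENV{SSH_ORIGINAL_COMMAND} ) =~
    s/([\x00-\x1f\x7f])/sprintf '\\x%02x', ord $1/ge;

open my $log_fh, ">>", $ENV{GL_LOG}
    or die "open log failed: $!\n";
print $log_fh "$ENV{GL_TS}\t$logged_cmd\t$user\n";
close $log_fh or die "close log failed: $!\n";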
# ----------------------------------------------------------------------------
# over to git now
# ----------------------------------------------------------------------------
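# Hand over to git. "git shell -c" receives the verb followed by the
# repository path in single quotes, the same shape git itself sends. exec is
# called in list form, so no shell started from here interprets the string;
# git shell does its own parsing, which is why the quoting depends on $repo
# having matched $REPONAME_PATT earlier.
# $REPO_BASE is used as configured (not its absolute form), so a relative
# value is resolved against the current directory.
$repo = "'$REPO_BASE/$repo.git'";

# exec returns only when git could not be started; report that instead of
# silently carrying on past this point.
exec( "git", "shell", "-c", "$verb $repo" )
    or die "exec git shell failed: $!\n";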