gitolite/gl-compile-conf

#!/usr/bin/perl -w

use strict;
use Data::Dumper;

# === add-auth-keys ===

# part of the gitosis-lite (GL) suite

# (1) - "compiles" ~/.ssh/authorized_keys from the list of pub-keys
# (2) - also "compiles" the user-friendly GL conf file into something easier
#       to parse.  We're doing this because both the gl-auth-command and the
#       (gl-)update hook need this, and it seems easier to do this than
#       replicate the parsing code in both those places.  As a bonus, it's
#       probably more efficient.

# how run:      manual, by GL admin
# when:
#     - anytime a pubkey is added/deleted (i.e., contents of
#       ~/.gitosis-lite/keydir change)
#     - anytime gitosis-lite.conf is changed
# input:
#     - ~/.gitosis-lite/gitosis-lite.conf
#     - ~/.gitosis-lite/keydir
# output:
#     - ~/.ssh/authorized_keys
#     - ~/.ssh/gitosis-lite.conf-compiled.pm
# security:
#     - touches a very critical system file that manages the restrictions on
#       incoming users.  Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
#       below) on any change to this script
#     - no security checks within program.  The GL admin runs this manually

# warnings:
#     - if the "start" line exists, but the "end" line does not, you lose the
#       rest of the existing authkey file.  In general, "don't do that (TM)",
#       but we do have a "vim -d" popping up so you can see the changes being
#       made, just in case...

# other notes:
#     - keys are added/deleted from the keystore **manually**, and all keys
#       are named "name.pub".  Keep the names simple.

# command and options for authorized_keys
our $AUTH_COMMAND=$ENV{HOME} . "/.gitosis-lite/gl-auth-command";
our $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";

our %groups = ();
our %repos = ();

# quick subroutines
sub my_chdir
{
    chdir($_[0]) or die "chdir $_[0] failed: $!";
}

sub expand_userlist
{
    my @list = @_;
    my @new_list = ();

    for my $item (@list)
    {
        if ($item =~ /^@/)      # nested group
        {
            die "undefined group $item" unless $groups{$item};
            # add those names to the list
            push @new_list, @{ $groups{$item} };
        }
        else
        {
            push @new_list, $item;
        }
    }

    return @new_list;
}

# ----------------------------------------------------------------------------
#       "compile" ssh authorized_keys
# ----------------------------------------------------------------------------

open(INF, "<", $ENV{HOME} . "/.ssh/authorized_keys") or die "open old authkeys failed: $!";
open(OUT, ">", $ENV{HOME} . "/.ssh/new_authkeys")    or die "open new authkeys failed: $!";
# save existing authkeys minus the GL-added stuff
while (<INF>)
{
    print OUT unless (/^# gitosis-lite start/../^# gitosis-lite end/);
}

# add our "start" line, each key on its own line (prefixed by command and
# options, in the standard ssh authorized_keys format), then the "end" line.
print OUT "# gitosis-lite start\n";
my_chdir($ENV{HOME} . "/.gitosis-lite/keydir");
for my $pubkey (glob("*.pub"))
{
    my $user = $pubkey; $user =~ s/\.pub$//;
    print OUT "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";
    print OUT `cat $pubkey`;
}
print OUT "# gitosis-lite end\n";
close(OUT);

# check what changes are being made; just a comfort factor
# system("vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys");

# all done; overwrite the file (use cat to avoid perm changes)
system("cat ~/.ssh/new_authkeys > ~/.ssh/authorized_keys");
system("rm  ~/.ssh/new_authkeys");

# if the gl admin directory (~/.gitosis-lite) is itself a git repo, do an
# autocheckin.  nothing fancy; this is a "just in case" type of thing.
my_chdir($ENV{HOME} . "/.gitosis-lite");
if (-d ".git")
{
    system("git add -A keydir");        # stage all changes in keydir
    if (! system("git diff --cached --quiet") )
    # and if there are any
    {
        open(COMMIT, "|-", "git commit -F -")
            or die "pipe commit failed: $!";
        print COMMIT "keydir changed\n\n";
        print COMMIT `git diff --cached --name-status`;
        close(COMMIT) or die "close commit failed: $!";
    }
}

# ----------------------------------------------------------------------------
#       "compile" GL conf
# ----------------------------------------------------------------------------

open(INF, "<", $ENV{HOME} . "/.gitosis-lite/gitosis-lite.conf")
    or die "open GL conf failed: $!";
open(OUT, ">", $ENV{HOME} . "/.ssh/gitosis-lite.conf-compiled.pm")
    or die "open GL conf compiled failed: $!";

# the syntax is fairly simple, so we parse it inline

my @repos;
while (<INF>)
{
    # normalise whitespace; keeps later regexes very simple
    s/=/ = /;
    s/\s+/ /g;
    s/^ //;
    s/ $//;
    # kill comments
    s/#.*//;
    # and blank lines
    next unless /\S/;


    # user groups
    if (/^(@\S+) = (.*)/)
    {
        push @{ $groups{$1} }, expand_userlist( split(' ', $2) );
    }
    # repo(s)
    elsif (/^repo (.*)/)
    {
        @repos = split(' ', $1);
    }
    # actual permission line
    elsif (/^(R|RW|RW\+) (.* )?= (.+)/)
    {
        my @perms = split //, $1;
        my @refs = split ' ', $2 if $2;
        my @users = split ' ', $3;

        # if no ref is given, this PERM applies to all refs
        @refs = qw(refs/.*) unless @refs;
        # fully qualify refs that dont start with "refs/"; prefix them with
        # "refs/heads/"
        @refs = map { m(^refs/) or s(^)(refs/heads/) } @refs;

        # expand the user list, unless it is just "@all"
        @users = expand_userlist ( @users )
            unless (@users == 1 and $users[0] eq '@all');

        # ok, we can finally populate the %repos hash
        for my $repo (@repos)       # each repo in the current stanza
        {
            for my $perm (@perms)
            {
                for my $ref (@refs)
                {
                    for my $user (@users)
                    {
                        $repos{$repo}{$perm}{$ref}{$user} = 1;
                    }
                }
            }
        }
    }
}

print OUT Data::Dumper->Dump([\%repos], [qw(*repos)]);
close(OUT);
shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00			`#!/usr/bin/perl -w`

			`use strict;`
gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`use Data::Dumper;`
shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00
			`# === add-auth-keys ===`

			`# part of the gitosis-lite (GL) suite`

gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`# (1) - "compiles" ~/.ssh/authorized_keys from the list of pub-keys`
			`# (2) - also "compiles" the user-friendly GL conf file into something easier`
			`# to parse. We're doing this because both the gl-auth-command and the`
			`# (gl-)update hook need this, and it seems easier to do this than`
			`# replicate the parsing code in both those places. As a bonus, it's`
			`# probably more efficient.`

shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00			`# how run: manual, by GL admin`
gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`# when:`
			`# - anytime a pubkey is added/deleted (i.e., contents of`
			`# ~/.gitosis-lite/keydir change)`
			`# - anytime gitosis-lite.conf is changed`
			`# input:`
			`# - ~/.gitosis-lite/gitosis-lite.conf`
			`# - ~/.gitosis-lite/keydir`
			`# output:`
			`# - ~/.ssh/authorized_keys`
			`# - ~/.ssh/gitosis-lite.conf-compiled.pm`
shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00			`# security:`
			`# - touches a very critical system file that manages the restrictions on`
			`# incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see`
			`# below) on any change to this script`
			`# - no security checks within program. The GL admin runs this manually`

gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`# warnings:`
shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00			`# - if the "start" line exists, but the "end" line does not, you lose the`
			`# rest of the existing authkey file. In general, "don't do that (TM)",`
			`# but we do have a "vim -d" popping up so you can see the changes being`
			`# made, just in case...`

			`# other notes:`
			`# - keys are added/deleted from the keystore manually, and all keys`
gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`# are named "name.pub". Keep the names simple.`
shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00
			`# command and options for authorized_keys`
			`our $AUTH_COMMAND=$ENV{HOME} . "/.gitosis-lite/gl-auth-command";`
			`our $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";`

gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`our %groups = ();`
			`our %repos = ();`

shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00			`# quick subroutines`
			`sub my_chdir`
			`{`
			`chdir($_[0]) or die "chdir $_[0] failed: $!";`
			`}`

gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`sub expand_userlist`
			`{`
			`my @list = @_;`
			`my @new_list = ();`

			`for my $item (@list)`
			`{`
			`if ($item =~ /^@/) # nested group`
			`{`
			`die "undefined group $item" unless $groups{$item};`
			`# add those names to the list`
			`push @new_list, @{ $groups{$item} };`
			`}`
			`else`
			`{`
			`push @new_list, $item;`
			`}`
			`}`

			`return @new_list;`
			`}`

			`# ----------------------------------------------------------------------------`
			`# "compile" ssh authorized_keys`
			`# ----------------------------------------------------------------------------`

shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00			`open(INF, "<", $ENV{HOME} . "/.ssh/authorized_keys") or die "open old authkeys failed: $!";`
			`open(OUT, ">", $ENV{HOME} . "/.ssh/new_authkeys") or die "open new authkeys failed: $!";`
			`# save existing authkeys minus the GL-added stuff`
			`while (<INF>)`
			`{`
			`print OUT unless (/^# gitosis-lite start/../^# gitosis-lite end/);`
			`}`

			`# add our "start" line, each key on its own line (prefixed by command and`
			`# options, in the standard ssh authorized_keys format), then the "end" line.`
			`print OUT "# gitosis-lite start\n";`
			`my_chdir($ENV{HOME} . "/.gitosis-lite/keydir");`
			`for my $pubkey (glob("*.pub"))`
			`{`
			`my $user = $pubkey; $user =~ s/\.pub$//;`
			`print OUT "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";`
			print OUT `cat $pubkey`;
			`}`
			`print OUT "# gitosis-lite end\n";`
			`close(OUT);`

			`# check what changes are being made; just a comfort factor`
gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00			`# system("vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys");`
shell? perl? schizophrenia? fix it NOW dammit :) 2009-08-23 07:35:14 +02:00
			`# all done; overwrite the file (use cat to avoid perm changes)`
			`system("cat ~/.ssh/new_authkeys > ~/.ssh/authorized_keys");`
			`system("rm ~/.ssh/new_authkeys");`

			`# if the gl admin directory (~/.gitosis-lite) is itself a git repo, do an`
			`# autocheckin. nothing fancy; this is a "just in case" type of thing.`
			`my_chdir($ENV{HOME} . "/.gitosis-lite");`
			`if (-d ".git")`
			`{`
			`system("git add -A keydir"); # stage all changes in keydir`
			`if (! system("git diff --cached --quiet") )`
			`# and if there are any`
			`{`
			`open(COMMIT, "\|-", "git commit -F -")`
			`or die "pipe commit failed: $!";`
			`print COMMIT "keydir changed\n\n";`
			print COMMIT `git diff --cached --name-status`;
			`close(COMMIT) or die "close commit failed: $!";`
			`}`
			`}`
gl-compile-conf now has "compilation" of the conf file also 2009-08-23 10:16:45 +02:00
			`# ----------------------------------------------------------------------------`
			`# "compile" GL conf`
			`# ----------------------------------------------------------------------------`

			`open(INF, "<", $ENV{HOME} . "/.gitosis-lite/gitosis-lite.conf")`
			`or die "open GL conf failed: $!";`
			`open(OUT, ">", $ENV{HOME} . "/.ssh/gitosis-lite.conf-compiled.pm")`
			`or die "open GL conf compiled failed: $!";`

			`# the syntax is fairly simple, so we parse it inline`

			`my @repos;`
			`while (<INF>)`
			`{`
			`# normalise whitespace; keeps later regexes very simple`
			`s/=/ = /;`
			`s/\s+/ /g;`
			`s/^ //;`
			`s/ $//;`
			`# kill comments`
			`s/#.*//;`
			`# and blank lines`
			`next unless /\S/;`


			`# user groups`
			`if (/^(@\S+) = (.*)/)`
			`{`
			`push @{ $groups{$1} }, expand_userlist( split(' ', $2) );`
			`}`
			`# repo(s)`
			`elsif (/^repo (.*)/)`
			`{`
			`@repos = split(' ', $1);`
			`}`
			`# actual permission line`
			`elsif (/^(R\|RW\|RW\+) (.* )?= (.+)/)`
			`{`
			`my @perms = split //, $1;`
			`my @refs = split ' ', $2 if $2;`
			`my @users = split ' ', $3;`

			`# if no ref is given, this PERM applies to all refs`
			`@refs = qw(refs/.*) unless @refs;`
			`# fully qualify refs that dont start with "refs/"; prefix them with`
			`# "refs/heads/"`
			`@refs = map { m(^refs/) or s(^)(refs/heads/) } @refs;`

			`# expand the user list, unless it is just "@all"`
			`@users = expand_userlist ( @users )`
			`unless (@users == 1 and $users[0] eq '@all');`

			`# ok, we can finally populate the %repos hash`
			`for my $repo (@repos) # each repo in the current stanza`
			`{`
			`for my $perm (@perms)`
			`{`
			`for my $ref (@refs)`
			`{`
			`for my $user (@users)`
			`{`
			`$repos{$repo}{$perm}{$ref}{$user} = 1;`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`

			`print OUT Data::Dumper->Dump([\%repos], [qw(*repos)]);`
			`close(OUT);`