(new mirroring) enhance gl-tool

...it now does the mirroring peer key setup, unlike the kludgy manual way in the old setup
Sitaram Chamarty 2011-08-12 22:10:12 +05:30
parent 68b45e1616
commit 5143cc890f


@ -1,75 +1,106 @@
#!/bin/sh #!/usr/bin/perl -w
# BEGIN USAGE # help/instructions are at the bottom, in the __DATA__ section
# $0 -- make some server side tasks easier use strict;
use warnings;
# Usage: use FindBin;
# $0 [sub-command [args]] BEGIN { $ENV{GL_BINDIR} = $FindBin::Bin; }
# Security notes: this program does not do any sanitisation of input. You're use lib $ENV{GL_BINDIR};
# running it at the CLI on the server, so you already have the power to do use gitolite_rc;
# whatever you want anyway. use gitolite;
# current sub-commands: sub usage { print <DATA>; exit 1; }
usage() unless (@ARGV);
# (1) REPLACE THE OLD $SHELL_USERS MECHANISM my $cmd = shift;
# my $pub = shift;
# $0 shell-add foo.pub
#
# adds the pubkey in foo.pub into the authkeys file with "-s" argument (shell
# access) and user "foo". The line will be added *before* the "# gitolite
# start" section, so that a gitolite-admin push will not affect it.
# Although there is no "shell-remove" sub-command, you can do that quite if ($cmd eq 'add-shell-user' or $cmd eq 'add-mirroring-peer') {
# easily by editing ~/.ssh/authorized_keys and deleting the appropriate line.
# END USAGE
die() { echo "$@"; exit 1; } >&2
if [ -z "$1" ]
then
perl -ne 's/\$0/$ARGV/ge; print if /BEGIN USAGE/../END USAGE/' $0 | grep -v USAGE | cut -c3-
exit 1
fi
if [ "$1" = "shell-add" ]
then
# sanity checks # sanity checks
[ -z "$2" ] && exec $0 $pub or usage();
[ -f "$2" ] || die "$2 does not exist" my $user = validate_pubkeyfile($pub);
wc -l < $2 | grep '^1$' >/dev/null || die "$2 contains more than one line"
# write the file out, with the new authkeys line added just *before* the
# gitolite section. But first, set the command that gets invoked
$cmd = ( $cmd eq 'add-shell-user' ? 'gl-auth-command -s' : 'gl-mirror-shell' );
ak_insert($cmd, $user, $pub);
exit 0;
}
die "could not understand command $cmd\n";
sub validate_pubkeyfile {
my $pub = shift;
-f $pub or die "$pub does not exist\n";
die "$pub contains more than one line\n" if wc_l($pub) > 1;
my $user = $pub;
$user =~ s(^.*/)(); # remove optional directory
die "file name must end in .pub\n" unless $user =~ /(.*)\.pub$/;
$user = $1;
return $user;
}
sub ak_insert {
my ($cmd, $user, $pub) = @_;
# must be kept consistent with what's in src/gl-compile-conf; on the plus # must be kept consistent with what's in src/gl-compile-conf; on the plus
# side, it's not likely to change anytime soon! # side, it's not likely to change anytime soon!
AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding" my $AUTH_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding";
GL_BINDIR=`${0%/*}/gl-query-rc GL_BINDIR` my $authline = "command=\"$ENV{GL_BINDIR}/$cmd $user\",$AUTH_OPTIONS " . slurp($pub);
pubkey_file=$2 my $authkeys = "$ENV{HOME}/.ssh/authorized_keys";
user=`basename $pubkey_file .pub` my $ak_lines = slurp($authkeys);
$ak_lines =~ s/^.*$cmd $user.*\n//m; # remove existing keyline, if present
$ak_lines =~ s/^# gitolite start/$authline# gitolite start/m;
my $akfh = wrap_open(">", $authkeys);
print $akfh $ak_lines;
close $akfh;
}
authline="command=\"$GL_BINDIR/gl-auth-command -s $user\",$AUTH_OPTIONS `cat $pubkey_file`"; sub wc_l {
my $fh = wrap_open("<", shift);
my @l = <$fh>;
my $l = @l;
return $l;
}
authkeys=$HOME/.ssh/authorized_keys __DATA__
for i in 1 gl-tool -- make some server side tasks easier
do
perl -lne "last if /# gitolite start/; print unless /gl-auth-command -s $user/; " $authkeys
echo $authline
perl -lne "print if /# gitolite start/ .. 0; " $authkeys
done > $authkeys.new
diff -u $authkeys $authkeys.new && die no change to authkey file Usage:
echo gl-tool [sub-command [args]]
echo If the above diff looks ok, press enter. Else press Ctrl-C.
read dummy
cat $authkeys > $authkeys.old
cat $authkeys.new > $authkeys
exit 0 Security notes: this program does not do any sanitisation of input. You're
fi running it at the CLI on the server, so you already have the power to do
whatever you want anyway.
die "could not understand command $1" current sub-commands:
(1) REPLACE THE OLD $SHELL_USERS MECHANISM
gl-tool add-shell-user foo.pub
Adds the pubkey in foo.pub into the authkeys file with "-s" argument (shell
access) and user "foo". The line will be added *before* the "# gitolite
start" section, so that a gitolite-admin push will not affect it.
Although there is no "remove-shell-user" sub-command, you can do that quite
easily by editing ~/.ssh/authorized_keys and deleting the appropriate line.
(2) ADD A MIRRORING PEER KEY
gl-tool add-mirroring-peer git@server.company.com.pub
As above, but the given key will invoke 'gl-mirror-shell' instead of the
usual 'gl-auth-command'. This is meant to be a server-to-server key, allowing
(in this example), the gitolite server called 'git@server.company.com' to
access this server for mirroring operations.
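Review bot: In ak_insert the key-removal substitution `$ak_lines =~ s/^.*$cmd $user.*\n//m;` interpolates $cmd and $user into the regex unquoted, so the user name is treated as a pattern and as a prefix: adding `foo` would also drop an existing `foobar` line, and the `.` in a name like `git@server.company.com` (the usage's own example) matches any character. Quoting the interpolated text and closing the match on the `"` that follows the user in the authline makes it exact, assuming the lines gl-compile-conf writes use the same `command="..."` form the comment says they do: `$ak_lines =~ s/^.*\Q$cmd $user\E".*\n//m;`. The second substitution is silent when the file has no `# gitolite start` marker, so the key is never added but the command still exits 0; `die "no '# gitolite start' marker in $authkeys\n" unless $ak_lines =~ s/^# gitolite start/$authline# gitolite start/m;` would surface that. Finally, authorized_keys is rewritten in place through a truncating open and `close $akfh` is unchecked, so a failed or partial write can leave the file empty and lock ssh access out of the server; writing to `$authkeys.new` and renaming it over the original, with `close $akfh or die "close $authkeys: $!\n";`, keeps the old file intact until the new one is complete, which the replaced shell version's `.old`/`.new` handling did.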