(password access) can now do ADCs also

idea credit Jeff (though I'm sure he didn't ask this on behalf of the
KDE folks ;-)
This commit is contained in:
Sitaram Chamarty 2011-09-15 21:23:51 +05:30
parent 32417b5b39
commit 7b8866dbf6
3 changed files with 67 additions and 31 deletions

View file

@ -2,6 +2,25 @@
. $(dirname $0)/adc.common-functions . $(dirname $0)/adc.common-functions
# the help adc now takes some options; we need to process them first
[ "$1" = "-list" ] && {
# the GL_ADC_PATH directory has files other than ADCs also, notably the
# include file for shell ADCs, and maybe a README or two. Those should be
# chmod -x.
# if you want to temporarily hide any ADC from being listed, do the same
# thing: chmod -x
cd $($GL_BINDIR/gl-query-rc GL_ADC_PATH)
for i in *
do
[ -x $i ] && echo $i
done
exit 0
}
# the local site can have a file called gl-adc-help.txt, which will be used as # the local site can have a file called gl-adc-help.txt, which will be used as
# the *entire* help text for this site... # the *entire* help text for this site...

View file

@ -7,40 +7,64 @@ use warnings;
# site-local changes # site-local changes
# the original login shell your users had. Set this to something like # the original login shell your users had (or) the shell to forward
# "/sbin/nologin" or "/bin/false" if you don't want them to have a normal # non-gitolite commands to
# shell (i.e., you created these accounts *only* to provide a password
# authentication passthru to gitolite)
my $shell = "/bin/bash"; my $shell = "/bin/bash";
# suggested values if you really don't want them actually logging in:
# /sbin/nologin - obvious
# /usr/bin/passwd - same, but allows them to change their passwords
# the gitolite hosting user you want to forward git commands to. Typically # the gitolite hosting user you want to forward git commands to. Typically
# this will be 'git' or perhaps 'gitolite', but actually could be anything # this will be 'git' or perhaps 'gitolite', but actually could be anything
my $hosting_user = "gitolite-test"; my $hosting_user = "gitolite-test";
# ADCs...
# either list all the ADCs you wish to allow forwarding to (SPACE-separated):
my $ADC_list = "";
# -- OR --
# if you upgraded to the new 'help' adc with the '-list' option, set this to 1:
my $detect_ADCs = 0;
# if you do neither, ADCs are not forwarded
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# process normal logins (the ones that *don't* get forwarded to the gitolite # no arguments? nothing to forward
# hosting user)
# this is a normal login, not to be forwarded to the gitolite hosting user, if:
# - there are no arguments
exec($shell) unless @ARGV; exec($shell) unless @ARGV;
# - the first argument is not "-c"
exec($shell, @ARGV) unless $ARGV[0] eq '-c'; # forward normal git ops
# - the second argument does not fit what git usually sends forward(@ARGV) if
exec($shell, @ARGV) unless $ARGV[1] =~ /^(git-receive-pack|git-upload-pack|git-upload-archive) '(\S+)'$/; $ARGV[0] eq '-c' and
# - there *is* a local directory with the same name as the second part of argument #2 $ARGV[1] =~ /^(git-receive-pack|git-upload-pack|git-upload-archive) '(\S+)'$/ and
exec($shell, @ARGV) if -d $2; ( not -d "$2" );
# forward gitolite special commands
forward(@ARGV) if $ARGV[0] eq '-c' and $ARGV[1] =~ /^(info|expand|((set|get)(perms|desc)))( |$)/;
# forward ADCs
if ($ADC_list or $detect_ADCs) {
$ADC_list ||= `ssh $hosting_user\@localhost help -list`;
$ADC_list =~ s/\s+/ /g;
# find the command he's running
my $cmd = $1 if $ARGV[1] =~ /^(\S+)/;
# forward if the command appears somewhere in the ADC list
forward(@ARGV) if $ARGV[0] eq '-c' and $cmd and $ADC_list =~ /(^| )$cmd( |$)/;
}
# at this point it's back to local processing
exec($shell, @ARGV);
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# if all that failed, it means we have to forward this to the hosting user # forward to the hosting user
sub forward {
# this message is important in debugging and trouble shooting; see
# documentation
print STDERR "[forwarding to $hosting_user\@localhost]\n";
# this message is important in debugging and trouble shooting; see documentation # but first we check for rsa key
print STDERR "[forwarding to $hosting_user\@localhost]\n"; -f ".ssh/id_rsa" or die "ask your admin to add you to gitolite";
# but first we check for rsa key shift if $_[0] eq '-c';
-f ".ssh/id_rsa" or die "ask your admin to add you to gitolite"; exec("ssh", "$hosting_user\@localhost", @_);
}
shift; # that pesky '-c'...
exec("ssh", "$hosting_user\@localhost", @ARGV);

View file

@ -81,13 +81,6 @@ these pesky ssh keys.
normal users also. In fact, you can have users who give you a pub key normal users also. In fact, you can have users who give you a pub key
from their workstation the normal way, as well as use this method. from their workstation the normal way, as well as use this method.
* Special commands and ADCs will NOT work from the workstation for such
users; they have to log on to their own userid on the server and run the
appropriate command (such as `ssh git@localhost info`) from there. <font
color="gray">We could have handled the known special commands (info,
expand, setperms, etc.), but considering that an ADC could be called
*anything*, a general solution is impossible.</font>
<a name="_what_the_2_scripts_actually_do"></a> <a name="_what_the_2_scripts_actually_do"></a>
### what the 2 scripts actually do ### what the 2 scripts actually do
@ -125,7 +118,7 @@ Here's how to set this up. First, the **one-time** tasks:
`/usr/local/bin`. `/usr/local/bin`.
* As root, customise the program `/usr/local/bin/gl-shell`. You will need * As root, customise the program `/usr/local/bin/gl-shell`. You will need
to change only 2 variables at the top in a section clearly marked as to change some variables at the top in a section clearly marked
'site-local changes'. 'site-local changes'.
* As root, copy `contrib/real-users/gl-shell-setup` to some place on root's * As root, copy `contrib/real-users/gl-shell-setup` to some place on root's