compile: pubkey related linting added

- warn about files in keydir/ that don't end with ".pub"
  - warn about pubkey files for which the user is not mentioned in config
  - warn more sternly about the opposite (user in config, no pubkey!)

update hook: add reponame to message on deny
auth: minor typo
Sitaram Chamarty 2009-09-27 08:02:36 +05:30
parent 70d26d810b
commit c66e1ad732
3 changed files with 25 additions and 5 deletions


@ -51,7 +51,7 @@ my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere!
# ----------------------------------------------------------------------------
# SSH_ORIGINAL_COMMAND must exist. Since we also captured $user, we print
# that in the message so people saying "ssh git@server" can see which gitosis
# that in the message so people saying "ssh git@server" can see which gitolite
# user he is being recognised as
my $cmd = $ENV{SSH_ORIGINAL_COMMAND}
or die "no SSH_ORIGINAL_COMMAND? I'm not a shell, $user!\n";


@ -71,6 +71,7 @@ my $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._-]*$); # very simple patter
# groups can now represent user groups or repo groups
my %groups = ();
my %repos = ();
my %user_list = (); # only to catch lint; search for "lint" below
# set the umask before creating any files
umask($REPO_UMASK);
@ -172,6 +173,8 @@ while (<$conf_fh>)
{
for my $user (@users)
{
$user_list{$user}++; # only to catch lint, see later
# for 1st level check (see faq/tips doc)
$repos{$repo}{R}{$user} = 1 if $perms =~ /R/;
$repos{$repo}{W}{$user} = 1 if $perms =~ /W/;
@ -195,7 +198,7 @@ print $compiled_fh Data::Dumper->Dump([\%repos], [qw(*repos)]);
close $compiled_fh or die "$ATTN close compiled-conf failed: $!\n";
# ----------------------------------------------------------------------------
# any new repos created?
# any new repos to be created?
# ----------------------------------------------------------------------------
# modern gits allow cloning from an empty repo, so we just create it. Gitosis
@ -291,7 +294,7 @@ for my $repo (sort keys %repos) {
}
}
# has there been a change?
# has there been a change in the gitweb projects list?
if ($projlist_changed) {
print STDERR "updating gitweb project list $PROJECTS_LIST\n";
my $projlist_fh = wrap_open( ">", $PROJECTS_LIST);
@ -317,12 +320,29 @@ while (<$authkeys_fh>)
# options, in the standard ssh authorized_keys format), then the "end" line.
print $newkeys_fh "# gitolite start\n";
wrap_chdir($GL_KEYDIR);
for my $pubkey (glob("*.pub"))
for my $pubkey (glob("*"))
{
# lint check 1
unless ($pubkey =~ /\.pub$/)
{
print STDERR "WARNING: pubkey files should end with \".pub\", ignoring $pubkey\n";
next;
}
my $user = $pubkey; $user =~ s/(\@.+)?\.pub$//;
# lint check 2
print STDERR "WARNING: pubkey $pubkey exists but user $user not in config\n"
unless $user_list{$user};
$user_list{$user} = 'has pubkey';
print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";
print $newkeys_fh `cat $pubkey`;
}
# lint check 3; a little more severe than the first two I guess...
for my $user (sort keys %user_list)
{
next if $user eq '@all' or $user_list{$user} eq 'has pubkey';
print STDERR "$ATTN user $user in config, but has no pubkey!\n";
}
print $newkeys_fh "# gitolite end\n";
close $newkeys_fh or die "$ATTN close newkeys failed: $!\n";
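Review bot: The new lint checks validate the file extension but not the user name derived on the `my $user = $pubkey; $user =~ s/(\@.+)?\.pub$//;` line, which is then interpolated unquoted into the `command="$AUTH_COMMAND $user"` authorized_keys entry and, through `$pubkey`, handed to the shell by `` `cat $pubkey` ``. A key file whose name contains a double quote, a comma or a shell metacharacter therefore yields a malformed or misparsed authorized_keys line instead of a lint warning, even though `$USERNAME_PATT` (shown in the hunk header at line 71) already defines what a valid user name looks like. Adding `unless ($user =~ $USERNAME_PATT) { print STDERR "WARNING: pubkey $pubkey has an invalid user name, ignoring\n"; next; }` directly after the extraction would make the new checks cover this case. Replacing the backticks with a three-argument `open my $pk_fh, '<', $pubkey or die ...` and `print $newkeys_fh <$pk_fh>;` would additionally keep the file name, including any `@host` suffix the username check does not cover, out of the shell entirely. This is top-level script code; the statements before and after the hunk lie outside it.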


@ -81,4 +81,4 @@ for my $ar (@allowed_refs)
exit 0;
}
}
die "$perm $ref $ENV{GL_USER} DENIED by fallthru\n";
die "$perm $ref $ENV{GL_REPO} $ENV{GL_USER} DENIED by fallthru\n";