Merge branch 'jnareb-review'
This commit is contained in:
commit
d1664e826f
3 changed files with 46 additions and 42 deletions
|
@ -43,9 +43,9 @@ die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED);
|
||||||
# definitions specific to this program
|
# definitions specific to this program
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
|
||||||
our $R_COMMANDS=qr/git[ -]upload-pack/;
|
my $R_COMMANDS=qr/^git[ -]upload-pack$/;
|
||||||
our $W_COMMANDS=qr/git[ -]receive-pack/;
|
my $W_COMMANDS=qr/^git[ -]receive-pack$/;
|
||||||
our $REPONAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._/-]*$); # very simple pattern
|
my $REPONAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._/-]*$); # very simple pattern
|
||||||
|
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
# start...
|
# start...
|
||||||
|
@ -87,8 +87,9 @@ die "I don't like the look of $repo, sorry!"
|
||||||
# first level permissions check
|
# first level permissions check
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
|
||||||
# now, knowing the user and repo (which is repo path), we try perms
|
# we know the user and repo; we just need to know what perm he's trying
|
||||||
my $perm = 'W'; $perm = 'R' if $verb =~ $R_COMMANDS;
|
my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');
|
||||||
|
|
||||||
die "access denied" unless $repos{$repo}{$perm}{$user};
|
die "access denied" unless $repos{$repo}{$perm}{$user};
|
||||||
|
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
@ -98,9 +99,12 @@ die "access denied" unless $repos{$repo}{$perm}{$user};
|
||||||
# ( but first save the reponame; we can save some time later in the hook )
|
# ( but first save the reponame; we can save some time later in the hook )
|
||||||
$ENV{GL_REPO}=$repo;
|
$ENV{GL_REPO}=$repo;
|
||||||
|
|
||||||
open(LOG, ">>", "$GL_ADMINDIR/log");
|
# if log failure isn't important enough to block access, get rid of all the
|
||||||
print LOG "\n", scalar(localtime), " $ENV{SSH_ORIGINAL_COMMAND} $user\n";
|
# error checking
|
||||||
close(LOG);
|
open my $log_fh, ">>", "$GL_ADMINDIR/log"
|
||||||
|
or die "open log failed: $!";
|
||||||
|
print $log_fh "\n", scalar(localtime), " $ENV{SSH_ORIGINAL_COMMAND} $user\n";
|
||||||
|
close $log_fh or die "close log failed: $!";
|
||||||
|
|
||||||
$repo = "'$REPO_BASE/$repo.git'";
|
$repo = "'$REPO_BASE/$repo.git'";
|
||||||
exec("git", "shell", "-c", "$verb $repo");
|
exec("git", "shell", "-c", "$verb $repo");
|
||||||
|
|
|
@ -59,12 +59,12 @@ unless (my $ret = do $glrc)
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
|
||||||
# command and options for authorized_keys
|
# command and options for authorized_keys
|
||||||
our $AUTH_COMMAND="$GL_ADMINDIR/gl-auth-command";
|
my $AUTH_COMMAND="$GL_ADMINDIR/gl-auth-command";
|
||||||
our $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
|
my $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
|
||||||
our $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._-]*$); # very simple pattern
|
my $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._-]*$); # very simple pattern
|
||||||
|
|
||||||
our %groups = ();
|
my %groups = ();
|
||||||
our %repos = ();
|
my %repos = ();
|
||||||
|
|
||||||
# set a restrictive umask, just in case
|
# set a restrictive umask, just in case
|
||||||
umask(0077);
|
umask(0077);
|
||||||
|
@ -105,13 +105,13 @@ sub expand_userlist
|
||||||
# "compile" GL conf
|
# "compile" GL conf
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
|
||||||
open(INF, "<", $GL_CONF)
|
open my $conf_fh, "<", $GL_CONF
|
||||||
or die "open GL conf failed: $!";
|
or die "open conf failed: $!";
|
||||||
|
|
||||||
# the syntax is fairly simple, so we parse it inline
|
# the syntax is fairly simple, so we parse it inline
|
||||||
|
|
||||||
my @repos;
|
my @repos;
|
||||||
while (<INF>)
|
while (<$conf_fh>)
|
||||||
{
|
{
|
||||||
# normalise whitespace; keeps later regexes very simple
|
# normalise whitespace; keeps later regexes very simple
|
||||||
s/=/ = /;
|
s/=/ = /;
|
||||||
|
@ -170,10 +170,10 @@ while (<INF>)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
open(OUT, ">", $GL_CONF_COMPILED)
|
open my $compiled_fh, ">", $GL_CONF_COMPILED
|
||||||
or die "open GL conf compiled failed: $!";
|
or die "open compiled-conf failed: $!";
|
||||||
print OUT Data::Dumper->Dump([\%repos], [qw(*repos)]);
|
print $compiled_fh Data::Dumper->Dump([\%repos], [qw(*repos)]);
|
||||||
close(OUT);
|
close $compiled_fh or die "close compiled-conf failed: $!";
|
||||||
|
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
# any new repos created?
|
# any new repos created?
|
||||||
|
@ -201,26 +201,28 @@ for my $repo (keys %repos)
|
||||||
# "compile" ssh authorized_keys
|
# "compile" ssh authorized_keys
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
|
||||||
open(INF, "<", $ENV{HOME} . "/.ssh/authorized_keys") or die "open old authkeys failed: $!";
|
open my $authkeys_fh, "<", $ENV{HOME} . "/.ssh/authorized_keys"
|
||||||
open(OUT, ">", $ENV{HOME} . "/.ssh/new_authkeys") or die "open new authkeys failed: $!";
|
or die "open authkeys failed: $!";
|
||||||
|
open my $newkeys_fh, ">", $ENV{HOME} . "/.ssh/new_authkeys"
|
||||||
|
or die "open newkeys failed: $!";
|
||||||
# save existing authkeys minus the GL-added stuff
|
# save existing authkeys minus the GL-added stuff
|
||||||
while (<INF>)
|
while (<$authkeys_fh>)
|
||||||
{
|
{
|
||||||
print OUT unless (/^# gitosis-lite start/../^# gitosis-lite end/);
|
print $newkeys_fh unless (/^# gitosis-lite start/../^# gitosis-lite end/);
|
||||||
}
|
}
|
||||||
|
|
||||||
# add our "start" line, each key on its own line (prefixed by command and
|
# add our "start" line, each key on its own line (prefixed by command and
|
||||||
# options, in the standard ssh authorized_keys format), then the "end" line.
|
# options, in the standard ssh authorized_keys format), then the "end" line.
|
||||||
print OUT "# gitosis-lite start\n";
|
print $newkeys_fh "# gitosis-lite start\n";
|
||||||
my_chdir($GL_KEYDIR);
|
my_chdir($GL_KEYDIR);
|
||||||
for my $pubkey (glob("*.pub"))
|
for my $pubkey (glob("*.pub"))
|
||||||
{
|
{
|
||||||
my $user = $pubkey; $user =~ s/\.pub$//;
|
my $user = $pubkey; $user =~ s/\.pub$//;
|
||||||
print OUT "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";
|
print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS ";
|
||||||
print OUT `cat $pubkey`;
|
print $newkeys_fh `cat $pubkey`;
|
||||||
}
|
}
|
||||||
print OUT "# gitosis-lite end\n";
|
print $newkeys_fh "# gitosis-lite end\n";
|
||||||
close(OUT);
|
close $newkeys_fh or die "close newkeys failed: $!";
|
||||||
|
|
||||||
# check what changes are being made; just a comfort factor
|
# check what changes are being made; just a comfort factor
|
||||||
# system("vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys");
|
# system("vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys");
|
||||||
|
@ -238,10 +240,10 @@ if (-d ".git")
|
||||||
# and if there are any
|
# and if there are any
|
||||||
if (system("git diff --cached --quiet") )
|
if (system("git diff --cached --quiet") )
|
||||||
{
|
{
|
||||||
open(COMMIT, "|-", "git commit -F -")
|
open my $commit_ph, "|-", "git commit -F -"
|
||||||
or die "pipe commit failed: $!";
|
or die "open commit failed: $!";
|
||||||
print COMMIT "keydir changed\n\n";
|
print $commit_ph "keydir changed\n\n";
|
||||||
print COMMIT `git diff --cached --name-status`;
|
print $commit_ph `git diff --cached --name-status`;
|
||||||
close(COMMIT) or die "close commit failed: $!";
|
close $commit_ph or die "close commit failed: $!";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -41,12 +41,6 @@ unless (my $ret = do $glrc)
|
||||||
|
|
||||||
die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED);
|
die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED);
|
||||||
|
|
||||||
# ----------------------------------------------------------------------------
|
|
||||||
# definitions specific to this program
|
|
||||||
# ----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
open(LOG, ">>", "$GL_ADMINDIR/log");
|
|
||||||
|
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
# start...
|
# start...
|
||||||
# ----------------------------------------------------------------------------
|
# ----------------------------------------------------------------------------
|
||||||
|
@ -78,8 +72,12 @@ for my $refex (@$allowed_refs)
|
||||||
{
|
{
|
||||||
if ($ref =~ /$refex/)
|
if ($ref =~ /$refex/)
|
||||||
{
|
{
|
||||||
print LOG "$perm: $ENV{GL_USER} $ENV{GL_REPO} $ref $oldsha $newsha\n";
|
# if log failure isn't important enough to block pushes, get rid of
|
||||||
close (LOG);
|
# all the error checking
|
||||||
|
open my $log_fh, ">>", "$GL_ADMINDIR/log"
|
||||||
|
or die "open log failed: $!";
|
||||||
|
print $log_fh "$perm: $ENV{GL_USER} $ENV{GL_REPO} $ref $oldsha $newsha\n";
|
||||||
|
close $log_fh or die "close log failed: $!";
|
||||||
exit 0;
|
exit 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Add table
Reference in a new issue