#!/usr/bin/perl

use strict;
use warnings;

# === auth-command ===
# the command that GL users actually run

# part of the gitolite (GL) suite

# how run:      via sshd, being listed in "command=" in ssh authkeys
# when:         every login by a GL user
# input:        $1 is GL username, plus $SSH_ORIGINAL_COMMAND
# output:
# security:
#     - currently, we just make some basic checks, copied from gitosis

# robustness:

# other notes:

# ----------------------------------------------------------------------------
#       common definitions
# ----------------------------------------------------------------------------

# these are set by the "rc" file
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS);
# and these are set by gitolite.pm
our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT);
our %repos;

# the common setup module is in the same directory as this running program is
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
require "$bindir/gitolite.pm";

# ask where the rc file is, get it, and "do" it
&where_is_rc();
die "parse $ENV{GL_RC} failed: "       . ($! or $@) unless do $ENV{GL_RC};

# we need to pass GL_ADMINDIR and the bindir to the child hooks
$ENV{GL_ADMINDIR} = $GL_ADMINDIR;
$ENV{GL_BINDIR} = $bindir;

# add a custom path for git binaries, if specified
$ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;

# set the umask before creating any files
umask($REPO_UMASK);

my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );

# ----------------------------------------------------------------------------
#       start...
# ----------------------------------------------------------------------------

# if the first argument is a "-s", this user is allowed to get a shell using
# this key
my $shell_allowed = 0;
if ($ARGV[0] eq '-s') {
    $shell_allowed = 1;
    shift;
}

# first, fix the biggest gripe I have with gitosis, a 1-line change
my $user=$ENV{GL_USER}=shift;       # there; now that's available everywhere!

# ----------------------------------------------------------------------------
#       logging, timestamp env vars
# ----------------------------------------------------------------------------

# timestamp
my ($s, $min, $h, $d, $m, $y) = (localtime)[0..5];
$y += 1900; $m++;               # usual adjustments
for ($s, $min, $h, $d, $m) {
    $_ = "0$_" if $_ < 10;
}
$ENV{GL_TS} = "$y-$m-$d.$h:$min:$s";

# substitute template parameters and set the logfile name
$GL_LOGT =~ s/%y/$y/g;
$GL_LOGT =~ s/%m/$m/g;
$GL_LOGT =~ s/%d/$d/g;
$ENV{GL_LOG} = $GL_LOGT;

# ----------------------------------------------------------------------------
#       sanity checks on SSH_ORIGINAL_COMMAND
# ----------------------------------------------------------------------------

# no SSH_ORIGINAL_COMMAND given...
unless ($ENV{SSH_ORIGINAL_COMMAND}) {
    # if the user is allowed to use a shell, give him one
    if ($shell_allowed) {
        my $shell = $ENV{SHELL};
        $shell =~ s/.*\//-/;    # change "/bin/bash" to "-bash"
        exec { $ENV{SHELL} } $shell;
    }
    # otherwise, pretend he typed in "info" and carry on...
    $ENV{SSH_ORIGINAL_COMMAND} = 'info';
}

# ----------------------------------------------------------------------------
#       get and set perms for actual repo created by wildcard-autoviv
# ----------------------------------------------------------------------------

my $CUSTOM_COMMANDS=qr/^\s*(expand|(get|set)(perms|desc))\b/;

# note that all the subs called here chdir somewhere else and do not come
# back; they all blithely take advantage of the fact that processing custom
# commands is sort of a dead end for normal (git) processing

if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
    die "wildrepos disabled, sorry\n" unless $GL_WILDREPOS;
    my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
    my ($verb, $repo) = ($cmd =~ /^\s*(\S+)(?:\s+'?\/?(.*?)(?:\.git)?'?)?$/);
    # deal with "no argument" cases
    $verb eq 'expand' ? $repo = '^' : die "$verb needs an argument\n" unless $repo;
    if ($repo =~ $REPONAME_PATT and $verb =~ /getperms|setperms/) {
        # with an actual reponame, you can "getperms" or "setperms"
        get_set_perms($repo_base_abs, $repo, $verb, $user);
    }
    elsif ($repo =~ $REPONAME_PATT and $verb =~ /(get|set)desc/) {
        # with an actual reponame, you can "getdesc" or "setdesc"
        get_set_desc($repo_base_abs, $repo, $verb, $user);
    }
    elsif ($verb eq 'expand') {
        # with a wildcard, you can "expand" it to see what repos actually match
        die "$repo has invalid characters" unless "x$repo" =~ $REPOPATT_PATT;
        expand_wild($GL_CONF_COMPILED, $repo_base_abs, $repo, $user);
    } else {
        die "$cmd doesn't make sense to me\n";
    }
    exit 0;
}

# ----------------------------------------------------------------------------
#       non-git commands
# ----------------------------------------------------------------------------

# if the command does NOT fit the pattern of a normal git command, send it off
# somewhere else...

# side notes on detecting a normal git command: the pattern we check allows
# old style as well as new style ("git-subcommand arg" or "git subcommand
# arg"), just like gitosis does, although I'm not sure how necessary that is.
# Currently, this is how git sends across the command (including the single
# quotes):
#       git-receive-pack 'reponame.git'

my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
    # ok, it's not a normal git command; call the special command helper
    &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE);
    exit;
}
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./;

# reponame
$ENV{GL_REPO}=$repo;

# ----------------------------------------------------------------------------
#       the real git commands (git-receive-pack, etc...)
# ----------------------------------------------------------------------------

# ----------------------------------------------------------------------------
#       first level permissions check
# ----------------------------------------------------------------------------

if ( -d "$repo_base_abs/$repo.git" ) {
    # existing repo
    my ($creater, $user_R, $user_W) = &repo_rights($repo_base_abs, $repo, $user);
    &parse_acl($GL_CONF_COMPILED, $repo, $creater, $user_R, $user_W);
} else {
    &parse_acl($GL_CONF_COMPILED, $repo, $user, $user, $user);

    # auto-vivify new repo if you have C access (and wildrepos is on)
    if ( $GL_WILDREPOS and $repos{$repo}{C}{$user} || $repos{$repo}{C}{'@all'} ) {
        wrap_chdir("$repo_base_abs");
        new_repo($repo, "$GL_ADMINDIR/hooks/common", $user);
        wrap_chdir($ENV{HOME});
    }
}

# we know the user and repo; we just need to know what perm he's trying
my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');

die "$perm access for $repo DENIED to $user\n"
    unless $repos{$repo}{$perm}{$user}
        or $repos{'@all'}{$perm}{$user}     # new: access to @all repos
        or $repos{$repo}{$perm}{'@all'};

# ----------------------------------------------------------------------------
#       over to git now
# ----------------------------------------------------------------------------

&log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n");

$repo = "'$REPO_BASE/$repo.git'";
exec("git", "shell", "-c", "$verb $repo");