5143cc890f
...it now does the mirroring peer key setup, unlike the kludgy manual way in the old setup
107 lines
2.9 KiB
Perl
Executable file
107 lines
2.9 KiB
Perl
Executable file
#!/usr/bin/perl -w
|
|
|
|
# help/instructions are at the bottom, in the __DATA__ section
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use FindBin;
|
|
BEGIN { $ENV{GL_BINDIR} = $FindBin::Bin; }
|
|
|
|
use lib $ENV{GL_BINDIR};
|
|
use gitolite_rc;
|
|
use gitolite;
|
|
|
|
sub usage { print <DATA>; exit 1; }
|
|
usage() unless (@ARGV);
|
|
|
|
my $cmd = shift;
|
|
my $pub = shift;
|
|
|
|
if ($cmd eq 'add-shell-user' or $cmd eq 'add-mirroring-peer') {
|
|
# sanity checks
|
|
$pub or usage();
|
|
my $user = validate_pubkeyfile($pub);
|
|
|
|
# write the file out, with the new authkeys line added just *before* the
|
|
# gitolite section. But first, set the command that gets invoked
|
|
$cmd = ( $cmd eq 'add-shell-user' ? 'gl-auth-command -s' : 'gl-mirror-shell' );
|
|
ak_insert($cmd, $user, $pub);
|
|
|
|
exit 0;
|
|
}
|
|
|
|
die "could not understand command $cmd\n";
|
|
|
|
sub validate_pubkeyfile {
|
|
my $pub = shift;
|
|
|
|
-f $pub or die "$pub does not exist\n";
|
|
die "$pub contains more than one line\n" if wc_l($pub) > 1;
|
|
|
|
my $user = $pub;
|
|
$user =~ s(^.*/)(); # remove optional directory
|
|
die "file name must end in .pub\n" unless $user =~ /(.*)\.pub$/;
|
|
$user = $1;
|
|
|
|
return $user;
|
|
}
|
|
|
|
sub ak_insert {
|
|
my ($cmd, $user, $pub) = @_;
|
|
|
|
# must be kept consistent with what's in src/gl-compile-conf; on the plus
|
|
# side, it's not likely to change anytime soon!
|
|
my $AUTH_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding";
|
|
|
|
my $authline = "command=\"$ENV{GL_BINDIR}/$cmd $user\",$AUTH_OPTIONS " . slurp($pub);
|
|
|
|
my $authkeys = "$ENV{HOME}/.ssh/authorized_keys";
|
|
my $ak_lines = slurp($authkeys);
|
|
$ak_lines =~ s/^.*$cmd $user.*\n//m; # remove existing keyline, if present
|
|
$ak_lines =~ s/^# gitolite start/$authline# gitolite start/m;
|
|
my $akfh = wrap_open(">", $authkeys);
|
|
print $akfh $ak_lines;
|
|
close $akfh;
|
|
}
|
|
|
|
sub wc_l {
|
|
my $fh = wrap_open("<", shift);
|
|
my @l = <$fh>;
|
|
my $l = @l;
|
|
return $l;
|
|
}
|
|
|
|
__DATA__
|
|
|
|
gl-tool -- make some server side tasks easier
|
|
|
|
Usage:
|
|
gl-tool [sub-command [args]]
|
|
|
|
Security notes: this program does not do any sanitisation of input. You're
|
|
running it at the CLI on the server, so you already have the power to do
|
|
whatever you want anyway.
|
|
|
|
current sub-commands:
|
|
|
|
(1) REPLACE THE OLD $SHELL_USERS MECHANISM
|
|
|
|
gl-tool add-shell-user foo.pub
|
|
|
|
Adds the pubkey in foo.pub into the authkeys file with "-s" argument (shell
|
|
access) and user "foo". The line will be added *before* the "# gitolite
|
|
start" section, so that a gitolite-admin push will not affect it.
|
|
|
|
Although there is no "remove-shell-user" sub-command, you can do that quite
|
|
easily by editing ~/.ssh/authorized_keys and deleting the appropriate line.
|
|
|
|
(2) ADD A MIRRORING PEER KEY
|
|
|
|
gl-tool add-mirroring-peer git@server.company.com.pub
|
|
|
|
As above, but the given key will invoke 'gl-mirror-shell' instead of the
|
|
usual 'gl-auth-command'. This is meant to be a server-to-server key, allowing
|
|
(in this example), the gitolite server called 'git@server.company.com' to
|
|
access this server for mirroring operations.
|