[aur-dev] [PATCH v2 2/2] Require TUs to explicitly request to overwrite a pkgbase

21 Jul 2017

AUR_PRIVILEGED allows people with privileged AUR accounts to evade the
block on non-fast-forward commits. While valid in this case, we should
not do so by default, since in at least one case a TU did this without
realizing there was an existing package.
( https://aur.archlinux.org/packages/rtmidi/ )

Switch to using allow_overwrite to check for destructive actions.
Use .ssh/config "SendEnv" on the TU's side and and sshd_config
"AcceptEnv" in the AUR server to specifically request overwrite access.
TUs should use: `export AUR_OVERWRITE=1; git push`

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---

v2: only require confirmation for force-pushing history.

If you want to restrict who can use this feature, it should be as simple
as adding a new account_type and modifying the env_vars passthrough,
which can be implemented separately.

 INSTALL              | 1 +
 aurweb/git/auth.py   | 1 +
 aurweb/git/update.py | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/INSTALL b/INSTALL
index 8c9c4dd..369e1e3 100644
--- a/INSTALL
+++ b/INSTALL
@@ -76,6 +76,7 @@ read the instructions below.
         PasswordAuthentication no
         AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k"
         AuthorizedKeysCommandUser aur
+        AcceptEnv AUR_OVERWRITE
 
 9) If you want to enable smart HTTP support with nginx and fcgiwrap, you can
    use the following directives:
diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py
index 022b0ff..fe018cb 100755
--- a/aurweb/git/auth.py
+++ b/aurweb/git/auth.py
@@ -52,6 +52,7 @@ def main():
     env_vars = {
         'AUR_USER': user,
         'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
+        'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0',
     }
     key = keytype + ' ' + keytext
 
diff --git a/aurweb/git/update.py b/aurweb/git/update.py
index 3b9ff97..5419338 100755
--- a/aurweb/git/update.py
+++ b/aurweb/git/update.py
@@ -238,6 +238,7 @@ def main():
     user = os.environ.get("AUR_USER")
     pkgbase = os.environ.get("AUR_PKGBASE")
     privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1')
+    allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1')
     warn_or_die = warn if privileged else die
 
     if len(sys.argv) == 2 and sys.argv[1] == "restore":
@@ -262,7 +263,7 @@ def main():
         walker = repo.walk(sha1_old, pygit2.GIT_SORT_TOPOLOGICAL)
         walker.hide(sha1_new)
         if next(walker, None) is not None:
-            if privileged:
+            if allow_overwrite:
                 warn("non-fast-forward push (are you absolutely sure you mean this?)")
             else:
                 die("denying non-fast-forward (you should pull first)")
-- 
2.13.3

    