This adds two scripts to be used together with Git over SSH: * git-auth.py is supposed to be used as AuthorizedKeysCommand. It checks whether the public key belongs to any AUR user and invokes git-serve.py, passing the name of the corresponding user as a command line argument, if any. * git-serve.py is a wrapper around git-shell(1) that checks whether the user passed as command line argument has access to the Git repository that a push operation writes to. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- conf/config.proto | 11 ++++ scripts/git-integration/git-auth.py | 41 ++++++++++++++ scripts/git-integration/git-serve.py | 104 +++++++++++++++++++++++++++++++++++ 3 files changed, 156 insertions(+) create mode 100755 scripts/git-integration/git-auth.py create mode 100755 scripts/git-integration/git-serve.py diff --git a/conf/config.proto b/conf/config.proto index f00b352..13cafe0 100644 --- a/conf/config.proto +++ b/conf/config.proto @@ -26,3 +26,14 @@ max_rpc_results = 5000 aur_request_ml = aur-requests@archlinux.org request_idle_time = 1209600 auto_orphan_age = 15552000 + +[auth] +key-prefixes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 +username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$ +git-serve-cmd = /srv/http/aur/scripts/git-integration/git-serve.py +ssh-options = no-port-forwarding,no-X11-forwarding,no-pty + +[serve] +repo-base = /pub/git/ +repo-regex = [a-z0-9][a-z0-9.+_-]*$ +git-shell-cmd = /usr/bin/git-shell diff --git a/scripts/git-integration/git-auth.py b/scripts/git-integration/git-auth.py new file mode 100755 index 0000000..8701d5e --- /dev/null +++ b/scripts/git-integration/git-auth.py @@ -0,0 +1,41 @@ +#!/usr/bin/python3 + +import configparser +import mysql.connector +import os +import re + +config = configparser.RawConfigParser() +config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config") + +aur_db_host = config.get('database', 'host') +aur_db_name = config.get('database', 'name') +aur_db_user = config.get('database', 'user') +aur_db_pass = config.get('database', 'password') + +key_prefixes = config.get('auth', 'key-prefixes').split() +username_regex = config.get('auth', 'username-regex') +git_serve_cmd = config.get('auth', 'git-serve-cmd') +ssh_opts = config.get('auth', 'ssh-options') + +pubkey = os.environ.get("SSH_KEY") +valid_prefixes = tuple(p + " " for p in key_prefixes) +if pubkey is None or not pubkey.startswith(valid_prefixes): + exit(1) + +db = mysql.connector.connect(host=aur_db_host, user=aur_db_user, + passwd=aur_db_pass, db=aur_db_name, + buffered=True) + +cur = db.cursor() +cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " + + "AND Suspended = 0", (pubkey,)) + +if cur.rowcount != 1: + exit(1) + +user = cur.fetchone()[0] +if not re.match(username_regex, user): + exit(1) + +print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey)) diff --git a/scripts/git-integration/git-serve.py b/scripts/git-integration/git-serve.py new file mode 100755 index 0000000..08132f2 --- /dev/null +++ b/scripts/git-integration/git-serve.py @@ -0,0 +1,104 @@ +#!/usr/bin/python3 + +import configparser +import mysql.connector +import os +import pygit2 +import re +import shlex +import sys + +config = configparser.RawConfigParser() +config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config") + +aur_db_host = config.get('database', 'host') +aur_db_name = config.get('database', 'name') +aur_db_user = config.get('database', 'user') +aur_db_pass = config.get('database', 'password') + +repo_base_path = config.get('serve', 'repo-base') +repo_regex = config.get('serve', 'repo-regex') +git_shell_cmd = config.get('serve', 'git-shell-cmd') + +def repo_path_validate(path): + if not path.startswith(repo_base_path): + return False + if not path.endswith('.git/'): + return False + repo = path[len(repo_base_path):-5] + return re.match(repo_regex, repo) + +def repo_path_get_pkgbase(path): + pkgbase = path.rstrip('/').rpartition('/')[2] + if pkgbase.endswith('.git'): + pkgbase = pkgbase[:-4] + return pkgbase + +def setup_repo(repo, user): + if not re.match(repo_regex, repo): + die('invalid repository name: %s' % (repo)) + + db = mysql.connector.connect(host=aur_db_host, user=aur_db_user, + passwd=aur_db_pass, db=aur_db_name) + cur = db.cursor() + + cur.execute("SELECT COUNT(*) FROM PackageBases WHERE Name = %s ", [repo]) + if cur.fetchone()[0] > 0: + die('package base already exists: %s' % (repo)) + + cur.execute("SELECT ID FROM Users WHERE Username = %s ", [user]) + userid = cur.fetchone()[0] + if userid == 0: + die('unknown user: %s' % (user)) + + cur.execute("INSERT INTO PackageBases (Name, SubmittedTS, ModifiedTS, " + + "SubmitterUID) VALUES (%s, UNIX_TIMESTAMP(), " + + "UNIX_TIMESTAMP(), %s)", [repo, userid]) + + db.commit() + db.close() + + repo_path = repo_base_path + '/' + repo + '.git/' + pygit2.init_repository(repo_path, True) + +def check_permissions(pkgbase, user): + db = mysql.connector.connect(host=aur_db_host, user=aur_db_user, + passwd=aur_db_pass, db=aur_db_name, + buffered=True) + cur = db.cursor() + + cur.execute("SELECT COUNT(*) FROM PackageBases INNER JOIN Users " + + "ON Users.ID = PackageBases.MaintainerUID OR " + + "PackageBases.MaintainerUID IS NULL WHERE " + + "Name = %s AND Username = %s", [pkgbase, user]) + return cur.fetchone()[0] > 0 + +def die(msg): + sys.stderr.write("%s\n" % (msg)) + exit(1) + +user = sys.argv[1] +cmd = os.environ.get("SSH_ORIGINAL_COMMAND") +if not cmd: + die('no command specified') +cmdargv = shlex.split(cmd) +action = cmdargv[0] + +if action == 'git-upload-pack' or action == 'git-receive-pack': + path = cmdargv[1] + if not repo_path_validate(path): + die('invalid path: %s' % (path)) + pkgbase = repo_path_get_pkgbase(path) + if action == 'git-receive-pack': + if not check_permissions(pkgbase, user): + die('permission denied: %s' % (user)) + os.environ["AUR_USER"] = user + os.environ["AUR_GIT_DIR"] = path + os.environ["AUR_PKGBASE"] = pkgbase + os.execl(git_shell_cmd, git_shell_cmd, '-c', cmd) +elif action == 'setup-repo': + if len(cmdargv) < 2: + die('missing repository name') + setup_repo(cmdargv[1], user) +else: + die('invalid command: %s' % (action)) -- 2.2.1