[PATCH] Move git privilege check to update.py rather than auth.py
auth.py is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> --- aurweb/git/auth.py | 1 - aurweb/git/update.py | 2 +- test/t1100-git-auth.sh | 17 ----------------- 3 files changed, 1 insertion(+), 19 deletions(-) diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py index b7819a9..828ed4e 100755 --- a/aurweb/git/auth.py +++ b/aurweb/git/auth.py @@ -53,7 +53,6 @@ def main(): env_vars = { 'AUR_USER': user, 'AUR_PRIVILEGED': '1' if account_type > 1 else '0', - 'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0', } key = keytype + ' ' + keytext diff --git a/aurweb/git/update.py b/aurweb/git/update.py index f681ddb..da48eb3 100755 --- a/aurweb/git/update.py +++ b/aurweb/git/update.py @@ -238,7 +238,7 @@ def main(): user = os.environ.get("AUR_USER") pkgbase = os.environ.get("AUR_PKGBASE") privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1') - allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') + allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') and privileged warn_or_die = warn if privileged else die if len(sys.argv) == 2 and sys.argv[1] == "restore": diff --git a/test/t1100-git-auth.sh b/test/t1100-git-auth.sh index dd20bea..71d526f 100755 --- a/test/t1100-git-auth.sh +++ b/test/t1100-git-auth.sh @@ -25,21 +25,4 @@ test_expect_success 'Test authentication with a wrong key.' ' test_must_be_empty out ' -test_expect_success 'Test AUR_OVERWRITE passthrough.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=1 out -' - -test_expect_success 'Make sure that AUR_OVERWRITE is unset by default.' ' - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=0 out -' - -test_expect_success 'Make sure regular users cannot set AUR_OVERWRITE.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_USER" "$AUTH_KEYTEXT_USER" >out && - grep -q AUR_OVERWRITE=0 out -' - test_done -- 2.16.0
Ehm, the subject should really be changed to something like this instead: Subject: [PATCH] Move AUR_OVERWRITE privilege check from git/auth to git/update Quoting Johannes Löthberg (2018-01-21 14:16:40)
auth.py is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> --- aurweb/git/auth.py | 1 - aurweb/git/update.py | 2 +- test/t1100-git-auth.sh | 17 ----------------- 3 files changed, 1 insertion(+), 19 deletions(-)
diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py index b7819a9..828ed4e 100755 --- a/aurweb/git/auth.py +++ b/aurweb/git/auth.py @@ -53,7 +53,6 @@ def main(): env_vars = { 'AUR_USER': user, 'AUR_PRIVILEGED': '1' if account_type > 1 else '0', - 'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0', } key = keytype + ' ' + keytext
diff --git a/aurweb/git/update.py b/aurweb/git/update.py index f681ddb..da48eb3 100755 --- a/aurweb/git/update.py +++ b/aurweb/git/update.py @@ -238,7 +238,7 @@ def main(): user = os.environ.get("AUR_USER") pkgbase = os.environ.get("AUR_PKGBASE") privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1') - allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') + allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') and privileged warn_or_die = warn if privileged else die
if len(sys.argv) == 2 and sys.argv[1] == "restore": diff --git a/test/t1100-git-auth.sh b/test/t1100-git-auth.sh index dd20bea..71d526f 100755 --- a/test/t1100-git-auth.sh +++ b/test/t1100-git-auth.sh @@ -25,21 +25,4 @@ test_expect_success 'Test authentication with a wrong key.' ' test_must_be_empty out '
-test_expect_success 'Test AUR_OVERWRITE passthrough.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=1 out -' - -test_expect_success 'Make sure that AUR_OVERWRITE is unset by default.' ' - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=0 out -' - -test_expect_success 'Make sure regular users cannot set AUR_OVERWRITE.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_USER" "$AUTH_KEYTEXT_USER" >out && - grep -q AUR_OVERWRITE=0 out -' - test_done -- 2.16.0
-- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 PGP Key FP: 5134 EF9E AF65 F95B 6BB1 608E 50FB 9B27 3A9D 0BB5 https://theos.kyriasis.com/~kyrias/
git/auth is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Instead we need to perform the actual privilege check in git/update instead. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> --- README | 3 +++ aurweb/git/auth.py | 1 - aurweb/git/update.py | 2 +- test/t1100-git-auth.sh | 17 ----------------- test/t1300-git-update.sh | 14 +++++++++++++- 5 files changed, 17 insertions(+), 20 deletions(-) diff --git a/README b/README index e633ec3..4e96572 100644 --- a/README +++ b/README @@ -56,3 +56,6 @@ Links * Questions, comments, and patches related to aurweb can be sent to the AUR development mailing list: aur-dev@archlinux.org -- mailing list archives: https://mailman.archlinux.org/mailman/listinfo/aur-dev + + + foo diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py index b7819a9..828ed4e 100755 --- a/aurweb/git/auth.py +++ b/aurweb/git/auth.py @@ -53,7 +53,6 @@ def main(): env_vars = { 'AUR_USER': user, 'AUR_PRIVILEGED': '1' if account_type > 1 else '0', - 'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0', } key = keytype + ' ' + keytext diff --git a/aurweb/git/update.py b/aurweb/git/update.py index f681ddb..da48eb3 100755 --- a/aurweb/git/update.py +++ b/aurweb/git/update.py @@ -238,7 +238,7 @@ def main(): user = os.environ.get("AUR_USER") pkgbase = os.environ.get("AUR_PKGBASE") privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1') - allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') + allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') and privileged warn_or_die = warn if privileged else die if len(sys.argv) == 2 and sys.argv[1] == "restore": diff --git a/test/t1100-git-auth.sh b/test/t1100-git-auth.sh index dd20bea..71d526f 100755 --- a/test/t1100-git-auth.sh +++ b/test/t1100-git-auth.sh @@ -25,21 +25,4 @@ test_expect_success 'Test authentication with a wrong key.' ' test_must_be_empty out ' -test_expect_success 'Test AUR_OVERWRITE passthrough.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=1 out -' - -test_expect_success 'Make sure that AUR_OVERWRITE is unset by default.' ' - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=0 out -' - -test_expect_success 'Make sure regular users cannot set AUR_OVERWRITE.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_USER" "$AUTH_KEYTEXT_USER" >out && - grep -q AUR_OVERWRITE=0 out -' - test_done diff --git a/test/t1300-git-update.sh b/test/t1300-git-update.sh index b9c4f53..06d1498 100755 --- a/test/t1300-git-update.sh +++ b/test/t1300-git-update.sh @@ -137,7 +137,19 @@ test_expect_success 'Performing a non-fast-forward ref update as Trusted User.' test_cmp expected actual ' -test_expect_success 'Performing a non-fast-forward ref update with AUR_OVERWRITE=1.' ' +test_expect_success 'Performing a non-fast-forward ref update as normal user with AUR_OVERWRITE=1.' ' + old=$(git -C aur.git rev-parse HEAD) && + new=$(git -C aur.git rev-parse HEAD^) && + cat >expected <<-EOD && + error: denying non-fast-forward (you should pull first) + EOD + test_must_fail \ + env AUR_USER=user AUR_PKGBASE=foobar AUR_PRIVILEGED=0 AUR_OVERWRITE=1 \ + "$GIT_UPDATE" refs/heads/master "$old" "$new" 2>&1 && + test_cmp expected actual +' + +test_expect_success 'Performing a non-fast-forward ref update as Trusted User with AUR_OVERWRITE=1.' ' old=$(git -C aur.git rev-parse HEAD) && new=$(git -C aur.git rev-parse HEAD^) && AUR_USER=tu AUR_PKGBASE=foobar AUR_PRIVILEGED=1 AUR_OVERWRITE=1 \ -- 2.16.0
git/auth is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Instead we need to perform the actual privilege check in git/update instead. Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> --- Removed unrelated garbage README change aurweb/git/auth.py | 1 - aurweb/git/update.py | 2 +- test/t1100-git-auth.sh | 17 ----------------- test/t1300-git-update.sh | 14 +++++++++++++- 4 files changed, 14 insertions(+), 20 deletions(-) diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py index b7819a9..828ed4e 100755 --- a/aurweb/git/auth.py +++ b/aurweb/git/auth.py @@ -53,7 +53,6 @@ def main(): env_vars = { 'AUR_USER': user, 'AUR_PRIVILEGED': '1' if account_type > 1 else '0', - 'AUR_OVERWRITE' : os.environ.get('AUR_OVERWRITE', '0') if account_type > 1 else '0', } key = keytype + ' ' + keytext diff --git a/aurweb/git/update.py b/aurweb/git/update.py index f681ddb..da48eb3 100755 --- a/aurweb/git/update.py +++ b/aurweb/git/update.py @@ -238,7 +238,7 @@ def main(): user = os.environ.get("AUR_USER") pkgbase = os.environ.get("AUR_PKGBASE") privileged = (os.environ.get("AUR_PRIVILEGED", '0') == '1') - allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') + allow_overwrite = (os.environ.get("AUR_OVERWRITE", '0') == '1') and privileged warn_or_die = warn if privileged else die if len(sys.argv) == 2 and sys.argv[1] == "restore": diff --git a/test/t1100-git-auth.sh b/test/t1100-git-auth.sh index dd20bea..71d526f 100755 --- a/test/t1100-git-auth.sh +++ b/test/t1100-git-auth.sh @@ -25,21 +25,4 @@ test_expect_success 'Test authentication with a wrong key.' ' test_must_be_empty out ' -test_expect_success 'Test AUR_OVERWRITE passthrough.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=1 out -' - -test_expect_success 'Make sure that AUR_OVERWRITE is unset by default.' ' - "$GIT_AUTH" "$AUTH_KEYTYPE_TU" "$AUTH_KEYTEXT_TU" >out && - grep -q AUR_OVERWRITE=0 out -' - -test_expect_success 'Make sure regular users cannot set AUR_OVERWRITE.' ' - AUR_OVERWRITE=1 \ - "$GIT_AUTH" "$AUTH_KEYTYPE_USER" "$AUTH_KEYTEXT_USER" >out && - grep -q AUR_OVERWRITE=0 out -' - test_done diff --git a/test/t1300-git-update.sh b/test/t1300-git-update.sh index b9c4f53..06d1498 100755 --- a/test/t1300-git-update.sh +++ b/test/t1300-git-update.sh @@ -137,7 +137,19 @@ test_expect_success 'Performing a non-fast-forward ref update as Trusted User.' test_cmp expected actual ' -test_expect_success 'Performing a non-fast-forward ref update with AUR_OVERWRITE=1.' ' +test_expect_success 'Performing a non-fast-forward ref update as normal user with AUR_OVERWRITE=1.' ' + old=$(git -C aur.git rev-parse HEAD) && + new=$(git -C aur.git rev-parse HEAD^) && + cat >expected <<-EOD && + error: denying non-fast-forward (you should pull first) + EOD + test_must_fail \ + env AUR_USER=user AUR_PKGBASE=foobar AUR_PRIVILEGED=0 AUR_OVERWRITE=1 \ + "$GIT_UPDATE" refs/heads/master "$old" "$new" 2>&1 && + test_cmp expected actual +' + +test_expect_success 'Performing a non-fast-forward ref update as Trusted User with AUR_OVERWRITE=1.' ' old=$(git -C aur.git rev-parse HEAD) && new=$(git -C aur.git rev-parse HEAD^) && AUR_USER=tu AUR_PKGBASE=foobar AUR_PRIVILEGED=1 AUR_OVERWRITE=1 \ -- 2.16.0
On Sun, 21 Jan 2018 at 17:51:02, Johannes Löthberg wrote:
git/auth is run as an AutherizedKeysCommand which does not get the environment variables passed to it, so AUR_OVERWRITE always got hard-set to '0' by it. Instead we need to perform the actual privilege check in git/update instead.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com> --- Removed unrelated garbage README change
aurweb/git/auth.py | 1 - aurweb/git/update.py | 2 +- test/t1100-git-auth.sh | 17 ----------------- test/t1300-git-update.sh | 14 +++++++++++++- 4 files changed, 14 insertions(+), 20 deletions(-)
Merged, thanks!
participants (2)
-
Johannes Löthberg
-
Lukas Fleischer