summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2014-06-04 22:11:43 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2014-12-27 12:42:12 +0100
commitad17b9e2b4bebcf744129ed5a1a2c6e544d42739 (patch)
tree791ee08db4c1759d89660bc1c90dd867e2662d91
parent253e76d8cc718acef6bab802c76c4a70623b59cc (diff)
downloadaurweb-ad17b9e2b4bebcf744129ed5a1a2c6e544d42739.tar.xz
Add basic Git authentication/authorization scripts
This adds two scripts to be used together with Git over SSH: * git-auth.py is supposed to be used as AuthorizedKeysCommand. It checks whether the public key belongs to any AUR user and invokes git-serve.py, passing the name of the corresponding user as a command line argument, if any. * git-serve.py is a wrapper around git-shell(1) that checks whether the user passed as command line argument has access to the Git repository that a push operation writes to. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--conf/config.proto11
-rwxr-xr-xscripts/git-integration/git-auth.py41
-rwxr-xr-xscripts/git-integration/git-serve.py104
3 files changed, 156 insertions, 0 deletions
diff --git a/conf/config.proto b/conf/config.proto
index f00b352..13cafe0 100644
--- a/conf/config.proto
+++ b/conf/config.proto
@@ -26,3 +26,14 @@ max_rpc_results = 5000
aur_request_ml = aur-requests@archlinux.org
request_idle_time = 1209600
auto_orphan_age = 15552000
+
+[auth]
+key-prefixes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519
+username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$
+git-serve-cmd = /srv/http/aur/scripts/git-integration/git-serve.py
+ssh-options = no-port-forwarding,no-X11-forwarding,no-pty
+
+[serve]
+repo-base = /pub/git/
+repo-regex = [a-z0-9][a-z0-9.+_-]*$
+git-shell-cmd = /usr/bin/git-shell
diff --git a/scripts/git-integration/git-auth.py b/scripts/git-integration/git-auth.py
new file mode 100755
index 0000000..8701d5e
--- /dev/null
+++ b/scripts/git-integration/git-auth.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+import configparser
+import mysql.connector
+import os
+import re
+
+config = configparser.RawConfigParser()
+config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
+
+aur_db_host = config.get('database', 'host')
+aur_db_name = config.get('database', 'name')
+aur_db_user = config.get('database', 'user')
+aur_db_pass = config.get('database', 'password')
+
+key_prefixes = config.get('auth', 'key-prefixes').split()
+username_regex = config.get('auth', 'username-regex')
+git_serve_cmd = config.get('auth', 'git-serve-cmd')
+ssh_opts = config.get('auth', 'ssh-options')
+
+pubkey = os.environ.get("SSH_KEY")
+valid_prefixes = tuple(p + " " for p in key_prefixes)
+if pubkey is None or not pubkey.startswith(valid_prefixes):
+ exit(1)
+
+db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+ passwd=aur_db_pass, db=aur_db_name,
+ buffered=True)
+
+cur = db.cursor()
+cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
+ "AND Suspended = 0", (pubkey,))
+
+if cur.rowcount != 1:
+ exit(1)
+
+user = cur.fetchone()[0]
+if not re.match(username_regex, user):
+ exit(1)
+
+print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey))
diff --git a/scripts/git-integration/git-serve.py b/scripts/git-integration/git-serve.py
new file mode 100755
index 0000000..08132f2
--- /dev/null
+++ b/scripts/git-integration/git-serve.py
@@ -0,0 +1,104 @@
+#!/usr/bin/python3
+
+import configparser
+import mysql.connector
+import os
+import pygit2
+import re
+import shlex
+import sys
+
+config = configparser.RawConfigParser()
+config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
+
+aur_db_host = config.get('database', 'host')
+aur_db_name = config.get('database', 'name')
+aur_db_user = config.get('database', 'user')
+aur_db_pass = config.get('database', 'password')
+
+repo_base_path = config.get('serve', 'repo-base')
+repo_regex = config.get('serve', 'repo-regex')
+git_shell_cmd = config.get('serve', 'git-shell-cmd')
+
+def repo_path_validate(path):
+ if not path.startswith(repo_base_path):
+ return False
+ if not path.endswith('.git/'):
+ return False
+ repo = path[len(repo_base_path):-5]
+ return re.match(repo_regex, repo)
+
+def repo_path_get_pkgbase(path):
+ pkgbase = path.rstrip('/').rpartition('/')[2]
+ if pkgbase.endswith('.git'):
+ pkgbase = pkgbase[:-4]
+ return pkgbase
+
+def setup_repo(repo, user):
+ if not re.match(repo_regex, repo):
+ die('invalid repository name: %s' % (repo))
+
+ db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+ passwd=aur_db_pass, db=aur_db_name)
+ cur = db.cursor()
+
+ cur.execute("SELECT COUNT(*) FROM PackageBases WHERE Name = %s ", [repo])
+ if cur.fetchone()[0] > 0:
+ die('package base already exists: %s' % (repo))
+
+ cur.execute("SELECT ID FROM Users WHERE Username = %s ", [user])
+ userid = cur.fetchone()[0]
+ if userid == 0:
+ die('unknown user: %s' % (user))
+
+ cur.execute("INSERT INTO PackageBases (Name, SubmittedTS, ModifiedTS, " +
+ "SubmitterUID) VALUES (%s, UNIX_TIMESTAMP(), " +
+ "UNIX_TIMESTAMP(), %s)", [repo, userid])
+
+ db.commit()
+ db.close()
+
+ repo_path = repo_base_path + '/' + repo + '.git/'
+ pygit2.init_repository(repo_path, True)
+
+def check_permissions(pkgbase, user):
+ db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+ passwd=aur_db_pass, db=aur_db_name,
+ buffered=True)
+ cur = db.cursor()
+
+ cur.execute("SELECT COUNT(*) FROM PackageBases INNER JOIN Users " +
+ "ON Users.ID = PackageBases.MaintainerUID OR " +
+ "PackageBases.MaintainerUID IS NULL WHERE " +
+ "Name = %s AND Username = %s", [pkgbase, user])
+ return cur.fetchone()[0] > 0
+
+def die(msg):
+ sys.stderr.write("%s\n" % (msg))
+ exit(1)
+
+user = sys.argv[1]
+cmd = os.environ.get("SSH_ORIGINAL_COMMAND")
+if not cmd:
+ die('no command specified')
+cmdargv = shlex.split(cmd)
+action = cmdargv[0]
+
+if action == 'git-upload-pack' or action == 'git-receive-pack':
+ path = cmdargv[1]
+ if not repo_path_validate(path):
+ die('invalid path: %s' % (path))
+ pkgbase = repo_path_get_pkgbase(path)
+ if action == 'git-receive-pack':
+ if not check_permissions(pkgbase, user):
+ die('permission denied: %s' % (user))
+ os.environ["AUR_USER"] = user
+ os.environ["AUR_GIT_DIR"] = path
+ os.environ["AUR_PKGBASE"] = pkgbase
+ os.execl(git_shell_cmd, git_shell_cmd, '-c', cmd)
+elif action == 'setup-repo':
+ if len(cmdargv) < 2:
+ die('missing repository name')
+ setup_repo(cmdargv[1], user)
+else:
+ die('invalid command: %s' % (action))