author | Andrew Cady <d@jerkface.net> | 2019-07-29 18:42:41 -0400 |
committer | Andrew Cady <d@jerkface.net> | 2019-07-29 19:09:03 -0400 |
commit | b97c9e45ff37ee6d6135a525a3c784136adcf188 (patch) | |
tree | 1ad91168281cbb4f1ed2f24720739e05c020ee9f | |
parent | 134c077b0607d702f248d26eea49360ae06d0450 (diff) |
query authorized_keys.d in ssh-forced-command
-rwxr-xr-x | forced-ssh-command | 33 | ||||
-rwxr-xr-x | hooks/post-receive | 33 |
2 files changed, 32 insertions, 34 deletions
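--- a/forced-ssh-command
+++ b/forced-ssh-command
@@ -141,14 +141,45 @@ valid_new_public_repo()
 esac
 }
 
+GET_NOMIC_USER()
+{
+local whitelist_dir="$1" a b keytype keyval keyname
+if [ "$NOMIC_USER" ]
+then
+return
+elif [ "$SSH_USER_AUTH" ] && [ -f "$SSH_USER_AUTH" ]
+then
+read authtype keytype keyval < "$SSH_USER_AUTH"
+[ "$authtype" = publickey ] || exit
+
+for keyname in "${whitelist_dir}"/*
+do
+while read a b _
+do
+case "$a $b" in
+"$keytype $keyval")
+NOMIC_USER=${keyname#authorized_keys.d/}
+break
+;;
+esac
+done < "$keyname"
+done
+true
+else
+warn "\$SSH_USER_AUTH missing. Try putting 'ExposeAuthInfo yes' in /etc/ssh/sshd_config"
+false
+fi
+}
+
 check_if_ssh_user_owns_repository()
 {
 git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_REMOTE_FINGERPRINT_TRIMMED"
 }
+
 ssh_user_owns_repository()
 {
 if [ -z "$SSH_USER_OWNS_REPOSITORY" ]; then
-check_if_ssh_user_owns_repository
+check_if_ssh_user_owns_repository || GET_NOMIC_USER "$git_dir"
 SSH_USER_OWNS_REPOSITORY=$?
 fi
 return $SSH_USER_OWNS_REPOSITORY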
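Review bot: `ssh_user_owns_repository` now treats any publickey-authenticated caller as an owner, because the `elif` branch of `GET_NOMIC_USER` ends with an unconditional `true`: the function returns 0 whenever `$SSH_USER_AUTH` is a readable file, whether or not any key in `$whitelist_dir` matched, and `SSH_USER_OWNS_REPOSITORY=$?` records that as success. The result should reflect the lookup, e.g. replace the trailing `true` with `[ "$NOMIC_USER" ]` and use `break 2` after the assignment so both loops stop at the first match. The prefix strip `NOMIC_USER=${keyname#authorized_keys.d/}` was not updated for the new `whitelist_dir` parameter; with the call `GET_NOMIC_USER "$git_dir"` that prefix never matches and `NOMIC_USER` becomes a full path, so `NOMIC_USER=${keyname##*/}` would be the robust form. The call also passes `$git_dir` itself, so the glob ranges over every file in the git directory rather than its `authorized_keys.d` subdirectory (which is where `hooks/post-receive` checks the keys out); if that is not intended the argument should presumably be `"$git_dir/authorized_keys.d"`. `ssh_user_owns_repository` closes outside the hunk.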
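--- a/hooks/post-receive
+++ b/hooks/post-receive
@@ -15,38 +15,5 @@ warn()
 fi
 }
 
-GET_NOMIC_USER()
-{
-if [ "$NOMIC_USER" ]
-then
-return
-elif [ "$SSH_USER_AUTH" ] && [ -f "$SSH_USER_AUTH" ]
-then
-read authtype keytype keyval < "$SSH_USER_AUTH"
-[ "$authtype" = publickey ] || exit
-
-for keyname in authorized_keys.d/*
-do
-while read a b _
-do
-case "$a $b" in
-"$keytype $keyval")
-NOMIC_USER=${keyname#authorized_keys.d/}
-break
-;;
-esac
-done < "$keyname"
-done
-true
-else
-warn "\$SSH_USER_AUTH missing. Try putting 'ExposeAuthInfo yes' in /etc/ssh/sshd_config"
-false
-fi
-}
-
 GIT_WORK_TREE=. git checkout -f master -- authorized_keys.d/\*
 
-if GET_NOMIC_USER
-then
-warn "NOMIC_USER=$NOMIC_USER"
-fi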