diff options
| author | Andrew Cady <d@jerkface.net> | 2020-10-14 12:57:34 -0400 |
|---|---|---|
| committer | Andrew Cady <d@jerkface.net> | 2020-10-14 14:12:38 -0400 |
| commit | c0d54dce30ddb38e99397ec7055be7e367797b6e (patch) | |
| tree | 26be83bc1419acf011f820ed7170a470a3cf2f81 | |
| parent | c228c4335198dbec2eebdc3d850e24b05928d58f (diff) | |
cryptonomic.net in the namespace
| -rwxr-xr-x | bin/samizdat-ssh-command | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/bin/samizdat-ssh-command b/bin/samizdat-ssh-command index a03b554..3c1bd5d 100755 --- a/bin/samizdat-ssh-command +++ b/bin/samizdat-ssh-command | |||
| @@ -35,7 +35,7 @@ add_before_sentinel() | |||
| 35 | password_authentication() | 35 | password_authentication() |
| 36 | { | 36 | { |
| 37 | [ "$USER" ] || { echo 'Error: no $USER' >&2; exit 1; } | 37 | [ "$USER" ] || { echo 'Error: no $USER' >&2; exit 1; } |
| 38 | [ "$SSH_CLIENT_FINGERPRINT" ] || { echo 'Error: no $SSH_CLIENT_FINGERPRINT' >&2; exit 1; } | 38 | [ "$SSH_CLIENT_DOMAIN" ] || { echo 'Error: no $SSH_CLIENT_DOMAIN' >&2; exit 1; } |
| 39 | 39 | ||
| 40 | tty=$(tty) && [ "$tty" != 'not a tty' ] || tty= | 40 | tty=$(tty) && [ "$tty" != 'not a tty' ] || tty= |
| 41 | 41 | ||
| @@ -153,7 +153,7 @@ valid_new_public_repo() | |||
| 153 | 153 | ||
| 154 | check_if_ssh_user_owns_repository() | 154 | check_if_ssh_user_owns_repository() |
| 155 | { | 155 | { |
| 156 | git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_CLIENT_FINGERPRINT" | 156 | git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_CLIENT_DOMAIN" |
| 157 | } | 157 | } |
| 158 | ssh_user_owns_repository() | 158 | ssh_user_owns_repository() |
| 159 | { | 159 | { |
| @@ -175,11 +175,11 @@ is_public_repository() | |||
| 175 | 175 | ||
| 176 | authorized() | 176 | authorized() |
| 177 | { | 177 | { |
| 178 | # TODO: check SSH_CLIENT_FINGERPRINT against a blacklist | 178 | # TODO: check SSH_CLIENT_DOMAIN against a blacklist |
| 179 | ssh_user_owns_repository && return | 179 | ssh_user_owns_repository && return |
| 180 | is_public_repository && return | 180 | is_public_repository && return |
| 181 | test "$(git --git-dir "$1" config --bool --get samizdat.allow-anonymous-access)" = true 2>/dev/null && return 0 | 181 | test "$(git --git-dir "$1" config --bool --get samizdat.allow-anonymous-access)" = true 2>/dev/null && return 0 |
| 182 | # TODO: check SSH_CLIENT_FINGERPRINT against a whitelist | 182 | # TODO: check SSH_CLIENT_DOMAIN against a whitelist |
| 183 | } | 183 | } |
| 184 | 184 | ||
| 185 | maybe_initialize_heads() | 185 | maybe_initialize_heads() |
| @@ -245,6 +245,12 @@ case "$SSH_ORIGINAL_COMMAND" in | |||
| 245 | homedir_expand | 245 | homedir_expand |
| 246 | 246 | ||
| 247 | case "$git_dir" in | 247 | case "$git_dir" in |
| 248 | $HOME/????????????????????????????????????????????????.cryptonomic.net/public_git/*) | ||
| 249 | IFS=/ set -- "${git_dir#$HOME}" | ||
| 250 | git_ns_subdir=${git_dir#$HOME/} | ||
| 251 | git_ns=${git_ns_subdir%%/*} | ||
| 252 | git_dir=$HOME/${git_ns_subdir#$git_ns/} | ||
| 253 | ;; | ||
| 248 | $HOME/git_namespace/*/public_git/*) | 254 | $HOME/git_namespace/*/public_git/*) |
| 249 | git_ns_subdir=${git_dir#$HOME/git_namespace/} | 255 | git_ns_subdir=${git_dir#$HOME/git_namespace/} |
| 250 | git_ns=${git_ns_subdir%%/*} | 256 | git_ns=${git_ns_subdir%%/*} |
| @@ -267,8 +273,8 @@ case "$SSH_ORIGINAL_COMMAND" in | |||
| 267 | exit 1 | 273 | exit 1 |
| 268 | ;; | 274 | ;; |
| 269 | rsync\ --server\ *) | 275 | rsync\ --server\ *) |
| 270 | [ -d "$HOME"/incoming_rsync -a "${SSH_CLIENT_FINGERPRINT}" ] || { password_authentication; exit 1; } | 276 | [ -d "$HOME"/incoming_rsync -a "${SSH_CLIENT_DOMAIN}" ] || { password_authentication; exit 1; } |
| 271 | destdir=$HOME/incoming_rsync/$SSH_CLIENT_FINGERPRINT/ | 277 | destdir=$HOME/incoming_rsync/$SSH_CLIENT_DOMAIN/ |
| 272 | mkdir -p "$destdir" && exec rrsync "$destdir" | 278 | mkdir -p "$destdir" && exec rrsync "$destdir" |
| 273 | exit 1 | 279 | exit 1 |
| 274 | ;; | 280 | ;; |
| @@ -299,7 +305,7 @@ elif [ "$git_cmd" = 'git-receive-pack' ]; then | |||
| 299 | 305 | ||
| 300 | if [ ! -d "$git_dir" ]; then | 306 | if [ ! -d "$git_dir" ]; then |
| 301 | if valid_new_public_repo "$git_dir"; then | 307 | if valid_new_public_repo "$git_dir"; then |
| 302 | initialize_git "$git_dir" "$SSH_CLIENT_FINGERPRINT" | 308 | initialize_git "$git_dir" "$SSH_CLIENT_DOMAIN" |
| 303 | else | 309 | else |
| 304 | deny | 310 | deny |
| 305 | fi | 311 | fi |
| @@ -311,9 +317,9 @@ if authorized "$git_dir"; then | |||
| 311 | if [ "$git_cmd" = 'git-receive-pack' ]; then | 317 | if [ "$git_cmd" = 'git-receive-pack' ]; then |
| 312 | if ! ssh_user_owns_repository | 318 | if ! ssh_user_owns_repository |
| 313 | then | 319 | then |
| 314 | export GIT_NAMESPACE="$SSH_CLIENT_FINGERPRINT" | 320 | export GIT_NAMESPACE="$SSH_CLIENT_DOMAIN" |
| 315 | maybe_initialize_heads | 321 | maybe_initialize_heads |
| 316 | printf '%s:%s\n' 'd@cryptonomic.net' "git_namespace/$GIT_NAMESPACE/${git_dir#${HOME}/}" >&2 | 322 | printf '%s:%s\n' 'd@cryptonomic.net' "$GIT_NAMESPACE/${git_dir#${HOME}/}" >&2 |
| 317 | fi | 323 | fi |
| 318 | fi | 324 | fi |
| 319 | exec "$git_cmd" "$git_dir" | 325 | exec "$git_cmd" "$git_dir" |