author | Andrew Cady <d@jerkface.net> | 2020-10-14 12:57:34 -0400 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2020-10-14 14:12:38 -0400 |
commit | c0d54dce30ddb38e99397ec7055be7e367797b6e (patch) | |
tree | 26be83bc1419acf011f820ed7170a470a3cf2f81 | |
parent | c228c4335198dbec2eebdc3d850e24b05928d58f (diff) |
cryptonomic.net in the namespace
-rwxr-xr-x | bin/samizdat-ssh-command | 24 |
1 files changed, 15 insertions, 9 deletions
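--- a/bin/samizdat-ssh-command
+++ b/bin/samizdat-ssh-command
@@ -35,7 +35,7 @@ add_before_sentinel()
 password_authentication()
 {
 [ "$USER" ] || { echo 'Error: no $USER' >&2; exit 1; }
-[ "$SSH_CLIENT_FINGERPRINT" ] || { echo 'Error: no $SSH_CLIENT_FINGERPRINT' >&2; exit 1; }
+[ "$SSH_CLIENT_DOMAIN" ] || { echo 'Error: no $SSH_CLIENT_DOMAIN' >&2; exit 1; }
 
 tty=$(tty) && [ "$tty" != 'not a tty' ] || tty=
 
@@ -153,7 +153,7 @@ valid_new_public_repo()
 
 check_if_ssh_user_owns_repository()
 {
-git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_CLIENT_FINGERPRINT"
+git --git-dir "$git_dir" config --get-all samizdat.anonymous-ssh-owner | grep -xqF "$SSH_CLIENT_DOMAIN"
 }
 ssh_user_owns_repository()
 {
@@ -175,11 +175,11 @@ is_public_repository()
 
 authorized()
 {
-# TODO: check SSH_CLIENT_FINGERPRINT against a blacklist
+# TODO: check SSH_CLIENT_DOMAIN against a blacklist
 ssh_user_owns_repository && return
 is_public_repository && return
 test "$(git --git-dir "$1" config --bool --get samizdat.allow-anonymous-access)" = true 2>/dev/null && return 0
-# TODO: check SSH_CLIENT_FINGERPRINT against a whitelist
+# TODO: check SSH_CLIENT_DOMAIN against a whitelist
 }
 
 maybe_initialize_heads()
@@ -245,6 +245,12 @@ case "$SSH_ORIGINAL_COMMAND" in
 homedir_expand
 
 case "$git_dir" in
+$HOME/????????????????????????????????????????????????.cryptonomic.net/public_git/*)
+IFS=/ set -- "${git_dir#$HOME}"
+git_ns_subdir=${git_dir#$HOME/}
+git_ns=${git_ns_subdir%%/*}
+git_dir=$HOME/${git_ns_subdir#$git_ns/}
+;;
 $HOME/git_namespace/*/public_git/*)
 git_ns_subdir=${git_dir#$HOME/git_namespace/}
 git_ns=${git_ns_subdir%%/*}
@@ -267,8 +273,8 @@ case "$SSH_ORIGINAL_COMMAND" in
 exit 1
 ;;
 rsync\ --server\ *)
-[ -d "$HOME"/incoming_rsync -a "${SSH_CLIENT_FINGERPRINT}" ] || { password_authentication; exit 1; }
-destdir=$HOME/incoming_rsync/$SSH_CLIENT_FINGERPRINT/
+[ -d "$HOME"/incoming_rsync -a "${SSH_CLIENT_DOMAIN}" ] || { password_authentication; exit 1; }
+destdir=$HOME/incoming_rsync/$SSH_CLIENT_DOMAIN/
 mkdir -p "$destdir" && exec rrsync "$destdir"
 exit 1
 ;;
@@ -299,7 +305,7 @@ elif [ "$git_cmd" = 'git-receive-pack' ]; then
 
 if [ ! -d "$git_dir" ]; then
 if valid_new_public_repo "$git_dir"; then
-initialize_git "$git_dir" "$SSH_CLIENT_FINGERPRINT"
+initialize_git "$git_dir" "$SSH_CLIENT_DOMAIN"
 else
 deny
 fi
@@ -311,9 +317,9 @@ if authorized "$git_dir"; then
 if [ "$git_cmd" = 'git-receive-pack' ]; then
 if ! ssh_user_owns_repository
 then
-export GIT_NAMESPACE="$SSH_CLIENT_FINGERPRINT"
+export GIT_NAMESPACE="$SSH_CLIENT_DOMAIN"
 maybe_initialize_heads
-printf '%s:%s\n' 'd@cryptonomic.net' "git_namespace/$GIT_NAMESPACE/${git_dir#${HOME}/}" >&2
+printf '%s:%s\n' 'd@cryptonomic.net' "$GIT_NAMESPACE/${git_dir#${HOME}/}" >&2
 fi
 fi
 exec "$git_cmd" "$git_dir"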
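Review bot: The added `IFS=/ set -- "${git_dir#$HOME}"` at new line 249 in the `@@ -245,6 +245,12 @@` hunk is a stray: its argument is quoted so no splitting happens, the next three lines derive `git_ns` and `git_dir` purely by parameter expansion and never read `$1`, so its only effects are overwriting the script's positional parameters and, under a POSIX sh where an assignment before the special builtin `set` persists, leaving `IFS=/` in force for the rest of the run; the line should be dropped. Separately, `SSH_CLIENT_DOMAIN` now replaces the fingerprint as the owner identity that feeds `GIT_NAMESPACE`, the `incoming_rsync/$SSH_CLIENT_DOMAIN/` destination handed to `rrsync`, the `anonymous-ssh-owner` match and the `initialize_git` owner, yet the only check visible in the hunks is the non-empty test in `password_authentication()`, which the rsync arm reaches only when the variable is already empty. Where the variable is set is not shown here; if it can carry `/`, `..` or a leading `.`, a shape check evaluated once before first use, e.g. `case "$SSH_CLIENT_DOMAIN" in ''|*/*|.*|*..*) echo 'Error: bad $SSH_CLIENT_DOMAIN' >&2; exit 1;; esac`, would keep the rsync path and the git namespace confined to the intended directory. The enclosing `case "$git_dir"` statement starts and ends outside the hunk.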