From de80f5c9e9611372777c0f64d28f6e63f6333cb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?=
Date: Fri, 2 Aug 2019 03:43:25 +0200
Subject: [PATCH] users in static principal-files

---
 gitosis/run_hook.py | 3 ++-
 gitosis/ssh_principals.py | 22 ++++++++++++----------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/gitosis/run_hook.py b/gitosis/run_hook.py
index 8b8b442..f126328 100644
--- a/gitosis/run_hook.py
+++ b/gitosis/run_hook.py
@@ -50,8 +50,9 @@ def post_update(cfg, git_dir):
         )
     principals = util.getSSHPrincipalsPath(config=cfg)
     ssh_principals.writePrincipals(
+        cfg=cfg,
         path=principals,
-        principals=os.path.join(export, 'keydir/principals'),
+        users=os.path.join(export, 'keydir/users'),
         )
 
 class Main(app.App):
diff --git a/gitosis/ssh_principals.py b/gitosis/ssh_principals.py
index 1fdf071..a2209c1 100644
--- a/gitosis/ssh_principals.py
+++ b/gitosis/ssh_principals.py
@@ -9,11 +9,11 @@ def isSafeUsername(user):
     match = _ACCEPTABLE_USER_RE.match(user)
     return (match is not None)
 
-def readPrincipals(principals):
+def readUsernames(userfile):
     """
-    Read SSH principals from ``principals``
+    Read SSH users from ``userfile``
     """
-    f = file(principals)
+    f = file(userfile)
     for line in f:
         if not isSafeUsername(line):
             log.warn('Unsafe SSH username in principalfile: %r', line)
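Review bot: The warning on the last line of the hunk still says `principalfile` although the function is now readUsernames and reads `userfile`; the message should follow the rename, `log.warn('Unsafe SSH username in userfile: %r', line)`. The isSafeUsername gate on the line above it must stay as is: every name that passes is later interpolated into a `command="gitosis-serve %(user)s"` option, so this check is what keeps a crafted line in the users file from altering the forced command. Note that `line` is passed with its trailing newline, so acceptance depends on `_ACCEPTABLE_USER_RE` tolerating a `$` match before the newline, which is worth confirming. readUsernames continues outside the hunk, so where `f` is closed and what the loop yields is not visible here.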
@@ -24,14 +24,16 @@ def readPrincipals(principals):
 
 COMMENT = '### autogenerated by gitosis, DO NOT EDIT'
 
-def generatePrincipals(keys):
+def generatePrincipals(cfg, keys):
     TEMPLATE=('command="gitosis-serve %(user)s",no-port-forwarding,'
-              +'no-X11-forwarding,no-agent-forwarding,no-pty %(user)s')
+              +'no-X11-forwarding,no-agent-forwarding,no-pty %(principals)s')
+
+    principals=util.getAllowedSSHPrincipals(config=cfg)
 
     yield COMMENT
     for (user) in keys:
-        log.debug(TEMPLATE % dict(user=user))
-        yield TEMPLATE % dict(user=user)
+        log.debug(TEMPLATE % dict(user=user, principals=principals))
+        yield TEMPLATE % dict(user=user, principals=principals)
 
 _COMMAND_RE = re.compile('^command="(/[^ "]+/)?gitosis-serve [^"]+",no-port-forw'
                          +'arding,no-X11-forwarding,no-agent-forwardi'
@@ -52,7 +54,7 @@ def filterPrincipals(fp):
             continue
         yield line
 
-def writePrincipals(path, principals):
+def writePrincipals(cfg, path, users):
     tmp = '%s.%d.tmp' % (path, os.getpid())
     try:
         in_ = file(path)
@@ -69,8 +71,8 @@ def writePrincipals(path, principals):
         for line in filterPrincipals(in_):
             print >>out, line
 
-        keygen = readPrincipals(principals)
-        for line in generatePrincipals(keygen):
+        user = readUsernames(users)
+        for line in generatePrincipals(cfg, user):
             print >>out, line
 
         os.fsync(out)
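Review bot: `principals` is computed once before the loop and is identical for every line yielded, so each user's entry in the generated file ends with the same principal list; sshd applies the first line of an AuthorizedPrincipalsFile whose principal matches, which as far as this hunk shows would leave every entry after the first one unreachable, each client being served as the first user. If the principal names are meant to differ per user, the lookup belongs inside the loop; if one shared set is intended, the file can only ever serve one user, and that should be stated in the function's docstring. Whether util.getAllowedSSHPrincipals returns a string or a list is not visible here; a list would be rendered as its repr by `%(principals)s`, so the value should be normalised at the call site, e.g. `principals = ' '.join(principals)` when it is a sequence. The config-supplied value is also interpolated unchecked, and one containing whitespace or a newline would change the structure of the generated line, so it deserves the same kind of validation that isSafeUsername gives usernames.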
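Review bot: Putting `cfg` in front as the first positional parameter of writePrincipals changes the meaning of any existing positional call; the caller updated in run_hook.py passes keywords, but other callers, if any, would silently bind their path to `cfg`. Appending it instead, `def writePrincipals(path, users, cfg):`, makes an old two-argument call fail loudly with a missing argument rather than misbind. The body of writePrincipals continues outside the hunk.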
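Review bot: `user` on the first added line holds the iterator returned by readUsernames, not a single user, so the name reads as if one name were being handed to generatePrincipals; `usernames = readUsernames(users)` and `for line in generatePrincipals(cfg, usernames):` would say what the value is. The enclosing `try` and the rest of writePrincipals are outside the hunk.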