users in static principal-files

This commit is contained in:
Jakobus Schürz 2019-08-02 03:43:25 +02:00
parent 2a528be734
commit de80f5c9e9
2 changed files with 14 additions and 11 deletions


@ -50,8 +50,9 @@ def post_update(cfg, git_dir):
) )
principals = util.getSSHPrincipalsPath(config=cfg) principals = util.getSSHPrincipalsPath(config=cfg)
ssh_principals.writePrincipals( ssh_principals.writePrincipals(
cfg=cfg,
path=principals, path=principals,
principals=os.path.join(export, 'keydir/principals'), users=os.path.join(export, 'keydir/users'),
) )
class Main(app.App): class Main(app.App):
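Review bot: The file read for the per-user list changes from `keydir/principals` to `keydir/users` with no fallback, so an export that still carries the old filename would, as far as this hunk shows, no longer contribute any entries; either read the old name when the new one is absent or state the rename in the commit description so operators know to move the file. post_update begins before this hunk, so whether `export` is checked elsewhere is not visible here. A short comment at the call site would help the next reader: `# keydir/users holds the login usernames; the principals they are granted appear to come from cfg`.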


@ -9,11 +9,11 @@ def isSafeUsername(user):
match = _ACCEPTABLE_USER_RE.match(user) match = _ACCEPTABLE_USER_RE.match(user)
return (match is not None) return (match is not None)
def readPrincipals(principals): def readUsernames(userfile):
""" """
Read SSH principals from ``principals`` Read SSH users from ``userfile``
""" """
f = file(principals) f = file(userfile)
for line in f: for line in f:
if not isSafeUsername(line): if not isSafeUsername(line):
log.warn('Unsafe SSH username in principalfile: %r', line) log.warn('Unsafe SSH username in principalfile: %r', line)
@ -24,14 +24,16 @@ def readPrincipals(principals):
COMMENT = '### autogenerated by gitosis, DO NOT EDIT' COMMENT = '### autogenerated by gitosis, DO NOT EDIT'
def generatePrincipals(keys): def generatePrincipals(cfg, keys):
TEMPLATE=('command="gitosis-serve %(user)s",no-port-forwarding,' TEMPLATE=('command="gitosis-serve %(user)s",no-port-forwarding,'
+'no-X11-forwarding,no-agent-forwarding,no-pty %(user)s') +'no-X11-forwarding,no-agent-forwarding,no-pty %(principals)s')
principals=util.getAllowedSSHPrincipals(config=cfg)
yield COMMENT yield COMMENT
for (user) in keys: for (user) in keys:
log.debug(TEMPLATE % dict(user=user)) log.debug(TEMPLATE % dict(user=user, principals=principals))
yield TEMPLATE % dict(user=user) yield TEMPLATE % dict(user=user, principals=principals)
_COMMAND_RE = re.compile('^command="(/[^ "]+/)?gitosis-serve [^"]+",no-port-forw' _COMMAND_RE = re.compile('^command="(/[^ "]+/)?gitosis-serve [^"]+",no-port-forw'
+'arding,no-X11-forwarding,no-agent-forwardi' +'arding,no-X11-forwarding,no-agent-forwardi'
@ -52,7 +54,7 @@ def filterPrincipals(fp):
continue continue
yield line yield line
def writePrincipals(path, principals): def writePrincipals(cfg, path, users):
tmp = '%s.%d.tmp' % (path, os.getpid()) tmp = '%s.%d.tmp' % (path, os.getpid())
try: try:
in_ = file(path) in_ = file(path)
@ -69,8 +71,8 @@ def writePrincipals(path, principals):
for line in filterPrincipals(in_): for line in filterPrincipals(in_):
print >>out, line print >>out, line
keygen = readPrincipals(principals) user = readUsernames(users)
for line in generatePrincipals(keygen): for line in generatePrincipals(cfg, user):
print >>out, line print >>out, line
os.fsync(out) os.fsync(out)
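Review bot: In generatePrincipals (the `@ -24,14` hunk), the value returned by `util.getAllowedSSHPrincipals(config=cfg)` is interpolated into every generated line through `%(principals)s` with no visible validation, whereas the per-user side is screened by isSafeUsername in readUsernames; a configured value containing a newline or a double quote would, as far as this hunk shows, break the option string or add a stray line to the written principals file. The helper's return shape is not visible here, so at minimum I would reject the obviously unsafe characters once, before the loop: `if '\n' in principals or '"' in principals: raise ValueError('unsafe principals value in config: %r' % (principals,))`. A comment above TEMPLATE would also make the new split explicit: `# %(user)s selects the gitosis-serve identity; the trailing field is the configured principals value`.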