Add basic Git authentication/authorization scripts

This adds two scripts to be used together with Git over SSH:

* git-auth.py is supposed to be used as AuthorizedKeysCommand. It checks
  whether the public key belongs to any AUR user and invokes
  git-serve.py, passing the name of the corresponding user as a command
  line argument, if any.

* git-serve.py is a wrapper around git-shell(1) that checks whether the
  user passed as command line argument has access to the Git repository
  that a push operation writes to.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

conf/config.proto

@@ -26,3 +26,14 @@ max_rpc_results = 5000
 aur_request_ml = aur-requests@archlinux.org
 request_idle_time = 1209600
 auto_orphan_age = 15552000
+
+[auth]
+key-prefixes = ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519
+username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$
+git-serve-cmd = /srv/http/aur/scripts/git-integration/git-serve.py
+ssh-options = no-port-forwarding,no-X11-forwarding,no-pty
+
+[serve]
+repo-base = /pub/git/
+repo-regex = [a-z0-9][a-z0-9.+_-]*$
+git-shell-cmd = /usr/bin/git-shell

scripts/git-integration/git-auth.py

@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+import configparser
+import mysql.connector
+import os
+import re
+
+config = configparser.RawConfigParser()
+config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
+
+aur_db_host = config.get('database', 'host')
+aur_db_name = config.get('database', 'name')
+aur_db_user = config.get('database', 'user')
+aur_db_pass = config.get('database', 'password')
+
+key_prefixes = config.get('auth', 'key-prefixes').split()
+username_regex = config.get('auth', 'username-regex')
+git_serve_cmd = config.get('auth', 'git-serve-cmd')
+ssh_opts = config.get('auth', 'ssh-options')
+
+pubkey = os.environ.get("SSH_KEY")
+valid_prefixes = tuple(p + " " for p in key_prefixes)
+if pubkey is None or not pubkey.startswith(valid_prefixes):
+    exit(1)
+
+db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+                             passwd=aur_db_pass, db=aur_db_name,
+                             buffered=True)
+
+cur = db.cursor()
+cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
+            "AND Suspended = 0", (pubkey,))
+
+if cur.rowcount != 1:
+    exit(1)
+
+user = cur.fetchone()[0]
+if not re.match(username_regex, user):
+    exit(1)
+
+print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey))

scripts/git-integration/git-serve.py

@@ -0,0 +1,104 @@
+#!/usr/bin/python3
+
+import configparser
+import mysql.connector
+import os
+import pygit2
+import re
+import shlex
+import sys
+
+config = configparser.RawConfigParser()
+config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
+
+aur_db_host = config.get('database', 'host')
+aur_db_name = config.get('database', 'name')
+aur_db_user = config.get('database', 'user')
+aur_db_pass = config.get('database', 'password')
+
+repo_base_path = config.get('serve', 'repo-base')
+repo_regex = config.get('serve', 'repo-regex')
+git_shell_cmd = config.get('serve', 'git-shell-cmd')
+
+def repo_path_validate(path):
+    if not path.startswith(repo_base_path):
+        return False
+    if not path.endswith('.git/'):
+        return False
+    repo = path[len(repo_base_path):-5]
+    return re.match(repo_regex, repo)
+
+def repo_path_get_pkgbase(path):
+    pkgbase = path.rstrip('/').rpartition('/')[2]
+    if pkgbase.endswith('.git'):
+        pkgbase = pkgbase[:-4]
+    return pkgbase
+
+def setup_repo(repo, user):
+    if not re.match(repo_regex, repo):
+        die('invalid repository name: %s' % (repo))
+
+    db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+                                 passwd=aur_db_pass, db=aur_db_name)
+    cur = db.cursor()
+
+    cur.execute("SELECT COUNT(*) FROM PackageBases WHERE Name = %s ", [repo])
+    if cur.fetchone()[0] > 0:
+        die('package base already exists: %s' % (repo))
+
+    cur.execute("SELECT ID FROM Users WHERE Username = %s ", [user])
+    userid = cur.fetchone()[0]
+    if userid == 0:
+        die('unknown user: %s' % (user))
+
+    cur.execute("INSERT INTO PackageBases (Name, SubmittedTS, ModifiedTS, " +
+                "SubmitterUID) VALUES (%s, UNIX_TIMESTAMP(), " +
+                "UNIX_TIMESTAMP(), %s)", [repo, userid])
+
+    db.commit()
+    db.close()
+
+    repo_path = repo_base_path + '/' + repo + '.git/'
+    pygit2.init_repository(repo_path, True)
+
+def check_permissions(pkgbase, user):
+    db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+                                 passwd=aur_db_pass, db=aur_db_name,
+                                 buffered=True)
+    cur = db.cursor()
+
+    cur.execute("SELECT COUNT(*) FROM PackageBases INNER JOIN Users " +
+                "ON Users.ID = PackageBases.MaintainerUID OR " +
+                "PackageBases.MaintainerUID IS NULL WHERE " +
+                "Name = %s AND Username = %s", [pkgbase, user])
+    return cur.fetchone()[0] > 0
+
+def die(msg):
+    sys.stderr.write("%s\n" % (msg))
+    exit(1)
+
+user = sys.argv[1]
+cmd = os.environ.get("SSH_ORIGINAL_COMMAND")
+if not cmd:
+    die('no command specified')
+cmdargv = shlex.split(cmd)
+action = cmdargv[0]
+
+if action == 'git-upload-pack' or action == 'git-receive-pack':
+    path = cmdargv[1]
+    if not repo_path_validate(path):
+        die('invalid path: %s' % (path))
+    pkgbase = repo_path_get_pkgbase(path)
+    if action == 'git-receive-pack':
+        if not check_permissions(pkgbase, user):
+            die('permission denied: %s' % (user))
+    os.environ["AUR_USER"] = user
+    os.environ["AUR_GIT_DIR"] = path
+    os.environ["AUR_PKGBASE"] = pkgbase
+    os.execl(git_shell_cmd, git_shell_cmd, '-c', cmd)
+elif action == 'setup-repo':
+    if len(cmdargv) < 2:
+        die('missing repository name')
+    setup_repo(cmdargv[1], user)
+else:
+    die('invalid command: %s' % (action))