mirror of
https://gitlab.archlinux.org/archlinux/aurweb.git
synced 2025-02-03 10:43:03 +01:00
ad17b9e2b4
This adds two scripts to be used together with Git over SSH: * git-auth.py is supposed to be used as AuthorizedKeysCommand. It checks whether the public key belongs to any AUR user and invokes git-serve.py, passing the name of the corresponding user as a command line argument, if any. * git-serve.py is a wrapper around git-shell(1) that checks whether the user passed as command line argument has access to the Git repository that a push operation writes to. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
41 lines
1.2 KiB
Python
Executable file
41 lines
1.2 KiB
Python
Executable file
#!/usr/bin/python3
|
|
|
|
import configparser
|
|
import mysql.connector
|
|
import os
|
|
import re
|
|
|
|
config = configparser.RawConfigParser()
|
|
config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
|
|
|
|
aur_db_host = config.get('database', 'host')
|
|
aur_db_name = config.get('database', 'name')
|
|
aur_db_user = config.get('database', 'user')
|
|
aur_db_pass = config.get('database', 'password')
|
|
|
|
key_prefixes = config.get('auth', 'key-prefixes').split()
|
|
username_regex = config.get('auth', 'username-regex')
|
|
git_serve_cmd = config.get('auth', 'git-serve-cmd')
|
|
ssh_opts = config.get('auth', 'ssh-options')
|
|
|
|
pubkey = os.environ.get("SSH_KEY")
|
|
valid_prefixes = tuple(p + " " for p in key_prefixes)
|
|
if pubkey is None or not pubkey.startswith(valid_prefixes):
|
|
exit(1)
|
|
|
|
db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
|
|
passwd=aur_db_pass, db=aur_db_name,
|
|
buffered=True)
|
|
|
|
cur = db.cursor()
|
|
cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
|
|
"AND Suspended = 0", (pubkey,))
|
|
|
|
if cur.rowcount != 1:
|
|
exit(1)
|
|
|
|
user = cur.fetchone()[0]
|
|
if not re.match(username_regex, user):
|
|
exit(1)
|
|
|
|
print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey))
|