git_acl_shell 1.0.3

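--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 2a4907a336c5ce915ad12f0a5c62645f2621b6b2
+data.tar.gz: 2a4f4cd8b07650e61d908fcda58cb312ae0022be
+SHA512:
+metadata.gz: 920d496577b503111404951701f67ed0ce2b3cb2e9d915fafd8a757e2ab20bf559646e520619319ce0b25bab3d4d449ff183a23e6ba703f1097fb6bd899c95e4
+data.tar.gz: 6c861a0545a4254a60f81710d9698899ba4f674958c73a972b33b58d0e9f2fd7489522088e5c9d122e19b1f2f76eee2c33a76aa8bdc5aec1e1c322ab2f8f67f7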
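--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+log/
+*.gem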
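--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1,2 @@
+--format documentation
+--color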
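--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+2.4.1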
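--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+- 2.4.1
+before_install: gem install bundler -v 1.15.4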
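--- a/data/Dockerfile
+++ b/data/Dockerfile
@@ -0,0 +1,6 @@
+FROM ruby:2.4.1-alpine
+RUN apk add --no-cache --update --upgrade bash git build-base
+RUN mkdir /work
+WORKDIR /work
+ADD . /work
+RUN bundle install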
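Review bot: `ADD . /work` copies the entire build context into the image, and no `.dockerignore` is visible among the shipped files, so whatever sits in the working tree (a local `.git` directory, built `*.gem` files) may end up in a layer. `COPY . /work` is the conventional instruction for a plain local copy, since `ADD` also unpacks archives and accepts URLs. The image runs `bundle install` and everything after it as root; if it is ever used for more than running the specs, a non-root `USER` line would be worth adding.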
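--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in git-acl-shell.gemspec
+gemspec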
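--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) Cucumber Limited
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.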
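--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,7 @@
+# Git Acl Shell
+
+Git shell that adds access control to Git repositories accessed over SSH.
+Similar to [Gitolite](http://gitolite.com/gitolite/index.html) and [gitlab-shell](https://github.com/gitlabhq/gitlab-shell).
+
+The main difference is that the shell queries an external service over HTTP
+to check if a user has access.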
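--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,20 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
+
+DOCKER_IMAGE_NAME = 'git_acl_shell'
+
+namespace :docker do
+desc "build the image"
+task :build do
+sh "docker build -t #{DOCKER_IMAGE_NAME} #{Dir.pwd}"
+end
+
+desc "run tests in docker"
+task :spec do
+sh %{docker run --rm -v "#{Dir.pwd}":/src -it -w /src #{DOCKER_IMAGE_NAME} /bin/bash -c "bundle exec rspec"}
+end
+end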
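Review bot: `Dir.pwd` is interpolated unquoted into the `docker build` command string in `task :build`, while the `docker run` line in `task :spec` quotes it, so a checkout path containing spaces or shell metacharacters is split or interpreted by the shell in the build task only. Passing the arguments separately avoids the shell altogether: `sh "docker", "build", "-t", DOCKER_IMAGE_NAME, Dir.pwd`.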
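--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "git_acl_shell"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start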
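--- a/data/bin/setup
+++ b/data/bin/setup
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here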
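--- a/data/exe/git-acl-shell
+++ b/data/exe/git-acl-shell
@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+
+require "git_acl_shell/shell"
+require "git_acl_shell/acl/http_acl"
+require "git_acl_shell/directory/http_directory"
+
+command = ENV.delete('SSH_ORIGINAL_COMMAND')
+key_id = ARGV[0]
+base_uri = ARGV[1]
+GitAclShell::Acl::HTTPAcl.base_uri(base_uri)
+GitAclShell::Directory::HTTPDirectory.base_uri(base_uri)
+
+shell = GitAclShell::Shell.new(
+key_id,
+acl: GitAclShell::Acl::HTTPAcl.new,
+directory: GitAclShell::Directory::HTTPDirectory.new
+)
+
+if shell.exec(command)
+exit 0
+else
+exit 1
+end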
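Review bot: `key_id` and `base_uri` are read from `ARGV[0]` and `ARGV[1]` with no presence or scheme check, so a misconfigured invocation only surfaces later as an unhandled HTTP error. Every access decision is fetched from `base_uri`, so I would fail early, for example `abort "usage: git-acl-shell KEY_ID BASE_URI" unless key_id && base_uri&.start_with?("https://")`, or at least document that a plain `http://` endpoint leaves the permission responses open to tampering on the network path. Nothing here rescues exceptions from `shell.exec`, so a network failure or a malformed command presumably ends the session with a Ruby backtrace on the client's stderr; a top-level `rescue StandardError` that prints a short message and exits non-zero would keep the failure closed and avoid exposing install paths.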
@@ -0,0 +1,30 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'git_acl_shell/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "git_acl_shell"
8
+ spec.version = GitAclShell::VERSION
9
+ spec.authors = ["Cucumber Ltd"]
10
+ spec.email = ["devs@cucumber.io"]
11
+
12
+ spec.summary = %q{Git ACL Shell}
13
+ spec.description = %q{Protects access to git, using an ACL HTTP endpoint...}
14
+ spec.homepage = "https://cucumber.io"
15
+ spec.license = "MIT"
16
+
17
+ spec.files = `git ls-files -z`.split("\x0").reject do |f|
18
+ f.match(%r{^(test|spec|features)/})
19
+ end
20
+ spec.bindir = "exe"
21
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
22
+ spec.require_paths = ["lib"]
23
+
24
+ spec.add_dependency "httparty", "~> 0.15"
25
+
26
+ spec.add_development_dependency "bundler", "~> 1.15"
27
+ spec.add_development_dependency "rake", "~> 12.1"
28
+ spec.add_development_dependency "rspec", "~> 3.6"
29
+ spec.add_development_dependency "pact", "~> 1.15"
30
+ end
@@ -0,0 +1,8 @@
1
+ require "git_acl_shell/version"
2
+ require "git_acl_shell/errors"
3
+ require "git_acl_shell/shell"
4
+ require "git_acl_shell/directory/http_directory"
5
+ require "git_acl_shell/acl/http_acl"
6
+
7
+ module GitAclShell
8
+ end
@@ -0,0 +1,14 @@
1
+ require 'httparty'
2
+
3
+ module GitAclShell
4
+ module Acl
5
+ class HTTPAcl
6
+ include HTTParty
7
+
8
+ def authorized?(key_id, repo_base_name)
9
+ response = self.class.get("/permission", query: { 'key-id' => key_id, 'repo-base-name' => repo_base_name })
10
+ response.ok?
11
+ end
12
+ end
13
+ end
14
+ end
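Review bot: `authorized?` treats any response for which `response.ok?` is true as a grant, and the `get` runs with HTTParty's defaults, which follow redirects, with no timeout set in this file. A redirect that ends on an unrelated 200 page would therefore count as authorization, and a slow endpoint holds the SSH session open. I would pin both on the call by adding `follow_redirects: false, timeout: 5` to the `self.class.get("/permission", ...)` options (the 5 seconds is a placeholder), and add a method comment stating that connection errors propagate as exceptions rather than returning `false`.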
@@ -0,0 +1,19 @@
1
+ require 'httparty'
2
+ require 'git_acl_shell/errors'
3
+
4
+ module GitAclShell
5
+ module Directory
6
+ class HTTPDirectory
7
+ include HTTParty
8
+
9
+ def lookup(repo_alias)
10
+ response = self.class.get("/repo-base-name", query: { alias: repo_alias })
11
+ if response.ok?
12
+ return response.body
13
+ else
14
+ raise UnknownAlias
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
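Review bot: `lookup` returns `response.body` verbatim, and `Shell#exec` interpolates that value into the repository path it hands to the git command, so the directory service's body is trusted as a file name with no validation. A trailing newline, a `/`, or a leading `-` in the body would change which path or option git receives. I would normalise and check it before returning, e.g. `name = response.body.strip` followed by `raise UnknownAlias unless name.match?(/\A\w[\w.-]*\z/)`, with the pattern adjusted to the naming scheme actually in use. The `get` here also uses HTTParty's default redirect-following and has no explicit timeout.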
@@ -0,0 +1,4 @@
1
+ module GitAclShell
2
+ class UnknownAlias < StandardError; end
3
+ end
4
+
@@ -0,0 +1,59 @@
1
+ require 'shellwords'
2
+ require 'git_acl_shell/errors'
3
+
4
+ module GitAclShell
5
+ class Shell
6
+ # See https://git-scm.com/docs/git-shell#_commands
7
+ # (git push) (git fetch) (git archive)
8
+ COMMAND_WHITELIST = %w(git-receive-pack git-upload-pack git-upload-archive).freeze
9
+
10
+ def initialize(key_id, acl:, directory:, kernel: Kernel, stderr: $stderr)
11
+ @key_id = key_id
12
+ @acl = acl
13
+ @directory = directory
14
+ @kernel = kernel
15
+ @stderr = stderr
16
+ end
17
+
18
+ def exec(command)
19
+ if command.nil?
20
+ @stderr.puts("OH HAI! U HAS LOGGD IN BUT WE DOAN PROVIDE SHELL ACCES. KTHXBAI!")
21
+ return false
22
+ end
23
+
24
+ args = Shellwords.shellwords(command)
25
+ if whitelist?(args)
26
+ repo_path = args.pop
27
+ repo_extension = File.extname(repo_path)
28
+ repo_alias = File.basename(repo_path, repo_extension)
29
+
30
+ begin
31
+ repo_name = @directory.lookup(repo_alias)
32
+ repo_path = File.join(File.dirname(repo_path), "#{repo_name}#{repo_extension}")
33
+ args.push(repo_path)
34
+ rescue UnknownAlias
35
+ @stderr.puts("Not found")
36
+ return false
37
+ end
38
+
39
+ if @acl.authorized?(@key_id, repo_name)
40
+ @kernel.exec(*args)
41
+ true
42
+ else
43
+ @stderr.puts("You've successfully authenticated, but you don't have access to this repo")
44
+ false
45
+ end
46
+ else
47
+ @stderr.puts("OH HAI! I CAN ONLY HALP U WIF GIT COMMANDZ, SRY! KTHXBAI!")
48
+ false
49
+ end
50
+ end
51
+
52
+ private
53
+
54
+ def whitelist?(args)
55
+ program = args[0]
56
+ COMMAND_WHITELIST.include?(program)
57
+ end
58
+ end
59
+ end
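Review bot: `whitelist?` checks only `args[0]`, so `exec` never verifies that the command is exactly one program plus one repository path: with a single word, `args.pop` removes the program name itself and `@kernel.exec` is called with only the rewritten path, and any extra words between program and path are passed through to git unchanged. git-shell accepts exactly one argument for these commands; I would mirror that and reject a path starting with `-` before the lookup, as in the block below. Separately, `File.dirname(repo_path)` keeps the client-supplied directory while the ACL is asked about the base name only, so the directory part sits outside the authorization decision; if repositories live under one known root, join against that root instead. `Shellwords.shellwords` raises `ArgumentError` on unbalanced quotes, which is not rescued here.

```ruby
      args = Shellwords.shellwords(command)
      # Accept exactly "<program> <repo-path>", as git-shell does: no options, no missing path.
      unless args.length == 2 && whitelist?(args) && !args[1].start_with?("-")
        @stderr.puts("OH HAI! I CAN ONLY HALP U WIF GIT COMMANDZ, SRY! KTHXBAI!")
        return false
      end

      repo_path = args.pop
      # … unchanged: alias lookup, ACL check, @kernel.exec …
```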
@@ -0,0 +1,3 @@
1
+ module GitAclShell
2
+ VERSION = "1.0.3"
3
+ end
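--- a/metadata
+++ b/metadata
@@ -0,0 +1,134 @@
+--- !ruby/object:Gem::Specification
+name: git_acl_shell
+version: !ruby/object:Gem::Version
+version: 1.0.3
+platform: ruby
+authors:
+- Cucumber Ltd
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2017-09-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: httparty
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.15'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.15'
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.15'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.15'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '12.1'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '12.1'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.6'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.6'
+- !ruby/object:Gem::Dependency
+name: pact
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.15'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.15'
+description: Protects access to git, using an ACL HTTP endpoint...
+email:
+- devs@cucumber.io
+executables:
+- git-acl-shell
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-version"
+- ".travis.yml"
+- Dockerfile
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/git-acl-shell
+- git_acl_shell.gemspec
+- lib/git_acl_shell.rb
+- lib/git_acl_shell/acl/http_acl.rb
+- lib/git_acl_shell/directory/http_directory.rb
+- lib/git_acl_shell/errors.rb
+- lib/git_acl_shell/shell.rb
+- lib/git_acl_shell/version.rb
+homepage: https://cucumber.io
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.11
+signing_key:
+specification_version: 4
+summary: Git ACL Shell
+test_files: []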