git_wit 0.0.3 → 0.0.4.pre

data/lib/generators/git_wit/{templates → install/templates}/git_wit.rb

@@ -4,41 +4,42 @@ GitWit.configure do |config|
   # Configure the path to the repositories. This folder should be readable
   # and writable by your application. Use an absolute path for best results.
   # No trailing slash necessary.
-  # config.repositories_path = "/var/git"
+  <%= maybe_config :repositories_path, "/var/git" %>
 
   # Configure the user for which to manage SSH keys (if enabled.) This user 
   # must be allowed to run gw-ssh (or bundle exec or rvm or whatever) via sudo 
   # as the application user.
-  # config.ssh_user = "git"
+  <%= maybe_config :ssh_user, "git" %>
 
   # Configure the absolute path to the authorized_keys file for ssh_user. By
   # default, this will be calculated as "~ssh_user/.ssh/authorized_keys". 
-  # config.authorized_keys_path = "/var/git/.ssh/authorized_keys"
+  <%= maybe_config :authorized_keys_path, "/var/git/.ssh/authorized_keys" %>
 
-  # Configure the path to the git-http-backend binary.
-  # config.git_http_backend_path = "/usr/libexec/git-core/git-http-backend"
+  # Configure the path to the git binary. Defaults to "git". Use a full path if 
+  # the "git" command is not found in the PATH environment variable.
+  <%= maybe_config :git_path, "/path/to/bin/git" %>
 
   # Configure the HTTP Basic Auth Realm. Go nuts.
-  # config.realm = "GitWit"
+  <%= maybe_config :realm, "GitWit" %>
 
   # Allow or disable write operations (push) via non-secure (http) protocols.
-  # config.insecure_write = false
+  <%= maybe_config :insecure_write, false %>
 
   # Allow or disable authentication via non-secure (http) protocols. GitWit uses
   # HTTP Basic authentication, which sends your password in cleartext. This is
   # bad behaviour so the default is to completely disallow authentication
   # without SSL. Note that this will effectively disable insecure write
   # operations as well when set to false, since writes require authentication.
-  # config.insecure_auth = false
+  <%= maybe_config :insecure_auth, false %>
 
   # Configure git user attributes. GitWit will "try" these attributes when
   # discerning the user information to pass to git. These may be callables that
   # accept the user model (if authenticated) and should return a string value.
   # If nil (or return nil), reasonable defaults will be used.
   #
-  # config.username_attribute = :login          # REMOTE_USER
-  # config.committer_email_attribute = :email   # GIT_COMMITTER_NAME
-  # config.committer_name_attribute = :name     # GIT_COMMITTER_EMAIL
+  <%= maybe_config :username_attribute, :login %>
+  <%= maybe_config :email_attribute, :email %>
+  <%= maybe_config :name_attribute, :name %>
 
   # Customize how the user is derived from the username. Below is an example for 
   # devise. Your callable should accept a username return a user model. A string
@@ -60,6 +61,9 @@ GitWit.configure do |config|
   # config.authenticate = ->(user, password) do
   #   user.try :valid_password, password
   # end
+<% if attributes[:authenticate] -%>
+  config.authenticate = true
+<% end -%>
 
   # Customize the authorization handlers. There are two - one for read and one
   # for write operations. They will receive the user model (if authenticated)
@@ -70,9 +74,15 @@ GitWit.configure do |config|
   #   repo = Repository.find_by_path repository
   #   repo.public? || repo.user_id = user.id
   # end
+<% if attributes[:authorize_read] -%>
+  config.authorize_read = true
+<% end -%>
   #
   # config.authorize_write = ->(user, repository) do
   #   repo = Repository.find_by_path repository
   #   repo.user_id = user.id || user.admin?
   # end
+<% if attributes[:authorize_write] -%>
+  config.authorize_write = true
+<% end -%>
 end

data/lib/generators/git_wit/ssh_user/USAGE

@@ -0,0 +1,11 @@
+Description:
+    Creates an SSH-only user for GitWit access.
+
+Example:
+    rails generate git_wit:ssh_user /home/gitwit
+
+    This will create:
+        /home/gitwit
+        /home/gitwit/.ssh
+        /home/gitwit/.ssh/authorized_keys
+        /home/gitwit/.bashrc

data/lib/generators/git_wit/ssh_user/ssh_user_generator.rb

@@ -0,0 +1,53 @@
+require "git_wit/actions"
+
+module GitWit
+  class SshUserGenerator < Rails::Generators::Base
+    include GitWit::Actions
+
+    source_root File.expand_path('../templates', __FILE__)
+    
+    argument :home, type: :string, required: false
+
+    def check_user
+      raise Thor::Error, "GitWit ssh_user is not configured." unless ssh_user.present?
+    end
+
+    def create_user
+      @home = dscl_user ssh_user, home
+    end
+
+    def create_group
+      dscl_group ssh_group
+    end
+
+    def add_user_to_group
+      dscl_group_membership ssh_user, ssh_group
+    end
+
+    def build_home
+      ssh_home ssh_user, home
+    end
+
+    def add_user_to_sudoers
+      ssh_sudoers ssh_user
+    end
+
+    protected
+    def ssh_user
+      GitWit.ssh_user
+    end
+    alias_method :ssh_group, :ssh_user
+
+    def rails_user
+      @rails_user ||= `whoami`.strip
+    end
+
+    def git_wit_bindir
+      bin_path = Rails.root.join("bin", "git_wit")
+      return bin_path.dirname.to_s if bin_path.exist?
+      bin_path = `which git_wit`.strip
+      return File.dirname(bin_path) if bin_path.present?
+      raise Thor::Error, "Could not determine path to git_wit executable"
+    end
+  end
+end

data/lib/generators/git_wit/ssh_user/templates/bashrc.tt

@@ -0,0 +1,7 @@
+# Generated by git_wit
+export PATH="<%= git_wit_bindir %>:<%= RbConfig::CONFIG['bindir'] %>:$PATH"
+export RAILS_ENV="<%= ENV["RAILS_ENV"].presence || "development" %>"
+export RAILS_ROOT="<%= Rails.root %>"
+<% %w(GEM_HOME GEM_PATH BUNDLE_GEMFILE).each do |k| ; next unless ENV[k].present? -%>
+export <%= k %>="<%= ENV[k] %>"
+<% end -%>

data/lib/generators/git_wit/ssh_user/templates/sudoers.tt

@@ -0,0 +1,12 @@
+
+# Note: The following lines *must* appear *after* `Defaults env_reset`!
+# Allow gitwit to pass the following environment variables to sudo processes:
+Defaults:<%= ssh_user %> env_keep += "SSH_ORIGINAL_COMMAND GEM_HOME GEM_PATH"
+Defaults:<%= ssh_user %> env_keep += "BUNDLE_GEMFILE RAILS_ENV RAILS_ROOT"
+
+# Allow <%= rails_user %> to run any command as <%= ssh_user %>
+<%= rails_user %> ALL=(<%= ssh_user %>) NOPASSWD:ALL
+
+# Allow <%= ssh_user %> to run *only* gw-shell as <%= rails_user %>
+<%= ssh_user %> ALL=(<%= rails_user %>) NOPASSWD:<%= File.join(git_wit_bindir, "git_wit") %>
+

data/lib/git_wit.rb

@@ -1,15 +1,20 @@
+require "authorized_keys"
 require "active_support/configurable"
 require "git_wit/engine"
 require "git_wit/errors"
 require "git_wit/auth"
 require "git_wit/shell"
 require "git_wit/authorized_keys"
+require "git_wit/authorized_keys/key"
+require "git_wit/authorized_keys/file"
+require "git_wit/cli"
 
 module GitWit
   include ActiveSupport::Configurable
 
   config_accessor :repositories_path, :ssh_user, :realm,
-    :git_http_backend_path, :insecure_write, :insecure_auth
+    :git_path, :insecure_write, :insecure_auth, :username_attribute,
+    :email_attribute, :name_attribute
 
   def self.reset_config!
     @_config = nil
@@ -28,11 +33,21 @@ module GitWit
     reset_config!
     configure do |config|
       config.realm = "GitWit"
-      config.repositories_path = "/var/git"
-      config.ssh_user = "git"
-      config.git_http_backend_path = "/usr/libexec/git-core/git-http-backend"
+      config.repositories_path = Rails.root.join("repositories").to_s
+      config.ssh_user = nil
+      config.git_path = "git"
       config.insecure_write = false
       config.insecure_auth = false
+      config.authenticate = false
+      config.authorize_read = false
+      config.authorize_write = false
+      config.username_attribute = :login
+      config.email_attribute = :email
+      config.name_attribute = :name
     end
   end
+
+  class << self
+    private :config
+  end
 end

data/lib/git_wit/actions.rb

@@ -0,0 +1,17 @@
+module GitWit; module Actions; end; end
+
+require "git_wit/actions/ssh"
+require "git_wit/actions/ssh/home"
+require "git_wit/actions/ssh/sudoers"
+require "git_wit/actions/dscl"
+require "git_wit/actions/dscl/base"
+require "git_wit/actions/dscl/user"
+require "git_wit/actions/dscl/group"
+require "git_wit/actions/dscl/group_membership"
+
+module GitWit
+  module Actions
+    include Dscl::Actions
+    include Ssh::Actions
+  end
+end

data/lib/git_wit/actions/dscl.rb

@@ -0,0 +1,15 @@
+module GitWit::Actions::Dscl
+  module Actions
+    def dscl_user(name, home, config = {})
+      action User.new(self, name, home, config)
+    end
+
+    def dscl_group(name, config = {})
+      action Group.new(self, name, config)
+    end
+
+    def dscl_group_membership(user, group, config = {})
+      action GroupMembership.new(self, user, group, config)
+    end
+  end
+end

data/lib/git_wit/actions/dscl/base.rb

@@ -0,0 +1,75 @@
+module GitWit::Actions::Dscl
+  class Base < Thor::Actions::EmptyDirectory
+
+    attr_reader :base, :type, :name
+
+    def initialize(base, type, name, config = {})
+      @base, @type, @name = base, type, name
+      @config = {verbose: true}.merge config
+    end
+
+    def invoke!
+      invoke_with_conflict_check do
+        create
+      end
+    end
+
+    def revoke!
+      say_status :remove, :red
+      destroy if !pretend? && exists?
+    end
+
+    def exists?
+      dscl_exists?
+    end
+
+    protected
+    def id_exists?(check_id)
+      dscl_key_exists? "#{type.to_s.first}id", check_id
+    end
+
+    def dscl_key_exists?(key, value)
+      results = dscl "list /#{type.to_s.capitalize}s #{key}"
+      !!(results =~ Regexp.new("#{Regexp.escape(value.to_s)}\n"))
+    end
+
+    def dscl_exists?
+      results = dscl "list /#{type.to_s.capitalize}s"
+      !!(results =~ Regexp.new("#{Regexp.escape(name)}\n"))
+    end
+
+    def next_id
+      guess = 200
+      while id_exists?(guess) && guess < 1000
+        guess += 1
+      end
+      return guess unless id_exists? guess
+      raise Thor::Error, "Could not get next #{type.to_s.first}id."
+    end
+
+    def dscl(command, config = {})
+      command = "dscl . #{command}"
+      desc = "#{command} from #{type}"
+
+      if config[:with]
+        desc = "#{File.basename(config[:with].to_s)} #{desc}"
+        command = "#{config[:with]} #{command}"
+      end
+
+      say_status :run, :green, desc if config[:verbose]
+
+      output = `#{command}`
+      raise Thor::Error, "dscl command failed: #{desc}" unless $?.success?
+      output
+    end
+
+    def sudo_dscl(command, config = {})
+      dscl command, config.merge(with: "sudo")
+    end
+
+    def say_status(status, color, msg = nil)
+      msg ||= "#{type} #{name}"
+      base.shell.say_status status, msg, color if config[:verbose]
+    end
+  end
+end

data/lib/git_wit/actions/dscl/group.rb

@@ -0,0 +1,20 @@
+module GitWit::Actions::Dscl
+  class Group < Base
+    def initialize(base, name, config = {})
+      super base, :group, name, config
+    end
+
+    protected
+    def create
+      gid = next_id
+      sudo_dscl "create /Groups/#{name}"
+      sudo_dscl "create /Groups/#{name} Password '*'"
+      sudo_dscl "create /Groups/#{name} PrimaryGroupID #{gid}"
+      sudo_dscl "create /Groups/#{name} GroupMembers ''"
+    end
+
+    def destroy
+      sudo_dscl "delete /Groups/#{name}"
+    end
+  end
+end

data/lib/git_wit/actions/dscl/group_membership.rb

@@ -0,0 +1,30 @@
+module GitWit::Actions::Dscl
+  class GroupMembership < Base
+    attr_reader :user, :group
+
+    def initialize(base, user, group, config = {})
+      super base, :group_membership, "#{user} #{group}", config
+      @user, @group = user, group
+    end
+
+    def exists?
+      check = `dsmemberutil checkmembership -U '#{user}' -G '#{group}' 2>/dev/null`
+      $?.success? && !!(check =~ /is a member/)
+    end
+
+    protected
+    def create
+      sudo_dscl "create /Users/#{user} PrimaryGroupID #{gid}"
+      sudo_dscl "append /Groups/#{group} GroupMembership #{user}"
+    end
+    
+    def destroy
+    end
+
+    def gid
+      gid = dscl "read /Groups/#{group} gid".split("gid: ", 2).last
+      raise Thor::Error, "Could not find gid for group #{group}" unless gid.present?
+      gid.to_i
+    end
+  end
+end

data/lib/git_wit/actions/dscl/user.rb

@@ -0,0 +1,39 @@
+module GitWit::Actions::Dscl
+  class User < Base
+    def initialize(base, name, home, config = {})
+      super base, :user, name, config
+      @home = home
+    end
+
+    def invoke!
+      invoke_with_conflict_check do
+        create
+      end
+      home
+    end
+
+    def revoke!
+      say_status :remove, :red
+      destroy if !pretend? && exists?
+      home
+    end
+
+    protected
+    def home
+      @home || "/Users/#{name}"
+    end
+
+    def create
+      uid = next_id
+      sudo_dscl "create /Users/#{name}"
+      sudo_dscl "create /Users/#{name} RealName '#{name}'"
+      sudo_dscl "create /Users/#{name} UniqueID #{uid}"
+      sudo_dscl "create /Users/#{name} NFSHomeDirectory '#{home}'"
+      sudo_dscl "create /Users/#{name} UserShell '/bin/bash'"
+    end
+
+    def destroy
+      sudo_dscl "delete /Users/#{name}"
+    end
+  end
+end

data/lib/git_wit/actions/ssh.rb

@@ -0,0 +1,11 @@
+module GitWit::Actions::Ssh
+  module Actions
+    def ssh_home(user, home, config = {})
+      action Home.new(self, user, home, config)
+    end
+
+    def ssh_sudoers(user, config = {})
+      action Sudoers.new(self, user, config)
+    end
+  end
+end

data/lib/git_wit/actions/ssh/home.rb

@@ -0,0 +1,55 @@
+module GitWit::Actions::Ssh
+  class Home < Thor::Actions::EmptyDirectory
+    attr_reader :base, :user, :home
+
+    def initialize(base, user, home, config = {})
+      @base, @user, @home = base, user, File.expand_path(home)
+      @config = {verbose: true}.merge config
+    end
+
+    def invoke!
+      invoke_with_conflict_check do
+        create
+      end
+    end
+
+    def revoke!
+      say_status :remove, :red
+      destroy if !pretend? && exists?
+      home
+    end
+
+    def exists?
+      Dir.exists? home
+    end
+
+    protected
+    def create
+      old_destination = base.destination_root
+      Dir.mktmpdir do |dir|
+        base.destination_root = dir
+        base.chmod ".", 0755
+        base.inside "." do
+          base.empty_directory ".ssh"
+          base.chmod ".ssh", 0700
+          base.inside ".ssh" do
+            base.create_file "authorized_keys", ""
+            base.chmod "authorized_keys", 0600
+          end
+          base.template "bashrc.tt", ".bashrc"
+        end
+        `sudo cp -R '#{dir}' '#{home}'`
+        `sudo chown -R #{user}:#{user} '#{home}'`
+      end
+      base.destination_root = old_destination
+    end
+
+    def destroy
+      `sudo rm -rf '#{home}'`
+    end
+
+    def relative_destination
+      home
+    end
+  end
+end