RubyGems - git_wit - Versions diffs - 0.0.3 → 0.0.4.pre - Mend

git_wit 0.0.3 → 0.0.4.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

data/lib/git_wit/actions/ssh/sudoers.rb ADDED Viewed

@@ -0,0 +1,94 @@
+module GitWit::Actions::Ssh
+  class Sudoers < Thor::Actions::EmptyDirectory
+    attr_reader :base, :name
+    def initialize(base, name, config = {})
+      @base, @name = base, name
+      @config = {verbose: true}.merge config
+    end
+    def invoke!
+      invoke_with_conflict_check do
+        create
+      end
+    end
+    def revoke!
+      say_status :remove, :red
+      destroy if !pretend? && exists?
+    end
+    def exists?
+      `sudo grep '#{sentinel}' /etc/sudoers &>/dev/null`
+      $?.success?
+    end
+    protected
+    def sentinel
+      "# git_wit sudoers #{name}"
+    end
+    def real_path
+      "/etc/sudoers"
+    end
+    def lock_path
+      "#{real_path}.tmp"
+    end
+    def append(str)
+      `echo '#{str}' | sudo tee -a '#{lock_path}' >/dev/null`
+      raise Thor::Error, "Could not append to #{lock_path}" unless $?.success?
+    end
+    def with_lock(&block)
+      `sudo cp -p '#{real_path}' '#{lock_path}'`
+      unless $?.success?
+        raise Thor::Error, "Could not copy sudoers from #{real_path} to #{lock_path}"
+      end
+      old_destination = base.destination_root
+      Dir.mktmpdir do |dir|
+        base.destination_root = dir
+        yield
+      end
+      base.destination_root = old_destination
+      `sudo visudo -cqf '#{lock_path}'`
+      unless $?.success?
+        raise Thor::Error, "Invalid sudoers lock at #{lock_path}"
+      end
+      out = `sudo cat '#{lock_path}'`
+      raise Thor::Error, "Refusing to install empty sudoers" unless out.present?
+      `sudo mv '#{lock_path}' '#{real_path}'`
+      raise Thor::Error, "Could install sudoers from #{lock_path} to #{real_path}" unless $?.success?
+    ensure
+      `sudo rm -rf '#{lock_path}'`
+    end
+    def create
+      with_lock do
+        base.template "sudoers.tt"
+        append sentinel
+        `cat '#{base.destination_root}/sudoers' | sudo tee -a '#{lock_path}' >/dev/null`
+        raise Thor::Error, "Could not modify #{lock_path}" unless $?.success?
+        append sentinel
+      end
+    end
+    def destroy
+      with_lock do
+        `sudo cat '#{lock_path}' | sed -e '/^#{sentinel}/,/^#{sentinel}/d' > '#{base.destination_root}/sudoers'`
+        `cat '#{base.destination_root}/sudoers' | sudo tee '#{lock_path}' >/dev/null`
+        raise Thor::Error, "Could not modify #{lock_path}" unless $?.success?
+      end
+    end
+    def relative_destination
+      "sudoers #{name}"
+    end
+  end
+end

data/lib/git_wit/auth.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module GitWit
     if config.authenticate.respond_to?(:call)
       return config.authenticate.call(user, password)
     end
-    false
+    config.authenticate
   end
   def self.authorize_write(user, repository)
@@ -23,6 +23,6 @@ module GitWit
   def self.authorize(operation, user, repository)
     cfg = config.send "authorize_#{operation}".to_sym
-    cfg.respond_to?(:call) ? cfg.call(user, repository) : false
+    cfg.respond_to?(:call) ? cfg.call(user, repository) : cfg
   end
 end

data/lib/git_wit/authorized_keys.rb CHANGED Viewed

@@ -1,103 +1,60 @@
-require "tempfile"
-require "authorized_keys"
 module GitWit
-  def self.regenerate_authorized_keys(keymap)
-    key_file = authorized_keys_file
-    key_file.clear do |file|
-      keymap.each do |username, keys|
+  # Public: Determine the path to the authorized_keys file based on the
+  # configuration. If not explicitly configured, the ssh_user's home directory
+  # is used to construct the path by adding ".ssh/authorized_keys".
+  #
+  # Returns the path as a String or nothing if it cannot be determined.
+  def self.authorized_keys_path
+    return config.authorized_keys_path if config.authorized_keys_path.present?
+    if ssh_user.present?
+      File.expand_path(File.join("~#{ssh_user}", ".ssh", "authorized_keys"))
+    end
+  end
+  # Public: Get an authorized_keys file instance.
+  #
+  # Returns an AuthorizedKeys::File instance.
+  # Raises ConfigurationError if the path cannot be determined.
+  def self.authorized_keys_file
+    path = authorized_keys_path
+    return AuthorizedKeys::File.new path if path.present?
+    raise ConfigurationError, "Could not determine path to authorized_keys file"
+  end
+  # Public: Clear out all existing public keys in the authorized_keys file and
+  # add each public key for each user in the key map to the new file.
+  #
+  # keys_map - The Hash of String public key contents, keyed by String username.
+  #
+  # Returns nothing.
+  def self.regenerate_authorized_keys(keys_map)
+    keys_file = authorized_keys_file
+    keys_file.clear do |file|
+      keys_map.each do |username, keys|
         keys.each do |key|
-          key_file.add AuthorizedKeys::Key.shell_key_for_username(username, key)
+          keys_file.add AuthorizedKeys::Key.shell_key_for_username(username, key)
         end
       end
     end
+    nil
   end
+  # Public: Add a public key for a given username to the authorized_keys file.
+  #
+  # username - The String username for the public key owner.
+  # key      - The String public key contents.
+  #
+  # Returns nothing.
   def self.add_authorized_key(username, key)
     authorized_keys_file.add AuthorizedKeys::Key.shell_key_for_username(username, key)
   end
+  # Public: Remove a public key from the authorized_keys file.
+  #
+  # key - The String public key contents.
+  #
+  # Returns nothing.
   def self.remove_authorized_key(key)
     authorized_keys_file.remove key
   end
-  def self.authorized_keys_file
-    AuthorizedKeys::File.new authorized_keys_path
-  end
-  def self.authorized_keys_path
-    config.authorized_keys_path || File.expand_path("~#{ssh_user}/.ssh/authorized_keys")
-  end
-  module AuthorizedKeys
-    class File < ::AuthorizedKeys::File
-      attr_accessor :original_location
-      def keys
-        list = []
-        modify "r" do |file|
-          file.each do |line|
-            list << Key.new(line.chomp)
-          end
-        end
-        list
-      end
-      def remove(key)
-        key = Key.new(key) if key.is_a?(String)
-        cached_keys = keys
-        modify 'w' do |file|
-          cached_keys.each do |k|
-            file.puts k unless key == k
-          end
-        end
-      end
-      def owned?
-        owner == Process.uid
-      end
-      def owner(file = nil)
-        file ||= location
-        ::File.stat(file).uid
-      rescue Errno::EACCES, Errno::ENOENT
-        parent = ::File.dirname file
-        owner parent unless file == parent
-      end
-      def modify(mode, &block)
-        return super if owned? || self.original_location
-        contents = %x(sudo -u "##{owner}" cat "#{location}") unless mode.include? "w"
-        original_owner = owner
-        self.original_location = location
-        tmp = Tempfile.new "git_wit_authorized_keys"
-        self.location = tmp.path
-        tmp.write contents unless mode.include? "w"
-        tmp.close
-        super
-        self.location = original_location
-        if mode != "r"
-          %x(cat "#{tmp.path}" | sudo -u "##{owner}" tee "#{location}" >/dev/null)
-        end
-        tmp.unlink
-        self.original_location = nil
-      end
-      def clear(&block)
-        modify "w", &block
-      end
-    end
-    class Key < ::AuthorizedKeys::Key
-      SHELL_OPTIONS = %w(no-port-forwarding no-X11-forwarding
-        no-agent-forwarding no-pty)
-      def self.shell_key_for_username(username, key, debug = false)
-        key = self.new key if key.is_a? String
-        debug = debug ? "--debug " : ""
-        key.options = [%(command="gw-shell #{debug}#{username}"), *SHELL_OPTIONS]
-        key
-      end
-    end
-  end
 end

data/lib/git_wit/authorized_keys/file.rb ADDED Viewed

@@ -0,0 +1,61 @@
+module GitWit
+  module AuthorizedKeys
+    class File < ::AuthorizedKeys::File
+      attr_accessor :original_location
+      def keys
+        list = []
+        modify "r" do |file|
+          file.each do |line|
+            list << Key.new(line.chomp)
+          end
+        end
+        list
+      end
+      def remove(key)
+        key = Key.new(key) if key.is_a?(String)
+        cached_keys = keys
+        modify 'w' do |file|
+          cached_keys.each do |k|
+            file.puts k unless key == k
+          end
+        end
+      end
+      def owned?
+        owner == Process.uid
+      end
+      def owner(file = nil)
+        file ||= location
+        ::File.stat(file).uid
+      rescue Errno::EACCES, Errno::ENOENT
+        parent = ::File.dirname file
+        owner parent unless file == parent
+      end
+      def modify(mode, &block)
+        return super if owned? || self.original_location
+        contents = %x(sudo -u "##{owner}" cat "#{location}") unless mode.include? "w"
+        original_owner = owner
+        self.original_location = location
+        tmp = Tempfile.new "git_wit_authorized_keys"
+        self.location = tmp.path
+        tmp.write contents unless mode.include? "w"
+        tmp.close
+        super
+        self.location = original_location
+        if mode != "r"
+          %x(cat "#{tmp.path}" | sudo -u "##{owner}" tee "#{location}" >/dev/null)
+        end
+        tmp.unlink
+        self.original_location = nil
+      end
+      def clear(&block)
+        modify "w", &block
+      end
+    end
+  end
+end

data/lib/git_wit/authorized_keys/key.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module GitWit
+  module AuthorizedKeys
+    class Key < ::AuthorizedKeys::Key
+      SHELL_OPTIONS = %w(no-port-forwarding no-X11-forwarding
+        no-agent-forwarding no-pty)
+      def self.shell_key_for_username(username, key, debug = false)
+        key = self.new key if key.is_a? String
+        cmd = debug ? "debug" : "git-shell #{username}"
+        key.options = [%(command="git_wit #{cmd}"), *SHELL_OPTIONS]
+        key
+      end
+    end
+  end
+end

data/lib/git_wit/cli.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require "thor"
+require "git_wit/commands/util"
+require "git_wit/commands/git_shell"
+require "git_wit/commands/debug"
+module GitWit
+  class Cli < Thor
+    include Thor::Actions
+    include Commands::Util
+    include Commands::GitShell
+    include Commands::Debug
+    desc "debug", "debug the SSH configuration"
+    def debug(*args); super; end
+    desc "git-shell USER CMD REPO", "run git-shell CMD as USER in REPO"
+    def git_shell(*args); super; end
+  end
+end

data/lib/git_wit/commands/debug.rb ADDED Viewed

@@ -0,0 +1,21 @@
+module GitWit
+  module Commands
+    module Debug
+      def debug
+        boot_app
+        debug_banner "Start"
+        pp "ENVIRONMENT:", ENV
+        GitWit.configure { |c| pp "GitWit Config:", c }
+        debug_banner "End"
+        $stdout.flush
+        exec_with_sudo!
+      end
+      protected
+      def debug_banner(msg = nil)
+        msg = "#{msg} " if msg.present?
+        puts "\n" * 2 + "*" * 5 + " GitWit DEBUG #{msg}" + "*" * 5 + "\n" * 2
+      end
+    end
+  end
+end

data/lib/git_wit/commands/git_shell.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module GitWit
+  module Commands
+    module GitShell
+      GIT_SHELL_COMMAND_RE = /^(git-[^\s]+)\s+'([^']+\.git)'/
+      GIT_SHELL_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive)
+      def git_shell(user, cmd = nil, repo = nil)
+        @command, @repository, @user = cmd, repo, nil
+        exec_with_sudo!
+        boot_app
+        parse_ssh_original_command if ENV["SSH_ORIGINAL_COMMAND"].present?
+        validate_git_shell_command
+        authenticate user
+        authorize
+        run_git_shell
+      end
+      protected
+      def parse_ssh_original_command
+        m = GIT_SHELL_COMMAND_RE.match ENV["SSH_ORIGINAL_COMMAND"]
+        nothing, @command, @repository = m.to_a if m.present?
+      end
+      def validate_git_shell_command
+        unless GIT_SHELL_COMMANDS.include? @command
+          abort "Unknown git shell command: #{@command}"
+        end
+      end
+      def authenticate(user)
+        @user = GitWit.user_for_authentication user
+        abort "Anonymous access denied via SSH" unless @user.present?
+      end
+      def authorize
+        op = @command == "git-receive-pack" ? :write : :read
+        abort "Unauthorized" unless GitWit.authorize op, @user, @repository
+      end
+      def run_git_shell
+        repo_path = File.expand_path File.join(GitWit.repositories_path, @repository)
+        cmd = [GitWit.git_path, "shell", "-c", "#{@command} '#{repo_path}'"]
+        Rails.logger.info "GitWit SSH cmd: #{cmd.join " "}"
+        exec *cmd
+      end
+    end
+  end
+end

data/lib/git_wit/commands/util.rb ADDED Viewed

@@ -0,0 +1,37 @@
+module GitWit
+  module Commands
+    module Util
+      def exec_with_sudo!(user = app_user)
+        return if running_as?(user)
+        Dir.chdir rails_root
+        ENV["TERM"] = "dumb"
+        cmd = ["sudo", "-u", "##{user}", $PROGRAM_NAME, *ARGV]
+        exec *cmd
+      end
+      def running_as?(user)
+        Process.uid == user
+      end
+      def app_user
+        File.stat(rails_root).uid
+      end
+      def rails_root
+        return File.expand_path(ENV["RAILS_ROOT"]) if ENV["RAILS_ROOT"]
+        return Dir.pwd if File.exist? File.join(Dir.pwd, "config/environment.rb")
+        return File.expand_path("..", ENV["BUNDLE_GEMFILE"]) if ENV["BUNDLE_GEMFILE"]
+        Dir.pwd
+      end
+      def boot_app
+        require File.expand_path File.join(rails_root, "config/environment") unless booted?
+        require "git_wit"
+      end
+      def booted?
+        defined?(Rails)
+      end
+    end
+  end
+end