RubyGems - git_wit - Versions diffs - 0.0.3 → 0.0.4.pre - Mend

git_wit 0.0.3 → 0.0.4.pre

Files changed (195) hide show

data/lib/git_wit/actions/ssh/sudoers.rb ADDED Viewed

@@ -0,0 +1,94 @@
+module GitWit::Actions::Ssh
+  class Sudoers < Thor::Actions::EmptyDirectory
+    attr_reader :base, :name
+    def initialize(base, name, config = {})
+      @base, @name = base, name
+      @config = {verbose: true}.merge config
+    end
+    def invoke!
+      invoke_with_conflict_check do
+        create
+      end
+    end
+    def revoke!
+      say_status :remove, :red
+      destroy if !pretend? && exists?
+    end
+    def exists?
+      `sudo grep '#{sentinel}' /etc/sudoers &>/dev/null`
+      $?.success?
+    end
+    protected
+    def sentinel
+      "# git_wit sudoers #{name}"
+    end
+    def real_path
+      "/etc/sudoers"
+    end
+    def lock_path
+      "#{real_path}.tmp"
+    end
+    def append(str)
+      `echo '#{str}' | sudo tee -a '#{lock_path}' >/dev/null`
+      raise Thor::Error, "Could not append to #{lock_path}" unless $?.success?
+    end
+    def with_lock(&block)
+      `sudo cp -p '#{real_path}' '#{lock_path}'`
+      unless $?.success?
+        raise Thor::Error, "Could not copy sudoers from #{real_path} to #{lock_path}"
+      end
+      old_destination = base.destination_root
+      Dir.mktmpdir do |dir|
+        base.destination_root = dir
+        yield
+      end
+      base.destination_root = old_destination
+      `sudo visudo -cqf '#{lock_path}'`
+      unless $?.success?
+        raise Thor::Error, "Invalid sudoers lock at #{lock_path}"
+      end
+      out = `sudo cat '#{lock_path}'`
+      raise Thor::Error, "Refusing to install empty sudoers" unless out.present?
+      `sudo mv '#{lock_path}' '#{real_path}'`
+      raise Thor::Error, "Could install sudoers from #{lock_path} to #{real_path}" unless $?.success?
+    ensure
+      `sudo rm -rf '#{lock_path}'`
+    end
+    def create
+      with_lock do
+        base.template "sudoers.tt"
+        append sentinel
+        `cat '#{base.destination_root}/sudoers' | sudo tee -a '#{lock_path}' >/dev/null`
+        raise Thor::Error, "Could not modify #{lock_path}" unless $?.success?
+        append sentinel
+      end
+    end
+    def destroy
+      with_lock do
+        `sudo cat '#{lock_path}' | sed -e '/^#{sentinel}/,/^#{sentinel}/d' > '#{base.destination_root}/sudoers'`
+        `cat '#{base.destination_root}/sudoers' | sudo tee '#{lock_path}' >/dev/null`
+        raise Thor::Error, "Could not modify #{lock_path}" unless $?.success?
+      end
+    end
+    def relative_destination
+      "sudoers #{name}"
+    end
+  end
+end

data/lib/git_wit/auth.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module GitWit
     if config.authenticate.respond_to?(:call)
       return config.authenticate.call(user, password)
     end
-    false
+    config.authenticate
   end
   def self.authorize_write(user, repository)
@@ -23,6 +23,6 @@ module GitWit
   def self.authorize(operation, user, repository)
     cfg = config.send "authorize_#{operation}".to_sym
-    cfg.respond_to?(:call) ? cfg.call(user, repository) : false
+    cfg.respond_to?(:call) ? cfg.call(user, repository) : cfg
   end
 end

data/lib/git_wit/authorized_keys.rb CHANGED Viewed

@@ -1,103 +1,60 @@
-require "tempfile"
-require "authorized_keys"
 module GitWit
-  def self.regenerate_authorized_keys(keymap)
-    key_file = authorized_keys_file
-    key_file.clear do |file|
-      keymap.each do |username, keys|
+  # Public: Determine the path to the authorized_keys file based on the
+  # configuration. If not explicitly configured, the ssh_user's home directory
+  # is used to construct the path by adding ".ssh/authorized_keys".
+  #
+  # Returns the path as a String or nothing if it cannot be determined.
+  def self.authorized_keys_path
+    return config.authorized_keys_path if config.authorized_keys_path.present?
+    if ssh_user.present?
+      File.expand_path(File.join("~#{ssh_user}", ".ssh", "authorized_keys"))
+    end
+  end
+  # Public: Get an authorized_keys file instance.
+  #
+  # Returns an AuthorizedKeys::File instance.
+  # Raises ConfigurationError if the path cannot be determined.
+  def self.authorized_keys_file
+    path = authorized_keys_path
+    return AuthorizedKeys::File.new path if path.present?
+    raise ConfigurationError, "Could not determine path to authorized_keys file"
+  end
+  # Public: Clear out all existing public keys in the authorized_keys file and
+  # add each public key for each user in the key map to the new file.
+  #
+  # keys_map - The Hash of String public key contents, keyed by String username.
+  #
+  # Returns nothing.
+  def self.regenerate_authorized_keys(keys_map)
+    keys_file = authorized_keys_file
+    keys_file.clear do |file|
+      keys_map.each do |username, keys|
         keys.each do |key|
-          key_file.add AuthorizedKeys::Key.shell_key_for_username(username, key)
+          keys_file.add AuthorizedKeys::Key.shell_key_for_username(username, key)
         end
       end
     end
+    nil
   end
+  # Public: Add a public key for a given username to the authorized_keys file.
+  #
+  # username - The String username for the public key owner.
+  # key      - The String public key contents.
+  #
+  # Returns nothing.
   def self.add_authorized_key(username, key)
     authorized_keys_file.add AuthorizedKeys::Key.shell_key_for_username(username, key)
   end
+  # Public: Remove a public key from the authorized_keys file.
+  #
+  # key - The String public key contents.
+  #
+  # Returns nothing.
   def self.remove_authorized_key(key)
     authorized_keys_file.remove key
   end
-  def self.authorized_keys_file
-    AuthorizedKeys::File.new authorized_keys_path
-  end
-  def self.authorized_keys_path
-    config.authorized_keys_path || File.expand_path("~#{ssh_user}/.ssh/authorized_keys")
-  end
-  module AuthorizedKeys
-    class File < ::AuthorizedKeys::File
-      attr_accessor :original_location
-      def keys
-        list = []
-        modify "r" do |file|
-          file.each do |line|
-            list << Key.new(line.chomp)
-          end
-        end
-        list
-      end
-      def remove(key)
-        key = Key.new(key) if key.is_a?(String)
-        cached_keys = keys
-        modify 'w' do |file|
-          cached_keys.each do |k|
-            file.puts k unless key == k
-          end
-        end
-      end
-      def owned?
-        owner == Process.uid
-      end
-      def owner(file = nil)
-        file ||= location
-        ::File.stat(file).uid
-      rescue Errno::EACCES, Errno::ENOENT
-        parent = ::File.dirname file
-        owner parent unless file == parent
-      end
-      def modify(mode, &block)
-        return super if owned? || self.original_location
-        contents = %x(sudo -u "##{owner}" cat "#{location}") unless mode.include? "w"
-        original_owner = owner
-        self.original_location = location
-        tmp = Tempfile.new "git_wit_authorized_keys"
-        self.location = tmp.path
-        tmp.write contents unless mode.include? "w"
-        tmp.close
-        super
-        self.location = original_location
-        if mode != "r"
-          %x(cat "#{tmp.path}" | sudo -u "##{owner}" tee "#{location}" >/dev/null)
-        end
-        tmp.unlink
-        self.original_location = nil
-      end
-      def clear(&block)
-        modify "w", &block
-      end
-    end
-    class Key < ::AuthorizedKeys::Key
-      SHELL_OPTIONS = %w(no-port-forwarding no-X11-forwarding
-        no-agent-forwarding no-pty)
-      def self.shell_key_for_username(username, key, debug = false)
-        key = self.new key if key.is_a? String
-        debug = debug ? "--debug " : ""
-        key.options = [%(command="gw-shell #{debug}#{username}"), *SHELL_OPTIONS]
-        key
-      end
-    end
-  end
 end

data/lib/git_wit/authorized_keys/file.rb ADDED Viewed

@@ -0,0 +1,61 @@
+module GitWit
+  module AuthorizedKeys
+    class File < ::AuthorizedKeys::File
+      attr_accessor :original_location
+      def keys
+        list = []
+        modify "r" do |file|
+          file.each do |line|
+            list << Key.new(line.chomp)
+          end
+        end
+        list
+      end
+      def remove(key)
+        key = Key.new(key) if key.is_a?(String)
+        cached_keys = keys
+        modify 'w' do |file|
+          cached_keys.each do |k|
+            file.puts k unless key == k
+          end
+        end
+      end
+      def owned?
+        owner == Process.uid
+      end
+      def owner(file = nil)
+        file ||= location
+        ::File.stat(file).uid
+      rescue Errno::EACCES, Errno::ENOENT
+        parent = ::File.dirname file
+        owner parent unless file == parent
+      end
+      def modify(mode, &block)
+        return super if owned? || self.original_location
+        contents = %x(sudo -u "##{owner}" cat "#{location}") unless mode.include? "w"
+        original_owner = owner
+        self.original_location = location
+        tmp = Tempfile.new "git_wit_authorized_keys"
+        self.location = tmp.path
+        tmp.write contents unless mode.include? "w"
+        tmp.close
+        super
+        self.location = original_location
+        if mode != "r"
+          %x(cat "#{tmp.path}" | sudo -u "##{owner}" tee "#{location}" >/dev/null)
+        end
+        tmp.unlink
+        self.original_location = nil
+      end
+      def clear(&block)
+        modify "w", &block
+      end
+    end
+  end
+end

data/lib/git_wit/authorized_keys/key.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module GitWit
+  module AuthorizedKeys
+    class Key < ::AuthorizedKeys::Key
+      SHELL_OPTIONS = %w(no-port-forwarding no-X11-forwarding
+        no-agent-forwarding no-pty)
+      def self.shell_key_for_username(username, key, debug = false)
+        key = self.new key if key.is_a? String
+        cmd = debug ? "debug" : "git-shell #{username}"
+        key.options = [%(command="git_wit #{cmd}"), *SHELL_OPTIONS]
+        key
+      end
+    end
+  end
+end

data/lib/git_wit/cli.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require "thor"
+require "git_wit/commands/util"
+require "git_wit/commands/git_shell"
+require "git_wit/commands/debug"
+module GitWit
+  class Cli < Thor
+    include Thor::Actions
+    include Commands::Util
+    include Commands::GitShell
+    include Commands::Debug
+    desc "debug", "debug the SSH configuration"
+    def debug(*args); super; end
+    desc "git-shell USER CMD REPO", "run git-shell CMD as USER in REPO"
+    def git_shell(*args); super; end
+  end
+end

data/lib/git_wit/commands/debug.rb ADDED Viewed

@@ -0,0 +1,21 @@
+module GitWit
+  module Commands
+    module Debug
+      def debug
+        boot_app
+        debug_banner "Start"
+        pp "ENVIRONMENT:", ENV
+        GitWit.configure { |c| pp "GitWit Config:", c }
+        debug_banner "End"
+        $stdout.flush
+        exec_with_sudo!
+      end
+      protected
+      def debug_banner(msg = nil)
+        msg = "#{msg} " if msg.present?
+        puts "\n" * 2 + "*" * 5 + " GitWit DEBUG #{msg}" + "*" * 5 + "\n" * 2
+      end
+    end
+  end
+end

data/lib/git_wit/commands/git_shell.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module GitWit
+  module Commands
+    module GitShell
+      GIT_SHELL_COMMAND_RE = /^(git-[^\s]+)\s+'([^']+\.git)'/
+      GIT_SHELL_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive)
+      def git_shell(user, cmd = nil, repo = nil)
+        @command, @repository, @user = cmd, repo, nil
+        exec_with_sudo!
+        boot_app
+        parse_ssh_original_command if ENV["SSH_ORIGINAL_COMMAND"].present?
+        validate_git_shell_command
+        authenticate user
+        authorize
+        run_git_shell
+      end
+      protected
+      def parse_ssh_original_command
+        m = GIT_SHELL_COMMAND_RE.match ENV["SSH_ORIGINAL_COMMAND"]
+        nothing, @command, @repository = m.to_a if m.present?
+      end
+      def validate_git_shell_command
+        unless GIT_SHELL_COMMANDS.include? @command
+          abort "Unknown git shell command: #{@command}"
+        end
+      end
+      def authenticate(user)
+        @user = GitWit.user_for_authentication user
+        abort "Anonymous access denied via SSH" unless @user.present?
+      end
+      def authorize
+        op = @command == "git-receive-pack" ? :write : :read
+        abort "Unauthorized" unless GitWit.authorize op, @user, @repository
+      end
+      def run_git_shell
+        repo_path = File.expand_path File.join(GitWit.repositories_path, @repository)
+        cmd = [GitWit.git_path, "shell", "-c", "#{@command} '#{repo_path}'"]
+        Rails.logger.info "GitWit SSH cmd: #{cmd.join " "}"
+        exec *cmd
+      end
+    end
+  end
+end

data/lib/git_wit/commands/util.rb ADDED Viewed

@@ -0,0 +1,37 @@
+module GitWit
+  module Commands
+    module Util
+      def exec_with_sudo!(user = app_user)
+        return if running_as?(user)
+        Dir.chdir rails_root
+        ENV["TERM"] = "dumb"
+        cmd = ["sudo", "-u", "##{user}", $PROGRAM_NAME, *ARGV]
+        exec *cmd
+      end
+      def running_as?(user)
+        Process.uid == user
+      end
+      def app_user
+        File.stat(rails_root).uid
+      end
+      def rails_root
+        return File.expand_path(ENV["RAILS_ROOT"]) if ENV["RAILS_ROOT"]
+        return Dir.pwd if File.exist? File.join(Dir.pwd, "config/environment.rb")
+        return File.expand_path("..", ENV["BUNDLE_GEMFILE"]) if ENV["BUNDLE_GEMFILE"]
+        Dir.pwd
+      end
+      def boot_app
+        require File.expand_path File.join(rails_root, "config/environment") unless booted?
+        require "git_wit"
+      end
+      def booted?
+        defined?(Rails)
+      end
+    end
+  end
+end