gitauth 0.0.5.0

data/bin/gitauth-shell

@@ -0,0 +1,30 @@
+#!/usr/bin/env ruby
+
+#--
+#   Copyright (C) 2009 Brown Beagle Software
+#   Copyright (C) 2009 Darcy Laycock <sutto@sutto.net>
+#
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU Affero General Public License for more details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+
+base = __FILE__
+# Get out of symlink-hell and then require the gitauth file.
+base = File.readlink(base) while File.symlink?(base)
+
+require File.expand_path(File.join(File.dirname(base), "..", "lib", "gitauth"))
+
+# Start the cli client.
+GitAuth::Client.start!(ARGV[0], ENV["SSH_ORIGINAL_COMMAND"])
+

data/config.ru

@@ -0,0 +1,22 @@
+vendor_dir = File.join(File.dirname(__FILE__), "vendor")
+
+require File.join(vendor_dir, "rack", "lib", "rack")
+require File.join(vendor_dir, "sinatra", "lib", "sinatra")
+
+require File.join(File.dirname(__FILE__), "lib", "gitauth")
+require GitAuth::BASE_DIR.join("lib", "gitauth", "web_app")
+
+GitAuth::Settings.setup!
+
+output = File.open(GitAuth::Logger.default_logger_path, "a+")
+
+STDOUT.reopen(output)
+STDERR.reopen(output)
+
+{:root => GitAuth::BASE_DIR, :run => false, :env => :production}.each_pair do |key, value|
+  GitAuth::WebApp.configure do
+    set key, value
+  end
+end
+
+run GitAuth::WebApp.new

data/lib/gitauth.rb

@@ -0,0 +1,100 @@
+#--
+#   Copyright (C) 2009 Brown Beagle Software
+#   Copyright (C) 2009 Darcy Laycock <sutto@sutto.net>
+#
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU Affero General Public License for more details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+require 'pathname'
+
+# Prepend lib dir + any vendored lib's to the front of the load
+# path to ensure they're loaded first.
+$LOAD_PATH.unshift(*Dir[Pathname(__FILE__).dirname.join("../{lib,vendor/*/lib}").expand_path])
+
+require 'perennial'
+
+module GitAuth
+  include Perennial
+  include Loggable
+  
+  VERSION     = [0, 0, 5, 0]
+  BASE_DIR    = Pathname(__FILE__).dirname.join("..").expand_path
+  GITAUTH_DIR = Pathname("~/.gitauth/").expand_path
+  
+  manifest do |m, l|
+    Settings.root                  = File.dirname(__FILE__)
+    Settings.default_settings_path = GITAUTH_DIR.join("settings.yml")
+    Settings.lookup_key_path       = []
+    Logger.default_logger_path     = GITAUTH_DIR.join("gitauth.log")
+    # Register stuff on the loader.
+    l.register_controller :web_app, 'GitAuth::WebApp'
+    l.before_run { GitAuth.prepare }
+  end
+  
+  require 'gitauth/message'        # Basic error messages etc (as of yet unushed)
+  require 'gitauth/saveable_class' # Simple YAML store for dumpables classes
+  require 'gitauth/repo'           # The basic GitAuth repo object
+  require 'gitauth/user'           # The basic GitAuth user object
+  require 'gitauth/group'          # The basic GitAuth group object (collection of users)
+  require 'gitauth/command'        # Processes / filters commands
+  require 'gitauth/client'         # Handles the actual SSH interaction / bringing it together
+  
+  autoload :AuthSetupMiddleware,  'gitauth/auth_setup_middleware'
+  autoload :ApacheAuthentication, 'gitauth/apache_authentication'
+  autoload :WebApp,               'gitauth/web_app'
+  
+  class << self
+    
+    def prepare
+      GitAuth::Settings.setup!
+      reload_models!
+    end
+    
+    def version
+      VERSION.join(".")
+    end
+    
+    def msg(type, message)
+      Message.new(type, message)
+    end
+
+    def get_user_or_group(name)
+      name = name.to_s.strip
+      return if name.empty?
+      (name =~ /^@/ ? Group : User).get(name)
+    end
+
+    def has_git?
+      !`which git`.blank?
+    end
+
+    def each_model(method = nil, &blk)
+      [Repo, User, Group].each { |m| m.send(method) } if method.present?
+      [Repo, User, Group].each(&blk) unless blk.nil?
+    end
+    
+    def reload_models!
+      each_model(:load!)
+    end
+    
+    def run(command)
+      GitAuth::Logger.info "Running command: #{command}"
+      result = system "#{command} 2> /dev/null 1> /dev/null"
+      GitAuth::Logger.info "Command was #{"not " if !result}successful"
+      return result
+    end
+    
+  end
+  
+end

data/lib/gitauth/apache_authentication.rb

@@ -0,0 +1,64 @@
+require 'fileutils'
+require 'digest/sha2'
+
+module GitAuth
+  class ApacheAuthentication
+    PUBLIC_DIR = GitAuth::BASE_DIR.join("public")
+    
+    class << self
+      
+      def setup?
+        PUBLIC_DIR.join(".htaccess").file? && PUBLIC_DIR.join(".htpasswd").file?
+      end
+      
+      def setup
+        GitAuth::WebApp.check_auth
+        puts "To continue, we require you re-enter the password you wish to use."
+        raw_password  = ''
+        password_hash = ''
+        existing_hash = GitAuth::Settings.web_password_hash
+        while raw_password.blank? && password_hash != existing_hash
+          raw_password  = read_password('GitAuth Password: ')
+          password_hash = sha256_password(raw_password)
+          if raw_password.blank?
+            puts "You need to provide a password, please try again"
+          elsif password_hash != existing_hash
+            puts "Your password doesn't match the stored password. Please try again."
+          end
+        end
+        raw_username = GitAuth::Settings.web_username
+        encoded_password = "{SHA}#{[Digest::SHA1.digest(raw_password)].pack('m').strip}"
+        File.open(PUBLIC_DIR.join(".htpasswd"), "w+") do |file|
+          file.puts "#{raw_username}:#{encoded_password}"
+        end
+        File.open(PUBLIC_DIR.join(".htaccess"), "w+") do |file|
+          file.puts "AuthType Basic"
+          file.puts "AuthName \"GitAuth\""
+          file.puts "AuthUserFile #{PUBLIC_DIR.join(".htpasswd").expand_path}"
+          file.puts "Require valid-user"
+        end
+      end
+      
+      def remove
+        PUBLIC_DIR.join(".htaccess").delete
+        PUBLIC_DIR.join(".htpasswd").delete
+      rescue Errno::ENOENT
+      end
+      
+      protected
+      
+      def read_password(text)
+        system "stty -echo" 
+        password = Readline.readline(text)
+        system "stty echo"
+        print "\n"
+        return password
+      end
+      
+      def sha256_password(pass)
+        Digest::SHA256.hexdigest(pass)
+      end
+      
+    end
+  end
+end

data/lib/gitauth/auth_setup_middleware.rb

@@ -0,0 +1,44 @@
+#--
+#   Copyright (C) 2009 Brown Beagle Software
+#   Copyright (C) 2009 Darcy Laycock <sutto@sutto.net>
+#
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU Affero General Public License for more details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+module GitAuth
+  class AuthSetupMiddleware
+    
+    def initialize(app)
+      @app = app
+      @files = Rack::File.new(GitAuth::BASE_DIR.join("public").to_s)
+    end
+    
+    def call(env)
+      dup._call(env)
+    end
+    
+    def _call(env)
+      if GitAuth::WebApp.has_auth?
+        @app.call(env)
+      elsif env["PATH_INFO"].include?("/gitauth.css")
+        @files.call(env)
+      else
+        content = ERB.new(File.read(GitAuth::BASE_DIR.join("views", "auth_setup.erb"))).result
+        headers = {"Content-Type" => "text/html", "Content-Length" => Rack::Utils.bytesize(content).to_s}
+        [403, headers, [content]]
+      end
+    end
+    
+  end
+end

data/lib/gitauth/client.rb

@@ -0,0 +1,95 @@
+#--
+#   Copyright (C) 2009 Brown Beagle Software
+#   Copyright (C) 2009 Darcy Laycock <sutto@sutto.net>
+#   Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies)
+#   Copyright (C) 2007, 2008 Johan Sørensen <johan@johansorensen.com>
+#   Copyright (C) 2008 Tor Arne Vestbø <tavestbo@trolltech.com>
+#
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU Affero General Public License for more details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+module GitAuth
+  class Client
+    include GitAuth::Loggable
+    
+    attr_accessor :user, :command
+    
+    def initialize(user_name, command)
+      logger.debug "Initializing client with command: #{command.inspect} and user name #{user_name.inspect}"
+      @callbacks = Hash.new { |h,k| h[k] = [] }
+      @user      = GitAuth::User.get(user_name.to_s.strip)
+      @command   = command
+    end
+    
+    def exit_with_error(error)
+      logger.warn "Exiting with error: #{error}"
+      $stderr.puts error
+      exit! 1
+    end
+    
+    def run!
+      if @user.nil?
+        exit_with_error "An invalid user / key was used. Please ensure it is setup with GitAuth"
+      elsif @command.to_s.strip.empty?
+        if user.shell_accessible?
+          exec(ENV["SHELL"])
+        else
+          exit_with_error "SSH_ORIGINAL_COMMAND is needed, mmmkay?"
+        end
+      else
+        command   = Command.parse(@command)
+        repo      = command.bad? ? nil : Repo.get(extract_repo_name(command))
+        if command.bad?
+          if user.shell_accessible?
+            exec(@command)
+          else
+            exit_with_error "Invalid ssh command - Access Denied"
+          end
+        elsif repo.nil?
+          exit_with_error "Unable to push to a non-existant repository"
+        elsif user.can_execute?(command, repo)
+          git_shell_argument = "#{command.verb} '#{repo.real_path}'"
+          logger.info "Running command: #{git_shell_argument} for user: #{@user.name}"
+          exec("git-shell", "-c", git_shell_argument)
+        else
+          exit_with_error "Unable to execute command on this repository"
+        end
+      end
+    rescue Exception => e
+      logger.fatal "Exception: #{e.class.name}: #{e.message}"
+      e.backtrace.each do |l|
+        logger.fatal "  => #{l}"
+      end
+      exit_with_error "Exception raised - Please check your gitauth log / contact an administrator"
+    end
+    
+    def self.start!(user, command)
+      # Gitorious does it so I should too!
+      File.umask(0022)
+      # Setup models etc
+      GitAuth.prepare
+      # Finally, create and initialize
+      client = self.new(user, command)
+      yield client if block_given?
+      client.run!
+    end
+    
+    protected
+    
+    def extract_repo_name(command)
+      command.path.gsub(/\.git$/, "")
+    end
+    
+  end
+end

data/lib/gitauth/command.rb

@@ -0,0 +1,101 @@
+#--
+#   Copyright (C) 2009 Brown Beagle Software
+#   Copyright (C) 2009 Darcy Laycock <sutto@sutto.net>
+#   Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies)
+#   Copyright (C) 2007, 2008 Johan Sørensen <johan@johansorensen.com>
+#   Copyright (C) 2008 Tim Dysinger <tim@dysinger.net>
+#   Copyright (C) 2008 Tor Arne Vestbø <tavestbo@trolltech.com>
+#
+#   This program is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU Affero General Public License for more details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#++
+
+# This along with the associated gitauth-shell command are inspired by
+# (and essentially, derived from) gitosis (http://eagain.net/gitweb/?p=gitosis.git)
+# and gitorius (http://gitorius.org)
+# Gitosis is of this writing licensed under the GPLv2 and is copyright (c) Tommi Virtanen
+# and can be found at http://eagain.net/gitweb/?p=gitosis.git
+# GitAuth::Command is licensed under the same license
+
+module GitAuth
+  class Command
+    
+    # Standard Commands
+    READ_COMMANDS  = ["git-upload-pack", "git upload-pack"]
+    WRITE_COMMANDS = ["git-receive-pack", "git receive-pack"]
+    PATH_REGEXP    = /^'([\w\_\-\~\.\+\/]+\/)?([\w\_\-\.\+]+(\.git)?)'$/i.freeze
+    
+    attr_reader :path, :verb, :command
+    
+    def initialize(command)
+      @command     = command
+      @verb        = nil
+      @argument    = nil
+      @path        = nil
+      @bad_command = true
+    end
+    
+    def bad?
+      @bad_command
+    end
+    
+    def write?
+      !bad? && @verb_type == :write
+    end
+    
+    def read?
+      !bad? && !write?
+    end
+    
+    def process
+      return if @command.include?("\n") || @command !~ /^git[ \-]/i
+      @verb, @argument = split_command
+      return if @argument.nil? || @argument.is_a?(Array) 
+      # Check if it's read / write
+      if READ_COMMANDS.include?(@verb)
+        @verb_type = :read
+      elsif WRITE_COMMANDS.include?(@verb)
+        @verb_type = :write
+      else
+        return
+      end
+      if PATH_REGEXP =~ @argument
+        @path = $2
+        return unless @path
+      else
+        return
+      end
+      @bad_command = false
+    end
+    
+    def self.parse(command)
+      command = self.new(command)
+      command.process
+      command
+    end
+    
+    protected
+    
+    def split_command
+      parts = @command.split(" ")
+      if parts.size == 3
+        ["#{parts[0]} #{parts[1]}", parts[2]]
+      elsif parts.size == 2
+        parts
+      else
+        raise BadCommandError
+      end
+    end
+    
+  end
+end