gritano 0.1.2

data/features/data/keys/full_authorized_keys

@@ -0,0 +1,2 @@
+command="gritano-check igorbonadio" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFW6Du1iXTyo44g+7R4DNgm4P1fQIiW/iGRFwHJTV1jaPX74VwNq7tC1kBSdPS4+Q9f24wJC1MhWzLxB40BFdqn519JhhV+/1IWZdY/UJ0D5KiUw38U7QPzMM2uA0l0JeB+FwZAl/Oiu/ty3Fq0JsuqsolehIbRRLeiJiwrn1XC5LdhA81b2WBzM8SSFgAaXPimuLBXYJyYrcTR5SXczZvgkWojQEvk7wCavvDzFpy/DtXUFv0ZwUJILhN23cW3mg1IsGMXg7hOQfp67J6cX212YYXhDe+5sI3UpFWKCHcyxv3EdL8rQ/3DLSELkTwWHPRqDhn1wnPmfJlj8ZfbpyX git2@debian-ror
+command="gritano-check jessicaeto" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ4WqIu8XwnHwBz220/1Kbgi1IR7aanq8hW1dB0LD2dmCSyojBvduoht4p7+3k2R6A5y2DZvTetzEios9OFUnCC+4U8g2GTc+zGM0W+msCb6yWnpfYaIwHVuFtsid7lyWOCEYLi2WbNZxfAx0PbwIcHMoYWc9sil3R/YwLGorvQDGH0rFcf6BOMzVMDRD0yPvuN3xgAtBOxrSRl0U4dH+3fAQ9oKLePmouzLrrKvRmyVwl/rHNod8ae5VmmAalC+wXIsiQAI92Hwew757HzhY45wWtjOsdBBf45Psv7BkB1OqGxMfwysO5iwhY3HPTJs70K22K2DARpejFq8Bd8PyV git2@debian-ror

data/features/data/keys/igorbonadio.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFW6Du1iXTyo44g+7R4DNgm4P1fQIiW/iGRFwHJTV1jaPX74VwNq7tC1kBSdPS4+Q9f24wJC1MhWzLxB40BFdqn519JhhV+/1IWZdY/UJ0D5KiUw38U7QPzMM2uA0l0JeB+FwZAl/Oiu/ty3Fq0JsuqsolehIbRRLeiJiwrn1XC5LdhA81b2WBzM8SSFgAaXPimuLBXYJyYrcTR5SXczZvgkWojQEvk7wCavvDzFpy/DtXUFv0ZwUJILhN23cW3mg1IsGMXg7hOQfp67J6cX212YYXhDe+5sI3UpFWKCHcyxv3EdL8rQ/3DLSELkTwWHPRqDhn1wnPmfJlj8ZfbpyX git2@debian-ror

data/features/data/keys/igorbonadio_authorized_keys

@@ -0,0 +1 @@
+command="gritano-check igorbonadio" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFW6Du1iXTyo44g+7R4DNgm4P1fQIiW/iGRFwHJTV1jaPX74VwNq7tC1kBSdPS4+Q9f24wJC1MhWzLxB40BFdqn519JhhV+/1IWZdY/UJ0D5KiUw38U7QPzMM2uA0l0JeB+FwZAl/Oiu/ty3Fq0JsuqsolehIbRRLeiJiwrn1XC5LdhA81b2WBzM8SSFgAaXPimuLBXYJyYrcTR5SXczZvgkWojQEvk7wCavvDzFpy/DtXUFv0ZwUJILhN23cW3mg1IsGMXg7hOQfp67J6cX212YYXhDe+5sI3UpFWKCHcyxv3EdL8rQ/3DLSELkTwWHPRqDhn1wnPmfJlj8ZfbpyX git2@debian-ror

data/features/data/keys/jessicaeto.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ4WqIu8XwnHwBz220/1Kbgi1IR7aanq8hW1dB0LD2dmCSyojBvduoht4p7+3k2R6A5y2DZvTetzEios9OFUnCC+4U8g2GTc+zGM0W+msCb6yWnpfYaIwHVuFtsid7lyWOCEYLi2WbNZxfAx0PbwIcHMoYWc9sil3R/YwLGorvQDGH0rFcf6BOMzVMDRD0yPvuN3xgAtBOxrSRl0U4dH+3fAQ9oKLePmouzLrrKvRmyVwl/rHNod8ae5VmmAalC+wXIsiQAI92Hwew757HzhY45wWtjOsdBBf45Psv7BkB1OqGxMfwysO5iwhY3HPTJs70K22K2DARpejFq8Bd8PyV git2@debian-ror

data/features/data/keys/jessicaeto_authorized_keys

@@ -0,0 +1 @@
+command="gritano-check jessicaeto" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ4WqIu8XwnHwBz220/1Kbgi1IR7aanq8hW1dB0LD2dmCSyojBvduoht4p7+3k2R6A5y2DZvTetzEios9OFUnCC+4U8g2GTc+zGM0W+msCb6yWnpfYaIwHVuFtsid7lyWOCEYLi2WbNZxfAx0PbwIcHMoYWc9sil3R/YwLGorvQDGH0rFcf6BOMzVMDRD0yPvuN3xgAtBOxrSRl0U4dH+3fAQ9oKLePmouzLrrKvRmyVwl/rHNod8ae5VmmAalC+wXIsiQAI92Hwew757HzhY45wWtjOsdBBf45Psv7BkB1OqGxMfwysO5iwhY3HPTJs70K22K2DARpejFq8Bd8PyV git2@debian-ror

data/features/keys.feature

@@ -0,0 +1,31 @@
+Feature: Keys
+  In Order to restrict access to repositories
+  As Gritano
+  I want to manage user's keys
+
+  Background:
+    Given the following users exist:
+      | login       |
+      | igorbonadio |
+      | jessicaeto  |
+
+  Scenario Outline: Add user key
+    Given I add "<key>" key to "<user>"
+    When I generate the authorized_keys
+    Then I should see "<authorized_keys>" authorized_keys
+    Examples:
+      | user | key | authorized_keys |
+      | igorbonadio | igorbonadio.pub | igorbonadio_authorized_keys |
+      | jessicaeto  | jessicaeto.pub  | jessicaeto_authorized_keys  |
+
+  Scenario: Generate autorized_keys
+    Given I add "igorbonadio.pub" key to "igorbonadio"
+    And I add "jessicaeto.pub" key to "jessicaeto"
+    When I generate the authorized_keys
+    Then I should see "full_authorized_keys" authorized_keys
+    
+  Scenario: Duplicated keys
+    Given I add "igorbonadio.pub" key to "igorbonadio"
+    When I add "igorbonadio.pub" key to "igorbonadio"
+    Then I should see that "igorbonadio" has only one key
+

data/features/polices.feature

@@ -0,0 +1,55 @@
+Feature: Policies
+	In order to restrict access to repositories
+	As Gritano
+	I want to create policies
+	
+	Background:
+		Given the following users exist:
+		  | login       |
+		  | igorbonadio |
+		  | jessicaeto  |
+		  
+	  And the following repositories exist:
+	    | name            |
+	    | tmp/gritano.git |
+	    | tmp/jeka.git    |
+	    
+	  And the following permissions exist:
+	     | user        | repo            | access |
+	     | igorbonadio | tmp/gritano.git | read   |
+	     | igorbonadio | tmp/gritano.git | write  |
+	     | igorbonadio | tmp/jeka.git    | read   |
+	     | jessicaeto  | tmp/jeka.git    | read   |
+	     | jessicaeto  | tmp/jeka.git    | write  |
+	     
+	Scenario Outline: Create a new user
+		Given I create a new user called "<user>"
+		When I check if "<user>" has <access> access to "<repo>"
+		Then I should see that the access is <result>
+		Examples:
+		  | user       | access | repo            | result |
+		  | arybonadio | read   | tmp/gritano.git | denied |
+		  | arybonadio | write  | tmp/gritano.git | denied |
+		
+	Scenario Outline: Create a new repository
+		Given I create a new repository called "<repo>" to "<user>"
+		Then I should see that only "<user>" has access to "<repo>"
+		Examples:
+		  | user        | repo           |
+		  | igorbonadio | tmp/p-lang.git |
+		  | jessicaeto  | tmp/pabel.git  |
+		
+	Scenario Outline: Edit access permission
+		Given I <op> "<user>" <permission> access to "<repo>"
+		When I check if "<user>" has <access> access to "<repo>"
+		Then I should see that the access is <result>
+		Examples:
+		  | op     | user        | permission | repo         | access | result  |
+		  | add    | igorbonadio | read       | tmp/jeka.git | read   | allowed |
+		  | add    | igorbonadio | read       | tmp/jeka.git | write  | denied  |
+		  | add    | igorbonadio | write      | tmp/jeka.git | read   | allowed |
+		  | add    | igorbonadio | write      | tmp/jeka.git | write  | allowed |
+		  | remove | jessicaeto  | read       | tmp/jeka.git | read   | denied  |
+		  | remove | jessicaeto  | read       | tmp/jeka.git | write  | allowed |
+		  | remove | jessicaeto  | write      | tmp/jeka.git | read   | allowed |
+		  | remove | jessicaeto  | write      | tmp/jeka.git | write  | denied  |

data/features/step_definitions/command_step.rb

@@ -0,0 +1,8 @@
+When /^I receive a "(.*?)" command$/ do |cmd|
+  @access, @git_command, @repo = Gritano::Command.eval(cmd)
+end
+
+Then /^I should see that it is a "(.*?)" access to "(.*?)"$/ do |access, repo|
+  @access.to_s.should be == access
+  @repo.to_s.should be == repo
+end

data/features/step_definitions/console_step.rb

@@ -0,0 +1,14 @@
+Given /^I start the gritano console$/ do
+  @console = Gritano::Console.new
+  @console.ssh_path = 'tmp'
+end
+
+When /^I execute "(.*?)"$/ do |command|
+  @output = @console.execute(command.split(' '))
+end
+
+Then /^I should see a (success|error) message$/ do |ret|
+  expected_output = true if ret == 'success'
+  expected_output = false if ret == 'error'
+  @output.should be == expected_output
+end

data/features/step_definitions/keys_steps.rb

@@ -0,0 +1,23 @@
+Given /^the following keys exist:$/ do |table|
+  table.hashes.each do |key|
+    Gritano::User.find_by_login(key['login']).keys.create(name: key["key"], key: "key")
+  end
+end
+
+Given /^I add "(.*?)" key to "(.*?)"$/ do |key, login|
+  ssh_key = File.open(File.join("features/data/keys/", key)).readlines.join
+  Gritano::User.find_by_login(login).keys.create({name: key, key: ssh_key})
+end
+
+When /^I generate the authorized_keys$/ do
+  @authorized_keys = Gritano::Key.authorized_keys
+end
+
+Then /^I should see "(.*?)" authorized_keys$/ do |authorized_keys|
+  expected_authorized_keys = File.open(File.join("features/data/keys/", authorized_keys)).readlines.join
+  @authorized_keys.should be == expected_authorized_keys
+end
+
+Then /^I should see that "(.*?)" has only one key$/ do |login|
+  Gritano::User.find_by_login(login).keys.count.should be == 1
+end

data/features/step_definitions/polices_steps.rb

@@ -0,0 +1,54 @@
+Given /^the following users exist:$/ do |table|
+  table.hashes.each do |user|
+    Gritano::User.create(user)
+  end
+end
+
+Given /^the following repositories exist:$/ do |table|
+  table.hashes.each do |repo|
+    Gritano::Repository.create(repo)
+  end
+end
+
+Given /^the following permissions exist:$/ do |table|
+  table.hashes.each do |permission|
+    Gritano::User.find_by_login(permission['user'])
+      .add_access(Gritano::Repository.find_by_name(permission['repo']), permission['access'].to_sym)
+  end
+end
+
+Given /^I create a new user called "(.*?)"$/ do |login|
+  @user = Gritano::User.create(login: login)
+end
+
+When /^I check if "(.*?)" has (read|write) access to "(.*?)"$/ do |login, access, repo|
+  @access_result = @user.check_access(Gritano::Repository.find_by_name(repo), access.to_sym)
+end
+
+Then /^I should see that the access is (denied|allowed)$/ do |result|
+  @expected_result = false if result == 'denied'
+  @expected_result = true if result == 'allowed'
+  @access_result.should be == @expected_result
+end
+
+Given /^I create a new repository called "(.*?)" to "(.*?)"$/ do |repo, login|
+  Gritano::User.find_by_login(login).create_repository(name: repo)
+end
+
+Then /^I should see that only "(.*?)" has access to "(.*?)"$/ do |login, repo|
+  repository = Gritano::Repository.find_by_name(repo)
+  user = Gritano::User.find_by_login(login)
+  user.check_access(repository, :read).should be_true
+  user.check_access(repository, :write).should be_true
+  Gritano::User.all.each do |u|
+    unless u.login == user.login
+      u.check_access(repository, :read).should be_false
+      u.check_access(repository, :write).should be_false
+    end
+  end
+end
+
+Given /^I (add|remove) "(.*?)" (read|write) access to "(.*?)"$/ do |op, user, permission, repo|
+  @user = Gritano::User.find_by_login(user)
+  @user.send("#{op}_access", Gritano::Repository.find_by_name(repo), permission.to_sym)
+end

data/features/support/database_cleaner.rb

@@ -0,0 +1,15 @@
+begin
+  require 'database_cleaner'
+  require 'database_cleaner/cucumber'  
+  DatabaseCleaner.strategy = :truncation
+rescue NameError
+  raise "You need to add database_cleaner to your Gemfile (in the :test group) if you wish to use it."
+end
+
+Before do
+  DatabaseCleaner.start
+end
+
+After do |scenario|
+  DatabaseCleaner.clean
+end

data/features/support/env.rb

@@ -0,0 +1,25 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter "/features/"
+  add_filter "/spec/"
+end
+
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+
+$LOAD_PATH.unshift(File.dirname(__FILE__) + '/../../lib')
+require 'gritano'
+
+require 'rspec/expectations'
+
+require 'active_record'
+
+Before do
+  ActiveRecord::Base.establish_connection(YAML::load(File.open('db/database.yml')))
+end

data/lib/gritano.rb

@@ -0,0 +1,5 @@
+ROOT_PATH = File.expand_path(File.dirname(__FILE__))
+
+require File.join(ROOT_PATH, '/gritano/models')
+require File.join(ROOT_PATH, '/gritano/console')
+require File.join(ROOT_PATH, '/gritano/command')

data/lib/gritano/command.rb

@@ -0,0 +1,16 @@
+module Gritano
+  class Command
+    def self.eval(cmd)
+      case cmd
+        when /^git-receive-pack/ then
+          return :write, "git-receive-pack", self.repo(cmd)
+        when /^git-upload-pack/ then
+          return :read, "git-upload-pack", self.repo(cmd)
+      end
+    end
+    
+    def self.repo(cmd)
+      cmd.gsub(/^git-receive-pack/, '').gsub(/^git-upload-pack/, '').gsub("'", '').strip
+    end
+  end
+end

data/lib/gritano/console.rb

@@ -0,0 +1,119 @@
+module Gritano
+  class Console
+    
+    attr_accessor :repo_path
+    attr_accessor :ssh_path
+    
+    def initialize
+      @repo_path = nil
+      @ssh_path = nil
+    end
+    
+    def execute(argv)
+      send(argv[0..1].join('_').gsub('+', 'add_').gsub('-', 'remove_'), argv[2..-1])
+    end
+    
+    def user_add(argv)
+      login, = argv
+      user = User.new(login: login)
+      return true if user.save
+      return false
+    end
+    
+    def user_rm(argv)
+      login, = argv
+      user = User.find_by_login(login)
+      if user
+        if user.destroy
+          return true 
+        end
+      end
+      return false
+    end
+    
+    def repo_add(argv)
+      name, = argv
+      repo = Repository.new(name: name, path: @repo_path)
+      return true if repo.save
+      return false
+    end
+    
+    def repo_rm(argv)
+      name, = argv
+      repo = Repository.find_by_name(name)
+      if repo
+        if repo.destroy
+          return true
+        end
+      end
+      return false
+    end
+    
+    def repo_add_read(argv)
+      repo_name, login = argv
+      user = User.find_by_login(login)
+      repo = Repository.find_by_name(repo_name)
+      if repo and user
+        return user.add_access(repo, :read)
+      end
+      return false
+    end
+    
+    def repo_add_write(argv)
+      repo_name, login = argv
+      user = User.find_by_login(login)
+      repo = Repository.find_by_name(repo_name)
+      if repo and user
+        return user.add_access(repo, :write)
+      end
+      return false
+    end
+    
+    def repo_remove_read(argv)
+      repo_name, login = argv
+      user = User.find_by_login(login)
+      repo = Repository.find_by_name(repo_name)
+      if repo and user
+        return user.remove_access(repo, :read)
+      end
+      return false
+    end
+    
+    def repo_remove_write(argv)
+      repo_name, login = argv
+      user = User.find_by_login(login)
+      repo = Repository.find_by_name(repo_name)
+      if repo and user
+        return user.remove_access(repo, :write)
+      end
+      return false
+    end
+    
+    def user_add_key(argv)
+      login, key_name, key_file = argv
+      user = User.find_by_login(login)
+      if File.exist?(key_file)
+        if user
+          key = user.keys.create(name: key_name, key: File.open(key_file).readlines.join)
+          if key.valid?
+            File.open(File.join(@ssh_path, 'authorized_keys'), 'w').write(Key.authorized_keys)
+            return true
+          end
+        end
+      end
+      return false
+    end
+    
+    def user_remove_key(argv)
+      login, key_name = argv
+      key = Key.where(name: key_name).includes(:user).where("users.login" => login).limit(1)[0]
+      if key
+        if key.destroy
+          File.open(File.join(@ssh_path, 'authorized_keys'), 'w').write(Key.authorized_keys)
+          return true
+        end
+      end
+      return false
+    end
+  end
+end

data/lib/gritano/models.rb

@@ -0,0 +1,7 @@
+require 'active_record'
+require 'grit'
+
+require File.join(ROOT_PATH, 'gritano/models/user')
+require File.join(ROOT_PATH, 'gritano/models/repository')
+require File.join(ROOT_PATH, 'gritano/models/permission')
+require File.join(ROOT_PATH, 'gritano/models/key')

data/lib/gritano/models/key.rb

@@ -0,0 +1,21 @@
+module Gritano
+  class Key < ActiveRecord::Base
+    validates :name, :key, presence: true
+    validates :name, :uniqueness => { :scope => :user_id, :message => "should happen once per user" }
+
+    belongs_to :user
+
+    def self.authorized_keys
+      authorized_keys = ""
+      keys = Key.find(:all)
+      keys.each do |k|
+        user_key = k.key
+        unless k.key[-1] == "\n"
+          user_key = user_key + "\n"
+        end
+        authorized_keys += "command=\"gritano-check #{k.user.login}\" #{user_key}"
+      end
+      return authorized_keys
+    end
+  end
+end

data/lib/gritano/models/permission.rb

@@ -0,0 +1,39 @@
+module Gritano
+  class Permission < ActiveRecord::Base
+    belongs_to :user
+    belongs_to :repository
+    
+    READ = 1
+    WRITE = 2
+    
+    def add_access(access)
+      if access == :read
+        self.access = READ | (self.access || 0)
+      elsif access == :write
+        self.access = WRITE | (self.access || 0)
+      else
+        return false
+      end
+      return true
+    end
+    
+    def remove_access(access)
+      if access == :read
+        self.access = (self.access || 0) & (~ READ)
+      elsif access == :write
+        self.access = (self.access || 0) & (~ WRITE)
+      else
+        return false
+      end
+      return true
+    end
+    
+    def is(access)
+      if access == :read
+        return (self.access & READ) == READ
+      elsif access == :write
+        return (self.access & WRITE) == WRITE
+      end
+    end
+  end
+end