ssh-allow 0.6.0

data/.gitignore

@@ -0,0 +1,6 @@
+.DS_Store
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+tmp/*

data/.rspec

@@ -0,0 +1,2 @@
+--colour
+--format=doc

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in ssh-allow.gemspec
+gemspec

data/LICENSE.md

@@ -0,0 +1,24 @@
+# License & Copywrite
+
+**Copyright (c) 2008 by the Trustees of Dartmouth College. All rights reserved.**
+
+The remote_key Ruby library, and accompanying documentation, are provided
+subject to the following license agreement. By obtaining and/or using the
+software, you agree that you have read and understood this agreement, and
+will comply with its terms and conditions.
+
+ 1. Permission to use, copy, modify and distribute this software and
+documentation without fee is hereby granted, provided that the copyright
+notice and this agreement appear on all copies of the software and
+documentation.
+
+ 2. Any documentation and advertising material relating to this software must
+acknowledge that the software was developed by Dartmouth College.
+
+ 3. The name of Dartmouth College may not be used to endorse or promote
+products derived from this software without specific prior written
+permission.
+
+ 4. Neither the Trustees of Dartmouth College nor the authors make any
+representations about the suitability of this software for any purpose. It is
+provided "as is", without any express or implied warranty.

data/README.md

@@ -0,0 +1,70 @@
+# ssh-allow
+
+A mini-DSL for specifying which remote SSH commands are allowed (or denied) during a remote shell session, authenticated via an SSH key. Also comes with a command-line binary for comparing the current remote command against the list.
+
+## Purpose
+
+Guarding against the SSH_ORIGINAL_COMMAND environment is fairly command and allowing/denying simple commands is easy to do with a simple bash shell. Unfortunately, if what you need to do is allow a very narrow set of non-trivial commands, where the various command-line options and arguments need to be specified, trying to accomplish this with a bash script quickly becomes arduous.
+
+To try and solve this problem, I developed an extremely simple _DSL_, which is really just some stripped down ruby code, that would make specifying almost any range of commands, with almost any range of options and/or arguments, a straightforward problem. Those **rules** needed a specialized command-line binary to both process them and compare the allowed (or denied) commands against ENV['SSH_ORIGINAL_COMMAND'].
+
+That's ssh-allow.
+
+---
+
+## Installation
+
+    $ sudo gem install ssh-allow
+
+---
+
+## Usage
+
+### guard (default command)
+
+    $ ssh-allow guard [-r | --rules=<file>] [-e | --echo]
+
+The --rules `<file>` path defaults to `~/.ssh-rules`. If the intent is to deploy ssh-allow across multiple accounts on a single Unix/Linux server, then it's recommended that you create `/etc/ssh-allow/` to hold the various rules files.
+
+The --echo switch echos the command to std_in, prior to executing it.
+
+The guard command is intended to be specified in the ~/.ssh/authorized_keys file, as the front-part of the line containing the SSH key that needs command guarding. The configuration usually looks like this:
+
+    command="/usr/local/bin/ssh-allow guard -r=/etc/ssh-allow/rule_file" ssh-rsa AAAAB3Nza
+
+---
+
+## Rules Specification DSL
+
+Allowing an `ls` command, with no options and no arguments.
+
+```ruby
+allow!('ls')
+```
+
+Allowing an `ls` command, with any options and any arguments.
+
+```ruby
+allow!('ls') do
+  opts :any
+  args :any
+end
+```
+
+Allowing an `ls` command, with a specific option and a file-path argument regex.
+
+```ruby
+allow!('ls') do
+  opts '-ld'
+  args '^/foo/bar/.*'
+end
+```
+
+Allowing a `cp` command, with no options and two file-path argument regexes.
+
+```ruby
+allow!('cp') do
+  args '^/foo/bar/.*'
+  args '^/foo/baz/.*'
+end
+```

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/bin/ssh-allow

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+require 'ssh/allow'
+SSH::Allow::CLI.start

data/lib/ssh/allow.rb

@@ -0,0 +1,4 @@
+require 'ssh/allow/cli'
+require 'ssh/allow/rule_set'
+require 'ssh/allow/rule'
+require 'ssh/allow/command'

data/lib/ssh/allow/cli.rb

@@ -0,0 +1,33 @@
+require 'thor'
+
+module SSH ; module Allow
+  class CLI < Thor
+
+    desc  "guard --rules | -r=<file> [--echo | -e]",
+          "Guard against the SSH_ORIGINAL_COMMAND, using rules in the --rules file."
+    method_option :rules, :type => :string, :aliases => '-r', :required => true,
+                  :default => File.expand_path("~/.ssh-rules"), :banner => "Path to rules file"
+    method_option :echo, :type => :boolean, :default => false, :aliases => '-e',
+                  :banner => "Echo the SSH_ORIGINAL_COMMAND."
+    def guard
+      rule_set.read(options[:rules])
+      puts command if options[:echo]
+      command.allowed?(rule_set.rules) ? command.run : fail
+    end
+
+    private
+
+    def rule_set
+      @rule_set ||= SSH::Allow::RuleSet.new
+    end
+
+    def command
+      @command ||= SSH::Allow::Command.new(ENV['SSH_ORIGINAL_COMMAND'])
+    end
+
+    def fail
+      raise Thor::Error, "Remote Command Not Allowed: #{command}"
+    end
+
+  end
+end ; end

data/lib/ssh/allow/command.rb

@@ -0,0 +1,41 @@
+$:.unshift(File.dirname(__FILE__)) unless $:.include?(File.dirname(__FILE__))
+
+require 'polyglot'
+require 'treetop'
+require 'command_line'
+
+module SSH ; module Allow
+  class Command
+    attr_reader :name, :options, :arguments
+
+    def initialize(cmd)
+      @cmd = cmd.to_s
+      @name = parsed.name.text_value
+      @options = parsed.option_list
+      @arguments = parsed.argument_list
+    end
+
+    def to_s
+      @cmd
+    end
+
+    def run
+      system(@cmd)
+    end
+
+    def allowed?(rules)
+      match, allow = false, false
+      rules.each do |rule|
+        match, allow = rule.match?(self)
+        break if match
+      end
+      allow
+    end
+
+    private
+
+    def parsed
+      @parsed ||= CommandLineParser.new.parse(@cmd)
+    end
+  end
+end ; end

data/lib/ssh/allow/command_line.treetop

@@ -0,0 +1,104 @@
+grammar CommandLine
+  rule command
+    name (delimited_option / delimited_argument)* {
+      def option_list
+        opts = self.elements[1].elements.inject([]) do |a, e|
+          a << e.opt_value
+        end
+        opts.compact
+      end
+
+      def argument_list
+        args = self.elements[1].elements.inject([]) do |a, e|
+          a << e.arg_value
+        end
+        args.compact
+      end
+    }
+  end
+
+  rule name
+    argument
+  end
+
+  rule delimited_option
+    ' ' option {
+      def opt_value
+        self.option.opt_value
+      end
+      
+      def arg_value
+        self.option.arg_value
+      end
+    }
+  end
+
+  rule delimited_argument
+    ' ' argument {
+      def opt_value
+        nil
+      end
+      
+      def arg_value
+        self.argument.text_value
+      end
+    }
+  end
+
+  rule option
+    (long_option / short_option)
+  end
+
+  rule long_option
+    '--' (opt_name '=' argument / opt_name) {
+      def opt_value
+        self.elements[1].respond_to?(:opt_name) ?
+          self.elements[1].opt_name.text_value : self.elements[1].text_value
+      end
+
+      def arg_value
+        self.elements[1].respond_to?(:opt_name) ?
+          self.elements[1].argument.text_value : nil
+      end
+    }
+  end
+
+  rule short_option
+    '-' (label_char '=' argument / opt_name) {
+    def opt_value
+      self.elements[1].respond_to?(:label_char) ?
+        self.elements[1].label_char.text_value : self.elements[1].text_value
+    end
+
+    def arg_value
+      self.elements[1].respond_to?(:label_char) ?
+        self.elements[1].argument.text_value : nil
+    end
+    }
+  end
+
+  rule argument
+    (quoted_chars / unquoted_chars) {
+      def arg_value
+        self.text_value
+      end
+    }
+  end
+
+  rule opt_name
+    label_char+
+  end
+
+  rule label_char
+    [a-zA-Z0-9]
+  end
+
+  rule quoted_chars
+    '"' (!'"' . / '\"')* '"'
+  end
+
+  rule unquoted_chars
+    (!' ' . / '\ ')+
+  end
+
+end

data/lib/ssh/allow/rule.rb

@@ -0,0 +1,97 @@
+module SSH ; module Allow
+
+  class Rule
+    attr_reader :command, :options, :arguments
+
+    def initialize(cmds)
+      @command = [cmds].flatten
+      @options = [:none]
+      @arguments = [:none]
+    end
+
+    def opts(opt_text)
+      opt_text.gsub!(/^--?/, '') if opt_text.is_a?(String)
+      push(:options, opt_text)
+    end
+
+    def args(arg_text)
+      arg_text = Regexp.new(arg_text) if arg_text.is_a?(String)
+      push(:arguments, arg_text)
+    end
+
+    def match_command?(name)
+      return false if none?(command)
+      return true if any?(command)
+      command.include?(name)
+    end
+
+    def match_options?(opt_list)
+      return opt_list.empty? if none?(options)
+      return true if any?(options)
+      return false if options.size != opt_list.size
+      opt_list.inject(true) { |match, opt| match && options.include?(opt) }
+    end
+
+    def match_arguments?(arg_list)
+      return arg_list.empty? if none?(arguments)
+      return true if any?(arguments)
+      return false if arguments.size != arg_list.size
+      arg_list.inject(true) { |match, arg| match && match_one_argument?(arg) }
+    end
+
+    def match_one_argument?(arg)
+      arguments.inject(false) { |match, one_arg| match || (one_arg === arg) }
+    end
+
+    def push(attrib, value)
+      send(attrib).clear if send(attrib) == [:none]
+      send(attrib).push(value)
+    end
+
+    def none?(part)
+      part == [:none]
+    end
+
+    def any?(part)
+      part == [:any]
+    end
+
+    private :push, :none?, :any?, :match_one_argument?
+
+    class << self
+      def allow(*cmds, &block)
+        create(Rule::Allow.new(cmds.flatten), &block)
+      end
+
+      def deny(*cmds, &block)
+        create(Rule::Deny.new(cmds.flatten), &block)
+      end
+
+      def create(rule, &block)
+        begin
+          rule.instance_eval(&block) if block_given?
+          rule
+        rescue Exception => e
+          false
+        end
+      end
+    end
+
+    class Allow < Rule
+      def match?(command)
+        match = [match_command?(command.name), match_options?(command.options),
+          match_arguments?(command.arguments)].inject(true) { |mem, var| var && mem }
+        return match, match
+      end
+    end
+
+    class Deny < Rule
+      def match?(command)
+        match = [match_command?(command.name), match_options?(command.options),
+          match_arguments?(command.arguments)].inject(true) { |mem, var| var && mem }
+        return match, !match
+      end
+    end
+  end
+
+end ; end

data/lib/ssh/allow/rule_set.rb

@@ -0,0 +1,38 @@
+module SSH ; module Allow
+
+  class RuleSet
+    attr_reader :rules
+
+    def initialize
+      @rules = []
+    end
+
+    def allow(cmd, &block)
+      push get_rule(:allow, cmd, block)
+    end
+
+    def allow!(cmd, &block)
+      rule = get_rule(:allow, cmd, block)
+      push(rule) or raise(%(Invalid rule: "#{cmd}"))
+    end
+
+    def read(path_to_rules)
+      self.instance_eval(read_rules(path_to_rules))
+    end
+
+    private
+
+    def push(rule)
+      rule ? @rules.push(rule) : false
+    end
+
+    def get_rule(type, cmd, block)
+      SSH::Allow::Rule.send(type, cmd, &block)
+    end
+
+    def read_rules(path_to_rules)
+      IO.read(path_to_rules)
+    end
+  end
+
+end ; end