
Fix ssh authentication.
authorCyrille Pontvieux <jrd@enialis.net>
Thu, 27 Nov 2014 20:30:24 +0000 (21:30 +0100)
committerCyrille Pontvieux <jrd@enialis.net>
Thu, 27 Nov 2014 20:30:24 +0000 (21:30 +0100)
Makefile
configure
homegit/git-shell-commands/check
homegit/git-shell-commands/no-interactive-login [new file with mode: 0755]
src/style.css
tpl/footer.html [new file with mode: 0644]
tpl/header.html [new file with mode: 0644]
tpl/indextext.html [new file with mode: 0644]

index e6d5d43..7e63614 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -57,6 +57,7 @@ gen/.website: gen/home gen/www/$(WEB_BASE_DIR) gen/sudoers.d gen/sudoers.d/git g
        @cp -r homegit/* gen/home/
        @cp -r src/* src/.??* gen/www/${WEB_BASE_DIR}
        (cd git-master/gitweb && make prefix=/usr GITWEB_PROJECTROOT=${GIT_HOME} GITWEB_PROJECT_MAXDEPTH=50 GITWEB_EXPORT_OK=git-daemon-export-ok GITWEB_HOME_LINK_STR=/${WEB_BASE_DIR} GITWEB_SITENAME="${WEB_TITLE}" gitwebdir=${PREFIX}/${WEB_BASE_DIR}${GITWEB_DIR} all)
+       @for h in header footer indextext; do sed -r 's,__WEB_TITLE__,${WEB_TITLE},g; s,__PREFIX__,${PREFIX},g; s,__WEB_BASE_DIR__,${WEB_BASE_DIR},g; s,__GITWEB_DIR__,${GITWEB_DIR},g; s,__GIT_HOSTNAME__,${GIT_HOSTNAME},g; s,__GIT_HOSTPORT__,${GIT_HOSTPORT},g;' tpl/$$h.html > gen/$$h.html; done
        @touch $@
        @echo "Run 'make install' to install the git repositories and the web site"
 
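Review bot: The added `sed` line pastes `${WEB_TITLE}`, `${PREFIX}` and the other settings unescaped into a single-quoted sed script, so a value containing `,`, `&`, `\` or `'` either corrupts the substitution or ends the shell quoting, and the title then lands in the `<h1>` of `tpl/header.html` without HTML escaping. Since `install` depends on both `_root` and `gen/.website`, this recipe may run as root, so these values should be validated in `configure` (for example restricted to a safe character set) or escaped before they reach sed. The `for` loop also hides a failing `sed` unless it is the last iteration, and leaves a truncated output file behind; ending the loop body with `> gen/$$h.html || exit 1; done` makes the recipe fail instead. The rule header lies outside the hunk, so whether `tpl/*.html` are declared as prerequisites cannot be seen from here.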
@@ -66,6 +67,7 @@ clean:
 
 install: _root gen/.website _githome _webhome _sudo
        (cd git-master/gitweb && make prefix=/usr GITWEB_PROJECTROOT=${GIT_HOME} GITWEB_PROJECT_MAXDEPTH=50 GITWEB_EXPORT_OK=git-daemon-export-ok GITWEB_HOME_LINK_STR=/${WEB_BASE_DIR} GITWEB_SITENAME="${WEB_TITLE}" gitwebdir=${PREFIX}/${WEB_BASE_DIR}${GITWEB_DIR} install)
+       @cp -v gen/*.html ${PREFIX}/${WEB_BASE_DIR}${GITWEB_DIR}/
        @echo ""
        @echo "Installation complete."
        @echo ""
@@ -79,7 +81,7 @@ _root:
        @if [ $$(id -u) -ne 0 ]; then echo "You need to be root."; exit 1; fi
 
 _githome:
-       @if grep -q "^${GIT_USER}:" /etc/passwd; then usermod -s /usr/bin/git-shell -L ${GIT_USER}; usermod -a -G $$(groups ${GIT_USER}|cut -d: -f2-|awk '{print $$1}') ${WEB_USER}; else useradd -d ${GIT_HOME} -m -r -s /usr/bin/git-shell -U ${GIT_USER}; usermod -a -G ${GIT_USER} ${WEB_USER}; fi
+       @if grep -q "^${GIT_USER}:" /etc/passwd; then usermod -s /usr/bin/git-shell -p '*' ${GIT_USER}; usermod -a -G $$(groups ${GIT_USER}|cut -d: -f2-|awk '{print $$1}') ${WEB_USER}; else useradd -d ${GIT_HOME} -m -r -s /usr/bin/git-shell -p '*' -U ${GIT_USER}; usermod -a -G ${GIT_USER} ${WEB_USER}; fi
        @cp -rv gen/home/* ${GIT_HOME}/
        
 _webhome:
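Review bot: The `_githome` recipe chains its account changes with `;`, so when the first `usermod` or the `useradd` fails, the following `usermod -a -G … ${WEB_USER}` still runs and the root install carries on as if nothing happened; joining the steps with `&&` stops at the first failure. The switch from `-L` to `-p '*'` deserves a comment, because the reason is not visible in the recipe: presumably a locked (`!`) password entry made sshd refuse key logins, while `*` only rules out password logins. Something like `# '*' = no valid password, account stays usable for ssh keys (unlike -L)` would record that once confirmed. The existing-account test greps `/etc/passwd` directly and misses accounts from other NSS sources; `getent passwd ${GIT_USER} >/dev/null` covers them.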
index b96cb4e..5736872 100755 (executable)
--- a/configure
+++ b/configure
@@ -132,3 +132,4 @@ WEB_TITLE = $WEB_TITLE
 EOF
 
 [ -d git-master ] || wget https://github.com/git/git/archive/master.tar.gz -O - | tar xzf -
+sed -i 's/^GITWEB_SITE_HEADER =/& header.html/; s/^GITWEB_SITE_FOOTER =/& footer.html/;' git-master/gitweb/Makefile
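Review bot: The added `sed -i` is not idempotent: `git-master` is only downloaded when the directory is missing, but the substitution runs on every `configure`, so a second run produces `GITWEB_SITE_HEADER = header.html header.html` (and the same for the footer). Matching the whole line fixes that, `s/^GITWEB_SITE_HEADER =.*/GITWEB_SITE_HEADER = header.html/`, or the two values could be passed on the `make` command line in the Makefile next to the other `GITWEB_*` settings instead of patching the downloaded file. Because the tree is whatever upstream `master` is at download time, with no pinned version or checksum on the line above, the pattern can also silently stop matching; a `grep -q '^GITWEB_SITE_HEADER = header.html' git-master/gitweb/Makefile` check after the edit would catch that.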
index ec25370..b33d9b7 100755 (executable)
@@ -1,15 +1,56 @@
 #!/bin/sh
 GITUSER="$1"
+if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
+  USER=$GITUSER
+  export USER
+  exec git-shell
+fi
+ispublic() {
+  [ -e "$1"/git-daemon-export-ok ]
+}
+rungitcmd() {
+  exec /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
+}
+error() {
+  echo "Error: $1" >&2
+  exit 1
+}
 eval set -- $SSH_ORIGINAL_COMMAND
 # $1 = command
 # $2 = repo path
+CMD="$1"
 REPO="$2"
+PUSHCMD="git-receive-pack"
 if [ -d "$REPO" ] && [ -r "$REPO"/.users ]; then
-  if grep -q "^$GITUSER\$" "$REPO"/.users; then
-    eval "$@"
+  if grep -q "^$GITUSER:.*\$" "$REPO"/.users; then
+    RIGHT=$(sed -r -n "/^$GITUSER:/{s/^$GITUSER:(.*)/\1/;p}" "$REPO"/.users)
+    case $RIGHT in
+      admin|user)
+        # admin and regular user have the same right on the git repo
+        rungitcmd
+        ;;
+      readonly)
+        if [ "$CMD" = "$PUSHCMD" ]; then
+          # push command is forbidden to readonly users
+          error "$GITUSER not authorized to push on $REPO"
+        else
+          # other commands are allowed
+          rungitcmd
+        fi
+        ;;
+      *)
+        error "$GITUSER has the unexpected right $RIGHT"
+    esac
   else
-    echo "Error: $GITUSER not authorized on $REPO" >&2
+    if [ "$CMD" != "$PUSHCMD" ] && [ -e "$REPO"/git-daemon-export-ok ]; then
+      rungitcmd
+    else
+      # not a member and the command is push or
+      # not a member and the repo is not public
+      error "$GITUSER not authorized on $REPO"
+    fi
   fi
 else
-  eval "$@"
+  # will fail as the repo does not exist
+  rungitcmd
 fi
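Review bot: `eval set -- $SSH_ORIGINAL_COMMAND` still runs before any of the new checks, so the client-supplied command string is interpreted by the shell with the git account's privileges; the commit removes `eval "$@"` but keeps this one. Splitting the string with parameter expansion and accepting only the known git service names, as sketched below, avoids handing client input to `eval`; paths that themselves contain a quote would then simply fail the `-d` test. The final `else` is also fail-open: its comment says the repository does not exist, but it is reached whenever `$REPO` is not a directory or `.users` is not readable, and `rungitcmd` then runs with no membership check, so `error "$REPO: no such repository or no access list"` would deny by default there. `$GITUSER` is used as a regular expression in the `grep` and `sed` calls, so a name containing `.` can match another user's line; `grep -q -F -- "$GITUSER:"` combined with an anchored compare is safer. `ispublic` is defined but never called, while the non-member branch repeats its test inline.

```sh
# … unchanged: empty-command exit to git-shell, ispublic/rungitcmd/error helpers …
# Parse "<service> '<path>'" without eval; refuse anything that is not a git service.
CMD=${SSH_ORIGINAL_COMMAND%% *}
REPO=${SSH_ORIGINAL_COMMAND#"$CMD"}
REPO=${REPO# }
REPO=${REPO#\'}
REPO=${REPO%\'}
case $CMD in
  git-upload-pack|git-upload-archive|git-receive-pack) ;;
  *) error "unsupported command" ;;
esac
PUSHCMD="git-receive-pack"
# … unchanged: .users lookup and rights dispatch …
```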
diff --git a/homegit/git-shell-commands/no-interactive-login b/homegit/git-shell-commands/no-interactive-login
new file mode 100755 (executable)
index 0000000..73e8773
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/sh
+printf '%s\n' "Hi $USER"
+printf '%s\n' "You've successfully authenticated, but no shell is provided."
+exit 128
index 052f10d..84e4010 100644 (file)
@@ -66,9 +66,18 @@ table th {
   text-align: center !important;
   height: 30px;
 }
+table tr {
+  border-bottom: 1px gray dashed;
+}
+table tr:first-child {
+  border-bottom: 1px black solid;
+}
 table tr:hover {
   background-color: #CCC;
 }
+table tr td {
+  padding: 10px 0;
+}
 #nav {
   padding: 5px 0 5px 20px;
   border-bottom: 1px solid gray;
diff --git a/tpl/footer.html b/tpl/footer.html
new file mode 100644 (file)
index 0000000..e569562
--- /dev/null
@@ -0,0 +1,2 @@
+<div class="footer">
+</div>
diff --git a/tpl/header.html b/tpl/header.html
new file mode 100644 (file)
index 0000000..61290a9
--- /dev/null
@@ -0,0 +1,3 @@
+<div class="header">
+  <h1><a href="/__WEB_BASE_DIR__">__WEB_TITLE__</a></h1>
+</div>
diff --git a/tpl/indextext.html b/tpl/indextext.html
new file mode 100644 (file)
index 0000000..99c9f18
--- /dev/null
@@ -0,0 +1,3 @@
+<div class="index">
+  Here are all public projects.
+</div>