author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-06-04 22:11:43 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-12-27 12:42:12 +0100 |
commit | ad17b9e2b4bebcf744129ed5a1a2c6e544d42739 (patch) | |
tree | 791ee08db4c1759d89660bc1c90dd867e2662d91 /scripts/git-integration/git-auth.py | |
parent | 253e76d8cc718acef6bab802c76c4a70623b59cc (diff) | |
Add basic Git authentication/authorization scripts
This adds two scripts to be used together with Git over SSH:
* git-auth.py is supposed to be used as AuthorizedKeysCommand. It checks
whether the public key belongs to any AUR user and invokes
git-serve.py, passing the name of the corresponding user as a command
line argument, if any.
* git-serve.py is a wrapper around git-shell(1) that checks whether the
user passed as command line argument has access to the Git repository
that a push operation writes to.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'scripts/git-integration/git-auth.py')
-rwxr-xr-x | scripts/git-integration/git-auth.py | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/scripts/git-integration/git-auth.py b/scripts/git-integration/git-auth.py
new file mode 100755
index 00000000..8701d5ef
--- /dev/null
+++ b/scripts/git-integration/git-auth.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+import configparser
+import mysql.connector
+import os
+import re
+
+config = configparser.RawConfigParser()
+config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
+
+aur_db_host = config.get('database', 'host')
+aur_db_name = config.get('database', 'name')
+aur_db_user = config.get('database', 'user')
+aur_db_pass = config.get('database', 'password')
+
+key_prefixes = config.get('auth', 'key-prefixes').split()
+username_regex = config.get('auth', 'username-regex')
+git_serve_cmd = config.get('auth', 'git-serve-cmd')
+ssh_opts = config.get('auth', 'ssh-options')
+
+pubkey = os.environ.get("SSH_KEY")
+valid_prefixes = tuple(p + " " for p in key_prefixes)
+if pubkey is None or not pubkey.startswith(valid_prefixes):
+ exit(1)
+
+db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+ passwd=aur_db_pass, db=aur_db_name,
+ buffered=True)
+
+cur = db.cursor()
+cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
+ "AND Suspended = 0", (pubkey,))
+
+if cur.rowcount != 1:
+ exit(1)
+
+user = cur.fetchone()[0]
+if not re.match(username_regex, user):
+ exit(1)
+
+print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey)) |
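Review bot: The username check `re.match(username_regex, user)` anchors only at the start of the string, so unless the configured `username-regex` itself ends in `$` or `\Z`, a username with trailing characters passes validation and is then interpolated unquoted into the `command="..."` option that the final `print` emits in authorized_keys format, where a `"` or `,` would change the meaning of the line. Since this script is the trust boundary between the database value and sshd, the whole value should be constrained regardless of how the regex is written in config: `if not re.fullmatch(username_regex, user):` (Python 3.4+; on older interpreters `re.match(username_regex + r'\Z', user)` is equivalent). A short comment above the check, such as `# Username is spliced into the authorized_keys command= option; it must match the regex in full, not just at the start`, would document why the stricter match matters. Separately, the script relies on the `site`-injected `exit` builtin in several places; `sys.exit(1)` is the portable form for a script that sshd invokes non-interactively.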