authorLukas Fleischer <archlinux@cryptocrack.de>2014-06-04 22:11:43 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2014-12-27 12:42:12 +0100
commitad17b9e2b4bebcf744129ed5a1a2c6e544d42739 (patch)
tree791ee08db4c1759d89660bc1c90dd867e2662d91 /scripts/git-integration/git-auth.py
parent253e76d8cc718acef6bab802c76c4a70623b59cc (diff)
Add basic Git authentication/authorization scripts
This adds two scripts to be used together with Git over SSH: * git-auth.py is intended to be used as the AuthorizedKeysCommand. It checks whether the public key belongs to any AUR user and, if it does, invokes git-serve.py, passing the name of the corresponding user as a command line argument. * git-serve.py is a wrapper around git-shell(1) that checks whether the user passed as command line argument has access to the Git repository that a push operation writes to. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'scripts/git-integration/git-auth.py')
-rwxr-xr-xscripts/git-integration/git-auth.py41
1 files changed, 41 insertions, 0 deletions
diff --git a/scripts/git-integration/git-auth.py b/scripts/git-integration/git-auth.py
new file mode 100755
index 00000000..8701d5ef
--- /dev/null
+++ b/scripts/git-integration/git-auth.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+
+import configparser
+import mysql.connector
+import os
+import re
+
+config = configparser.RawConfigParser()
+config.read(os.path.dirname(os.path.realpath(__file__)) + "/../../conf/config")
+
+aur_db_host = config.get('database', 'host')
+aur_db_name = config.get('database', 'name')
+aur_db_user = config.get('database', 'user')
+aur_db_pass = config.get('database', 'password')
+
+key_prefixes = config.get('auth', 'key-prefixes').split()
+username_regex = config.get('auth', 'username-regex')
+git_serve_cmd = config.get('auth', 'git-serve-cmd')
+ssh_opts = config.get('auth', 'ssh-options')
+
+pubkey = os.environ.get("SSH_KEY")
+valid_prefixes = tuple(p + " " for p in key_prefixes)
+if pubkey is None or not pubkey.startswith(valid_prefixes):
+ exit(1)
+
+db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
+ passwd=aur_db_pass, db=aur_db_name,
+ buffered=True)
+
+cur = db.cursor()
+cur.execute("SELECT Username FROM Users WHERE SSHPubKey = %s " +
+ "AND Suspended = 0", (pubkey,))
+
+if cur.rowcount != 1:
+ exit(1)
+
+user = cur.fetchone()[0]
+if not re.match(username_regex, user):
+ exit(1)
+
+print('command="%s %s",%s %s' % (git_serve_cmd, user, ssh_opts, pubkey))
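Review bot: The check on the `re.match(username_regex, user)` line anchors only at the start of the string, so unless the configured `username-regex` itself ends in `\Z`, a Username with trailing characters such as `"` or `,` would pass and be spliced unescaped into the `command="..."` option printed on the last line, which is the authorized_keys line sshd acts on. The stored Username is presumably already constrained by the AUR's own registration validation, but this script is the last gate before that value reaches sshd, so prefer `if not re.fullmatch(username_regex, user):` (Python 3.4+) or document in the config that `username-regex` must be fully anchored. A minor point: neither the cursor nor the connection is released before the script exits; a `db.close()` once the row has been fetched would make the lifetime explicit.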