1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
#!/usr/bin/env python3
import re
import shlex
import sys
import aurweb.config
import aurweb.db
def format_command(env_vars, command, ssh_opts, ssh_key):
environment = ''
for key, var in env_vars.items():
environment += '{}={} '.format(key, shlex.quote(var))
command = shlex.quote(command)
command = '{}{}'.format(environment, command)
# The command is being substituted into an authorized_keys line below,
# so we need to escape the double quotes.
command = command.replace('"', '\\"')
msg = 'command="{}",{} {}'.format(command, ssh_opts, ssh_key)
return msg
def main():
valid_keytypes = aurweb.config.get('auth', 'valid-keytypes').split()
username_regex = aurweb.config.get('auth', 'username-regex')
git_serve_cmd = aurweb.config.get('auth', 'git-serve-cmd')
ssh_opts = aurweb.config.get('auth', 'ssh-options')
keytype = sys.argv[1]
keytext = sys.argv[2]
if keytype not in valid_keytypes:
exit(1)
conn = aurweb.db.Connection()
cur = conn.execute("SELECT Users.Username, Users.AccountTypeID FROM Users "
"INNER JOIN SSHPubKeys ON SSHPubKeys.UserID = Users.ID "
"WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0 "
"AND NOT Users.Passwd = ''",
(keytype + " " + keytext,))
row = cur.fetchone()
if not row or cur.fetchone():
exit(1)
user, account_type = row
if not re.match(username_regex, user):
exit(1)
env_vars = {
'AUR_USER': user,
'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
}
key = keytype + ' ' + keytext
print(format_command(env_vars, git_serve_cmd, ssh_opts, key))
if __name__ == '__main__':
main()
|