path: root/aurweb/git/auth.py
blob: abecd2762a539d30dc7aaeb6d569dc5b51161e4b (plain)
#!/usr/bin/env python3

import re
import shlex
import sys

import aurweb.config
import aurweb.db


def format_command(env_vars, command, ssh_opts, ssh_key):
    """Build one authorized_keys line that forces *command* for *ssh_key*.

    The result has the form ``command="<forced command>",<ssh_opts> <ssh_key>``.
    The forced command is *command* prefixed with one ``NAME=value``
    assignment per entry of *env_vars*.

    Only the values of *env_vars* and *command* itself are shell-quoted.
    The names in *env_vars*, *ssh_opts* and *ssh_key* are inserted verbatim,
    and no argument is checked for line breaks, so the caller has to make
    sure they come from trusted configuration or have been validated.
    """
    assignments = ''.join(
        '{}={} '.format(name, shlex.quote(value))
        for name, value in env_vars.items()
    )
    forced = assignments + shlex.quote(command)

    # The forced command sits inside a double-quoted authorized_keys option,
    # so every literal double quote has to be backslash-escaped.
    forced = forced.replace('"', '\\"')
    return 'command="{}",{} {}'.format(forced, ssh_opts, ssh_key)


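def main():
    """Print the authorized_keys line for the SSH key given on the command line.

    The key type is read from ``sys.argv[1]`` and the key text from
    ``sys.argv[2]`` (presumably supplied by sshd through an
    AuthorizedKeysCommand hook; confirm against the deployment). The process
    exits with status 1 and prints nothing when the arguments are missing,
    the key type is not allowed, the key does not map to exactly one
    non-suspended user with a non-empty password field, or the user name does
    not match the configured pattern.
    """
    valid_keytypes = aurweb.config.get('auth', 'valid-keytypes').split()
    username_regex = aurweb.config.get('auth', 'username-regex')
    git_serve_cmd = aurweb.config.get('auth', 'git-serve-cmd')
    ssh_opts = aurweb.config.get('auth', 'ssh-options')

    # Fail closed on a malformed invocation instead of dying with an
    # IndexError traceback.
    if len(sys.argv) < 3:
        sys.exit(1)

    keytype = sys.argv[1]
    keytext = sys.argv[2]

    # Allow-list check: only key types named in the configuration pass.
    if keytype not in valid_keytypes:
        sys.exit(1)

    key = keytype + ' ' + keytext

    conn = aurweb.db.Connection()

    # The key is passed as a bound parameter, never interpolated into the SQL.
    cur = conn.execute("SELECT Users.Username, Users.AccountTypeID FROM Users "
                       "INNER JOIN SSHPubKeys ON SSHPubKeys.UserID = Users.ID "
                       "WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0 "
                       "AND NOT Users.Passwd = ''",
                       (key,))

    # Exactly one matching account is required: no row means an unknown key,
    # and a second row means the key is ambiguous, so both are refused.
    row = cur.fetchone()
    if not row or cur.fetchone():
        sys.exit(1)

    user, account_type = row
    # NOTE(review): re.match anchors only at the start of the string, so the
    # configured pattern has to anchor its own end; also, `$` matches before a
    # trailing newline. Consider re.fullmatch once the configured pattern has
    # been checked against it.
    if not re.match(username_regex, user):
        sys.exit(1)

    env_vars = {
        'AUR_USER': user,
        # Any account type ID above 1 is treated as privileged.
        'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
    }

    print(format_command(env_vars, git_serve_cmd, ssh_opts, key))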


# Run the lookup only when executed as a script, not when imported.
if __name__ == '__main__':
    main()