From 8a2d899b72f0adcd1c40f32c355d646cf72b3923 Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 12:22:00 +0100 Subject: Move runcmd into util --- lib/gitano/util.lua | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/lib/gitano/util.lua b/lib/gitano/util.lua index 291c68d..5fc4ab1 100644 --- a/lib/gitano/util.lua +++ b/lib/gitano/util.lua @@ -15,6 +15,27 @@ local tconcat = table.concat local check_password = scrypt.verify_password +local function run_command(cmd, cmdline, parsed_cmdline, user, + config, env, repo) + log.debug("Welcome to " .. config.global.site_name) + log.debug("Running:") + for i = 1, #parsed_cmdline do + log.debug(" => " .. parsed_cmdline[i]) + end + log.debug("") + log.debug("On behalf of " .. user .. " using key " .. env["GITANO_KEYTAG"]) + + local how, why = cmd.run(config, repo, parsed_cmdline, env) + + if how ~= "exit" or why ~= 0 then + log.critical("Error running " .. parsed_cmdline[1] .. ": " .. how) + return why + else + log.syslog.info(cmdline, "completed successfully") + return 0 + end +end + local function hash_password(password) -- For the moment we are using scrypt, -- we may decide to use other hash functions in the future @@ -502,4 +523,6 @@ return { hash_password = hash_password, check_password = check_password, + + run_command = run_command, } -- cgit v1.2.1 From 5f73b47797666dcc6095a8151981d9ef94870f36 Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 11:35:41 +0100 Subject: Add repo_root parameter to is_authorized --- lib/gitano/auth.lua | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/gitano/auth.lua b/lib/gitano/auth.lua index 8c3a4e6..2e275dd 100644 --- a/lib/gitano/auth.lua +++ b/lib/gitano/auth.lua 
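Review bot: In the failure branch of `run_command`, `return why` hands back 0 whenever `how ~= "exit"` but `why` is 0, and both callers in this series treat 0 as success (`exit ~= 0` in gitano-auth, `exit == 0 and "200 OK"` in the CGI). Whether `cmd.run` can produce that pair is not visible here, so forcing a non-zero result is the safer default: `return (type(why) == "number" and why ~= 0) and why or 1`. The error message also drops `why`, which the removed gitano-auth code logged as `("%s (%d)"):format(how, why)`; appending `.. " (" .. tostring(why) .. ")"` to the `log.critical` call keeps the exit status in the log for later triage. The later util.lua hunk that adds "Unable to continue" leaves both lines unchanged.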
@@ -49,8 +49,7 @@ local function set_environment(repo_root, repo, context, transactionid) return env end -local function is_authorized(user, source, cmdline) - local repo_root = os.getenv("GITANO_ROOT") +local function is_authorized(user, source, cmdline, repo_root) local keytag = "" local authorized = false -- cgit v1.2.1 From 25978dd00e0a77b9fcc36264a6602510c7407dab Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 11:36:05 +0100 Subject: Make gitano-command pass repo_root to is_authorized --- bin/gitano-command.cgi.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/gitano-command.cgi.in b/bin/gitano-command.cgi.in index 1954635..681603b 100755 --- a/bin/gitano-command.cgi.in +++ b/bin/gitano-command.cgi.in @@ -74,7 +74,7 @@ if os.getenv("QUERY_STRING") then gitano.log.buffer_output() local authorized, cmd, parsed_cmdline, config, env, repo = - gitano.auth.is_authorized(user, "http", cmdline) + gitano.auth.is_authorized(user, "http", cmdline, os.getenv("GITANO_ROOT")) if authorized then local exit = run_command(cmd, cmdline, parsed_cmdline, -- cgit v1.2.1 From f6f975c4b3cd4b0417c61bb01f246297e87321f1 Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 11:36:28 +0100 Subject: Make gitano-smart-http pass repo_root to is_authorized --- bin/gitano-smart-http.cgi.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/gitano-smart-http.cgi.in b/bin/gitano-smart-http.cgi.in index 017c4e7..f294b28 100755 --- a/bin/gitano-smart-http.cgi.in +++ b/bin/gitano-smart-http.cgi.in 
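Review bot: `is_authorized` now takes `repo_root` from its caller without any visible check, and both CGI call sites in this series (gitano-command.cgi.in and gitano-smart-http.cgi.in) pass `os.getenv("GITANO_ROOT")` straight through, which is nil when the variable is unset. The rest of the function body is outside the hunk, so how a nil or empty root is handled cannot be confirmed here. The removed gitano-auth code built the admin repository path from this value, so presumably the authorization data is loaded from it, and a guard at the top would fail closed: `if type(repo_root) ~= "string" or repo_root == "" then return false end`. A short comment on the new parameter, such as `-- repo_root: Gitano repository root; must come from trusted configuration, never from request data`, would make the trust assumption explicit for future callers.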
@@ -59,7 +59,8 @@ if request_method == "GET" or request_method == "POST" then local user = os.getenv("REMOTE_USER") or "gitano/anonymous" local cmdline = parse_request(request_method) - if cmdline and gitano.auth.is_authorized(user, "http", cmdline) then + if cmdline and gitano.auth.is_authorized(user, "http", cmdline, + os.getenv("GITANO_ROOT")) then local proc = subprocess.spawn_simple({"git", "http-backend"}) local exit_code -- cgit v1.2.1 From 635d753a0c86e1213682ffa7cc5ee414c7c9f383 Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 10:48:49 +0100 Subject: Make gitano-auth use is_authorized and runcmd --- bin/gitano-auth.in | 142 ++++------------------------------------------------- 1 file changed, 9 insertions(+), 133 deletions(-) diff --git a/bin/gitano-auth.in b/bin/gitano-auth.in index 3901166..2190ae0 100644 --- a/bin/gitano-auth.in +++ b/bin/gitano-auth.in 
@@ -20,152 +20,28 @@ local sp = require "luxio.subprocess" -- @@GITANO_SHARE_PATH -- @@GITANO_PLUGIN_PATH -local repo_root, username, keytag = ... +local repo_root, user, keytag = ... gitano.config.repo_path(repo_root) local cmdline = luxio.getenv "SSH_ORIGINAL_COMMAND" or "" -local transactionid = gitano.log.syslog.open() - if cmdline:match("^[ \t\n]*$") then gitano.log.fatal("No command provided, cannot continue") end -local parsed_cmdline, warnings = gitano.util.parse_cmdline(cmdline) - -local start_log_level = gitano.log.get_level() --- Clamp level at info until we have checked if the caller --- is an admin or not -gitano.log.cap_level(gitano.log.level.INFO) - -if (#warnings > 0) then - gitano.log.error("Warnings encountered parsing commandline."); - gitano.log.warn("\t" .. cmdline) - gitano.log.warn("") - gitano.log.warn("Parsed as:") - for i = 1, #parsed_cmdline do - gitano.log.warn((" =[%2d]> %s"):format(i, parsed_cmdline[i])) - end - gitano.log.warn("\nWarnings were:") - for i = 1, #warnings do - gitano.log.warn(" * " .. warnings[i]) - end - gitano.log.warn("") - gitano.log.fatal("Game over, sorry\n") -end - --- Now load the administration data - -local admin_repo = gall.repository.new((repo_root or "") .. "/gitano-admin.git") - -if not admin_repo then - gitano.log.fatal("Unable to locate administration repository. Cannot continue"); -end - -local admin_head = admin_repo:get(admin_repo.HEAD) - -if not admin_head then - gitano.log.fatal("Unable to find the HEAD of the administration repository. Cannot continue"); -end - -local config, msg = gitano.config.parse(admin_head) - -if not config then - gitano.log.critical("Unable to parse administration repository.") - gitano.log.critical(" * " .. (msg or "No error?")) - gitano.log.fatal("Cannot continue") -end - --- Now, are we an admin? 
-if config.groups["gitano-admin"].filtered_members[username] then - -- Yep, so blithely reset logging level - gitano.log.set_level(start_log_level) -end - -if not config.global.silent then - -- Not silent, bump to chatty level automatically - gitano.log.bump_level(gitano.log.level.CHAT) -end - -local repo - --- Find the command +local authorized, cmd, parsed_cmdline, config, env, repo = + gitano.auth.is_authorized(user, "ssh", cmdline, repo_root) +if authorized then + local exit = gitano.util.run_command(cmd, cmdline, parsed_cmdline, + user, config, env, repo) -ip = string.match(luxio.getenv "SSH_CLIENT", "^[^ ]+") or "" - -gitano.log.syslog.info("Client connected from", ip, "as", username, - "(" .. keytag .. ")", "Executing command:", - cmdline) - -local cmd = gitano.command.get(parsed_cmdline[1]) - -if not cmd then - gitano.log.fatal("Unknown command: " .. parsed_cmdline[1]) -end - -if cmd.takes_repo then - repo, parsed_cmdline = cmd.detect_repo(config, parsed_cmdline) - if not repo and not parsed_cmdline then - gitano.log.fatal("Failed to acquire repository object") + if exit ~= 0 then + gitano.log.fatal("Error running command, exiting") end -end - --- Validate the commandline, massaging it as necessary. - -if not cmd.validate(config, repo, parsed_cmdline) then - gitano.log.fatal("Validation of command line failed") -end - --- Construct our context ready for prep -local context = { - source = "ssh", - user = username, - keytag = keytag, -} - -local action, reason = cmd.prep(config, repo, parsed_cmdline, context) - -if not action then - gitano.log.crit(reason) - gitano.log.fatal("Ruleset did not complete cleanly") -end - -if action == "allow" then - gitano.log.info(reason or "Ruleset permitted action") -else - gitano.log.critical(reason) - gitano.log.fatal("Ruleset denied action. Sorry.") -end - -gitano.log.debug("Welcome to " .. config.global.site_name) -gitano.log.debug("Running:") -for i = 1, #parsed_cmdline do - gitano.log.debug(" => " .. 
parsed_cmdline[i]) -end -gitano.log.debug("") -gitano.log.debug("On behalf of " .. username .. " using key " .. keytag) - --- Set up some useful environment variables - -local env = { - ["GITANO_ROOT"] = repo_root, - ["GITANO_USER"] = username, - ["GITANO_KEYTAG"] = keytag, - ["GITANO_PROJECT"] = (repo or {}).name, - ["GITANO_SOURCE"] = "ssh", - ["GITANO_TRANSACTION_ID"] = transactionid, -} - -local how, why = cmd.run(config, repo, parsed_cmdline, env) - -if how ~= "exit" or why ~= 0 then - gitano.log.critical("Error running sub-process:", - ("%s (%d)"):format(how, why)) - gitano.log.fatal("Unable to continue") else - gitano.log.syslog.info(cmdline, "completed successfully") + gitano.log.fatal("Not authorized") end gitano.log.syslog.close() -- cgit v1.2.1 From 7035283011cf3bd7deec82a61475c9e8edb5491d Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 12:28:31 +0100 Subject: Make gitano-command cgi use runcmd --- bin/gitano-command.cgi.in | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/bin/gitano-command.cgi.in b/bin/gitano-command.cgi.in index 681603b..2fa1db2 100755 --- a/bin/gitano-command.cgi.in +++ b/bin/gitano-command.cgi.in 
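Review bot: `keytag` is still unpacked from `...` on the new side but is never used again: the call is `gitano.auth.is_authorized(user, "ssh", cmdline, repo_root)`, whereas the removed code put the tag into the ruleset `context`, into `GITANO_KEYTAG` and into the syslog connection record. The auth.lua hunk earlier in this series shows `is_authorized` starting from `local keytag = ""`, so unless it recovers the tag some other way (not visible here), rules and logs for SSH sessions would see an empty key tag. The removed `Client connected from` syslog entry carrying the `SSH_CLIENT` address also has no visible replacement, which weakens the audit trail for SSH access. Consider carrying the tag through, e.g. `gitano.auth.is_authorized(user, "ssh", cmdline, repo_root, keytag)` with a matching optional parameter in auth.lua, and keeping the connection log line in this script.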
@@ -29,26 +29,6 @@ function url_decode(str) return str end -function run_command(cmd, cmdline, parsed_cmdline, user, config, env, repo) - gitano.log.debug("Welcome to " .. config.global.site_name) - gitano.log.debug("Running:") - for i = 1, #parsed_cmdline do - gitano.log.debug(" => " .. parsed_cmdline[i]) - end - gitano.log.debug("") - gitano.log.debug("On behalf of " .. user .. " using key " .. env["GITANO_KEYTAG"]) - - local how, why = cmd.run(config, repo, parsed_cmdline, env) - - if how ~= "exit" or why ~= 0 then - gitano.log.critical("Error running " .. parsed_cmdline[1] .. ": " .. how) - return why - else - gitano.log.syslog.info(cmdline, "completed successfully") - return 0 - end -end - if os.getenv("QUERY_STRING") then local query_string = url_decode(os.getenv("QUERY_STRING")) local cmdline = query_string @@ -77,7 +57,7 @@ if os.getenv("QUERY_STRING") then gitano.auth.is_authorized(user, "http", cmdline, os.getenv("GITANO_ROOT")) if authorized then - local exit = run_command(cmd, cmdline, parsed_cmdline, + local exit = gitano.util.run_command(cmd, cmdline, parsed_cmdline, user, config, env, repo) stdout:write("Status: " .. (exit == 0 and "200 OK" or "400 Bad request") -- cgit v1.2.1 From 800ec03542c7bc09afbddce9a2b01f94d615fce9 Mon Sep 17 00:00:00 2001 From: Richard Ipsum Date: Sun, 4 May 2014 13:50:58 +0100 Subject: Make runcmd output "Unable to continue" At the moment the test suite requires that certain errors produce "Unable to continue" on stderr --- lib/gitano/util.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/gitano/util.lua b/lib/gitano/util.lua index 5fc4ab1..ab8730a 100644 --- a/lib/gitano/util.lua +++ b/lib/gitano/util.lua @@ -29,6 +29,7 @@ local function run_command(cmd, cmdline, parsed_cmdline, user, if how ~= "exit" or why ~= 0 then log.critical("Error running " .. parsed_cmdline[1] .. ": " .. how) + log.critical("Unable to continue") return why else log.syslog.info(cmdline, "completed successfully") -- cgit v1.2.1