From d12d210fd6a6cd7fe9f397703fc752c562b68b92 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Mon, 1 Aug 2016 17:52:05 +0200
Subject: Manage authorized_keys permissions continuously

We can lazily create authorized_keys and set its permissions. This adds negligible overhead and it allows us to remove a setup step from GitLab both on source and in omnibus-gitlab.
---
 lib/gitlab_keys.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'lib/gitlab_keys.rb')
diff --git a/lib/gitlab_keys.rb b/lib/gitlab_keys.rb
index f17e6b7..e1b62ad 100644
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -34,7 +34,7 @@ class GitlabKeys
 lock do
 $logger.info "Adding key #{@key_id} => #{@key.inspect}"
 auth_line = @gitlab_key.key_line(@key_id, @key)
- open(auth_file, 'a') { |file| file.puts(auth_line) }
+ open_auth_file('a') { |file| file.puts(auth_line) }
 end
 true
 end
@@ -54,7 +54,7 @@ class GitlabKeys
 def batch_add_keys
 lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys
- open(auth_file, 'a') do |file|
+ open_auth_file('a') do |file|
 stdin.each_line do |input|
 tokens = input.strip.split("\t")
 abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
@@ -74,7 +74,7 @@ class GitlabKeys
 def rm_key
 lock do
 $logger.info "Removing key #{@key_id}"
- open(auth_file, 'r+') do |f|
+ open_auth_file('r+') do |f|
 while line = f.gets do
 next unless line.start_with?("command=\"#{@gitlab_key.command(@key_id)}\"")
 f.seek(-line.length, IO::SEEK_CUR)
@@ -88,7 +88,7 @@ class GitlabKeys
 end
 def clear
- open(auth_file, 'w') { |file| file.puts '# Managed by gitlab-shell' }
+ open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' }
 true
 end
@@ -107,6 +107,13 @@ class GitlabKeys
 def lock_file
 @lock_file ||= auth_file + '.lock'
 end
+ def open_auth_file(mode)
+ open(auth_file, mode, 0600) do |file|
+ file.chmod(0600)
+ yield file
+ end
+ end
 end
--
cgit v1.2.1
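Review bot: In `rm_key`, `open_auth_file('r+')` still raises `Errno::ENOENT` when authorized_keys does not exist, because `r+` never creates the file; only the `a` and `w` callers get the lazy creation the commit message describes. With the setup step removed, a key removal on a fresh install would fail instead of being a no-op. A guard such as `return true unless File.exist?(auth_file)` ahead of the open would cover it. The rest of `rm_key` lies outside the hunk, so the return value should be matched to what the method returns today.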
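Review bot: `clear` truncates authorized_keys without taking the lock that `add_key`, `batch_add_keys` and `rm_key` hold, so the truncate can interleave with `rm_key`'s in-place rewrite or with an append from another process. Since this line is being touched anyway, writing it as `lock { open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' } }` would make all four writers serialize on the same lock file.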
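Review bot: The bare `open` in `open_auth_file` is `Kernel#open`, which runs a command instead of opening a file when the path starts with `|`; as the one place authorized_keys is now opened, it should read `File.open(auth_file, mode, 0600) do |file|`. `auth_file` is presumably taken from configuration (its definition is outside the hunk), so this is hardening rather than a demonstrated hole. The helper also deserves a short comment, e.g. `# The 0600 argument only applies on create and is umask-filtered; chmod on the handle fixes up a pre-existing file.`, so that `file.chmod(0600)` is not later removed as redundant. Nothing here creates or checks the parent directory, so if the dropped setup step also prepared it, that still has to happen elsewhere.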