git-interface/git-auth.py

   1 #!/usr/bin/python3
   2
   3 import shlex
   4 import re
   5 import sys
   6
   7 import config
   8 import db
   9
  10
  11 def format_command(env_vars, command, ssh_opts, ssh_key):
  12     environment = ''
  13     for key, var in env_vars.items():
  14         environment += '{}={} '.format(key, shlex.quote(var))
  15
  16     command = shlex.quote(command)
  17     command = '{}{}'.format(environment, command)
  18
  19     # The command is being substituted into an authorized_keys line below,
  20     # so we need to escape the double quotes.
  21     command = command.replace('"', '\\"')
  22     msg = 'command="{}",{} {}'.format(command, ssh_opts, ssh_key)
  23     return msg
  24
  25
  26 valid_keytypes = config.get('auth', 'valid-keytypes').split()
  27 username_regex = config.get('auth', 'username-regex')
  28 git_serve_cmd = config.get('auth', 'git-serve-cmd')
  29 ssh_opts = config.get('auth', 'ssh-options')
  30
  31 keytype = sys.argv[1]
  32 keytext = sys.argv[2]
  33 if keytype not in valid_keytypes:
  34     exit(1)
  35
  36 conn = db.Connection()
  37
  38 cur = conn.execute("SELECT Users.Username, Users.AccountTypeID FROM Users " +
  39                    "INNER JOIN SSHPubKeys ON SSHPubKeys.UserID = Users.ID "
  40                    "WHERE SSHPubKeys.PubKey = ? AND Users.Suspended = 0",
  41                    (keytype + " " + keytext,))
  42
  43 row = cur.fetchone()
  44 if not row or cur.fetchone():
  45     exit(1)
  46
  47 user, account_type = row
  48 if not re.match(username_regex, user):
  49     exit(1)
  50
  51
  52 env_vars = {
  53     'AUR_USER': user,
  54     'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
  55 }
  56 key = keytype + ' ' + keytext
  57
  58 print(format_command(env_vars, git_serve_cmd, ssh_opts, key))