git-interface/git-auth.py

   1 #!/usr/bin/python3
   2
   3 import configparser
   4 import mysql.connector
   5 import shlex
   6 import os
   7 import re
   8 import sys
   9
  10
  11 def format_command(env_vars, command, ssh_opts, ssh_key):
  12     environment = ''
  13     for key, var in env_vars.items():
  14         environment += '{}={} '.format(key, shlex.quote(var))
  15
  16     command = shlex.quote(command)
  17     command = '{}{}'.format(environment, command)
  18
  19     # The command is being substituted into an authorized_keys line below,
  20     # so we need to escape the double quotes.
  21     command = command.replace('"', '\\"')
  22     msg = 'command="{}",{} {}'.format(command, ssh_opts, ssh_key)
  23     return msg
  24
  25
  26 config = configparser.RawConfigParser()
  27 config.read(os.path.dirname(os.path.realpath(__file__)) + "/../conf/config")
  28
  29 aur_db_host = config.get('database', 'host')
  30 aur_db_name = config.get('database', 'name')
  31 aur_db_user = config.get('database', 'user')
  32 aur_db_pass = config.get('database', 'password')
  33 aur_db_socket = config.get('database', 'socket')
  34
  35 valid_keytypes = config.get('auth', 'valid-keytypes').split()
  36 username_regex = config.get('auth', 'username-regex')
  37 git_serve_cmd = config.get('auth', 'git-serve-cmd')
  38 ssh_opts = config.get('auth', 'ssh-options')
  39
  40 keytype = sys.argv[1]
  41 keytext = sys.argv[2]
  42 if not keytype in valid_keytypes:
  43     exit(1)
  44
  45 db = mysql.connector.connect(host=aur_db_host, user=aur_db_user,
  46                              passwd=aur_db_pass, db=aur_db_name,
  47                              unix_socket=aur_db_socket, buffered=True)
  48
  49 cur = db.cursor()
  50 cur.execute("SELECT Users.Username, Users.AccountTypeID FROM Users " +
  51             "INNER JOIN SSHPubKeys ON SSHPubKeys.UserID = Users.ID "
  52             "WHERE SSHPubKeys.PubKey = %s AND Users.Suspended = 0",
  53             (keytype + " " + keytext,))
  54
  55 if cur.rowcount != 1:
  56     exit(1)
  57
  58 user, account_type = cur.fetchone()
  59 if not re.match(username_regex, user):
  60     exit(1)
  61
  62
  63 env_vars = {
  64     'AUR_USER': user,
  65     'AUR_PRIVILEGED': '1' if account_type > 1 else '0',
  66 }
  67 key = keytype + ' ' + keytext
  68
  69 print(format_command(env_vars, git_serve_cmd, ssh_opts, key))