6 use Digest
::MD5
qw(md5);
25 require Digest
::SHA
::PurePerl
;
26 Digest
::SHA
::PurePerl
->import(
29 die "One of Digest::SHA or Digest::SHA1 or Digest::SHA::PurePerl "
30 . "must be available\n";
36 my @md5 = unpack('C*', md5
(time . $$ . rand() . join(':',%$self)));
37 $md5[6] = 0x40 | ($md5[6] & 0x0F); # Version 4 -- random
38 $md5[8] = 0x80 | ($md5[8] & 0x3F); # RFC 4122 specification
40 '%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x',
46 my (undef, undef, $gid) = getgrnam($Girocco::Config
::owning_group
||'');
47 my $owngroupid = $gid ?
$gid : 65534;
48 Girocco
::User
->load($self->{name
}) and die "User $self->{name} already exists";
49 $self->{uuid
} = $self->_gen_uuid;
50 my $email_uuid = join ',', $self->{email
}, $self->{uuid
};
51 filedb_atomic_append
(jailed_file
('/etc/passwd'),
52 join(':', $self->{name
}, 'x', '\i', $owngroupid, $email_uuid, '/', '/bin/git-shell-verify'));
57 filedb_atomic_edit
(jailed_file
('/etc/passwd'),
61 if ($self->{name
} eq (split /:/)[0]) {
62 # preserve all but login name and comment field
63 my @fields=split(/:/, $_, -1);
64 $fields[0] = $self->{name
};
65 $self->{uuid
} = (split(',', $fields[4]))[1] || '';
66 $self->{uuid
} or $self->{uuid
} = $self->_gen_uuid;
67 $fields[4] = join(',', $self->{email
}, $self->{uuid
});
68 return join(':', @fields)."\n";
78 '/etc/sshkeys/'.$self->{name
};
83 open F
, "<".jailed_file
($self->_sshkey_path) or die "sshkey load failed: $!";
88 if (/^ssh-(?:dss|rsa) /) {
90 } elsif (/^# REPOAUTH ([0-9a-f]+) (\d+)/) {
92 $auth = $1 unless (time >= $expire);
96 my $keys = join("\n", @keys); chomp $keys;
102 open F
, ">".jailed_file
($self->_sshkey_path) or die "sshkey failed: $!";
103 if (defined($self->{auth
}) && $self->{auth
}) {
104 my $expire = time + 24 * 3600;
105 print F
"# REPOAUTH $self->{auth} $expire\n";
107 print F
$self->{keys}."\n";
109 chmod 0664, jailed_file
($self->_sshkey_path);
112 # private constructor, do not use
116 Girocco
::User
::valid_name
($name) or die "refusing to create user with invalid name ($name)!";
117 my $proj = { name
=> $name };
122 # public constructor #0
123 # creates a virtual user not connected to disk record
124 # you can conjure() it later to disk
128 my $self = $class->_new($name);
132 # public constructor #1
137 open F
, jailed_file
("/etc/passwd") or die "user load failed: $!";
141 next unless (shift eq $name);
143 my $self = $class->_new($name);
146 (undef, $self->{uid
}, undef, $email_uuid) = @_;
147 ($self->{keys}, $self->{auth
}) = $self->_sshkey_load;
148 ($self->{email
}, $self->{uuid
}) = split ',', $email_uuid;
151 $self->{uuid
} or $self->_passwd_update;
158 # public constructor #2
163 open F
, jailed_file
("/etc/passwd") or die "user load failed: $!";
167 next unless ($_[2] eq $uid);
169 my $self = $class->_new($_[0]);
172 (undef, undef, $self->{uid
}, undef, $email_uuid) = @_;
173 ($self->{keys}, $self->{auth
}) = $self->_sshkey_load;
174 ($self->{email
}, $self->{uuid
}) = split ',', $email_uuid;
177 $self->{uuid
} or $self->_passwd_update;
184 # $user may not be in sane state if this returns false!
188 my $cgi = $gcgi->cgi;
190 $self->{name
} = $gcgi->wparam('name');
191 Girocco
::User
::valid_name
($self->{name
})
192 or $gcgi->err("Name contains invalid characters.");
194 $self->{email
} = $gcgi->wparam('email');
195 valid_email
($self->{email
})
196 or $gcgi->err("Your email sure looks weird...?");
198 $self->keys_fill($gcgi);
204 foreach (split /\r\n|\r|\n/, $keys) {
205 next if /^[ \t]*$/ || /^[ \t]*#/;
208 return join("\n", @lines);
214 my $email = shift || '';
216 if (valid_email
($email)) {
217 $self->{email
} = $email;
218 $self->_passwd_update;
220 $gcgi->err("Your email sure looks weird...?");
223 not $gcgi->err_check;
228 my ($type, $bits, $fingerprint, $comment) = sshpub_validate
($key);
229 return $type ?
1 : 0;
235 my $cgi = $gcgi->cgi;
237 $self->{keys} = _trimkeys
($cgi->param('keys'));
238 length($self->{keys}) <= 4096
239 or $gcgi->err("The list of keys is more than 4kb. Do you really need that much?");
240 foreach (split /\r?\n/, $self->{keys}) {
242 /^ssh-(?:dss|rsa) [0-9A-Za-z+\/=]+ \S
+@\S
+$/ && _checkkey
($_)
243 or $keyval=CGI
::escapeHTML
($_),$gcgi->err(<<EOT);
244 Your ssh key ("$keyval") appears to have an invalid format
245 (does not start with ssh-dss or ssh-rsa or does not end with <tt>\@</tt>-identifier) -
246 maybe your browser has split a single key onto multiple lines?
250 not $gcgi->err_check;
261 my @keys = split(/\r?\n/, $self->{keys});
264 my %types = ('ssh-dss' => 'DSA', 'ssh-rsa' => 'RSA');
268 my ($type, $bits, $fingerprint, $comment) = sshpub_validate
($_);
269 next unless $type && $types{$type};
270 my $euser = CGI
::escapeHTML
(CGI
::Util
::escape
($self->{name
}));
271 $html .= "<li>$bits <tt>$fingerprint</tt> ($types{$type}) $comment";
272 $html .= "<br /><a target=\"_blank\" href=\"/usercert.cgi/$euser/$line/".
273 $Girocco::Config
::nickname
."_${euser}_user_$line.pem\">".
274 "download https push user authentication certificate</a> <sup>".
275 "<a target=\"_blank\" href=\"$Girocco::Config::htmlurl/httpspush.html\">".
276 "(learn more)</a></sup>"
277 if $type eq 'ssh-rsa' && $Girocco::Config
::httpspushurl
&&
278 $Girocco::Config
::clientcert
&&
279 $Girocco::Config
::clientkey
;
289 $self->{auth
} = sha1_hex
(time . $$ . rand() . $self->{keys});
297 delete $self->{auth
};
311 /^[a-zA-Z0-9+._-]+$/;
316 Girocco
::User
::valid_name
($name) or die "tried to query for user with invalid name $name!";
317 (-e jailed_file
("/etc/sshkeys/$name"));
322 $Girocco::Config
::chrooted
and undef; # TODO for ACLs within chroot
323 scalar(getpwnam($name));