1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
#!/usr/bin/perl -w
# help/instructions are at the bottom, in the __DATA__ section
use strict;
use warnings;
use FindBin;
BEGIN { $ENV{GL_BINDIR} = $FindBin::Bin; }
use lib $ENV{GL_BINDIR};
use gitolite_rc;
use gitolite;
sub usage { print <DATA>; exit 1; }
usage() if (not @ARGV) or $ARGV[0] eq '-h';
my $cmd = shift;
my $pub = shift;
if ($cmd eq 'add-shell-user' or $cmd eq 'add-mirroring-peer') {
# sanity checks
$pub or usage();
my $user = validate_pubkeyfile($pub);
# write the file out, with the new authkeys line added just *before* the
# gitolite section. But first, set the command that gets invoked
$cmd = ( $cmd eq 'add-shell-user' ? 'gl-auth-command -s' : 'gl-mirror-shell' );
ak_insert($cmd, $user, $pub);
exit 0;
}
die "could not understand command $cmd\n";
sub validate_pubkeyfile {
my $pub = shift;
-f $pub or die "$pub does not exist\n";
die "$pub contains more than one line\n" if wc_l($pub) > 1;
my $user = $pub;
$user =~ s(^.*/)(); # remove optional directory
die "file name must end in .pub\n" unless $user =~ /(.*)\.pub$/;
$user = $1;
return $user;
}
sub ak_insert {
my ($cmd, $user, $pub) = @_;
# must be kept consistent with what's in src/gl-compile-conf; on the plus
# side, it's not likely to change anytime soon!
my $AUTH_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding";
my $authline = "command=\"$ENV{GL_BINDIR}/$cmd $user\",$AUTH_OPTIONS " . slurp($pub);
my $authkeys = "$ENV{HOME}/.ssh/authorized_keys";
my $ak_lines = slurp($authkeys);
$ak_lines =~ s/^.*$cmd $user.*\n//m; # remove existing keyline, if present
$ak_lines =~ s/^# gitolite start/$authline# gitolite start/m;
my $akfh = wrap_open(">", $authkeys);
print $akfh $ak_lines;
close $akfh;
}
sub wc_l {
my $fh = wrap_open("<", shift);
my @l = <$fh>;
my $l = @l;
return $l;
}
__DATA__
gl-tool -- make some server side tasks easier
Usage:
gl-tool [sub-command [args]]
Security notes: this program does not do any sanitisation of input. You're
running it at the CLI on the server, so you already have the power to do
whatever you want anyway.
current sub-commands:
(1) REPLACE THE OLD $SHELL_USERS MECHANISM
gl-tool add-shell-user foo.pub
Adds the pubkey in foo.pub into the authkeys file with "-s" argument (shell
access) and user "foo". The line will be added *before* the "# gitolite
start" section, so that a gitolite-admin push will not affect it.
Although there is no "remove-shell-user" sub-command, you can do that quite
easily by editing ~/.ssh/authorized_keys and deleting the appropriate line.
(2) ADD A MIRRORING PEER KEY
gl-tool add-mirroring-peer git@server.company.com.pub
As above, but the given key will invoke 'gl-mirror-shell' instead of the
usual 'gl-auth-command'. This is meant to be a server-to-server key, allowing
(in this example), the gitolite server called 'git@server.company.com' to
access this server for mirroring operations.
|
GitWeb