author | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2014-02-15 18:42:55 +0000 |
---|---|---|
committer | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2014-02-15 18:42:55 +0000 |
commit | 0df3aef92d1a4b30f3bfabc9d80f3a6709e285a0 (patch) | |
tree | b3da3c23313bbb5d99e3e3211c71615dea2144f7 | |
parent | 6ab2c1ae897fc72f6ee9b5efd84f260d9d0ca4c0 (diff) | |
download | gitano-0df3aef92d1a4b30f3bfabc9d80f3a6709e285a0.tar.gz |
user err
-rw-r--r-- | lib/gitano/auth.lua | 119 |
1 files changed, 52 insertions, 67 deletions
diff --git a/lib/gitano/auth.lua b/lib/gitano/auth.lua index 92d3271..2408e12 100644 --- a/lib/gitano/auth.lua +++ b/lib/gitano/auth.lua @@ -23,32 +23,60 @@ local function load_admin_conf(repo_root) return nil end - local config, msg = config.parse(admin_head) + local admin_conf, msg = config.parse(admin_head) - if not config then + if not admin_conf then log.critical("Unable to parse administration repository.") log.critical(" * " .. (msg or "No error?")) return nil end - return config + return admin_conf end --- TODO: this must be split up, it is far too long -local function is_authorized(user, cmdline) +local function set_log_level(admin_conf, username) + if admin_conf.groups["gitano-admin"].filtered_members[username] then + log.set_level(start_log_level) + end - if not user or not cmdline then - return nil + if not admin_conf.global.silent then + log.bump_level(log.level.CHAT) end +end + +local function set_environment(repo_root, repo, context, transactionid) + local env = { + ["GITANO_ROOT"] = repo_root, + ["GITANO_USER"] = context.username, + ["GITANO_KEYTAG"] = context.keytag, + ["GITANO_PROJECT"] = (repo or {}).name or "", + ["GITANO_SOURCE"] = "ssh", + ["GITANO_TRANSACTION_ID"] = transactionid, + } + for k, v in pairs(env) do + luxio.setenv(k, v) + end + + return env +end + +-- TODO: this must be split up, it is far too long +local function is_authorized(user, cmdline) local repo_root = os.getenv("GITANO_ROOT") local username = user local keytag = "" local authorized = false + local start_log_level = log.get_level() + log.cap_level(log.level.INFO) + local transactionid = log.syslog.open() + config.repo_path(repo_root) - local transactionid = log.syslog.open() + if not user or not cmdline then + return nil + end local parsed_cmdline, warnings = util.parse_cmdline(cmdline) 
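Review bot: `set_environment` reads `context.username`, but the context table built later in `is_authorized` (next hunk) has the field `user`, not `username`, so `GITANO_USER` is now derived from nil and the hook environment loses the acting user that the old `luxio.setenv("GITANO_USER", username)` provided; change it to `["GITANO_USER"] = context.user,`. In `set_log_level`, `start_log_level` is neither a parameter nor a local in scope (the `local start_log_level = log.get_level()` lives inside `is_authorized`), so unless a module-level local of that name exists above this hunk it resolves to a global nil and admins get `log.set_level(nil)` instead of their original level; pass it explicitly, `local function set_log_level(admin_conf, username, start_log_level)` and call it as `set_log_level(admin_conf, username, start_log_level)`. The `if not user or not cmdline` guard now runs after `log.cap_level`, `log.syslog.open()` and `config.repo_path(repo_root)`, so a call with no user still opens a syslog transaction and mutates config state; keep the guard first. `set_environment` also hard-codes `GITANO_SOURCE` to "ssh" while the context in this file says `source = "http"`, which changes what hooks observe compared with the old `luxio.setenv("GITANO_SOURCE", "http")` — presumably unintended, worth confirming. `is_authorized` continues past the end of this hunk.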
@@ -57,102 +85,59 @@ local function is_authorized(user, cmdline) return nil end - local start_log_level = log.get_level() - - -- Clamp level at info until we have checked if the caller - -- is an admin or not - log.cap_level(log.level.INFO) - - local config = load_admin_conf(repo_root) - - if config.groups["gitano-admin"].filtered_members[username] then - log.set_level(start_log_level) - end - - if not config.global.silent then - log.bump_level(log.level.CHAT) - end - - local repo - -- Find the command + local admin_conf = load_admin_conf(repo_root) + set_log_level(admin_conf, username) ip = os.getenv("REMOTE_ADDR") or "unknown ip" - log.syslog.info("Client connected from", ip, "as", username, - "(" .. keytag .. ")", "Executing command:", - cmdline) + "(" .. keytag .. ")", "Executing command:", cmdline) local cmd = command.get(parsed_cmdline[1]) if not cmd then log.critical("Unknown command: " .. parsed_cmdline[1]) - return authorized + return nil end + local repo if cmd.takes_repo and #parsed_cmdline > 1 then -- Acquire the repository object for the target repo local msg - repo, msg = repository.find(config, parsed_cmdline[2]) + repo, msg = repository.find(admin_conf, parsed_cmdline[2]) + if not repo then log.critical("Unable to locate repository.") - log.critical(" * " .. (tostring(msg))) - log.critical("Cannot continue") - end - - if repo.is_nascent then - log.info("Repository " .. repo.name .. " is nascent") + log.critical(" * " .. (tostring(msg) or "No error")) + return nil end end -- Validate the commandline, massaging it as necessary. 
- - if not cmd.validate(config, repo, parsed_cmdline) then + if not cmd.validate(admin_conf, repo, parsed_cmdline) then log.critical("Validation of command line failed") - return authorized + return nil end - -- Construct our context ready for prep - local context = { - source = "http", - user = username, - keytag = keytag, - } - - local action, reason = cmd.prep(config, repo, parsed_cmdline, context) + local context = {source = "http", user = username, keytag = keytag} + local action, reason = cmd.prep(admin_conf, repo, parsed_cmdline, context) if not action then log.critical(reason) log.critical("Ruleset did not complete cleanly") + return nil end local env - if action == "allow" then log.info(reason or "Ruleset permitted action") authorized = true - - -- set env vars needed by gitano hooks - luxio.setenv("GITANO_ROOT", repo_root) - luxio.setenv("GITANO_USER", username) - luxio.setenv("GITANO_KEYTAG", keytag) - luxio.setenv("GITANO_PROJECT", (repo or {}).name or "") - luxio.setenv("GITANO_SOURCE", "http") - luxio.setenv("GITANO_TRANSACTION_ID", transactionid) - - env = { - ["GITANO_ROOT"] = repo_root, - ["GITANO_USER"] = username, - ["GITANO_KEYTAG"] = keytag, - ["GITANO_PROJECT"] = (repo or {}).name, - ["GITANO_SOURCE"] = "ssh", - ["GITANO_TRANSACTION_ID"] = transactionid, - } + env = set_environment(repo_root, repo, context, transactionid) else log.critical(reason) log.critical("Ruleset denied action. Sorry.") end - return authorized, cmd, parsed_cmdline, config, env + return authorized, cmd, parsed_cmdline, admin_conf, env end return { |
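Review bot: `load_admin_conf` returns nil on parse failure (first hunk), yet `set_log_level(admin_conf, username)` indexes `admin_conf.groups` immediately, turning that already-logged failure into an uncaught Lua error instead of a clean denial; add `if not admin_conf then return nil end` between the two lines. In the repository error path `tostring(msg) or "No error"` never reaches the fallback because `tostring` always returns a string; `tostring(msg or "No error")` expresses the intent. The context line `ip = os.getenv("REMOTE_ADDR") or "unknown ip"` is an accidental global left untouched by this commit; `local ip = os.getenv("REMOTE_ADDR") or "unknown ip"` would keep it scoped to `is_authorized`.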