author | Nick Thomas <nick@gitlab.com> | 2017-08-30 12:00:39 +0100 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2017-09-04 18:16:31 +0100 |
commit | 48115be509ce00120d0609f5f18a5bc3804bb21f (patch) | |
tree | 6ead152e6608e1c3d30de6469efc4b05dd090e0b /lib/system_check | |
parent | 25a443d65220cb76fab2c8123eca17f30c461a89 (diff) | |
download | gitlab-ce-48115be509ce00120d0609f5f18a5bc3804bb21f.tar.gz |
Add a system check for the git user's custom SSH configuration
Diffstat (limited to 'lib/system_check')
-rw-r--r-- | lib/system_check/app/git_user_default_ssh_config_check.rb | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/lib/system_check/app/git_user_default_ssh_config_check.rb b/lib/system_check/app/git_user_default_ssh_config_check.rb
new file mode 100644
index 00000000000..7b486d78cf0
--- /dev/null
+++ b/lib/system_check/app/git_user_default_ssh_config_check.rb
@@ -0,0 +1,69 @@
+module SystemCheck
+ module App
+ class GitUserDefaultSSHConfigCheck < SystemCheck::BaseCheck
+ # These files are allowed in the .ssh directory. The `config` file is not
+ # whitelisted as it may change the SSH client's behaviour dramatically.
+ WHITELIST = %w[
+ authorized_keys
+ authorized_keys2
+ known_hosts
+ ].freeze
+
+ set_name 'Git user has default SSH configuration?'
+ set_skip_reason 'skipped (git user is not present or configured)'
+
+ def skip?
+ !home_dir || !File.directory?(home_dir)
+ end
+
+ def check?
+ forbidden_files.empty?
+ end
+
+ def show_error
+ backup_dir = "~/gitlab-check-backup-#{Time.now.to_i}"
+
+ instructions = forbidden_files.map do |filename|
+ "sudo mv #{Shellwords.escape(filename)} #{backup_dir}"
+ end
+
+ try_fixing_it("mkdir #{backup_dir}", *instructions)
+ for_more_information('doc/ssh/README.md in section "SSH on the GitLab server"')
+ fix_and_rerun
+ end
+
+ private
+
+ def git_user
+ Gitlab.config.gitlab.user
+ end
+
+ def home_dir
+ return @home_dir if defined?(@home_dir)
+
+ @home_dir =
+ begin
+ File.expand_path("~#{git_user}")
+ rescue ArgumentError
+ nil
+ end
+ end
+
+ def ssh_dir
+ return nil unless home_dir
+
+ File.join(home_dir, '.ssh')
+ end
+
+ def forbidden_files
+ @forbidden_files ||=
+ begin
+ present = Dir[File.join(ssh_dir, '*')]
+ whitelisted = WHITELIST.map { |basename| File.join(ssh_dir, basename) }
+
+ present - whitelisted
+ end
+ end
+ end
+ end
+end |
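Review bot: `forbidden_files` can report a clean `.ssh` directory that it never actually inspected. `Dir[File.join(ssh_dir, '*')]` returns an empty list when the user running the check cannot read the directory, and the `*` pattern also skips dot-prefixed entries, so `check?` passes in both cases. Listing with `Dir.entries(ssh_dir)` and subtracting `.`, `..` and `WHITELIST` covers hidden entries and raises on a permission error instead of passing silently; only a missing directory should map to an empty result. How an `Errno::EACCES` raised there ought to be reported depends on `SystemCheck::BaseCheck`, which is outside this hunk.

```ruby
def forbidden_files
  @forbidden_files ||=
    begin
      # Dir.entries lists dotfiles too and raises if the directory is unreadable.
      names = Dir.entries(ssh_dir) - %w[. ..] - WHITELIST
      names.map { |basename| File.join(ssh_dir, basename) }
    rescue Errno::ENOENT
      [] # no .ssh directory, so nothing custom to report
    end
end
```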