authorJacob Vosmaer <jacob@gitlab.com>2016-08-02 10:52:28 +0200
committerJacob Vosmaer <jacob@gitlab.com>2016-08-02 11:16:24 +0200
commitf9a55789864e30c1fed2951e26fd62768fc04bce (patch)
tree91ae629e05007cd4fc24883153be2b7ed0655c79
parenta7d2fed0a64ec6271cced4dffe24021907e8ccd7 (diff)
downloadgitlab-shell-f9a55789864e30c1fed2951e26fd62768fc04bce.tar.gz
Improve authorized_keys check
The old check only looked if authorized_keys exists. With this change, we look whether we can actually open the file for reading and writing. When this fails we try to print useful diagnostic information.
-rwxr-xr-xbin/check8
-rw-r--r--lib/gitlab_keys.rb13
2 files changed, 16 insertions, 5 deletions
diff --git a/bin/check b/bin/check
index 363cb6a..d34a2d0 100755
--- a/bin/check
+++ b/bin/check
@@ -19,14 +19,12 @@ rescue GitlabNet::ApiUnreachableError
abort "FAILED: Failed to connect to internal API"
end
-
-puts "\nCheck directories and files: "
-
config = GitlabConfig.new
abort("ERROR: missing option in config.yml") unless config.auth_file
-print "\t#{config.auth_file}: "
-if File.exists?(config.auth_file)
+
+print "\nAccess to #{config.auth_file}: "
+if system(File.dirname(__FILE__) + '/gitlab-keys', 'check-permissions')
print 'OK'
else
abort "FAILED"
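Review bot: `system` returns `nil` when the helper cannot be executed at all (for example a missing or non-executable `gitlab-keys`), and the `if` on the added line treats that the same as a failed permission check, so the operator sees `Access to …: FAILED` with nothing explaining why. Keeping the result and handling `nil` separately makes the two cases distinguishable: `ok = system(File.join(File.dirname(__FILE__), 'gitlab-keys'), 'check-permissions')` followed by `abort "FAILED: could not run gitlab-keys" if ok.nil?`. The `if`/`else` this condition belongs to closes outside the hunk.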
diff --git a/lib/gitlab_keys.rb b/lib/gitlab_keys.rb
index e1b62ad..446ae9d 100644
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -21,6 +21,7 @@ class GitlabKeys
when 'rm-key'; rm_key
when 'list-keys'; puts list_keys
when 'clear'; clear
+ when 'check-permissions'; check_permissions
else
$logger.warn "Attempt to execute invalid gitlab-keys command #{@command.inspect}."
puts 'not allowed'
@@ -92,6 +93,18 @@ class GitlabKeys
true
end
+ def check_permissions
+ open_auth_file('r+') { return true }
+ rescue
+ puts "error: could not open #{auth_file}"
+ if File.exist?(auth_file)
+ system('ls', '-l', auth_file)
+ else
+ # Maybe the parent directory is not writable?
+ system('ls', '-ld', File.dirname(auth_file))
+ end
+ false
+ end
def lock(timeout = 10)
File.open(lock_file, "w+") do |f|
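Review bot: The bare `rescue` in `check_permissions` discards the exception, so the printed message cannot tell a permission error from a missing file, a read-only filesystem or a failure inside `open_auth_file` itself; the `ls` output only partly recovers that. Capturing the exception and printing it keeps the cause visible: `rescue => ex` and `puts "error: could not open #{auth_file}: #{ex.inspect}"`. A successful `'r+'` open also only shows that the current user can read and write the file; it says nothing about whether the file or its directory is writable by group or others, which for an authorized_keys file is worth a separate `File.stat` mode check if this command is meant to vouch for the file. `open_auth_file` is defined outside the hunk, so how it treats a missing file under `'r+'` is not visible here.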