1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
|
require 'timeout'
require_relative 'gitlab_config'
require_relative 'gitlab_logger'
require_relative 'gitlab_metrics'
class GitlabKeys # rubocop:disable Metrics/ClassLength
class KeyError < StandardError; end
attr_accessor :auth_file, :key
def self.command(whatever)
"#{ROOT_PATH}/bin/gitlab-shell #{whatever}"
end
def self.command_key(key_id)
unless /\A[a-z0-9-]+\z/ =~ key_id
raise KeyError, "Invalid key_id: #{key_id.inspect}"
end
command(key_id)
end
def self.whatever_line(command, trailer)
"command=\"#{command}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{trailer}"
end
def self.key_line(key_id, public_key)
public_key.chomp!
if public_key.include?("\n")
raise KeyError, "Invalid public_key: #{public_key.inspect}"
end
whatever_line(command_key(key_id), public_key)
end
def self.principal_line(username_key_id, principal)
principal.chomp!
if principal.include?("\n")
raise KeyError, "Invalid principal: #{principal.inspect}"
end
whatever_line(command_key(username_key_id), principal)
end
def initialize
@command = ARGV.shift
@key_id = ARGV.shift
key = ARGV.shift
@key = key.dup if key
@auth_file = GitlabConfig.new.auth_file
end
def exec
GitlabMetrics.measure("command-#{@command}") do
case @command
when 'add-key'
add_key
when 'batch-add-keys'
batch_add_keys
when 'rm-key'
rm_key
when 'list-keys'
list_keys
when 'list-key-ids'
list_key_ids
when 'clear'
clear
when 'check-permissions'
check_permissions
else
$logger.warn('Attempt to execute invalid gitlab-keys command', command: @command.inspect)
puts 'not allowed'
false
end
end
end
protected
def add_key
lock do
$logger.info('Adding key', key_id: @key_id, public_key: @key)
auth_line = self.class.key_line(@key_id, @key)
open_auth_file('a') { |file| file.puts(auth_line) }
end
true
end
def list_keys
$logger.info 'Listing all keys'
keys = ''
File.readlines(auth_file).each do |line|
# key_id & public_key
# command=".../bin/gitlab-shell key-741" ... ssh-rsa AAAAB3NzaDAxx2E\n
# ^^^^^^^ ^^^^^^^^^^^^^^^
matches = /^command=\".+?\s+(.+?)\".+?(?:ssh|ecdsa)-.*?\s(.+)\s*.*\n*$/.match(line)
keys << "#{matches[1]} #{matches[2]}\n" unless matches.nil?
end
puts keys
end
def list_key_ids
$logger.info 'Listing all key IDs'
open_auth_file('r') do |f|
f.each_line do |line|
matchd = line.match(/key-(\d+)/)
next unless matchd
puts matchd[1]
end
end
end
def batch_add_keys
lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys
open_auth_file('a') do |file|
stdin.each_line do |input|
tokens = input.strip.split("\t")
abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
key_id, public_key = tokens
$logger.info('Adding key', key_id: key_id, public_key: public_key)
file.puts(self.class.key_line(key_id, public_key))
end
end
end
true
end
def stdin
$stdin
end
def rm_key
lock do
$logger.info('Removing key', key_id: @key_id)
open_auth_file('r+') do |f|
while line = f.gets # rubocop:disable Lint/AssignmentInCondition
next unless line.start_with?("command=\"#{self.class.command_key(@key_id)}\"")
f.seek(-line.length, IO::SEEK_CUR)
# Overwrite the line with #'s. Because the 'line' variable contains
# a terminating '\n', we write line.length - 1 '#' characters.
f.write('#' * (line.length - 1))
end
end
end
true
end
def clear
open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' }
true
end
def check_permissions
open_auth_file(File::RDWR | File::CREAT) { true }
rescue => ex
puts "error: could not open #{auth_file}: #{ex}"
if File.exist?(auth_file)
system('ls', '-l', auth_file)
else
# Maybe the parent directory is not writable?
system('ls', '-ld', File.dirname(auth_file))
end
false
end
def lock(timeout = 10)
File.open(lock_file, "w+") do |f|
begin
f.flock File::LOCK_EX
Timeout.timeout(timeout) { yield }
ensure
f.flock File::LOCK_UN
end
end
end
def lock_file
@lock_file ||= auth_file + '.lock'
end
def open_auth_file(mode)
open(auth_file, mode, 0o600) do |file|
file.chmod(0o600)
yield file
end
end
end
|
