author | Jacob Vosmaer <jacob@gitlab.com> | 2016-08-01 17:52:05 +0200 |
---|---|---|
committer | Jacob Vosmaer <jacob@gitlab.com> | 2016-08-01 17:52:05 +0200 |
commit | d12d210fd6a6cd7fe9f397703fc752c562b68b92 (patch) | |
tree | fae18b313f7efbc83682f2f5bdadf4e18ce04f86 | |
parent | c3cfebcf1cad21434bd90d4d3bb33824c4644eb5 (diff) | |
download | gitlab-shell-keys-chmod.tar.gz |
Manage authorized_keys permissions continuouslykeys-chmod
We can lazily create authorized_keys and set its permissions. This
adds negligible overhead and it allows us to remove a setup step from
GitLab both on source and in omnibus-gitlab.
-rwxr-xr-x | bin/install | 2 | ||||
-rw-r--r-- | lib/gitlab_keys.rb | 15 | ||||
-rw-r--r-- | spec/gitlab_keys_spec.rb | 2 |
3 files changed, 12 insertions, 7 deletions
diff --git a/bin/install b/bin/install
index 73ac592..e9c1654 100755
--- a/bin/install
+++ b/bin/install
@@ -13,8 +13,6 @@ repository_storage_paths = ARGV
 commands = [
 %W(mkdir -p #{key_dir}),
 %W(chmod 700 #{key_dir}),
- %W(touch #{config.auth_file}),
- %W(chmod 600 #{config.auth_file}),
 ]
 repository_storage_paths.each do |repository_storage_path|
diff --git a/lib/gitlab_keys.rb b/lib/gitlab_keys.rb
index f17e6b7..e1b62ad 100644
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -34,7 +34,7 @@ class GitlabKeys
 lock do
 $logger.info "Adding key #{@key_id} => #{@key.inspect}"
 auth_line = @gitlab_key.key_line(@key_id, @key)
- open(auth_file, 'a') { |file| file.puts(auth_line) }
+ open_auth_file('a') { |file| file.puts(auth_line) }
 end
 true
 end
@@ -54,7 +54,7 @@ class GitlabKeys
 def batch_add_keys
 lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys
- open(auth_file, 'a') do |file|
+ open_auth_file('a') do |file|
 stdin.each_line do |input|
 tokens = input.strip.split("\t")
 abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
@@ -74,7 +74,7 @@ class GitlabKeys
 def rm_key
 lock do
 $logger.info "Removing key #{@key_id}"
- open(auth_file, 'r+') do |f|
+ open_auth_file('r+') do |f|
 while line = f.gets do
 next unless line.start_with?("command=\"#{@gitlab_key.command(@key_id)}\"")
 f.seek(-line.length, IO::SEEK_CUR)
@@ -88,7 +88,7 @@ class GitlabKeys
 end
 def clear
- open(auth_file, 'w') { |file| file.puts '# Managed by gitlab-shell' }
+ open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' }
 true
 end
@@ -107,6 +107,13 @@ class GitlabKeys
 def lock_file
 @lock_file ||= auth_file + '.lock'
 end
+
+ def open_auth_file(mode)
+ open(auth_file, mode, 0600) do |file|
+ file.chmod(0600)
+ yield file
+ end
+ end
 end
diff --git a/spec/gitlab_keys_spec.rb b/spec/gitlab_keys_spec.rb
index ed2fd58..5afa467 100644
--- a/spec/gitlab_keys_spec.rb
+++ b/spec/gitlab_keys_spec.rb
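Review bot: The `'r+'` mode that rm_key passes to the new `open_auth_file` never creates the file, because the 0600 perm argument only applies when the open creates it and `'r+'` carries no O_CREAT; with the install-time `touch` removed in bin/install, removing a key on a fresh installation that has never added one now raises Errno::ENOENT instead of being a no-op. Changing that call in the rm_key hunk to `open_auth_file(File::RDWR | File::CREAT)` keeps the read/seek logic intact and lets the file be created at 0600 like the `'a'` and `'w'` callers do. In the open_auth_file hunk, `File.open(auth_file, mode, 0600)` is preferable to Kernel#open, which treats a path beginning with `|` as a command to spawn; auth_file comes from config rather than request input, but nothing here needs that behaviour. The chmod only repairs the mode, not ownership, so an existing file owned by another user will most likely make `file.chmod(0600)` raise Errno::EPERM, which deserves at least a comment such as `# chmod fails with EPERM unless the file is ours; install must create it as the gitlab-shell user`. rm_key's body continues outside the hunk.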
@@ -80,7 +80,7 @@ describe GitlabKeys do
 context "without file writing" do
 before do
- gitlab_keys.should_receive(:open).and_yield(mock(:file, puts: nil))
+ gitlab_keys.should_receive(:open).and_yield(mock(:file, puts: nil, chmod: nil))
 end
 it "should log an add-key event" do
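Review bot: The stub `gitlab_keys.should_receive(:open)` accepts any arguments, so neither the 0600 creation mode nor the chmod call introduced in lib/gitlab_keys.rb is asserted by this example; `chmod: nil` merely keeps the mock from raising. Pinning the new contract would take `gitlab_keys.should_receive(:open).with(anything, 'a', 0600)` here and a separate `file.should_receive(:chmod).with(0600)` on the mocked file, so a regression that drops either permission step fails the spec rather than passing silently. The examples that use this `before` block continue outside the hunk.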