1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
require 'timeout'
require_relative 'gitlab_config'
require_relative 'gitlab_logger'
class GitlabKeys
attr_accessor :auth_file, :key
def initialize
@command = ARGV.shift
@key_id = ARGV.shift
@key = ARGV.shift
@auth_file = GitlabConfig.new.auth_file
@gitlab_key = GitlabKey.new
end
def exec
case @command
when 'add-key'; add_key
when 'batch-add-keys'; batch_add_keys
when 'rm-key'; rm_key
when 'list-keys'; puts list_keys
when 'clear'; clear
else
$logger.warn "Attempt to execute invalid gitlab-keys command #{@command.inspect}."
puts 'not allowed'
false
end
end
protected
def add_key
lock do
$logger.info "Adding key #{@key_id} => #{@key.inspect}"
auth_line = @gitlab_key.key_line(@key_id, @key)
open_auth_file('a') { |file| file.puts(auth_line) }
end
true
end
def list_keys
$logger.info 'Listing all keys'
keys = ''
File.readlines(auth_file).each do |line|
# key_id & public_key
# command=".../bin/gitlab-shell key-741" ... ssh-rsa AAAAB3NzaDAxx2E\n
# ^^^^^^^ ^^^^^^^^^^^^^^^
matches = /^command=\".+?\s+(.+?)\".+?(?:ssh|ecdsa)-.*?\s(.+)\s*.*\n*$/.match(line)
keys << "#{matches[1]} #{matches[2]}\n" unless matches.nil?
end
keys
end
def batch_add_keys
lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys
open_auth_file('a') do |file|
stdin.each_line do |input|
tokens = input.strip.split("\t")
abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
key_id, public_key = tokens
$logger.info "Adding key #{key_id} => #{public_key.inspect}"
file.puts(@gitlab_key.key_line(key_id, public_key))
end
end
end
true
end
def stdin
$stdin
end
def rm_key
lock do
$logger.info "Removing key #{@key_id}"
open_auth_file('r+') do |f|
while line = f.gets do
next unless line.start_with?("command=\"#{@gitlab_key.command(@key_id)}\"")
f.seek(-line.length, IO::SEEK_CUR)
# Overwrite the line with #'s. Because the 'line' variable contains
# a terminating '\n', we write line.length - 1 '#' characters.
f.write('#' * (line.length - 1))
end
end
end
true
end
def clear
open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' }
true
end
def lock(timeout = 10)
File.open(lock_file, "w+") do |f|
begin
f.flock File::LOCK_EX
Timeout::timeout(timeout) { yield }
ensure
f.flock File::LOCK_UN
end
end
end
def lock_file
@lock_file ||= auth_file + '.lock'
end
def open_auth_file(mode)
open(auth_file, mode, 0600) do |file|
file.chmod(0600)
yield file
end
end
end
class GitlabKey
def command(key_id)
"#{ROOT_PATH}/bin/gitlab-shell #{key_id}"
end
def key_line(key_id, public_key)
"command=\"#{command(key_id)}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{public_key}"
end
end
|
