commit 555dfd741b74510a90615225a35e5ef219cda36c · kot.pink/core

+21 -6

cmd/repoguard/main.go

···

       26
        
       	incomingUser = flag.String("user", "", "Allowed git user")

     

       27
        
       	baseDirFlag  = flag.String("base-dir", "/home/git", "Base directory for git repositories")

     

       28
        
       	logPathFlag  = flag.String("log-path", "/var/log/git-wrapper.log", "Path to log file")

     

       29
       -
       	endpoint     = flag.String("internal-api", "http://localhost:5555", "Internal API endpoint")

     

       30
        
       )

     

       31
        
       

     

       32
        
       func main() {

     
···

       68
        
       

     

       69
        
       	// did:foo/repo-name or

     

       70
        
       	// handle/repo-name

     

       71
       -
       	components := filepath.SplitList(cmdParts[2])

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       72
        
       	if len(components) != 2 {

     

       73
        
       		exitWithLog("invalid repo format, needs <user>/<repo>")

     

       74
        
       	}

     
···

       89
        
       

     

       90
        
       	if gitCommand != "git-upload-pack" {

     

       91
        
       		if !isPushPermitted(*incomingUser, qualifiedRepoName) {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       92
        
       			exitWithLog("access denied: user not allowed")

     

       93
        
       		}

     

       94
        
       	}

     
···

       187
        
       }

     

       188
        
       

     

       189
        
       func isPushPermitted(user, qualifiedRepoName string) bool {

     

       190
       -
       	url, _ := url.Parse(*endpoint + "/push-allowed/")

     

       191
       -
       	url.Query().Add(user, user)

     

       192
       -
       	url.Query().Add(user, qualifiedRepoName)

     

       0
        
       
     

       0
        
       
     

       193
        
       

     

       194
       -
       	req, err := http.Get(url.String())

     

       195
        
       	if err != nil {

     

       196
        
       		exitWithLog(fmt.Sprintf("error verifying permissions: %v", err))

     

       197
        
       	}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       198
        
       

     

       199
        
       	return req.StatusCode == http.StatusNoContent

     

       200
        
       }

···

       26
        
       	incomingUser = flag.String("user", "", "Allowed git user")

     

       27
        
       	baseDirFlag  = flag.String("base-dir", "/home/git", "Base directory for git repositories")

     

       28
        
       	logPathFlag  = flag.String("log-path", "/var/log/git-wrapper.log", "Path to log file")

     

       29
       +
       	endpoint     = flag.String("internal-api", "http://localhost:5444", "Internal API endpoint")

     

       30
        
       )

     

       31
        
       

     

       32
        
       func main() {

     
···

       68
        
       

     

       69
        
       	// did:foo/repo-name or

     

       70
        
       	// handle/repo-name

     

       71
       +
       

     

       72
       +
       	components := strings.Split(strings.Trim(cmdParts[1], "'"), "/")

     

       73
       +
       	logEvent("Command components", map[string]interface{}{

     

       74
       +
       		"components": components,

     

       75
       +
       	})

     

       76
        
       	if len(components) != 2 {

     

       77
        
       		exitWithLog("invalid repo format, needs <user>/<repo>")

     

       78
        
       	}

     
···

       93
        
       

     

       94
        
       	if gitCommand != "git-upload-pack" {

     

       95
        
       		if !isPushPermitted(*incomingUser, qualifiedRepoName) {

     

       96
       +
       			logEvent("all infos", map[string]interface{}{

     

       97
       +
       				"did":      *incomingUser,

     

       98
       +
       				"reponame": qualifiedRepoName,

     

       99
       +
       			})

     

       100
        
       			exitWithLog("access denied: user not allowed")

     

       101
        
       		}

     

       102
        
       	}

     
···

       195
        
       }

     

       196
        
       

     

       197
        
       func isPushPermitted(user, qualifiedRepoName string) bool {

     

       198
       +
       	u, _ := url.Parse(*endpoint + "/push-allowed")

     

       199
       +
       	q := u.Query()

     

       200
       +
       	q.Add("user", user)

     

       201
       +
       	q.Add("repo", qualifiedRepoName)

     

       202
       +
       	u.RawQuery = q.Encode()

     

       203
        
       

     

       204
       +
       	req, err := http.Get(u.String())

     

       205
        
       	if err != nil {

     

       206
        
       		exitWithLog(fmt.Sprintf("error verifying permissions: %v", err))

     

       207
        
       	}

     

       208
       +
       

     

       209
       +
       	logEvent("url", map[string]interface{}{

     

       210
       +
       		"url":    u.String(),

     

       211
       +
       		"status": req.Status,

     

       212
       +
       	})

     

       213
        
       

     

       214
        
       	return req.StatusCode == http.StatusNoContent

     

       215
        
       }