-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathssh_handle_receive_pack.go
135 lines (118 loc) · 3.49 KB
/
ssh_handle_receive_pack.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
// SPDX-License-Identifier: AGPL-3.0-only
// SPDX-FileCopyrightText: Copyright (c) 2025 Runxi Yu <https://runxiyu.org>
package main
import (
"errors"
"fmt"
"os"
"os/exec"
gliderSSH "github.com/gliderlabs/ssh"
"github.com/go-git/go-git/v5"
"go.lindenii.runxiyu.org/lindenii-common/cmap"
)
// packPass contains information known when handling incoming SSH connections
// that then needs to be used in hook socket connection handlers. See hookc(1).
type packPass struct {
session gliderSSH.Session
repo *git.Repository
pubkey string
directAccess bool
repoPath string
userID int
userType string
repoID int
groupPath []string
repoName string
contribReq string
}
// packPasses contains hook cookies mapped to their packPass.
var packPasses = cmap.Map[string, packPass]{}
// sshHandleRecvPack handles attempts to push to repos.
func sshHandleRecvPack(session gliderSSH.Session, pubkey, repoIdentifier string) (err error) {
groupPath, repoName, repoID, repoPath, directAccess, contribReq, userType, userID, err := getRepoInfo2(session.Context(), repoIdentifier, pubkey)
if err != nil {
return err
}
repo, err := git.PlainOpen(repoPath)
if err != nil {
return err
}
repoConf, err := repo.Config()
if err != nil {
return err
}
repoConfCore := repoConf.Raw.Section("core")
if repoConfCore == nil {
return errors.New("repository has no core section in config")
}
hooksPath := repoConfCore.OptionAll("hooksPath")
if len(hooksPath) != 1 || hooksPath[0] != config.Hooks.Execs {
return errors.New("repository has hooksPath set to an unexpected value")
}
if !directAccess {
switch contribReq {
case "closed":
if !directAccess {
return errors.New("you need direct access to push to this repo")
}
case "registered_user":
if userType != "registered" {
return errors.New("you need to be a registered user to push to this repo")
}
case "ssh_pubkey":
fallthrough
case "federated":
if pubkey == "" {
return errors.New("you need to have an SSH public key to push to this repo")
}
if userType == "" {
userID, err = addUserSSH(session.Context(), pubkey)
if err != nil {
return err
}
fmt.Fprintln(session.Stderr(), "you are now registered as user ID", userID)
userType = "pubkey_only"
}
case "public":
default:
panic("unknown contrib_requirements value " + contribReq)
}
}
cookie, err := randomUrlsafeStr(16)
if err != nil {
fmt.Fprintln(session.Stderr(), "Error while generating cookie:", err)
}
packPasses.Store(cookie, packPass{
session: session,
pubkey: pubkey,
directAccess: directAccess,
repoPath: repoPath,
userID: userID,
repoID: repoID,
groupPath: groupPath,
repoName: repoName,
repo: repo,
contribReq: contribReq,
userType: userType,
})
defer packPasses.Delete(cookie)
// The Delete won't execute until proc.Wait returns unless something
// horribly wrong such as a panic occurs.
proc := exec.CommandContext(session.Context(), "git-receive-pack", repoPath)
proc.Env = append(os.Environ(),
"LINDENII_FORGE_HOOKS_SOCKET_PATH="+config.Hooks.Socket,
"LINDENII_FORGE_HOOKS_COOKIE="+cookie,
)
proc.Stdin = session
proc.Stdout = session
proc.Stderr = session.Stderr()
if err = proc.Start(); err != nil {
fmt.Fprintln(session.Stderr(), "Error while starting process:", err)
return err
}
err = proc.Wait()
if err != nil {
fmt.Fprintln(session.Stderr(), "Error while waiting for process:", err)
}
return err
}