src/gitolite-shell

   1 #!/usr/bin/perl
   2
   3 # gitolite shell, invoked from ~/.ssh/authorized_keys
   4 # ----------------------------------------------------------------------
   5
   6 use FindBin;
   7
   8 BEGIN { $ENV{GL_BINDIR} = $FindBin::RealBin; }
   9 BEGIN { $ENV{GL_LIBDIR} = "$ENV{GL_BINDIR}/lib"; }
  10 use lib $ENV{GL_LIBDIR};
  11
  12 # set HOME
  13 BEGIN { $ENV{HOME} = $ENV{GITOLITE_HTTP_HOME} if $ENV{GITOLITE_HTTP_HOME}; }
  14
  15 use Gitolite::Rc;
  16 use Gitolite::Common;
  17 use Gitolite::Conf::Load;
  18
  19 use strict;
  20 use warnings;
  21
  22 # the main() sub expects ssh-ish things; set them up...
  23 my $id = '';
  24 if ( exists $ENV{G3T_USER} ) {
  25     $id = in_file();    # file:// masquerading as ssh:// for easy testing
  26 } elsif ( exists $ENV{SSH_CONNECTION} ) {
  27     $id = in_ssh();
  28 } elsif ( exists $ENV{REQUEST_URI} ) {
  29     $id = in_http();
  30 } else {
  31     _die "who the *heck* are you?";
  32 }
  33
  34 # sanity...
  35 my $soc = $ENV{SSH_ORIGINAL_COMMAND};
  36 $soc =~ s/[\n\r]+/<<newline>>/g;
  37 _die "I don't like newlines in the command: '$soc'\n" if $ENV{SSH_ORIGINAL_COMMAND} ne $soc;
  38
  39 # allow gitolite-shell to be used as "$SHELL".  Experts only; no support, no docs
  40 if (@ARGV and $ARGV[0] eq '-c') {
  41     shift;
  42     $ARGV[0] =~ s/^$0 // or _die "unknown git/gitolite command: '$ARGV[0]'";
  43 }
  44
  45 # the INPUT trigger massages @ARGV and $ENV{SSH_ORIGINAL_COMMAND} as needed
  46 trigger('INPUT');
  47
  48 main($id);
  49
  50 gl_log('END') if $$ == $ENV{GL_TID};
  51
  52 exit 0;
  53
  54 # ----------------------------------------------------------------------
  55
  56 sub in_file {
  57     gl_log( 'file', "ARGV=" . join( ",", @ARGV ), "SOC=$ENV{SSH_ORIGINAL_COMMAND}" );
  58
  59     if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /git-\w+-pack/ ) {
  60         print STDERR "TRACE: gsh(", join( ")(", @ARGV ), ")\n";
  61         print STDERR "TRACE: gsh(SOC=$ENV{SSH_ORIGINAL_COMMAND})\n";
  62     }
  63     return 'file';
  64 }
  65
  66 sub in_http {
  67     http_setup_die_handler();
  68
  69     _die "GITOLITE_HTTP_HOME not set" unless $ENV{GITOLITE_HTTP_HOME};
  70
  71     _die "fallback to DAV not supported" if $ENV{REQUEST_METHOD} eq 'PROPFIND';
  72
  73     # fake out SSH_ORIGINAL_COMMAND and SSH_CONNECTION when called via http,
  74     # so the rest of the code stays the same (except the exec at the end).
  75     http_simulate_ssh_connection();
  76     $ENV{SSH_ORIGINAL_COMMAND} ||= '';
  77
  78     $ENV{REMOTE_USER} ||= $rc{HTTP_ANON_USER};
  79     @ARGV = ( $ENV{REMOTE_USER} );
  80
  81     my $ip;
  82     ( $ip = $ENV{SSH_CONNECTION} || '(no-IP)' ) =~ s/ .*//;
  83
  84     gl_log( 'http', "ARGV=" . join( ",", @ARGV ), "SOC=" . ( $ENV{SSH_ORIGINAL_COMMAND} || '' ), "FROM=$ip" );
  85
  86     return 'http';
  87 }
  88
  89 sub in_ssh {
  90     my $ip;
  91     ( $ip = $ENV{SSH_CONNECTION} || '(no-IP)' ) =~ s/ .*//;
  92
  93     gl_log( 'ssh', "ARGV=" . join( ",", @ARGV ), "SOC=" . ( $ENV{SSH_ORIGINAL_COMMAND} || '' ), "FROM=$ip" );
  94
  95     $ENV{SSH_ORIGINAL_COMMAND} ||= '';
  96
  97     return $ip;
  98 }
  99
 100 # ----------------------------------------------------------------------
 101
 102 # call this once you are sure arg-1 is the username and SSH_ORIGINAL_COMMAND
 103 # has been setup (even if it's not actually coming via ssh).
 104 sub main {
 105     my $id = shift;
 106
 107     # set up the user
 108     my $user = $ENV{GL_USER} = shift @ARGV;
 109
 110     # set up the repo and the attempted access
 111     my ( $verb, $repo ) = parse_soc();    # returns only for git commands
 112     Gitolite::Conf::Load::sanity($repo, $REPONAME_PATT);
 113     $ENV{GL_REPO} = $repo;
 114     my $aa = ( $verb =~ 'upload' ? 'R' : 'W' );
 115
 116     # set up env vars from options set for this repo
 117     env_options($repo);
 118
 119     # auto-create?
 120     if ( repo_missing($repo) and access( $repo, $user, '^C', 'any' ) !~ /DENIED/ ) {
 121         require Gitolite::Conf::Store;
 122         Gitolite::Conf::Store->import;
 123         new_wild_repo( $repo, $user, $aa );
 124         gl_log( 'create', $repo, $user, $aa );
 125     }
 126
 127     # a ref of 'any' signifies that this is a pre-git check, where we don't
 128     # yet know the ref that will be eventually pushed (and even that won't
 129     # apply if it's a read operation).  See the matching code in access() for
 130     # more information.
 131     unless ( $ENV{GL_BYPASS_ACCESS_CHECKS} ) {
 132         my $ret = access( $repo, $user, $aa, 'any' );
 133         trigger( 'ACCESS_1', $repo, $user, $aa, 'any', $ret );
 134         _die $ret . "\n(or you mis-spelled the reponame)" if $ret =~ /DENIED/;
 135
 136         gl_log( "pre_git", $repo, $user, $aa, 'any', $ret );
 137     }
 138
 139     trigger( 'PRE_GIT', $repo, $user, $aa, 'any', $verb );
 140     if ( $ENV{REQUEST_URI} ) {
 141         _system( "git", "http-backend" );
 142     } else {
 143         my $repodir = "'$rc{GL_REPO_BASE}/$repo.git'";
 144         _system( "git", "shell", "-c", "$verb $repodir" );
 145     }
 146     trigger( 'POST_GIT', $repo, $user, $aa, 'any', $verb );
 147 }
 148
 149 # ----------------------------------------------------------------------
 150
 151 sub parse_soc {
 152     my $soc = $ENV{SSH_ORIGINAL_COMMAND};
 153     $soc ||= 'info';
 154
 155     my $git_commands = "git-upload-pack|git-receive-pack|git-upload-archive";
 156     if ( $soc =~ m(^($git_commands) '?/?(.*?)(?:\.git(\d)?)?'?$) ) {
 157         my ( $verb, $repo, $trace_level ) = ( $1, $2, $3 );
 158         $ENV{D} = $trace_level if $trace_level;
 159         _die "invalid repo name: '$repo'" if $repo !~ $REPONAME_PATT;
 160         trace( 2, "git command", $soc );
 161         return ( $verb, $repo );
 162     }
 163
 164     # after this we should not return; caller expects us to handle it all here
 165     # and exit out
 166
 167     my @words = split ' ', $soc;
 168     if ( $rc{COMMANDS}{ $words[0] } ) {
 169         if ( $rc{COMMANDS}{ $words[0] } ne 'ua' ) {
 170             _die "suspicious characters loitering about '$soc'" if $soc !~ $REMOTE_COMMAND_PATT;
 171             _die "no relative paths allowed anywhere!" if $soc =~ m(\.\./);
 172         }
 173         trace( 2, "gitolite command", $soc );
 174         _system( "gitolite", @words );
 175         exit 0;
 176     }
 177
 178     _die "unknown git/gitolite command: '$soc'";
 179 }
 180
 181 # ----------------------------------------------------------------------
 182 # helper functions for "in_http"
 183
 184 sub http_setup_die_handler {
 185
 186     $SIG{__DIE__} = sub {
 187         my $service = ( $ENV{SSH_ORIGINAL_COMMAND} =~ /git-receive-pack/ ? 'git-receive-pack' : 'git-upload-pack' );
 188         my $message = shift; chomp($message);
 189         print STDERR "$message\n";
 190
 191         http_print_headers($service);
 192
 193         # format the service response, then the message.  With initial
 194         # help from Ilari and then a more detailed email from Shawn...
 195         $service = "# service=$service\n"; $message = "ERR $message\n";
 196         $service = sprintf( "%04X", length($service) + 4 ) . "$service";    # no CRLF on this one
 197         $message = sprintf( "%04X", length($message) + 4 ) . "$message";
 198
 199         print $service;
 200         print "0000";                                                       # flush-pkt, apparently
 201         print $message;
 202         print STDERR $service;
 203         print STDERR $message;
 204         exit 0;                                                             # if it's ok for die_webcgi in git.git/http-backend.c, it's ok for me ;-)
 205       }
 206 }
 207
 208 sub http_simulate_ssh_connection {
 209     # these patterns indicate normal git usage; see "services[]" in
 210     # http-backend.c for how I got that.  Also note that "info" is overloaded;
 211     # git uses "info/refs...", while gitolite uses "info" or "info?...".  So
 212     # there's a "/" after info in the list below
 213     if ( $ENV{PATH_INFO} =~ m(^/(.*)/(HEAD$|info/refs$|objects/|git-(?:upload|receive)-pack$)) ) {
 214         my $repo = $1;
 215         my $verb = ( $ENV{REQUEST_URI} =~ /git-receive-pack/ ) ? 'git-receive-pack' : 'git-upload-pack';
 216         $ENV{SSH_ORIGINAL_COMMAND} = "$verb '$repo'";
 217     } else {
 218         # this is one of our custom commands; could be anything really,
 219         # because of the adc feature
 220         my ($verb) = ( $ENV{PATH_INFO} =~ m(^/(\S+)) );
 221         my $args = $ENV{QUERY_STRING};
 222         $args =~ s/\+/ /g;
 223         $args =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
 224         $ENV{SSH_ORIGINAL_COMMAND} = $verb;
 225         $ENV{SSH_ORIGINAL_COMMAND} .= " $args" if $args;
 226         http_print_headers();    # in preparation for the eventual output!
 227
 228         # we also need to pipe STDERR out via STDOUT, else the user doesn't see those messages!
 229         open(STDERR, ">&STDOUT") or _die "Can't dup STDOUT: $!";
 230     }
 231     $ENV{SSH_CONNECTION} = "$ENV{REMOTE_ADDR} $ENV{REMOTE_PORT} $ENV{SERVER_ADDR} $ENV{SERVER_PORT}";
 232 }
 233
 234 my $http_headers_printed = 0;
 235
 236 sub http_print_headers {
 237     my ( $service, $code, $text ) = @_;
 238
 239     return if $http_headers_printed++;
 240     $code ||= 200;
 241     $text ||= "OK - gitolite";
 242
 243     $|++;
 244     print "Status: $code $text\r\n";
 245     print "Expires: Fri, 01 Jan 1980 00:00:00 GMT\r\n";
 246     print "Pragma: no-cache\r\n";
 247     print "Cache-Control: no-cache, max-age=0, must-revalidate\r\n";
 248     if ($service) {
 249         print "Content-Type: application/x-$service-advertisement\r\n";
 250     } else {
 251         print "Content-Type: text/plain\r\n";
 252     }
 253     print "\r\n";
 254 }