src/hg-ssh
author Paul Crowley <paul@lshift.net>
Mon, 12 Oct 2009 16:52:06 +0100
changeset 108 00b48d7bdfa0
parent 107 84e9e33d866b
child 109 72100d3ed1bd
permissions -rwxr-xr-x
Improve check on whether user supplied a command
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
#!/usr/bin/env python
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
#
50
77d97aa18f29 update dates and copyright notices
Paul Crowley <paul@lshift.net>
parents: 46
diff changeset
     3
# Copyright 2008-2009 LShift Ltd
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     4
# Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
18
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
     5
# Authors:
4
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 0
diff changeset
     6
# Paul Crowley <paul@lshift.net>
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     7
# Thomas Arendsen Hein <thomas@intevation.de>
4
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 0
diff changeset
     8
# with ideas from  Mathieu PASQUET <kiorky@cryptelium.net>
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
#
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
# This software may be used and distributed according to the terms
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    11
# of the GNU General Public License, incorporated herein by reference.
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    12
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    13
"""
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 7
diff changeset
    14
hg-ssh - limit access to hg repositories reached via ssh.  Part of
36
b3237aabd0fe Change the name to mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    15
mercurial-server.
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    16
18
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    17
This script is called by hg-ssh-wrapper with no arguments - everything
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    18
should be in enviroment variables:
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    19
39
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 36
diff changeset
    20
HG_ACCESS_RULES_PATH identifies the paths to the rule files
18
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    21
REMOTE_USER the remote user (which is the key used by ssh)
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    22
SSH_ORIGINAL_COMMAND the command the user was trying to run
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    23
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    24
It uses SSH_ORIGINAL_COMMAND to determine what the user was trying to
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    25
do and to what repository, and then checks each rule in the rule file
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    26
in turn for a matching rule which decides what to do, defaulting to
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    27
disallowing the action.
538d6b198f4a Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents: 15
diff changeset
    28
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    29
"""
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    30
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    31
# enable importing on demand to reduce startup time
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    32
from mercurial import demandimport; demandimport.enable()
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    33
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    34
from mercurial import dispatch
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    35
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    36
import sys, os, os.path
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    37
import base64
70
abb9ed8972e0 Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 69
diff changeset
    38
from mercurialserver import ruleset, paths
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    39
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    40
def fail(message):
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    41
    sys.stderr.write("mercurial-server: %s\n" % message)
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    42
    sys.exit(-1)
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    43
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    44
def checkpath(path):
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    45
    path = os.path.dirname(path)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    46
    if path == "":
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    47
        return
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    48
    if os.path.exists(path + "/.hg"):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    49
        raise ruleset.AccessException()
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    50
    checkpath(path)
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    51
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    52
def getrepo(op, repo):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    53
    repo = os.path.normcase(os.path.normpath(repo.rstrip("/")))
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    54
    if len(repo) == 0:
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    55
        fail("path to repository seems to be empty")
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    56
    if repo.startswith("/"):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    57
        fail("absolute paths are not supported")
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    58
    for component in repo.split("/"):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    59
        if component.startswith("."):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    60
            fail("paths cannot contain dot file components")
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    61
    ruleset.rules.set(repo=repo)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    62
    ruleset.rules.check(op, branch=None, file=None)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    63
    checkpath(repo)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    64
    return repo
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    65
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    66
#logfile = open("/tmp/hg-ssh.%d.txt" % os.getpid(), "w")
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    67
#logfile.write("Started: %s\n" % sys.argv)
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    68
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    69
paths.setExePath()
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    70
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    71
if len(sys.argv) == 3 and sys.argv[1] == "--base64":
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    72
    ruleset.rules.set(user = base64.b64decode(sys.argv[2]))
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    73
elif len(sys.argv) == 2:
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    74
    ruleset.rules.set(user = sys.argv[1])
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    75
else:
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    76
    fail("hg-ssh wrongly called, is authorized_keys corrupt? (%s)" 
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    77
        % sys.argv)
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    78
71
1120f78f81da Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 70
diff changeset
    79
# Use a different hgrc for remote pulls - this way you can set
1120f78f81da Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 70
diff changeset
    80
# up access.py for everything at once without affecting local operations
1120f78f81da Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 70
diff changeset
    81
1120f78f81da Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 70
diff changeset
    82
os.environ['HGRCPATH'] = paths.getEtcPath() + "/remote-hgrc"
1120f78f81da Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 70
diff changeset
    83
72
582808b47653 All work now in hg-ssh
Paul Crowley <paul@lshift.net>
parents: 71
diff changeset
    84
os.chdir('repos')
71
1120f78f81da Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 70
diff changeset
    85
77
8d14aac93b5d Most of the way through abolishing env vars
Paul Crowley <paul@lshift.net>
parents: 72
diff changeset
    86
for f in [
8d14aac93b5d Most of the way through abolishing env vars
Paul Crowley <paul@lshift.net>
parents: 72
diff changeset
    87
    paths.getEtcPath() + "/access.conf", 
8d14aac93b5d Most of the way through abolishing env vars
Paul Crowley <paul@lshift.net>
parents: 72
diff changeset
    88
    os.getcwd() + "/hgadmin/access.conf"]:
8d14aac93b5d Most of the way through abolishing env vars
Paul Crowley <paul@lshift.net>
parents: 72
diff changeset
    89
    if os.path.isfile(f):
8d14aac93b5d Most of the way through abolishing env vars
Paul Crowley <paul@lshift.net>
parents: 72
diff changeset
    90
        ruleset.rules.readfile(f)
70
abb9ed8972e0 Move more into hg-ssh
Paul Crowley <paul@lshift.net>
parents: 69
diff changeset
    91
108
00b48d7bdfa0 Improve check on whether user supplied a command
Paul Crowley <paul@lshift.net>
parents: 107
diff changeset
    92
cmd = os.environ.get('SSH_ORIGINAL_COMMAND', None)
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    93
try:
108
00b48d7bdfa0 Improve check on whether user supplied a command
Paul Crowley <paul@lshift.net>
parents: 107
diff changeset
    94
    if cmd is None:
00b48d7bdfa0 Improve check on whether user supplied a command
Paul Crowley <paul@lshift.net>
parents: 107
diff changeset
    95
        fail("direct logins on the hg account prohibited")
00b48d7bdfa0 Improve check on whether user supplied a command
Paul Crowley <paul@lshift.net>
parents: 107
diff changeset
    96
    elif cmd.startswith('hg -R ') and cmd.endswith(' serve --stdio'):
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    97
        repo = getrepo("read", cmd[6:-14])
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    98
        if not os.path.isdir(repo + "/.hg"):
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
    99
            fail("no such repository %s" % repo)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   100
        dispatch.dispatch(['-R', repo, 'serve', '--stdio'])
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   101
    elif cmd.startswith('hg init '):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   102
        repo = getrepo("init", cmd[8:])
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   103
        if os.path.exists(repo):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   104
            fail("%s exists" % repo)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   105
        d = os.path.dirname(repo)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   106
        if d != "" and not os.path.isdir(d):
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   107
            os.makedirs(d)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   108
        dispatch.dispatch(['init', repo])
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   109
    else:
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   110
        fail("illegal command %r" % cmd)
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   111
except ruleset.AccessException:
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   112
    fail("access denied")
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 103
diff changeset
   113