src/mercurialserver/refreshauth.py
author Ashley Hewson <ash@lshift.net>
Wed, 23 Jul 2014 14:31:59 +0000
changeset 369 c359a85eef93
parent 311 3cbde66305e4
permissions -rw-r--r--
README.md edited online with Bitbucket
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
242
03d8f07230b3 Tidy up file prologues; move credits to CREDITS
Paul Crowley <paul@lshift.net>
parents: 213
diff changeset
     1
"""
03d8f07230b3 Tidy up file prologues; move credits to CREDITS
Paul Crowley <paul@lshift.net>
parents: 213
diff changeset
     2
Rewrite ~/.ssh/authorized_keys by recursing through key directories
03d8f07230b3 Tidy up file prologues; move credits to CREDITS
Paul Crowley <paul@lshift.net>
parents: 213
diff changeset
     3
"""
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     4
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 86
diff changeset
     5
import re
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
     6
import base64
260
57dcdb212d00 Fix permissions of authorized_keys file for sshd StrictModes
Steven King <kingrst@gmail.com>
parents: 242
diff changeset
     7
import os, stat
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     8
import os.path
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
import subprocess
211
0cd59649772c Rename paths.py ot config.py
Paul Crowley <paul@lshift.net>
parents: 165
diff changeset
    10
from mercurialserver import config
106
0519745e7a57 Much less strict about most things
Paul Crowley <paul@lshift.net>
parents: 86
diff changeset
    11
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    12
goodkey = re.compile("[/A-Za-z0-9._-]+$")
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    13
165
3606d60b07e5 Use .mercurial-sever file instead of hardcoding
Paul Crowley <paul@lshift.net>
parents: 107
diff changeset
    14
def refreshAuth():
213
72e7ba8b41a6 Don't hardwire location of authorized_keys file
Paul Crowley <paul@lshift.net>
parents: 211
diff changeset
    15
    akeyfile = config.getAuthorizedKeysPath()
211
0cd59649772c Rename paths.py ot config.py
Paul Crowley <paul@lshift.net>
parents: 165
diff changeset
    16
    wrappercommand = config.getExePath() + "/hg-ssh"
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    17
    prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    18
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    19
    if os.path.exists(akeyfile):
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    20
        f = open(akeyfile)
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    21
        try:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    22
            for l in f:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    23
                if not l.startswith(prefix):
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    24
                    raise Exception("Safety check failed, delete %s to continue" % akeyfile)
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    25
        finally:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    26
            f.close()
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    27
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    28
    akeys = open(akeyfile + "_new", "w")
211
0cd59649772c Rename paths.py ot config.py
Paul Crowley <paul@lshift.net>
parents: 165
diff changeset
    29
    for keyroot in config.getKeysPaths():
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    30
        kr = keyroot + "/"
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    31
        #print "Processing keyroot", keyroot
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    32
        for root, dirs, files in os.walk(keyroot):
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    33
            for fn in files:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    34
                ffn = os.path.join(root, fn)
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    35
                if not ffn.startswith(kr):
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    36
                    raise Exception("Inconsistent behaviour in os.walk, bailing")
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    37
                #print "Processing file", ffn
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    38
                keyname = ffn[len(kr):]
107
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    39
                if not goodkey.match(keyname):
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    40
                    # Encode it for safe quoting
84e9e33d866b Fixes, plus base64 what you don't trust
Paul Crowley <paul@lshift.net>
parents: 106
diff changeset
    41
                    keyname = "--base64 " + base64.b64encode(keyname)
311
3cbde66305e4 Fix white space
Paul Crowley <paul@lshift.net>
parents: 260
diff changeset
    42
                p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn),
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    43
                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    44
                newkey = p.communicate()[0]
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    45
                if p.wait() == 0:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    46
                    klines = [l.strip() for l in newkey.split("\n")]
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    47
                else:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    48
                    # Conversion failed, read it directly.
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    49
                    kf = open(ffn)
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    50
                    try:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    51
                        klines = [l.strip() for l in kf]
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    52
                    finally:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    53
                        kf.close()
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    54
                for l in klines:
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    55
                    if len(l):
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    56
                        akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    57
    akeys.close()
260
57dcdb212d00 Fix permissions of authorized_keys file for sshd StrictModes
Steven King <kingrst@gmail.com>
parents: 242
diff changeset
    58
    os.chmod(akeyfile + "_new", stat.S_IRUSR)
74
9d2ae2841bf2 Move meat of do-refresh-auth into a module
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    59
    os.rename(akeyfile + "_new", akeyfile)
311
3cbde66305e4 Fix white space
Paul Crowley <paul@lshift.net>
parents: 260
diff changeset
    60
75
5af89523a9d3 give refreshauth.py a hook and call that in hgadmin hgrc
Paul Crowley <paul@lshift.net>
parents: 74
diff changeset
    61
def hook(ui, repo, hooktype, node=None, source=None, **kwargs):
165
3606d60b07e5 Use .mercurial-sever file instead of hardcoding
Paul Crowley <paul@lshift.net>
parents: 107
diff changeset
    62
    refreshAuth()