hg-ssh
author Paul Crowley <paul@lshift.net>
Thu, 17 Apr 2008 16:50:17 +0100
changeset 11 f3c73c9fc0ff
parent 10 524b4a45ef0a
child 15 f3654416d178
permissions -rwxr-xr-x
add newline to error message
#!/usr/bin/env python
#
# Copyright 2008 LShift Ltd
# Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
# Author(s):
# Paul Crowley <paul@lshift.net>
# Thomas Arendsen Hein <thomas@intevation.de>
# with ideas from Mathieu PASQUET <kiorky@cryptelium.net>
#
# This software may be used and distributed according to the terms
# of the GNU General Public License, incorporated herein by reference.

"""
hg-ssh - limit access to hg repositories reached via ssh.  Part of
hg-admin-tools.

This script is called by hg-ssh-wrapper with two arguments:

hg-ssh <rulefile> <keyname>

It expects to find the command the SSH user was trying to run in the
environment variable SSH_ORIGINAL_COMMAND, and uses it to determine
what the user was trying to do and to what repository, and then checks
each rule in the rule file in turn for a matching rule which decides
what to do, defaulting to disallowing the action.
"""

# enable importing on demand to reduce startup time
from mercurial import demandimport; demandimport.enable()

from mercurial import dispatch

import sys, os, re

def fail(message):
    #logfile.write("Fail: %s\n" % message)
    sys.stderr.write(message + "\n")
    sys.exit(-1)

# Note that this currently disallows dots in path components - if you change it
# to allow them ensure that "." and ".." are disallowed in path components.
allowedchars = "A-Za-z0-9_-"
goodpathre = re.compile("([%s]+/)*[%s]+$" % (allowedchars, allowedchars))
def goodpath(path):
    if goodpathre.match(path) is None:
        fail("Disallowing path: %s" % path)

# Don't put anything except *A-Za-z0-9_- in rule globs or
# you'll probably break security.  No regexp metachars, not even .
# We may fix this later.
goodglobre = re.compile("[*/%s]+$" % allowedchars)
def globmatch(pattern, match):
    if goodglobre.match(pattern) is None:
        fail("Bad glob pattern in auth config: %s" % pattern)
    pattern = pattern.replace(".", r'\.')
    pattern = pattern.replace("*", "[%s]*" % allowedchars)
    return re.compile(pattern + "$").match(match) is not None

def testrule(rulefile, keyname, path, applicable):
    goodpath(keyname)
    goodpath(path)
    f = open(rulefile)
    try:
        for l in f:
            l = l.strip()
            if l == "" or l.startswith("#"):
                continue
            rule, rk, rp = l.split()
            if globmatch(rk, keyname) and globmatch(rp, path):
                #logfile.write("Used rule: %s\n" % l)
                return rule in applicable
        return False
    finally:
        f.close()

def get_cmd(rulefile, keyname, cmd):
    if cmd.startswith('hg -R ') and cmd.endswith(' serve --stdio'):
        path = cmd[6:-14]
        if testrule(rulefile, keyname, path, set(["allow", "init"])):
            return ['-R', path, 'serve', '--stdio']
    elif cmd.startswith('hg init '):
        path = cmd[8:]
        if testrule(rulefile, keyname, path, set(["init"])):
            return ['init', path]
    fail("Illegal command %r" % cmd)

#logfile = open("/tmp/hg-ssh.%d.txt" % os.getpid(), "w")
#logfile.write("Started: %s\n" % sys.argv)

if len(sys.argv) != 3:
    fail("hg-ssh must have exactly two arguments (%s)"
        % sys.argv)

rulefile = sys.argv[1]
keyname = sys.argv[2]
todispatch = get_cmd(rulefile, keyname,
    os.environ.get('SSH_ORIGINAL_COMMAND', '?'))
dispatch.dispatch(todispatch)
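
The rule check described in the docstring, as an added Python 3 example that is not part of hg-ssh or hg-admin-tools: it evaluates a constructed rule file first-match-wins with refusal as the default. It anchors its patterns with `\Z`, because the `$` used in the file above also matches just before a trailing newline. The rule file contents, the key names, the `deny` rule word and the function names are assumptions made for illustration.

```python
import re

ALLOWED = "A-Za-z0-9_-"
# "$" also matches just before a trailing newline, so a "$"-anchored check
# accepts "project\n"; \Z matches only at the true end of the string.
WEAK_PATH = re.compile(r"([%s]+/)*[%s]+$" % (ALLOWED, ALLOWED))
GOOD_PATH = re.compile(r"([%s]+/)*[%s]+\Z" % (ALLOWED, ALLOWED))
GOOD_GLOB = re.compile(r"[*/%s]+\Z" % ALLOWED)

# Constructed rule file: "<rule> <key glob> <path glob>" per line.
SAMPLE_RULES = """\
# admins may create and use any top-level repository
init   admin/*  *
# "deny" is a constructed word outside every applicable set: always refuses
deny   users/*  private/*
allow  users/*  *
"""

def glob_match(pattern, value):
    if GOOD_GLOB.match(pattern) is None:
        raise ValueError("bad glob in rule file: %r" % pattern)
    # "*" expands to the allowed characters only, so it never crosses "/"
    regex = pattern.replace("*", "[%s]*" % ALLOWED)
    return re.compile(regex + r"\Z").match(value) is not None

def first_rule(rules_text, keyname, path):
    """Rule word of the first line whose globs both match, else None."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, key_glob, path_glob = line.split()
        if glob_match(key_glob, keyname) and glob_match(path_glob, path):
            return rule
    return None

def authorize(rules_text, keyname, command):
    """hg argument list for an SSH_ORIGINAL_COMMAND value, or None to refuse."""
    if command.startswith("hg -R ") and command.endswith(" serve --stdio"):
        path, applicable = command[6:-14], {"allow", "init"}
        args = ["-R", path, "serve", "--stdio"]
    elif command.startswith("hg init "):
        path, applicable = command[8:], {"init"}
        args = ["init", path]
    else:
        return None
    if not (GOOD_PATH.match(keyname) and GOOD_PATH.match(path)):
        return None
    return args if first_rule(rules_text, keyname, path) in applicable else None
```

Because the first matching line decides, the `deny` line has to come before the broader `allow` line for `users/*` keys; a path such as `a/b` matches neither `*` glob and is refused by default.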