2022-06-21 11:10:38 -06:00
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"log"
|
|
|
|
|
"os"
|
|
|
|
|
|
2022-06-21 15:33:16 -06:00
|
|
|
"suah.dev/protect"
|
|
|
|
|
"suah.dev/gitkit"
|
2022-06-21 11:10:38 -06:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func envOr(name string, def string) string {
|
|
|
|
|
s := os.Getenv(name)
|
|
|
|
|
if s == "" {
|
|
|
|
|
return def
|
|
|
|
|
}
|
|
|
|
|
return s
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
|
repos := envOr("GITLE_REPOS", "/var/gitle/repos")
|
|
|
|
|
akSrc := envOr("GITLE_AUTH_KEYS", "var/gitle/authorized_keys")
|
2022-06-21 11:53:09 -06:00
|
|
|
hostKey := envOr("GITLE_HOST_KEY", "/var/gitle/host_key")
|
2022-06-22 07:04:36 -06:00
|
|
|
port := envOr("GITLE_PORT", ":2222")
|
2022-06-21 11:10:38 -06:00
|
|
|
|
|
|
|
|
protect.Unveil(repos, "rwc")
|
|
|
|
|
protect.Unveil(akSrc, "r")
|
|
|
|
|
protect.Unveil(hostKey, "r")
|
|
|
|
|
protect.Unveil("/dev", "r")
|
|
|
|
|
protect.Unveil("/dev/null", "rw")
|
|
|
|
|
protect.Unveil("/usr/local/bin/", "rx")
|
|
|
|
|
protect.UnveilBlock()
|
|
|
|
|
|
|
|
|
|
server := gitkit.NewSSH(gitkit.Config{
|
|
|
|
|
Dir: repos,
|
|
|
|
|
AutoCreate: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
akb, err := ioutil.ReadFile(akSrc)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("can't load authorized keys file: %s, err: %v", akSrc, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
akMap := map[string]bool{}
|
|
|
|
|
for len(akb) > 0 {
|
|
|
|
|
pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(akb)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("failed to read pubKey entry: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
akMap[string(pubKey.Marshal())] = true
|
|
|
|
|
akb = rest
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b, err := ioutil.ReadFile(hostKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("failed to read %s: %v", hostKey, err)
|
|
|
|
|
}
|
|
|
|
|
pk, err := ssh.ParsePrivateKey(b)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("failed to parse %s: %v", hostKey, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
server.SSHConfig = &ssh.ServerConfig{
|
|
|
|
|
ServerVersion: "SSH-2.0-gitle",
|
|
|
|
|
PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
|
|
|
|
|
if akMap[string(pubKey.Marshal())] {
|
|
|
|
|
return &ssh.Permissions{
|
|
|
|
|
Extensions: map[string]string{
|
|
|
|
|
"pubkey-fp": ssh.FingerprintSHA256(pubKey),
|
|
|
|
|
},
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
return nil, fmt.Errorf("unknown public key for %q", conn.User())
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
server.SSHConfig.AddHostKey(pk)
|
|
|
|
|
server.SetupDone = true
|
|
|
|
|
|
2022-06-22 07:04:36 -06:00
|
|
|
err = server.ListenAndServe(port)
|
2022-06-21 11:10:38 -06:00
|
|
|
if err != nil {
|
|
|
|
|
log.Fatalf("failed to listen: %v\n", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
