Add GITLE_FULL_ACCESS_FINGREPRINTS to allow hosts to have RW or RO

access
2022-08-12 17:10:20 -06:00 · 2022-08-12 17:10:20 -06:00 · 3f680120bb
commit 3f680120bb
parent c48d83a99c
3 changed files with 39 additions and 7 deletions
--- a/go.mod
+++ b/go.mod
@ -3,12 +3,12 @@ module suah.dev/gitle
 go 1.18
 require (
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
-	suah.dev/gitkit v0.0.0-20220621212808-66c835b2b4a7
+	suah.dev/gitkit v0.4.0
 	suah.dev/protect v1.2.0
 )
 require (
-	github.com/gofrs/uuid v4.0.0+incompatible // indirect
+	github.com/gofrs/uuid v4.2.0+incompatible // indirect
-	golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 // indirect
+	golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -2,6 +2,8 @@ github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
 github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -9,10 +11,14 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 h1:J27LZFQBFoihqXoegpscI10HpjZ7B5WQLLKL2FZXQKw=
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab h1:2QkjZIsXupsJbJIdSjjUOgWK3aEtzyuh2mPt3l/CkeU=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -22,5 +28,7 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 suah.dev/gitkit v0.0.0-20220621212808-66c835b2b4a7 h1:OucF0TdvxhMb6cHSfoI+BetPQsTD5ZD+QN5O0238ABo=
 suah.dev/gitkit v0.0.0-20220621212808-66c835b2b4a7/go.mod h1:VjUjh6U71Sc81P0uJVjZYReKDKKd1Xi/PbkOOoYuJBU=
 suah.dev/gitkit v0.4.0 h1:1ONqeJuU+94hCahwMr15JCqJuGuV2P/ESHJOhJWlCs8=
 suah.dev/gitkit v0.4.0/go.mod h1:VjUjh6U71Sc81P0uJVjZYReKDKKd1Xi/PbkOOoYuJBU=
 suah.dev/protect v1.2.0 h1:4G4V43yVYXCjLFzaE9QJR0fLo3rf5vNBS9YxyoI19DU=
 suah.dev/protect v1.2.0/go.mod h1:Ocn1yqUskqe/is6N2bxQxtT+fegbvQsOFyHbJAQu9XE=
--- a/main.go
+++ b/main.go
@ -1,14 +1,17 @@
 package main
 import (
 	"bufio"
 	"bytes"
 	"fmt"
 	"golang.org/x/crypto/ssh"
 	"io/ioutil"
 	"log"
 	"os"
-	"suah.dev/protect"
+	"golang.org/x/crypto/ssh"
 	"suah.dev/gitkit"
 	"suah.dev/protect"
 )
 func envOr(name string, def string) string {
@ -23,6 +26,7 @@ func main() {
 	repos := envOr("GITLE_REPOS", "/var/gitle/repos")
 	akSrc := envOr("GITLE_AUTH_KEYS", "/var/gitle/authorized_keys")
 	hostKey := envOr("GITLE_HOST_KEY", "/var/gitle/host_key")
 	faFPs := envOr("GITLE_FULL_ACCESS_FINGREPRINTS", "/var/gitle/full_access_fingreprints")
 	port := envOr("GITLE_PORT", ":2222")
 	protect.Unveil(repos, "rwc")
@ -38,6 +42,17 @@ func main() {
 		AutoCreate: true,
 	})
 	fa, err := ioutil.ReadFile(faFPs)
 	if err != nil {
 		log.Fatalf("can't load full_access_fingreprints file: %s, err: %v", faFPs, err)
 	}
 	fpMap := map[string]bool{}
 	scanner := bufio.NewScanner(bytes.NewReader(fa))
 	for scanner.Scan() {
 		fp := scanner.Text()
 		fpMap[fp] = true
 	}
 	akb, err := ioutil.ReadFile(akSrc)
 	if err != nil {
 		log.Fatalf("can't load authorized keys file: %s, err: %v", akSrc, err)
@ -67,9 +82,18 @@ func main() {
 		ServerVersion: "SSH-2.0-gitle",
 		PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
 			if akMap[string(pubKey.Marshal())] {
 				fp := ssh.FingerprintSHA256(pubKey)
 				isRO := "yes"
 				if fpMap[fp] {
 					isRO = "no"
 				}
 				return &ssh.Permissions{
 					Extensions: map[string]string{
-						"pubkey-fp": ssh.FingerprintSHA256(pubKey),
+						"pubkey-fp": fp,
 						"key-id":    fp,
 					},
 					CriticalOptions: map[string]string{
 						"is-ro": isRO,
 					},
 				}, nil
 			}