Add GITLE_FULL_ACCESS_FINGREPRINTS to allow hosts to have RW or RO

access
This commit is contained in:
Aaron Bieber 2022-08-12 17:10:20 -06:00
parent c48d83a99c
commit 3f680120bb
No known key found for this signature in database
3 changed files with 39 additions and 7 deletions

8
go.mod
View File

@ -3,12 +3,12 @@ module suah.dev/gitle
go 1.18
require (
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
suah.dev/gitkit v0.0.0-20220621212808-66c835b2b4a7
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
suah.dev/gitkit v0.4.0
suah.dev/protect v1.2.0
)
require (
github.com/gofrs/uuid v4.0.0+incompatible // indirect
golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 // indirect
github.com/gofrs/uuid v4.2.0+incompatible // indirect
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab // indirect
)

8
go.sum
View File

@ -2,6 +2,8 @@ github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -9,10 +11,14 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 h1:J27LZFQBFoihqXoegpscI10HpjZ7B5WQLLKL2FZXQKw=
golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab h1:2QkjZIsXupsJbJIdSjjUOgWK3aEtzyuh2mPt3l/CkeU=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -22,5 +28,7 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
suah.dev/gitkit v0.0.0-20220621212808-66c835b2b4a7 h1:OucF0TdvxhMb6cHSfoI+BetPQsTD5ZD+QN5O0238ABo=
suah.dev/gitkit v0.0.0-20220621212808-66c835b2b4a7/go.mod h1:VjUjh6U71Sc81P0uJVjZYReKDKKd1Xi/PbkOOoYuJBU=
suah.dev/gitkit v0.4.0 h1:1ONqeJuU+94hCahwMr15JCqJuGuV2P/ESHJOhJWlCs8=
suah.dev/gitkit v0.4.0/go.mod h1:VjUjh6U71Sc81P0uJVjZYReKDKKd1Xi/PbkOOoYuJBU=
suah.dev/protect v1.2.0 h1:4G4V43yVYXCjLFzaE9QJR0fLo3rf5vNBS9YxyoI19DU=
suah.dev/protect v1.2.0/go.mod h1:Ocn1yqUskqe/is6N2bxQxtT+fegbvQsOFyHbJAQu9XE=

30
main.go
View File

@ -1,14 +1,17 @@
package main
import (
"bufio"
"bytes"
"fmt"
"golang.org/x/crypto/ssh"
"io/ioutil"
"log"
"os"
"suah.dev/protect"
"golang.org/x/crypto/ssh"
"suah.dev/gitkit"
"suah.dev/protect"
)
func envOr(name string, def string) string {
@ -23,6 +26,7 @@ func main() {
repos := envOr("GITLE_REPOS", "/var/gitle/repos")
akSrc := envOr("GITLE_AUTH_KEYS", "/var/gitle/authorized_keys")
hostKey := envOr("GITLE_HOST_KEY", "/var/gitle/host_key")
faFPs := envOr("GITLE_FULL_ACCESS_FINGREPRINTS", "/var/gitle/full_access_fingreprints")
port := envOr("GITLE_PORT", ":2222")
protect.Unveil(repos, "rwc")
@ -38,6 +42,17 @@ func main() {
AutoCreate: true,
})
fa, err := ioutil.ReadFile(faFPs)
if err != nil {
log.Fatalf("can't load full_access_fingreprints file: %s, err: %v", faFPs, err)
}
fpMap := map[string]bool{}
scanner := bufio.NewScanner(bytes.NewReader(fa))
for scanner.Scan() {
fp := scanner.Text()
fpMap[fp] = true
}
akb, err := ioutil.ReadFile(akSrc)
if err != nil {
log.Fatalf("can't load authorized keys file: %s, err: %v", akSrc, err)
@ -67,9 +82,18 @@ func main() {
ServerVersion: "SSH-2.0-gitle",
PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
if akMap[string(pubKey.Marshal())] {
fp := ssh.FingerprintSHA256(pubKey)
isRO := "yes"
if fpMap[fp] {
isRO = "no"
}
return &ssh.Permissions{
Extensions: map[string]string{
"pubkey-fp": ssh.FingerprintSHA256(pubKey),
"pubkey-fp": fp,
"key-id": fp,
},
CriticalOptions: map[string]string{
"is-ro": isRO,
},
}, nil
}