diff options
author | Cullum Smith <cullum@sacredheartsc.com> | 2024-11-12 23:50:18 -0500 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-11-12 23:50:18 -0500 |
commit | 5aa2283f9951b3e035824b54bd0277ebf4394ffa (patch) | |
tree | df93cef70ce1d49576b9a98f165e8dfc6aaa52f7 /files/usr/local/libexec/gitolite-authorizedkeys.git_server | |
parent | 6512242bc03acf2bdaa4fea6fcc7fe51c2330f03 (diff) | |
download | infrastructure-5aa2283f9951b3e035824b54bd0277ebf4394ffa.tar.gz |
add gitolite/cgit
Diffstat (limited to 'files/usr/local/libexec/gitolite-authorizedkeys.git_server')
-rw-r--r-- | files/usr/local/libexec/gitolite-authorizedkeys.git_server | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/files/usr/local/libexec/gitolite-authorizedkeys.git_server b/files/usr/local/libexec/gitolite-authorizedkeys.git_server new file mode 100644 index 0000000..a1b2cfe --- /dev/null +++ b/files/usr/local/libexec/gitolite-authorizedkeys.git_server @@ -0,0 +1,52 @@ +#!/usr/local/bin/perl + +use strict; +use warnings; + +use Net::LDAP; +use Net::LDAP::Util qw(ldap_explode_dn escape_filter_value); +use Authen::SASL; + +open my $fh, '<', '/usr/local/etc/openldap/ldap.conf' or die($!); +my %config; +while (<$fh>) { + chomp; + next if /^#/; + my @pair = split(' ', $_, 2); + next unless (@pair == 2); + $config{$pair[0]} = $pair[1]; +} +close($fh); + +my $mech = $config{SASL_MECH} // 'GSSAPI'; +my $uri = $config{URI} // die("URI not specified\n"); +my $user_basedn = $config{USERS_BASE} // die("USERS_BASE not specified\n"); +my $group_basedn = $config{GROUPS_BASE} // die("GROUPS_BASE not specified\n"); +my $role_basedn = $config{ROLES_BASE} // die("ROLES_BASE not specified\n"); + +my $GITOLITE_SHELL = '/usr/local/libexec/gitolite/gitolite-shell'; + +my $conn = Net::LDAP->new($uri, version => '3') or die "$0: $@"; +my $sasl = Authen::SASL->new($mech); +my $status = $conn->bind(sasl => $sasl); +$status->code and die "$0: ".$status->error; + +my $filter = '(sshPublicKey=*)'; +if (@ARGV) { + $filter = '(&(sshPublicKey=*)(|('.join(')(', map { 'memberOf=cn='.escape_filter_value($_).",$role_basedn" } @ARGV).')))'; +} + +my $search = $conn->search( + scope => 'sub', + base => $user_basedn, + filter => $filter, + attrs => ['uid', 'sshPublicKey']); +$search->code and die "$0: ".$search->error; + +foreach my $entry ($search->entries) { + my $uid = ($entry->get_value('uid'))[0]; + foreach my $pubkey ($entry->get_value('sshPublicKey')) { + next unless rindex($pubkey, 'ssh-', 0) == 0; + print "command=\"$GITOLITE_SHELL $uid\",restrict $pubkey\n"; + } +} |