\r
public static final AccessPermission [] NEWPERMISSIONS = { EXCLUDE, VIEW, CLONE, PUSH, CREATE, DELETE, REWIND };\r
\r
+ public static final AccessPermission [] SSHPERMISSIONS = { VIEW, CLONE, PUSH };\r
+\r
public static AccessPermission LEGACY = REWIND;\r
\r
public final String code;\r
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
+import com.gitblit.Constants.AccessPermission;
import com.gitblit.Keys;
import com.gitblit.manager.IRuntimeManager;
import com.google.common.base.Charsets;
// skip comments
continue;
}
- SshKey key = new SshKey(entry);
- list.add(key);
+ String [] parts = entry.split(" ", 2);
+ AccessPermission perm = AccessPermission.fromCode(parts[0]);
+ if (perm.equals(AccessPermission.NONE)) {
+ // ssh-rsa DATA COMMENT
+ SshKey key = new SshKey(entry);
+ list.add(key);
+ } else if (perm.exceeds(AccessPermission.NONE)) {
+ // PERMISSION ssh-rsa DATA COMMENT
+ SshKey key = new SshKey(parts[1]);
+ key.setPermission(perm);
+ list.add(key);
+ }
}
if (list.isEmpty()) {
@Override
public boolean addKey(String username, SshKey key) {
try {
- String newKey = stripCommentFromKey(key.getRawData());
boolean replaced = false;
List<String> lines = new ArrayList<String>();
File keystore = getKeystore(username);
continue;
}
- String oldKey = stripCommentFromKey(line);
- if (newKey.equals(oldKey)) {
+ SshKey oldKey = parseKey(line);
+ if (key.equals(oldKey)) {
// replace key
- lines.add(key.getRawData());
+ lines.add(key.getPermission() + " " + key.getRawData());
replaced = true;
} else {
// retain key
if (!replaced) {
// new key, append
- lines.add(key.getRawData());
+ lines.add(key.getPermission() + " " + key.getRawData());
}
// write keystore
@Override
public boolean removeKey(String username, SshKey key) {
try {
- String rmKey = stripCommentFromKey(key.getRawData());
-
File keystore = getKeystore(username);
if (keystore.exists()) {
List<String> lines = new ArrayList<String>();
}
// only include keys that are NOT rmKey
- String oldKey = stripCommentFromKey(line);
- if (!rmKey.equals(oldKey)) {
+ SshKey oldKey = parseKey(line);
+ if (!key.equals(oldKey)) {
lines.add(entry);
}
}
return keys;
}
- /* Strips the comment from the key data and eliminates whitespace diffs */
- protected String stripCommentFromKey(String data) {
- String [] cols = data.split(" ", 3);
- String key = Joiner.on(" ").join(cols[0], cols[1]);
- return key;
+ protected SshKey parseKey(String line) {
+ String [] parts = line.split(" ", 2);
+ AccessPermission perm = AccessPermission.fromCode(parts[0]);
+ if (perm.equals(AccessPermission.NONE)) {
+ // ssh-rsa DATA COMMENT
+ SshKey key = new SshKey(line);
+ return key;
+ } else {
+ // PERMISSION ssh-rsa DATA COMMENT
+ SshKey key = new SshKey(parts[1]);
+ key.setPermission(perm);
+ return key;
+ }
}
}
import java.io.Serializable;
import java.security.PublicKey;
+import java.util.Arrays;
+import java.util.List;
import org.apache.commons.codec.binary.Base64;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.util.Buffer;
import org.eclipse.jgit.lib.Constants;
+import com.gitblit.Constants.AccessPermission;
import com.gitblit.utils.StringUtils;
/**
private String toString;
+ private AccessPermission permission;
+
public SshKey(String data) {
this.rawData = data;
+ this.permission = AccessPermission.PUSH;
}
public SshKey(PublicKey key) {
this.publicKey = key;
this.comment = "";
+ this.permission = AccessPermission.PUSH;
}
public PublicKey getPublicKey() {
}
}
+ /**
+ * Returns true if this key may be used to clone or fetch.
+ *
+ * @return true if this key can be used to clone or fetch
+ */
+ public boolean canClone() {
+ return permission.atLeast(AccessPermission.CLONE);
+ }
+
+ /**
+ * Returns true if this key may be used to push changes.
+ *
+ * @return true if this key can be used to push changes
+ */
+ public boolean canPush() {
+ return permission.atLeast(AccessPermission.PUSH);
+ }
+
+ /**
+ * Returns the access permission for the key.
+ *
+ * @return the access permission for the key
+ */
+ public AccessPermission getPermission() {
+ return permission;
+ }
+
+ /**
+ * Control the access permission assigned to this key.
+ *
+ * @param value
+ */
+ public void setPermission(AccessPermission value) throws IllegalArgumentException {
+ List<AccessPermission> permitted = Arrays.asList(AccessPermission.SSHPERMISSIONS);
+ if (!permitted.contains(value)) {
+ throw new IllegalArgumentException("Illegal SSH public key permission specified: " + value);
+ }
+ this.permission = value;
+ }
+
public String getRawData() {
if (rawData == null && publicKey != null) {
// build the raw data manually from the public key
import org.eclipse.jgit.transport.ReceivePack;
+import com.gitblit.transport.ssh.SshKey;
import com.gitblit.transport.ssh.commands.CommandMetaData;
@CommandMetaData(name = "git-receive-pack", description = "Receives pushes from a client", hidden = true)
public class Receive extends BaseGitCommand {
@Override
protected void runImpl() throws Failure {
+ SshKey key = getContext().getClient().getKey();
+ if (key != null && !key.canPush()) {
+ throw new Failure(1, "Sorry, your SSH public key is not allowed to push changes!");
+ }
try {
ReceivePack rp = receivePackFactory.create(getContext().getClient(), repo);
rp.receive(in, out, null);
import org.eclipse.jgit.transport.UploadPack;
+import com.gitblit.transport.ssh.SshKey;
import com.gitblit.transport.ssh.commands.CommandMetaData;
@CommandMetaData(name = "git-upload-pack", description = "Sends packs to a client for clone and fetch", hidden = true)
@Override
protected void runImpl() throws Failure {
try {
+ SshKey key = getContext().getClient().getKey();
+ if (key != null && !key.canClone()) {
+ throw new Failure(1, "Sorry, your SSH public key is not allowed to clone!");
+ }
UploadPack up = uploadPackFactory.create(getContext().getClient(), repo);
up.upload(in, out, null);
} catch (Exception e) {
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.gitblit.Constants.AccessPermission;
import com.gitblit.models.UserModel;
import com.gitblit.transport.ssh.IPublicKeyManager;
import com.gitblit.transport.ssh.SshKey;
import com.gitblit.transport.ssh.commands.UsageExample;
import com.gitblit.utils.FlipTable;
import com.gitblit.utils.FlipTable.Borders;
+import com.gitblit.utils.StringUtils;
import com.google.common.base.Joiner;
/**
}
@CommandMetaData(name = "add", description = "Add an SSH public key to your account")
- @UsageExample(syntax = "cat ~/.ssh/id_rsa.pub | ${ssh} ${cmd} -", description = "Upload your SSH public key and add it to your account")
+ @UsageExample(syntax = "cat ~/.ssh/id_rsa.pub | ${ssh} ${cmd}", description = "Upload your SSH public key and add it to your account")
public static class AddKey extends BaseKeyCommand {
protected final Logger log = LoggerFactory.getLogger(getClass());
@Argument(metaVar = "<KEY>", usage = "the key(s) to add")
private List<String> addKeys = new ArrayList<String>();
+ @Option(name = "--permission", aliases = { "-p" }, metaVar = "PERMISSION", usage = "set the key access permission")
+ private String permission;
+
+ @Override
+ protected String getUsageText() {
+ String permissions = Joiner.on(", ").join(AccessPermission.SSHPERMISSIONS);
+ StringBuilder sb = new StringBuilder();
+ sb.append("Valid SSH public key permissions are:\n ").append(permissions);
+ return sb.toString();
+ }
+
@Override
public void run() throws IOException, UnloggedFailure {
String username = getContext().getClient().getUsername();
List<String> keys = readKeys(addKeys);
for (String key : keys) {
SshKey sshKey = parseKey(key);
+ if (!StringUtils.isEmpty(permission)) {
+ AccessPermission ap = AccessPermission.fromCode(permission);
+ if (ap.exceeds(AccessPermission.NONE)) {
+ try {
+ sshKey.setPermission(ap);
+ } catch (IllegalArgumentException e) {
+ throw new UnloggedFailure(1, e.getMessage());
+ }
+ }
+ }
getKeyManager().addKey(username, sshKey);
log.info("added SSH public key for {}", username);
}
}
protected void asTable(List<SshKey> keys) {
- String[] headers = { "#", "Fingerprint", "Comment", "Type" };
+ String[] headers = { "#", "Fingerprint", "Comment", "Permission", "Type" };
int len = keys == null ? 0 : keys.size();
Object[][] data = new Object[len][];
for (int i = 0; i < len; i++) {
// show 1-based index numbers with the fingerprint
// this is useful for comparing with "ssh-add -l"
SshKey k = keys.get(i);
- data[i] = new Object[] { (i + 1), k.getFingerprint(), k.getComment(), k.getAlgorithm() };
+ data[i] = new Object[] { (i + 1), k.getFingerprint(), k.getComment(),
+ k.getPermission(), k.getAlgorithm() };
}
stdout.println(FlipTable.of(headers, data, Borders.BODY_HCOLS));
}
protected void asTable(int index, SshKey key) {
- String[] headers = { "#", "Fingerprint", "Comment", "Type" };
+ String[] headers = { "#", "Fingerprint", "Comment", "Permission", "Type" };
Object[][] data = new Object[1][];
- data[0] = new Object[] { index, key.getFingerprint(), key.getComment(), key.getAlgorithm() };
+ data[0] = new Object[] { index, key.getFingerprint(), key.getComment(), key.getPermission(), key.getAlgorithm() };
stdout.println(FlipTable.of(headers, data, Borders.BODY_HCOLS));
}
projects / gitblit.git / commitdiff