From 941a4951442a628a47dcefb4d0190699bacf71f7 Mon Sep 17 00:00:00 2001
From: Loic d'Anterroches
Date: Mon, 19 Jan 2009 20:44:03 +0100
Subject: [PATCH] Added the bulk of the access control to the git repositories.
---
 scripts/gitcron.php | 41 ++++++++++++++++++++++++++++++++
 scripts/gitserve.py | 34 ++++++++++++++++++++++++++
 src/IDF/Plugin/SyncGit/Cron.php | 19 +++++++++++----
 src/IDF/Plugin/SyncGit/Serve.php | 34 +++++++++++++++-----------
 4 files changed, 110 insertions(+), 18 deletions(-)
 create mode 100644 scripts/gitcron.php
 create mode 100644 scripts/gitserve.py
diff --git a/scripts/gitcron.php b/scripts/gitcron.php
new file mode 100644
index 0000000..ee44091
--- /dev/null
+++ b/scripts/gitcron.php
@@ -0,0 +1,41 @@
+template;
- $keys = Pluf::factory('IDF_Key')->getList(array('view'=>'join_user'));
- $cmd = Pluf::f('idf_plugin_syncgit_path_gitserve', '/bin/false');
+ $cmd = Pluf::f('idf_plugin_syncgit_path_gitserve', '/dev/null');
 $authorized_keys = Pluf::f('idf_plugin_syncgit_path_authorized_keys', false);
 if (false == $authorized_keys) {
 throw new Pluf_Exception_SettingError('Setting git_path_authorized_keys not set.');
@@ -48,6 +46,7 @@ class IDF_Plugin_SyncGit_Cron
 throw new Exception('Cannot create file: '.$authorized_keys);
 }
 $out = '';
+ $keys = Pluf::factory('IDF_Key')->getList(array('view'=>'join_user'));
 foreach ($keys as $key) {
 if (strlen($key->content) > 40 // minimal check
 and preg_match('/^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$/', $key->login)) {
@@ -57,4 +56,16 @@ class IDF_Plugin_SyncGit_Cron
 }
 file_put_contents($authorized_keys, $out, LOCK_EX);
 }
+
+ /**
+ * Check if a sync is needed.
+ *
+ */
+ public static function main()
+ {
+ if (file_exists(Pluf::f('idf_plugin_syncgit_sync_file'))) {
+ @unlink(Pluf::f('idf_plugin_syncgit_sync_file'));
+ self::sync();
+ }
+ }
 }
diff --git a/src/IDF/Plugin/SyncGit/Serve.php b/src/IDF/Plugin/SyncGit/Serve.php
index 5a25696..6ee1132 100644
--- a/src/IDF/Plugin/SyncGit/Serve.php
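Review bot: The only check on `$key->content` before a key is written to `authorized_keys` is `strlen($key->content) > 40`, which does not exclude line breaks. The code that builds each output line is outside this hunk, but if the stored content is inserted as-is, an embedded newline would start a second entry that does not carry the per-user forced command. Extending the condition with `and !preg_match('/[\r\n]/', $key->content)`, or normalising the key to a single line when it is uploaded, would close that gap. The enclosing `foreach` continues past the end of the hunk.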
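Review bot: In the new `main()` the flag file is deleted before `self::sync()` runs and the `@` hides a failed `unlink`, so a sync that throws (the method raises on a missing setting or an unwritable file, as the earlier hunks show) silently drops the pending request. For an access-control file this means a removed key can stay in `authorized_keys` until some later change recreates the flag. Consider restoring the flag on failure, e.g. `try { self::sync(); } catch (Exception $e) { touch($flag); throw $e; }`, and reporting an `unlink` failure instead of suppressing it. `Pluf::f('idf_plugin_syncgit_sync_file')` is also read without a default, so an unset setting makes the check quietly never fire.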
+++ b/src/IDF/Plugin/SyncGit/Serve.php
@@ -104,15 +104,13 @@ class IDF_Plugin_SyncGit_Serve
 */
 public static function main($argv, $env)
 {
- if (count($argv) != 1) {
- print('Missing argument USER.');
- exit(1);
+ if (count($argv) != 2) {
+ self::fatalError('Missing argument USER.');
 }
- $username = $argv[0];
+ $username = $argv[1];
 umask(0022);
 if (!isset($env['SSH_ORIGINAL_COMMAND'])) {
- print('Need SSH_ORIGINAL_COMMAND in environment.');
- exit(1);
+ self::fatalError('Need SSH_ORIGINAL_COMMAND in environment.');
 }
 $cmd = $env['SSH_ORIGINAL_COMMAND'];
 chdir(Pluf::f('idf_plugin_syncgit_git_home_dir', '/home/git'));
@@ -120,15 +118,10 @@ class IDF_Plugin_SyncGit_Serve
 try {
 $new_cmd = $serve->serve($username, $cmd);
 } catch (Exception $e) {
- print($e->getMessage());
- exit(1);
+ self::fatalError($e->getMessage());
 }
- passthru(sprintf('git shell -c %s', $new_cmd), $res);
- if ($res != 0) {
- print('Cannot execute git-shell.');
- exit(1);
- }
- exit();
+ print $new_cmd;
+ exit(0);
 }
 
 /**
@@ -164,6 +157,8 @@ class IDF_Plugin_SyncGit_Serve
 $user = $users[0];
 $request = new StdClass();
 $request->user = $user;
+ $request->conf = $conf;
+ $request->project = $project;
 if (true === IDF_Precondition::accessTabGeneric($request, 'source_access_rights')) {
 if ($mode == 'readonly') {
 return array(Pluf::f('idf_plugin_syncgit_base_repositories', '/home/git/repositories'),
@@ -177,6 +172,17 @@ class IDF_Plugin_SyncGit_Serve
 return false;
 }
 
+ /**
+ * Die on a message on stderr.
+ *
+ * @param string Message
+ */
+ public static function fatalError($mess)
+ {
+ fwrite(STDERR, $mess."\n");
+ exit(1);
+ }
+
 /**
 * Init a new empty bare repository.
 *
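Review bot: With `print $new_cmd; exit(0);` standard output becomes the channel that carries the authorised command to the caller (presumably the `scripts/gitserve.py` wrapper added by this commit, which is not visible here), so anything else PHP writes to stdout first ends up in that command string. A notice or warning emitted with `display_errors` on is the usual way this happens. Setting `ini_set('display_errors', 'stderr');` at the top of `main()` keeps diagnostics off the channel, and a short comment above the `print` should state that stdout must contain the command and nothing else. The wrapper side should treat the value as an argument list rather than a shell line; that part is outside this hunk.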
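Review bot: The hand-built `$request` object is the only input to the access decision, yet nothing says which fields `IDF_Precondition::accessTabGeneric()` expects; a comment above `$request = new StdClass();` such as `// Minimal stand-in for a web request: the precondition needs user, conf and project.` would keep a later precondition call from being made with a field missing. Before this change the check ran without `conf` and `project`, so it is worth confirming in the precondition itself that an absent field leads to a denial rather than an allow. The enclosing function starts and ends outside the hunk, so where `$conf` and `$project` come from and how the non-readonly branch is gated cannot be checked from here.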
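Review bot: The docblock for `fatalError()` gives `@param string Message` without the parameter name and does not say that the method terminates the process; `@param string $mess Message written to stderr` plus a line stating that it exits with status 1 and never returns would document the contract. Because `main()` now passes `$e->getMessage()` through this method to the remote SSH client, any internal detail carried in an exception message (paths, setting names, database errors) is disclosed to whoever connects. Consider logging the original message locally and sending the client a fixed, generic refusal.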