Class: GitAclShell::Shell

Inherits:
Object
  • Object
show all
Defined in:
lib/git_acl_shell/shell.rb

Constant Summary collapse

COMMAND_WHITELIST =

See git-scm.com/docs/git-shell#_commands

(git push)       (git fetch)     (git archive)

%w(git-receive-pack git-upload-pack git-upload-archive).freeze
NO_SHELL_ACCESS_MESSAGE = 
ENV['git_acl_shell_no_shell_access_message'] || "You've succesfully authenticated, but shell access is not available."
ACCESS_DENIED_MESSAGE = 
ENV['git_acl_shell_access_denied_message'] || "You've successfully authenticated, but you don't have access to this repo."
COMMAND_DENIED_MESSAGE = 
ENV['git_acl_shell_command_denied_message'] || "You've successfully authenticated, but the only allowed commands are #{COMMAND_WHITELIST.join(', ')}."

Instance Method Summary collapse

Constructor Details

#initialize(key_id, acl:, directory:, kernel: Kernel, stderr: $stderr) ⇒ Shell

Returns a new instance of Shell.



13
14
15
16
17
18
19
 
# File 'lib/git_acl_shell/shell.rb', line 13

def initialize(key_id, acl:, directory:, kernel: Kernel, stderr: $stderr)
  @key_id    = key_id
  @acl       = acl
  @directory = directory
  @kernel    = kernel
  @stderr    = stderr
end

Instance Method Details

#exec(command) ⇒ Object 



21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
# File 'lib/git_acl_shell/shell.rb', line 21

def exec(command)
  if command.nil?
    @stderr.puts(NO_SHELL_ACCESS_MESSAGE)
    return false
  end

  args = Shellwords.shellwords(command)
  if whitelist?(args)
    repo_path = args.pop
    repo_extension = File.extname(repo_path)
    repo_alias = File.basename(repo_path, repo_extension)

    begin
      repo_name = @directory.lookup(repo_alias)
      repo_path = File.join(File.dirname(repo_path), "#{repo_name}#{repo_extension}")
      args.push(repo_path)
    rescue UnknownAlias
      @stderr.puts("Not found")
      return false
    end

    if @acl.authorized?(@key_id, repo_name)
      @kernel.exec(*args)
      true
    else
      @stderr.puts(ACCESS_DENIED_MESSAGE)
      false
    end
  else
    @stderr.puts(COMMAND_DENIED_MESSAGE)
    false
  end
end