ed60d5e (parent 2192114)12/18/2023, 2:52:45 AM
big cleanup in ssh module
+ 18
- 75
@@ -102,8 +102,12 @@ RUN echo "/usr/bin/git-shell" >> /etc/shells
 
 # Create git user
 RUN adduser git
+RUN groupadd -f git
 # RUN usermod -u 1000 git
 
+# Add root to git group
+RUN sudo usermod -a -G git root
+
 # Change git user shell to use git-shell
 # RUN usermod --shell /usr/bin/git-shell git
 RUN usermod --shell /usr/bin/sh git
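Review bot: `RUN sudo usermod -a -G git root` on the added line does not achieve anything for access control, because root is not subject to group permission checks on files, and `sudo` inside a build step is redundant whenever RUN already executes as root (no USER directive is visible above this hunk, so that appears to be the case here). If a non-root service process needs to read or write the git user's repositories, that process's own account is the one to add to the `git` group, and the root line can be dropped. The `RUN groupadd -f git` added after `RUN adduser git` looks like it only papers over the fact that `adduser` on Debian-style images normally creates the matching group already; if it is kept, a comment such as `# adduser may not create a group on minimal images; -f keeps the build idempotent` would explain the intent.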

app/controllers/ssh-auth.ts
@@ -14,18 +14,11 @@ const onSSHAuth: ReqHandler<AppRouteParams, AppRoute.SSH_AUTH> = async (
     cryptoService: request.cryptoService,
   });
 
-  // console.log("request:", request);
-
   request.body =
     typeof request.body === "string" ? JSON.parse(request.body) : request.body;
 
   const { command, repoSlug, username, publicKey } = request.body;
 
-  console.log("command:", command);
-  console.log("repoSlug:", repoSlug);
-  console.log("username:", username);
-  console.log("publicKey:", publicKey);
-
   const result = await gitService.repositoryResolver(
     repoSlug.replace(/\.git$/, "")
   );

...
@@ -35,18 +28,11 @@ const onSSHAuth: ReqHandler<AppRouteParams, AppRoute.SSH_AUTH> = async (
     ? gitRepositoryDir
     : `${gitRepositoryDir}.git`;
 
-  console.log("authMode:", authMode);
-  console.log("gitRepositoryDir:", gitRepositoryDir);
-
   if (
     authMode === GitServer.AuthMode.NEVER ||
     (authMode === GitServer.AuthMode.PUSH_ONLY &&
       command !== "git-receive-pack") // push
   ) {
-    console.log(
-      "no need for auth, repo is public/push_only and command is not push"
-    );
-
     reply.status(200).send({
       success: true,
       authMode,

...
@@ -64,19 +50,7 @@ const onSSHAuth: ReqHandler<AppRouteParams, AppRoute.SSH_AUTH> = async (
     }
   );
 
-  console.log(
-    "authorization result:",
-    isAuthorizationValid ? "valid" : "invalid"
-  );
-
-  // const gitSideBandMessage = require("git-side-band-message");
-  // const msg = gitSideBandMessage("Failure has occured!", Buffer.from("\u0003"));
-
-  const { frame } = require("git-pkt-line");
-  const msg = frame("error", "Forbidden access.");
-  console.log("message:", msg.toString("ascii"));
-
-  reply.status(isAuthorizationValid ? 200 : 400).send({
+  reply.status(isAuthorizationValid ? 200 : 403).send({
     success: isAuthorizationValid,
     authMode,
     command,
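Review bot: In the first hunk, the body parsed by `JSON.parse(request.body)` is destructured and used as-is, so a request whose `repoSlug` is missing or not a string throws at `repoSlug.replace(/\.git$/, "")` and surfaces as an unhandled error instead of the deliberate 403 this commit introduces in the third hunk; a malformed JSON string fails the same way inside `JSON.parse`. A shape check right after the destructuring closes both gaps: `if (typeof repoSlug !== "string" || typeof command !== "string") { reply.status(400).send({ success: false }); return; }`, with the parse wrapped in a try/catch that returns the same 400. The handler `onSSHAuth` begins before the first hunk and ends after the third, so the early-return form must match whatever the surrounding function already does on its other exits.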

app/services/repository/getRepositorySSHCloneUrl.ts
@@ -3,7 +3,7 @@ import type { ServiceMethodFactory } from "@ethicdevs/react-monolith";
 // generated via script[generate:prisma]
 import type { Repository } from "@prisma/client";
 // app
-import { Env } from "../../env";
+// import { Env } from "../../env";
 // service
 import type { RepositoryServiceDeps } from "./types";
 

...
@@ -25,7 +25,7 @@ const makeGetRepositorySSHCloneUrl: ServiceMethodFactory<
       );
     }
 
-    const baseUrl = `git@${Env.DEPLOYMENT_DOMAIN}`;
+    const baseUrl = `git@localhost`;
     return `${baseUrl}:${parentOrg.slug}/${repo.slug}.git`;
   };
 };
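Review bot: Hardcoding `git@localhost` in the second hunk replaces the deployment-specific host with a value that is only correct on a developer machine, so every clone URL shown to users of a real deployment becomes wrong, and the import of `Env` is commented out rather than removed. If the intent is a local-development default, keep the configuration path and fall back only when it is unset: `const baseUrl = \`git@${Env.DEPLOYMENT_DOMAIN ?? "localhost"}\`;` with the `Env` import restored. The enclosing `makeGetRepositorySSHCloneUrl` factory starts before this hunk.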

@@ -1,49 +1,28 @@
 #!/bin/sh
 
-# set -u # exit on undefined variable
 SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND}
-USERNAME=$1
 
-# If SSH_ORIGINAL_COMMAND is unset, simply kill term.
+# If SSH_ORIGINAL_COMMAND is unset, this was not invoked by ssh ForceCommand, kill now.
 if [ -z ${SSH_ORIGINAL_COMMAND+x} ]; then
   printf '%s\n' "Hi $USER! You've successfully authenticated, but I do not"
   printf '%s\n' "provide interactive shell access."
   exit 128
 fi
 
+USERNAME=$1
 RES_JSON=$(/usr/bin/ssh_command_node "${USERNAME}")
 EXIT=$?
 
+echo "result => (${EXIT})\n-----------\n\n" >> /home/git/ssh_commands.log
+
 COMMAND=$(echo "$RES_JSON" | jq -r '.command')
 AUTH_MODE=$(echo "$RES_JSON" | jq -r '.authMode')
 GIT_REPO_DIR=$(echo "$RES_JSON" | jq -r '.gitRepositoryDir')
 
-echo "AUTH_MODE: ${AUTH_MODE}" >> /home/git/ssh_commands.log
-echo "GIT_REPO_DIR: ${GIT_REPO_DIR}" >> /home/git/ssh_commands.log
-
-echo "ssh_command_node stdout: ${RES_JSON}" >> /home/git/ssh_commands.log
-echo "ssh_command_node exit code: ${EXIT}" >> /home/git/ssh_commands.log
-
 if [ "$EXIT" = "0" ]; then
   $COMMAND $GIT_REPO_DIR;
-  RESULT=$?
-
-  echo "result => ${RESULT}" >> /home/git/ssh_commands.log
   exit $?
 else
-  echo "C: 0017x03Forbidden access.\n"
+  echo "0016Forbidden access."
   exit 1
 fi
-
-# If we should reject:
-
-
-# Assuming bash will only execute the first command in the string
-# TODO See this https://unix.stackexchange.com/a/444949/309572
-# {
-#   $SSH_ORIGINAL_COMMAND
-#   exit $?
-# } || { # catch
-#   echo "Could not complete request."
-#   exit 1
-# }
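Review bot: `$COMMAND $GIT_REPO_DIR;` in the success branch runs whatever string `jq -r '.command'` produced, unquoted, and from the other hunks in this commit that value is the client's own `SSH_ORIGINAL_COMMAND` forwarded to the auth endpoint and echoed back unchanged, so this wrapper does not by itself restrict the ssh session to the git transport helpers (a missing key also yields the literal string `null`). Restricting `$COMMAND` with a `case` allowlist and quoting both arguments keeps the decision in this script rather than relying on what the helper and server happen to return. Separately, the new log line at the top uses `echo` with `\n` escapes, whose handling differs between `/bin/sh` implementations; the script already uses `printf '%s\n'` for its other output, and `SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND}` is a no-op that can go.
```shell
if [ "$EXIT" = "0" ]; then
  # Only the two git transport helpers may be run; anything else is refused.
  case "$COMMAND" in
    git-upload-pack|git-receive-pack) ;;
    *) echo "0016Forbidden access."; exit 1 ;;
  esac
  "$COMMAND" "$GIT_REPO_DIR"
  exit $?
else
  # … unchanged: rejection message …
fi
```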

data/ssh_command_node
@@ -1,22 +1,15 @@
 #!/usr/bin/node
 
 const fs = require("fs");
-const cp = require("child_process");
 
 async function main(args, sshOriginalCommand) {
   const [_, __, username] = args;
 
   if (username == null || username.trim() === "") {
-    console.log(
-      `Hi ${process.env.USER}!\nLooks like we could not find your username.`
-    );
     process.exit(128);
   }
 
   if (sshOriginalCommand == null) {
-    console.log(
-      `Hi ${process.env.USER}!\nYou've successfully authenticated, but I do not provide interactive shell access.`
-    );
     process.exit(128);
   }
 

...
@@ -31,7 +24,7 @@ async function main(args, sshOriginalCommand) {
       line.startsWith("#")
         ? { type: "comment", text: line }
         : line.trim() !== ""
-        ? { type: "key", text: line }
+        ? { type: "key", text: line.trim() }
         : null
     )
     .filter((x) => x != null && x.type === "key");

...
@@ -49,14 +42,10 @@ async function main(args, sshOriginalCommand) {
 
   fs.appendFileSync(
     "/home/git/ssh_commands.log",
-    `username: ${username}\npublicKey: ${publicKey}\ncommand: ${command}\nrepoSlug: ${repoSlug}\n-----------\n\n`,
+    `username: ${username}\npublicKey: ${publicKey}\ncommand: ${command}\nrepoSlug: ${repoSlug}\n-----------\n`,
     { encoding: "utf8" }
   );
 
-  // console.log(
-  //   `username: ${username}\npublicKey: ${publicKey}\ncommand: ${command}\nrepoSlug: ${repoSlug}\n`
-  // );
-
   const res = await fetch(`http://localhost:1337/_ssh/auth`, {
     method: "POST",
     body: JSON.stringify({
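Review bot: The record appended to `/home/git/ssh_commands.log` at the top of this hunk places `command` and `repoSlug` (which, from the rest of `main`, appear to be parsed out of the client's `sshOriginalCommand`) on lines of their own, so a value containing a newline forges extra lines or a fake `-----------` boundary in the log; emitting one JSON line per record, `` `${JSON.stringify({ username, publicKey, command, repoSlug })}\n` ``, keeps each record to a single line and unambiguous. The reply to the `fetch` started here is checked in the following hunk with `if (json.success === false)`, which treats any reply lacking the field as authorization, so `if (json.success !== true)` is the fail-closed form. `main` continues past the end of these hunks.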

...
@@ -71,30 +60,27 @@ async function main(args, sshOriginalCommand) {
     const text = await res.text();
     fs.appendFileSync(
       "/home/git/ssh_commands.log",
-      `${res.status}: ${res.statusText} - ${text}\n-----------\n\n`,
+      `${res.status}: ${res.statusText} - ${text}\n-----------\n`,
       { encoding: "utf8" }
     );
-    console.log("Forbidden access.");
+
     process.exit(128);
-    return;
   }
 
   const json = await res.json();
 
-  console.log(JSON.stringify(json));
-
   fs.appendFileSync(
     "/home/git/ssh_commands.log",
-    `${JSON.stringify(json, null, 2)}\n-----------\n\n`,
+    `${res.status}: ${res.statusText} - ${JSON.stringify(json)}\n-----------\n`,
     { encoding: "utf8" }
   );
 
   if (json.success === false) {
-    console.log("Forbiden access.");
     process.exit(128);
   }
 
   // success!
+  console.log(JSON.stringify(json));
   process.exit(0);
 }