2013-10-26 23:11:52 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
final class DiffusionSSHGitReceivePackWorkflow
|
|
|
|
|
extends DiffusionSSHGitWorkflow {
|
|
|
|
|
|
|
|
|
|
public function didConstruct() {
|
|
|
|
|
$this->setName('git-receive-pack');
|
|
|
|
|
$this->setArguments(
|
|
|
|
|
array(
|
|
|
|
|
array(
|
|
|
|
|
'name' => 'dir',
|
|
|
|
|
'wildcard' => true,
|
|
|
|
|
),
|
|
|
|
|
));
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-11 21:19:06 +01:00
|
|
|
protected function executeRepositoryOperations() {
|
2013-10-26 23:11:52 +02:00
|
|
|
$args = $this->getArgs();
|
2013-11-11 21:19:06 +01:00
|
|
|
$path = head($args->getArg('dir'));
|
|
|
|
|
$repository = $this->loadRepository($path);
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
|
|
|
|
|
// This is a write, and must have write access.
|
|
|
|
|
$this->requireWriteAccess();
|
|
|
|
|
|
Add "phd.user" with `sudo` hooks for SSH/HTTP writes
Summary:
Ref T2230. When fully set up, we have up to three users who all need to write into the repositories:
- The webserver needs to write for HTTP receives.
- The SSH user needs to write for SSH receives.
- The daemons need to write for "git fetch", "git clone", etc.
These three users don't need to be different, but in practice they are often not likely to all be the same user. If for no other reason, making them all the same user requires you to "git clone httpd@host.com", and installs are likely to prefer "git clone git@host.com".
Using three different users also allows better privilege separation. Particularly, the daemon user can be the //only// user with write access to the repositories. The webserver and SSH user can accomplish their writes through `sudo`, with a whitelisted set of commands. This means that even if you compromise the `ssh` user, you need to find a way to escallate from there to the daemon user in order to, e.g., write arbitrary stuff into the repository or bypass commit hooks.
This lays some of the groundwork for a highly-separated configuration where the SSH and HTTP users have the fewest privileges possible and use `sudo` to interact with repositories. Some future work which might make sense:
- Make `bin/phd` respect this (require start as the right user, or as root and drop privileges, if this configuration is set).
- Execute all `git/hg/svn` commands via sudo?
Users aren't expected to configure this yet so I haven't written any documentation.
Test Plan:
Added an SSH user ("dweller") and gave it sudo by adding this to `/etc/sudoers`:
dweller ALL=(epriestley) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack
Then I ran git pushes and pulls over SSH via "dweller@localhost". They successfully interacted with the repository on disk as the "epriestley" user.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7589
2013-11-18 17:58:35 +01:00
|
|
|
$command = csprintf('git-receive-pack %s', $repository->getLocalPath());
|
|
|
|
|
$command = PhabricatorDaemon::sudoCommandAsDaemonUser($command);
|
|
|
|
|
|
2013-12-03 00:45:36 +01:00
|
|
|
$future = id(new ExecFuture('%C', $command))
|
|
|
|
|
->setEnv($this->getEnvironment());
|
2013-11-11 21:19:06 +01:00
|
|
|
|
Generalize SSH passthru for repository hosting
Summary:
Ref T2230. In Git, we can determine if a command is read-only or read/write from the command itself, but this isn't the case in Mercurial or SVN.
For Mercurial and SVN, we need to proxy the protocol that's coming over the wire, look at each request from the client, and then check if it's a read or a write. To support this, provide a more flexible version of `passthruIO`.
The way this will work is:
- The SSH IO channel is wrapped in a `ProtocolChannel` which can parse the the incoming stream into message objects.
- The `willWriteCallback` will look at those messages and determine if they're reads or writes.
- If they're writes, it will check for write permission.
- If we're good to go, the message object is converted back into a byte stream and handed to the underlying command.
Test Plan: Executed `git clone`, `git clone --depth 3`, `git push` (against no-write repo, got error), `git push` (against valid repo).
Reviewers: btrahan
Reviewed By: btrahan
CC: hach-que, asherkin, aran
Maniphest Tasks: T2230
Differential Revision: https://secure.phabricator.com/D7551
2013-11-11 21:12:21 +01:00
|
|
|
$err = $this->newPassthruCommand()
|
|
|
|
|
->setIOChannel($this->getIOChannel())
|
|
|
|
|
->setCommandChannelFromExecFuture($future)
|
|
|
|
|
->execute();
|
2013-10-31 23:46:57 +01:00
|
|
|
|
|
|
|
|
if (!$err) {
|
|
|
|
|
$repository->writeStatusMessage(
|
|
|
|
|
PhabricatorRepositoryStatusMessage::TYPE_NEEDS_UPDATE,
|
|
|
|
|
PhabricatorRepositoryStatusMessage::CODE_OKAY);
|
2013-11-11 21:27:28 +01:00
|
|
|
$this->waitForGitClient();
|
2013-10-31 23:46:57 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $err;
|
2013-10-26 23:11:52 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|