cdba-shell: Add some simple scripts for user maintenance

Introduce some scripts to allow storing users public keys in a git and some hooks such that when this is pushed to the server the authorized_keys file is re-generated. Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
2026-02-25 13:11:56 -08:00 · 2022-08-18 22:45:24 -05:00
parent 42f8108e7c
commit ffc91a6bf2
5 changed files with 81 additions and 0 deletions
--- a/shell/README
+++ b/shell/README
@@ -0,0 +1,8 @@
+Create an account, such as "cdba" and run ./setup.sh as this user.
+Give the user a password, or setup authorized_keys
+
+Then from the other machine: git clone cdba@host
+
+Add a file "admins" listing the names of the admins, add your cdba config file
+as "cdba" and create a directory "keydir" populated with id_rsa.pub files,
+named <name>.pub - where <name> is referenced against the admins list.
--- a/shell/cdba-shell
+++ b/shell/cdba-shell
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+user=$1
+cmd=${SSH_ORIGINAL_COMMAND%% *}
+
+if [ "$cmd" = "git-upload-pack" -o "$cmd" = "git-receive-pack" ]; then
+	if grep -Fxq $user $HOME/admins ; then
+		exec sh -c "$SSH_ORIGINAL_COMMAND"
+	fi
+
+	echo Permission denied
+	exit 1
+fi
+
+exec cdba-server
--- a/shell/post-receive
+++ b/shell/post-receive
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+#
+# Generate new authorized_keys
+#
+AUTHORIZED_KEYS=$HOME/.ssh/authorized_keys
+AUTHORIZED_TMP=$HOME/.ssh/authorized_keys.tmp
+
+:> $AUTHORIZED_TMP
+git cat-file -p main:keydir | while read LINE; do
+    TYPE=$(echo $LINE | awk '{ print $2 }')
+    NAME=$(echo $LINE | awk '{ print $4 }')
+
+    if [ "$TYPE" != "blob" ]; then
+        continue
+    fi
+
+    USER=$(basename $NAME .pub)
+    PUBKEY=$(git cat-file blob main:keydir/$NAME)
+    echo "command=\"$HOME/bin/cdba-shell $USER\" $PUBKEY" >> $AUTHORIZED_TMP
+done
+mv $AUTHORIZED_TMP $AUTHORIZED_KEYS
+
+#
+# Install .cdba
+#
+git cat-file blob main:cdba > $HOME/.cdba
+
+#
+# Install admins list
+#
+git cat-file blob main:admins > $HOME/admins
--- a/shell/setup.sh
+++ b/shell/setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+git init --bare $HOME/cdba-admin
+install -m 755 post-receive $HOME/cdba-admin/hooks/
+install -m 755 update $HOME/cdba-admin/hooks/
+
+mkdir -p $HOME/bin
+install -m 755 cdba-shell $HOME/bin/
--- a/shell/update
+++ b/shell/update
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+refname="$1"
+oldrev="$2"
+newrev="$3"
+
+if [ "$refname" != "refs/heads/main" ]; then
+	echo "Only refs/heads/main allowed"
+	exit 1
+fi
+
+zero=$(git hash-object --stdin </dev/null | tr '[0-9a-f]' '0')
+if [ "$newrev" = "$zero" ]; then
+	echo "Don't delete main branch"
+	exit 1
+fi
+
+exit 0