From ffc91a6bf25363a9314dbcf3a287dac527eae425 Mon Sep 17 00:00:00 2001
From: Bjorn Andersson
Date: Thu, 18 Aug 2022 22:45:24 -0500
Subject: [PATCH] cdba-shell: Add some simple scripts for user maintenance

Introduce some scripts to allow storing users public keys in a git and some hooks such that when this is pushed to the server the authorized_keys file is re-generated.

Signed-off-by: Bjorn Andersson
---
 shell/README | 8 ++++++++
 shell/cdba-shell | 15 +++++++++++++++
 shell/post-receive | 32 ++++++++++++++++++++++++++++++++
 shell/setup.sh | 8 ++++++++
 shell/update | 18 ++++++++++++++++++
 5 files changed, 81 insertions(+)
 create mode 100644 shell/README
 create mode 100644 shell/cdba-shell
 create mode 100644 shell/post-receive
 create mode 100755 shell/setup.sh
 create mode 100644 shell/update
diff --git a/shell/README b/shell/README
new file mode 100644
index 0000000..4ac2fa5
--- /dev/null
+++ b/shell/README
@@ -0,0 +1,8 @@
+Create an account, such as "cdba" and run ./setup.sh as this user.
+Give the user a password, or setup authorized_keys
+
+Then from the other machine: git clone cdba@host
+
+Add a file "admins" listing the names of the admins, add your cdba config file
+as "cdba" and create a directory "keydir" populated with id_rsa.pub files,
+named .pub - where is referenced against the admins list.
diff --git a/shell/cdba-shell b/shell/cdba-shell
new file mode 100644
index 0000000..b23c197
--- /dev/null
+++ b/shell/cdba-shell
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+user=$1
+cmd=${SSH_ORIGINAL_COMMAND%% *}
+
+if [ "$cmd" = "git-upload-pack" -o "$cmd" = "git-receive-pack" ]; then
+ if grep -Fxq $user $HOME/admins ; then
+ exec sh -c "$SSH_ORIGINAL_COMMAND"
+ fi
+
+ echo Permission denied
+ exit 1
+fi
+
+exec cdba-server
diff --git a/shell/post-receive b/shell/post-receive
new file mode 100644
index 0000000..1c0c81a
--- /dev/null
+++ b/shell/post-receive
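Review bot: The admin branch validates only the first word of `$SSH_ORIGINAL_COMMAND` (`cmd=${SSH_ORIGINAL_COMMAND%% *}`) and then hands the whole string to `exec sh -c "$SSH_ORIGINAL_COMMAND"`, so the check does not actually confine an admin key to git transport: anything after the first word is interpreted by the shell as the service account. The intent appears to be "git only, even for admins", which is what `exec git-shell -c "$SSH_ORIGINAL_COMMAND"` gives, since git-shell restricts to the git transport commands and parses the repository argument itself without a shell. While here, `-o` inside `[ ]` is a deprecated form under `#!/bin/sh`, and `$user`/`$HOME/admins` are unquoted in the grep; `grep -Fxq -- "$user" "$HOME/admins"` also keeps a user name beginning with `-` from being read as an option. `echo Permission denied` goes to stdout, where the git client expects protocol data; sending it to stderr with `>&2` makes the refusal visible to the user.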
@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+#
+# Generate new authorized_keys
+#
+AUTHORIZED_KEYS=$HOME/.ssh/authorized_keys
+AUTHORIZED_TMP=$HOME/.ssh/authorized_keys.tmp
+
+:> $AUTHORIZED_TMP
+git cat-file -p main:keydir | while read LINE; do
+ TYPE=$(echo $LINE | awk '{ print $2 }')
+ NAME=$(echo $LINE | awk '{ print $4 }')
+
+ if [ "$TYPE" != "blob" ]; then
+ continue
+ fi
+
+ USER=$(basename $NAME .pub)
+ PUBKEY=$(git cat-file blob main:keydir/$NAME)
+ echo "command=\"$HOME/bin/cdba-shell $USER\" $PUBKEY" >> $AUTHORIZED_TMP
+done
+mv $AUTHORIZED_TMP $AUTHORIZED_KEYS
+
+#
+# Install .cdba
+#
+git cat-file blob main:cdba > $HOME/.cdba
+
+#
+# Install admins list
+#
+git cat-file blob main:admins > $HOME/admins
diff --git a/shell/setup.sh b/shell/setup.sh
new file mode 100755
index 0000000..76f4d5a
--- /dev/null
+++ b/shell/setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+git init --bare $HOME/cdba-admin
+install -m 755 post-receive $HOME/cdba-admin/hooks/
+install -m 755 update $HOME/cdba-admin/hooks/
+
+mkdir -p $HOME/bin
+install -m 755 cdba-shell $HOME/bin/
diff --git a/shell/update b/shell/update
new file mode 100644
index 0000000..535db30
--- /dev/null
+++ b/shell/update
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+refname="$1"
+oldrev="$2"
+newrev="$3"
+
+if [ "$refname" != "refs/heads/main" ]; then
+ echo "Only refs/heads/main allowed"
+ exit 1
+fi
+
+zero=$(git hash-object --stdin
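Review bot: The `echo "command=\"$HOME/bin/cdba-shell $USER\" $PUBKEY" >> $AUTHORIZED_TMP` line copies the key blob verbatim, so a `keydir` file with more than one line yields additional authorized_keys entries that carry no `command=` restriction, i.e. a pushed key file can grant an unrestricted login as the service account instead of a cdba-shell session. Take only the first line and reject anything that is not a single public key, e.g. `PUBKEY=$(git cat-file blob "main:keydir/$NAME" | head -n 1)` followed by a check that it has the `type key [comment]` shape before it is written. `$USER` is also substituted unquoted inside the `command="…"` option, so a file name containing a double quote or whitespace would break the option string (whether `git cat-file -p` escapes such names is not visible here, so worth confirming); `read -r` plus quoting `$LINE`, `$NAME` and the temp path closes the same gap. Assigning to `USER` shadows the environment's user name inside the loop; a script-local name such as `keyuser` avoids that surprise.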
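Review bot: `git init --bare $HOME/cdba-admin` leaves HEAD pointing at git's configured default branch (commonly `master`), while the `update` hook installed two lines later accepts only `refs/heads/main` and `post-receive` reads `main:`; a fresh clone will then warn that the remote HEAD refers to a nonexistent ref until someone fixes it by hand. Setting it explicitly, `git init --bare --initial-branch=main "$HOME/cdba-admin"` (or `git -C "$HOME/cdba-admin" symbolic-ref HEAD refs/heads/main` for older git), keeps the three scripts consistent. Every `$HOME` in this file is unquoted; quoting it costs nothing and is the expected form.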