Commit bce5d32d2b419cb9bc53d54de2a915ac1342432e - Added possibility to use AuthorizedKeysCommand for performance reasons
Author: Catalin(ux) M. BOIE
Author date (UTC): 2016-11-06 12:35
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2016-11-06 12:35
Parent(s): 5742bea67f2e784e2b2bb9e97f005fc621c4119d
Signing key:
Tree: 284ced865292a2959974ed74e1bf9374a9c790a4
File Lines added Lines deleted
compare.csv 1 0
inc/admin.inc.php 100 0
inc/admin/admin.php 5 1
inc/fixes.inc.php 88 0
inc/keys.inc.php 89 16
inc/struct.inc.php 11 0
root/themes/default/admin/menu.html 1 0
root/themes/default/admin/settings/load_err.html 3 0
root/themes/default/admin/settings/main.html 23 0
root/themes/default/admin/settings/menu.html 5 0
root/themes/default/admin/settings/ok.html 3 0
root/themes/default/admin/settings/ssh/hints.html 15 0
root/themes/default/invalid_menu.html 1 1
selinux/rocketgit.fc 2 0
selinux/rocketgit.te.tmpl 7 1
tools/rg_authorize 62 0
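--- a/compare.csv
+++ b/compare.csv
@@ -19,6 +19,7 @@ Usable with lynx,Yes,Yes,Yes,?,?,n/a,Yes
 Web Hooks,Yes,Yes,Yes,?,?,No,?
 Web Hooks - provide client certs,Yes,No,No,?,?,n/a,?
 Web Hooks - authenticate server (CA cert),Yes,No,No,?,?,n/a,?
+OpenSSH AuthorizedKeysCommand,Yes,?,?,?,?,?,?
 ,,,,,,,
 [Rights],,,,,,,
 Path control,Yes,?,?,?,?,?,?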
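--- a/inc/admin.inc.php
+++ b/inc/admin.inc.php
@@ -475,4 +475,104 @@ function rg_clean_logs($dir)
 	}
 }
 
+/*
+ * Admin ->Settings -> SSH menu
+ */
+function rg_admin_settings_ssh($db, $rg)
+{
+	rg_log_enter('admin_settings_menu');
+
+	$ret = '';
+	$errmsg = array();
+	$hints = array();
+	while ($rg['doit'] == 1) {
+		if (!rg_valid_referer()) {
+			$errmsg[] = 'invalid referer; try again';
+			break;
+		}
+
+		if (!rg_token_valid($db, $rg, 'admin_settings_ssh', FALSE)) {
+			$errmsg[] = 'invalid token; try again';
+			break;
+		}
+
+		$akp = rg_var_int('AuthorizedKeysCommand');
+		$r = rg_state_set($db, 'AuthorizedKeysCommand', $akp);
+		if ($r === FALSE) {
+			$errmsg[] = 'cannot set state; try again';
+			break;
+		}
+
+		// Nobody will force the regeneration, so, do it here!
+		$ev = array(
+			'category' => 'rg_keys_event_regen',
+			'prio' => 10,
+			'ui' => array('uid' => $rg['login_ui']['uid'])
+		);
+		$r = rg_event_add($db, $ev);
+		if ($r !== TRUE) {
+			$errmsg[] = 'cannot add event';
+			break;
+		}
+
+		$ret .= rg_template('admin/settings/ok.html',
+			$rg, TRUE /*xss*/);
+		break;
+	}
+
+	// Load defaults
+	while (1) {
+		$r = rg_state_get($db, 'AuthorizedKeysCommand');
+		if ($r === FALSE) {
+			$ret = rg_template('admin/settings/load_err.html',
+				$rg, TRUE /*xss*/);
+			break;
+		}
+
+		$rg['AuthorizedKeysCommand'] = $r;
+
+		$hints[]['HTML:hint'] = rg_template('admin/settings/ssh/hints.html',
+			$rg, TRUE /*xss*/);
+
+		$rg['HTML:hints'] = rg_template_table('hints/list', $hints, $rg);
+		$rg['HTML:errmsg'] = rg_template_errmsg($errmsg);
+		$rg['rg_form_token'] = rg_token_get($db, $rg, 'admin_settings_ssh');
+		$ret .= rg_template('admin/settings/main.html', $rg, TRUE /*xss*/);
+		break;
+	}
+
+	rg_log_exit();
+	return $ret;
+}
+
+/*
+ * Deals with Admin -> Settings menu
+ */
+function rg_admin_settings($db, &$rg, $paras)
+{
+	rg_log_enter('admin_settings');
+
+	$ret = '';
+
+	$_op = empty($paras) ? 'ssh' : array_shift($paras);
+	rg_log("DEBUG: _op=$_op sparas=" . rg_array2string($paras));
+
+	$rg['admin_settings_menu'][$_op] = 1;
+	$rg['HTML:menu_level2'] = rg_template('admin/settings/menu.html',
+		$rg, TRUE /*xss*/);
+
+	switch ($_op) {
+	case 'ssh':
+		$ret .= rg_admin_settings_ssh($db, $rg);
+		break;
+
+	default:
+		$ret .= rg_template('invalid_menu.html', $rg, TRUE /*xss*/);
+		break;
+	}
+
+	rg_log_exit();
+	return $ret;
+}
+
 ?>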
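Review bot: `rg_log_enter('admin_settings_menu')` at the top of rg_admin_settings_ssh names a different handler, so the enter/exit log pairs for this function are filed under the wrong label; use `rg_log_enter('admin_settings_ssh');` so it matches the function name and the token name used a few lines below. The "Load defaults" loop re-reads the state after the save path, so the form always shows the persisted value rather than the submitted one; a short comment such as `// re-read the state so the form shows what was actually persisted` would make that deliberate for the next reader. `$rg` is taken by value here while rg_admin_settings takes it by reference, which is fine since only local template keys are set, but a note on the parameter would stop someone "fixing" the mismatch.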
File inc/admin/admin.php changed (mode: 100644) (index 83e68f1..bdad503)
... ... if ($rg['login_ui']['is_admin'] != 1) {
8 8 return; return;
9 9 } }
10 10
11 $_subop = empty($paras) ? 'plans' : array_shift($paras);
11 $_subop = empty($paras) ? 'settings' : array_shift($paras);
12 12
13 13 $rg['admin_menu'][$_subop] = 1; $rg['admin_menu'][$_subop] = 1;
14 14 $rg['HTML:menu_level2'] = ''; $rg['HTML:menu_level2'] = '';
 
... ... $rg['HTML:menu_level2'] = '';
16 16 $rg['url_up'] = $rg['url']; $rg['url_up'] = $rg['url'];
17 17 $rg['url'] .= '/' . $_subop; $rg['url'] .= '/' . $_subop;
18 18 switch ($_subop) { switch ($_subop) {
19 case 'settings':
20 $_admin_body = rg_admin_settings($db, $rg, $paras);
21 break;
22
19 23 case 'plans': case 'plans':
20 24 include($INC . "/admin/plans/plans.php"); include($INC . "/admin/plans/plans.php");
21 25 $_admin_body = $_admin_plans; $_admin_body = $_admin_plans;
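--- a/inc/fixes.inc.php
+++ b/inc/fixes.inc.php
@@ -42,6 +42,9 @@ $rg_fixes[9] = array(
 $rg_fixes[10] = array(
 	'functions' => 'rg_fixes_drop_if_exists'
 );
+$rg_fixes[11] = array(
+	'functions' => 'rg_fixes_fingerprint_sha256'
+);
 
 // This must be the last line
 $rg_fixes_ver = count($rg_fixes);
@@ -680,6 +683,91 @@ function rg_fixes_drop_if_exists($db)
 	return $ret;
 }
 
+/*
+ * We need to update the keys.fingerprint_sha256 field
+ */
+function rg_fixes_fingerprint_sha256($db)
+{
+	global $php_errormsg;
+
+	rg_log_enter('rg_fixes_fingerprint_sha256');
+
+	$ret = TRUE;
+	while (1) {
+		// keys table
+		$sql = 'SELECT key_id, key FROM keys'
+			. ' WHERE fingerprint_sha256 = \'\'';
+		$res = rg_sql_query($db, $sql);
+		if ($res === FALSE) {
+			$ret = FALSE;
+			break;
+		}
+		while (($row = rg_sql_fetch_array($res))) {
+			$ki = rg_keys_info($row['key']);
+			if ($ki['ok'] !== 1) {
+				rg_log('Cannot get info about key'
+					. ' ' . $row['key_id'] . ': '
+					. rg_keys_error() . '; ignore it');
+				continue;
+			}
+
+			$params = array(
+				'key_id' => $row['key_id'],
+				'fingerprint_sha256' => $ki['fingerprint_sha256']
+			);
+			$sql = 'UPDATE keys'
+				. ' SET fingerprint_sha256 = @@fingerprint_sha256@@'
+				. ' WHERE key_id = @@key_id@@';
+			$res2 = rg_sql_query_params($db, $sql, $params);
+			if ($res2 === FALSE) {
+				rg_log('Cannot update fingerprint_sha256: '
+					. rg_sql_error());
+				break;
+			}
+			rg_sql_free_result($res2);
+		}
+		rg_sql_free_result($res);
+
+		// workers table
+		$sql = 'SELECT id, ssh_key FROM workers'
+			. ' WHERE fingerprint_sha256 = \'\'';
+		$res = rg_sql_query($db, $sql);
+		if ($res === FALSE) {
+			$ret = FALSE;
+			break;
+		}
+		while (($row = rg_sql_fetch_array($res))) {
+			$ki = rg_keys_info($row['ssh_key']);
+			if ($ki['ok'] !== 1) {
+				rg_log('Cannot get info about key'
+					. ' ' . $row['id'] . ': '
+					. rg_keys_error() . '; ignore it');
+				continue;
+			}
+
+			$params = array(
+				'id' => $row['id'],
+				'fingerprint_sha256' => $ki['fingerprint_sha256']
+			);
+			$sql = 'UPDATE workers'
+				. ' SET fingerprint_sha256 = @@fingerprint_sha256@@'
+				. ' WHERE id = @@id@@';
+			$res2 = rg_sql_query_params($db, $sql, $params);
+			if ($res2 === FALSE) {
+				rg_log('Cannot update fingerprint_sha256: '
+					. rg_sql_error());
+				break;
+			}
+			rg_sql_free_result($res2);
+		}
+		rg_sql_free_result($res);
+		break;
+	}
+
+	rg_log_exit();
+	return $ret;
+}
+
 
 
 /*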
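Review bot: When an UPDATE fails (the two `$res2 === FALSE` branches, one per table), rg_fixes_fingerprint_sha256 logs and breaks out of the row loop but leaves `$ret` at TRUE, so fix 11 is recorded as applied while some rows keep an empty fingerprint_sha256, and once AuthorizedKeysCommand is enabled those keys would never be matched by rg_keys_search_by_fingerprint. Set `$ret = FALSE;` before each of those two `break;` statements so the fix is retried on the next run instead of silently half-applied. `global $php_errormsg;` is declared but never used in this function. The keys and workers loops differ only in column names; a small private helper taking the table, id column and key column would keep the error handling of both paths identical.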
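--- a/inc/keys.inc.php
+++ b/inc/keys.inc.php
@@ -72,9 +72,6 @@ function rg_keys_event_del($db, $event)
  * Regenerate keyring.
  * We ignore requests that were inserted in queue after we already
  * regenerated the keys.
- * We must regenerate now to not let the user wait too much.
- * TODO: When we will have support in sshd for key lookup, we will not need
- * to regenerate.
  */
 function rg_keys_event_regen($db, $event)
 {
@@ -421,9 +418,12 @@ function rg_keys_add($db, $ui, $key)
 		'key' => $ki['type'] . ' ' . $ki['key']
 			. ' ' . $ki['comment'],
 		'count' => 0,
-		'first_use' => 0);
-	$sql = "INSERT INTO keys (itime, uid, key)"
-		. " VALUES (@@itime@@, @@uid@@, @@key@@)"
+		'first_use' => 0,
+		'fingerprint_sha256' => $ki['fingerprint_sha256']);
+	$sql = "INSERT INTO keys (itime, uid, key"
+		. ", fingerprint_sha256)"
+		. " VALUES (@@itime@@, @@uid@@, @@key@@"
+		. ", @@fingerprint_sha256@@)"
 		. " RETURNING key_id";
 	$res = rg_sql_query_params($db, $sql, $params);
 	if ($res === FALSE) {
@@ -559,6 +559,24 @@ function rg_keys_update_use($db, $uid, $key_id, $ip, $cmd)
 	return $ret;
 }
 
+/*
+ * Outputs a line for authorized_keys file
+ */
+function rg_keys_output_line($i)
+{
+	global $rg_scripts;
+	global $rg_ssh_paras;
+
+	return 'command="'
+		. $rg_scripts . '/scripts/remote.sh'
+		. ' ' . $i['uid']
+		. ' ' . $i['key_id']
+		. ' ' . $i['flags']
+		. '"'
+		. ',' . $rg_ssh_paras
+		. ' ' . trim($i['key']) . "\n";
+}
+
 /*
  * Regenerates authorized_keys files
  */
@@ -567,7 +585,6 @@ function rg_keys_regen($db)
 	global $php_errormsg;
 	global $rg_keys_file;
 	global $rg_scripts;
-	global $rg_ssh_paras;
 
 	rg_prof_start("keys_regen");
 
@@ -585,6 +602,19 @@ function rg_keys_regen($db)
 			chgrp($dir, "rocketgit");
 		}
 
+		$akp = rg_state_get($db, 'AuthorizedKeysCommand');
+		if ($akp === FALSE) {
+			rg_keys_set_error('cannot get state of AuthorizedKeysCommand');
+			break;
+		}
+
+		if ($akp == 1) {
+			if (file_exists($rg_keys_file))
+				unlink($rg_keys_file);
+			$ret = TRUE;
+			break;
+		}
+
 		$tmp = $rg_keys_file . ".tmp";
 		$f = @fopen($tmp, "w");
 		if ($f === FALSE) {
@@ -634,14 +664,7 @@ function rg_keys_regen($db)
 		$errors = 0;
 		foreach ($list as $row) {
 			//rg_log("Writing key [" . $row['key'] . "] for uid " . $row['uid']);
-			$buf = "command=\""
-				. $rg_scripts . "/scripts/remote.sh"
-				. " " . $row['uid']
-				. " " . $row['key_id']
-				. " " . $row['flags']
-				. "\""
-				. "," . $rg_ssh_paras
-				. " " . $row['key'] . "\n";
+			$buf = rg_keys_output_line($row);
 			if (@fwrite($f, $buf) === FALSE) {
 				rg_keys_set_error("cannot write; disk space problems? ($php_errormsg)");
 				$errors = 1;
@@ -686,7 +709,7 @@ function rg_keys_list($db, $ui)
 			. " ORDER BY itime DESC";
 		$res = rg_sql_query_params($db, $sql, $params);
 		if ($res === FALSE) {
-			rg_keys_set_error("Cannot query (" . rg_sql_error() . ")");
+			rg_keys_set_error('cannot select from db');
 			break;
 		}
 
@@ -738,4 +761,54 @@ function rg_keys_list($db, $ui)
 	return $ret;
 }
 
+/*
+ * Search a key by fingerprint
+ * Used for OpenSSH (rg_authorize script)
+ */
+function rg_keys_search_by_fingerprint($db, $fp)
+{
+	rg_prof_start('keys_search_by_fingerprint');
+
+	$ret = array('ok' => 0, 'list' => array());
+	while (1) {
+		$params = array('fp' => $fp);
+		$sql = 'SELECT key_id, uid, key FROM keys'
+			. ' WHERE fingerprint_sha256 = @@fp@@';
+		$res = rg_sql_query_params($db, $sql, $params);
+		if ($res === FALSE) {
+			rg_keys_set_error('cannot select from keys table');
+			break;
+		}
+		while (($row = rg_sql_fetch_array($res))) {
+			$row['flags'] = 'N';
+			$ret['list'][] = $row;
+		}
+		rg_sql_free_result($res);
+
+		$sql = 'SELECT id, who, ssh_key FROM workers'
+			. ' WHERE fingerprint_sha256 = @@fp@@';
+		$res = rg_sql_query_params($db, $sql, $params);
+		if ($res === FALSE) {
+			rg_keys_set_error('cannot select from workers table');
+			break;
+		}
+		while (($row = rg_sql_fetch_array($res))) {
+			$row2 = array(
+				'key_id' => $row['id'],
+				'uid' => $row['who'],
+				'key' => $row['ssh_key'],
+				'flags' => 'W'
+			);
+			$ret['list'][] = $row2;
+		}
+		rg_sql_free_result($res);
+
+		$ret['ok'] = 1;
+		break;
+	}
+
+	rg_prof_end('keys_search_by_fingerprint');
+	return $ret;
+}
+
 ?>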
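Review bot: rg_keys_search_by_fingerprint returns every keys and workers row whose fingerprint_sha256 matches, with no further condition, and with AuthorizedKeysCommand active that result alone decides SSH access; if the list query feeding rg_keys_regen restricts rows in any way (that query is outside this diff, so this is an inference), the same restriction has to be applied here or the two authentication paths will disagree on who may log in. The keys rows are also given a fixed `$row['flags'] = 'N'`, whereas the regen loop passes whatever `$row['flags']` its list supplies into rg_keys_output_line, so the command= prefix can differ between the two paths for the same key; worth confirming that 'N' is the only value regen ever produced for user keys. A docblock on rg_keys_search_by_fingerprint stating that `$fp` is the base64 SHA-256 digest without the `SHA256:` prefix and without `=` padding, as tools/rg_authorize passes it, would pin down the form rg_keys_info must store in fingerprint_sha256.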
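--- a/inc/struct.inc.php
+++ b/inc/struct.inc.php
@@ -577,6 +577,17 @@ $rg_sql_struct[40]['other'] = array(
 	"UPDATE users SET disk_used_mb = 0 WHERE disk_used_mb IS NULL"
 );
 
+$rg_sql_struct[41]['other'] = array(
+	'keys_fingerprint' => "ALTER TABLE keys ADD fingerprint_sha256"
+		. " TEXT NOT NULL DEFAULT ''",
+	'keys_fingerprint_index' => "CREATE INDEX keys_i_fingerprint_sha256"
+		. " ON keys(fingerprint_sha256)",
+	'workers_fingerprint' => "ALTER TABLE workers ADD fingerprint_sha256"
+		. " TEXT NOT NULL DEFAULT ''",
+	'workers_fingerprint_index' => "CREATE INDEX workers_i_fingerprint_sha256"
+		. " ON workers(fingerprint_sha256)"
+);
+
 // Do not forget to add the new tables to statistics
 // This must be the last line
 $rg_sql_schema_ver = count($rg_sql_struct);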
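--- a/root/themes/default/admin/menu.html
+++ b/root/themes/default/admin/menu.html
@@ -2,6 +2,7 @@
 
 <div class="menu menu2">
 <ul>
+<li@@if(@@admin_menu::settings@@ == 1){{ class="selected"}}{{}}><a href="/op/admin/settings">Settings</a></li>
 <li@@if(@@admin_menu::plans@@ == 1){{ class="selected"}}{{}}><a href="/op/admin/plans">Plans</a></li>
 <li@@if(@@admin_menu::users@@ == 1){{ class="selected"}}{{}}><a href="/op/admin/users">Users</a></li>
 <li@@if(@@admin_menu::repos@@ == 1){{ class="selected"}}{{}}><a href="/op/admin/repos">Repos</a></li>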
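--- a/root/themes/default/admin/settings/load_err.html
+++ b/root/themes/default/admin/settings/load_err.html
@@ -0,0 +1,3 @@
+<div class="mess warning">
+Cannot load state; check the logs.
+</div>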
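--- a/root/themes/default/admin/settings/main.html
+++ b/root/themes/default/admin/settings/main.html
@@ -0,0 +1,23 @@
+<div class="formarea">
+
+<div class="formarea_title">SSH settings</div>
+
+@@errmsg@@
+
+<form method="post" action="/op/admin/settings/ssh">
+<input type="hidden" name="doit" value="1" />
+<input type="hidden" name="token" value="@@rg_form_token@@" />
+
+<p>
+<label for="AuthorizedKeysCommand">Activate OpenSSH's AuthorizedKeysCommand (see hints)</label><br />
+<select name="AuthorizedKeysCommand" id="AuthorizedKeysCommand">
+<option value="0"@@if(@@AuthorizedKeysCommand@@ == 0){{ selected="selected"}}>No (RocketGit will generate authorized_keys file)</option>
+<option value="1"@@if(@@AuthorizedKeysCommand@@ == 1){{ selected="selected"}}>Yes (you activated it in sshd_config)</option>
+</select>
+</p>
+
+<input type="submit" value="Update" />
+</form>
+</div>
+
+@@hints@@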
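--- a/root/themes/default/admin/settings/menu.html
+++ b/root/themes/default/admin/settings/menu.html
@@ -0,0 +1,5 @@
+<div class="menu menu3">
+<ul>
+<li@@if(@@admin_settings_menu::ssh@@ == 1){{ class="selected"}}{{}}><a href="/op/admin/settings/ssh">SSH</a></li>
+</ul>
+</div>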
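--- a/root/themes/default/admin/settings/ok.html
+++ b/root/themes/default/admin/settings/ok.html
@@ -0,0 +1,3 @@
+<div class="mess ok">
+Configuration has been successfully saved.
+</div>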
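--- a/root/themes/default/admin/settings/ssh/hints.html
+++ b/root/themes/default/admin/settings/ssh/hints.html
@@ -0,0 +1,15 @@
+<br />
+AuthorizedKeysCommand - Provides a faster way to authenticate users by ssh protocol.<br />
+If you choose 'Yes', RocketGit will not generate the authorized_keys
+file anymore; instead, it will provide a helper to OpenSSH that will look-up directly in
+the database the fingerprint provided by the user.<br />
+See 'man sshd_config' for more info.<br />
+Before choosing 'Yes', you must append to /etc/ssh/sshd_config file the following lines
+(use tab to indent):
+<div class="xcode">
+Match User rocketgit<br />
+&nbsp;&nbsp; AuthorizedKeysCommand /usr/sbin/rg_authorize %f<br />
+&nbsp;&nbsp; AuthorizedKeysCommandUser rocketgit<br />
+&nbsp;&nbsp; AuthenticationMethods publickey
+</div>
+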
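Review bot: The sshd_config snippet leaves out the file requirements sshd enforces for AuthorizedKeysCommand: the program must be owned by root and not writable by group or others, otherwise sshd refuses to run it and, since rg_keys_regen removes the authorized_keys file once 'Yes' is saved, nobody can log in over SSH. A line before the snippet such as `/usr/sbin/rg_authorize must be owned by root and not be group- or world-writable.<br />` would avoid that outage. It would also help to state explicitly that saving 'Yes' deletes the existing authorized_keys file, so the sshd_config change should be in place and tested with a real login before switching.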
File root/themes/default/invalid_menu.html copied from file root/themes/default/warning.html (similarity 70%) (mode: 100644) (index 58130bf..269ac4f)
1 1 <div class="mess warning"> <div class="mess warning">
2 @@msg@@
2 Invalid menu.
3 3 </div> </div>
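--- a/selinux/rocketgit.fc
+++ b/selinux/rocketgit.fc
@@ -17,3 +17,5 @@
 /usr/share/rocketgit/scripts(/.*)? -- gen_context(system_u:object_r:rocketgit_exec_t,s0)
 
 /usr/lib/systemd/system/rocketgit-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
+/usr/sbin/rg_authorize gen_context(system_u:object_r:rocketgit_worker_exec_t,s0)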
File selinux/rocketgit.te.tmpl changed (mode: 100644) (index 87bec49..6fe2153)
1 policy_module(rocketgit,1.0.112)
1 policy_module(rocketgit,1.0.114)
2 2
3 3 ######################################## ########################################
4 4 # #
 
... ... gen_require(`
14 14 type unconfined_t; type unconfined_t;
15 15 role unconfined_r; role unconfined_r;
16 16 type fs_t; type fs_t;
17 type sshd_t;
17 18 # next are for worker.sh # next are for worker.sh
18 19 #class dir mounton; #class dir mounton;
19 20 #class filesystem { getattr mount unmount }; #class filesystem { getattr mount unmount };
 
... ... optional_policy(`
57 58
58 59 # Force ssh to transition to rocketgit_t # Force ssh to transition to rocketgit_t
59 60 domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t) domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)
61 domain_auto_trans(sshd_t, rocketgit_exec_t, rocketgit_t)
62 # Allow rocketgit_t to send sigchld to sshd, else:
63 # type=AVC msg=audit(1478322111.327:1158923): avc: denied { sigchld } for pid=24506 comm="sshd" scontext=system_u:system_r:rocketgit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
64 # Not sure if this is the best way.
65 allow rocketgit_t sshd_t:process sigchld;
60 66
61 67 # Allow events.php to manage /home/rocketgit/.ssh # Allow events.php to manage /home/rocketgit/.ssh
62 68 userdom_manage_user_home_content(rocketgit_t) userdom_manage_user_home_content(rocketgit_t)
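Review bot: The new `domain_auto_trans(sshd_t, rocketgit_exec_t, rocketgit_t)` only fires for files labelled rocketgit_exec_t, but selinux/rocketgit.fc labels /usr/sbin/rg_authorize as rocketgit_worker_exec_t in this same commit, so unless a transition for that type exists outside the hunk, sshd would execute rg_authorize in sshd_t rather than rocketgit_t and the sigchld rule below would never apply. Either label the file `/usr/sbin/rg_authorize -- gen_context(system_u:object_r:rocketgit_exec_t,s0)` (the `--` also matches the file-type marker on the neighbouring .fc entries) or add `domain_auto_trans(sshd_t, rocketgit_worker_exec_t, rocketgit_t)`, whichever domain is intended. The `# Not sure if this is the best way.` remark would be more useful as a statement of why the rule is needed, e.g. `# sshd is the parent of the transitioned helper, so it must receive its SIGCHLD`, which the quoted AVC line supports.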
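--- a/tools/rg_authorize
+++ b/tools/rg_authorize
@@ -0,0 +1,62 @@
+#!/usr/bin/php
+<?php
+// This is called by SSH daemon to lookup a fingerprint
+error_reporting(E_ALL);
+ini_set('track_errors', 'On');
+set_time_limit(30);
+
+$_s = microtime(TRUE);
+
+require_once('/etc/rocketgit/config.php');
+
+$INC = $rg_scripts . '/inc';
+require_once($INC . '/init.inc.php');
+require_once($INC . '/log.inc.php');
+require_once($INC . '/sql.inc.php');
+require_once($INC . '/struct.inc.php');
+require_once($INC . '/cache.inc.php');
+require_once($INC . '/prof.inc.php');
+require_once($INC . '/keys.inc.php');
+require_once($INC . '/user.inc.php');
+require_once($INC . '/fixes.inc.php');
+
+
+rg_prof_start('MAIN');
+
+rg_log_set_file($rg_log_dir . '/authorize.log');
+rg_log_set_sid('000000'); // to spread the logs
+
+rg_sql_app('rg_authorize');
+$db = rg_sql_open($rg_sql);
+if ($db === FALSE) {
+	rg_log('Cannot connect to db!');
+	exit(1);
+}
+
+if ($_SERVER['argc'] != 2) {
+	rg_log('Invalid number of parameters (' . $_SERVER['argc'] . ')!');
+	rg_log_ml('argv: ' . print_r($_SERVER['argv'], TRUE));
+	exit(1);
+}
+
+$fp = trim($_SERVER['argv'][1]);
+if (strncmp($fp, 'SHA256:', 7) != 0) {
+	rg_log('Invalid fingerprint type: ' . $fp . '!');
+	exit(1);
+}
+$fp = substr($fp, 7);
+$fp = rtrim($fp, '=');
+
+$r = rg_keys_search_by_fingerprint($db, $fp);
+if ($r['ok'] !== 1) {
+	rg_log('Cannot lookup by fingerprint: ' . rg_keys_error());
+	exit(1);
+}
+rg_log('DEBUG: Found ' . count($r['list']) . ' key(s)');
+
+foreach ($r['list'] as $i)
+	echo rg_keys_output_line($i);
+
+rg_prof_end('MAIN');
+rg_prof_log();
+?>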
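Review bot: After the `SHA256:` prefix check nothing validates the fingerprint characters before they reach the lookup and the log; the query is parameterised, so this is defence in depth rather than an injection, but since sshd only ever passes a base64 digest here a character-class check is cheap: `if (!preg_match('/^[A-Za-z0-9+\/]+$/', $fp)) {` / `rg_log('Invalid fingerprint: ' . $fp . '!'); exit(1);` / `}` right after the `rtrim($fp, '=')` line. With `error_reporting(E_ALL)` and the CLI default of printing errors to stdout, any notice raised while loading the included files would be handed to sshd as if it were an authorized_keys line; `ini_set('display_errors', 'stderr');` near the top keeps stdout reserved for key lines. `rtrim($fp, '=')` assumes rg_keys_info stores the fingerprint without padding too, which this diff does not show; a one-line comment stating that assumption would help the next reader. `$_s = microtime(TRUE)` is assigned but never used in the script.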