Commit acc1d883 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Use lock file when add or remove keys from authorized_keys file

This prevents concurrent modification of authorized_keys file
Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent d8600696
...@@ -2,3 +2,4 @@ config.yml ...@@ -2,3 +2,4 @@ config.yml
tmp/* tmp/*
*.log *.log
/*.log.* /*.log.*
authorized_keys.lock
...@@ -36,13 +36,15 @@ class GitlabKeys ...@@ -36,13 +36,15 @@ class GitlabKeys
end end
def batch_add_keys def batch_add_keys
open(auth_file, 'a') do |file| lock do
stdin.each_line do |input| open(auth_file, 'a') do |file|
tokens = input.strip.split("\t") stdin.each_line do |input|
abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2 tokens = input.strip.split("\t")
key_id, public_key = tokens abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
$logger.info "Adding key #{key_id} => #{public_key.inspect}" key_id, public_key = tokens
file.puts(key_line(key_id, public_key)) $logger.info "Adding key #{key_id} => #{public_key.inspect}"
file.puts(key_line(key_id, public_key))
end
end end
end end
true true
...@@ -57,15 +59,17 @@ class GitlabKeys ...@@ -57,15 +59,17 @@ class GitlabKeys
end end
def rm_key def rm_key
$logger.info "Removing key #{@key_id}" lock do
Tempfile.open('authorized_keys') do |temp| $logger.info "Removing key #{@key_id}"
open(auth_file, 'r+') do |current| Tempfile.open('authorized_keys') do |temp|
current.each do |line| open(auth_file, 'r+') do |current|
temp.puts(line) unless line.include?("/bin/gitlab-shell #{@key_id}\"") current.each do |line|
temp.puts(line) unless line.include?("/bin/gitlab-shell #{@key_id}\"")
end
end end
temp.close
FileUtils.cp(temp.path, auth_file)
end end
temp.close
FileUtils.cp(temp.path, auth_file)
end end
true true
end end
...@@ -74,4 +78,20 @@ class GitlabKeys ...@@ -74,4 +78,20 @@ class GitlabKeys
open(auth_file, 'w') { |file| file.puts '# Managed by gitlab-shell' } open(auth_file, 'w') { |file| file.puts '# Managed by gitlab-shell' }
true true
end end
def lock(timeout = 10)
File.open(lock_file, "w+") do |f|
begin
f.flock File::LOCK_EX
Timeout::timeout(timeout) { yield }
ensure
f.flock File::LOCK_UN
end
end
end
def lock_file
@lock_file ||= File.join(ROOT_PATH, "authorized_keys.lock")
end
end end
...@@ -145,6 +145,42 @@ describe GitlabKeys do ...@@ -145,6 +145,42 @@ describe GitlabKeys do
end end
end end
describe :lock do
it "should raise exception if operation lasts more then timeout" do
key = GitlabKeys.new
expect do
key.send :lock, 1 do
sleep 2
end
end.to raise_error
end
it "should actually lock file" do
$global = ""
key = GitlabKeys.new
thr1 = Thread.new do
key.send :lock do
# Put bigger sleep here to test if main thread will
# wait for lock file released before executing code
sleep 1
$global << "foo"
end
end
# make sure main thread start lock command after
# thread above
sleep 0.5
key.send :lock do
$global << "bar"
end
thr1.join
$global.should == "foobar"
end
end
def build_gitlab_keys(*args) def build_gitlab_keys(*args)
argv(*args) argv(*args)
GitlabKeys.new GitlabKeys.new
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment