Commit d12d210f authored by Jacob Vosmaer's avatar Jacob Vosmaer

Manage authorized_keys permissions continuously

We can lazily create authorized_keys and set its permissions. This
adds negligible overhead and it allows us to remove a setup step from
GitLab both on source and in omnibus-gitlab.
parent c3cfebcf
...@@ -13,8 +13,6 @@ repository_storage_paths = ARGV ...@@ -13,8 +13,6 @@ repository_storage_paths = ARGV
commands = [ commands = [
%W(mkdir -p #{key_dir}), %W(mkdir -p #{key_dir}),
%W(chmod 700 #{key_dir}), %W(chmod 700 #{key_dir}),
%W(touch #{config.auth_file}),
%W(chmod 600 #{config.auth_file}),
] ]
repository_storage_paths.each do |repository_storage_path| repository_storage_paths.each do |repository_storage_path|
...@@ -34,7 +34,7 @@ class GitlabKeys ...@@ -34,7 +34,7 @@ class GitlabKeys
lock do lock do
$logger.info "Adding key #{@key_id} => #{@key.inspect}" $logger.info "Adding key #{@key_id} => #{@key.inspect}"
auth_line = @gitlab_key.key_line(@key_id, @key) auth_line = @gitlab_key.key_line(@key_id, @key)
open(auth_file, 'a') { |file| file.puts(auth_line) } open_auth_file('a') { |file| file.puts(auth_line) }
end end
true true
end end
...@@ -54,7 +54,7 @@ class GitlabKeys ...@@ -54,7 +54,7 @@ class GitlabKeys
def batch_add_keys def batch_add_keys
lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys
open(auth_file, 'a') do |file| open_auth_file('a') do |file|
stdin.each_line do |input| stdin.each_line do |input|
tokens = input.strip.split("\t") tokens = input.strip.split("\t")
abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2 abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
...@@ -74,7 +74,7 @@ class GitlabKeys ...@@ -74,7 +74,7 @@ class GitlabKeys
def rm_key def rm_key
lock do lock do
$logger.info "Removing key #{@key_id}" $logger.info "Removing key #{@key_id}"
open(auth_file, 'r+') do |f| open_auth_file('r+') do |f|
while line = f.gets do while line = f.gets do
next unless line.start_with?("command=\"#{@gitlab_key.command(@key_id)}\"") next unless line.start_with?("command=\"#{@gitlab_key.command(@key_id)}\"")
f.seek(-line.length, IO::SEEK_CUR) f.seek(-line.length, IO::SEEK_CUR)
...@@ -88,7 +88,7 @@ class GitlabKeys ...@@ -88,7 +88,7 @@ class GitlabKeys
end end
def clear def clear
open(auth_file, 'w') { |file| file.puts '# Managed by gitlab-shell' } open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' }
true true
end end
...@@ -107,6 +107,13 @@ class GitlabKeys ...@@ -107,6 +107,13 @@ class GitlabKeys
def lock_file def lock_file
@lock_file ||= auth_file + '.lock' @lock_file ||= auth_file + '.lock'
end end
def open_auth_file(mode)
open(auth_file, mode, 0600) do |file|
file.chmod(0600)
yield file
end
end
end end
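Review bot: `open_auth_file('r+')` in rm_key (hunk @@ -74) still raises Errno::ENOENT when authorized_keys is absent, because the 0600 perm argument added in open_auth_file is only honoured by modes that create the file ('a' and 'w' do, 'r+' does not), and the install step that previously touched the file is removed in this same commit. To keep the lazy-creation promise for every caller, either map that mode in the helper, e.g. `flags = mode == 'r+' ? File::RDWR | File::CREAT : mode` followed by `open(auth_file, flags, 0600) do |file|`, or have rm_key treat a missing file as nothing to remove. Separately, `open` here is Kernel#open, which interprets a path beginning with `|` as a command to run; `File.open` is the safer idiom for a path, though the spec in this commit stubs `:open` on the instance and would need the same change. Whether open_auth_file lands in the private section next to lock_file is not visible in the hunk.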
...@@ -80,7 +80,7 @@ describe GitlabKeys do ...@@ -80,7 +80,7 @@ describe GitlabKeys do
context "without file writing" do context "without file writing" do
before do before do
gitlab_keys.should_receive(:open).and_yield(mock(:file, puts: nil)) gitlab_keys.should_receive(:open).and_yield(mock(:file, puts: nil, chmod: nil))
end end
it "should log an add-key event" do it "should log an add-key event" do
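Review bot: The stubbed `open` in the before block accepts any arguments, so nothing in this context asserts the new 0600 creation mode that open_auth_file now passes; `gitlab_keys.should_receive(:open).with(anything, 'a', 0600).and_yield(mock(:file, puts: nil, chmod: nil))` would pin it. Likewise `chmod: nil` only makes the mock tolerate the call without checking its argument; a `should_receive(:chmod).with(0600)` expectation on the file mock would verify the permission the commit is meant to enforce. The enclosing describe block starts outside the hunk.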