Diffstat (limited to 'usr/src/pinyadmin/sbin')
-rwxr-xr-x | usr/src/pinyadmin/sbin/addaccess | 19 | ||||
-rwxr-xr-x | usr/src/pinyadmin/sbin/newrepo | 243 | ||||
-rwxr-xr-x | usr/src/pinyadmin/sbin/newuser | 129 | ||||
-rwxr-xr-x | usr/src/pinyadmin/sbin/rmaccess | 19 | ||||
-rwxr-xr-x | usr/src/pinyadmin/sbin/rmrepo | 64 |
5 files changed, 474 insertions, 0 deletions
diff --git a/usr/src/pinyadmin/sbin/addaccess b/usr/src/pinyadmin/sbin/addaccess
new file mode 100755
index 0000000..8d0cef9
--- /dev/null
+++ b/usr/src/pinyadmin/sbin/addaccess
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Piny;
+
+my $env = Piny::Environment->new( );
+
+my ( $reponame, @users ) = @ARGV;
+
+my $repo = Piny::Repo->new( $reponame );
+
+if ( $repo->owner->uid != $env->user->uid ) {
+ print "You are not the owner of that repo!\n";
+ exit( 3 );
+};
+
+$repo->add_access( map { Piny::User->new( $_ ) } @users );
diff --git a/usr/src/pinyadmin/sbin/newrepo b/usr/src/pinyadmin/sbin/newrepo
new file mode 100755
index 0000000..15bbde6
--- /dev/null
+++ b/usr/src/pinyadmin/sbin/newrepo
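Review bot: `my ( $reponame, @users ) = @ARGV;` is never validated, so invoking the script with no arguments hands an undef repo name to `Piny::Repo->new` and an empty list to `add_access`; what those do with undef is outside this diff, but the script should refuse with a usage message before touching anything, e.g. `die "Usage: addaccess REPONAME USER...\n" unless defined $reponame and @users;`. rmaccess in this same commit is line-for-line the same script with `remove_access` and has the same gap. Since the two differ in a single method call, the ownership check (`$repo->owner->uid != $env->user->uid`) would be better kept in one shared routine than copied into each sbin script.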
@@ -0,0 +1,243 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+my( $errorto ) = 'jrayhawk+piny.be@omgwallhack.org'; # Email address to send horrible errors to.
+my( $reponame, $email, @errors, $wikilisttempfile, $cgitrctempfile, $description );
+
+if ( ( ! scalar $ARGV[0] ) or ( scalar $ARGV[1] ) or ( $ARGV[0] !~ /^[a-z0-9][a-z0-9-]+$/ ) ) {
+ print( "Usage: newrepo REPONAME\n" );
+ print( " REPONAME must consist only of lower case letters (a-z), digits (0-9), and minus (-) signs.\n" );
+ print( " REPONAME must be at least two characters long and must start with an alphanumeric character.\n" );
+ exit( 1 );
+} else {
+ $reponame = $ARGV[0];
+};
+
+# We want to check to see if
+# 1) $reponame already exists in some form so we don't try to create it, and
+# 2) $reponame is only partially created, in which case we want to email someone who can sanity check and fix it.
+open (PASSWD, '/etc/passwd');
+while(<PASSWD>) {
+ if( $_ =~ /^$ENV{SUDO_USER}:.+?:.+?:.+?:(.+?):/ ) { $email = $1; }; # While we're here, may as well grab the email address.
+ if( $_ =~ /^ikiwiki-$reponame:/ ) { push( @errors, "user ikiwiki-$reponame already exists!\n"); };
+};
+close(PASSWD);
+open (GROUP, '/etc/group');
+while(<GROUP>) {
+ if( $_ =~ /^git-$reponame:/ ) { push( @errors, "group git-$reponame already exists!\n"); };
+};
+close(GROUP);
+if( -d "/srv/git/$reponame.git" ) { push( @errors, "/srv/git/$reponame.git already exists!\n"); };
+if( -d "/srv/ikiwiki/$reponame" ) { push( @errors, "/srv/ikiwiki/$reponame already exists!\n"); };
+if( -d "/srv/www/piny.be/$reponame" ) { push( @errors, "/srv/www/piny.svcs.cs.pdx.edu/$reponame already exists!\n"); };
+if( -d "/srv/www/secure.piny.be/repos/$reponame" ) { push( @errors, "/srv/www/cgi.piny.be/repos/$reponame already exists!\n"); };
+if( -f "/etc/ikiwiki/piny/$reponame.setup" ) { push( @errors, "/etc/ikiwiki/piny/$reponame.setup already exists!\n"); };
+if( -f "/etc/ikiwiki/wikilist.d/$reponame" ) { push( @errors, "/etc/ikiwiki/wikilist.d/$reponame already exists!\n"); };
+if( -f "/etc/apache2/piny-available/$reponame" ) { push( @errors, "/etc/apache2/piny-available/$reponame already exists!\n"); };
+if( -f "/etc/cgitrc.d/$reponame" ) { push( @errors, "/etc/cgitrc.d/$reponame already exists!\n"); };
+
+if( @errors ) {
+ if( @errors == 10 ) { # Everything's fine, nothing is broken
+ print( "$reponame already exists!\n" );
+ } else { # IT'S ARMAGEDDON
+ open ( MAIL, "|/usr/lib/sendmail -t" );
+ print( MAIL "To: $errorto\n" );
+ print( MAIL "From: newrepo\@piny.be\n" );
+ print( MAIL "Subject: Piny error: $ENV{SUDO_USER} found inconsistent $reponame in the creation process!\n" );
+ print( MAIL "MIME-Version: 1.0\n" );
+ print( MAIL "Content-Type: text/plain; charset=us-ascii\n" );
+ print( MAIL "\n" );
+ print( MAIL "@errors\n" );
+ close( MAIL );
+ print( "$reponame already exists but is in an inconsistent state! The Piny admins probably screwed up; they have been notified and will take a look at it.\n" );
+ };
+ exit( 2 );
+};
+
+while( 1 ) {
+
+ print( "Provide a one-line description to be used in repo listings, the shorter the better:\n" );
+ chomp( $description = <STDIN> );
+
+ if( $description !~ /^[\x{0020}-\x{FDCF}\x{FDF0}-\x{FFFD}]{1,80}$/ ) { # everything but control characters and unicode-defined non-characters
+ print( "Must be 1-80 characters long; control characters (including tab) not allowed.\n" );
+ next;
+ };
+
+ print( "Okay! Working, please wait...\n" );
+ last;
+
+};
+
+# CREATE USER/GROUPS
+unless( system( "mkdir /srv/git/$reponame.git" ) == 0 ) { # We need a locking or atomic operation as our first to check against simultaneous execution.
+ print( "Somebody else has created the same repo as you in the course of executing this program!\n" );
+ exit( 3 );
+};
+system( "/usr/sbin/addgroup --quiet git-$reponame" );
+system( "/usr/sbin/adduser --quiet --system --group --gecos $reponame ikiwiki-$reponame" );
+system( "/usr/sbin/adduser --quiet ikiwiki-$reponame git-$reponame | grep -v 'Adding user'" );
+system( "/usr/sbin/adduser --quiet $ENV{SUDO_USER} git-$reponame | grep -v 'Adding user '" );
+
+# CREATE REPO
+system( "GIT_DIR=/srv/git/$reponame.git /usr/bin/git init --template=/srv/git-template.git --quiet --shared" );
+open ( DESC, ">/srv/git/$reponame.git/description" );
+print( DESC "$description" );
+close( DESC );
+# ln -f post-receive /srv/git/$reponame.git/hooks/ # turn on e-mail commit notices
+system( "/bin/chown -R $ENV{SUDO_USER}.git-$reponame /srv/git/$reponame.git/" );
+system( "/bin/chown -R ikiwiki-$reponame.ikiwiki-$reponame /srv/git/$reponame.git/hooks/" );
+system( "/bin/touch /srv/git/$reponame.git/git-daemon-export-ok" );
+
+# WRITE IKIWIKI SETUP FILE
+open ( SETUP, ">/etc/ikiwiki/piny/$reponame.setup" );
+print( SETUP
+'#!/usr/bin/perl
+# Configuration file for ikiwiki.
+# Passing this to ikiwiki --setup will make ikiwiki generate wrappers and
+# build the wiki.
+#
+# Remember to re-run ikiwiki --setup any time you edit this file.
+
+use IkiWiki::Setup::Standard {
+ wikiname => \'' . $reponame . '\', # PINY
+ adminemail => \'' . $email . '\', # PINY
+ srcdir => \'/srv/ikiwiki/' . $reponame . '\', # PINY
+ destdir => \'/srv/www/piny.be/' . $reponame . '\', # PINY
+ url => \'http://piny.be/' . $reponame . '\', # PINY
+ cgiurl => \'https://secure.piny.be/repos/' . $reponame . '/ikiwiki.cgi\', # PINY
+ historyurl => \'https://secure.piny.be/cgit/' . $reponame . '/log/[[file]]\', # PINY
+ diffurl => \'https://secure.piny.be/cgit/' . $reponame . '/diff/?id=[[sha1_commit]]\', # PINY
+
+ templatedir => "/srv/templates",
+ underlaydir => "/etc/ikiwiki/share/underlay",
+
+ rcs => "git",
+ gitorigin_branch => "origin",
+ gitmaster_branch => "master",
+
+ wrappers => [
+ {
+ cgi => 1,
+ wrapper => \'/srv/www/secure.piny.be/repos/' . $reponame . '/ikiwiki.cgi\', # PINY
+ wrappermode => "06755",
+ wrappergroup => \'git-' . $reponame . '\', # PINY
+ },
+ {
+ wrapper => \'/srv/git/' . $reponame . '.git/hooks/post-update\', # PINY
+ wrappermode => "06755",
+ wrappergroup => \'git-' . $reponame . '\', # PINY
+
+ notify => 0,
+ },
+ ],
+
+ # Generate rss feeds for blogs?
+ rss => 1,
+ # Generate atom feeds for blogs?
+ atom => 0,
+ # Include discussion links on all pages?
+ discussion => 0,
+ # To exclude files matching a regexp from processing. This adds to
+ # the default exclude list.
+ #exclude => qr/*\.wav/,
+ # To change the extension used for generated html files.
+ #htmlext => "htm",
+ # Time format (for strftime)
+ #timeformat => "%c",
+ # Locale to use. Must be a UTF-8 locale.
+ #locale => "en_US.UTF-8",
+ # Only send cookies over SSL connections.
+ sslcookie => 1,
+ # Logging settings:
+ verbose => 0,
+ syslog => 1,
+ # To link to user pages in a subdirectory of the wiki.
+ #userdir => "users",
+ # To create output files named page.html rather than page/index.html.
+ usedirs => 1,
+ # Simple spam prevention: require an account-creation password.
+ #account_creation_password => "example",
+ # Use new "!"-prefixed preprocessor directive syntax
+ prefix_directives => 1,
+ httpauth => 1,
+ # To add plugins, list them here.
+ add_plugins => [qw{sidebar toc meta table tag graphviz httpauth img attachment rename remove autoindex map teximg version edittemplate}],
+ disable_plugins => [qw{openid passwordauth}],
+ teximg_prefix => \'\\documentclass{scrartcl}
+\\usepackage[version=3]{mhchem}
+\\usepackage{amsmath}
+\\usepackage{amsfonts}
+\\usepackage{amssymb}
+\\pagestyle{empty}
+\\newcommand{\unit}[1]{\\ensuremath{\\, \\mathrm{#1}}}
+\\begin{document}\',
+
+ teximg_dvipng => 1,
+
+ # For use with the tag plugin, make all tags be located under a
+ # base page.
+ tagbase => "tag",
+
+ # For use with the search plugin if your estseek.cgi is located
+ # somewhere else.
+ #estseek => "/usr/lib/estraier/estseek.cgi",
+}');
+close( SETUP );
+open ( WIKILIST, '>>/etc/ikiwiki/wikilist' );
+print( WIKILIST "ikiwiki-$reponame /etc/ikiwiki/piny/$reponame.setup\n" );
+close( WIKILIST );
+
+# WRITE APACHE CONFIG
+open ( APACHE, ">/etc/apache2/piny-available/$reponame" );
+print( APACHE '<Directory /srv/www/secure.piny.be/repos/' . $reponame . '>
+ AuthPAM_Enabled on
+ AuthGROUP_Enabled on
+ AuthPAM_FallThrough off
+ AuthBasicAuthoritative off
+ AuthType Basic
+ AuthName "User access to ' . $reponame . ' repository needed."
+ Require group git-' . $reponame . '
+</Directory>' );
+close( APACHE );
+link( "/etc/apache2/piny-available/$reponame", "/etc/apache2/piny-enabled/$reponame");
+system( '/etc/init.d/apache2 reload | grep -v "Reloading web server config: apache2."' );
+
+
+# CREATE IKIWIKI WORKING DIR
+system( "/usr/bin/git clone --quiet /srv/git/$reponame /srv/ikiwiki/$reponame" );
+mkdir( "/srv/www/piny.be/$reponame" );
+mkdir( "/srv/www/secure.piny.be/repos/$reponame" );
+system( "/bin/chown -R ikiwiki-$reponame /srv/ikiwiki/$reponame /srv/www/piny.be/$reponame /srv/www/secure.piny.be/repos/$reponame" );
+
+open ( WIKILIST, ">/etc/ikiwiki/wikilist.d/$reponame" ); # Maybe someday ikiwiki will support wikilist.d.
+print( WIKILIST "ikiwiki-$reponame /etc/ikiwiki/piny/$reponame.setup\n" ); # In the meantime, we fake it.
+close( WIKILIST );
+$wikilisttempfile = `/bin/mktemp`;
+chomp( $wikilisttempfile );
+chmod ( 0644, $wikilisttempfile );
+system( "/bin/cat /etc/ikiwiki/wikilist.d/* > $wikilisttempfile" );
+system( "/bin/mv $wikilisttempfile /etc/ikiwiki/wikilist" ); # This is marginally racy, but the consequences are probably ignorable.
+
+open ( CGITRC, ">/etc/cgitrc.d/$reponame" ); # Maybe someday cgit will support cgitrc.d.
+print( CGITRC # In the meantime, we fake it.
+"repo.url=$reponame
+repo.path=/srv/git/$reponame.git
+repo.desc=$description
+repo.owner=$email
+
+" ); # cgit already escapes HTML, so we don't need to do it on $description
+close( CGITRC );
+$cgitrctempfile = `/bin/mktemp`;
+chomp( $cgitrctempfile );
+chmod ( 0644, $cgitrctempfile );
+system( "/bin/cat /etc/cgitrc.d/* > $cgitrctempfile" );
+system( "/bin/mv $cgitrctempfile /etc/cgitrepos" ); # This is marginally racy, but the consequences are minor.
+
+# COMPILE
+system( "/usr/bin/sudo -u ikiwiki-$reponame /usr/bin/ikiwiki --setup /etc/ikiwiki/piny/$reponame.setup | grep -v 'successfully generated'" );
+
+print( "Web interface: http://piny.be/$reponame/\n" );
+print( "Repo information: https://secure.piny.be/cgit/$reponame/\n" );
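Review bot: The REPONAME check `$ARGV[0] !~ /^[a-z0-9][a-z0-9-]+$/` anchors with `$`, which also matches before a trailing newline, so a name ending in "\n" passes validation and is then interpolated unquoted into shell commands such as `system( "mkdir /srv/git/$reponame.git" )`, where the newline terminates the command and the rest runs separately; anchor with `\z` instead: `$ARGV[0] !~ /\A[a-z0-9][a-z0-9-]+\z/`. rmrepo in this commit has the identical pattern in its usage check. `$email`, taken from the GECOS field of /etc/passwd, is spliced into the generated setup file as a single-quoted Perl string (`adminemail => \'' . $email . '\'`) and into the cgitrc fragment with no escaping; if that field is user-editable on this host, a quote character there changes the generated Perl that ikiwiki later executes, so it should be validated or quoted before use. Every `open` in the file is two-argument, bareword and unchecked (e.g. `open ( SETUP, ">/etc/ikiwiki/piny/$reponame.setup" );`), so a failed write leaves a half-created repo without any message; `open my $setup, '>', "/etc/ikiwiki/piny/$reponame.setup" or die "open: $!";` per file would surface it.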
diff --git a/usr/src/pinyadmin/sbin/newuser b/usr/src/pinyadmin/sbin/newuser
new file mode 100755
index 0000000..e0b175b
--- /dev/null
+++ b/usr/src/pinyadmin/sbin/newuser
@@ -0,0 +1,129 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Email::Valid::Loose qw( );
+
+# If they passed any arguments, complain and exit.
+if ( scalar @ARGV ) {
+ print "You can't pass any arguments to this script!\n";
+ exit 2;
+};
+
+# If they didn't provide a terminal definition, then assume xterm.
+# Everybody emulates xterm to at least a basic extent.
+if ( not exists $ENV{"TERM"} ) {
+ $ENV{"TERM"} = "xterm";
+ print "I don't know what terminal you're using; guessing xterm...\n";
+};
+
+# Disable buffering.
+$|++;
+
+# Configure the strictness of our email checks.
+my $checker = Email::Valid::Loose->new
+ ( "-fqdn" => 1
+ , "-fudge" => 0
+ , "-local_rules" => 0
+ , "-mxcheck" => 1
+ , "-tldcheck" => 0
+ );
+
+my ( $email, $username, $password1, $password2 );
+
+while ( 1 ) {
+
+ print "Your email address: ";
+ chomp ( $email = <STDIN> );
+
+ if ( $email eq "" ) {
+ print "You must provide an email address!\n";
+ next;
+ };
+
+ $email = $checker->address( $email );
+ if ( not defined $email ) {
+ print "Please, at least pretend to provide a valid email address.\n";
+ next;
+ };
+
+ last;
+
+};
+
+while ( 1 ) {
+
+ print "Desired username: ";
+ chomp ( $username = <STDIN> );
+
+ if ( $username eq "" ) {
+ print "You have to enter a username!\n";
+ next;
+ };
+
+ if ( $username =~ /^git-|^ikiwiki-/ ) {
+ print "Your username cannot start with git- or ikiwiki-!\n";
+ next
+ };
+
+ if ( $username !~ /^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$/ ) {
+ print( "Usernames must consist only of letters, digits, underscores, periods, and dashes, and not start with a dash. Usernames are case sensitive.\n" );
+ next
+ };
+
+ last;
+
+};
+
+while ( 1 ) {
+
+ system( "stty", "-echo" );
+ print "Desired password: ";
+ chomp ( $password1 = <STDIN> );
+ print "\nRetype password: ";
+ chomp ( $password2 = <STDIN> );
+ print "\n";
+ system( "stty", "echo" );
+
+ if ( $password1 ne $password2 ) {
+ print "Provided passwords do not match; try again.\n";
+ next;
+ };
+
+ if ( $password1 eq "" ) {
+ print "You have to enter a password!\n";
+ next;
+ };
+
+ last;
+
+};
+
+my @saltchars =
+ ( 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
+ , 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
+ , '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'
+ , '.', '/'
+ );
+
+my $salt = "\$6\$";
+
+foreach my $n ( 1 .. 16 ) {
+ $salt .= $saltchars[int ( rand ( scalar @saltchars ) )];
+};
+
+$salt .= "\$";
+
+my $crypt = crypt( $password1, $salt );
+
+my $ret = system( "/usr/sbin/useradd", "-c", "$email", "-k", "/var/empty", "-g", "users", "-m", "-p", $crypt, "-s", "/usr/local/bin/pinyshell", $username );
+
+if ( $ret ) {
+ print "An error occured creating the user; most likely, that username is already taken.\n";
+ exit 1;
+};
+
+print "Your user has been created. Try logging in!\n";
+
+exit 0;
diff --git a/usr/src/pinyadmin/sbin/rmaccess b/usr/src/pinyadmin/sbin/rmaccess
new file mode 100755
index 0000000..f84fba0
--- /dev/null
+++ b/usr/src/pinyadmin/sbin/rmaccess
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Piny;
+
+my $env = Piny::Environment->new( );
+
+my ( $reponame, @users ) = @ARGV;
+
+my $repo = Piny::Repo->new( $reponame );
+
+if ( $repo->owner->uid != $env->user->uid ) {
+ print "You are not the owner of that repo!\n";
+ exit( 3 );
+};
+
+$repo->remove_access( map { Piny::User->new( $_ ) } @users );
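Review bot: Each input loop reads with `chomp ( $email = <STDIN> );` and then treats undef like an empty string, so on EOF (stdin closed or Ctrl-D) `$email eq ""` is true, `next` re-enters the loop and the script spins forever reprinting the prompt; the username and password loops behave the same way. Test for EOF and leave at each of the three read sites, e.g. `defined( $email = <STDIN> ) or exit 1; chomp $email;`. In the password loop `system( "stty", "-echo" )` is only undone on the normal path, so an interrupt between the two reads leaves the caller's terminal with echo off; a `local $SIG{INT}` handler or an `END` block that runs `stty echo` would cover that. Separately, the hash is passed on the useradd command line (`"-p", $crypt`), where it is visible in the process list for the duration of the call; if that matters here, setting the password afterwards through a pipe to `chpasswd -e` keeps it off argv.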
diff --git a/usr/src/pinyadmin/sbin/rmrepo b/usr/src/pinyadmin/sbin/rmrepo
new file mode 100755
index 0000000..864830f
--- /dev/null
+++ b/usr/src/pinyadmin/sbin/rmrepo
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+my( $reponame, $uid, $gitowner, $wikilisttempfile, $cgitrctempfile);
+
+if ( ( ! scalar $ARGV[0] ) or ( scalar $ARGV[1] ) or ( $ARGV[0] !~ /^[a-z0-9][a-z0-9-]+$/ ) ) {
+ print( "Usage: rmrepo REPONAME\n" );
+ exit( 1 );
+} else {
+ $reponame = $ARGV[0];
+};
+
+open (PASSWD, '/etc/passwd');
+while(<PASSWD>) {
+ if( $_ =~ /^$ENV{SUDO_USER}:.+?:(.+?):/ ) { $uid = $1; }; # grabbing uid.
+};
+close(PASSWD);
+
+unless( -d "/srv/git/$reponame.git" ) {
+ print( "/srv/git/$reponame.git doesn't exist!\n" );
+ exit( 2 );
+};
+
+$gitowner = (stat "/srv/git/$reponame.git")[4];
+
+if( ( $gitowner != $uid ) and ( $gitowner != 65534 ) ) {
+ print( "$reponame is not owned by you!\n" );
+ exit( 3 );
+};
+
+# We have to be careful about how we delete things; we don't want have post-update or ikiwiki.cgi thrashing, and we REALLY don't want to leave remappable owner UIDs around, but we're also keying security on /srv/git/$reponame
+system( "/bin/chown -R nobody.nogroup /srv/git/$reponame.git" );
+
+unlink( "/etc/ikiwiki/wikilist.d/$reponame" );
+$wikilisttempfile = `/bin/mktemp`;
+chomp ( $wikilisttempfile );
+chmod ( 0644, $wikilisttempfile );
+system( "/bin/cat /etc/ikiwiki/wikilist.d/* > $wikilisttempfile" );
+system( "/bin/mv $wikilisttempfile /etc/ikiwiki/wikilist" ); # This is marginally racy, but the consequences are probably ignorable.
+
+unlink( "/etc/cgitrc.d/$reponame" );
+$cgitrctempfile = `/bin/mktemp`;
+chomp ( $cgitrctempfile );
+chmod ( 0644, $cgitrctempfile );
+system( "/bin/cat /etc/cgitrc.d/* > $cgitrctempfile" );
+system( "/bin/mv $cgitrctempfile /etc/cgitrepos" ); # This is marginally racy, but the consequences are probably ignorable.
+
+system( "/bin/rm -r /srv/www/piny.be/$reponame" );
+system( "/bin/rm -r /srv/www/secure.piny.be/repos/$reponame" );
+
+unlink( "/etc/ikiwiki/piny/$reponame.setup" );
+system( "/bin/rm -r /srv/ikiwiki/$reponame" );
+
+unlink( "/etc/apache2/piny-available/$reponame" );
+unlink( "/etc/apache2/piny-enabled/$reponame" );
+system( '/etc/init.d/apache2 reload | grep -v "Reloading web server config: apache2."' );
+
+system( "/usr/sbin/delgroup --quiet git-$reponame" );
+system( "/usr/sbin/deluser --quiet --remove-home ikiwiki-$reponame" );
+system( "/usr/sbin/delgroup --quiet ikiwiki-$reponame" );
+
+system( "/bin/rm -rf /srv/git/$reponame.git" );
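Review bot: `$uid` stays undef when `$ENV{SUDO_USER}` is unset or has no /etc/passwd line, and `( $gitowner != $uid )` then numifies undef to 0 (a warning, not an error), so the ownership gate passes for any repository directory owned by root; it should fail closed before reaching the `chown -R nobody.nogroup` and `rm -rf` steps. `getpwnam` does the lookup without hand-parsing the file and removes the unescaped `$ENV{SUDO_USER}` interpolation in the regex, where a `.` in the username matches more than intended: `defined $ENV{SUDO_USER} and defined( $uid = getpwnam( $ENV{SUDO_USER} ) ) or die "cannot resolve SUDO_USER\n";`. The `$gitowner != 65534` branch that lets any caller finish removing an already-orphaned repo is explained by the comment above the chown, so I would keep it but note it there explicitly as intentional.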