From 8efa5148fad4266d573ab4d488801abc7c83cd6f Mon Sep 17 00:00:00 2001 From: "jrayhawk+piny.be@omgwallhack.org" Date: Thu, 3 Feb 2011 02:07:18 -0800 Subject: Rough stab at hmacing newuser.cgi --- pinyweb/cgi-bin/newuser.cgi | 49 +++++++++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 13 deletions(-) diff --git a/pinyweb/cgi-bin/newuser.cgi b/pinyweb/cgi-bin/newuser.cgi index 90c2d59..7763f67 100755 --- a/pinyweb/cgi-bin/newuser.cgi +++ b/pinyweb/cgi-bin/newuser.cgi 
@@ -13,19 +13,42 @@ $q = CGI->new; print( "Content-type: text/plain\n\n" ); -if( $q->param('n') && $q->param('a') && $q->param('p') ) { - unless( open2( OUT, IN, '/usr/bin/sudo', '/usr/sbin/newuser', '--batch', $q->param('a'), $q->param('n') ) ) { - print 'could not execute newrepo'; - die; - }; - # make things flushier - select((select(IN), $| = 1)[0]); - select((select(OUT), $| = 1)[0]); - print( IN $q->param('p') . "\n" ); - close( IN ); - while( ) { - print; +if( $q->param("n") && $q->param("a") && $q->param("p") ) { + if ( $q->param("h") && $q->param("h") eq "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ) { + unless( open2( OUT, IN, "/usr/bin/sudo", "/usr/sbin/newuser", "--batch", $q->param("a"), $q->param("n") ) ) { + print "could not execute newrepo"; + die; + }; + # make things flushier + select((select(IN), $| = 1)[0]); + select((select(OUT), $| = 1)[0]); + print( IN $q->param("p") . "\n" ); + close( IN ); + while( ) { + print; + }; + } else { # No hash, they need one sent to their address + print( "Dispatching email to " . $q->param("a") . "...\n" ); + unless( open( MAIL, "|/usr/lib/sendmail -t" ) ) { + print "could not execute sendmail"; + die; + }; + print( MAIL "To: " . $q->param("a") . "\n" ); + print( MAIL "Subject: Verifying account " . $q->param("n") . "\n" ); + print( MAIL "Content-Type: text/plain; charset=us-ascii\n\n" ); + print( MAIL "http" ); + if( $ENV{"HTTPS"} eq "on" ) { + print( MAIL "s" ); + }; + print( MAIL "://" . $ENV{"SERVER_NAME"} . $ENV{"SCRIPT_NAME"} . "?" ); + print( MAIL "h=" . "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ); + print( MAIL "&n=" . $q->param("n") ); + print( MAIL "&a=" . $q->param("a") ); + print( MAIL "&p=" . $q->param("p") ); + print( MAIL "\n"); + close( MAIL ); + print( "Done!" ); }; } else { - print 'Missing parameters.'; + print( "Missing parameters." ); }; -- cgit v1.2.3 From da6e245112270694be287e0aa019fc44d3486f7f Mon Sep 17 00:00:00 2001 
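Review bot: The `a` and `n` parameters are written verbatim into the `To:` and `Subject:` headers of a `sendmail -t` pipe, so a value containing CR/LF injects further headers (a `Bcc:` to an attacker, for instance) and the presence check at the top of the hunk does nothing to stop it; reject such input before the mail branch, e.g. `die "bad parameter" if grep { /[\r\n]/ } $q->param("n"), $q->param("a"), $q->param("p");`, and ideally apply the same address rules `/usr/sbin/newuser` enforces. The same raw values are concatenated into the verification link without URL-encoding, so `&`, `+` or `%` in any of them corrupts the round trip — wrap each in `CGI::escape( ... )`. The link also carries the cleartext password in a GET query string, which lands in the mail and in the web server's access log; keeping the password server-side (or re-prompting on confirmation) would avoid that. The `could not execute newrepo` message in the error branch looks copied from the repo script and should name `newuser`.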
From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 21:11:42 -0700 Subject: Better handling for empty config entries. --- libpiny/lib/Piny/Config.pm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libpiny/lib/Piny/Config.pm b/libpiny/lib/Piny/Config.pm index 718af5c..7ba1fd5 100644 --- a/libpiny/lib/Piny/Config.pm +++ b/libpiny/lib/Piny/Config.pm @@ -107,6 +107,10 @@ sub _build__conf { }; + foreach my $key ( keys %$conf ) { + $conf->{$key} = "" unless defined $conf->{$key}; + }; + return $conf; }; -- cgit v1.2.3 From babfac96492ef68d51110f6dd5f74eb7362070b8 Mon Sep 17 00:00:00 2001 From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 21:11:57 -0700 Subject: Backend support for user configs. --- libpiny/lib/Piny/Config.pm | 4 ++++ libpiny/lib/Piny/User.pm | 33 ++++++++++++++++++++++++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/libpiny/lib/Piny/Config.pm b/libpiny/lib/Piny/Config.pm index 7ba1fd5..535df33 100644 --- a/libpiny/lib/Piny/Config.pm +++ b/libpiny/lib/Piny/Config.pm @@ -208,6 +208,7 @@ sub tweakable { # The tweakables +# Repo-specific tweakables, in the repos' .git/config files. tweakable "piny_ikiwikidestdir" => "/srv/www/piny.be/", 'PathDir'; tweakable "piny_ikiwikisrcdir" => "/srv/ikiwiki/", 'PathDir'; tweakable "piny_ikiwikiurl" => "http://piny.be/", 'HttpUrl'; @@ -215,6 +216,9 @@ tweakable "piny_ikiwikisecureurl" => "https://secure.piny.be/", 'HttpsUrl' tweakable "piny_ikiwikisecurepath" => "/srv/www/secure.piny.be/", 'PathDir'; tweakable "receive_denynonfastforwards" => "true", 'GitBool'; +# User-specific tweakables, in the users' ~/.gitconfig files. +tweakable "user_email" => undef, 'Maybe[Str]'; + # Moose boilerplate __PACKAGE__->meta->make_immutable; diff --git a/libpiny/lib/Piny/User.pm b/libpiny/lib/Piny/User.pm index 6267ecb..aa01ba7 100644 --- a/libpiny/lib/Piny/User.pm +++ b/libpiny/lib/Piny/User.pm 
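Review bot: The new loop in `_build__conf` turns every undefined entry into `""`, yet the `user_email` tweakable added further down the same line is declared `Maybe[Str]` with an `undef` default, so the two hunks disagree on whether a missing value is `undef` or the empty string, and a caller testing `defined` will not treat an empty `user.email` as missing (assuming the tweakable reads through `_conf`, which this hunk does not show). Either exempt such tweakables from the coercion or document the convention on the loop, e.g. `# Valueless entries are stored as "" so _conf stays HashRef[Str]; callers must test length, not definedness.` A `Str`-typed default (`""`) for `user_email` would then match the storage.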
@@ -10,6 +10,7 @@ use Moose; use Moose::Util::TypeConstraints; use MooseX::StrictConstructor; +use Piny::Config; use Piny::Email; use Piny::Group; @@ -49,6 +50,20 @@ has 'password_hash' => , init_arg => undef ); +has 'home' => + ( is => 'ro' + , isa => 'Path' + , lazy_build => 1 + , init_arg => undef + ); + +has 'config' => + ( is => 'ro' + , isa => 'Piny::Config' + , lazy_build => 1 + , init_arg => undef + ); + has 'email' => ( is => 'ro' , isa => 'Piny::Email' @@ -180,10 +195,26 @@ sub _build_password_hash { return $s->pwent( )->[1]; }; +sub _build_home { + my ( $s ) = @_; + + return $s->pwent( )->[7]; +}; + +sub _build_config { + my ( $s ) = @_; + + return Piny::Config->new( confpath => $s->home . "/.gitconfig" ); +}; + sub _build_email { my ( $s ) = @_; - return Piny::Email->new( address => $s->pwent( )->[6] ); + if ( not defined $s->config->user_email ) { + die "You must provide a user.email attribute in your .gitconfig!"; + }; + + return Piny::Email->new( address => $s->config->user_email ); }; sub _build_groups { -- cgit v1.2.3 From f14aee049e7363e40dd817691aa8fb64c2f450e1 Mon Sep 17 00:00:00 2001 From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 21:13:01 -0700 Subject: Revert "Attempt to fix parsing of empty strings in config options" This reverts commit f6f2473d1a32f23c56148cb032a29734d35cdc00. --- libpiny/lib/Piny/Config.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpiny/lib/Piny/Config.pm b/libpiny/lib/Piny/Config.pm index 30bb052..535df33 100644 --- a/libpiny/lib/Piny/Config.pm +++ b/libpiny/lib/Piny/Config.pm @@ -55,7 +55,7 @@ has 'confpath' => has '_conf' => ( is => 'ro' - , isa => 'HashRef[Maybe[Str]]' + , isa => 'HashRef[Str]' , lazy_build => 1 , clearer => 'clear_conf' , init_arg => undef -- cgit v1.2.3 From ff8b5180562a90f5f44447c627f86ab60467f55e Mon Sep 17 00:00:00 2001 
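Review bot: `_build_email` rejects only an undefined `user_email`, but the `Piny::Config` change earlier in this series stores valueless entries as `""`, so a `[user]` section with an empty `email =` slips past the check and `Piny::Email->new( address => "" )` becomes the only line of defence; tighten it to `if ( not defined $s->config->user_email or not length $s->config->user_email ) {`. The commit also moves the address of record from the passwd gecos field to `~/.gitconfig`, a file the user rewrites at will, so whatever validation `Piny::Email` performs is now all that stands between user input and the address the rest of the system mails to — worth a comment on `_build_config` stating that the file is user-controlled. `_build_home` returns slot 7 of `getpwnam`, the home directory, which is correct.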
From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 21:41:14 -0700 Subject: Create .gitconfig for new users. --- pinyadmin/sbin/newuser | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pinyadmin/sbin/newuser b/pinyadmin/sbin/newuser index e38e791..ef61cd7 100755 --- a/pinyadmin/sbin/newuser +++ b/pinyadmin/sbin/newuser @@ -5,6 +5,8 @@ use warnings; use Email::Valid::Loose qw( ); +use Piny::User; + my ( $email, $username, $password ); # Configure the strictness of our email checks. @@ -147,6 +149,17 @@ if ( $ret ) { exit 1; }; +my $u = Piny::User->new( $username ); + +open( GITCONFIG, ">", $u->home . "/.gitconfig" ) or die "Could not open .gitconfig for new user: $!\n"; +print GITCONFIG <uid, $u->group->gid, $u->home . "/.gitconfig" ); + print "Your user has been created. Try logging in!\n"; exit 0; -- cgit v1.2.3 From d2977669bb388de0a991af6548427e896550e646 Mon Sep 17 00:00:00 2001 From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 21:49:06 -0700 Subject: Allow changes to .gitconfig using pinyconfig interface. --- pinyadmin/sbin/pinyconfig | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/pinyadmin/sbin/pinyconfig b/pinyadmin/sbin/pinyconfig index f6752db..4b6f84b 100755 --- a/pinyadmin/sbin/pinyconfig +++ b/pinyadmin/sbin/pinyconfig 
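Review bot: The `.gitconfig` write is only checked at `open`: there is no `close( GITCONFIG ) or die`, and the `chown` return value is ignored, so a write failure or a failed ownership change still ends with "Your user has been created" and leaves a truncated or root-owned file in the new home; add `close( GITCONFIG ) or die "Could not write .gitconfig: $!\n";` and `chown( ... ) or die "Could not chown .gitconfig: $!\n";`. The heredoc body is not legible in this rendering, so its contents are not reviewed here. Since this script runs under sudo and `open` with `>` follows symlinks, a one-line comment noting that the home directory was created moments earlier by this same script (and is therefore not yet user-writable) would record why that is acceptable — the argument would not hold for a pre-existing home.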
@@ -8,30 +8,36 @@ use Piny; my ( $reponame, $attr, $value ) = @ARGV; if ( not defined $reponame or not defined $attr ) { - die "Usage: $0 reponame tweakable [value]\n"; + die "Usage: $0 reponame|--user tweakable [value]\n"; }; $attr = lc $attr; $attr =~ s/\./_/g; -my $repo = Piny::Repo->new( $reponame ); +my $config; + +if ( $repo eq "--user" ) { + $config = Piny::Environment->instance->user->config; +} else { + $config = Piny::Repo->new( $reponame )->config; +}; if ( defined $value ) { undef $@; eval { - $repo->config->$attr( $value ); + $config->$attr( $value ); }; if ( $@ ) { print STDERR "$attr is not a legal tweakable, or $value is not a legal value for that tweakable.\n$@\n"; }; - if ( $value ne $repo->config->$attr ) { + if ( $value ne $config->$attr ) { print STDERR "Failed to set $attr (perhaps an override is in place)\n"; }; }; undef $@; eval { - print "$attr = " . $repo->config->$attr . "\n"; + print "$attr = " . $config->$attr . "\n"; }; if ( $@ ) { print STDERR "$attr is not a legal tweakable, or its current value is illegal.\n$@\n"; -- cgit v1.2.3 From b5609ce3f6b3d40f1fc55e8bedc66e50fcf3f686 Mon Sep 17 00:00:00 2001 From: "jrayhawk+piny.be@omgwallhack.org" Date: Wed, 20 Apr 2011 22:19:33 -0700 Subject: Robustifying rebuildrepo to tolerate foreign-created repositories somewhat better. --- libpiny/lib/Piny/Repo.pm | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libpiny/lib/Piny/Repo.pm b/libpiny/lib/Piny/Repo.pm index 17142ed..7818463 100644 --- a/libpiny/lib/Piny/Repo.pm +++ b/libpiny/lib/Piny/Repo.pm 
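Review bot: `$attr` comes straight from `@ARGV` (lower-cased, dots to underscores) and is then used as a method name on the Moose config object in both branches, so anything callable on `Piny::Config` — `confpath`, `clear_conf`, `meta` — is reachable through `pinyconfig`, not only the declared tweakables; the pattern predates this commit, but the new `--user` branch extends it to a second object. Validate it before the `eval` against the set registered through `tweakable` in `Piny::Config` (the registration helper exists; a lookup for it is not visible here), or at minimum `die "Not a tweakable: $attr\n" unless $attr =~ /\A[a-z][a-z0-9_]*\z/;`. The `$value ne $config->$attr` comparison also runs after the `eval` has already failed, producing two messages for one bad attribute; `exit 1` after the first error.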
@@ -203,6 +203,17 @@ sub has_access { sub rebuild { my ( $s ) = @_; + unless( getgrnam("git-" . $s->name ) ) { + system( "/usr/sbin/addgroup", "--quiet", "git-" . $s->name ) and die "Could not create repo group!"; + system( "/usr/sbin/adduser", "--quiet", $s->owner->name, "git-" . $s->name ) and die "Could not add you to the repo group!"; + system( "/usr/sbin/adduser", "--quiet", "ikiwiki-" . $s->name, "git-" . $s->name ) and print "...But that's probably okay.\n"; + }; + + unless( getpwnam("ikiwiki-" . $s->name ) ) { + system( "/usr/sbin/adduser", "--quiet", "--system", "--group", "--gecos", $s->name, "ikiwiki-" . $s->name ) and die "Could not create ikiwiki user!"; + system( "/usr/sbin/adduser", "--quiet", "ikiwiki-" . $s->name, "git-" . $s->name ) and die "Could not add ikiwiki user to the repo group!"; + }; + my $ikiuser = Piny::User::IkiWiki->new( "name" => "ikiwiki-" . $s->name ); foreach( "git-daemon-export-ok", "packed-refs" ) { @@ -210,7 +221,7 @@ sub rebuild { close( TOUCH ); }; - foreach( "info", "logs" ) { + foreach( "info", "logs", "branches" ) { (-e $s->path . "/" . $_) or mkdir( $s->path . "/" . $_ ) or die "Could not mkdir $_ for repo: $!"; }; 
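Review bot: In the new group-creation block the third `adduser` call adds `ikiwiki-<name>` to the repo group before the block below has created that user, so on a first rebuild it always fails and prints "...But that's probably okay." instead of doing anything; since the ikiwiki-user block adds the membership itself after creating the user, drop that line or move the user creation above the group block. The `die` messages discard `$?`, so a failed `addgroup`/`adduser` leaves no clue as to why; `and die "Could not create repo group: exit " . ( $? >> 8 )` is cheap. Group and user names are built from `$s->name` with no check visible in this hunk — presumably validated where the repo object is constructed, but a comment saying so would help.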
@@ -226,7 +237,12 @@ sub rebuild { print SETUP $s->ikiwiki_setup; close( SETUP ) or die "Could not close new ikiwiki setup file: $!"; - system( "/bin/chown", "-R", $ikiuser->name . "." . $ikiuser->name, $s->ikiwiki_srcdir, $s->ikiwiki_destdir, $s->secure_path ) and die "Could not change ownership of ikiwiki directories!"; + system( "/usr/bin/git", "clone", "--quiet", $s->path, $s->ikiwiki_srcdir ) and die "Could not clone repo to ikiwiki srcdir!"; + + foreach( $ikiuser->name, $s->ikiwiki_srcdir, $s->ikiwiki_destdir, $s->secure_path ) { + unless( -d $_ ) { mkdir( $_ ) }; + system( "/bin/chown", "-R", $ikiuser->name . ".", $_ ) and die "Could not change ownership of ikiwiki directories!"; + }; open( WIKILIST, ">", "/etc/ikiwiki/wikilist.d/" . $s->name ) or die "Could not create wikilist.d file: $!"; print WIKILIST $ikiuser->name . " /etc/ikiwiki/piny/" . $s->name . ".setup\n"; -- cgit v1.2.3 From 156639106697e3ed028e7a6df1bc6dc6d4a47b1c Mon Sep 17 00:00:00 2001 From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 22:28:13 -0700 Subject: joe is a whiny baby who wants a better error message. --- libpiny/lib/Piny/User.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpiny/lib/Piny/User.pm b/libpiny/lib/Piny/User.pm index aa01ba7..780a698 100644 --- a/libpiny/lib/Piny/User.pm +++ b/libpiny/lib/Piny/User.pm @@ -211,7 +211,7 @@ sub _build_email { my ( $s ) = @_; if ( not defined $s->config->user_email ) { - die "You must provide a user.email attribute in your .gitconfig!"; + die "You must provide a user.email attribute in your .gitconfig!\nPlease run pinyconfig --user user.email your\@email.com"; }; return Piny::Email->new( address => $s->config->user_email ); -- cgit v1.2.3 From d7a522d4e85c88b9f8068b9d0a0ede271b382295 Mon Sep 17 00:00:00 2001 
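Review bot: The ownership loop iterates over `$ikiuser->name` alongside three directory paths, so for the user name it runs `mkdir( "ikiwiki-<name>" )` relative to whatever the current working directory is and then `chown -R` on that — almost certainly the user's home directory was meant, and as written it either creates a stray directory or silently fails, since `mkdir`'s result is not checked. Replace the first list element with the intended path and check the call: `mkdir( $_ ) or die "Could not mkdir $_: $!";`. Recursive `chown` as root over trees the ikiwiki user can write is a well-known symlink hazard; if it must stay, `-h`/`--no-dereference` plus a comment justifying the recursion would be prudent (I cannot see from here whether the target user can write these trees at this point).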
From: "jrayhawk+piny.be@omgwallhack.org" Date: Wed, 20 Apr 2011 22:30:18 -0700 Subject: Use the right variable name so pinyconfig actually compiles --- pinyadmin/sbin/pinyconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinyadmin/sbin/pinyconfig b/pinyadmin/sbin/pinyconfig index 4b6f84b..e78cf3c 100755 --- a/pinyadmin/sbin/pinyconfig +++ b/pinyadmin/sbin/pinyconfig @@ -16,7 +16,7 @@ $attr =~ s/\./_/g; my $config; -if ( $repo eq "--user" ) { +if ( $reponame eq "--user" ) { $config = Piny::Environment->instance->user->config; } else { $config = Piny::Repo->new( $reponame )->config; -- cgit v1.2.3 From 43e46e947e0fda3e768302354e29d004da4a061b Mon Sep 17 00:00:00 2001 From: "jrayhawk+piny.be@omgwallhack.org" Date: Wed, 20 Apr 2011 22:37:34 -0700 Subject: Fix rebuildrepo to work with existing Ikiwiki directories. --- libpiny/lib/Piny/Repo.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libpiny/lib/Piny/Repo.pm b/libpiny/lib/Piny/Repo.pm index 7818463..cfa73bd 100644 --- a/libpiny/lib/Piny/Repo.pm +++ b/libpiny/lib/Piny/Repo.pm @@ -237,7 +237,9 @@ sub rebuild { print SETUP $s->ikiwiki_setup; close( SETUP ) or die "Could not close new ikiwiki setup file: $!"; - system( "/usr/bin/git", "clone", "--quiet", $s->path, $s->ikiwiki_srcdir ) and die "Could not clone repo to ikiwiki srcdir!"; + unless( -d $s->ikiwiki_srcdir ) { + system( "/usr/bin/git", "clone", "--quiet", $s->path, $s->ikiwiki_srcdir ) and die "Could not clone repo to ikiwiki srcdir!"; + }; foreach( $ikiuser->name, $s->ikiwiki_srcdir, $s->ikiwiki_destdir, $s->secure_path ) { unless( -d $_ ) { mkdir( $_ ) }; -- cgit v1.2.3 From 5693d353d000673f49b83e77b29eb1321a300441 Mon Sep 17 00:00:00 2001 From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 22:59:08 -0700 Subject: introduce some semblance of security for the newuser cgi. --- pinyweb/cgi-bin/newuser.cgi | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
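Review bot: The `-d` guard skips the clone when the srcdir exists but makes no attempt to verify that it is a checkout of this repository or to bring it up to date, so a stale or foreign directory (or a symlink to one, which `-d` also accepts) is silently handed on to the ownership loop; test for the clone itself, e.g. `unless ( -d $s->ikiwiki_srcdir . "/.git" ) {`, and die rather than fall through when the directory exists without it. If the intent is that existing checkouts are refreshed by a later step, a comment on the guard should say so.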
diff --git a/pinyweb/cgi-bin/newuser.cgi b/pinyweb/cgi-bin/newuser.cgi index 7763f67..4f1263b 100755 --- a/pinyweb/cgi-bin/newuser.cgi +++ b/pinyweb/cgi-bin/newuser.cgi @@ -9,12 +9,19 @@ use CGI; use IPC::Open2; +use Piny::Auth; + $q = CGI->new; print( "Content-type: text/plain\n\n" ); if( $q->param("n") && $q->param("a") && $q->param("p") ) { - if ( $q->param("h") && $q->param("h") eq "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ) { + + my $auth = Piny::Auth->new( ); + + my $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $q->param( "p" ) } ); + + if ( $q->param("h") && $q->param("h") eq $code ) { unless( open2( OUT, IN, "/usr/bin/sudo", "/usr/sbin/newuser", "--batch", $q->param("a"), $q->param("n") ) ) { print "could not execute newrepo"; die; @@ -41,7 +48,7 @@ if( $q->param("n") && $q->param("a") && $q->param("p") ) { print( MAIL "s" ); }; print( MAIL "://" . $ENV{"SERVER_NAME"} . $ENV{"SCRIPT_NAME"} . "?" ); - print( MAIL "h=" . "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ); + print( MAIL "h=" . $code ); print( MAIL "&n=" . $q->param("n") ); print( MAIL "&a=" . $q->param("a") ); print( MAIL "&p=" . $q->param("p") ); -- cgit v1.2.3 From a1a447406787efa2567b403334eb0031a7c45ad2 Mon Sep 17 00:00:00 2001 From: "jrayhawk+piny.be@omgwallhack.org" Date: Wed, 20 Apr 2011 23:15:07 -0700 Subject: Make libpiny.key readable by www-data --- libpiny/debian/libpiny-perl.postinst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libpiny/debian/libpiny-perl.postinst b/libpiny/debian/libpiny-perl.postinst index 065289a..aa38007 100755 --- a/libpiny/debian/libpiny-perl.postinst +++ b/libpiny/debian/libpiny-perl.postinst @@ -7,8 +7,9 @@ case "$1" in configure) if [ ! -f /etc/libpiny.key ]; then - umask 0177 + umask 0137 dd if=/dev/urandom of=/etc/libpiny.key bs=512 count=1 + chgrp www-data /etc/libpiny.key fi ;; -- cgit v1.2.3 From 7663a27030cbcd138fd2c9e7b324e314fb1f7d4c Mon Sep 17 00:00:00 2001 
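Review bot: The verification code is a keyed hash over exactly the fields the link already carries (`n`, `a`, `p`) and nothing else, so it is deterministic, never expires and can be replayed by anyone who sees the mail or the access log; include a timestamp (or a server-side nonce) in the hashed payload and in the URL, and refuse codes older than a window. `$q->param("h") eq $code` is a short-circuiting string compare rather than a constant-time one; compare lengths and then fold the XOR of every byte pair into a single flag before deciding. The header-injection and cleartext-password-in-URL issues from the earlier version of this file are untouched by this change, and the whole scheme depends on `Piny::Auth` reading a secret the CGI user can open — a comment at the `use Piny::Auth` line naming that requirement would save the next person a puzzled install.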
From: "jrayhawk+piny.be@omgwallhack.org" Date: Wed, 20 Apr 2011 23:57:59 -0700 Subject: Hard-coding gid for newuser --- pinyadmin/sbin/newuser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pinyadmin/sbin/newuser b/pinyadmin/sbin/newuser index ef61cd7..22c73ef 100755 --- a/pinyadmin/sbin/newuser +++ b/pinyadmin/sbin/newuser @@ -158,7 +158,7 @@ print GITCONFIG <uid, $u->group->gid, $u->home . "/.gitconfig" ); +chown( $u->uid, (getgrnam("users"))[2] , $u->home . "/.gitconfig" ); print "Your user has been created. Try logging in!\n"; -- cgit v1.2.3 From 878f58e88d6b1b607279464488e46976785db60a Mon Sep 17 00:00:00 2001 From: "jrayhawk+piny.be@omgwallhack.org" Date: Fri, 22 Apr 2011 21:07:01 -0700 Subject: Postinstall should let secret key be readable by apache --- libpiny/debian/libpiny-perl.postinst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libpiny/debian/libpiny-perl.postinst b/libpiny/debian/libpiny-perl.postinst index aa38007..85cca0c 100755 --- a/libpiny/debian/libpiny-perl.postinst +++ b/libpiny/debian/libpiny-perl.postinst @@ -9,8 +9,9 @@ case "$1" in if [ ! -f /etc/libpiny.key ]; then umask 0137 dd if=/dev/urandom of=/etc/libpiny.key bs=512 count=1 - chgrp www-data /etc/libpiny.key fi + chgrp shadow /etc/libpiny.key + chmod g+r /etc/libpiny.key # Updating an old umask ;; -- cgit v1.2.3 From 2a27be477f89b42abb23793c5118b40120b793aa Mon Sep 17 00:00:00 2001 From: "jrayhawk+piny.be@omgwallhack.org" Date: Fri, 22 Apr 2011 21:08:18 -0700 Subject: Switching piny-web over to piny-hosting --- pinyconfigs/etc/apache2/sites-available/piny | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pinyconfigs/etc/apache2/sites-available/piny b/pinyconfigs/etc/apache2/sites-available/piny index a8e69d3..691c238 100644 --- a/pinyconfigs/etc/apache2/sites-available/piny +++ b/pinyconfigs/etc/apache2/sites-available/piny 
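Review bot: `(getgrnam("users"))[2]` is undefined when no `users` group exists, and Perl numifies that to 0 in `chown`, so the new user's `.gitconfig` would be handed to group root with nothing but a warning; resolve the gid first and fail loudly: `my $gid = ( getgrnam( "users" ) )[2]; defined $gid or die "No 'users' group on this system\n";` followed by `chown( $u->uid, $gid, $u->home . "/.gitconfig" ) or die "Could not chown .gitconfig: $!\n";`. A one-line comment explaining why `$u->group->gid` was abandoned in favour of the hard-coded group would also help the next reader.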
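Review bot: The key is now group-owned by `shadow` while the commit message talks about Apache, so the only way this achieves its goal is the web server user already being a member of group `shadow` — an assumption the script neither checks nor records; add a comment beside the `chgrp`, e.g. `# www-data is expected to be in group shadow; that membership is what makes the key readable by the CGI — confirm on install`. It also couples the signing secret to the group that can read `/etc/shadow`, so any process that may read password hashes may also forge verification codes; a dedicated group for the key would keep the two privileges separate. The `# Updating an old umask` comment belongs on the `chgrp`/`chmod` pair as a unit, since both are what repair a key created 0600 by the earlier packaging.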
@@ -10,7 +10,7 @@ Alias /js /usr/share/javascript - RedirectMatch 301 ^/$ http://piny.be/piny-web/ + RedirectMatch 301 ^/$ http://piny.be/piny-hosting/ @@ -29,7 +29,7 @@ Alias /js /usr/share/javascript - RedirectMatch 301 ^/$ http://piny.be/piny-web/ + RedirectMatch 301 ^/$ http://piny.be/piny-hosting/ SSLEngine On SSLCertificateFile /etc/ssl/private/secure.piny.be.pem -- cgit v1.2.3