#!/usr/bin/perl -w # dgit-repos-push-receiver # # usages: # .../dgit-repos-push-receiver SUITES KEYRING-AUTH-SPEC DGIT-REPOS-DIR --ssh # .../dgit-repos-push-receiver SUITES KEYRING-AUTH-SPEC DGIT-REPOS-DIR PACKAGE # internal usage: # .../dgit-repos-push-receiver --pre-receive-hook PACKAGE # # Invoked as the ssh restricted command # # Works like git-receive-pack # # SUITES is the name of a file which lists the permissible suites # one per line (#-comments and blank lines ignored) # # KEYRING-AUTH-SPEC is a :-separated list of # KEYRING.GPG,AUTH-SPEC # where AUTH-SPEC is one of # a # mDM.TXT use strict; # What we do is this: # - extract the destination repo name # - make a hardlink clone of the destination repo # - provide the destination with a stunt pre-receive hook # - run actual git-receive-pack with that new destination # as a result of this the stunt pre-receive hook runs; it does this # + understand what refs we are allegedly updating and # check some correspondences: # * we are updating only refs/tags/debian/* and refs/dgit/* # * and only one of each # * and the tag does not already exist # and # * recovering the suite name from the destination refs/dgit/ ref # + disassemble the signed tag into its various fields and signature # including: # * parsing the first line of the tag message to recover # the package name, version and suite # * checking that the package name corresponds to the dest repo name # * checking that the suite name is as recovered above # + verify the signature on the signed tag # and if necessary check that the keyid and package are listed in dm.txt # + check various correspondences: # * the suite is one of those permitted # * the signed tag must refer to a commit # * the signed tag commit must be the refs/dgit value # * the name in the signed tag must correspond to its ref name # * the tag name must be debian/ (massaged as needed) # * the signed tag has a suitable name # * the commit is a fast forward # + push the signed tag and new dgit branch to the actual repo # # If the destination repo does not already exist, we need to make # sure that we create it reasonably atomically, and also that # we don't every have a destination repo containing no refs at all # (because such a thing causes git-fetch-pack to barf). So then we # do as above, except: # - before starting, we take out our own lock for the destination repo # - we create a prospective new destination repo by making a copy # of _template # - we use the prospective new destination repo instead of the # actual new destination repo (since the latter doesn't exist) # - we set up a post-receive hook as well, which # + checks that exactly two refs were updated # + touches a stamp file # - after git-receive-pack exits, we rename the prospective # destination repo into place # # Cleanup strategy: # - We are crash-only # - Temporary working trees and their locks are cleaned up # opportunistically by a program which tries to take each lock and # if successful deletes both the tree and the lockfile # - Prospective working trees and their locks are cleaned up by # a program which tries to take each lock and if successful # deletes any prospective working tree and the lock (but not # of course any actual tree) # - It is forbidden to _remove_ the lockfile without removing # the corresponding temporary tree, as the lockfile is also # a stampfile whose presence indicates that there may be # cleanup to do use POSIX; use Fcntl qw(:flock); our $package_re = '[0-9a-z][-+.0-9a-z]+'; our $dgitrepos; our $pkg; our $destrepo; our $workrepo; our @keyrings; sub acquirelock ($$) { my ($lock, $must) = @_; for (;;) { my $fh = new IO::File, ">", $lock or die "open $lock: $!"; my $ok = flock $fh, $must ? LOCK_EX : (LOCK_EX|LOCK_NB); if (!$ok) { return unless $must; die "flock $lock: $!"; } if (!stat $lock) { next if $! == ENOENT; die "stat $lock: $!"; } my $want = (stat _)[1]; stat $fh or die $!; my $got = (stat _)[1]; return $fh if $got == $want; } } sub makeworkingclone () { $workrepo = "$dgitrepos/_tmp/${pkg}_incoming$$"; my $lock = "$workrepo.lock"; my $lockfh = acquirelock($lock, 1); if (!stat $destrepo) { $! == ENOENT or die "stat dest repo $destrepo: $!"; mkdir $workrepo or die "create work repo $workrepo: $!"; runcmd qw(git init --bare), $workrepo; } else { runcmd qw(git clone -l -q --mirror), $destrepo, $workrepo; } } sub setupstunthook () { my $prerecv = "$workrepo/hooks/pre-receive"; my $fh = new IO::File, $prerecv, O_WRONLY|O_CREAT|O_TRUNC, 0777 or die "$prerecv: $!"; print $fh <) { m/^(\S+) (\S+) (\S+)$/ or die "$_ ?"; my ($old, $sha1, $refname) = ($1, $2, $3); if ($refname =~ m{^refs/tags/(?=debian/)}) { die if defined $tagname; $tagname = $'; #'; $tagval = $sha1; reject "tag $tagname already exists -". " not replacing previously-pushed version" if $old =~ m/[^0]/; } elsif ($refname =~ m{^refs/dgit/}) { die if defined $suite; $suite = $'; #'; $oldcommit = $old; $commit = $sha1; } else { die; } } STDIN->error and die $!; die unless defined $refname; die unless defined $branchname; } sub parsetag () { open PT, ">dgit-tmp/plaintext" or die $!; open DS, ">dgit-tmp/plaintext.asc" or die $!; open T, "-|", qw(git cat-file tag), $tagval or die $!; for (;;) { $!=0; $_=; defined or die $!; print PT or die $!; if (m/^(\S+) (.*)/) { push @{ $tagh{$1} }, $2; } elsif (!m/\S/) { last; } else { die; } } $!=0; $_=; defined or die $!; m/^($package_re) release (\S+) for (\S+) \[dgit\]$/ or die; die unless $1 eq $pkg; $version = $2; die unless $3 eq $suite; for (;;) { print PT or die $!; $!=0; $_=; defined or die $!; last if m/^-----BEGIN PGP/; } for (;;) { print DS or die $!; $!=0; $_=; last if !defined; } T->error and die $!; close PT or die $!; close DS or die $!; } sub checksig_keyring ($) { my ($keyringfile) = @_; # returns primary-keyid if signed by a key in this keyring # or undef if not # or dies on other errors my $ok = undef; open P, "-|", (qw(gpgv --status-fd=1), map { '--keyring', $_ }, @keyrings, qw(dgit-tmp/plaintext.asc dgit-tmp/plaintext)) or die $!; while (

) { next unless s/^\[GNUPG:\]: //; chomp or die; my @l = split / /, $_; if ($l[0] eq 'NO_PUBKEY') { last; } elsif ($l[0] eq 'VALIDSIG') { my $sigtype = $l[9]; $sigtype eq '00' or reject "signature is not of type 00!"; $ok = $l[10]; die unless defined $ok; last; } } close P; return $ok; } sub dm_txt_check ($$) { my ($keyid, $dmtxtfn) = @_; open DT, '<', $dmtxtfn or die "$dmtxtfn $!"; while (

) { m/^fingerprint:\s+$keyid$/oi ..0 or next; m/^\S/ or reject "key $keyid missing Allow section in permissions!"; # in right stanza... s/^allow:/ /i ..0 or next; s/^\s+// or reject "package $package not allowed for key $keyid"; # in allow field... s/\([^()]+\)//; s/\,//; foreach my $p (split /\s+/) { return if $p eq $package; # yay! } } DT->error and die $!; close DT or die $!; reject "key $keyid not in permissions list although in keyring!"; } sub verifytag () { foreach my $kas (split /:/, $keyrings) { $kas =~ s/^([^,]+),// or die; my $keyid = checksig_keyring $1; if (defined $keyid) { if ($kas =~ m/^a$/) { return; # yay } elsif ($kas =~ m/^m([^,]+)$/) { dm_txt_check($keyid, $1); return; } else { die; } } } reject "key not found in keyrings"; } sub checks () { fixme check the suite against the approved list tagh1('type') eq 'commit' or die; tagh1('object') eq $commit or die; tagh1('tag') eq $tagname or die; my $v = $version; $v =~ y/~:/_%/; $tagname eq "debian/$v" or die; # check that our ref is being fast-forwarded if ($oldcommit =~ m/[^0]/) { $?=0; $!=0; my $mb = `git merge-base $commit $oldcommit`; chomp $mb; $mb eq $oldcommit or reject "not fast forward on dgit branch"; } } sub onwardpush () { $!=0; my $r = system (qw(git send-pack), $destrepo, "$commit:refs/dgit/$suite", "$tagval:refs/tags/$tagname"); !$r or die "onward push failed: $r $!"; } sub stunthook () { chdir $workrepo or die "chdir $workrepo: $!"; mkdir "dgit-tmp" or $!==EEXIST or die $!; readupdates(); parsetag(); verifytag(); checks(); onwardpush(); } #----- arg parsing and main program ----- sub parseargs () { die unless @ARGV; if ($ARGV[0] eq '--pre-receive-hook') { shift @ARGV; @ARGV == 1 or die; $pkg = shift @ARGV; defined($workrepo = $ENV{'DGIT_RPR_WORK'}) or die; defined($destrepo = $ENV{'DGIT_RPR_DEST'}) or die; defined($keyrings = $ENV{'DGIT_RPR_KEYRINGS'}) or die $!; open STDOUT, ">&STDERR" or die $!; stunthook(); exit 0; } die unless @ARGV>=3; die if $ARGV[0] =~ m/^-/; $suitesfile = shift @ARGV; die if $ARGV[0] =~ m/^-/; $ENV{'DGIT_RPR_KEYRINGS'} = shift @ARGV; die if $ARGV[0] =~ m/^-/; $dgitrepos = shift @ARGV; die unless @ARGV; if ($ARGV[0] != m/^-/) { @ARGV == 1 or die; $pkg = shift @ARGV; } elsif ($ARGV[0] eq '--ssh') { shift @ARGV; !@ARGV or die; my $cmd = $ENV{'SSH_ORIGINAL_COMMAND'}; $cmd =~ m{ ^ (?:\S*/)? (git-receive-pack|git-upload-pack) \s+ (?:\S*/)? ($package_re)\.git $ }ox or die "requested command $cmd not understood"; $method = $1; $pkg = $2; my $func = $method; $func =~ y/-/_/; $func = $main::{"main__$func"}; &$func; } else { die; } $destrepo = "$dgitrepos/$pkg.git"; } sub main__git_receive_pack () { parseargs(); fixme check method; makeworkingclone(); setupstunthook(); runcmd qw(git receive-pack), $destdir; }