--- a/access/users.go Tue Jul 23 16:08:13 2019 -0500
+++ b/access/users.go Tue Jul 23 16:52:18 2019 -0500
@@ -45,7 +45,7 @@
// and returns the username if found, or err if not found.
func (a *Access) UsernameFromFingerprint(fingerprint string) (string, error) {
username, found := a.fingerprintIndex[fingerprint]
--- a/commands/commands.go Tue Jul 23 16:08:13 2019 -0500
+++ b/commands/commands.go Tue Jul 23 16:52:18 2019 -0500
@@ -24,7 +24,8 @@
Run(conn ssh.Channel, serverConn *ssh.ServerConn, req *ssh.Request) error
- CheckAccess(access access.Access, username string) bool
+ CheckAccess(access *access.Access, username string) bool
 func parse(cmd string) (cli, string, error) {
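Review bot: `CheckAccess` now receives a `*access.Access`, and the implementations in the init.go and serve.go hunks dereference it straight away (`access.Global.CanInit(username)`, `access.Global.CanRead(username)`), so a nil pointer would very likely panic inside the SSH session handler rather than deny the command; an authorization check should fail closed, so I would add `if access == nil { return false }` as the first line of each implementation. The parameter named `access` also shadows the imported `access` package inside those bodies, which compiles but reads confusingly; a name such as `acc` would avoid that. The interface method itself carries no doc comment; I would add `// CheckAccess reports whether username is permitted to run this command under the given access rules.` above it. The interface declaration starts outside the hunk.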
--- a/commands/init.go Tue Jul 23 16:08:13 2019 -0500
+++ b/commands/init.go Tue Jul 23 16:52:18 2019 -0500
@@ -24,6 +24,10 @@
return run(hg.Init(i.repoPath), conn, serverConn, req)
-func (i *Init) CheckAccess(access access.Access, username string) bool {
+func (i *Init) CheckAccess(access *access.Access, username string) bool {
 return access.Global.CanInit(username)
+func (i *Init) String() string {
--- a/commands/serve.go Tue Jul 23 16:08:13 2019 -0500
+++ b/commands/serve.go Tue Jul 23 16:52:18 2019 -0500
@@ -25,6 +25,10 @@
return run(hg.Serve(s.repoPath), conn, serverConn, req)
-func (s *Serve) CheckAccess(access access.Access, username string) bool {
+func (s *Serve) CheckAccess(access *access.Access, username string) bool {
 return access.Global.CanRead(username)
+func (s *Serve) String() string {
--- a/ssh/server.go Tue Jul 23 16:08:13 2019 -0500
+++ b/ssh/server.go Tue Jul 23 16:52:18 2019 -0500
@@ -9,6 +9,7 @@
"golang.org/x/crypto/ssh"
"bitbucket.org/rw_grim/hgkeeper/access"
+ "bitbucket.org/rw_grim/hgkeeper/commands"
@@ -74,6 +75,7 @@
func (s *Server) publicKeyCallback(meta ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
username, err := s.a.UsernameFromPubkey(key)
+ log.Infof("username: %q; err %v", username, err)
 if s.a.Global.CanRead(access.Public) {
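Review bot: The added `log.Infof("username: %q; err %v", username, err)` runs on every public-key attempt, before the `CanRead(access.Public)` fallback decides whether a failed lookup is even a problem, so at Info level it will presumably emit an error-looking line for the ordinary unknown-key case; the `log.Infof("returning username: %q", username)` line in the next hunk has the same character. Both read as leftover debugging traces; I would drop them, or move them to a debug level if the logger provides one, and leave the existing Warnf paths as the operator-facing record of rejected access. publicKeyCallback continues outside the hunk, so I cannot see how `err` is handled below the fallback branch.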
@@ -82,6 +84,8 @@
+ log.Infof("returning username: %q", username)
 Extensions: map[string]string{"username": username},
@@ -120,7 +124,7 @@
log.Infof("%s requested command %q", serverConn.RemoteAddr(), rawCmd)
- cmd, err := findCommand(rawCmd, s.reposPath)
+ cmd, err := commands.Find(rawCmd, s.reposPath)
 log.Warnf("failed to find command for %q, %v", rawCmd, err)
@@ -128,17 +132,17 @@
- // username := serverConn.Permissions.Extensions["username"]
+ username := serverConn.Permissions.Extensions["username"]
+ log.Infof("username in exec: %q", username)
- // now check permissions
- // r, _, _ := s.a.GetPermissions(username, cmd.path)
- // log.Warnf("user %q does not have read access to %s", username, cmd.path)
- // req.Reply(false, nil)
+ if !cmd.CheckAccess(s.a, username) {
+ log.Warnf("User %s is not allowed to run %s", username, cmd)
- log.Warnf("running %#v\n", cmd)
- if err := cmd.run(conn, serverConn, req); err != nil {
+ if err := cmd.Run(conn, serverConn, req); err != nil {
 log.Warnf("%s command %q failed: %v", serverConn.RemoteAddr(), rawCmd, err)