Merge branch 'authorized-keys-permission-check' into 'master'

Improve authorized_keys check The old check only looked if authorized_keys exists. With this change, we look whether we can actually open the file for reading and writing. When this fails we try to print useful diagnostic information. See merge request !79

Merge branch 'authorized-keys-permission-check' into 'master'
Improve authorized_keys check The old check only looked if authorized_keys exists. With this change, we look whether we can actually open the file for reading and writing. When this fails we try to print useful diagnostic information. See merge request !79
4a9d5265 · Douwe Maan · a7d2fed0 · 784221bd · 4a9d5265 · 4a9d5265
Commit 4a9d5265 authored Aug 03, 2016 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 6 deletions

bin/check bin/check +3 -5

lib/gitlab_keys.rb lib/gitlab_keys.rb +13 -0

spec/gitlab_keys_spec.rb spec/gitlab_keys_spec.rb +20 -1

No files found.
--- a/bin/check
+++ b/bin/check
@@ -19,14 +19,12 @@ rescue GitlabNet::ApiUnreachableError
  abort "FAILED: Failed to connect to internal API"
 end

-
-puts "\nCheck directories and files: "
-
 config = GitlabConfig.new

 abort("ERROR: missing option in config.yml") unless config.auth_file
-print "\t#{config.auth_file}: "
-if File.exists?(config.auth_file)
+
+print "\nAccess to #{config.auth_file}: "
+if system(File.dirname(__FILE__) + '/gitlab-keys', 'check-permissions')
  print 'OK'
 else
  abort "FAILED"

--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -21,6 +21,7 @@ class GitlabKeys
    when 'rm-key';  rm_key
    when 'list-keys'; puts list_keys
    when 'clear';  clear
+    when 'check-permissions'; check_permissions
    else
      $logger.warn "Attempt to execute invalid gitlab-keys command #{@command.inspect}."
      puts 'not allowed'
@@ -92,6 +93,18 @@ class GitlabKeys
    true
  end

+  def check_permissions
+    open_auth_file('r+') { true }
+  rescue => ex
+    puts "error: could not open #{auth_file}: #{ex}"
+    if File.exist?(auth_file)
+      system('ls', '-l', auth_file)
+    else
+      # Maybe the parent directory is not writable?
+      system('ls', '-ld', File.dirname(auth_file))
+    end
+    false
+  end

  def lock(timeout = 10)
    File.open(lock_file, "w+") do |f|

--- a/spec/gitlab_keys_spec.rb
+++ b/spec/gitlab_keys_spec.rb
@@ -15,7 +15,6 @@ describe GitlabKeys do
    it { gitlab_keys.instance_variable_get(:@key_id).should == 'key-741' }
  end

-
  describe :add_key do
    let(:gitlab_keys) { build_gitlab_keys('add-key', 'key-741', 'ssh-rsa AAAAB3NzaDAxx2E') }

@@ -145,6 +144,20 @@ describe GitlabKeys do
    end
  end

+  describe :check_permissions do
+    let(:gitlab_keys) { build_gitlab_keys('check-permissions') }
+
+    it 'returns true when the file can be opened' do
+      create_authorized_keys_fixture
+      expect(gitlab_keys.exec).to eq(true)
+    end
+
+    it 'returns false if opening raises an exception' do
+      gitlab_keys.should_receive(:open_auth_file).and_raise("imaginary error")
+      expect(gitlab_keys.exec).to eq(false)
+    end
+  end
+
  describe :exec do
    it 'add-key arg should execute add_key method' do
      gitlab_keys = build_gitlab_keys('add-key')
@@ -170,6 +183,12 @@ describe GitlabKeys do
      gitlab_keys.exec
    end

+    it 'check-permissions arg should execute check_permissions method' do
+      gitlab_keys = build_gitlab_keys('check-permissions')
+      gitlab_keys.should_receive(:check_permissions)
+      gitlab_keys.exec
+    end
+
    it 'should puts message if unknown command arg' do
      gitlab_keys = build_gitlab_keys('change-key')
      gitlab_keys.should_receive(:puts).with('not allowed')