Manage authorized_keys permissions continuously

We can lazily create authorized_keys and set its permissions. This adds negligible overhead and it allows us to remove a setup step from GitLab both on source and in omnibus-gitlab.

Manage authorized_keys permissions continuously
We can lazily create authorized_keys and set its permissions. This adds negligible overhead and it allows us to remove a setup step from GitLab both on source and in omnibus-gitlab.
d12d210f · Jacob Vosmaer · c3cfebcf · d12d210f · d12d210f · d12d210f
Commit d12d210f authored Aug 01, 2016 by Jacob Vosmaer
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 7 deletions

bin/install bin/install +0 -2

lib/gitlab_keys.rb lib/gitlab_keys.rb +11 -4

spec/gitlab_keys_spec.rb spec/gitlab_keys_spec.rb +1 -1

No files found.
--- a/bin/install
+++ b/bin/install
@@ -13,8 +13,6 @@ repository_storage_paths = ARGV
 commands = [
  %W(mkdir -p #{key_dir}),
  %W(chmod 700 #{key_dir}),
-  %W(touch #{config.auth_file}),
-  %W(chmod 600 #{config.auth_file}),
 ]

 repository_storage_paths.each do |repository_storage_path|

--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -34,7 +34,7 @@ class GitlabKeys
    lock do
      $logger.info "Adding key #{@key_id} => #{@key.inspect}"
      auth_line = @gitlab_key.key_line(@key_id, @key)
-      open(auth_file, 'a') { |file| file.puts(auth_line) }
+      open_auth_file('a') { |file| file.puts(auth_line) }
    end
    true
  end
@@ -54,7 +54,7 @@ class GitlabKeys

  def batch_add_keys
    lock(300) do # Allow 300 seconds (5 minutes) for batch_add_keys
-      open(auth_file, 'a') do |file|
+      open_auth_file('a') do |file|
        stdin.each_line do |input|
          tokens = input.strip.split("\t")
          abort("#{$0}: invalid input #{input.inspect}") unless tokens.count == 2
@@ -74,7 +74,7 @@ class GitlabKeys
  def rm_key
    lock do
      $logger.info "Removing key #{@key_id}"
-      open(auth_file, 'r+') do |f|
+      open_auth_file('r+') do |f|
        while line = f.gets do
          next unless line.start_with?("command=\"#{@gitlab_key.command(@key_id)}\"")
          f.seek(-line.length, IO::SEEK_CUR)
@@ -88,7 +88,7 @@ class GitlabKeys
  end

  def clear
-    open(auth_file, 'w') { |file| file.puts '# Managed by gitlab-shell' }
+    open_auth_file('w') { |file| file.puts '# Managed by gitlab-shell' }
    true
  end

@@ -107,6 +107,13 @@ class GitlabKeys
  def lock_file
    @lock_file ||= auth_file + '.lock'
  end
+  
+  def open_auth_file(mode)
+    open(auth_file, mode, 0600) do |file|
+      file.chmod(0600)
+      yield file
+    end
+  end
 end



--- a/spec/gitlab_keys_spec.rb
+++ b/spec/gitlab_keys_spec.rb
@@ -80,7 +80,7 @@ describe GitlabKeys do

    context "without file writing" do
      before do
-        gitlab_keys.should_receive(:open).and_yield(mock(:file, puts: nil))
+        gitlab_keys.should_receive(:open).and_yield(mock(:file, puts: nil, chmod: nil))
      end

      it "should log an add-key event" do