
I want to block fake users in git commits. That means one user must not be able to change his/her email to someone else's. I use gitolite. How can I implement this feature? As I have users' public keys, can I bind their email/name to that public key?


2 Answers


> As I have users' public key, can I bind email/name with that public key?

Not natively: Gitolite only works with the user id (as extracted from the http or ssh session and set in the variable GL_USER).

So you need to have that information elsewhere.

What I use is the public keys which are given by the users and stored in the gitolite/keys dir of the gitolite-admin repo.

A public ssh key is composed of 3 parts:

```
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WhateverYouWant
```

The last part, after the public key, is a string which can represent what you want.

I demand from the user a key with their email address in it (at the end).
I then set up a VREF (an update hook in gitolite) for all repos, which will validate the user.email seen in the commits against the email extracted from the ~gitolite/.ssh/authorized_keys file.
That file is managed by gitolite, and contains both the user.name and its email (because of the way I expect the users to give me their public key):

```
command="..../gitolite-shell user-id" ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WhateverYouWant
```

If an email doesn't match the right user name, the VREF hook will reject the push.


My own VREF CHECKID (for a slightly different purpose) is declared in the gitolite.conf as:

```
repo    @all
  RW+                            = gitoliteadm
  -     VREF/CHECKID             = @all
```
  • Thank you for letting me know about VREF. It is really useful, but somehow I failed to make it work with user.email. I have also checked its documentation http://sitaramc.github.com/gitolite/g2/vref.html#virtual_refs_checking_author_email_ ; can you please help me a bit more? – Sadi Jan 31 '13 at 13:40
  • I have used `- VREF/EMAIL-CHECK = @all` against one repository and have also used `repo @all - VREF/EMAIL-CHECK = @all`. None of those work. – Sadi Jan 31 '13 at 14:09
  • @Sadi I have edited my answer with an example of a VREF config. – VonC Jan 31 '13 at 15:08

I wrote a hook that takes a slightly different approach than the previous answer. You put in an EMAILDOMAIN at the top, and it makes sure that the email address on the commit log equals [the committing user's SSH key file name]@[EMAILDOMAIN].

I tossed this into gitolite-admin/common-hooks so it runs server side on pushes.

```bash
#!/bin/bash
# Update-hook arguments as gitolite passes them: $1 = refname, $2 = old sha, $3 = new sha.
# GL_USER is set by gitolite to the user id of the SSH key that authenticated the push.

EMAILDOMAIN="company.com"

ZERO=0000000000000000000000000000000000000000

# Skip branch creation and deletion: there is no "previous" tip to compare against.
# (A newly pushed branch is therefore not checked by this hook.)
if [[ $2 = $ZERO ]] || [[ $3 = $ZERO ]]
then
  exit 0
fi

# Get committer name and email of the pushed tip commit from git log.
# The format string is quoted so the command is not re-split when it runs.
EMAIL=$(git log --format='%ce' -1 "$3")
NAME=$(git log --format='%cn' -1 "$3")

# environment variable for the gitolite user (the SSH key)
# echo $GL_USER

# Compare email with gitolite user, case-insensitively.
# ${var,,} (bash 4) lowercases the value; the braces belong inside the quotes,
# otherwise the literal strings "{...,,}" are compared instead.
EXPEMAIL="$GL_USER@$EMAILDOMAIN"
if [ "${EXPEMAIL,,}" != "${EMAIL,,}" ]
then
  echo "You're committing with the SSH key for '$GL_USER'. That key belongs to $EXPEMAIL."
  echo "  (You've configured your email as $EMAIL)"
  exit 1
fi

# TODO: maybe, if we ever bother installing mail on this box, send an email to some admins if someone is trying to key share

# check the name: split it on spaces and count the parts
IFS=' ' read -ra NAMEPARTS <<< "${NAME,,}"
PARTCOUNT=${#NAMEPARTS[@]}

# make sure it's a full name
if (( PARTCOUNT < 2 ))
then
  echo "You should put in your full name, $NAME."
  echo "If you've really only got one name (like Sting or Madonna), email an admin and we can make an exception for you."
  exit 1
fi

exit 0
```
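As an added example (not code from either answer above), a bash VREF that applies VonC's key-comment convention to every commit a push introduces, not only the tip commit the second answer inspects. It assumes gitolite calls it with refname, old sha and new sha and sets GL_USER, that the user's key lives at $KEYDIR/<GL_USER>.pub (KEYDIR is a placeholder path), and that the key's comment field holds the email; make_demo_keydir builds a constructed key file so the check can be exercised outside a server.

```bash
#!/bin/bash
# Added example, not code from either answer: a VREF-style update check that applies
# VonC's key-comment convention to every new commit of a push, not only to the tip.
# Assumptions: gitolite calls it with refname, old sha, new sha and sets GL_USER;
# the user's key is $KEYDIR/<GL_USER>.pub and its third field (the comment) is the email.
KEYDIR=${KEYDIR:-/path/to/gitolite-admin/keydir}   # placeholder path; set to the real keydir
ZERO=0000000000000000000000000000000000000000
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Email registered for a gitolite user: the first token of the key's comment field.
expected_email_for_user() {                     # user
  local keyfile="$KEYDIR/$1.pub"
  [ -r "$keyfile" ] || return 1
  awk 'NF >= 3 { print $3; exit }' "$keyfile"
}

# 0 if the commit email is the one registered for the user (case-insensitive), else 1.
email_allowed() {                               # user commit_email
  local want
  want=$(expected_email_for_user "$1") || return 1
  [ "$(lower "$want")" = "$(lower "$2")" ]
}

# Commits introduced by the push: old..new, or, for a new branch, everything
# reachable from new that no existing ref already contains.
new_commits() {                                 # oldsha newsha
  if [ "$1" = "$ZERO" ]; then git rev-list "$2" --not --all; else git rev-list "$1..$2"; fi
}

vref_main() {                                   # refname oldsha newsha
  [ "$3" = "$ZERO" ] && exit 0                  # branch deletion: nothing to inspect
  local c e
  for c in $(new_commits "$2" "$3"); do
    for e in $(git log -1 --format='%ae%n%ce' "$c"); do   # author and committer email
      if ! email_allowed "$GL_USER" "$e"; then
        echo "commit $c: email '$e' is not registered for key '$GL_USER'" >&2
        exit 1
      fi
    done
  done
  exit 0
}

# Constructed key file for a stand-alone run; on the server KEYDIR is the real directory.
make_demo_keydir() {
  local dir; dir=$(mktemp -d)
  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed alice@example.com' > "$dir/alice.pub"
  echo "$dir"
}
if [ "$#" -eq 3 ]; then vref_main "$@"; fi
```

Because both author and committer emails are checked for every new commit, a rebase or a cherry-pick that carries someone else's identity is rejected too, not just a mismatched tip.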