Changes to Enable SSH for Repository hosting

.kitchen.yml

@@ -15,7 +15,14 @@ suites:
       - recipe[phabricator::default]
     attributes: {
         "phabricator": {
-            "domain": "phabricator.example.com"
+            "domain": "phabricator.example.com",
+            "repo_hosting_enabled": true
+        },
+        "authorization": {
+            "sudo": {
+                "users": ["vagrant"],
+               "passwordless": true
+            }
         }
     }
   - name: arcanist

README.md

@@ -17,10 +17,11 @@ This cookbook has been tested on Ubuntu 12.04 and 14.04.
 - `nginx ~> 2.7`
 - `mysql ~> 6.0`
 - `database ~> 3.1`
+- `openssl ~> 4.4`
 
 Attributes
 ----------
-See `attributes/default.rb`.
+See `attributes/default.rb` and `attributes/repo_hosting.rb`.
 
 Usage
 -----
@@ -38,11 +39,42 @@ Just include `phabricator` in your node's `run_list`:
 MySQL Installation
 ------------------
 
-If `node['phabricator]['mysql_host']` is set to `localhost`, the cookbook will
+If `node['phabricator']['mysql_host']` is set to `localhost`, the cookbook will
 install and configure the MySQL server appropriately. Otherwise, it will
 configure Phabricator to connect to an external database. In the latter case, a
 MySQL database user will //not// be managed by this cookbook.
 
+Repository Hosting
+------------------
+
+If running Ubuntu 14.04, this recipe can also setup Phabricator for hosting repositories
+over SSH. (It requires functionality in OpenSSH 6.2 or newer, which is not available for
+Ubuntu 12.04).
+
+If `node['phabricator']['repo_hosting_enabled']` is set to `true`, the cookbook will
+set up the server for serving up VCS over SSH.
+Defaults to `false` to preserve behaviour with previous versions.
+
+It will setup a seperate daemon called `ssh-vcs`, which  is configured to listen on a
+different port to the standard system sshd, this is controlled via
+`default['phabricator']['ssh_vcs_port']` It defaults to `617`.
+
+This is a highly locked down SSH process following recommendations from upstream:
+[https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/]
+
+The user used for VCS is controlled via `default['phabricator']['vcsuser']` and defaults
+to `git`.
+
+When interacting with Diffusion over ssh the following is recommended in your `~/.ssh/config`:
+
+```
+Host phabricator.example.com
+  User git
+  Port 617
+  Compression yes
+```
+
+
 Contributing
 ------------
 1. Fork the repository on Github

attributes/repo_hosting.rb

@@ -0,0 +1,19 @@
+# Default to previous behaviour of not hosting repos in phabricator
+# NB this setting has no effect on Ubuntu 12.04 as its version of OpenSSH
+# is too old to work.
+default['phabricator']['repo_hosting_enabled'] = false
+
+# Port that VCS SSH will listen on
+default['phabricator']['ssh_vcs_port'] = '617'
+
+# User for Source code hosting
+default['phabricator']['vcsuser'] = 'git'
+
+append_paths = []
+append_paths << File.join(node['phabricator']['path'], '/phabricator/support/bin')
+append_paths << '/bin'
+append_paths << '/usr/bin'
+append_paths << '/usr/local/bin'
+append_paths << '/usr/lib/git-core'
+
+default['phabricator']['config']['environment.append-paths'] = %Q('#{append_paths}')

metadata.rb

@@ -15,3 +15,5 @@
 depends             'nginx',    '~> 2.7'
 depends             'mysql',    '~> 6.0'
 depends             'database', '~> 3.1'
+depends             'sudo', '~> 2.7.2'
+depends             'openssl', '~> 4.4.0'

recipes/default.rb

@@ -65,7 +65,7 @@
     action :create
     user node['phabricator']['user']
     group node['phabricator']['group']
-    mode "0750"
+    mode "0755"
 end
 
 %w{ phabricator libphutil arcanist }.each do |repo|
@@ -83,7 +83,7 @@
     action :create
     user node['phabricator']['user']
     group node['phabricator']['group']
-    mode "0750"
+    mode "0755"
 end
 
 # Set up file storage
@@ -187,3 +187,12 @@
         node.set['phabricator']['storage_upgrade_done'] = true
     end
 end
+
+# Setup ssh repo hosting if we want it!
+# Only applicable on 14.04 or newer, due to need for AuthorizedKeysCommand which came in
+# OpenSSH 6.2.
+if node['platform_version'] >= '14.04'
+    if node['phabricator']['repo_hosting_enabled']
+        include_recipe 'phabricator::repo_hosting'
+    end
+end

recipes/repo_hosting.rb

@@ -0,0 +1,107 @@
+#
+# Cookbook Name:: phabricator
+# Recipe:: repo_hosting
+#
+# Copyright 2014, MET Norway
+#
+# Authors: Kim Tore Jensen <[email protected]>,
+#          Andrew Mulholland <[email protected]>
+#
+# Sets up phabricator for hosting repositories over SSH
+
+# To prevent the `vcsuser` (i.e. git ) user from being locked, a password needs to be provided with
+# account creation. Using OpenSSLCookbook's RandomPassword function to generate a secure password.
+unless node['phabricator']['vcspassword']
+    Chef::Recipe.send(:include, OpenSSLCookbook::RandomPassword)
+    require 'digest/sha2'
+    node.set['phabricator']['vcspassword'] = Digest::SHA512.hexdigest(random_password(length: 50))
+end
+
+user node['phabricator']['vcsuser'] do
+    comment 'VCS User'
+    home File.join('/home', node['phabricator']['vcsuser'])
+    shell '/bin/sh'
+    system true
+    # This password is never used!
+    password node['phabricator']['vcspassword']
+    action [:create, :unlock]
+end
+
+directory File.join('/home', node['phabricator']['vcsuser']) do
+    action :create
+    owner node['phabricator']['vcsuser']
+    mode '0755'
+end
+
+directory '/etc/ssh-phabricator' do
+    action :create
+end
+
+template '/etc/init/ssh-vcs.conf' do
+    source 'ssh-phabricator/ssh-vcs.conf.erb'
+    owner 'root'
+    group 'root'
+    mode '0755'
+    notifies :restart, 'service[ssh-vcs]'
+end
+
+service 'ssh-vcs' do
+    provider Chef::Provider::Service::Upstart
+    supports status: true, restart: true, reload: true
+    action [:enable, :start]
+end
+
+template '/etc/ssh-phabricator/sshd_config' do
+    source 'ssh-phabricator/sshd_config.erb'
+    owner 'root'
+    group 'root'
+    mode '0755'
+    notifies :restart, 'service[ssh-vcs]'
+end
+
+directory '/usr/libexec' do
+    owner 'root'
+    group 'root'
+    mode '0755'
+end
+
+template '/usr/libexec/ssh-phabricator-hook' do
+    source 'ssh-phabricator/ssh-phabricator-hook.erb'
+    owner 'root'
+    group 'root'
+    mode '0755'
+end
+
+# enable /etc/sudoers.d directory to enable the sudoer provider to work
+node.override[:authorization][:sudo][:include_sudoers_d] = true
+
+# We use template here, because right now upstream `sudo` cookbook doesn't support
+# setting setenv, which is needed because phab runs `sudo -E`.
+# Have filed https://github.com/chef-cookbooks/sudo/pull/72 for this.
+sudo 'vcsuser' do
+    template 'phab_sudo.erb'
+    variables commands: ['/usr/bin/git-upload-pack',
+                         '/usr/bin/git-receive-pack',
+                         '/usr/bin/hg',
+                         '/usr/bin/svnserve'],
+              nopasswd: true,
+              setenv: true,
+              sudoer: node['phabricator']['vcsuser'],
+              runas: node['phabricator']['user']
+end
+
+sudo 'www-data' do
+    template 'phab_sudo.erb'
+    variables commands: ['/usr/bin/git-http-backend'],
+              nopasswd: true,
+              setenv: true,
+              sudoer: 'www-data',
+              runas: node['phabricator']['user']
+end
+
+# Install Git, Mercurial, SVN
+%w(git subversion mercurial).each do |pkg|
+    package pkg do
+        action :install
+    end
+end

templates/default/phab_sudo.erb

@@ -0,0 +1,6 @@
+# This file is managed by Chef.
+# Do NOT modify this file directly.
+
+<% @commands.each do |command| -%>
+<%= @sudoer %> ALL=(<%= @runas %>) <%= 'NOPASSWD:' if @nopasswd %><%=  'SETENV:' if @setenv %><%= command %>
+<% end -%>

templates/default/ssh-phabricator/phabricator-ssh-hook.erb

@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+VCSUSER="#{node['phabricator']['vcsuser']"
+#
+# Path to Phabricator directory.
+ROOT="#{node['phabricator']['path']"
+
+if [ "$1" != "$VCSUSER" ];
+then
+  exit 1
+fi
+
+exec "$ROOT/bin/ssh-auth" $@

templates/default/ssh-phabricator/ssh-phabricator-hook.erb

@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+VCSUSER="<%= node['phabricator']['vcsuser'] %>"
+#
+# Path to Phabricator directory.
+ROOT="<%= File.join(node['phabricator']['path'],'phabricator') %>"
+
+if [ "$1" != "$VCSUSER" ];
+then
+  exit 1
+fi
+
+exec "$ROOT/bin/ssh-auth" $@

templates/default/ssh-phabricator/ssh-vcs.conf.erb

@@ -0,0 +1,27 @@
+# ssh for VCS
+#
+# This OpenSSH server provides ssh access to VCS for Phabricator
+
+description "SSH-VCS server"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+respawn limit 10 5
+umask 022
+
+env SSH_SIGSTOP=1
+expect stop
+
+# 'sshd -D' leaks stderr and confuses things in conjunction with 'console log'
+console none
+
+pre-start script
+    test -x /usr/sbin/sshd || { stop; exit 0; }
+
+end script
+
+# if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
+# 'exec' line here instead
+exec /usr/sbin/sshd -D -f /etc/ssh-phabricator/sshd_config

templates/default/ssh-phabricator/sshd_config.erb

@@ -0,0 +1,12 @@
+AuthorizedKeysCommand /usr/libexec/ssh-phabricator-hook
+AuthorizedKeysCommandUser <%= node['phabricator']['vcsuser'] %>
+
+Port <%= node['phabricator']['ssh_vcs_port'] %>
+Protocol 2
+PermitRootLogin no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+PrintLastLog no
+PasswordAuthentication no
+AuthorizedKeysFile none

test/integration/default/bats/default.bats

@@ -22,3 +22,21 @@
         [ $status -eq 0 ]
     }
 }
+
+@test "SSHD VCS is running" {
+    if [ $(lsb_release -r | awk '{print $2}') == "12.04" ]; then
+      skip "SSH hosting not supported on 12.04"
+    fi
+
+    run service ssh-vcs status
+    [ $status -eq 0 ]
+}
+
+@test "SSHd for VCS is listening" {
+    if [ $(lsb_release -r | awk '{print $2}') == "12.04" ]; then
+      skip "SSH hosting not supported on 12.04"
+    fi
+
+    run sh -c "netstat -nlp |grep :617"
+    [ $status -eq 0 ]
+}