From e9506862cf5876676c64bdf8f7b690d40c8ef95e Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sep 26 2018 09:52:59 +0000
Subject: Implement forbidden users for ssh options
Signed-off-by: Patrick Uiterwijk
---
diff --git a/doc/configuration.rst b/doc/configuration.rst
index 51c1b78..42cc82a 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -1545,6 +1545,12 @@ to ssh is specific for a unique Pagure user (i.e. not using a single "git@" user for all git operations).
+SSH_KEYS_USERNAME_FORBIDDEN
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A list of usernames that are exempted from being verified via the keyhelper.
+
+
 SSH_KEYS_USERNAME_EXPECT
 ~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/files/keyhelper.py b/files/keyhelper.py
index c248a61..8d9448f 100644
--- a/files/keyhelper.py
+++ b/files/keyhelper.py
@@ -47,6 +47,11 @@ username_lookup = pagure_config["SSH_KEYS_USERNAME_LOOKUP"]
 expect_username = pagure_config["SSH_KEYS_USERNAME_EXPECT"]
+if username in pagure_config["SSH_KEYS_USERNAME_FORBIDDEN"]:
+ print("User is forbidden for keyhelper.", file=sys.stderr)
+ sys.exit(1)
+
+
 if not username_lookup:
 if not expect_username:
 print("Pagure keyhelper configured incorrectly", file=sys.stderr)
diff --git a/pagure/default_config.py b/pagure/default_config.py
index 287bd62..d31f143 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -506,6 +506,8 @@ REPOSPANNER_REGIONS = {}
 # Configuration for the key helper
 # Look a username up in the database, overrides SSH_KEYS_USERNAME_EXPECT
 SSH_KEYS_USERNAME_LOOKUP = False
+# Except certain usernames from being used via the keyhelper
+SSH_KEYS_USERNAME_FORBIDDEN = ["root"]
 # Username to expect for ssh. Set to None to disallow any access
 SSH_KEYS_USERNAME_EXPECT = None
 # Arguments to add to the SSH keys, possible replacements:
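Review bot: The new guard compares `username` — assigned above this hunk, from the script's arguments — against the configured list, so it refuses the system account name that sshd hands to the keyhelper, not whatever Pagure account the rest of the script presumably resolves from the key; with SSH_KEYS_USERNAME_EXPECT in use (one shared git user) the list can therefore only ever match that shared user, which deserves a comment such as `# Refuse the OS user sshd passed in; this runs before any key/user lookup`. The membership test also assumes the option is a list: a deployment that sets it to a plain string gets substring semantics (`"root" in "rootless"` is true), so the "configured incorrectly" path the script already uses for bad settings would be a reasonable place to reject a non-list value. The top-level statement run this hunk sits in continues outside the hunk on both sides.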
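Review bot: The comment `# Except certain usernames from being used via the keyhelper` reads as "exempt" (skip the check for these users), which is the opposite of what keyhelper.py does with the list — it prints an error and exits 1 for them — and the configuration.rst hunk's "exempted from being verified" carries the same ambiguity. Suggest `# Usernames the keyhelper always refuses (exit 1), regardless of LOOKUP/EXPECT` here and matching wording in the docs. Because the default is a list literal, a deployment config that sets this option presumably replaces the whole list rather than extending it, so `root` would have to be re-listed; the documentation entry could say so.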