From d0765f2055b11e976228ed0f9c77e91f35fd9e8b Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Thu, 18 Jan 2024 09:19:40 +0100
Subject: [PATCH] fix: dom0 as sys-git client

The salt module git.config_get does not work in Dom0 and does not have a key to set the system gitconfig.
---
 salt/dom0/install-dev.sls | 3 +++
 salt/sys-git/README.md | 6 ++++++
 salt/sys-git/files/client/git-core/git-init-qrexec | 4 ++--
 .../files/client/git-core/git-remote-qrexec-connect | 8 ++++----
 salt/sys-git/install-client.sls | 8 ++++++++
 5 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/salt/dom0/install-dev.sls b/salt/dom0/install-dev.sls
index 8dc9242..20db25d 100644
--- a/salt/dom0/install-dev.sls
+++ b/salt/dom0/install-dev.sls
@@ -6,6 +6,9 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 {% if grains['nodename'] == 'dom0' -%}
 
+include:
+  - sys-git.install-client
+
 "{{ slsdotpath }}-dev-updated":
   pkg.uptodate:
     - refresh: True
diff --git a/salt/sys-git/README.md b/salt/sys-git/README.md
index 3ca136a..f02f6fd 100644
--- a/salt/sys-git/README.md
+++ b/salt/sys-git/README.md
@@ -6,6 +6,7 @@ Git operations through Qrexec in Qubes OS.
 
 * [Description](#description)
 * [Alternatives comparison](#alternatives-comparison)
+* [Security](#security)
 * [Installation](#installation)
 * [Access control](#access-control)
 * [Usage](#usage)
@@ -42,6 +43,11 @@ implementation:
 | Validates Git communication | False | False | True | False |
 | Verifies tag signature | False | False | True | False |
 
+## Security
+
+It is not possible to filter Git's stdout from a Qrexec call as it is used by
+the local running git process.
+
 ## Installation
 
 - Top
diff --git a/salt/sys-git/files/client/git-core/git-init-qrexec b/salt/sys-git/files/client/git-core/git-init-qrexec
index 7d278be..eaa0de1 100755
--- a/salt/sys-git/files/client/git-core/git-init-qrexec
+++ b/salt/sys-git/files/client/git-core/git-init-qrexec
@@ -40,12 +40,12 @@ default_qube="sys-git"
 rpc_cmd="${vendor}.${rpc}+${repo}"
 
 if command -v qrexec-client-vm >/dev/null; then
-  exec qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  exec qrexec-client-vm -tT -- "${authority}" "${rpc_cmd}"
 elif command -v qrexec-client >/dev/null; then
   if test "${authority}" = "@default"; then
     authority="${default_qube}"
   fi
-  exec qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -tT -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
 fi
 
 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
diff --git a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
index ea69ad6..a461995 100755
--- a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
+++ b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
@@ -66,14 +66,14 @@ then
 fi
 
 if command -v qrexec-client-vm >/dev/null; then
-  log "->" qrexec-client-vm -- "${authority}" "${rpc_cmd}"
-  exec qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  log "->" qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
+  exec qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
 elif command -v qrexec-client >/dev/null; then
   if test "${authority}" = "@default"; then
     authority="${default_qube}"
   fi
-  log "->" qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
-  exec qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  log "->" qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
 fi
 
 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
diff --git a/salt/sys-git/install-client.sls b/salt/sys-git/install-client.sls
index 6dc4e62..228ca43 100644
--- a/salt/sys-git/install-client.sls
+++ b/salt/sys-git/install-client.sls
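Review bot: The `-tT` flags added to both exec lines are the only place in this script where the escape-character filtering of the service's stdout and stderr is decided, and nothing records why stdout may be filtered here while git-remote-qrexec-connect in the same commit filters only stderr; the two scripts will drift without a comment. I would add above the `if command -v qrexec-client-vm` line: `# -t/-T: filter escape characters in the service's stdout/stderr; init output is shown to the user, not parsed by git`. That comment should also state the assumption that nothing consumes this script's stdout programmatically, since the `-t` substitution would alter such data. The enclosing script continues outside the hunk on both sides.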
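Review bot: Each qrexec invocation in the git-remote-qrexec-connect hunk is written twice, once in the `log "->"` line and once in the `exec` line, so this commit had to touch four lines to add one flag and the pair can silently diverge. Building the argument vector once with `set --` and reusing it for both `log` and `exec` removes the duplication, assuming `log` simply prints its arguments as it appears to. Note that `-T` filters only the service's stderr; stdout stays unfiltered by design because git parses it, as the README addition in this commit states, so the server qube remains a trust boundary for git's own protocol parsing.

```shell
if command -v qrexec-client-vm >/dev/null; then
  set -- qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
elif command -v qrexec-client >/dev/null; then
  # … unchanged: @default -> default_qube fallback …
  set -- qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
else
  die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
fi
log "->" "$@"
exec "$@"
```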
@@ -29,6 +29,9 @@ include:
     'RedHat': {
       'exec_path': '/usr/libexec/git-core',
     },
+    'Qubes OS': {
+      'exec_path': '/usr/libexec/git-core',
+    },
   }.get(grains.os_family) -%}
 
 "{{ slsdotpath }}-install-client-git-core-dir":
@@ -46,3 +49,8 @@ include:
     - mode
     - user
     - group
+
+"{{ slsdotpath }}-install-client-allow-protocol":
+  cmd.run:
+    - name: git config --system protocol.qrexec.allow always
+    - runas: root
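Review bot: The `cmd.run` state added at the end of the second hunk is not idempotent: `git config --system protocol.qrexec.allow always` is re-executed and reported as changed on every highstate, unlike the declarative states around it. Guarding it with `- unless: test "$(git config --system --get protocol.qrexec.allow)" = always` makes the state converge. Separately, `always` is broader than git's default policy for an unknown remote-helper protocol, which is `user` and refuses the helper for invocations git does not consider user-initiated, such as recursive submodule fetches; unless the qrexec transport is meant to be reachable from a cloned repository's `.gitmodules`, `user` is the narrower setting, and a comment on the state should record which was intended. Qrexec policy still gates each call, so the question is how much a repository's contents can trigger, not a bypass.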