authorRobin H. Johnson <robbat2@gentoo.org>2024-01-19 22:41:55 -0800
committerRobin H. Johnson <robbat2@gentoo.org>2024-01-20 16:44:17 -0800
commit1d97aa4c8425ec34bebe55cc19ee46080f27ef9a (patch)
tree68c814c1ba8122a500124dcfcd760dfadb213e27
parenttest: pin ssh-keygen key type for tests (diff)
feat: GL_METADATA during non-repo commandsgitolite-gentoo-3.6.13
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rw-r--r--README.Gentoo29
-rwxr-xr-xsrc/commands/sshkeys-lint3
-rwxr-xr-xsrc/gitolite-shell7
-rw-r--r--src/lib/Gitolite/Conf/Load.pm68
-rw-r--r--src/lib/Gitolite/Rc.pm5
-rwxr-xr-xsrc/triggers/post-compile/ssh-authkeys1
-rw-r--r--t/keys/admin.pub2
-rw-r--r--t/keys/u1.pub4
-rw-r--r--t/keys/u2.pub2
-rw-r--r--t/keys/u3.pub2
-rw-r--r--t/keys/u4.pub2
-rw-r--r--t/keys/u5.pub2
-rw-r--r--t/keys/u6.pub2
-rw-r--r--t/metadata.t141
-rwxr-xr-xt/ssh-authkeys.t12
15 files changed, 253 insertions, 29 deletions
diff --git a/README.Gentoo b/README.Gentoo
index 50d9c4b..517c381 100644
--- a/README.Gentoo
+++ b/README.Gentoo
@@ -8,30 +8,41 @@ Features:
Additional metadata can be provided to be passed to the gitolite environment
This can be useful if you want to pass additional metadata to the hooks,
- for e.g. cia.vc or other services.
- You can set a list of allow/parsed variables (GL_METADATA) and a list of
- *required* variables (GL_METADATA_REQUIRED).
+ e.g. notification services, or extra validation.
+
+ You can set:
+ - list of allow/parsed variables (GL_METADATA)
+ - list of *required* variables (GL_METADATA_REQUIRED).
+ - list of *appended* variables (GL_METADATA_APPENDED).
Example:
.gitolite.rc:
%RC = (
...
- GL_METADATA => [ 'realname-ascii', 'cia-user' ],
- GL_METADATA_REQUIRED => [ 'realname-ascii', 'cia-user' ],
+ GL_METADATA => [ 'realname-ascii', 'github-user', 'gpg-fpr' ],
+ GL_METADATA_REQUIRED => [ 'realname-ascii', 'gpg-fpr' ],
+ GL_METADATA_APPENDED => [ 'gpg-fpr' ],
...
)
keydir/$user.pub:
# realname-ascii: foo bar
- # cia-user: foo
+ # github-user: foo
+ # gpg-fpr: 0123456789ABCDEF
+ # gpg-fpr: ABCDEF0123456789
ssh-rsa ... user@host
- The hooks can then use $realname_ascii and $cia_user from the
- environment.
+ The hooks can then use the variables from the environment, and they
+ should available as follows:
+
+ realname_ascii='foo bar'
+ github_user='foo'
+ gpg_fpr='0123456789ABCDEF ABCDEF0123456789'
+
Each '-' (dash) will be replaced by an '_' (underscore).
If you want other metadata or information from the .pub files, you
- should look at the base Gitolite v3 documentation for "distinguishing
+ must look at the base Gitolite v3 documentation for "distinguishing
one key from another" and enable the '--key-file-name' option to
'ssh-authkeys'.
diff --git a/src/commands/sshkeys-lint b/src/commands/sshkeys-lint
index b67e77d..ca23ce1 100755
--- a/src/commands/sshkeys-lint
+++ b/src/commands/sshkeys-lint
@@ -19,7 +19,8 @@ $|++;
my $in_gl_section = 0;
my $warnings = 0;
-my $KEYTYPE_REGEX = qr/\b(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\b/;
+use Net::SSH::AuthorizedKey::SSH2;
+our $KEYTYPE_REGEX = ${Net::SSH::AuthorizedKey::SSH2::KEYTYPE_REGEX};
sub msg {
my $warning = shift;
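Review bot: `$KEYTYPE_REGEX` is now taken from a package variable of Net::SSH::AuthorizedKey::SSH2 with no version requirement, so on a module build that does not define that variable the `our` is silently undef and any later match against it degrades to an empty pattern instead of a lint failure. Require the version the ssh-authkeys trigger already pins from the same distribution and fail loudly, e.g. `use Net::SSH::AuthorizedKey::SSH2 0.17;` followed by `defined $KEYTYPE_REGEX or die "Net::SSH::AuthorizedKey::SSH2 provides no KEYTYPE_REGEX";`. The change from `my` to `our` also widens the variable to a package global, which looks unnecessary unless something else reads it; `my` would keep it file-scoped. Where the regex is applied is outside this hunk, so whether an undef value is caught there cannot be confirmed here.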
diff --git a/src/gitolite-shell b/src/gitolite-shell
index e8efe3d..71d1a85 100755
--- a/src/gitolite-shell
+++ b/src/gitolite-shell
@@ -106,6 +106,11 @@ sub main {
# set up the user
my $user = $ENV{GL_USER} = shift @ARGV;
+ # set up the key file name (might be absent)
+ my $kfn = $ENV{GL_KFN} = shift @ARGV;
+
+ # Load user data for the non-git commands
+ env_user_options($user, $kfn);
# set up the repo and the attempted access
my ( $verb, $repo ) = parse_soc(); # returns only for git commands
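Review bot: `$kfn` is stored in `%ENV` before it is known to exist, so for a `command=` line generated without `--key-file-name` the new line assigns undef to `$ENV{GL_KFN}` (whether that leaves the variable unset or empty is up to Perl's %ENV magic, and it may warn under `use warnings`); prefer `$ENV{GL_KFN} = $kfn if defined $kfn;`. The value is later joined onto GL_ADMIN_BASE as a path in Load.pm without any shape check; since authorized_keys is produced by the admin-owned trigger this is defense in depth rather than a live hole, but a cheap guard here is worth it, assuming the trigger always emits paths under keydir/ as the test in t/ssh-authkeys.t shows: `_die "bad key file name: $kfn" if defined $kfn && ($kfn !~ m{^keydir/} || $kfn =~ m{(^|/)\.\.(/|$)});`. main() continues outside the hunk.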
@@ -114,7 +119,7 @@ sub main {
my $aa = ( $verb =~ 'upload' ? 'R' : 'W' );
# set up env vars from options set for this repo
- env_options($repo, $user);
+ env_options($repo, $user, $kfn);
# auto-create?
if ( repo_missing($repo) and access( $repo, $user, '^C', 'any' ) !~ /DENIED/ ) {
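Review bot: env_user_options now runs twice for every git command: once on the line added in the previous hunk for the benefit of non-git commands, and again inside env_options, which Load.pm's new version calls itself with the same `$user`/`$kfn`. Each run re-reads the pubkey files and shells out to `find` when no key file name was passed, so the second pass is repeated work and a second chance for the conflict `_die` to fire with an identical message. Either drop the call inside env_options, if no other caller of env_options depends on it, or skip the early call when parse_soc() is going to reach this path. main() continues outside the hunk.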
diff --git a/src/lib/Gitolite/Conf/Load.pm b/src/lib/Gitolite/Conf/Load.pm
index 8c89759..0744ee3 100644
--- a/src/lib/Gitolite/Conf/Load.pm
+++ b/src/lib/Gitolite/Conf/Load.pm
@@ -9,6 +9,7 @@ package Gitolite::Conf::Load;
access
git_config
env_options
+ env_user_options
option
repo_missing
@@ -227,6 +228,8 @@ sub env_options {
my $cwd = getcwd();
my $repo = shift;
+ my $user = shift;
+ my $kfn = shift;
map { delete $ENV{$_} } grep { /^GL_OPTION_/ } keys %ENV;
my $h = git_config( $repo, '^gitolite-options.ENV\.' );
while ( my ( $k, $v ) = each %$h ) {
@@ -238,26 +241,39 @@ sub env_options {
# GL_ADMIN_BASE should also be absolute
chdir($cwd);
+ env_user_options($user, $kfn);
+
+}
+
+sub env_user_options {
+ return unless -f "$rc{GL_ADMIN_BASE}/conf/gitolite.conf-compiled.pm";
+ #$ENV{'GL_env_user_options'} = printf "%d", (int($ENV{'GL_env_user_options'} || '0') + 1);
+ # prevent catch-22 during initial install
my $user = shift;
+ my $kfn = shift;
+ $kfn = undef if $kfn && $kfn eq '';
if($user) {
my @pubkeys;
# ssh-authkeys --key-file-name passes the actual pubkey file!
- if(defined($ARGV[0])) {
- my $f = $rc{GL_ADMIN_BASE}.'/'.$ARGV[0];
+ if(defined($kfn)) {
+ my $f = $rc{GL_ADMIN_BASE}.'/'.$kfn;
push @pubkeys, $f if -f $f;
}
- # This catches the base 'user.pub', 'user@host.pub', exact matches
my $keydir = $rc{GL_ADMIN_BASE}.'/keydir/';
- if(-d $keydir) {
+ if(scalar(@pubkeys) == 0 && -d $keydir) {
+ # exact matches: base 'user.pub', 'user@host.pub'
push @pubkeys, `find "$keydir" -type f -name "${user}.pub"`;
- # this catches 'user@host@NN.pub' variant, for email-named users with multiple keys
- push @pubkeys, `find "$keydir" -type f -name "${user}@*.pub"` if $user =~ m/@/;
+ # 'user@host@NN.pub' variant, for email-named users with multiple keys
+ push @pubkeys, `find "$keydir" -type f -name "${user}@*.pub"` if $user =~ m/@/ && $user !~ m/@.*@/;
}
chomp(@pubkeys);
- return if $#pubkeys <= 0;
+ return if scalar(@pubkeys) <= 0;
+
+ my %GL_METADATA;
+ foreach (@{$rc{'GL_METADATA'}}, @{$rc{'GL_METADATA_REQUIRED'}}, @{$rc{'GL_METADATA_APPENDED'}}) {
+ $GL_METADATA{$_} = '';
+ }
- # If they have multiple pubkeys, they SHOULD be the same, but we check
- # anyway.
foreach my $pubkey (@pubkeys) {
my $pk_fh = _open('<', $pubkey);
while(defined(my $line = <$pk_fh>)) {
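Review bot: `$kfn = undef if $kfn && $kfn eq '';` can never fire, because an empty string is false and short-circuits the first operand; the intended normalisation is `$kfn = undef if defined $kfn && $kfn eq '';` (as written an empty name falls through to `defined($kfn)`, builds `GL_ADMIN_BASE/` and is rejected only by `-f`, so the mistake is masked rather than harmful). The modified `find` line still interpolates `$user` into a shell command via backticks; gitolite-shell presumably validates GL_USER before this point, but `glob("$keydir/${user}@*.pub")` or File::Find would remove the shell from the path entirely, and the same applies to the unchanged `find` line above it. The commented-out debugging `printf` sits between the `return unless -f ...` and the "prevent catch-22" comment that explains it; drop the dead line and move the comment above the return. env_options begins before this hunk and env_user_options continues into the next one.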
@@ -266,16 +282,36 @@ sub env_options {
$line =~ s/^\s*#\s*//;
my ($variable, $value) = split(/:\s*/, $line, 2);
+ chomp($value);
+ $value =~ s/^\s+|\s+$//;
- if(grep(/^\Q${variable}\E$/, @{$rc{'GL_METADATA'}})) {
+ if(grep(/^\Q${variable}\E$/, keys %GL_METADATA)) {
if(length($value) > 0) {
- $variable =~ s/-/_/g;
- _die "Metadata $variable has conflicted values: '$ENV{$variable}' vs '$value'" if(defined($ENV{$variable}) and $ENV{$variable} ne $value);
- $ENV{$variable} = $value;
- }
- }
- }
+ if(grep(/^\Q${variable}\E$/, @{$rc{'GL_METADATA_APPENDED'}})) {
+ # Metadata should appear 0+/1+ times.
+ $GL_METADATA{$variable} .= ' '.$value; # TODO: what should this seperator really be?
+ } else {
+ # Metadata should appear exactly once
+ if($GL_METADATA{$variable} ne '' && $GL_METADATA{$variable} ne $value) {
+ _die "Metadata $variable has conflicted values: '$GL_METADATA{$variable}' vs '$value';"
+ }
+ $GL_METADATA{$variable} = $value;
+ }
+ } # if(length($value) > 0)
+ } # variable in GL_METADATA
+ } # pk_fh
close($pk_fh);
+ } # foreach pubkey
+
+ # GL_METADATA -> ENV
+ foreach my $k0 (keys %GL_METADATA) {
+ my $k1 = $k0;
+ my $v = $GL_METADATA{$k0};
+ $k1 =~ s/-/_/g;
+ chomp $v;
+ $v =~ s/^\s+|\s+$//;
+ delete $ENV{$k1};
+ $ENV{$k1} = $v if length($v) > 0;
}
}
}
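Review bot: a comment line whose text has no colon leaves `$value` undef after the `split`, and the new `chomp($value)` and `s/^\s+|\s+$//` then emit "uninitialized value" warnings for every such line in every key file; add `next unless defined $value;` right after the split (the `grep` below would skip the line anyway). The whitespace trim is also missing `/g`, so it removes only the first of a leading or trailing run; harmless here because `split(/:\s*/)` already consumed the leading space, but `s/^\s+|\s+$//g` is what was meant, both here and in the export loop at the bottom. Values are placed in `%ENV` verbatim, so hooks that hand them to a shell must still quote them; a one-line comment above the export loop, `# values are exported unescaped; hooks must quote them before shell use`, would save the next reader a grep. The enclosing sub starts in the previous hunk.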
diff --git a/src/lib/Gitolite/Rc.pm b/src/lib/Gitolite/Rc.pm
index 87387d3..fa65a3f 100644
--- a/src/lib/Gitolite/Rc.pm
+++ b/src/lib/Gitolite/Rc.pm
@@ -308,7 +308,10 @@ sub trigger {
# name, so setup env from options
require Gitolite::Conf::Load;
Gitolite::Conf::Load->import('env_options');
- if($_[0] && $_[1]) {
+ if($_[0] && $_[1] && $_[2]) {
+ env_options($_[0], $_[1], $_[2]);
+ }
+ elsif($_[0] && $_[1]) {
env_options($_[0], $_[1]);
}
elsif($_[0]) {
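Review bot: the new three-argument branch duplicates the two-argument one: env_options takes its extra `$kfn` with a plain `shift`, so passing `$_[2]` as undef is equivalent to omitting it, and the truthiness test `$_[0] && $_[1] && $_[2]` would also misroute a key file name of `'0'` (unlikely, but it shows the condition tests truth, not definedness). Collapse both into `if ($_[0] && $_[1]) { env_options($_[0], $_[1], $_[2]); }` and keep the existing `elsif($_[0])` fallback. The rest of trigger() is outside the hunk.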
diff --git a/src/triggers/post-compile/ssh-authkeys b/src/triggers/post-compile/ssh-authkeys
index a95018d..4735bfb 100755
--- a/src/triggers/post-compile/ssh-authkeys
+++ b/src/triggers/post-compile/ssh-authkeys
@@ -11,6 +11,7 @@ use Gitolite::Common;
# To parse the pubkeyfile with options etc.
# 0.16 adds ecdsa keys
# 0.17 adds ed25519 keys
+# 0.17.xx Gentoo patching adds security keys
use Net::SSH::AuthorizedKeysFile 0.17;
$|++;
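Review bot: the new comment says FIDO security-key support comes from the Gentoo "0.17.xx" patching, but the `use Net::SSH::AuthorizedKeysFile 0.17;` requirement right below it is unchanged, so an unpatched upstream 0.17 still satisfies the load and such keys would presumably be dropped later at runtime instead of being caught at compile time. If the patched package carries a distinct `$VERSION`, pin it here with the real number; if it does not, say so in the comment, e.g. `# NOTE: the Gentoo security-key patch does not bump $VERSION, so this pin cannot enforce it`.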
diff --git a/t/keys/admin.pub b/t/keys/admin.pub
index b50a5b9..81c488d 100644
--- a/t/keys/admin.pub
+++ b/t/keys/admin.pub
@@ -1 +1,3 @@
+# glt-meta-required: admin_req
+# glt-meta-optional: admin_opt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDT9fu7B3vE68LdRNloCcU5HnGqF2BzJzy+Td3Vtde2GK5RKarm3i6FL2qPSKyZw9fRhE2FIMSWi0bUpJanwNx4mlHZzsZiYQumqgTt5tU+cQEpjRw9f4b0pk2BsnLLHflCWkmaU74uKYzSg7xdqtGmGfeRzSMJMspojmd0SMYMcfh+w57CWvJbtrRFH9usw2IlhjPLkAMI6QCfJdCZutBbidE4I+oWiMEVMQEul7wS44OUlcSZEelrWT6T+CsWCn9zXFs6uOjHXbstlPi+Qt/n6VLCSGryjLNYdStD6tQlmyyLUsIYRlK52Ffmt6qSyYiVPBfQY8gjBLBkU1XGGPnX g3@sita-lt.atc.tcs.com
diff --git a/t/keys/u1.pub b/t/keys/u1.pub
index 264c1f0..3bce015 100644
--- a/t/keys/u1.pub
+++ b/t/keys/u1.pub
@@ -1 +1,5 @@
+# glt-meta-required: u1_req
+# glt-meta-optional: u1_opt
+# glt-meta-append: u1.entry1
+# glt-meta-append: u1.entry2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4HweYnlRffTEWS2a+UuBKvOwYjNKJiIBgfx5Tp6kkav/GNgP0YTob0Rwv781NzTOI+EhS1Wb6H6QUQe1DVV44US5W5YC6Q81dEUOtg4x95HhTWHuiVPnxTf4iVy2t4pq9ev7ts8+FuG90HsU8zzG6xo9/BPoEbixOofI48vlrd5dbtKm25UPzso0cqjeyRZxtvvwRVC3sx8IxNqbpfY7hjTLV1rnWQ6G3qpFp4kehoCNcHhWlj2UlJAD4qbm5i74UjCfz3Ps/iPZpQ1kWrZQ5LC5WJ6RJHqV8e+iu3KHxgWtJFSxDht6tlQgIOnQSTYGImKtaI9cCn27HBeaz1Ru9 g3@sita-lt.atc.tcs.com
diff --git a/t/keys/u2.pub b/t/keys/u2.pub
index 916dcf5..f537897 100644
--- a/t/keys/u2.pub
+++ b/t/keys/u2.pub
@@ -1 +1,3 @@
+# glt-meta-required: u2_req
+# glt-meta-optional: u2_opt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDj+3dZXir3wyVhX0lu9t/uATYPOK3p0PzEexYGHbBOaCBAz0jZGw+nW1Mig6m3hh2VPNXjXnvsEotUy+obsDGdWWMLv6bs+tPZibEQauttysd5se76nCHSWQ38IjPoweNbMtsWJGgeEqH0vJ9KIrEKAnd3KMWACcD7CteTAh89Ebyo4uSxvUpSwx19ibQ5QQL+YdTZ2whLkchjrGHLlDkFdaCR9hQrssvsTLDp98uG+rhT229C/67rhCjB7DgFjgHyu/JvveIQZwicgXYlFjSNULzIkV6NMmjYoqVfG7wzIC0CG2FwcTqADvGafV3xMXuzEcM2qmu8P2YtONRV3PWj g3@sita-lt.atc.tcs.com
diff --git a/t/keys/u3.pub b/t/keys/u3.pub
index e97645c..075abe2 100644
--- a/t/keys/u3.pub
+++ b/t/keys/u3.pub
@@ -1 +1,3 @@
+# glt-meta-required: u3_req
+# glt-meta-optional: u3_opt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsrq5CSCgCdL7Dq+zgOa9059wZ0VTOHeK8cBce6DuyOMoZQHYrBxc3ByYk+3I1czQEn1mg4lKomjlxYsyXtCfUcG5u7IzTYh30Sp4m7Vi2f+LVcVg0ynx+PjCZrctlN147LehyRt5+TDpVBSrdyF5ch5pWlP3WOy7IhoTR6NaSMYy7n3rNcVBlhNI7bxMhiCFG+Fcarlb2EndXaT5kBD8CxZCqMrheu4gKL5EZGkqPn0QIjtXMiurgxQS2L7cuV1pjq3JixMZAu0Uli76X9lq+Ssz3v1w87Et6iLxkc9M8qHpqx2tlcDYnr74jIiA3LZDiw3FOaQiVT8QPKy9NMZ0z g3@sita-lt.atc.tcs.com
diff --git a/t/keys/u4.pub b/t/keys/u4.pub
index 06f3648..11f809a 100644
--- a/t/keys/u4.pub
+++ b/t/keys/u4.pub
@@ -1 +1,3 @@
+# glt-meta-required: u4_req
+# glt-meta-optional: u4_opt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZaDduXtPQLxW5Hwd1sCqbC9Afj9P+ZpqqVB4mpwBNGBZA0O9W2ERqxbkrHwPNxJVFZLRwnkSlMsa+uzzhpeB2+DpPAVko7+6OuQUNmbD2F3gj8O/R2n9juGKZLy8C+edZ9jKokGJfimUTH0qDyhYfDLworcccqg7yMBYAc5Y7cYwHwFXXbxUui8YHpKn30auCW3M/1SE1Ee392hre97z58OTvzZJqd1VNNH0w0u3uqExI4qtuagVa0vfpbmGZWMUZNkLVk0hTo+KrKBSo+3IBhuXC/+dnfmzvYqbE/tJ5qDdKy5lQ+dGMzg9n7tgTu1w9M5TFxy3zG5NleCOHZaI3 g3@sita-lt.atc.tcs.com
diff --git a/t/keys/u5.pub b/t/keys/u5.pub
index 96a0045..7ee9d01 100644
--- a/t/keys/u5.pub
+++ b/t/keys/u5.pub
@@ -1 +1,3 @@
+# glt-meta-required: u5_req
+# glt-meta-optional: u5_opt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjUDRtjr7RqQ1ImVHY95EBM22dwBFdU5RqvsI1rHA+pVdBHX5OZT16+YgSREt/SQUBrsvdAMWugW7iwOJImO99giQd2jE7gWTXbw8kGE5shdpqspxQEhnb3/wjd1N52rkJj9gcv8CNpP7RWS1ZftjCKC8YNqatcAqqOdbWZYqnpM2Pxum+mkG+PfK91ig4ti8Kz9Ip8p2VrKeCKKFNsoQs9xG7w3NjEeIXZv+7S3fV690/R8D9qkCyUqEd0KbxJxkm7Ih3O1yiAEUTl0abSHeqVskq8pPwmZNyBDlMEFyao9WZSSac+8jN3YbsPWyZsTEbsuep6QdxL129o+cXQHeh g3@sita-lt.atc.tcs.com
diff --git a/t/keys/u6.pub b/t/keys/u6.pub
index de5b06b..4e6cd06 100644
--- a/t/keys/u6.pub
+++ b/t/keys/u6.pub
@@ -1 +1,3 @@
+# glt-meta-required: u6_req
+# glt-meta-optional: u6_opt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHJGNFPxGhIOcCdtl2tONeEEyuR81+iVYWpzeoCMCjxOans2yftH4oKXfVEOQL27iWXgA58X1sh0/2i8NW9ehMyiI509NiqydowEGkMfTi/EgPZTmsQ6FLNu9NrPNpKVg0UQPZr1sx9Qu4XpbFyEU8FAaFNloLxwMCRLlhhe+MdcCfUY2Sm/STmqW0Py+MmgzsyDkkubzhZ6M9DkKbA5eqxCPr1lRkTIDwneipZViQSGliRsoi7NoeStMLQ9RAnwxLfAzzfnxtannfNgUkyTIvVr/MlA84xoOIVNdePVS57/lmQgz9+SQ4wttoKAQUIxsvweRUSrhDR0uEkqXUh3Nt g3@sita-lt.atc.tcs.com
diff --git a/t/metadata.t b/t/metadata.t
new file mode 100644
index 0000000..70babce
--- /dev/null
+++ b/t/metadata.t
@@ -0,0 +1,141 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use 5.10.0;
+use Data::Dumper;
+
+# this is hardcoded; change it if needed
+use lib "$ENV{PWD}/src/lib";
+use Gitolite::Common;
+use Gitolite::Test;
+use Gitolite::Rc;
+use Gitolite::Conf::Load;
+
+BEGIN {
+ $ENV{G3T_RC} = "$ENV{HOME}/g3trc";
+ put "$ENV{G3T_RC}", "";
+}
+
+my $bd = `gitolite query-rc -n GL_BINDIR`;
+my $h = $ENV{HOME};
+my $ab = `gitolite query-rc -n GL_ADMIN_BASE`;
+my $ak = "$ENV{HOME}/.ssh/authorized_keys";
+my $kd = `gitolite query-rc -n GL_ADMIN_BASE` . "/keydir";
+umask 0077;
+
+# test metadata in keyfiles
+# ----------------------------------------------------------------------
+confreset; confadd '
+ @g1 = u1
+ @g2 = u2
+ repo foo
+ RW = @g1 u3
+ R = @g2 u4
+';
+
+
+# This is a special command to test that metadata is exporter to the
+# environment for hooks/commands to use.
+my $printenv_cmd = $bd.'/commands/printenv.t';
+
+open(FH, '>>', $ENV{HOME}.'/.gitolite.rc');
+
+print FH <<"EOF";
+\$RC{GL_METADATA} = [ 'glt-meta-required', 'glt-meta-optional', 'glt-meta-append' ];
+\$RC{GL_METADATA_REQUIRED} = [ 'glt-meta-required' ];
+\$RC{GL_METADATA_APPENDED} = [ 'glt-meta-append' ];
+push \@{ \$RC{ENABLE} }, "printenv.t";
+
+# Required as last line.
+1;
+EOF
+
+close FH;
+
+put $printenv_cmd, <<'EOF';
+#!/bin/sh
+#printenv -0 |grep --null-data -i -e gl -e glt -e gitolite |sort -z |tr '\0' '\n'
+printenv |grep -i -e gl -e glt -e gitolite |sort
+EOF
+chmod 0755, $printenv_cmd;
+
+END {
+ unlink $printenv_cmd;
+}
+
+try "
+ plan 49;
+
+ grep printenv $printenv_cmd; ok or die 8;
+
+ # reset stuff
+ rm -f $h/.ssh/authorized_keys; ok or die 1
+
+ cp $bd/../t/keys/u[1-6]* $h/.ssh; ok or die 2
+ cp $bd/../t/keys/admin* $h/.ssh; ok or die 3
+ cp $bd/../t/keys/config $h/.ssh; ok or die 4
+ cat $h/.ssh/config
+ perl s/%USER/$ENV{USER}/
+ put $h/.ssh/config
+
+ mkdir $kd/; ok or die 5
+ cp $bd/../t/keys/*.pub $kd/; ok or die 6
+
+ # Setup authorized_keys with third parameter for keyfiles names, and validates the metadata.
+ gitolite ../triggers/post-compile/ssh-authkeys --key-file-name; ok or die 7;
+
+ ssh u1 printenv.t; ok; /glt_meta/
+ /glt_meta_required=u1_req/
+ /glt_meta_optional=u1_opt/
+ !/glt_meta_required=u2_req/
+ !/glt_meta_optional=u2_opt/
+ /glt_meta_append=u1.entry1 u1.entry2/
+ !/glt_meta_append=u1.entry1 u1.entry2./
+
+ ssh u2 printenv.t; ok; /glt_meta/
+ !/glt_meta_required=u1_req/
+ !/glt_meta_optional=u1_opt/
+ /glt_meta_required=u2_req/
+ /glt_meta_optional=u2_opt/
+
+ ## Set u1 key to be missing required metadata
+ cat $kd/u1.pub
+ perl s/glt/xglt/g
+ put $kd/u1.pub
+
+ # Should *omit* the u1 key
+ gitolite ../triggers/post-compile/ssh-authkeys --key-file-name; ok or die 8;
+ grep keydir/u1.pub $ak; !ok; !/opt.u1/
+
+ ## Set u1 key to be have metadata key conflicts
+ cat $bd/../t/keys/u1.pub ; ok
+ put $kd/u1.pub ; ok
+ echo '# glt-meta-optional: xxconflict' >>$kd/u1.pub ; ok
+
+ # Should ssh-authkeys should WORK, NON-FATAL
+ gitolite ../triggers/post-compile/ssh-authkeys --key-file-name; ok or die 9;
+ # But this should fail with the conflict
+ ssh u1 printenv.t; !ok; /Metadata glt-meta-optional has conflicted values:/
+ /glt-meta-optional.*u1_opt/
+ /glt-meta-optional.*xxconflict/
+
+ # Repair key.
+ cp $bd/../t/keys/*.pub $kd/; ok or die 10
+
+ # Setup authorized_keys with scan for keyfile based on user.
+ gitolite ../triggers/post-compile/ssh-authkeys; ok or die 11;
+
+ ssh u1 printenv.t; ok; /glt_meta/
+ /glt_meta_required=u1_req/
+ /glt_meta_optional=u1_opt/
+ !/glt_meta_required=u2_req/
+ !/glt_meta_optional=u2_opt/
+ /glt_meta_append=u1.entry1 u1.entry2/
+ !/glt_meta_append=u1.entry1 u1.entry2./
+
+ ssh u2 printenv.t; ok; /glt_meta/
+ !/glt_meta_required=u1_req/
+ !/glt_meta_optional=u1_opt/
+ /glt_meta_required=u2_req/
+ /glt_meta_optional=u2_opt/
+";
diff --git a/t/ssh-authkeys.t b/t/ssh-authkeys.t
index 43dec2e..e59f97e 100755
--- a/t/ssh-authkeys.t
+++ b/t/ssh-authkeys.t
@@ -15,7 +15,7 @@ my $ak = "$ENV{HOME}/.ssh/authorized_keys";
mkdir("$ENV{HOME}/.ssh", 0700) if not -d "$ENV{HOME}/.ssh";
my $kd = `gitolite query-rc -n GL_ADMIN_BASE` . "/keydir";
-try "plan 49";
+try "plan 55";
my $pgm = "gitolite ../triggers/post-compile/ssh-authkeys";
@@ -74,4 +74,14 @@ try "
# duplicate gl key
cp bob.pub robert.pub
$pgm; ok; /robert.pub duplicates.*bob.pub/
+ rm robert.pub; ok;
+
+ # Check key-file-name functionality
+ # should be disabled by default
+ $pgm;
+ grep -n dave $ak; ok; /command=.\Q$ENV{GL_BINDIR}/\Egitolite-shell dave. ssh/
+
+ # and only apply when enabled
+ $pgm --key-file-name; ok;
+ grep -n dave $ak; ok; /command=.\Q$ENV{GL_BINDIR}/\Egitolite-shell dave keydir/dave.pub. ssh/
";
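Review bot: the first `$pgm;` invocation in the new block is not followed by `ok`, unlike the `--key-file-name` run two lines later, so a failure of the default (disabled) run would only surface indirectly through the following grep; make it `$pgm; ok;` and raise the plan in the earlier hunk to 56. The enabled-case regex pins `keydir/dave.pub` as a path relative to GL_ADMIN_BASE, which is the contract Load.pm later relies on when joining it; a short comment, `# key file name is relative to GL_ADMIN_BASE`, would record why that exact form is asserted.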