#!/bin/bash

# Post-install transition script for monkeysphere: moves an old
# (<0.23) setup over to the new (>=0.23) layout.

# The script is expected to run without any errors, so exit as soon as
# a command fails unhandled.
set -e

# Root of monkeysphere's system data; MONKEYSPHERE_SYSDATADIR overrides
# the default location.
SYSDATADIR="${MONKEYSPHERE_SYSDATADIR:-/var/lib/monkeysphere}"

# Per-role data directories of the new layout.
MADATADIR="$SYSDATADIR/authentication"
MHDATADIR="$SYSDATADIR/host"

# The pre-0.23 directories are moved here once their contents have
# been transferred.
STASHDIR="$SYSDATADIR/backup-from-0.23-transition"
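# Write a printf-style message to stderr.
# Arguments: $1 - printf format string; it must be a literal written in
#                 this script, never data read from a keyring
#            $2.. - values substituted into the format (pass any
#                 externally derived text here, via %s)
# Returns:   printf's status; 0 when called with no arguments.
log() {
    # printf with no format is a usage error, which would abort the
    # whole script under `set -e`; treat an empty call as a no-op.
    [ "$#" -gt 0 ] || return 0
    printf "$@" >&2
}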
# FIXME: implement this function better.  For now it only handles
# dots: it undoes both the escaping and the regexification of them.
#
# Filter: reads text on stdin and writes it to stdout with every
# literal `\x5c.` sequence replaced by a plain `.`.
gpg_unescape_and_unregex() {
    local undo_escaped_dot='s/\\x5c\././g'
    sed -e "$undo_escaped_dot"
}
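# Check that a string is shaped like a domain name.
# Arguments: $1 - candidate string
# Returns:   0 if $1 starts and ends with an alphanumeric character and
#            contains only alphanumerics, dots and hyphens in between
#            (so at least two characters); non-zero otherwise.
#
# This is the gate in front of text taken from an old trust signature
# before it is handed to add-identity-certifier as a --domain value, so
# it must judge the whole string.  Matching in the shell does that; a
# line-oriented grep would accept a multi-line value as soon as any one
# line matched.
is_domain_name() {
    # The hyphen sits last in the bracket expression so that it is
    # always a literal; written after a character class it can be read
    # as an (invalid) range.
    local domain_re='^[[:alnum:]][[:alnum:].-]*[[:alnum:]]$'
    [[ "$1" =~ $domain_re ]]
}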
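# run the authentication setup
monkeysphere-authentication setup

# before 0.23, the old gnupg-host data directory used to contain the
# trust core and the system's ssh host key.  If it is still present,
# carry both over to the new layout and then stash the old directory.

if [ -d "$SYSDATADIR"/gnupg-host ] ; then

### transfer identity certifiers, if they don't already exist in the
### current setup:

    # The pipeline itself is the condition (wrapping it in `[ ... ]`
    # never runs it as a command), and -E is needed for {40} to be a
    # repetition count rather than literal braces.
    if monkeysphere-authentication list-identity-certifiers | \
        grep -Eq '^[A-F0-9]{40}:$' ; then
        log 'There are already certifiers in the new system!\nNot transferring any certifiers.\n'
    else
        # get the old host keygrip (don't know why there would be more
        # than one, but we'll transfer all tsigs made by any key that
        # had been given ultimate ownertrust):
        for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-ownertrust | \
            grep ':6:$' | \
            sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do

            # we're assuming that old id certifiers were only added by
            # old versions of m-s c+, which added certifiers by
            # ltsigning entire keys.

            # so we'll walk the list of tsigs from the old host key,
            # and add those keys as certifiers to the new system.

            # FIXME: if an admin has run "m-s add-id-certifier $foo"
            # multiple times for the same $foo, we'll only transfer
            # one of those certifications (even if later
            # certifications had different parameters).

            # Only "fpr" records and good ("!") signatures made by
            # $authgrip survive the filter; each fpr line names the key
            # that the following sig lines belong to.
            GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --fingerprint --with-colons --fixed-list-mode --check-sigs | \
                cut -f 1,2,5,8,9,10 -d: | \
                grep -E '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
                while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
                case $type in
                    'fpr') # this is a new key
                        keyfpr=$fpr
                        ;;
                    'sig') # deal with all trust signatures, including
                           # regexes if present.
                        if [ "$keyfpr" ] ; then
                            # trustparams is "<depth> <level>"
                            trustdepth=${trustparams%% *}
                            trustlevel=${trustparams##* }
                            if [ "$trustlevel" -ge 120 ] ; then
                                truststring=full
                            elif [ "$trustlevel" -ge 60 ] ; then
                                truststring=marginal
                            else
                                # trust levels below marginal are ignored.
                                continue
                            fi

                            # Optional "--domain <name>" arguments, kept
                            # as an array so the value is passed as one
                            # word and never re-split by the shell.
                            finaldomain=()
                            if [ "$trustdomain" ] ; then
                                # FIXME: deal with translating
                                # $trustdomain back to a domain.
                                if printf "%s" "$trustdomain" | grep -Eq '^<\[\^>\]\+\[@\.\][^>]+>\$$' ; then
                                    dpart=$(printf "%s" "$trustdomain" | sed -r 's/^<\[\^>\]\+\[@\.\]([^>]+)>\$$/\1/' | gpg_unescape_and_unregex)
                                    # $dpart comes from signature data in
                                    # the old keyring: only use it if it
                                    # really looks like a domain name.
                                    if is_domain_name "$dpart" ; then
                                        finaldomain=(--domain "$dpart")
                                    else
                                        log "Does not seem to be a domain name (%s), not adding certifier\n" "$dpart"
                                        continue
                                    fi
                                else
                                    log "Does not seem to be a standard gpg domain-based tsig (%s), not adding certifier\n" "$trustdomain"
                                    continue
                                fi
                            fi

                            CERTKEY=$(mktemp "${TMPDIR:-/tmp}"/mstransition.XXXXXXXX)
                            log "Adding identity certifier with fingerprint %s\n" "$keyfpr"
                            # NOTE(review): confirm that the installed gpg
                            # accepts --export-clean; the documented
                            # spelling is --export-options export-clean.
                            GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export "0x$keyfpr" --export-clean >"$CERTKEY"
                            MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier "${finaldomain[@]}" --trust "$truststring" --depth "$trustdepth" "$CERTKEY"
                            rm -f "$CERTKEY"
                            # clear the fingerprint so that we don't
                            # make additional tsigs on it if more uids
                            # are present:
                            keyfpr=
                        fi
                        ;;
                esac
            done
        done
    fi

### transfer host key information (if present) into the new spot

    if [ -d "${MHDATADIR}" ] ; then
        log "Not transferring host key info because host directory already exists.\n"
    else
        if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \
            GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --with-colons --list-secret-keys | grep -q '^sec:' ; then

            # create host home, readable by its owner only, before any
            # secret key material is imported into it
            mkdir -p "${MHDATADIR}"
            chmod 0700 "${MHDATADIR}"

            log "importing host key from old monkeysphere installation\n"
            # The secret keys go straight from the old keyring into the
            # new one through a pipe, so they never touch a temp file.
            GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys | \
                GNUPGHOME="$MHDATADIR" gpg --import

            monkeysphere-host update-gpg-pub-file
        else
            log "No host key found in old monkeysphere install; not importing any host key.\n"
        fi
    fi


### get rid of this old stuff, since we've transferred it all:

    # NOTE: the stashed gnupg-host directory still holds the old host
    # secret key; the stash is kept at mode 0700 and should be removed
    # once the transition has been verified.
    mkdir -p "$STASHDIR"
    chmod 0700 "$STASHDIR"
    mv "${SYSDATADIR}/gnupg-host" "$STASHDIR"
fi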
# Nothing in the old authentication directory has to be kept, but it is
# not unreasonable to carry its keys over: they are imported into the
# new authentication keyring, and the old directory is then stashed.
old_auth_home="${SYSDATADIR}/gnupg-authentication"
if [[ -d "$old_auth_home" ]] ; then

    GNUPGHOME="$old_auth_home" gpg --export \
        | monkeysphere-authentication gpg-cmd --import

    # the stash is only accessible to its owner
    mkdir -p "$STASHDIR"
    chmod 0700 "$STASHDIR"
    mv "$old_auth_home" "$STASHDIR"
fi