Modify how logging is handled. Now send most everything to stderr.
[monkeysphere.git] / src / common
old mode 100755 (executable)
new mode 100644 (file)
index 073b8af..0f98923
@@ -14,8 +14,8 @@
 # managed directories
 ETC="/etc/monkeysphere"
 export ETC
-LIB="/var/lib/monkeysphere"
-export LIB 
+CACHE="/var/cache/monkeysphere"
+export CACHE
 ########################################################################
 
 failure() {
@@ -23,14 +23,8 @@ failure() {
     exit ${2:-'1'}
 }
 
-# write output to stdout
-log() {
-    echo -n "ms: "
-    echo "$@"
-}
-
 # write output to stderr
-loge() {
+log() {
     echo -n "ms: " 1>&2
     echo "$@" 1>&2
 }
@@ -82,27 +76,36 @@ unescape() {
     echo "$1" | sed 's/\\x3a/:/'
 }
 
-# stand in until we get dkg's gpg2ssh program
-gpg2ssh_tmp() {
+# convert key from gpg to ssh known_hosts format
+gpg2known_hosts() {
     local keyID
-    local userID
     local host
 
-    keyID="$2"
-    userID="$3"
-
-    if [ "$mode" = 'authorized_keys' ] ; then
-       gpgkey2ssh "$keyID" | sed -e "s/COMMENT/${userID}/"
+    keyID="$1"
+    host=$(echo "$2" | sed -e "s|ssh://||")
 
     # NOTE: it seems that ssh-keygen -R removes all comment fields from
     # all lines in the known_hosts file.  why?
     # NOTE: just in case, the COMMENT can be matched with the
     # following regexp:
     # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
-    elif [ "$MODE" = 'known_hosts' ] ; then
-       host=$(echo "$userID" | sed -e "s|ssh://||")
-       echo -n "$host "; gpgkey2ssh "$keyID" | sed -e "s/COMMENT/MonkeySphere${DATE}/"
-    fi
+    echo -n "$host "
+    gpg --export "$keyID" | \
+       openpgp2ssh "$keyID" | tr -d '\n'
+    echo " MonkeySphere${DATE}"
+}
+
+# convert key from gpg to ssh authorized_keys format
+gpg2authorized_keys() {
+    local keyID
+    local userID
+
+    keyID="$1"
+    userID="$2"
+
+    gpg --export "$keyID" | \
+       openpgp2ssh "$keyID" | tr -d '\n'
+    echo " MonkeySphere${DATE}:${userID}"
 }
 
 # userid and key policy checking
@@ -144,7 +147,7 @@ process_user_id() {
 
     # return 1 if there only "tru" lines are output from gpg
     if [ -z "$(echo "$gpgOut" | grep -v '^tru:')" ] ; then
-       loge "  key not found."
+       log "  key not found."
        return 1
     fi
 
@@ -173,18 +176,18 @@ process_user_id() {
 
                # check primary key validity
                if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
-                   loge "  unacceptable primary key validity ($validity)."
+                   log "  unacceptable primary key validity ($validity)."
                    continue
                fi
                # check capability is not Disabled...
                if check_capability "$capability" 'D' ; then
-                   loge "  key disabled."
+                   log "  key disabled."
                    continue
                fi
                # check overall key capability
                # must be Encryption and Authentication
                if ! check_capability "$capability" $requiredPubCapability ; then
-                   loge "  unacceptable primary key capability ($capability)."
+                   log "  unacceptable primary key capability ($capability)."
                    continue
                fi
 
@@ -233,17 +236,23 @@ process_user_id() {
     # key cache file
     if [ "$keyOK" -a "$uidOK" -a "${keyIDs[*]}" ] ; then
        for keyID in ${keyIDs[@]} ; do
-           loge "  acceptable key/uid found."
-
-           # export the key with gpg2ssh
-            # FIXME: needs to apply extra options for authorized_keys
-           # lines if specified
-           gpg2ssh_tmp "$keyID" "$userID" >> "$cacheDir"/"$userIDHash"."$pubKeyID"
-
-           # hash the cache file if specified
-           if [ "$MODE" = 'known_hosts' -a "$HASH_KNOWN_HOSTS" ] ; then
-               ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1
-               rm "$cacheDir"/"$userIDHash"."$pubKeyID".old
+           log "  acceptable key/uid found."
+
+           if [ "$MODE" = 'known_hosts' ] ; then
+               # export the key
+               gpg2known_hosts "$keyID" "$userID" >> \
+                   "$cacheDir"/"$userIDHash"."$pubKeyID"
+               # hash the cache file if specified
+               if [ "$HASH_KNOWN_HOSTS" ] ; then
+                   ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1
+                   rm "$cacheDir"/"$userIDHash"."$pubKeyID".old
+               fi
+           elif [ "$MODE" = 'authorized_keys' ] ; then
+               # export the key
+                # FIXME: needs to apply extra options for authorized_keys
+               # lines if specified
+               gpg2authorized_keys "$keyID" "$userID" >> \
+                   "$cacheDir"/"$userIDHash"."$pubKeyID"
            fi
        done
     fi
@@ -283,21 +292,76 @@ process_known_hosts() {
     cacheDir="$2"
 
     # take all the hosts from the known_hosts file (first field),
-    # grep out all the hashed hosts (lines starting with '|')
+    # grep out all the hashed hosts (lines starting with '|')...
     cut -d ' ' -f 1 "$knownHosts" | \
     grep -v '^|.*$' | \
     while IFS=, read -r -a hosts ; do
-       # process each host
+       # ...and process each host
        for host in ${hosts[*]} ; do
            process_host "$host" "$cacheDir"
        done
     done
 }
 
-# process authorized_keys file
+# update an authorized_keys file after first processing the 
+# authorized_user_ids file
+update_authorized_keys() {
+    local msAuthorizedKeys
+    local userAuthorizedKeys
+    local cacheDir
+
+    msAuthorizedKeys="$1"
+    userAuthorizedKeys="$2"
+    cacheDir="$3"
+
+    process_authorized_ids "$AUTHORIZED_USER_IDS" "$cacheDir"
+
+    # write output key file
+    log "writing monkeysphere authorized_keys file... "
+    touch "$msAuthorizedKeys"
+    if [ "$(ls "$cacheDir")" ] ; then
+       log -n "adding gpg keys... "
+       cat "$cacheDir"/* > "$msAuthorizedKeys"
+       echo "done."
+    else
+       log "no gpg keys to add."
+    fi
+    if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then
+       log -n "adding user authorized_keys file... "
+       cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
+       echo "done."
+    fi
+    log "monkeysphere authorized_keys file generated: $msAuthorizedKeys"
+}
+
+# process an authorized_*_ids file
+# go through line-by-line, extract each userid, and process
+process_authorized_ids() {
+    local authorizedIDs
+    local cacheDir
+    local userID
+
+    authorizedIDs="$1"
+    cacheDir="$2"
+
+    # clean out keys file and remake keys directory
+    rm -rf "$cacheDir"
+    mkdir -p "$cacheDir"
+
+    # loop through all user ids in file
+    # FIXME: needs to handle authorized_keys options
+    cat "$authorizedIDs" | meat | \
+    while read -r userID ; do
+       # process the userid
+       log "processing userid: '$userID'"
+       process_user_id "$userID" "$cacheDir" > /dev/null
+    done
+}
+
+# EXPERIMENTAL (unused) process userids found in authorized_keys file
 # go through line-by-line, extract monkeysphere userids from comment
 # fields, and process each userid
-process_authorized_keys() {
+process_userids_from_authorized_keys() {
     local authorizedKeys
     local cacheDir
     local userID
@@ -328,30 +392,6 @@ process_authorized_keys() {
     done
 }
 
-# process an authorized_*_ids file
-# go through line-by-line, extract each userid, and process
-process_authorized_ids() {
-    local authorizedIDs
-    local cacheDir
-    local userID
-
-    authorizedIDs="$1"
-    cacheDir="$2"
-
-    # clean out keys file and remake keys directory
-    rm -rf "$cacheDir"
-    mkdir -p "$cacheDir"
-
-    # loop through all user ids in file
-    # FIXME: needs to handle authorized_keys options
-    cat "$authorizedIDs" | meat | \
-    while read -r userID ; do
-       # process the userid
-       log "processing userid: '$userID'"
-       process_user_id "$userID" "$cacheDir" > /dev/null
-    done
-}
-
 # update the cache for userid, and prompt to add file to
 # authorized_user_ids file if the userid is found in gpg
 # and not already in file.