Add 'remove_userid' function, inverse of 'update_userids'.
[monkeysphere.git] / src / monkeysphere-server
index 6eeb7021dc1de7965dd81e75f37fb509e5b2cca8..13221c5bcb6c029a51e73347751dc9fd8b270297 100755 (executable)
@@ -28,14 +28,15 @@ GREP_OPTIONS=
 usage() {
 cat <<EOF
 usage: $PGRM <subcommand> [args]
-Monkeysphere server admin tool.
+MonkeySphere server admin tool.
 
 subcommands:
   update-users (s) [USER]...            update users authorized_keys files
   gen-key (g)                           generate gpg key for the server
   publish-key (p)                       publish server key to keyserver
   trust-keys (t) KEYID...               mark keyids as trusted
-  update-user-userids (u) USER UID...   add/update userids for a user
+  update-user-userids (u) USER UID...   add/update user IDs for a user
+  remove-user-userids (r) USER UID...   remove user IDs for a user
   help (h,?)                            this help
 
 EOF
@@ -44,10 +45,10 @@ EOF
 # generate server gpg key
 gen_key() {
     # set key defaults
-    KEY_TYPE=${KEY_TYPE:-RSA}
-    KEY_LENGTH=${KEY_LENGTH:-2048}
-    KEY_USAGE=${KEY_USAGE:-encrypt,auth}
-    SERVICE=${SERVICE:-ssh}
+    KEY_TYPE=${KEY_TYPE:-"RSA"}
+    KEY_LENGTH=${KEY_LENGTH:-"2048"}
+    KEY_USAGE=${KEY_USAGE:-"encrypt,auth"}
+    SERVICE=${SERVICE:-"ssh"}
     HOSTNAME_FQDN=${HOSTNAME_FQDN:-$(hostname -f)}
 
     USERID=${USERID:-"$SERVICE"://"$HOSTNAME_FQDN"}
@@ -70,7 +71,7 @@ EOF
 )
     fi
 
-    log "The following key parameters will be used:"
+    echo "The following key parameters will be used:"
     echo "$keyParameters"
 
     read -p "generate key? [Y|n]: " OK; OK=${OK:=Y}
@@ -90,25 +91,10 @@ EOF
 EOF
 )
 
-    echo "generating server key..."
+    log "generating server key..."
     echo "$keyParameters" | gpg --batch --gen-key
 }
 
-# publish server key to keyserver
-publish_key() {
-    read -p "publish key to $KEYSERVER? [Y|n]: " OK; OK=${OK:=Y}
-    if [ ${OK/y/Y} != 'Y' ] ; then
-       failure "aborting."
-    fi
-
-    keyID=$(gpg --list-key --with-colons ="$USERID" 2> /dev/null | grep '^pub:' | cut -d: -f5)
-
-    # dummy command so as not to publish fakes keys during testing
-    # eventually:
-    #gpg --send-keys --keyserver "$KEYSERVER" "$keyID"
-    echo "NOT PUBLISHED: gpg --send-keys --keyserver $KEYSERVER $keyID"
-}
-
 ########################################################################
 # MAIN
 ########################################################################
@@ -129,7 +115,6 @@ GNUPGHOME=${GNUPGHOME:-"$MS_HOME"/gnupg}
 KEYSERVER=${KEYSERVER:-subkeys.pgp.net}
 REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-"e a"}
 USER_CONTROLLED_AUTHORIZED_KEYS=${USER_CONTROLLED_AUTHORIZED_KEYS:-%h/.ssh/authorized_keys}
-STAGING_AREA=${STAGING_AREA:-"$LIB"/stage}
 
 export GNUPGHOME
 
@@ -137,7 +122,7 @@ export GNUPGHOME
 mkdir -p -m 0700 "$GNUPGHOME"
 
 case $COMMAND in
-    'update-users'|'s')
+    'update-users'|'update-user'|'s')
        if [ "$1" ] ; then
            unames="$@"
        else
@@ -145,16 +130,21 @@ case $COMMAND in
        fi
 
        for uname in $unames ; do
+           MODE="authorized_keys"
+
            log "----- user: $uname -----"
 
-           MODE="authorized_keys"
+           # set variables for the user
            AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
-           cacheDir="$STAGING_AREA"/"$uname"/user_keys
-           msAuthorizedKeys="$STAGING_AREA"/"$uname"/authorized_keys
+           msAuthorizedKeys="$CACHE"/"$uname"/authorized_keys
+           cacheDir="$CACHE"/"$uname"/user_keys
+
+            # make sure user's authorized_user_ids file exists
+           touch "$AUTHORIZED_USER_IDS"
 
-            # make sure authorized_user_ids file exists
+           # skip if the user's authorized_user_ids file is empty
            if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
-               log "authorized_user_ids file for '$uname' is empty or does not exist."
+               log "authorized_user_ids file for '$uname' is empty."
                continue
            fi
 
@@ -165,8 +155,9 @@ case $COMMAND in
            fi
 
            # update authorized_keys
-           update_authorized_keys "$cacheDir" "$msAuthorizedKeys" "$userAuthorizedKeys"
+           update_authorized_keys "$msAuthorizedKeys" "$userAuthorizedKeys" "$cacheDir"
        done
+
        log "----- done. -----"
        ;;
 
@@ -175,19 +166,47 @@ case $COMMAND in
        ;;
 
     'publish-key'|'p')
-       publish_key
+       publish_server_key
        ;;
 
-    'trust-keys'|'t')
+    'trust-keys'|'trust-key'|'t')
        if [ -z "$1" ] ; then
            failure "you must specify at least one key to trust."
        fi
+
+       # process key IDs
        for keyID ; do
            trust_key "$keyID"
        done
        ;;
 
-    'update-user-userids'|'u')
+    'update-user-userids'|'update-user-userid'|'u')
+       uname="$1"
+       shift
+       if [ -z "$uname" ] ; then
+           failure "you must specify user."
+       fi
+       if [ -z "$1" ] ; then
+           failure "you must specify at least one userid."
+       fi
+
+       # set variables for the user
+       AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
+       cacheDir="$CACHE"/"$uname"/user_keys
+
+        # make sure user's authorized_user_ids file exists
+       touch "$AUTHORIZED_USER_IDS"
+
+       # process the user IDs
+       for userID ; do
+           update_userid "$userID" "$cacheDir"
+       done
+
+       log "run the following to update user's authorized_keys file:"
+       log "$PGRM update-users $uname"
+       ;;
+
+    'remove-user-userids'|'remove-user-userid'|'r')
        uname="$1"
        shift
        if [ -z "$uname" ] ; then
@@ -196,11 +215,20 @@ case $COMMAND in
        if [ -z "$1" ] ; then
            failure "you must specify at least one userid."
        fi
+
+       # set variables for the user
        AUTHORIZED_USER_IDS="$MS_HOME"/authorized_user_ids/"$uname"
-       userKeysCacheDir="$STAGING_AREA"/"$uname"/user_keys
+
+        # make sure user's authorized_user_ids file exists
+       touch "$AUTHORIZED_USER_IDS"
+
+       # process the user IDs
        for userID ; do
-           update_userid "$userID" "$userKeysCacheDir"
+           remove_userid "$userID"
        done
+
+       log "run the following to update user's authorized_keys file:"
+       log "$PGRM update-users $uname"
        ;;
 
     'help'|'h'|'?')
@@ -209,6 +237,6 @@ case $COMMAND in
 
     *)
         failure "Unknown command: '$COMMAND'
-Type 'cereal-admin help' for usage."
+Type '$PGRM help' for usage."
         ;;
 esac