X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=rhesus%2Frhesus;h=0c7e1003db01326e0c0a46282aa068c731ea9bb6;hb=d19ed9fb6cc0bd7de9eb14b6d192c9eaccedc427;hp=7979e418c9e3e1a367adc2cab00e90c02467d360;hpb=7ba522ae456c76c6d131ecac990815f7d55695d5;p=monkeysphere.git
diff --git a/rhesus/rhesus b/rhesus/rhesus
index 7979e41..0c7e100 100755
--- a/rhesus/rhesus
+++ b/rhesus/rhesus
@@ -9,24 +9,19 @@
 ##################################################
 # load conf file
-#. /etc/monkeysphere/monkeysphere.conf
-. ~/ms/monkeysphere.conf
-
-# user name of user to update
-USERNAME="$1"
-
-#AUTH_KEYS_DIR_BASE=/var/lib/monkeysphere/authorized_keys/
-AUTH_KEYS_DIR_BASE=~/ms/authorized_keys
-
-AUTH_KEYS_DIR="$AUTH_KEYS_DIR_BASE"/"$USERNAME"
-AUTH_KEYS_FILE="$AUTH_KEYS_DIR"/authorized_keys
-
-AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME"
+CONF_FILE=${CONF_FILE:-"/etc/monkeysphere/monkeysphere.conf"}
+. "$CONF_FILE"
 export GNUPGHOME
 ##################################################
-### FUNCTIONS
+CMD=$(basename $0)
+
+usage() {
+cat <&2
@@ -43,6 +38,25 @@ cutline() {
 ### MAIN
+if [ -z "$1" ] ; then
+ usage
+ exit 1
+fi
+
+# user name of user to update
+USERNAME="$1"
+if ! id "$USERNAME" > /dev/null ; then
+ failure "User '$USERNAME' does not exist."
+fi
+
+AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME"
+if [ ! -e "$AUTH_USER_IDS" ] ; then
+ failure "No auth_user_ids file for user '$USERNAME'."
+fi
+
+KEYDIR="$AUTH_KEYS_DIR"/"$USERNAME"/keys
+AUTH_KEYS="$AUTH_KEYS_DIR"/authorized_keys
+
 # make sure the gnupg home exists with proper permissions
 mkdir -p "$GNUPGHOME"
 chmod 0700 "$GNUPGHOME"
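Review bot: `. "$CONF_FILE"` sources a path taken straight from the environment with no readability check, so a missing or mistyped `CONF_FILE` only produces the shell's own error and the script carries on with `GNUPGHOME`, `KEYSERVER`, `AUTH_KEYS_DIR` and the other conf variables unset. Since the `failure` helper appears to be defined only later in this hunk, guard it inline: `[ -r "$CONF_FILE" ] || { echo "$CMD: cannot read config file '$CONF_FILE'" >&2; exit 1; }` placed before the `.` line (and after `CMD=` if it keeps using `$CMD`). `CMD=$(basename $0)` should quote the argument, `CMD=$(basename "$0")`. The text between `cat <` and `&2` in the new `usage()` definition appears to have been lost in this rendering (the here-document body and whatever follows it), so that part of the hunk cannot be reviewed here.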
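Review bot: `AUTH_KEYS="$AUTH_KEYS_DIR"/authorized_keys` drops the per-user path component that `KEYDIR` keeps on the line just above it, so unless `AUTH_KEYS_DIR` is itself per-user in the conf file (the removed lines built it as base-dir/`$USERNAME`), every run of this script for any user rewrites the same file, and the append of `~"$USERNAME"/.ssh/authorized_keys` in the last hunk would merge one user's keys into a file shared across users. If that is not intended it should read `AUTH_KEYS="$AUTH_KEYS_DIR"/"$USERNAME"/authorized_keys`. The `id "$USERNAME" > /dev/null` check still lets id's own stderr through before `failure` prints its message; `> /dev/null 2>&1` keeps the diagnostic to the one line the script controls.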
@@ -51,38 +65,87 @@ chmod 0700 "$GNUPGHOME"
 NLINES=$(meat "$AUTH_USER_IDS" | wc -l)
 # clean out keys file and remake keys directory
-rm -rf "$AUTH_KEYS_DIR"/keys
-mkdir -p "$AUTH_KEYS_DIR"/keys
+rm -rf "$KEYDIR"
+mkdir -p "$KEYDIR"
 # loop through all user ids, and generate ssh keys
 for (( N=1; N<=$NLINES; N=N+1 )) ; do
 # get user id
- USERID=$(meat "$AUTH_USER_IDS" | head --line="$N" | tail -1)
+ USERID=$(meat "$AUTH_USER_IDS" | cutline "$N" )
 USERID_HASH=$(echo "$USERID" | sha1sum | awk '{ print $1 }')
- # get key id from user id
- #KEYID=$(gpguser2key "$USERID")
- KEYID="$USERID"
-
- echo "Receiving keys for: $USERID ($KEYID)..."
-
- # is primary key revoked && kill
- # for all associated keys (primary and sub)
- # - type "A"
- # - not revoked
- # - signed by trusted user
- # output ssh key
-
- # Receive keys into key ring
- if gpg --recv-keys --keyserver "$KEYSERVER" "$KEYID" ; then
- # convert pgp key to ssh key, and write to cache file
- KEYFILE="$AUTH_KEYS_DIR"/keys/"$USERID_HASH"
- gpgkey2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE"
+ KEYFILE="$KEYDIR"/"$USERID_HASH"
+
+ # search for key on keyserver
+ echo "ms: validating: '$USERID'"
+ RETURN=$(echo 1 | gpg --quiet --batch --command-fd 0 --with-colons --keyserver "$KEYSERVER" --search ="$USERID")
+
+ # if the key was found...
+ if [ "$RETURN" ] ; then
+ echo "ms: key found."
+
+ # checking key attributes
+ # see /usr/share/doc/gnupg/DETAILS.gz:
+
+ PUB_INFO=$(gpg --fixed-list-mode --with-colons --list-keys --with-fingerprint ="$USERID" | grep '^pub:')
+
+ # extract needed fields
+ KEY_TRUST=$(echo "$PUB_INFO" | cut -d: -f2)
+ KEY_CAPABILITY=$(echo "$PUB_INFO" | cut -d: -f12)
+
+ # check if key disabled
+ if echo "$KEY_CAPABILITY" | grep -q '[D]' ; then
+ echo "ms: key disabled -> SKIPPING"
+ continue
+ fi
+
+ # check key capability
+ REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-'a'}
+ if echo "$KEY_CAPABILITY" | grep -q '[$REQUIRED_KEY_CAPABILITY]' ; then
+ echo "ms: key capability verified ('$KEY_CAPABILITY')."
+ else
+ echo "ms: unacceptable key capability ('$KEY_CAPABILITY') -> SKIPPING"
+ continue
+ fi
+
+ echo -n "ms: key "
+
+ # if key is not fully trusted exit
+ # (this includes not revoked or expired)
+ # determine trust
+ case "$KEY_TRUST" in
+ 'i')
+ echo -n "invalid" ;;
+ 'r')
+ echo -n "revoked" ;;
+ 'e')
+ echo -n "expired" ;;
+ '-'|'q'|'n'|'m')
+ echo -n "has unacceptable trust" ;;
+ 'f'|'u')
+ echo -n "fully trusted"
+ # convert pgp key to ssh key, and write to cache file
+ echo -n " -> generating ssh key..."
+ #gpg2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE"
+ echo " done."
+ continue
+ ;;
+ *)
+ echo -n "has unknown trust" ;;
+ esac
+ echo ". -> SKIPPING"
+ else
+ echo "ms: key not found."
 fi
 done
-echo "Writing authorized_keys file '$AUTH_KEYS_FILE'..."
-cat "$AUTH_KEYS_DIR"/keys/* > "$AUTH_KEYS_FILE" || > "$AUTH_KEYS_FILE"
+if [ $(ls "$KEYDIR") ] ; then
+ echo "ms: writing ms authorized_keys file..."
+ cat "$KEYDIR"/* > "$AUTH_KEYS"
+else
+ echo "ms: no gpg keys to add to authorized_keys file."
+fi
 if [ -s ~"$USERNAME"/.ssh/authorized_keys ] ; then
- cat ~"$USERNAME"/.ssh/authorized_keys >> "$AUTH_KEYS_FILE"
+ echo "ms: adding user authorized_keys..."
+ cat ~"$USERNAME"/.ssh/authorized_keys >> "$AUTH_KEYS"
 fi
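Review bot: The capability gate `grep -q '[$REQUIRED_KEY_CAPABILITY]'` is single-quoted, so the variable is never expanded and grep is handed the literal bracket expression `[$REQUIRED_KEY_CAPABILITY]`, which matches any one of the characters `$ R E Q U I D _ K Y C A P B L T`; because field 12 of a `pub:` line in gpg's colon output also carries uppercase letters summarising the whole key's capabilities (see the DETAILS file the hunk itself cites), nearly every key passes this check regardless of the configured `'a'`, and the line should read `if echo "$KEY_CAPABILITY" | grep -q "[$REQUIRED_KEY_CAPABILITY]" ; then`. In the `'f'|'u')` arm the `#gpg2ssh ... > "$KEYFILE"` line is commented out, so `$KEYFILE` is never written, `$KEYDIR` stays empty and the later `cat "$KEYDIR"/*` has nothing to collect; if that is deliberate while `gpg2ssh` lands, a `# TODO: ssh key generation not yet wired in` next to it would save the next reader a puzzle. `if [ $(ls "$KEYDIR") ] ; then` also misbehaves as soon as more than one key file exists, since the unquoted expansion gives `[` several arguments and the test errors out into the else branch, leaving a stale `$AUTH_KEYS` in place; `if [ -n "$(ls -A "$KEYDIR")" ] ; then` avoids that and still treats an empty directory as "nothing to add".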