X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=c0a903054983c0c1aa130e8c2452eefc83bc9a7f;hb=c32302172e3533b2170329206ff011d6e3a26a49;hp=01e6f32093da85de5004ea29b62ec220c7d82bd9;hpb=2ed952e2207d5278cfe96db2d7eeed40709f846b;p=monkeysphere.git

diff --git a/src/common b/src/common
index 01e6f32..c0a9030 100644
--- a/src/common
+++ b/src/common
@@ -1,13 +1,13 @@
 # -*-shell-script-*-
 
-# Shared bash functions for the monkeysphere
+# Shared sh functions for the monkeysphere
 #
 # Written by
 # Jameson Rollins <jrollins@fifthhorseman.net>
 #
 # Copyright 2008, released under the GPL, version 3 or later
 
-# all caps variables are meant to be user supplied (ie. from config
+# all-caps variables are meant to be user supplied (ie. from config
 # file) and are considered global
 
 ########################################################################
@@ -43,12 +43,22 @@ cutline() {
 # FIXME: need to figure out how to retrieve all matching keys
 # (not just first 5)
 gpg_fetch_userid() {
-    local id
-    id="$1"
-    echo 1,2,3,4,5 | \
-	gpg --quiet --batch --command-fd 0 --with-colons \
-	--keyserver "$KEYSERVER" \
-	--search ="$id" >/dev/null 2>&1
+    local userID
+
+    userID="$1"
+
+    # if CHECK_KEYSERVER variable set, check the keyserver
+    # for the user ID
+    if [ "CHECK_KEYSERVER" ] ; then
+	echo 1,2,3,4,5 | \
+	    gpg --quiet --batch --command-fd 0 --with-colons \
+	    --keyserver "$KEYSERVER" \
+	    --search ="$userID" >/dev/null 2>&1
+
+    # otherwise just return true
+    else
+	return
+    fi
 }
 
 # check that characters are in a string (in an AND fashion).
@@ -117,19 +127,20 @@ gpg2authorized_keys() {
 
     gpg --export "$keyID" | \
 	openpgp2ssh "$keyID" | tr -d '\n'
-    echo " MonkeySphere${DATE}:${userID}"
+    echo " MonkeySphere${DATE}: ${userID}"
 }
 
 # userid and key policy checking
 # the following checks policy on the returned keys
 # - checks that full key has appropriate valididy (u|f)
-# - checks key has specified capability (REQUIRED_KEY_CAPABILITY)
+# - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
 # - checks that particular desired user id has appropriate validity
 # see /usr/share/doc/gnupg/DETAILS.gz
 # expects global variable: "MODE"
 process_user_id() {
     local userID
     local cacheDir
+    local requiredCapability
     local requiredPubCapability
     local gpgOut
     local line
@@ -148,7 +159,13 @@ process_user_id() {
     userID="$1"
     cacheDir="$2"
 
-    requiredPubCapability=$(echo "$REQUIRED_KEY_CAPABILITY" | tr "[:lower:]" "[:upper:]")
+    # set the required key capability based on the mode
+    if [ "$MODE" = 'known_hosts' ] ; then
+	requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY"
+    elif [ "$MODE" = 'authorized_keys' ] ; then
+	requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"	
+    fi
+    requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
 
     # fetch keys from keyserver, return 1 if none found
     gpg_fetch_userid "$userID" || return 1
@@ -207,7 +224,7 @@ process_user_id() {
 		keyOK=true
 
 		# add primary key ID to key list if it has required capability
-		if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then
+		if check_capability "$capability" $requiredCapability ; then
 		    keyIDs[${#keyIDs[*]}]="$keyid"
 		fi
 		;;
@@ -230,7 +247,7 @@ process_user_id() {
 		;;
 	    'sub') # sub keys
 		# add sub key ID to key list if it has required capability
-		if check_capability "$capability" $REQUIRED_KEY_CAPABILITY ; then
+		if check_capability "$capability" $requiredCapability ; then
 		    keyIDs[${#keyIDs[*]}]="$keyid"
 		fi
 		;;
@@ -258,7 +275,7 @@ process_user_id() {
 		gpg2known_hosts "$keyID" "$userID" >> \
 		    "$cacheDir"/"$userIDHash"."$pubKeyID"
 		# hash the cache file if specified
-		if [ "$HASH_KNOWN_HOSTS" ] ; then
+		if [ "$HASH_KNOWN_HOSTS" = "true" ] ; then
 		    ssh-keygen -H -f "$cacheDir"/"$userIDHash"."$pubKeyID" > /dev/null 2>&1
 		    rm "$cacheDir"/"$userIDHash"."$pubKeyID".old
 		fi
@@ -282,25 +299,30 @@ process_user_id() {
 update_userid() {
     local userID
     local cacheDir
-    local userIDKeyCache
+    local keyCache
 
     userID="$1"
     cacheDir="$2"
 
     log "processing userid: '$userID'"
 
-    userIDKeyCache=$(process_user_id "$userID" "$cacheDir")
-
-    if [ -z "$userIDKeyCache" ] ; then
+    # return 1 if there is no output of the user ID processing
+    # ie. no key was found
+    keyCachePath=$(process_user_id "$userID" "$cacheDir")
+    if [ -z "$keyCachePath" ] ; then
 	return 1
     fi
+
+    # check if user ID is in the authorized_user_ids file
     if ! grep -q "^${userID}\$" "$AUTHORIZED_USER_IDS" ; then
 	read -p "user ID not currently authorized.  authorize? [Y|n]: " OK; OK=${OK:=Y}
 	if [ ${OK/y/Y} = 'Y' ] ; then
+	    # add if specified
 	    log -n "adding user ID to authorized_user_ids file... "
 	    echo "$userID" >> "$AUTHORIZED_USER_IDS"
 	    echo "done."
 	else
+	    # else do nothing
 	    log "authorized_user_ids file untouched."
 	fi
     fi
@@ -328,17 +350,17 @@ remove_userid() {
 process_host() {
     local host
     local cacheDir
-    local hostKeyCachePath
+    local keyCachePath
 
     host="$1"
     cacheDir="$2"
 
-    log "processing host: '$host'"
+    log "processing host: $host"
 
-    hostKeyCachePath=$(process_user_id "ssh://${host}" "$cacheDir")
+    keyCachePath=$(process_user_id "ssh://${host}" "$cacheDir")
     if [ $? = 0 ] ; then
 	ssh-keygen -R "$host" -f "$USER_KNOWN_HOSTS"
-	cat "$hostKeyCachePath" >> "$USER_KNOWN_HOSTS"
+	cat "$keyCachePath" >> "$USER_KNOWN_HOSTS"
     fi
 }
 
@@ -346,18 +368,15 @@ process_host() {
 # go through line-by-line, extract each host, and process with the
 # host processing function
 process_known_hosts() {
-    local knownHosts
     local cacheDir
     local hosts
     local host
 
-    knownHosts="$1"
-    cacheDir="$2"
+    cacheDir="$1"
 
     # take all the hosts from the known_hosts file (first field),
     # grep out all the hashed hosts (lines starting with '|')...
-    cut -d ' ' -f 1 "$knownHosts" | \
-    grep -v '^|.*$' | \
+    meat "$USER_KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | \
     while IFS=, read -r -a hosts ; do
 	# ...and process each host
 	for host in ${hosts[*]} ; do
@@ -389,7 +408,7 @@ update_authorized_keys() {
     else
 	log "no gpg keys to add."
     fi
-    if [ "$userAuthorizedKeys" -a -s "$userAuthorizedKeys" ] ; then
+    if [ "$userAuthorizedKeys" != "-" -a -s "$userAuthorizedKeys" ] ; then
 	log -n "adding user authorized_keys file... "
 	cat "$userAuthorizedKeys" >> "$msAuthorizedKeys"
 	echo "done."
@@ -425,7 +444,7 @@ process_authorized_ids() {
 # EXPERIMENTAL (unused) process userids found in authorized_keys file
 # go through line-by-line, extract monkeysphere userids from comment
 # fields, and process each userid
-process_userids_from_authorized_keys() {
+process_authorized_keys() {
     local authorizedKeys
     local cacheDir
     local userID
@@ -468,6 +487,11 @@ trust_key() {
     # get key fingerprint
     fingerprint=$(get_key_fingerprint "$keyID")
 
+    # attach a "non-exportable" signature to the key
+    # this is required for the key to have any validity at all
+    # the 'y's on stdin indicates "yes, i really want to sign"
+    echo -e 'y\ny' | gpg --lsign-key --command-fd 0 "$fingerprint"
+
     # import "full" trust for fingerprint into gpg
     echo ${fingerprint}:5: | gpg --import-ownertrust
     if [ $? = 0 ] ; then