Merge commit 'dkg/master'

[monkeysphere.git] / rhesus / rhesus

#!/bin/sh

# rhesus: monkeysphere authorized_keys update script
#
# Written by
# Jameson Rollins <jrollins@fifthhorseman.net>
#
# Copyright 2008, released under the GPL, version 3 or later

##################################################
# load conf file
CONF_FILE=${CONF_FILE:-"/etc/monkeysphere/monkeysphere.conf"}
. "$CONF_FILE"

export GNUPGHOME
##################################################

CMD=$(basename $0)

usage() {
cat <<EOF
usage: $CMD USERNAME
EOF
}

failure() {
    echo "$1" >&2
    exit ${2:-'1'}
}

meat() {
    grep -v -e "^[[:space:]]*#" -e '^$' "$1"
}

cutline() {
    head --line="$1" | tail -1
}

### MAIN

if [ -z "$1" ] ; then
    usage
    exit 1
fi

# user name of user to update
USERNAME="$1"
if ! id "$USERNAME" > /dev/null ; then
    failure "User '$USERNAME' does not exist."
fi

AUTH_USER_IDS="$AUTH_USER_IDS_DIR"/"$USERNAME"
if [ ! -e "$AUTH_USER_IDS" ] ; then
    failure "No auth_user_ids file for user '$USERNAME'."
fi

KEYDIR="$AUTH_KEYS_DIR"/"$USERNAME"/keys
AUTH_KEYS="$AUTH_KEYS_DIR"/authorized_keys

# make sure the gnupg home exists with proper permissions
mkdir -p "$GNUPGHOME"
chmod 0700 "$GNUPGHOME"

# find number of user ids in auth_user_ids file
NLINES=$(meat "$AUTH_USER_IDS" | wc -l)

# clean out keys file and remake keys directory
rm -rf "$KEYDIR"
mkdir -p "$KEYDIR"

# loop through all user ids, and generate ssh keys
for (( N=1; N<=$NLINES; N=N+1 )) ; do
    # get user id
    USERID=$(meat "$AUTH_USER_IDS" | cutline "$N" )
    USERID_HASH=$(echo "$USERID" | sha1sum | awk '{ print $1 }')

    KEYFILE="$KEYDIR"/"$USERID_HASH"

    # search for key on keyserver
    echo "ms: validating: '$USERID'"
    RETURN=$(echo 1 | gpg --quiet --batch --command-fd 0 --with-colons --keyserver "$KEYSERVER" --search ="$USERID")

    # if the key was found...
    if [ "$RETURN" ] ; then
        echo "ms:   key found."
        
        # checking key attributes
        # see /usr/share/doc/gnupg/DETAILS.gz:
        
        PUB_INFO=$(gpg --fixed-list-mode --with-colons --list-keys --with-fingerprint ="$USERID" | grep '^pub:')

        # extract needed fields
        KEY_TRUST=$(echo "$PUB_INFO" | cut -d: -f2)
        KEY_CAPABILITY=$(echo "$PUB_INFO" | cut -d: -f12)
        
        # check if key disabled
        if  echo "$KEY_CAPABILITY" | grep -q '[D]' ; then
            echo "ms:   key disabled -> SKIPPING"
            continue
        fi

        # check key capability
        REQUIRED_KEY_CAPABILITY=${REQUIRED_KEY_CAPABILITY:-'a'}
        if  echo "$KEY_CAPABILITY" | grep -q '[$REQUIRED_KEY_CAPABILITY]' ; then
            echo "ms:   key capability verified ('$KEY_CAPABILITY')."
        else
            echo "ms:   unacceptable key capability ('$KEY_CAPABILITY') -> SKIPPING"
            continue
        fi

        echo -n "ms:   key "

        # if key is not fully trusted exit
        # (this includes not revoked or expired)
        # determine trust
        case "$KEY_TRUST" in
            'i')
                echo -n "invalid" ;;
            'r')
                echo -n "revoked" ;;
            'e')
                echo -n "expired" ;;
            '-'|'q'|'n'|'m')
                echo -n "has unacceptable trust" ;;
            'f'|'u')
                echo -n "fully trusted"
                # convert pgp key to ssh key, and write to cache file
                echo -n " -> generating ssh key..."
                #gpg2ssh "$KEYID" | sed -e "s/COMMENT/$USERID/" > "$KEYFILE"
                echo " done."
                continue
            ;;
            *)
                echo -n "has unknown trust" ;;
        esac
        echo ". -> SKIPPING"
    else
        echo "ms:   key not found."
    fi
done

if [ $(ls "$KEYDIR") ]  ; then
    echo "ms: writing ms authorized_keys file..."
    cat "$KEYDIR"/* > "$AUTH_KEYS"
else
    echo "ms: no gpg keys to add to authorized_keys file."
fi
if [ -s ~"$USERNAME"/.ssh/authorized_keys ] ; then
    echo "ms: adding user authorized_keys..."
    cat ~"$USERNAME"/.ssh/authorized_keys >> "$AUTH_KEYS"
fi