Merge commit 'jrollins/master'

3 files changed, 60 insertions, 47 deletions

diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1
index 1a52983..03116b2 100644
--- a/man/man1/monkeysphere.1
+++ b/man/man1/monkeysphere.1
@@ -39,6 +39,32 @@ host, 1 if no matching keys were found at all, and 2 if matching keys
 were found but none were acceptable.  `k' may be used in place of
 `update-known_hosts'.
 .TP
+.B update-authorized_keys
+Update the authorized_keys file for the user executing the command
+(see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below).  First all
+monkeysphere keys are cleared from the authorized_keys file.  Then, or
+each user ID in the user's authorized_user_ids file, gpg will be
+queried for keys associated with that user ID, optionally querying a
+keyserver.  If an acceptable key is found (see KEY ACCEPTABILITY in
+.BR monkeysphere (7)),
+the key is added to the user's authorized_keys file.
+If a key is found but is unacceptable for the user ID, any matching
+keys are removed from the user's authorized_keys file.  If no gpg key
+is found for the user ID, nothing is done.  This subcommand will exit
+with a status of 0 if at least one acceptable key was found for a user
+ID, 1 if no matching keys were found at all, and 2 if matching keys
+were found but none were acceptable.  `a' may be used in place of
+`update-authorized_keys'.
+.TP
+.B gen-subkey [KEYID]
+Generate an authentication subkey for a private key in your GnuPG
+keyring.  For the primary key with the specified key ID, generate a
+subkey with "authentication" capability that can be used for
+monkeysphere transactions.  An expiration length can be specified with
+the `-e' or `--expire' option (prompt otherwise).  If no key ID is
+specified, but only one key exists in the secret keyring, that key
+will be used.  `g' may be used in place of `gen-subkey'.
+.TP
 .B ssh-proxycommand
 an ssh proxy command that can be used
 to trigger a monkeysphere update of the ssh known_hosts file for a
@@ -87,32 +113,6 @@ variable (to `true' or `false') will override the keyserver-checking policy
 defined above.
 
 .TP
-.B update-authorized_keys
-Update the authorized_keys file for the user executing the command
-(see MONKEYSPHERE_AUTHORIZED_KEYS in ENVIRONMENT, below).  First all
-monkeysphere keys are cleared from the authorized_keys file.  Then, or
-each user ID in the user's authorized_user_ids file, gpg will be
-queried for keys associated with that user ID, optionally querying a
-keyserver.  If an acceptable key is found (see KEY ACCEPTABILITY in
-.BR monkeysphere (7)),
-the key is added to the user's authorized_keys file.
-If a key is found but is unacceptable for the user ID, any matching
-keys are removed from the user's authorized_keys file.  If no gpg key
-is found for the user ID, nothing is done.  This subcommand will exit
-with a status of 0 if at least one acceptable key was found for a user
-ID, 1 if no matching keys were found at all, and 2 if matching keys
-were found but none were acceptable.  `a' may be used in place of
-`update-authorized_keys'.
-.TP
-.B gen-subkey [KEYID]
-Generate an authentication subkey for a private key in your GnuPG
-keyring.  For the primary key with the specified key ID, generate a
-subkey with "authentication" capability that can be used for
-monkeysphere transactions.  An expiration length can be specified with
-the `-e' or `--expire' option (prompt otherwise).  If no key ID is
-specified, but only one key exists in the secret keyring, that key
-will be used.  `g' may be used in place of `gen-subkey'.
-.TP
 .B subkey-to-ssh-agent [ssh-add arguments]
 Push all authentication-capable subkeys in your GnuPG secret keyring
 into your running ssh-agent.  Additional arguments are passed through
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index a8f17f9..4aaf02d 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -47,6 +47,7 @@ usage: $PGRM <subcommand> [options] [args]
 Monkeysphere authentication admin tool.
 
 subcommands:
+ setup (s)                           setup monkeysphere user authentication
  update-users (u) [USER]...          update user authorized_keys files
  add-id-certifier (c+) KEYID         import and tsign a certification key
    --domain (-n) DOMAIN                limit ID certifications to DOMAIN
@@ -155,6 +156,11 @@ COMMAND="$1"
 shift
 
 case $COMMAND in
+    'setup'|'setup'|'s')
+	source "${MASHAREDIR}/setup"
+	setup "$@"
+	;;
+
     'update-users'|'update-user'|'u')
 	source "${MASHAREDIR}/update_users"
 	update_users "$@"
diff --git a/tests/basic b/tests/basic
index 5006f8f..bf6a364 100755
--- a/tests/basic
+++ b/tests/basic
@@ -19,7 +19,7 @@ set -o pipefail
 
 ## make sure that the right tools are installed to run the test.  the
 ## test has *more* requirements than plain ol' monkeysphere:
-which socat || { echo "You must have socat installed to run this test." ; exit 1; }
+which socat >/dev/null || { echo "You must have socat installed to run this test." ; exit 1; }
 
 ## FIXME: other checks?
 
@@ -107,7 +107,7 @@ trap failed_cleanup EXIT
 ## set up some variables to ensure that we're operating strictly in
 ## the tests, not system-wide:
 
-export TESTDIR=$(pwd)
+export TESTDIR=$(dirname "$0")
 
 # make temp dir
 TEMPDIR="$TESTDIR"/tmp
@@ -161,34 +161,22 @@ get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf
 
 # set up sshd
 echo "### configuring sshd..."
-cp etc/ssh/sshd_config "$SSHD_CONFIG"
+cp "$TESTDIR"/etc/ssh/sshd_config "$SSHD_CONFIG"
 # write the sshd_config
 cat <<EOF >> "$SSHD_CONFIG"
 HostKey ${MONKEYSPHERE_SYSDATADIR}/ssh_host_rsa_key
 AuthorizedKeysFile ${MONKEYSPHERE_SYSDATADIR}/authentication/authorized_keys/%u
 EOF
 
+
+### SERVER HOST SETUP
+
 # set up monkeysphere host
 echo "### configuring monkeysphere host..."
 mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/host
 
-# set up monkeysphere authentication
-echo "### configuring monkeysphere authentication..."
-mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
-cp etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
-cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
-AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
-EOF
-cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
-primary-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/sphere/pubring.gpg
-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/core/pubring.gpg
-EOF
-
-
-### SERVER TESTS
-
 # create a new host key
-echo "### generating server key..."
+echo "### generating server host key..."
 # add gpg.conf with quick-random
 get_gpg_prng_arg >> "$MONKEYSPHERE_SYSCONFIGDIR"/host/gpg.conf
 echo | monkeysphere-host expert gen-key --length 1024 --expire 0 testhost
@@ -199,13 +187,32 @@ HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f
 
 # certify it with the "Admin's Key".
 # (this would normally be done via keyservers)
-echo "### certifying server key..."
-monkeysphere-authentication expert gpg-cmd "--armor --export $HOSTKEYID" | gpgadmin --import
+echo "### certifying server host key..."
+GNUPGHOME="$MONKEYSPHERE_SYSCONFIGDIR"/host gpg --armor --export "$HOSTKEYID" | gpgadmin --import
 echo y | gpgadmin --command-fd 0 --sign-key "$HOSTKEYID"
 
 # FIXME: how can we test publish-key without flooding junk into the
 # keyservers?
 
+
+### SERVER AUTHENTICATION TESTS
+
+# set up monkeysphere authentication
+echo "### configuring monkeysphere authentication..."
+mkdir -p -m 700 "$MONKEYSPHERE_SYSDATADIR"/authentication/{authorized_keys,core,sphere,tmp}
+cp "$TESTDIR"/etc/monkeysphere/monkeysphere-authentication.conf "$TEMPDIR"/
+cat <<EOF >> "$TEMPDIR"/monkeysphere-authentication.conf
+AUTHORIZED_USER_IDS="$MONKEYSPHERE_HOME/authentication/authorized_user_ids"
+EOF
+cat <<EOF > "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
+primary-keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/sphere/pubring.gpg
+keyring ${MONKEYSPHERE_SYSDATADIR}/authentication/core/pubring.gpg
+EOF
+
+# setup server authentication
+echo "### setting up server authentication..."
+monkeysphere-authentication setup
+
 # add admin as identity certifier for testhost
 echo "### adding admin as certifier..."
 echo y | monkeysphere-authentication add-id-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg