From df882c1e7e63fc658d0296dbd272499923fc4c69 Mon Sep 17 00:00:00 2001 From: Jameson Rollins Date: Mon, 18 Oct 2010 09:55:53 -0400 Subject: Simplification/refactoring of key/file processing This is a fairly major overhaul to greatly reduce the number of redundant code paths. We here created a new process_keys_for_file function that processes key from a userid for a given key file. All the main top elevel functions now call this one function. The main top level monkeysphere functions for updating the user's authorized_keys and known_hosts files are now moved to their own sourced files, which greatly reduces the amount of code sourced with common. monkeysphere now updates authorized_keys and known_hosts in temporary files that are then atomically moved into place upon completion. Finally, removed the confusing return codes in the key/file processing functions that were based on number of valid/invalid keys processed. It was confusing in the presence of actual errors that stopped processing. --- src/share/m/update_authorized_keys | 51 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 src/share/m/update_authorized_keys (limited to 'src/share/m/update_authorized_keys') diff --git a/src/share/m/update_authorized_keys b/src/share/m/update_authorized_keys new file mode 100644 index 0000000..f38bdab --- /dev/null +++ b/src/share/m/update_authorized_keys @@ -0,0 +1,51 @@ +# -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) + +# Monkeysphere update_authorized_keys subcommand +# +# The monkeysphere scripts are written by: +# Jameson Rollins +# Jamie McClelland +# Daniel Kahn Gillmor +# +# They are Copyright 2010, and are all released under the GPL, version +# 3 or later. + +update_authorized_keys() { + local tmpFile + + log debug "updating authorized_keys file:" + log debug " $AUTHORIZED_KEYS" + + # check permissions on the authorized_{keys,user_ids} file paths + check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" || failure + check_key_file_permissions $(whoami) "$AUTHORIZED_USER_IDS" || failure + + # create a lockfile on authorized_keys + lock create "$AUTHORIZED_KEYS" + + # make temp file + #tmpFile="$(dirname "$keyFile")/.$(basename "$keyFile")." + tmpFile=$(mktemp "${AUTHORIZED_KEYS}.monkeysphere.XXXXXX") + + # FIXME: we're discarding any pre-existing EXIT trap; is this bad? + trap "lock remove $AUTHORIZED_KEYS; rm -f $tmpFile" EXIT + + # remove any monkeysphere lines from authorized_keys file + remove_monkeysphere_lines "$AUTHORIZED_KEYS" > "$tmpFile" + + process_authorized_user_ids "$tmpFile" \ + < "$AUTHORIZED_USER_IDS" + + # note if the authorized_keys file was updated + if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$(file_hash "$tmpFile")" ] ; then + log debug "authorized_keys file updated." + fi + mv -f "$tmpFile" "$AUTHORIZED_KEYS" + + # remove the lockfile and the trap + lock remove "$AUTHORIZED_KEYS" + + # remove the trap + trap - EXIT +} -- cgit v1.2.3