summaryrefslogtreecommitdiff
path: root/examples/monkeysphere-monitor-keys
blob: c5d0a0f8cd97b1f0b91f814a97145f96a51100db (plain) 
    

  1. #!/usr/bin/perl
    2. 

  2. 

  3. # This script automatically runs:
    4. 

  4. #
    5. 

  5. #   monkeysphere-authentication update-users <user>
    6. 

  6. #
    7. 

  7. # every time it detects a change in an authorized_keys or authorized_user_ids
    8. 

  8. # file. The update-users command operates on the username that owns the file
    9. 

  9. # that was updated.
    10. 

  10. #
    11. 

  11. # The list of files to monitor is generated from the AUTHORIZED_USER_IDS and
    12. 

  12. # RAW_AUTHORIZED_KEYS variables found in
    13. 

  13. # /etc/monkeysphere/monkeysphere-authentication.conf and expanded using a list
    14. 

  14. # of users on the system.
    15. 

  15. #
    16. 

  16. # Additionally, the /var/lib/monkeysphere/user-update/lastchange file is
    17. 

  17. # monitored. If a change is made to that file, the list of files to monitor is
    18. 

  18. # re-generated based on a fresh listing of users. If you run a hook on user
    19. 

  19. # creation and deletion that generates a file in this directory, you can ensure
    20. 

  20. # that the list of files to monitor is always up-to-date.
    21. 

  21. #
    22. 

  22. # On debian system you can install required perl modules with: aptitude install
    23. 

  23. # libfile-changenotify-perl libfile-spec-perl libconfig-general-perl
    24. 

  24. #
    25. 

  25. # This script is designed to run at system start and should be run with root
    26. 

  26. # privileges.
    27. 

  27. #
    28. 

  28. # File::ChangeNotify is cross platform - it will choose a sub class for
    29. 

  29. # monitoring file system changes appropriate to your operating system (if you
    30. 

  30. # are running Linux, liblinux-inotify2-perl is recommended).
    31. 

  31. 

  32. # FIXME: does this handle revocations and re-keying?  if a sysadmin
    33. 

  33. # switches over to this arrangement, how will the system check for
    34. 

  34. # revocations?  Scheduling a simple gpg --refresh should handle
    35. 

  35. # revocations.  I'm not sure how to best handle re-keyings.
    36. 

  36. 

  37. use strict;
    38. 

  38. use warnings;
    39. 

  39. use File::ChangeNotify;
    40. 

  40. use File::Basename;
    41. 

  41. use File::Spec;
    42. 

  42. use Config::General;
    43. 

  43. 

  44. my $user_update_file = '/var/lib/monkeysphere/user-update/lastchange';
    45. 

  45. my %watch_files;
    46. 

  46. 

  47. my $debug = 0;
    48. 

  48. if (defined($ENV{MONKEYSPHERE_LOG_LEVEL}) &&
    49. 

  49.     $ENV{MONKEYSPHERE_LOG_LEVEL} =~ /^debug/i) {
    50. 

  50.   $debug = 1;
    51. 

  51. }
    52. 

  52. 

  53. sub debug {
    54. 

  54.   printf STDERR @_
    55. 

  55.     if ($debug eq 1);
    56. 

  56. }
    57. 

  57. 

  58. sub set_watch_files() {
    59. 

  59.   my %key_file_locations = get_key_file_locations();
    60. 

  60.   # get list of users on the system
    61. 

  61.   while(my ($name, $passwd, $uid, $gid, $gcos, $dir, $shell, $home) = getpwent()) {
    62. 

  62.     while (my ($key, $file) = each (%key_file_locations)) {
    63. 

  63.       $file =~ s/%h/$home/;
    64. 

  64.       $file =~ s/%u/$name/;
    65. 

  65.       $watch_files{ $file } = $name;
    66. 

  66.     }
    67. 

  67.   }
    68. 

  68.   endpwent();
    69. 

  69.   $watch_files{ $user_update_file } = '';
    70. 

  70. }
    71. 

  71. 

  72. sub get_key_file_locations {
    73. 

  73.   # set defaults
    74. 

  74.   my %key_file_locations;
    75. 

  75.   $key_file_locations{ 'authorized_user_ids' } = '%h/.monkeysphere/authorized_user_ids';
    76. 

  76.   $key_file_locations{ 'authorized_keys' } = '%h/.ssh/authorized_keys';
    77. 

  77. 

  78.   # check monkeysphere-authentication configuration
    79. 

  79.   my $config_file = '/etc/monkeysphere/monkeysphere-authentication.conf';
    80. 

  80.   if (-f $config_file) {
    81. 

  81.     if (-r $config_file) {
    82. 

  82.       my %config;
    83. 

  83.       %config = Config::General::ParseConfig($config_file);
    84. 

  84.       if (exists $config{'AUTHORIZED_USER_IDS'}) {
    85. 

  85.         $key_file_locations{'authorized_user_ids'} = $config{'AUTHORIZED_USER_IDS'};
    86. 

  86.       }
    87. 

  87.       if (exists $config{'RAW_AUTHORIZED_KEYS'}) {
    88. 

  88.         $key_file_locations{'authorized_keys'} = $config{'RAW_AUTHORIZED_KEYS'};
    89. 

  89.       }
    90. 

  90.     }
    91. 

  91.   }
    92. 

  92.   return %key_file_locations;
    93. 

  93. }
    94. 

  94. 

  95. sub get_watcher {
    96. 

  96.   my @filters;
    97. 

  97.   my @dirs;
    98. 

  98. 

  99.   set_watch_files();
    100. 

  100.   for my $file (%watch_files) {
    101. 

  101.     my $dir = dirname($file);
    102. 

  102.     if ( -d $dir && !grep $_ eq $dir, @dirs ) {
    103. 

  103.       debug("Watching dir: %s\n", $dir);
    104. 

  104.       push(@dirs,$dir);
    105. 

  105.       my $file = basename($file);
    106. 

  106.       if ( !grep $_ eq $file, @filters ) {
    107. 

  107.         $file = quotemeta($file);
    108. 

  108.         debug("Adding file filter: %s\n", $file);
    109. 

  109.         push(@filters,$file);
    110. 

  110.       }
    111. 

  111.     }
    112. 

  112.   }
    113. 

  113. 

  114.   # create combined file filters to limit our monitor
    115. 

  115.   my $filter = '^(' . join("|",@filters) . ')$';
    116. 

  116. 

  117.   # return a watcher object
    118. 

  118.   return my $watcher =
    119. 

  119.     File::ChangeNotify->instantiate_watcher
    120. 

  120.       ( directories => [ @dirs ],
    121. 

  121.         filter      => qr/$filter/,
    122. 

  122.       );
    123. 

  123. }
    124. 

  124. 

  125. sub watch {
    126. 

  126.   my $watcher = get_watcher();
    127. 

  127.   while ( my @events = $watcher->wait_for_events() ) {
    128. 

  128.     my %users;
    129. 

  129.     for my $event (@events) {
    130. 

  130.       if($event->path eq "$user_update_file") {
    131. 

  131.         debug("Reloading user list\n");
    132. 

  132.         $watcher = get_watcher();
    133. 

  133.       } else {
    134. 

  134.         # if user deleted, file might not exist
    135. 

  135.         # FIXME - m-a u returns an error if the username
    136. 

  136.         # doesn't exist. It should silently ensure that 
    137. 

  137.         # the generated authorized_keys file is deleted.
    138. 

  138.         # Once it's fixed, we should execute even if the 
    139. 

  139.         # file is gone.
    140. 

  140.         if( -f $event->path) {
    141. 

  141.           my $username = $watch_files { $event->path };
    142. 

  142.           $users{ $username } = 1;
    143. 

  143.         }
    144. 

  144.       }
    145. 

  145.     }
    146. 

  146.     for ((my $username) = each(%users)) {
    147. 

  147.       debug("Updating user: %s\n", $username);
    148. 

  148.       # FIXME: this call blocks until m-a u finishes running, i think.
    149. 

  149.       # what happens if other changes occur in the meantime?  Can we
    150. 

  150.       # rate-limit this?  Could we instead spawn child processes that
    151. 

  151.       # run this command directly?
    152. 

  152.       system('monkeysphere-authentication', 'update-users', $username);
    153. 

  153.     }
    154. 

  154.   }
    155. 

  155. }
    156. 

  156. 

  157. watch();
    158.
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-10 14:55:43 +0000