path: root/examples/monkeysphere-monitor-keys

#!/usr/bin/perl

# This script automatically runs:
#
#   monkeysphere-authentication update-users <user>
#
# every time it detects a change in an authorized_keys or authorized_user_ids
# file. The update-users command operates on the username that owns the file
# that was updated.
#
# The list of files to monitor is generated from the AUTHORIZED_USER_IDS and
# RAW_AUTHORIZED_KEYS variables found in
# /etc/monkeysphere/monkeysphere-authentication.conf and expanded using a list
# of users on the system.
#
# Additionally, the /var/lib/monkeysphere/user-update/lastchange file is
# monitored. If a change is made to that file, the list of files to monitor is
# re-generated based on a fresh listing of users. If you run a hook on user
# creation and deletion that generates a file in this directory, you can ensure
# that the list of files to monitor is always up-to-date.
#
# On debian system you can install required perl modules with: aptitude install
# libfile-changenotify-perl libfile-spec-perl libconfig-general-perl
#
# This script is designed to run at system start and should be run with root
# privileges.
#
# File::ChangeNotify is cross platform - it will choose a sub class for
# monitoring file system changes appropriate to your operating system (if you
# are running Linux, liblinux-inotify2-perl is recommended).

# FIXME: does this handle revocations and re-keying?  if a sysadmin
# switches over to this arrangement, how will the system check for
# revocations?  Scheduling a simple gpg --refresh should handle
# revocations.  I'm not sure how to best handle re-keyings.

use strict;
use warnings;
use File::ChangeNotify;
use File::Basename;
use File::Spec;
use Config::General;

my $user_update_file = '/var/lib/monkeysphere/user-update/lastchange';
my $debug = 0;
if (defined($ENV{MONKEYSPHERE_LOG_LEVEL}) &&
    $ENV{MONKEYSPHERE_LOG_LEVEL} =~ /^debug/i) {
  $debug = 1;
}

sub debug {
  printf STDERR @_
    if ($debug eq 1);
}

sub get_watch_files() {
  my @watch_files;
  my %key_file_locations = get_key_file_locations();
  # get list of users on the system
  while(my ($name, $passwd, $uid, $gid, $gcos, $dir, $shell, $home) = getpwent()) {
    while (my ($key, $file) = each (%key_file_locations)) {
      $file =~ s/%h/$home/;
      $file =~ s/%u/$name/;
      push(@watch_files,$file);
    }
  }
  endpwent();
  push(@watch_files,$user_update_file);
  return @watch_files;
}

sub get_key_file_locations {
  # set defaults
  my %key_file_locations;
  $key_file_locations{ 'authorized_user_ids' } = '%h/.monkeysphere/authorized_user_ids';
  $key_file_locations{ 'authorized_keys' } = '%h/.ssh/authorized_keys';

  # check monkeysphere-authentication configuration
  my $config_file = '/etc/monkeysphere/monkeysphere-authentication.conf';
  if (-f $config_file) {
    if (-r $config_file) {
      my %config;
      %config = Config::General::ParseConfig($config_file);
      if (exists $config{'AUTHORIZED_USER_IDS'}) {
        $key_file_locations{'authorized_user_ids'} = $config{'AUTHORIZED_USER_IDS'};
      }
      if (exists $config{'RAW_AUTHORIZED_KEYS'}) {
        $key_file_locations{'authorized_keys'} = $config{'RAW_AUTHORIZED_KEYS'};
      }
    }
  }
  return %key_file_locations;
}

sub get_watcher {
  my @filters;
  my @dirs;

  my(@files) = get_watch_files();
  for my $file (@files) {
    my $dir = dirname($file);
    if ( -d $dir && !grep $_ eq $dir, @dirs ) {
      debug("Watching dir: %s\n", $dir);
      push(@dirs,$dir);
      my $file = basename($file);
      if ( !grep $_ eq $file, @filters ) {
        debug("Adding file filter: %s\n", $file);
        push(@filters,$file);
      }
    }
  }

  # create combined file filters to limit our monitor

  # FIXME: what if the elements of @filters have some regex characters
  # in them?  this seems like it could match all kinds of crazy stuff

  my $filter = '^(' . join("|",@filters) . ')$';

  # return a watcher object
  return my $watcher =
    File::ChangeNotify->instantiate_watcher
      ( directories => [ @dirs ],
        filter      => qr/$filter/,
      );
}

sub watch {
  my $watcher = get_watcher();
  while ( my @events = $watcher->wait_for_events() ) {
    my @users;
    for my $event (@events) {
      if($event->path eq "$user_update_file") {
        debug("Reloading user list\n");
        $watcher = get_watcher();
      } else {
        # if user deleted, file might not exist
        if( -f $event->path) {
          # FIXME: how is this choosing a username?  What if the
          # sysadmin controls these files instead of the user?
          # (e.g. /etc/monkeysphere/authorized_user_ids/%u) then won't
          # the owner be the superuser each time?

          # Is there some more clever way that we can get back to the
          # user from the path itself?  maybe we store a lookup table
          # when we're generating the path list and refer back to it?
          my $username = getpwuid((stat($event->path))[4]);

          # FIXME: this seems like it is trying to treat an array as a
          # set.  Maybe it'd be better to use the keys of a hash (or
          # hashref) instead?
          if ( !grep $_ eq $username, @users ) {
            push(@users,$username);
          }
        }
      }
    }
    for my $user (@users) {
      debug("Updating user: %s\n", $user);
      # FIXME: this call blocks until m-a u finishes running, i think.
      # what happens if other changes occur in the meantime?  Can we
      # rate-limit this?  Could we instead spawn child processes that
      # run this command directly?
      system('monkeysphere-authentication', 'update-users', $user);
    }
  }
}

watch();