summaryrefslogtreecommitdiff
path: root/src/common
blob: 9c76bd1e7e236b1d7183e1c6236ee70e083b9ee4 (plain)
  1. # -*-shell-script-*-
  2. # Shared sh functions for the monkeysphere
  3. #
  4. # Written by
  5. # Jameson Rollins <jrollins@fifthhorseman.net>
  6. #
  7. # Copyright 2008, released under the GPL, version 3 or later
  8. # all-caps variables are meant to be user supplied (ie. from config
  9. # file) and are considered global
  10. ########################################################################
  11. ### COMMON VARIABLES
  12. # managed directories
  13. ETC="/etc/monkeysphere"
  14. export ETC
  15. ########################################################################
  16. ### UTILITY FUNCTIONS
  17. # failure function. exits with code 255, unless specified otherwise.
  18. failure() {
  19. echo "$1" >&2
  20. exit ${2:-'255'}
  21. }
  22. # write output to stderr
  23. log() {
  24. echo -n "ms: " >&2
  25. echo "$@" >&2
  26. }
  27. loge() {
  28. echo "$@" >&2
  29. }
  30. # cut out all comments(#) and blank lines from standard input
  31. meat() {
  32. grep -v -e "^[[:space:]]*#" -e '^$' "$1"
  33. }
  34. # cut a specified line from standard input
  35. cutline() {
  36. head --line="$1" "$2" | tail -1
  37. }
  38. # check that characters are in a string (in an AND fashion).
  39. # used for checking key capability
  40. # check_capability capability a [b...]
  41. check_capability() {
  42. local usage
  43. local capcheck
  44. usage="$1"
  45. shift 1
  46. for capcheck ; do
  47. if echo "$usage" | grep -q -v "$capcheck" ; then
  48. return 1
  49. fi
  50. done
  51. return 0
  52. }
  53. # hash of a file
  54. file_hash() {
  55. md5sum "$1" 2> /dev/null
  56. }
  57. # convert escaped characters from gpg output back into original
  58. # character
  59. # FIXME: undo all escape character translation in with-colons gpg output
  60. unescape() {
  61. echo "$1" | sed 's/\\x3a/:/g'
  62. }
  63. # remove all lines with specified string from specified file
  64. remove_line() {
  65. local file
  66. local string
  67. file="$1"
  68. string="$2"
  69. if [ -z "$file" -o -z "$string" ] ; then
  70. return 1
  71. fi
  72. if [ ! -e "$file" ] ; then
  73. return 1
  74. fi
  75. # if the string is in the file...
  76. if grep -q -F "$string" "$file" 2> /dev/null ; then
  77. # remove the line with the string, and return 0
  78. grep -v -F "$string" "$file" | sponge "$file"
  79. return 0
  80. # otherwise return 1
  81. else
  82. return 1
  83. fi
  84. }
  85. # remove all lines with MonkeySphere strings in file
  86. remove_monkeysphere_lines() {
  87. local file
  88. file="$1"
  89. if [ -z "$file" ] ; then
  90. return 1
  91. fi
  92. if [ ! -e "$file" ] ; then
  93. return 1
  94. fi
  95. egrep -v '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$' \
  96. "$file" | sponge "$file"
  97. }
  98. # translate ssh-style path variables %h and %u
  99. translate_ssh_variables() {
  100. local uname
  101. local home
  102. uname="$1"
  103. path="$2"
  104. # get the user's home directory
  105. userHome=$(getent passwd "$uname" | cut -d: -f6)
  106. # translate '%u' to user name
  107. path=${path/\%u/"$uname"}
  108. # translate '%h' to user home directory
  109. path=${path/\%h/"$userHome"}
  110. echo "$path"
  111. }
  112. # test that a string to conforms to GPG's expiration format
  113. test_gpg_expire() {
  114. echo "$1" | egrep -q "^[0-9]+[mwy]?$"
  115. }
  116. # check that a file is properly owned, and that all it's parent
  117. # directories are not group/other writable
  118. check_key_file_permissions() {
  119. local user
  120. local path
  121. local access
  122. local gAccess
  123. local oAccess
  124. # function to check that an octal corresponds to writability
  125. is_write() {
  126. [ "$1" -eq 2 -o "$1" -eq 3 -o "$1" -eq 6 -o "$1" -eq 7 ]
  127. }
  128. user="$1"
  129. path="$2"
  130. # return 0 is path does not exist
  131. [ -e "$path" ] || return 0
  132. owner=$(stat --format '%U' "$path")
  133. access=$(stat --format '%a' "$path")
  134. gAccess=$(echo "$access" | cut -c2)
  135. oAccess=$(echo "$access" | cut -c3)
  136. # check owner
  137. if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then
  138. return 1
  139. fi
  140. # check group/other writability
  141. if is_write "$gAccess" || is_write "$oAccess" ; then
  142. return 2
  143. fi
  144. if [ "$path" = '/' ] ; then
  145. return 0
  146. else
  147. check_key_file_permissions $(dirname "$path")
  148. fi
  149. }
  150. ### CONVERSION UTILITIES
  151. # output the ssh key for a given key ID
  152. gpg2ssh() {
  153. local keyID
  154. keyID="$1"
  155. gpg --export "$keyID" | openpgp2ssh "$keyID" 2> /dev/null
  156. }
  157. # output known_hosts line from ssh key
  158. ssh2known_hosts() {
  159. local host
  160. local key
  161. host="$1"
  162. key="$2"
  163. echo -n "$host "
  164. echo -n "$key" | tr -d '\n'
  165. echo " MonkeySphere${DATE}"
  166. }
  167. # output authorized_keys line from ssh key
  168. ssh2authorized_keys() {
  169. local userID
  170. local key
  171. userID="$1"
  172. key="$2"
  173. echo -n "$key" | tr -d '\n'
  174. echo " MonkeySphere${DATE} ${userID}"
  175. }
  176. # convert key from gpg to ssh known_hosts format
  177. gpg2known_hosts() {
  178. local host
  179. local keyID
  180. host="$1"
  181. keyID="$2"
  182. # NOTE: it seems that ssh-keygen -R removes all comment fields from
  183. # all lines in the known_hosts file. why?
  184. # NOTE: just in case, the COMMENT can be matched with the
  185. # following regexp:
  186. # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
  187. echo -n "$host "
  188. gpg2ssh "$keyID" | tr -d '\n'
  189. echo " MonkeySphere${DATE}"
  190. }
  191. # convert key from gpg to ssh authorized_keys format
  192. gpg2authorized_keys() {
  193. local userID
  194. local keyID
  195. userID="$1"
  196. keyID="$2"
  197. # NOTE: just in case, the COMMENT can be matched with the
  198. # following regexp:
  199. # '^MonkeySphere[[:digit:]]{4}(-[[:digit:]]{2}){2}T[[:digit:]]{2}(:[[:digit:]]{2}){2}$'
  200. gpg2ssh "$keyID" | tr -d '\n'
  201. echo " MonkeySphere${DATE} ${userID}"
  202. }
  203. ### GPG UTILITIES
  204. # retrieve all keys with given user id from keyserver
  205. # FIXME: need to figure out how to retrieve all matching keys
  206. # (not just first N (5 in this case))
  207. gpg_fetch_userid() {
  208. local userID
  209. local returnCode
  210. if [ "$CHECK_KEYSERVER" != 'true' ] ; then
  211. return 0
  212. fi
  213. userID="$1"
  214. log -n " checking keyserver $KEYSERVER... "
  215. echo 1,2,3,4,5 | \
  216. gpg --quiet --batch --with-colons \
  217. --command-fd 0 --keyserver "$KEYSERVER" \
  218. --search ="$userID" > /dev/null 2>&1
  219. returnCode="$?"
  220. loge "done."
  221. # if the user is the monkeysphere user, then update the
  222. # monkeysphere user's trustdb
  223. if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
  224. gpg_authentication "--check-trustdb" > /dev/null 2>&1
  225. fi
  226. return "$returnCode"
  227. }
  228. ########################################################################
  229. ### PROCESSING FUNCTIONS
  230. # userid and key policy checking
  231. # the following checks policy on the returned keys
  232. # - checks that full key has appropriate valididy (u|f)
  233. # - checks key has specified capability (REQUIRED_*_KEY_CAPABILITY)
  234. # - checks that requested user ID has appropriate validity
  235. # (see /usr/share/doc/gnupg/DETAILS.gz)
  236. # output is one line for every found key, in the following format:
  237. #
  238. # flag:fingerprint
  239. #
  240. # "flag" is an acceptability flag, 0 = ok, 1 = bad
  241. # "fingerprint" is the fingerprint of the key
  242. #
  243. # expects global variable: "MODE"
  244. process_user_id() {
  245. local userID
  246. local requiredCapability
  247. local requiredPubCapability
  248. local gpgOut
  249. local type
  250. local validity
  251. local keyid
  252. local uidfpr
  253. local usage
  254. local keyOK
  255. local uidOK
  256. local lastKey
  257. local lastKeyOK
  258. local fingerprint
  259. userID="$1"
  260. # set the required key capability based on the mode
  261. if [ "$MODE" = 'known_hosts' ] ; then
  262. requiredCapability="$REQUIRED_HOST_KEY_CAPABILITY"
  263. elif [ "$MODE" = 'authorized_keys' ] ; then
  264. requiredCapability="$REQUIRED_USER_KEY_CAPABILITY"
  265. fi
  266. requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
  267. # fetch the user ID if necessary/requested
  268. gpg_fetch_userid "$userID"
  269. # output gpg info for (exact) userid and store
  270. gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \
  271. --with-fingerprint --with-fingerprint \
  272. ="$userID" 2>/dev/null)
  273. # if the gpg query return code is not 0, return 1
  274. if [ "$?" -ne 0 ] ; then
  275. log " no primary keys found."
  276. return 1
  277. fi
  278. # loop over all lines in the gpg output and process.
  279. echo "$gpgOut" | cut -d: -f1,2,5,10,12 | \
  280. while IFS=: read -r type validity keyid uidfpr usage ; do
  281. # process based on record type
  282. case $type in
  283. 'pub') # primary keys
  284. # new key, wipe the slate
  285. keyOK=
  286. uidOK=
  287. lastKey=pub
  288. lastKeyOK=
  289. fingerprint=
  290. log " primary key found: $keyid"
  291. # if overall key is not valid, skip
  292. if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
  293. log " - unacceptable primary key validity ($validity)."
  294. continue
  295. fi
  296. # if overall key is disabled, skip
  297. if check_capability "$usage" 'D' ; then
  298. log " - key disabled."
  299. continue
  300. fi
  301. # if overall key capability is not ok, skip
  302. if ! check_capability "$usage" $requiredPubCapability ; then
  303. log " - unacceptable primary key capability ($usage)."
  304. continue
  305. fi
  306. # mark overall key as ok
  307. keyOK=true
  308. # mark primary key as ok if capability is ok
  309. if check_capability "$usage" $requiredCapability ; then
  310. lastKeyOK=true
  311. fi
  312. ;;
  313. 'uid') # user ids
  314. if [ "$lastKey" != pub ] ; then
  315. log " - got a user ID after a sub key! user IDs should only follow primary keys!"
  316. continue
  317. fi
  318. # don't bother with a uid if there is no valid or reasonable primary key.
  319. if [ "$keyOK" != true ] ; then
  320. continue
  321. fi
  322. # if an acceptable user ID was already found, skip
  323. if [ "$uidOK" ] ; then
  324. continue
  325. fi
  326. # if the user ID does not match, skip
  327. if [ "$(unescape "$uidfpr")" != "$userID" ] ; then
  328. continue
  329. fi
  330. # if the user ID validity is not ok, skip
  331. if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
  332. continue
  333. fi
  334. # mark user ID acceptable
  335. uidOK=true
  336. # output a line for the primary key
  337. # 0 = ok, 1 = bad
  338. if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
  339. log " * acceptable primary key."
  340. if [ -z "$sshKey" ] ; then
  341. log " ! primary key could not be translated (not RSA or DSA?)."
  342. else
  343. echo "0:${sshKey}"
  344. fi
  345. else
  346. log " - unacceptable primary key."
  347. if [ -z "$sshKey" ] ; then
  348. log " ! primary key could not be translated (not RSA or DSA?)."
  349. else
  350. echo "1:${sshKey}"
  351. fi
  352. fi
  353. ;;
  354. 'sub') # sub keys
  355. # unset acceptability of last key
  356. lastKey=sub
  357. lastKeyOK=
  358. fingerprint=
  359. # don't bother with sub keys if the primary key is not valid
  360. if [ "$keyOK" != true ] ; then
  361. continue
  362. fi
  363. # don't bother with sub keys if no user ID is acceptable:
  364. if [ "$uidOK" != true ] ; then
  365. continue
  366. fi
  367. # if sub key validity is not ok, skip
  368. if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then
  369. continue
  370. fi
  371. # if sub key capability is not ok, skip
  372. if ! check_capability "$usage" $requiredCapability ; then
  373. continue
  374. fi
  375. # mark sub key as ok
  376. lastKeyOK=true
  377. ;;
  378. 'fpr') # key fingerprint
  379. fingerprint="$uidfpr"
  380. sshKey=$(gpg2ssh "$fingerprint")
  381. # if the last key was the pub key, skip
  382. if [ "$lastKey" = pub ] ; then
  383. continue
  384. fi
  385. # output a line for the sub key
  386. # 0 = ok, 1 = bad
  387. if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then
  388. log " * acceptable sub key."
  389. if [ -z "$sshKey" ] ; then
  390. log " ! sub key could not be translated (not RSA or DSA?)."
  391. else
  392. echo "0:${sshKey}"
  393. fi
  394. else
  395. log " - unacceptable sub key."
  396. if [ -z "$sshKey" ] ; then
  397. log " ! sub key could not be translated (not RSA or DSA?)."
  398. else
  399. echo "1:${sshKey}"
  400. fi
  401. fi
  402. ;;
  403. esac
  404. done
  405. }
  406. # process a single host in the known_host file
  407. process_host_known_hosts() {
  408. local host
  409. local userID
  410. local nKeys
  411. local nKeysOK
  412. local ok
  413. local sshKey
  414. local tmpfile
  415. host="$1"
  416. log "processing: $host"
  417. userID="ssh://${host}"
  418. nKeys=0
  419. nKeysOK=0
  420. IFS=$'\n'
  421. for line in $(process_user_id "ssh://${host}") ; do
  422. # note that key was found
  423. nKeys=$((nKeys+1))
  424. ok=$(echo "$line" | cut -d: -f1)
  425. sshKey=$(echo "$line" | cut -d: -f2)
  426. if [ -z "$sshKey" ] ; then
  427. continue
  428. fi
  429. # remove the old host key line, and note if removed
  430. remove_line "$KNOWN_HOSTS" "$sshKey"
  431. # if key OK, add new host line
  432. if [ "$ok" -eq '0' ] ; then
  433. # note that key was found ok
  434. nKeysOK=$((nKeysOK+1))
  435. # hash if specified
  436. if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
  437. # FIXME: this is really hackish cause ssh-keygen won't
  438. # hash from stdin to stdout
  439. tmpfile=$(mktemp)
  440. ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
  441. ssh-keygen -H -f "$tmpfile" 2> /dev/null
  442. cat "$tmpfile" >> "$KNOWN_HOSTS"
  443. rm -f "$tmpfile" "${tmpfile}.old"
  444. else
  445. ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
  446. fi
  447. fi
  448. done
  449. # if at least one key was found...
  450. if [ "$nKeys" -gt 0 ] ; then
  451. # if ok keys were found, return 0
  452. if [ "$nKeysOK" -gt 0 ] ; then
  453. return 0
  454. # else return 2
  455. else
  456. return 2
  457. fi
  458. # if no keys were found, return 1
  459. else
  460. return 1
  461. fi
  462. }
  463. # update the known_hosts file for a set of hosts listed on command
  464. # line
  465. update_known_hosts() {
  466. local nHosts
  467. local nHostsOK
  468. local nHostsBAD
  469. local fileCheck
  470. local host
  471. # the number of hosts specified on command line
  472. nHosts="$#"
  473. nHostsOK=0
  474. nHostsBAD=0
  475. # set the trap to remove any lockfiles on exit
  476. trap "lockfile-remove $KNOWN_HOSTS" EXIT
  477. # create a lockfile on known_hosts
  478. lockfile-create "$KNOWN_HOSTS"
  479. # note pre update file checksum
  480. fileCheck="$(file_hash "$KNOWN_HOSTS")"
  481. for host ; do
  482. # process the host
  483. process_host_known_hosts "$host"
  484. # note the result
  485. case "$?" in
  486. 0)
  487. nHostsOK=$((nHostsOK+1))
  488. ;;
  489. 2)
  490. nHostsBAD=$((nHostsBAD+1))
  491. ;;
  492. esac
  493. # touch the lockfile, for good measure.
  494. lockfile-touch --oneshot "$KNOWN_HOSTS"
  495. done
  496. # remove the lockfile
  497. lockfile-remove "$KNOWN_HOSTS"
  498. # note if the known_hosts file was updated
  499. if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then
  500. log "known_hosts file updated."
  501. fi
  502. # if an acceptable host was found, return 0
  503. if [ "$nHostsOK" -gt 0 ] ; then
  504. return 0
  505. # else if no ok hosts were found...
  506. else
  507. # if no bad host were found then no hosts were found at all,
  508. # and return 1
  509. if [ "$nHostsBAD" -eq 0 ] ; then
  510. return 1
  511. # else if at least one bad host was found, return 2
  512. else
  513. return 2
  514. fi
  515. fi
  516. }
  517. # process hosts from a known_hosts file
  518. process_known_hosts() {
  519. local hosts
  520. log "processing known_hosts file..."
  521. hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ')
  522. if [ -z "$hosts" ] ; then
  523. log "no hosts to process."
  524. return
  525. fi
  526. # take all the hosts from the known_hosts file (first
  527. # field), grep out all the hashed hosts (lines starting
  528. # with '|')...
  529. update_known_hosts $hosts
  530. }
  531. # process uids for the authorized_keys file
  532. process_uid_authorized_keys() {
  533. local userID
  534. local nKeys
  535. local nKeysOK
  536. local ok
  537. local sshKey
  538. userID="$1"
  539. log "processing: $userID"
  540. nKeys=0
  541. nKeysOK=0
  542. IFS=$'\n'
  543. for line in $(process_user_id "$userID") ; do
  544. # note that key was found
  545. nKeys=$((nKeys+1))
  546. ok=$(echo "$line" | cut -d: -f1)
  547. sshKey=$(echo "$line" | cut -d: -f2)
  548. if [ -z "$sshKey" ] ; then
  549. continue
  550. fi
  551. # remove the old host key line
  552. remove_line "$AUTHORIZED_KEYS" "$sshKey"
  553. # if key OK, add new host line
  554. if [ "$ok" -eq '0' ] ; then
  555. # note that key was found ok
  556. nKeysOK=$((nKeysOK+1))
  557. ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
  558. fi
  559. done
  560. # if at least one key was found...
  561. if [ "$nKeys" -gt 0 ] ; then
  562. # if ok keys were found, return 0
  563. if [ "$nKeysOK" -gt 0 ] ; then
  564. return 0
  565. # else return 2
  566. else
  567. return 2
  568. fi
  569. # if no keys were found, return 1
  570. else
  571. return 1
  572. fi
  573. }
  574. # update the authorized_keys files from a list of user IDs on command
  575. # line
  576. update_authorized_keys() {
  577. local userID
  578. local nIDs
  579. local nIDsOK
  580. local nIDsBAD
  581. local fileCheck
  582. # the number of ids specified on command line
  583. nIDs="$#"
  584. nIDsOK=0
  585. nIDsBAD=0
  586. # set the trap to remove any lockfiles on exit
  587. trap "lockfile-remove $AUTHORIZED_KEYS" EXIT
  588. # create a lockfile on authorized_keys
  589. lockfile-create "$AUTHORIZED_KEYS"
  590. # note pre update file checksum
  591. fileCheck="$(file_hash "$AUTHORIZED_KEYS")"
  592. # remove any monkeysphere lines from authorized_keys file
  593. remove_monkeysphere_lines "$AUTHORIZED_KEYS"
  594. for userID ; do
  595. # process the user ID, change return code if key not found for
  596. # user ID
  597. process_uid_authorized_keys "$userID"
  598. # note the result
  599. case "$?" in
  600. 0)
  601. nIDsOK=$((nIDsOK+1))
  602. ;;
  603. 2)
  604. nIDsBAD=$((nIDsBAD+1))
  605. ;;
  606. esac
  607. # touch the lockfile, for good measure.
  608. lockfile-touch --oneshot "$AUTHORIZED_KEYS"
  609. done
  610. # remove the lockfile
  611. lockfile-remove "$AUTHORIZED_KEYS"
  612. # note if the authorized_keys file was updated
  613. if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then
  614. log "authorized_keys file updated."
  615. fi
  616. # if an acceptable id was found, return 0
  617. if [ "$nIDsOK" -gt 0 ] ; then
  618. return 0
  619. # else if no ok ids were found...
  620. else
  621. # if no bad ids were found then no ids were found at all, and
  622. # return 1
  623. if [ "$nIDsBAD" -eq 0 ] ; then
  624. return 1
  625. # else if at least one bad id was found, return 2
  626. else
  627. return 2
  628. fi
  629. fi
  630. }
  631. # process an authorized_user_ids file for authorized_keys
  632. process_authorized_user_ids() {
  633. local line
  634. local nline
  635. local userIDs
  636. authorizedUserIDs="$1"
  637. log "processing authorized_user_ids file..."
  638. if ! meat "$authorizedUserIDs" > /dev/null ; then
  639. log "no user IDs to process."
  640. return
  641. fi
  642. nline=0
  643. # extract user IDs from authorized_user_ids file
  644. IFS=$'\n'
  645. for line in $(meat "$authorizedUserIDs") ; do
  646. userIDs["$nline"]="$line"
  647. nline=$((nline+1))
  648. done
  649. update_authorized_keys "${userIDs[@]}"
  650. }