summaryrefslogtreecommitdiff
path: root/src/monkeysphere-authentication
blob: 56a8877d4293bf811fe7833c681ed8506ae2dcc8 (plain) 
    

  1. #!/usr/bin/env bash
    2. 

  2. 

  3. # monkeysphere-authentication: Monkeysphere authentication admin tool
    4. 

  4. #
    5. 

  5. # The monkeysphere scripts are written by:
    6. 

  6. # Jameson Rollins <jrollins@finestructure.net>
    7. 

  7. # Jamie McClelland <jm@mayfirst.org>
    8. 

  8. # Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    9. 

  9. # Micah Anderson <micah@riseup.net>
    10. 

  10. #
    11. 

  11. # They are Copyright 2008-2009, and are all released under the GPL,
    12. 

  12. # version 3 or later.
    13. 

  13. 

  14. ########################################################################
    15. 

  15. set -e
    16. 

  16. 

  17. PGRM=$(basename $0)
    18. 

  18. 

  19. SYSSHAREDIR=${MONKEYSPHERE_SYSSHAREDIR:-"/usr/share/monkeysphere"}
    20. 

  20. export SYSSHAREDIR
    21. 

  21. . "${SYSSHAREDIR}/common" || exit 1
    22. 

  22. 

  23. # sharedir for authentication functions
    24. 

  24. MASHAREDIR="${SYSSHAREDIR}/ma"
    25. 

  25. 

  26. SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
    27. 

  27. export SYSDATADIR
    28. 

  28. 

  29. # temp directory to enable atomic moves of authorized_keys files
    30. 

  30. MATMPDIR="${SYSDATADIR}/tmp"
    31. 

  31. export MSTMPDIR
    32. 

  32. 

  33. # UTC date in ISO 8601 format if needed
    34. 

  34. DATE=$(date -u '+%FT%T')
    35. 

  35. 

  36. # unset some environment variables that could screw things up
    37. 

  37. unset GREP_OPTIONS
    38. 

  38. 

  39. # default return code
    40. 

  40. RETURN=0
    41. 

  41. 

  42. ########################################################################
    43. 

  43. # FUNCTIONS
    44. 

  44. ########################################################################
    45. 

  45. 

  46. usage() {
    47. 

  47.     cat <<EOF >&2
    48. 

  48. usage: $PGRM <subcommand> [options] [args]
    49. 

  49. Monkeysphere authentication admin tool.
    50. 

  50. 

  51. subcommands:
    52. 

  52.  update-users (u) [USER]...          update user authorized_keys files
    53. 

  53.  add-id-certifier (c+) KEYID         import and tsign a certification key
    54. 

  54.    --domain (-n) DOMAIN                limit ID certifications to DOMAIN
    55. 

  55.    --trust (-t) TRUST                  trust level of certifier (full)
    56. 

  56.    --depth (-d) DEPTH                  trust depth for certifier (1)
    57. 

  57.  remove-id-certifier (c-) KEYID      remove a certification key
    58. 

  58.  list-id-certifiers (c)              list certification keys
    59. 

  59. 

  60.  expert
    61. 

  61.   diagnostics (d)                    monkeysphere authentication status
    62. 

  62.   gpg-cmd CMD                        execute gpg command
    63. 

  63. 

  64.  version (v)                         show version number
    65. 

  65.  help (h,?)                          this help
    66. 

  66. 

  67. EOF
    68. 

  68. }
    69. 

  69. 

  70. # function to run command as monkeysphere user
    71. 

  71. su_monkeysphere_user() {
    72. 

  72.     # if the current user is the monkeysphere user, then just eval
    73. 

  73.     # command
    74. 

  74.     if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
    75. 

  75.     eval "$@"
    76. 

  76. 

  77.     # otherwise su command as monkeysphere user
    78. 

  78.     else
    79. 

  79.     su "$MONKEYSPHERE_USER" -c "$@"
    80. 

  80.     fi
    81. 

  81. }
    82. 

  82. 

  83. # function to interact with the gpg core keyring
    84. 

  84. gpg_core() {
    85. 

  85.     local returnCode
    86. 

  86. 

  87.     GNUPGHOME="$GNUPGHOME_CORE"
    88. 

  88.     export GNUPGHOME
    89. 

  89. 

  90.     # NOTE: we supress this warning because we need the monkeysphere
    91. 

  91.     # user to be able to read the host pubring.  we realize this might
    92. 

  92.     # be problematic, but it's the simplest solution, without too much
    93. 

  93.     # loss of security.
    94. 

  94.     gpg --no-permission-warning "$@"
    95. 

  95.     returnCode="$?"
    96. 

  96. 

  97.     # always reset the permissions on the host pubring so that the
    98. 

  98.     # monkeysphere user can read the trust signatures
    99. 

  99.     chgrp "$MONKEYSPHERE_USER" "${GNUPGHOME_CORE}/pubring.gpg"
    100. 

  100.     chmod g+r "${GNUPGHOME_CORE}/pubring.gpg"
    101. 

  101.     
    102. 

  102.     return "$returnCode"
    103. 

  103. }
    104. 

  104. 

  105. # function to interact with the gpg sphere keyring
    106. 

  106. # FIXME: this function requires basically accepts only a single
    107. 

  107. # argument because of problems with quote expansion.  this needs to be
    108. 

  108. # fixed/improved.
    109. 

  109. gpg_sphere() {
    110. 

  110.     GNUPGHOME="$GNUPGHOME_SPHERE"
    111. 

  111.     export GNUPGHOME
    112. 

  112. 

  113.     su_monkeysphere_user "gpg $@"
    114. 

  114. }
    115. 

  115. 

  116. ########################################################################
    117. 

  117. # MAIN
    118. 

  118. ########################################################################
    119. 

  119. 

  120. # unset variables that should be defined only in config file
    121. 

  121. unset KEYSERVER
    122. 

  122. unset AUTHORIZED_USER_IDS
    123. 

  123. unset RAW_AUTHORIZED_KEYS
    124. 

  124. unset MONKEYSPHERE_USER
    125. 

  125. 

  126. # load configuration file
    127. 

  127. [ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG"
    128. 

  128. 

  129. # set empty config variable with ones from the environment, or with
    130. 

  130. # defaults
    131. 

  131. LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
    132. 

  132. KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
    133. 

  133. AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
    134. 

  134. RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
    135. 

  135. MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
    136. 

  136. 

  137. # other variables
    138. 

  138. CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
    139. 

  139. REQUIRED_USER_KEY_CAPABILITY=${MONKEYSPHERE_REQUIRED_USER_KEY_CAPABILITY:="a"}
    140. 

  140. GNUPGHOME_CORE=${MONKEYSPHERE_GNUPGHOME_CORE:="${SYSDATADIR}/authentication/core"}
    141. 

  141. GNUPGHOME_SPHERE=${MONKEYSPHERE_GNUPGHOME_SPHERE:="${SYSDATADIR}/authentication/sphere"}
    142. 

  142. 

  143. # export variables needed in su invocation
    144. 

  144. export DATE
    145. 

  145. export MODE
    146. 

  146. export LOG_LEVEL
    147. 

  147. export MONKEYSPHERE_USER
    148. 

  148. export KEYSERVER
    149. 

  149. export CHECK_KEYSERVER
    150. 

  150. export REQUIRED_USER_KEY_CAPABILITY
    151. 

  151. export GNUPGHOME_CORE
    152. 

  152. export GNUPGHOME_SPHERE
    153. 

  153. export GNUPGHOME
    154. 

  154. 

  155. # get subcommand
    156. 

  156. COMMAND="$1"
    157. 

  157. [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
    158. 

  158. shift
    159. 

  159. 

  160. case $COMMAND in
    161. 

  161.     'update-users'|'update-user'|'u')
    162. 

  162.     source "${MASHAREDIR}/update_users"
    163. 

  163.     update_users "$@"
    164. 

  164.     ;;
    165. 

  165. 

  166.     'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
    167. 

  167.     source "${MASHAREDIR}/add_certifier"
    168. 

  168.     add_certifier "$@"
    169. 

  169.     ;;
    170. 

  170. 

  171.     'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
    172. 

  172.     source "${MASHAREDIR}/remove_certifier"
    173. 

  173.     remove_certifier "$@"
    174. 

  174.     ;;
    175. 

  175. 

  176.     'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
    177. 

  177.     source "${MASHAREDIR}/list_certifiers"
    178. 

  178.     list_certifiers "$@"
    179. 

  179.     ;;
    180. 

  180. 

  181.     'expert'|'e')
    182. 

  182.     SUBCOMMAND="$1"
    183. 

  183.     shift
    184. 

  184.     case "$SUBCOMMAND" in
    185. 

  185.         'diagnostics'|'d')
    186. 

  186.         source "${MASHAREDIR}/diagnostics"
    187. 

  187.         diagnostics
    188. 

  188.         ;;
    189. 

  189. 

  190.         'gpg-cmd')
    191. 

  191.         gpg_sphere "$@"
    192. 

  192.         ;;
    193. 

  193. 

  194.         *)
    195. 

  195.         failure "Unknown expert subcommand: '$COMMAND'
    196. 

  196. Type '$PGRM help' for usage."
    197. 

  197.         ;;
    198. 

  198.     esac
    199. 

  199.     ;;
    200. 

  200. 

  201.     'version'|'v')
    202. 

  202.     echo "$VERSION"
    203. 

  203.     ;;
    204. 

  204. 

  205.     '--help'|'help'|'-h'|'h'|'?')
    206. 

  206.         usage
    207. 

  207.         ;;
    208. 

  208. 

  209.     *)
    210. 

  210.         failure "Unknown command: '$COMMAND'
    211. 

  211. Type '$PGRM help' for usage."
    212. 

  212.         ;;
    213. 

  213. esac
    214. 

  214. 

  215. exit "$RETURN"
    216.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-03 04:19:41 +0000