
#
# perhaps we want to verify that the key files are actually the key files we expect.
# we could use 'file' for this:
#
# > file ~/.gnupg/00440025.asc
# ~/.gnupg/00440025.asc: PGP public key block
#
# > file ~/.ssh/id_rsa.pub
# ~/.ssh/id_rsa.pub: OpenSSH RSA public key
#

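module LeapCli
  module Commands

    desc 'Adds a new trusted sysadmin by adding public keys to the "users" directory.'
    arg_name 'USERNAME' #, :optional => false, :multiple => false
    command :'add-user' do |c|

      c.switch 'self', :desc => 'Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.', :negatable => false
      c.flag 'ssh-pub-key', :desc => 'SSH public key file for this new user'
      c.flag 'pgp-pub-key', :desc => 'OpenPGP public key file for this new user'

      #
      # Writes the new sysadmin's SSH public key (required) and OpenPGP public
      # key (optional) into the "users" directory and regenerates authorized_keys.
      # Keys come either from the --ssh-pub-key / --pgp-pub-key files or, with
      # --self, from the current user's ~/.ssh, ssh-agent and gpg keyring.
      #
      c.action do |global_options,options,args|
        username = args.first
        if username.nil? || username.empty?
          if options[:self]
            # plain assignment (not ||=) so an empty-string USERNAME is replaced too
            username = `whoami`.strip
          else
            help! "Either USERNAME argument or --self flag is required."
          end
        end
        if Leap::Platform.reserved_usernames.include? username
          bail! %(The username "#{username}" is reserved. Sorry, pick another.)
        end

        # keys given explicitly on the command line are checked so that a
        # private key file passed by mistake is never written into the repo.
        ssh_pub_key = read_public_key!(options['ssh-pub-key']) if options['ssh-pub-key']
        pgp_pub_key = read_public_key!(options['pgp-pub-key']) if options['pgp-pub-key']

        if options[:self]
          ssh_pub_key ||= pick_ssh_key.to_s
          pgp_pub_key ||= pick_pgp_key
        end

        # an empty key file would silently produce an unusable users/ entry
        assert!(ssh_pub_key && !ssh_pub_key.strip.empty?, 'Sorry, could not find SSH public key.')

        write_file!([:user_ssh, username], ssh_pub_key)
        write_file!([:user_pgp, username], pgp_pub_key) if pgp_pub_key

        update_authorized_keys
      end
    end

    #
    # read a key file given on the command line, refusing anything that looks
    # like private key material (e.g. `--ssh-pub-key ~/.ssh/id_rsa` typed by
    # mistake) so it cannot end up committed to the provider directory.
    #
    # path -- file name as given by the user; read_file! bails if it is unreadable.
    # returns the file contents as a String.
    #
    def read_public_key!(path)
      contents = read_file!(path)
      if contents =~ /PRIVATE KEY/
        bail! %(The file "#{path}" looks like a PRIVATE key. Only public keys belong in the "users" directory.)
      end
      contents
    end

    #
    # let the user choose among the ssh public keys that we encounter, or just pick the key if there is only one.
    #
    # Candidates are ~/.ssh/*.pub plus the keys currently held by ssh-agent
    # (those get the comment 'ssh-agent'). Bails if no key is found.
    # returns the chosen SshKey.
    #
    def pick_ssh_key
      ssh_keys = Dir.glob(File.join(Dir.home, '.ssh', '*.pub')).map { |keyfile| SshKey.load(keyfile) }.compact

      unless `which ssh-add`.strip.empty?
        `ssh-add -L 2> /dev/null`.split("\n").each do |line|
          key = SshKey.load(line)
          next unless key
          key.comment = 'ssh-agent'
          ssh_keys << key unless ssh_keys.include?(key)
        end
      end

      assert! ssh_keys.any?, 'Sorry, could not find any SSH public key for you. Have you run ssh-keygen?'

      key_index = 0
      if ssh_keys.length > 1
        key_index = numbered_choice_menu('Choose your SSH public key', ssh_keys.map(&:summary)) do |line, i|
          say("#{i+1}. #{line}")
        end
      end

      ssh_keys[key_index]
    end

    #
    # let the user choose among the gpg public keys that we encounter, or just pick the key if there is only one.
    #
    # Returns the armored, minimal (signature-free) export of the chosen key as
    # a String, or nil when gpg / the gpgme gem / a usable secret key is missing.
    #
    def pick_pgp_key
      return if `which gpg`.strip.empty?
      begin
        require 'gpgme'
      rescue LoadError
        log "Skipping OpenPGP setup because the gpgme gem is not available"
        return
      end

      # drop expired keys BEFORE the emptiness check: with only expired keys the
      # original order left an empty list and crashed on secret_keys[0].sha
      secret_keys = GPGME::Key.find(:secret).reject(&:expired)
      if secret_keys.empty?
        log "Skipping OpenPGP setup because I could not find any OpenPGP keys for you"
        return nil
      end

      key_index = 0
      if secret_keys.length > 1
        key_index = numbered_choice_menu('Choose your OpenPGP public key', secret_keys) do |key, i|
          # show the first two lines of Key#to_s without their leading sec/uid labels
          key_info = key.to_s.split("\n")[0..1].map{|line| line.sub(/^\s*(sec|uid)\s*/,'')}.join(' -- ')
          say("#{i+1}. #{key_info}")
        end
      end

      key_id = secret_keys[key_index].sha

      # can't use this, it includes signatures:
      #puts GPGME::Key.export(key_id, :armor => true, :export_options => :export_minimal)

      # export with signatures removed; argv form so the key id never passes
      # through a shell.
      exported = IO.popen(['gpg', '--armor', '--export-options', 'export-minimal', '--export', key_id], &:read).strip
      if exported.empty?
        log "Skipping OpenPGP setup because gpg did not export key #{key_id}"
        return nil
      end
      exported
    end

  end
end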