Diffstat (limited to 'lib/leap_cli/commands/user.rb')
-rw-r--r--lib/leap_cli/commands/user.rb130
1 files changed, 97 insertions, 33 deletions
diff --git a/lib/leap_cli/commands/user.rb b/lib/leap_cli/commands/user.rb
index b842e854..1ca92719 100644
--- a/lib/leap_cli/commands/user.rb
+++ b/lib/leap_cli/commands/user.rb
@@ -13,67 +13,131 @@
module LeapCli
module Commands
- desc 'Adds a new trusted sysadmin by adding public keys to the "users" directory.'
- arg_name 'USERNAME' #, :optional => false, :multiple => false
+ desc 'Manage trusted sysadmins (DEPRECATED)'
+ long_desc "Use `leap user add` instead"
command :'add-user' do |c|
-
c.switch 'self', :desc => 'Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.', :negatable => false
c.flag 'ssh-pub-key', :desc => 'SSH public key file for this new user'
c.flag 'pgp-pub-key', :desc => 'OpenPGP public key file for this new user'
-
c.action do |global_options,options,args|
- username = args.first
- if !username.any?
- if options[:self]
- username ||= `whoami`.strip
- else
- help! "Either USERNAME argument or --self flag is required."
- end
- end
- if Leap::Platform.reserved_usernames.include? username
- bail! %(The username "#{username}" is reserved. Sorry, pick another.)
- end
+ do_add_user(global_options, options, args)
+ end
+ end
- ssh_pub_key = nil
- pgp_pub_key = nil
+ desc 'Manage trusted sysadmins'
+ long_desc "Manage the trusted sysadmins that are configured in the 'users' directory."
+ command :user do |user|
+
+ user.desc 'Adds a new trusted sysadmin'
+ user.arg_name 'USERNAME'
+ user.command :add do |c|
+ c.switch 'self', :desc => 'Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.', :negatable => false
+ c.flag 'ssh-pub-key', :desc => 'SSH public key file for this new user'
+ c.flag 'pgp-pub-key', :desc => 'OpenPGP public key file for this new user'
+ c.action do |global_options,options,args|
+ do_add_user(global_options, options, args)
+ end
+ end
- if options['ssh-pub-key']
- ssh_pub_key = read_file!(options['ssh-pub-key'])
+ user.desc 'Removes a trusted sysadmin'
+ user.arg_name 'USERNAME'
+ user.command :rm do |c|
+ c.action do |global_options,options,args|
+ do_rm_user(global_options, options, args)
end
- if options['pgp-pub-key']
- pgp_pub_key = read_file!(options['pgp-pub-key'])
+ end
+
+ user.desc 'Lists the configured sysadmins'
+ user.command :ls do |c|
+ c.action do |global_options,options,args|
+ do_list_users(global_options, options, args)
end
+ end
+
+ end
+ private
+
+ def do_add_user(global, options, args)
+ require 'leap_cli/ssh'
+
+ username = args.first
+ if !username.any?
if options[:self]
- ssh_pub_key ||= pick_ssh_key.to_s
- pgp_pub_key ||= pick_pgp_key
+ username ||= `whoami`.strip
+ else
+ help! "Either USERNAME argument or --self flag is required."
end
+ end
+ if Leap::Platform.reserved_usernames.include? username
+ bail! %(The username "#{username}" is reserved. Sorry, pick another.)
+ end
- assert!(ssh_pub_key, 'Sorry, could not find SSH public key.')
+ ssh_pub_key = nil
+ pgp_pub_key = nil
- if ssh_pub_key
- write_file!([:user_ssh, username], ssh_pub_key)
- end
- if pgp_pub_key
- write_file!([:user_pgp, username], pgp_pub_key)
- end
+ if options['ssh-pub-key']
+ ssh_pub_key = read_file!(options['ssh-pub-key'])
+ end
+ if options['pgp-pub-key']
+ pgp_pub_key = read_file!(options['pgp-pub-key'])
+ end
+ if options[:self]
+ ssh_pub_key ||= pick_ssh_key.to_s
+ pgp_pub_key ||= pick_pgp_key
+ end
+
+ assert!(ssh_pub_key, 'Sorry, could not find SSH public key.')
+
+ if ssh_pub_key
+ write_file!([:user_ssh, username], ssh_pub_key)
+ end
+ if pgp_pub_key
+ write_file!([:user_pgp, username], pgp_pub_key)
+ end
+
+ update_authorized_keys
+ end
+
+ def do_rm_user(global, options, args)
+ dir = [:user_dir, args.first]
+ if Util.dir_exists?(dir)
+ Util.remove_file!(dir)
update_authorized_keys
+ else
+ bail! :error, 'There is no directory `%s`' % Path.named_path(dir)
+ end
+ end
+
+ def do_list_users(global, options, args)
+ require 'leap_cli/ssh'
+
+ Dir.glob(path([:user_ssh, '*'])).each do |keyfile|
+ username = File.basename(File.dirname(keyfile))
+ log username, :color => :cyan do
+ log Path.relative_path(keyfile)
+ key = SSH::Key.load(keyfile)
+ log 'SSH MD5 fingerprint: ' + key.fingerprint(:digest => :md5, :type => :ssh, :encoding => :hex)
+ log 'SSH SHA256 fingerprint: ' + key.fingerprint(:digest => :sha256, :type => :ssh, :encoding => :base64)
+ log 'DER MD5 fingerprint: ' + key.fingerprint(:digest => :md5, :type => :der, :encoding => :hex)
+ end
end
end
#
- # let the the user choose among the ssh public keys that we encounter, or just pick the key if there is only one.
+ # let the the user choose among the ssh public keys that we encounter, or
+ # just pick the key if there is only one.
#
def pick_ssh_key
ssh_keys = []
Dir.glob("#{ENV['HOME']}/.ssh/*.pub").each do |keyfile|
- ssh_keys << SshKey.load(keyfile)
+ ssh_keys << SSH::Key.load(keyfile)
end
if `which ssh-add`.strip.any?
`ssh-add -L 2> /dev/null`.split("\n").compact.each do |line|
- key = SshKey.load(line)
+ key = SSH::Key.load(line)
if key
key.comment = 'ssh-agent'
ssh_keys << key unless ssh_keys.include?(key)