summaryrefslogtreecommitdiff
path: root/lib/leap_cli/commands/user.rb
blob: a10d5163e09d833bb0111facd38e4fc4243a0ceb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

#
# perhaps we want to verify that the key files are actually the key files we expect.
# we could use 'file' for this:
#
# > file ~/.gnupg/00440025.asc
# ~/.gnupg/00440025.asc: PGP public key block
#
# > file ~/.ssh/id_rsa.pub
# ~/.ssh/id_rsa.pub: OpenSSH RSA public key
#

module LeapCli
  module Commands

    desc 'Manage trusted sysadmins (DEPRECATED)'
    long_desc "Use `leap user add` instead"
    command :'add-user' do |c|
      c.switch 'self', :desc => 'Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.', :negatable => false
      c.flag 'ssh-pub-key', :desc => 'SSH public key file for this new user'
      c.flag 'pgp-pub-key', :desc => 'OpenPGP public key file for this new user'
      c.action do |global_options,options,args|
        do_add_user(global_options, options, args)
      end
    end

    desc 'Manage trusted sysadmins'
    long_desc "Manage the trusted sysadmins that are configured in the 'users' directory."
    command :user do |user|

      user.desc 'Adds a new trusted sysadmin'
      user.arg_name 'USERNAME'
      user.command :add do |c|
        c.switch 'self', :desc => 'Add yourself as a trusted sysadmin by choosing among the public keys available for the current user.', :negatable => false
        c.flag 'ssh-pub-key', :desc => 'SSH public key file for this new user'
        c.flag 'pgp-pub-key', :desc => 'OpenPGP public key file for this new user'
        c.action do |global_options,options,args|
          do_add_user(global_options, options, args)
        end
      end

      user.desc 'Removes a trusted sysadmin'
      user.arg_name 'USERNAME'
      user.command :rm do |c|
        c.action do |global_options,options,args|
          do_rm_user(global_options, options, args)
        end
      end

      user.desc 'Lists the configured sysadmins'
      user.command :ls do |c|
        c.action do |global_options,options,args|
          do_list_users(global_options, options, args)
        end
      end

    end

    private

    def do_add_user(global, options, args)
      require 'leap_cli/ssh'

      username = args.first
      if !username.any?
        if options[:self]
          username ||= `whoami`.strip
        else
          help! "Either USERNAME argument or --self flag is required."
        end
      end
      if Leap::Platform.reserved_usernames.include? username
        bail! %(The username "#{username}" is reserved. Sorry, pick another.)
      end

      ssh_pub_key = nil
      pgp_pub_key = nil

      if options['ssh-pub-key']
        ssh_pub_key = read_file!(options['ssh-pub-key'])
      end
      if options['pgp-pub-key']
        pgp_pub_key = read_file!(options['pgp-pub-key'])
      end

      if options[:self]
        ssh_pub_key ||= pick_ssh_key.to_s
        pgp_pub_key ||= pick_pgp_key
      end

      assert!(ssh_pub_key, 'Sorry, could not find SSH public key.')

      if ssh_pub_key
        write_file!([:user_ssh, username], ssh_pub_key)
      end
      if pgp_pub_key
        write_file!([:user_pgp, username], pgp_pub_key)
      end

      update_authorized_keys
    end

    def do_rm_user(global, options, args)
      dir = [:user_dir, args.first]
      if Util.dir_exists?(dir)
        Util.remove_file!(dir)
        update_authorized_keys
      else
        bail! :error, 'There is no directory `%s`' % Path.named_path(dir)
      end
    end

    def do_list_users(global, options, args)
      require 'leap_cli/ssh'

      ssh_keys = {}
      Dir.glob("#{ENV['HOME']}/.ssh/*.pub").each do |keyfile|
        key = SSH::Key.load(keyfile)
        ssh_keys[key.fingerprint] = key if key
      end

      ssh_agent_keys = {}
      if !`which ssh-add`.empty?
        `ssh-add -L`.split("\n").each do |keystring|
          key = SSH::Key.load(keystring)
          ssh_agent_keys[key.fingerprint] = key if key
        end
      end

      Dir.glob(path([:user_ssh, '*'])).each do |keyfile|
        username = File.basename(File.dirname(keyfile))
        log username, :color => :cyan do
          log Path.relative_path(keyfile)
          key = SSH::Key.load(keyfile)
          log 'SSH MD5 fingerprint: ' + key.fingerprint(:digest => :md5, :type => :ssh, :encoding => :hex)
          log 'SSH SHA256 fingerprint: ' + key.fingerprint(:digest => :sha256, :type => :ssh, :encoding => :base64)
          log 'DER MD5 fingerprint: ' + key.fingerprint(:digest => :md5, :type => :der, :encoding => :hex)
          if ssh_keys[key.fingerprint]
            log 'Matches local key: ' + ssh_keys[key.fingerprint].filename, color: :green
            if ssh_agent_keys[key.fingerprint]
              log 'Matches ssh-agent key: ' + ssh_agent_keys[key.fingerprint].summary(encoding: :base64), color: :green
            else
              log :error, 'No matching key in the ssh-agent'
            end
          end
        end
      end
    end

    #
    # let the the user choose among the ssh public keys that we encounter, or
    # just pick the key if there is only one.
    #
    def pick_ssh_key
      ssh_keys = []
      Dir.glob("#{ENV['HOME']}/.ssh/*.pub").each do |keyfile|
        ssh_keys << SSH::Key.load(keyfile)
      end

      if `which ssh-add`.strip.any?
        `ssh-add -L 2> /dev/null`.split("\n").compact.each do |line|
          key = SSH::Key.load(line)
          if key
            key.comment = 'ssh-agent'
            ssh_keys << key unless ssh_keys.include?(key)
          end
        end
      end
      ssh_keys.compact!

      assert! ssh_keys.any?, 'Sorry, could not find any SSH public key for you. Have you run ssh-keygen?'

      if ssh_keys.length > 1
        key_index = numbered_choice_menu('Choose your SSH public key', ssh_keys.collect(&:summary)) do |line, i|
          say("#{i+1}. #{line}")
        end
      else
        key_index = 0
        log "Picking the only compatible ssh key: "+ ssh_keys[key_index].filename do
          log ssh_keys[key_index].summary
        end
      end

      return ssh_keys[key_index]
    end

    #
    # let the the user choose among the gpg public keys that we encounter, or just pick the key if there is only one.
    #
    def pick_pgp_key
      begin
        require 'gpgme'
      rescue LoadError
        log "Skipping OpenPGP setup because gpgme is not installed."
        return
      end

      secret_keys = GPGME::Key.find(:secret)
      if secret_keys.empty?
        log "Skipping OpenPGP setup because I could not find any OpenPGP keys for you"
        return nil
      end

      secret_keys.select!{|key| !key.expired}

      if secret_keys.length > 1
        key_index = numbered_choice_menu('Choose your OpenPGP public key', secret_keys) do |key, i|
          key_info = key.to_s.split("\n")[0..1].map{|line| line.sub(/^\s*(sec|uid)\s*/,'')}.join(' -- ')
          say("#{i+1}. #{key_info}")
        end
      else
        key_index = 0
      end

      key_id = secret_keys[key_index].sha

      # can't use this, it includes signatures:
      #puts GPGME::Key.export(key_id, :armor => true, :export_options => :export_minimal)

      # export with signatures removed:
      return `gpg --armor --export-options export-minimal --export #{key_id}`.strip
    end

  end
end