src/do-refresh-auth
author Paul Crowley <paul@lshift.net>
Fri, 20 Feb 2009 11:19:29 +0000
changeset 45 59dee3c04279
parent 42 0e77495e91e2
child 50 77d97aa18f29
permissions -rwxr-xr-x
Remove root user now we have new way
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
16
9fac559c3d55 don't assume Python path for refresh-auth
Paul Crowley <paul@ciphergoth.org>
parents: 15
diff changeset
     1
#!/usr/bin/env python
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
3
7e659a6870de make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents: 1
diff changeset
     3
# WARNING
4
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 3
diff changeset
     4
# This script completely destroys your ~/.ssh/authorized_keys
3
7e659a6870de make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents: 1
diff changeset
     5
# file every time it is run
7e659a6870de make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents: 1
diff changeset
     6
# WARNING
7e659a6870de make more robus and less crufty
Paul Crowley <paul@lshift.net>
parents: 1
diff changeset
     7
4
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 3
diff changeset
     8
import sys
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
import os
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
import os.path
29
87279134a212 Convert PuTTY-style public keys automatically
Paul Crowley <paul@lshift.net>
parents: 16
diff changeset
    11
import ruleset
87279134a212 Convert PuTTY-style public keys automatically
Paul Crowley <paul@lshift.net>
parents: 16
diff changeset
    12
import subprocess
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    13
39
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    14
if len(sys.argv) <= 3:
11
f3c73c9fc0ff add newline to error message
Paul Crowley <paul@lshift.net>
parents: 6
diff changeset
    15
    sys.stderr.write("refresh-auth: wrong number of arguments (%s)\n" % sys.argv)
4
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 3
diff changeset
    16
    sys.exit(-1)
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 3
diff changeset
    17
30
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    18
akeyfile = sys.argv[1]
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    19
wrappercommand = sys.argv[2]
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    20
prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    21
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    22
if os.path.exists(akeyfile):
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    23
    f = open(akeyfile)
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    24
    try:
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    25
        for l in f:
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    26
            if not l.startswith(prefix):
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    27
                raise Exception("Safety check failed, delete %s to continue" % akeyfile)
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    28
    finally:
98dbde5b13a1 refresh-auth now takes ~/.ssh/authorized_keys as an argument, and
Paul Crowley <paul@lshift.net>
parents: 29
diff changeset
    29
        f.close()
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    30
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    31
akeys = open(akeyfile + "_new", "w")
39
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    32
for keyroot in sys.argv[3:]:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    33
    kr = keyroot + "/"
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    34
    #print "Processing keyroot", keyroot
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    35
    for root, dirs, files in os.walk(keyroot):
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    36
        for fn in files:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    37
            ffn = os.path.join(root, fn)
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    38
            if not ffn.startswith(kr):
42
0e77495e91e2 Don't just complain, fail
Paul Crowley <paul@lshift.net>
parents: 39
diff changeset
    39
                raise Exception("Inconsistent behaviour in os.walk, bailing")
39
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    40
            #print "Processing file", ffn
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    41
            keyname = ffn[len(kr):]
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    42
            if not ruleset.goodpath(keyname):
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    43
                # ignore any path that contains dodgy characters
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    44
                #print "Ignoring file", ffn
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    45
                continue
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    46
            p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn), 
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    47
                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    48
            newkey = p.communicate()[0]
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    49
            if p.wait() == 0:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    50
                klines = [l.strip() for l in newkey.split("\n")]
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    51
            else:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    52
                # Conversion failed, read it directly.
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    53
                kf = open(ffn)
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    54
                try:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    55
                    klines = [l.strip() for l in kf]
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    56
                finally:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    57
                    kf.close()
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    58
            for l in klines:
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    59
                if len(l):
f5055ce263c7 New system. No breaking in, just putting files in /etc/mercurial-server
Paul Crowley <paul@lshift.net>
parents: 33
diff changeset
    60
                    akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
29
87279134a212 Convert PuTTY-style public keys automatically
Paul Crowley <paul@lshift.net>
parents: 16
diff changeset
    61
15
f3654416d178 minor changes to README and script
Hubert Plociniczak <hubert@lshift.net>
parents: 11
diff changeset
    62
akeys.close()
0
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    63
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    64
os.rename(akeyfile + "_new", akeyfile)
41ecb5a3172c separate out executables and data
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    65