src/do-refresh-auth
author Paul Crowley <paul@lshift.net>
Fri, 06 Mar 2009 12:46:22 +0000
changeset 73 5d81ec164e5d
parent 67 fd16d9a1234b
child 74 9d2ae2841bf2
permissions -rwxr-xr-x
do-refresh-auth now does all the work
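#!/usr/bin/env python
# Copyright 2008-2009 LShift Ltd

# WARNING
# This script completely destroys your ~/.ssh/authorized_keys
# file every time it is run
# WARNING

import os
import os.path
import pwd
import stat
import subprocess
import sys

from mercurialserver import ruleset, paths

# Every generated line is forced through hg-ssh-wrapper with these
# restrictions.  It doubles as the ownership marker for the safety check:
# an authorized_keys line that does not carry it was not written by us.
PREFIX = 'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='


def check_invocation():
    """Refuse to run with arguments or as any user other than 'hg'.

    Returns the pwd entry of the effective user; on return it is 'hg'.
    Exits with a non-zero status otherwise.
    """
    if len(sys.argv) != 1:
        sys.stderr.write("refresh-auth: must be called with no arguments (%s)\n" % sys.argv)
        sys.exit(-1)
    pentry = pwd.getpwuid(os.geteuid())
    if pentry.pw_name != "hg":
        # FIXME: re-execute as hg instead of failing.
        # Exiting here matters: the original only printed and carried on,
        # which rewrote the *calling* user's ~/.ssh/authorized_keys.
        sys.stderr.write("Must be run as the 'hg' user\n")
        sys.exit(-1)
    return pentry


def safety_check(akeyfile):
    """Refuse to overwrite an authorized_keys file we did not generate.

    Every non-blank line of an existing *akeyfile* must start with PREFIX;
    anything else means a human or another tool put keys there, and
    silently replacing them would lock those keys out.  Raises Exception
    in that case.  A whitespace-only line carries no key, so it is
    tolerated.
    """
    if not os.path.exists(akeyfile):
        return
    with open(akeyfile) as f:
        for line in f:
            if line.strip() and not line.startswith(PREFIX):
                raise Exception("Safety check failed, delete %s to continue" % akeyfile)


def read_key_lines(ffn):
    """Return the stripped lines of public key file *ffn*.

    ``ssh-keygen -i`` is tried first so RFC4716 / PuTTY-style keys are
    converted to OpenSSH format.  If conversion fails the file is assumed
    to already be in OpenSSH format and is read directly.  Argument is a
    list, no shell; *ffn* is always an absolute path under a key root.
    """
    p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn),
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                         universal_newlines=True)  # text in both Python 2 and 3
    newkey = p.communicate()[0]
    if p.returncode == 0:
        return [l.strip() for l in newkey.split("\n")]
    # Conversion failed, read it directly.
    with open(ffn) as kf:
        return [l.strip() for l in kf]


def iter_keys(keydirs):
    """Yield ``(keyname, keyline)`` for every usable key file under *keydirs*.

    keyname is the file's path relative to its key root.  It ends up inside
    the quoted command= option, so any name rejected by ruleset.goodpath is
    skipped rather than written.
    """
    for keyroot in keydirs:
        kr = keyroot + "/"
        for root, _dirs, files in os.walk(keyroot):
            for fn in files:
                ffn = os.path.join(root, fn)
                if not ffn.startswith(kr):
                    raise Exception("Inconsistent behaviour in os.walk, bailing")
                keyname = ffn[len(kr):]
                if not ruleset.goodpath(keyname):
                    # ignore any path that contains dodgy characters
                    continue
                for line in read_key_lines(ffn):
                    if line:
                        yield keyname, line


def write_authorized_keys(akeyfile, wrappercommand, keydirs):
    """Atomically regenerate *akeyfile* from the key files in *keydirs*.

    The new contents go to ``<akeyfile>_new``, created 0600 (umask
    permitting) so sshd's StrictModes check cannot reject it, and are
    renamed into place only after every key has been processed; a failure
    part way through never leaves a truncated authorized_keys behind.
    """
    newfile = akeyfile + "_new"
    fd = os.open(newfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as akeys:
        for keyname, line in iter_keys(keydirs):
            akeys.write('%s"%s %s" %s\n' % (PREFIX, wrappercommand, keyname, line))
    os.rename(newfile, akeyfile)


def main():
    """Rebuild hg's ~/.ssh/authorized_keys from the managed key directories."""
    pentry = check_invocation()
    akeyfile = pentry.pw_dir + "/.ssh/authorized_keys"
    wrappercommand = paths.getEtcPath() + "/hg-ssh-wrapper"
    keydirs = [paths.getEtcPath() + "/keys", pentry.pw_dir + "/repos/hgadmin/keys"]
    # Check the existing file before touching anything on disk.
    safety_check(akeyfile)
    write_authorized_keys(akeyfile, wrappercommand, keydirs)


if __name__ == "__main__":
    main()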