5 # This script completely destroys your ~/.ssh/authorized_keys |
5 # This script completely destroys your ~/.ssh/authorized_keys |
6 # file every time it is run |
6 # file every time it is run |
7 # WARNING |
7 # WARNING |
8 |
8 |
9 import sys |
9 import sys |
10 import os |
10 from mercurialserver import refreshauth |
11 import os.path |
|
12 import pwd |
|
13 import subprocess |
|
14 from mercurialserver import ruleset, paths |
|
15 |
11 |
16 if len(sys.argv) != 1: |
12 if len(sys.argv) != 1: |
17 sys.stderr.write("refresh-auth: must be called with no arguments (%s)\n" % sys.argv) |
13 sys.stderr.write("refresh-auth: must be called with no arguments (%s)\n" % sys.argv) |
18 sys.exit(-1) |
14 sys.exit(-1) |
19 |
15 |
20 pentry = pwd.getpwuid(os.geteuid()) |
16 refreshauth.refreshAuth() |
21 if pentry.pw_name != "hg": |
|
22 # FIXME: re-execute |
|
23 print >>sys.stderr, "Must be run as the 'hg' user" |
|
24 |
|
25 akeyfile = pentry.pw_dir + "/.ssh/authorized_keys" |
|
26 wrappercommand = paths.getEtcPath() + "/hg-ssh-wrapper" |
|
27 keydirs = [paths.getEtcPath() + "/keys", pentry.pw_dir + "/repos/hgadmin/keys"] |
|
28 prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command=' |
|
29 |
|
30 if os.path.exists(akeyfile): |
|
31 f = open(akeyfile) |
|
32 try: |
|
33 for l in f: |
|
34 if not l.startswith(prefix): |
|
35 raise Exception("Safety check failed, delete %s to continue" % akeyfile) |
|
36 finally: |
|
37 f.close() |
|
38 |
|
39 akeys = open(akeyfile + "_new", "w") |
|
40 for keyroot in keydirs: |
|
41 kr = keyroot + "/" |
|
42 #print "Processing keyroot", keyroot |
|
43 for root, dirs, files in os.walk(keyroot): |
|
44 for fn in files: |
|
45 ffn = os.path.join(root, fn) |
|
46 if not ffn.startswith(kr): |
|
47 raise Exception("Inconsistent behaviour in os.walk, bailing") |
|
48 #print "Processing file", ffn |
|
49 keyname = ffn[len(kr):] |
|
50 if not ruleset.goodpath(keyname): |
|
51 # ignore any path that contains dodgy characters |
|
52 #print "Ignoring file", ffn |
|
53 continue |
|
54 p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn), |
|
55 stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|
56 newkey = p.communicate()[0] |
|
57 if p.wait() == 0: |
|
58 klines = [l.strip() for l in newkey.split("\n")] |
|
59 else: |
|
60 # Conversion failed, read it directly. |
|
61 kf = open(ffn) |
|
62 try: |
|
63 klines = [l.strip() for l in kf] |
|
64 finally: |
|
65 kf.close() |
|
66 for l in klines: |
|
67 if len(l): |
|
68 akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l)) |
|
69 |
|
70 akeys.close() |
|
71 |
|
72 os.rename(akeyfile + "_new", akeyfile) |
|