# HG changeset patch
# User Paul Crowley
# Date 1209747822 -3600
# Node ID 98dbde5b13a16c1bc283e4dafe240f09c76ecea8
# Parent 87279134a2128f2cb5aca6c2a31f490c5aa52e4a
refresh-auth now takes ~/.ssh/authorized_keys as an argument, and it checks that it wrote it last time before rewriting it.
diff -r 87279134a212 -r 98dbde5b13a1 README
--- a/README Fri May 02 17:33:39 2008 +0100
+++ b/README Fri May 02 18:03:42 2008 +0100
@@ -172,8 +172,10 @@
 might have access but shouldn't from using the repository while you fix things). Then go into ~hg/repos/hgadmin, do an "hg update", edit things to your satisfaction, and commit the change. Finally, run
-~/admin/hg-admin-tools/refresh-auth to regenerate
-~hg/.ssh/authorized_keys.
+
+~hg/admin/hg-admin-tools/refresh-auth ~hg/.ssh/authorized_keys ./hg-ssh-wrapper
+
+to regenerate ~hg/.ssh/authorized_keys.
 THANKS
diff -r 87279134a212 -r 98dbde5b13a1 hgadmin-hgrc
--- a/hgadmin-hgrc Fri May 02 17:33:39 2008 +0100
+++ b/hgadmin-hgrc Fri May 02 18:03:42 2008 +0100
@@ -3,5 +3,5 @@
 [hooks]
 changegroup.aaaaa_update = hg update -C default > /dev/null
-changegroup.refreshauth = ../../admin/hg-admin-tools/refresh-auth ./hg-ssh-wrapper
+changegroup.refreshauth = ../../admin/hg-admin-tools/refresh-auth ~/.ssh/authorized_keys ./hg-ssh-wrapper
diff -r 87279134a212 -r 98dbde5b13a1 hginit
--- a/hginit Fri May 02 17:33:39 2008 +0100
+++ b/hginit Fri May 02 18:03:42 2008 +0100
@@ -15,4 +15,4 @@
 hg add
 hg commit -m "initial commit"
 cp ../../admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc
-../../admin/hg-admin-tools/refresh-auth ./hg-ssh-wrapper
+../../admin/hg-admin-tools/refresh-auth ~/.ssh/authorized_keys ./hg-ssh-wrapper
diff -r 87279134a212 -r 98dbde5b13a1 refresh-auth
--- a/refresh-auth Fri May 02 17:33:39 2008 +0100
+++ b/refresh-auth Fri May 02 18:03:42 2008 +0100
@@ -11,12 +11,22 @@
 import ruleset
 import subprocess
-if len(sys.argv) != 2:
+if len(sys.argv) != 3:
 sys.stderr.write("refresh-auth: wrong number of arguments (%s)\n" % sys.argv)
 sys.exit(-1)
-wrappercommand = sys.argv[1]
-akeyfile = os.path.expanduser("~/.ssh/authorized_keys")
+akeyfile = sys.argv[1]
+wrappercommand = sys.argv[2]
+prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
+
+if os.path.exists(akeyfile):
+ f = open(akeyfile)
+ try:
+ for l in f:
+ if not l.startswith(prefix):
+ raise Exception("Safety check failed, delete %s to continue" % akeyfile)
+ finally:
+ f.close()
 akeys = open(akeyfile + "_new", "w")
 for root, dirs, files in os.walk("keys"):
@@ -26,8 +36,6 @@
 # ignore any path that contains dodgy characters
 continue
 keyname = ffn[5:]
- prefix=('command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
- % ('%s %s' % (wrappercommand, keyname)))
 p = subprocess.Popen(("ssh-keygen", "-i", "-f", ffn), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 newkey = p.communicate()[0]
@@ -42,7 +50,7 @@
 kf.close()
 for l in klines:
 if len(l):
- akeys.write("%s %s\n" % (prefix, l))
+ akeys.write('%s"%s %s" %s\n' % (prefix, wrappercommand, keyname, l))
 akeys.close()
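Review bot: `akeyfile = sys.argv[1]` drops the `os.path.expanduser` call the old code applied, so the script now relies on the caller's shell to expand `~/.ssh/authorized_keys`; if the argument arrives unexpanded (quoted, or from an exec-style invocation), `os.path.exists` returns False, the safety check is skipped, and the `_new` file is opened at a path beginning with a literal `~`. Keeping `akeyfile = os.path.expanduser(sys.argv[1])` costs nothing and covers the hgadmin-hgrc and hginit callers changed in this commit. The failed safety check raises a bare `Exception`, which prints a traceback in hook output; writing the message to stderr and calling `sys.exit(-1)`, as the argument-count check just above does, would be consistent. A comment on `prefix` should say that it doubles as the marker for files refresh-auth wrote, so changing the option list makes the check reject a file written by the previous version.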
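Review bot: The new `akeys.write` places `wrappercommand` and `keyname` inside the double-quoted `command="..."` option without escaping, so a `"` or a newline in either value would end the option early and change how sshd parses the rest of the authorized_keys line. `keyname` appears to be covered by the "dodgy characters" filter visible in the previous hunk's context, but `wrappercommand` comes straight from `sys.argv[2]`; it is admin-supplied in the callers shown, so this is a robustness guard rather than a demonstrated flaw. A check beside the argument parsing, `if '"' in wrappercommand or '\n' in wrappercommand: sys.exit(-1)` with a message on stderr, would keep the generated options field well-formed. The loops enclosing this write start outside the hunk.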