]>
Commit | Line | Data |
---|---|---|
1 | #!/usr/bin/env bash | |
2 | ||
3 | LDAPSEARCH=ldapsearch | |
4 | KEY="immaeSshKey" | |
5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" | |
6 | #LDAP_PASS="password taken from environment" | |
7 | LDAP_HOST="ldap.immae.eu" | |
8 | LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" | |
9 | LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" | |
10 | LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" | |
11 | LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" | |
12 | LDAP_BASE="dc=immae,dc=eu" | |
13 | ||
14 | suitable_for() { | |
15 | type_for="$1" | |
16 | key="$2" | |
17 | ||
18 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | |
19 | echo "$key" | |
20 | else | |
21 | key_type=$(cut -d " " -f 1 <<< "$key") | |
22 | ||
23 | if grep -q "\b-$type_for\b" <<< "$key_type"; then | |
24 | echo "" | |
25 | elif grep -q "\b$type_for\b" <<< "$key_type"; then | |
26 | echo $(sed -e "s/^[^ ]* //g" <<< "$key") | |
27 | else | |
28 | echo "" | |
29 | fi | |
30 | fi | |
31 | } | |
32 | ||
33 | clean_key_line() { | |
34 | type_for="$1" | |
35 | line="$2" | |
36 | ||
37 | if [[ "$line" == $KEY::* ]]; then | |
38 | # base64 keys should't happen, unless wrong copy-pasting | |
39 | key="" | |
40 | else | |
41 | key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") | |
42 | fi | |
43 | ||
44 | suitable_for "$type_for" "$key" | |
45 | } | |
46 | ||
47 | ldap_search() { | |
48 | $LDAPSEARCH -h $LDAP_HOST -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" | |
49 | } | |
50 | ||
51 | ldap_keys() { | |
52 | user=$1; | |
53 | if [[ $user == gitolite ]]; then | |
54 | ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ | |
55 | while read line ; | |
56 | do | |
57 | if [ ! -z "$line" ]; then | |
58 | if [[ $line == dn* ]]; then | |
59 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | |
60 | if [ -n "$user" ]; then | |
61 | if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then | |
62 | # Capitalize first letter (backward compatibility) | |
63 | user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") | |
64 | fi | |
65 | else | |
66 | # Service fake user | |
67 | user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") | |
68 | fi | |
69 | elif [[ $line == $KEY* ]]; then | |
70 | key=$(clean_key_line git "$line") | |
71 | if [ ! -z "$key" ]; then | |
72 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | |
73 | echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' | |
74 | echo $key | |
75 | fi | |
76 | fi | |
77 | fi | |
78 | fi | |
79 | done | |
80 | exit 0 | |
81 | elif [[ $user == pub ]]; then | |
82 | ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ | |
83 | while read line ; | |
84 | do | |
85 | if [ ! -z "$line" ]; then | |
86 | if [[ $line == dn* ]]; then | |
87 | echo "" | |
88 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | |
89 | echo "# $user" | |
90 | elif [[ $line == $KEY* ]]; then | |
91 | key=$(clean_key_line pub "$line") | |
92 | key_forward=$(clean_key_line forward "$line") | |
93 | if [ ! -z "$key" ]; then | |
94 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | |
95 | echo -n 'command="$HOME/bin/restrict '$user'" ' | |
96 | echo $key | |
97 | fi | |
98 | elif [ ! -z "$key_forward" ]; then | |
99 | if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then | |
100 | echo "# forward only" | |
101 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | |
102 | echo $key_forward | |
103 | fi | |
104 | fi | |
105 | fi | |
106 | fi | |
107 | done | |
108 | ||
109 | echo "" | |
110 | ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ | |
111 | while read line ; | |
112 | do | |
113 | if [ ! -z "$line" ]; then | |
114 | if [[ $line == dn* ]]; then | |
115 | echo "" | |
116 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | |
117 | echo "# $user" | |
118 | elif [[ $line == $KEY* ]]; then | |
119 | key=$(clean_key_line forward "$line") | |
120 | if [ ! -z "$key" ]; then | |
121 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | |
122 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | |
123 | echo $key | |
124 | fi | |
125 | fi | |
126 | fi | |
127 | fi | |
128 | done | |
129 | exit 0 | |
130 | else | |
131 | ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ | |
132 | while read line ; | |
133 | do | |
134 | if [ ! -z "$line" ]; then | |
135 | if [[ $line == dn* ]]; then | |
136 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | |
137 | elif [[ $line == $KEY* ]]; then | |
138 | key=$(clean_key_line ssh "$line") | |
139 | if [ ! -z "$key" ]; then | |
140 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | |
141 | echo $key | |
142 | fi | |
143 | fi | |
144 | fi | |
145 | fi | |
146 | done | |
147 | fi | |
148 | } | |
149 | ||
150 | ldap_keys $@ |