#!/usr/bin/env bash LDAPSEARCH=ldapsearch KEY="immaeSshKey" LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" #LDAP_PASS="password taken from environment" LDAP_HOST="ldap.immae.eu" LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" LDAP_BASE="dc=immae,dc=eu" suitable_for() { type_for="$1" key="$2" if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then echo "$key" else key_type=$(cut -d " " -f 1 <<< "$key") if grep -q "\b-$type_for\b" <<< "$key_type"; then echo "" elif grep -q "\b$type_for\b" <<< "$key_type"; then echo $(sed -e "s/^[^ ]* //g" <<< "$key") else echo "" fi fi } clean_key_line() { type_for="$1" line="$2" if [[ "$line" == $KEY::* ]]; then # base64 keys should't happen, unless wrong copy-pasting key="" else key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") fi suitable_for "$type_for" "$key" } ldap_search() { $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" } ldap_keys() { user=$1; if [[ $user == gitolite ]]; then ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ while read line ; do if [ ! -z "$line" ]; then if [[ $line == dn* ]]; then user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") if [ -n "$user" ]; then if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then # Capitalize first letter (backward compatibility) user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") fi else # Service fake user user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") fi elif [[ $line == $KEY* ]]; then key=$(clean_key_line git "$line") if [ ! -z "$key" ]; then if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' echo $key fi fi fi fi done exit 0 elif [[ $user == pub ]]; then ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ while read line ; do if [ ! -z "$line" ]; then if [[ $line == dn* ]]; then echo "" user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") echo "# $user" elif [[ $line == $KEY* ]]; then key=$(clean_key_line pub "$line") key_forward=$(clean_key_line forward "$line") if [ ! -z "$key" ]; then if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then echo -n 'command="$HOME/bin/restrict '$user'" ' echo $key fi elif [ ! -z "$key_forward" ]; then if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then echo "# forward only" echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' echo $key_forward fi fi fi fi done echo "" ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ while read line ; do if [ ! -z "$line" ]; then if [[ $line == dn* ]]; then echo "" user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") echo "# $user" elif [[ $line == $KEY* ]]; then key=$(clean_key_line forward "$line") if [ ! -z "$key" ]; then if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' echo $key fi fi fi fi done exit 0 else ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ while read line ; do if [ ! -z "$line" ]; then if [[ $line == dn* ]]; then user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") elif [[ $line == $KEY* ]]; then key=$(clean_key_line ssh "$line") if [ ! -z "$key" ]; then if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then echo $key fi fi fi fi done fi } ldap_keys $@