aboutsummaryrefslogblamecommitdiff
path: root/nixops/ldap_authorized_keys.sh
blob: d869d74a063b9dcb076ef0af8e53a04eea0d5234 (plain) (tree)














































                                                                        
                                                                                                        













































                                                                                                                              
                                                                                    






















































                                                                                   
#!/usr/bin/env bash

LDAPSEARCH=ldapsearch
KEY="immaeSshKey"
LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
#LDAP_PASS="password taken from environment"
LDAP_HOST="ldap.immae.eu"
LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
LDAP_BASE="dc=immae,dc=eu"

suitable_for() {
  type_for="$1"
  key="$2"

  if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
    echo "$key"
  else
    key_type=$(cut -d " " -f 1 <<< "$key")

    if grep -q "\b-$type_for\b" <<< "$key_type"; then
      echo ""
    elif grep -q "\b$type_for\b" <<< "$key_type"; then
      echo $(sed -e "s/^[^ ]* //g" <<< "$key")
    else
      echo ""
    fi
  fi
}

clean_key_line() {
  type_for="$1"
  line="$2"

  if [[ "$line" == $KEY::* ]]; then
    # base64 keys should't happen, unless wrong copy-pasting
    key=""
  else
    key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
  fi

  suitable_for "$type_for" "$key"
}

ldap_search() {
  $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
}

ldap_keys() {
  user=$1;
  if [[ $user == gitolite ]]; then
    ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
      while read line ;
      do
        if [ ! -z "$line" ]; then
          if [[ $line == dn* ]]; then
            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
            if [ -n "$user" ]; then
              if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
                # Capitalize first letter (backward compatibility)
                user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
              fi
            else
              # Service fake user
              user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line")
            fi
          elif [[ $line == $KEY* ]]; then
            key=$(clean_key_line git "$line")
            if [ ! -z "$key" ]; then
              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
                echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
                echo $key
              fi
            fi
          fi
        fi
      done
    exit 0
  elif [[ $user == pub ]]; then
    ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
      while read line ;
      do
        if [ ! -z "$line" ]; then
          if [[ $line == dn* ]]; then
            echo ""
            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
            echo "# $user"
          elif [[ $line == $KEY* ]]; then
            key=$(clean_key_line pub "$line")
            key_forward=$(clean_key_line forward "$line")
            if [ ! -z "$key" ]; then
              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
                echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
                echo $key
              fi
            elif [ ! -z "$key_forward" ]; then
              if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
                echo "# forward only"
                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
                echo $key_forward
              fi
            fi
          fi
        fi
      done

    echo ""
    ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
      while read line ;
      do
        if [ ! -z "$line" ]; then
          if [[ $line == dn* ]]; then
            echo ""
            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
            echo "# $user"
          elif [[ $line == $KEY* ]]; then
            key=$(clean_key_line forward "$line")
            if [ ! -z "$key" ]; then
              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
                echo $key
              fi
            fi
          fi
        fi
      done
    exit 0
  else
    ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
      while read line ;
      do
        if [ ! -z "$line" ]; then
          if [[ $line == dn* ]]; then
            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
          elif [[ $line == $KEY* ]]; then
            key=$(clean_key_line ssh "$line")
            if [ ! -z "$key" ]; then
              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
                echo $key
              fi
            fi
          fi
        fi
      done
  fi
}

ldap_keys $@