gitolite/src/gl-setup-authkeys

#!/usr/bin/perl -w

# shim program

# arg-1: keydir

# - an external program populates "keydir" with *all* keys and then
#   calls us, giving "keydir" as arg-1
# - we then call gitolite.pm's "setup_authkeys" function to do its thing

# IMPLEMENTATION NOTE: make sure this is in the same directory as
# "gitolite.pm" and all the rest of "src/".

# DISCUSSION:
#
# For now, we will assume *all* the keys are in the keydir passed.  The
# setup_authkeys routine factored out from the old gl-compile-conf is
# not setup to take a partial set of keys and create the
# ~/.ssh/authorized_keys file.
#
# Also, there are issues to do with *deleted* keys that need to be taken
# care of.
#
# All in all, unless it is shown to be quite inefficient, I'd much
# prefer processing *all* keys each time there is a change.

# setup
my $bindir = $0;
$bindir =~ s/\/[^\/]+$//;
$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;
require "$bindir/gitolite.pm";

# prevent newbie from running it accidentally and clobbering his authkeys
# file!
if (@ARGV and $ARGV[0] eq '-batch') {
    shift;
} else {
    print STDERR "
    This is a cronnable, batchable, program to rewrite ~/.ssh/authorized_keys
    using public keys in a given directory.

    If you are ABSOLUTELY sure you know what you're doing, here's how:

        $0 -batch keydir

    where 'keydir' contains a bunch of '*.pub' files\n\n";
    exit 1;
}

# quick sanity check and run
my $keydir = shift or die "I need a directory name\n";
-d $keydir or die "$keydir should be a directory\n";

&setup_authkeys($bindir, $keydir);
separate out the code that sets up ~/.ssh/authorized_keys NOTE: there are no functional changes in this for normal gitolite users. It's just a chunk of code moving into a new subroutine etc. KDE needs to populate the authkeys file from an LDAP store. Other large projects may have similar means to store keys, depending on how they do their user provisioning so a generic solution is worth exploring. This means that in these special cases - the gitolite-admin repo's keydir/ directory is not needed [1] - but they still need to create the authkeys file somehow Implementation: - write a shim program to make the authkeys-generation code callable from the command line/shell. - set $GL_NO_SETUP_AUTHKEYS=1 in the rc file to disable authkey generation during a "compile" (admin repo push) Expected usage of new program gl-setup-authkeys: - LDAP change triggers some script - this script collects all keys from LDAP, puts them in some directory, and then calls gl-setup-authkeys, passing it the name of the directory ALSO PLEASE SEE COMMENTS AT THE TOP OF THE NEW PROGRAM IN THIS COMMIT FOR SOME IMPORTANT DISCUSSION. ---- Footnotes: [1] It doesn't make sense to use it if the keys will be maintained by some other entity and can be called up as needed, and it adds an unnecessary extra step. 2010-07-25 17:25:32 +02:00			`#!/usr/bin/perl -w`

			`# shim program`

			`# arg-1: keydir`

			`# - an external program populates "keydir" with all keys and then`
			`# calls us, giving "keydir" as arg-1`
			`# - we then call gitolite.pm's "setup_authkeys" function to do its thing`

			`# IMPLEMENTATION NOTE: make sure this is in the same directory as`
			`# "gitolite.pm" and all the rest of "src/".`

			`# DISCUSSION:`
			`#`
			`# For now, we will assume all the keys are in the keydir passed. The`
			`# setup_authkeys routine factored out from the old gl-compile-conf is`
			`# not setup to take a partial set of keys and create the`
			`# ~/.ssh/authorized_keys file.`
			`#`
			`# Also, there are issues to do with deleted keys that need to be taken`
			`# care of.`
			`#`
			`# All in all, unless it is shown to be quite inefficient, I'd much`
			`# prefer processing all keys each time there is a change.`

			`# setup`
			`my $bindir = $0;`
			`$bindir =~ s/\/[^\/]+$//;`
			`$bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//;`
			`require "$bindir/gitolite.pm";`

			`# prevent newbie from running it accidentally and clobbering his authkeys`
			`# file!`
			`if (@ARGV and $ARGV[0] eq '-batch') {`
			`shift;`
			`} else {`
			`print STDERR "`
			`This is a cronnable, batchable, program to rewrite ~/.ssh/authorized_keys`
			`using public keys in a given directory.`

			`If you are ABSOLUTELY sure you know what you're doing, here's how:`

			`$0 -batch keydir`

			`where 'keydir' contains a bunch of '*.pub' files\n\n";`
			`exit 1;`
			`}`

			`# quick sanity check and run`
			`my $keydir = shift or die "I need a directory name\n";`
			`-d $keydir or die "$keydir should be a directory\n";`

			`&setup_authkeys($bindir, $keydir);`