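#!/bin/bash
# === add-auth-keys ===
# refreshes ~/.ssh/authorized_keys from the list of pub-keys
# part of the gitosis-lite (GL) suite
#
# how run:  manual, by GL admin
# when:     anytime a pubkey is added/deleted
#           (i.e., contents of ~/.gitosis-lite/pubkeys change)
# input:    ~/.gitosis-lite/pubkeys
# output:   ~/.ssh/authorized_keys
#
# security:
#   - touches a very critical system file that manages the restrictions on
#     incoming users. Be sure to audit AUTH_COMMAND and AUTH_OPTIONS (see
#     below) on any change to this script
#   - no security checks within program beyond the two sanity checks noted
#     here. The GL admin runs this manually
#   - every non-empty line of every *.pub file gets the command/options
#     prefix, so a multi-line pubkey file cannot add an unrestricted key on
#     its second line
#   - the key name (filename minus ".pub") is placed inside the
#     double-quoted command="..." option; a name containing a double quote,
#     a backslash or whitespace would break that quoting and is skipped
#     with a warning
#
# robustness:
#   - if the "start" line exists, but the "end" line does not, you lose the
#     rest of the existing authkey file. In general, "don't do that (TM)",
#     but we do have a "vim -d" popping up so you can see the changes being
#     made, just in case... quit vim with ":cq" to abort without touching
#     authorized_keys
#   - a pubkey file without a trailing newline no longer runs the next key
#     onto the same line
#   - an empty pubkeys directory yields just the start/end markers (no
#     literal "*.pub" entry)
#
# other notes:
#   - you do NOT need to run this for permission changes within
#     gitosis-lite.conf, (like giving an *existing* user new rights)
#   - keys are added/deleted from the keystore **manually**, and all keys
#     are named "name.pub"

set -u
shopt -s nullglob   # an unmatched *.pub expands to nothing, not to "*.pub"

# command and options for authorized_keys
AUTH_COMMAND=~/.gitosis-lite/myecho
AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
readonly AUTH_COMMAND AUTH_OPTIONS

AUTHKEYS=~/.ssh/authorized_keys
NEW_AUTHKEYS=~/.ssh/new_authkeys
GL_DIR=~/.gitosis-lite
readonly AUTHKEYS NEW_AUTHKEYS GL_DIR

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Print one authorized_keys line per non-empty line of a pubkey file, each
# prefixed with command="AUTH_COMMAND name",AUTH_OPTIONS.
# Globals:   AUTH_COMMAND, AUTH_OPTIONS (read)
# Arguments: $1 - path to the .pub file
# Outputs:   authorized_keys lines on stdout
# Returns:   0 always (a bad key name is skipped with a warning)
#######################################
emit_key_lines() {
  local keyfile=$1
  local name=${keyfile##*/}
  name=${name%.pub}
  local badchars='[[:space:]"\]'   # ERE: anything that breaks command="..."

  if [[ -z "$name" || "$name" =~ $badchars ]]; then
    warn "skipping $keyfile: key name would break authorized_keys quoting"
    return 0
  fi

  # '|| [[ -n "$line" ]]' keeps the last line of a file that lacks a trailing
  # newline; printf supplies the newline, so keys never run together.
  local line
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    printf 'command="%s %s",%s %s\n' \
      "$AUTH_COMMAND" "$name" "$AUTH_OPTIONS" "$line"
  done < "$keyfile"
}

#######################################
# Build NEW_AUTHKEYS: the existing file minus the GL block, followed by the
# GL block regenerated from every *.pub under GL_DIR/pubkeys.
# Globals:   AUTHKEYS, NEW_AUTHKEYS, GL_DIR (read)
# Returns:   0 on success; exits via die on a missing pubkey dir or sed error
#######################################
build_new_authkeys() {
  local pubdir=$GL_DIR/pubkeys
  [[ -d "$pubdir" ]] || die "pubkey directory $pubdir not found"

  # save existing authkeys minus the GL-added stuff (start from empty when
  # there is no authorized_keys yet)
  if [[ -f "$AUTHKEYS" ]]; then
    sed -e '/^# gitosis-lite start/,/^# gitosis-lite end/d' \
      < "$AUTHKEYS" > "$NEW_AUTHKEYS" || die "sed failed on $AUTHKEYS"
  else
    : > "$NEW_AUTHKEYS"
  fi

  # add our "start" line, each key on its own line (prefixed by command and
  # options, in the standard ssh authorized_keys format), then the "end" line.
  {
    echo "# gitosis-lite start"
    local keyfile
    for keyfile in "$pubdir"/*.pub; do
      emit_key_lines "$keyfile"
    done
    echo "# gitosis-lite end"
  } >> "$NEW_AUTHKEYS"
}

#######################################
# Show the pending change and install NEW_AUTHKEYS over AUTHKEYS unless the
# admin aborts from vim.
# Globals:   AUTHKEYS, NEW_AUTHKEYS (read)
# Returns:   0 on success; exits via die on abort or write failure
#######################################
install_new_authkeys() {
  # just so you can see what changes are being made; ":cq" makes vim exit
  # non-zero, which we treat as "abort, leave authorized_keys alone"
  if ! vim -d "$AUTHKEYS" "$NEW_AUTHKEYS"; then
    rm -f -- "$NEW_AUTHKEYS"
    die "aborted; $AUTHKEYS left untouched"
  fi

  # all done; overwrite the file (use cat to avoid perm changes)
  cat "$NEW_AUTHKEYS" > "$AUTHKEYS" || die "could not write $AUTHKEYS"
  rm -f -- "$NEW_AUTHKEYS"
}

#######################################
# If the gl admin directory (GL_DIR) is itself a git repo, do an autocheckin
# of pubkeys. nothing fancy; this is a "just in case" type of thing.
# Globals:   GL_DIR (read)
# Returns:   0 when there is no repo or nothing changed, else git's status
#######################################
autocommit_pubkeys() {
  [[ -d "$GL_DIR/.git" ]] || return 0
  cd "$GL_DIR" || die "cannot cd to $GL_DIR"

  git add -A pubkeys                     # stage all changes in pubkeys
  if ! git diff --cached --quiet; then   # and if there are any
    {                                    # create a commit message
      echo "pubkeys changed"
      echo
      git diff --cached --name-status
    } | git commit -F -                  # and commit
  fi
}

main() {
  build_new_authkeys
  install_new_authkeys
  autocommit_pubkeys
}

main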