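#!/bin/sh
#
# uccpass, a wrapper around the pass(1) password manager for UCC
#
# David Adam , 2015
# (and your name here?)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# Usage: uccpass setup | reload | help | <any pass(1) subcommand> [args...]
#
# Environment:
#   UCCPASS_DEBUG  if non-empty, trace every command (set -x) - note that the
#                  trace goes to the terminal and will include key ids and paths
#   USER, SHELL    used to derive the git author identity and the rc files
#                  that the agent snippet is installed into
#
# This script is written for POSIX sh (no arrays, no [[ ]]).

#######################################
# Check prerequisites and export the environment for the shared store.
# Globals:   UCCPASS_ROOT, UCCPASS_KEYRING (set)
#            PASSWORD_STORE_DIR, PASSWORD_STORE_UMASK, GIT_AUTHOR_EMAIL,
#            GIT_AUTHOR_NAME, GPG_TTY (exported)
# Returns:   exits 1 if pass(1) or gpg2(1) cannot be found on PATH
#######################################
init () {
    # A missing tool used to be reported and then ignored, so every later
    # command failed with a less helpful error; abort here instead.
    if ! command -v pass >/dev/null 2>&1; then
        echo "uccpass: can't find the pass(1) command, is it installed correctly?" >&2
        exit 1
    fi
    if ! command -v gpg2 >/dev/null 2>&1; then
        echo "uccpass: can't find gpg2(1), is it installed correctly?" >&2
        exit 1
    fi

    UCCPASS_ROOT="/home/wheel/bin/uccpass"
    UCCPASS_KEYRING="$UCCPASS_ROOT/keyring.gpg"
    export PASSWORD_STORE_DIR="$UCCPASS_ROOT/store"
    # The store is shared with the wheel group: group read/write, nothing
    # for others.
    export PASSWORD_STORE_UMASK=007
    export GIT_AUTHOR_EMAIL="$USER+wheel@ucc.gu.uwa.edu.au"
    # Real name from the GECOS field of the local passwd entry.
    GIT_AUTHOR_NAME="$(getent passwd "$USER" | cut -d: -f5)"
    export GIT_AUTHOR_NAME
    # gpg-agent needs to know which terminal to run pinentry on.
    GPG_TTY="$(tty)"
    export GPG_TTY

    if [ -n "$UCCPASS_DEBUG" ]; then set -x; fi
}

#######################################
# Append a line to a file unless an identical line is already present.
# Arguments: $1 - the line to add
#            $2 - the file to add it to (created if missing)
#######################################
append_once () {
    grep -qsF -- "$1" "$2" || echo "$1" >> "$2"
}

#######################################
# Install the uccpass agent snippets into the user's shell rc files.
# Globals:   USER_SHELL (read), UCCPASS_ROOT (read)
#######################################
add_to_shell () {
    # If you add more shells here, don't forget to add them to the case in
    # new_user_setup as well.
    #
    # Use keychain. It is just better than futzing around with {ssh,gpg}-agent.
    # Maybe when systemd is on everything then https://github.com/vodik/envoy
    # will be better; until then, stick with what works.
    case "$USER_SHELL" in
        bash)
            append_once ". $UCCPASS_ROOT/bash_profile.uccpass" ~/.bash_profile
            append_once ". $UCCPASS_ROOT/bashrc.uccpass" ~/.bashrc
            ;;
        zsh)
            append_once ". $UCCPASS_ROOT/zprofile.uccpass" ~/.zprofile
            append_once ". $UCCPASS_ROOT/zshenv.uccpass" ~/.zshenv
            ;;
        fish)
            mkdir -p ~/.config/fish
            append_once "source $UCCPASS_ROOT/config.uccpass.fish" ~/.config/fish/config.fish
            ;;
    esac
}

#######################################
# Import the shared keyring so that every listed recipient's public key is
# available for encryption.
# Globals:   UCCPASS_KEYRING (read)
#######################################
refresh_keys () {
    gpg2 --quiet --import "$UCCPASS_KEYRING"
}

#######################################
# Make sure a gpg-agent is running, optionally installing keychain into the
# user's shell startup files.
# Globals:   GPG_AGENT_INFO (read), SHELL (read), USER_SHELL (set)
# Outputs:   progress messages on stdout
#######################################
setup_agent () {
    printf '%s' " >> Checking for running GPG agent... "
    # Checking for a running agent sucks!
    if [ -z "$GPG_AGENT_INFO" ] || ! gpg-connect-agent /bye 2>/dev/null; then
        echo "not found."
        USER_SHELL="${SHELL##*/}"
        case "$USER_SHELL" in
            bash|zsh|fish)
                echo " [!] uccpass can install an password caching agent into your shell initialisation files."
                printf '%s' " [?] Do you want to do so? [Y/n] "
                read -r install_agent
                case "$install_agent" in
                    N|n|[Nn][Oo]) ;;
                    *)
                        add_to_shell
                        echo " [!] You will need to start a new shell to pick up your new agent."
                        ;;
                esac
                ;;
        esac
        printf '%s' " >> Starting GPG agent... "
        # keychain prints the variable assignments for the agent it started;
        # eval them into this shell so gpg2 below can find the agent.
        eval "$(SHELL=/bin/sh keychain --eval --quiet --agents gpg)"
    fi
    echo "ok."
}

#######################################
# Generate a GPG key for this user if none exists for GIT_AUTHOR_EMAIL yet.
# The passphrase is requested interactively by gpg2 (%ask-passphrase).
# Globals:   GIT_AUTHOR_EMAIL, GIT_AUTHOR_NAME (read)
#######################################
generate_key () {
    # Use gpg2 consistently: the key is generated with gpg2, so it must also
    # be looked up with gpg2 (gpg(1) may keep a separate secret keyring).
    if gpg2 --list-keys "$GIT_AUTHOR_EMAIL" >/dev/null 2>&1; then
        return 0
    fi
    echo " >> Generating new GPG key for $GIT_AUTHOR_NAME (UCC Wheel Group)"
    echo " [!] At the next prompt, you will be asked for a secure passphrase."
    echo "     This controls access to the password store - please choose something secure."
    echo " [?] Press ENTER to continue..."
    read -r _
    gpg2 --gen-key --batch <<EOF
Key-Type: default
Subkey-Type: default
Name-Real: $GIT_AUTHOR_NAME (UCC Wheel Group)
Name-Email: $GIT_AUTHOR_EMAIL
Expire-Date: 5y
%ask-passphrase
EOF
}

#######################################
# Register the user's key: add its fingerprint to the store's .gpg-id
# recipient list and its public key to the shared keyring.
# Globals:   GIT_AUTHOR_EMAIL, PASSWORD_STORE_DIR, UCCPASS_KEYRING (read)
#            KEY_FINGERPRINT (set)
# Returns:   exits 1 if no secret key can be found for GIT_AUTHOR_EMAIL
#######################################
register_key () {
    # Get the key fingerprint (first fpr record of the first matching secret key)
    KEY_FINGERPRINT="$(gpg2 --list-secret-keys --with-fingerprint --with-colons "$GIT_AUTHOR_EMAIL" \
        | grep '^fpr' | head -n 1 | cut -d: -f 10)"
    # An empty fingerprint would make the grep -F below match every line and
    # report "already present!", silently leaving the user without access.
    if [ -z "$KEY_FINGERPRINT" ]; then
        echo "uccpass: could not find a secret key for $GIT_AUTHOR_EMAIL" >&2
        exit 1
    fi

    # Add to .gpg-id
    printf '%s' " >> Adding your key to the access list... "
    if grep -qF -- "$KEY_FINGERPRINT" "$PASSWORD_STORE_DIR/.gpg-id"; then
        echo "already present!"
    else
        echo "$KEY_FINGERPRINT" >> "$PASSWORD_STORE_DIR/.gpg-id"
        echo "ok."
    fi

    # Add to key list
    # XXX: is it worth submitting these to an online keyserver?
    printf '%s' " >> Adding your key to the shared keyring... "
    if gpg2 --with-fingerprint --with-colons "$UCCPASS_KEYRING" | grep -qF -- "$KEY_FINGERPRINT"; then
        echo "already present!"
    else
        gpg2 --export --armor "$KEY_FINGERPRINT" >> "$UCCPASS_KEYRING" && echo "ok."
    fi
}

#######################################
# First-time setup: agent, key generation and registration with the store.
# Adding a fingerprint to .gpg-id does not grant access by itself - an
# existing member still has to run `uccpass reload` to re-encrypt the store.
#######################################
new_user_setup () {
    echo " > Setting you up for uccpass"
    setup_agent
    generate_key
    register_key
    # Done!
    echo " > uccpass setup complete."
    echo " [!] Ask someone with existing access to the password store to run \`uccpass reload\`."
}

#######################################
# Entry point: dispatch on the first argument, falling through to pass(1).
# Arguments: "$@" - the uccpass/pass command line
#######################################
main () {
    init
    case "$1" in
        setup)
            new_user_setup
            refresh_keys
            ;;
        reload)
            refresh_keys
            echo "The following keys have access to the password store:"
            # .gpg-id holds one recipient per line; word-splitting it into
            # separate arguments is intended.
            # shellcheck disable=SC2046
            gpg2 --with-colons --list-keys $(cat "$PASSWORD_STORE_DIR/.gpg-id") | grep '^uid' | cut -d: -f 10
            echo
            # shellcheck disable=SC2046
            command pass init $(cat "$PASSWORD_STORE_DIR/.gpg-id")
            ;;
        help|--help)
            command pass "$@"
            echo "uccpass also supports the following commands:"
            echo "setup: generate a new key and insert it into the password store"
            echo "reload: re-encrypt the password store"
            ;;
        insert|edit|generate|rm|cp|mv|git)
            # Commands that encrypt need every recipient's public key locally.
            refresh_keys
            command pass "$@"
            ;;
        *)
            command pass "$@"
            ;;
    esac
}

main "$@"

# vim: autoindent tabstop=4 shiftwidth=4 expandtab softtabstop=4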