From: David Adam
Date: Mon, 13 Apr 2015 14:06:55 +0000 (+0800)
Subject: uccpass: first version
X-Git-Url: https://git.ucc.asn.au/?p=zanchey%2Fuccpass.git;a=commitdiff_plain;h=cec09c3133b150ad81bd66cee4620020cae95fc7
uccpass: first version
Supports `setup`, `reload` and keyring refresh.
---
diff --git a/uccpass b/uccpass
new file mode 100755
index 0000000..62c42e3
--- /dev/null
+++ b/uccpass
@@ -0,0 +1,177 @@
+#!/bin/sh
+#
+# uccpass, a wrapper around the pass(1) password manager for UCC
+#
+# David Adam , 2015
+# (and your name here?)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+init () {
+ # Check for pass subcommand
+ if ! type pass >/dev/null; then
+ echo "$0: can't find the pass(1) command, is it installed correctly?"
+ fi
+ if ! type gpg2 >/dev/null; then
+ echo "$0: can't find gpg2(1), is it installed correctly?"
+ fi
+
+ UCCPASS_ROOT="/home/wheel/bin/uccpass"
+ UCCPASS_KEYRING="$UCCPASS_ROOT/keyring.gpg"
+ export PASSWORD_STORE_DIR="$UCCPASS_ROOT/store"
+ export PASSWORD_STORE_UMASK=007
+
+ export GIT_AUTHOR_EMAIL="$USER+wheel@ucc.gu.uwa.edu.au"
+ export GIT_AUTHOR_NAME="`getent passwd $USER | cut -d: -f5`"
+
+ export GPG_TTY=`tty`
+
+ if [ -n "$UCCPASS_DEBUG" ]; then set -x; fi
+}
+
+add_to_shell () {
+ # If you add more shells here, don't forget to add them to the egrep below.
+ #
+ # Use keychain. It is just better than futzing around with {ssh,gpg}-agent.
+ # Maybe when systemd is on everything then https://github.com/vodik/envoy
+ # will be better; until then, stick with what works.
+ case $USER_SHELL in
+ bash)
+ bash_profile=". $UCCPASS_ROOT/bash_profile.uccpass"
+ grep -qsF "$bash_profile" ~/.bash_profile || echo "$bash_profile" >> ~/.bash_profile
+ bashrc=". $UCCPASS_ROOT/bashrc.uccpass"
+ grep -qsF "$bashrc" ~/.bashrc || echo "$bashrc" >> ~/.bashrc
+ ;;
+ zsh)
+ zprofile=". $UCCPASS_ROOT/zprofile.uccpass"
+ grep -qsF "$zprofile" ~/.zprofile || echo "$zprofile" >> ~/.zprofile
+ zshenv=". $UCCPASS_ROOT/zshenv.uccpass"
+ grep -qsF "$zshenv" ~/.zshenv || echo "$zshenv" >> ~/.zshenv
+ ;;
+ fish)
+ fishconfig="source $UCCPASS_ROOT/config.uccpass.fish"
+ grep -qsF "$fishconfig" ~/.config/fish/config.fish || { mkdir -p ~/.config/fish; echo $fishconfig >> ~/.config/fish/config.fish ; }
+ ;;
+ esac
+}
+
+refresh_keys () {
+ gpg2 --quiet --import $UCCPASS_KEYRING
+}
+
+new_user_setup () {
+ echo " > Setting you up for $0"
+
+ # Set up an agent
+ echo -n " >> Checking for running GPG agent... "
+ # Checking for a running agent sucks!
+ if [ -z "$GPG_AGENT_INFO" ] || ! gpg-connect-agent /bye 2>/dev/null; then
+ echo "not found."
+ USER_SHELL=`basename $SHELL`
+ if echo $USER_SHELL | egrep -q 'zsh|bash|fish'; then
+ echo " [!] $0 can install an password caching agent into your shell initialisation files."
+ echo -n " [?] Do you want to do so? [Y/n] "
+ read install_agent
+ case $install_agent in
+ N|n|[Nn][Oo])
+ ;;
+ *)
+ add_to_shell
+ echo " [!] You will need to start a new shell to pick up your new agent."
+ ;;
+ esac
+ fi
+ echo -n " >> Starting GPG agent... "
+ eval `SHELL=/bin/sh keychain --eval --quiet --agents gpg`
+ fi
+ echo "ok."
+
+ # Generate new GPG key
+ if ! gpg --list-keys $GIT_AUTHOR_EMAIL >/dev/null 2>&1; then
+ echo " >> Generating new GPG key for $GIT_AUTHOR_NAME (UCC Wheel Group)"
+ echo " [!] At the next prompt, you will be asked for a secure passphrase."
+ echo " This controls access to the password store - please choose something secure."
+ echo " [?] Press ENTER to continue..."
+ read -r _
+ new_key_info=" Key-Type: default
+ Subkey-Type: default
+ Name-Real: $GIT_AUTHOR_NAME (UCC Wheel Group)
+ Name-Email: $GIT_AUTHOR_EMAIL
+ Expire-Date: 5y
+ %ask-passphrase
+ "
+ echo "$new_key_info" | gpg2 --gen-key --batch
+ fi
+
+ # Get the key fingerprint
+ KEY_FINGERPRINT=`gpg --list-secret-keys --with-fingerprint --with-colons $GIT_AUTHOR_EMAIL | grep '^fpr' | head -n 1 | cut -d: -f 10`
+
+ # Add to .gpg-id
+ echo -n " >> Adding your key to the access list... "
+ if grep -qF "$KEY_FINGERPRINT" $PASSWORD_STORE_DIR/.gpg-id; then
+ echo "already present!"
+ else
+ echo "$KEY_FINGERPRINT" >> $PASSWORD_STORE_DIR/.gpg-id
+ echo "ok."
+ fi
+
+ # Add to key list
+ # XXX: is it worth submitting these to an online keyserver?
+ echo -n " >> Adding your key to the shared keyring... "
+ if gpg2 --with-fingerprint --with-colons $UCCPASS_KEYRING | grep -qF "$KEY_FINGERPRINT"; then
+ echo "already present!"
+ else
+ gpg2 --export --armor "$KEY_FINGERPRINT" >> $UCCPASS_KEYRING && echo "ok."
+ fi
+
+ # Done!
+ echo " > $0 setup complete."
+ echo " [!] Ask someone with existing access to the password store to run \`$0 reload\`."
+}
+
+init
+
+case "$1" in
+ setup)
+ new_user_setup
+ refresh_keys
+ ;;
+ reload)
+ refresh_keys
+ echo "The following keys have access to the password store:"
+ gpg2 --with-colons --list-keys `cat $PASSWORD_STORE_DIR/.gpg-id` | grep '^uid' | cut -d: -f 10
+ echo
+ command pass init `cat $PASSWORD_STORE_DIR/.gpg-id`
+ ;;
+ help|--help)
+ command pass $@
+ echo "$0 also supports the following commands:"
+ echo "setup: generate a new key and insert it into the password store"
+ echo "reload: re-encrypt the password store"
+ ;;
+ insert|edit|generate|rm|cp|mv|git)
+ refresh_keys
+ command pass $@
+ ;;
+ *)
+ command pass $@
+ ;;
+esac
+
+# vim: autoindent tabstop=4 shiftwidth=4 expandtab softtabstop=4
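Review bot: The `reload` arm shows the approver only the self-asserted `uid` names of the keys listed in `.gpg-id` before `pass init` re-encrypts the whole store to them, yet `setup` lets any user append their own fingerprint to that file and pick any `Name-Real`, so a name alone is not enough to vet the access list. Printing the fingerprint next to each name, e.g. `gpg2 --with-colons --with-fingerprint --list-keys $(cat $PASSWORD_STORE_DIR/.gpg-id) | grep -E '^(uid|fpr)' | cut -d: -f 10`, gives the person running `reload` something they can verify out of band before granting access. In `init`, both missing-tool checks only print a message and fall through, so the script carries on without `pass` or `gpg2`; each branch should end with `exit 1`. The `command pass $@` calls should be `command pass "$@"` so that entry names containing spaces reach pass intact. Separately, the key is generated with `gpg2` but looked up with `gpg` for both the existence check and the fingerprint extraction; if those two binaries do not share a keyring on the target hosts, `KEY_FINGERPRINT` comes back empty and the `grep -qF ""` on `.gpg-id` reports "already present!" without adding anything.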