uccpass: first version
authorDavid Adam <zanchey@ucc.gu.uwa.edu.au>
Mon, 13 Apr 2015 14:06:55 +0000 (22:06 +0800)
committerDavid Adam <zanchey@ucc.gu.uwa.edu.au>
Mon, 13 Apr 2015 14:06:55 +0000 (22:06 +0800)
Supports `setup`, `reload` and keyring refresh.

uccpass [new file with mode: 0755]

diff --git a/uccpass b/uccpass
new file mode 100755 (executable)
index 0000000..62c42e3
--- /dev/null
+++ b/uccpass
@@ -0,0 +1,177 @@
+#!/bin/sh
+#
+# uccpass, a wrapper around the pass(1) password manager for UCC
+#
+# David Adam <zanchey@ucc.gu.uwa.edu.au>, 2015
+# (and your name here?)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+init () {
+    # Check for pass subcommand
+    if ! type pass >/dev/null; then
+        echo "$0: can't find the pass(1) command, is it installed correctly?"
+    fi
+    if ! type gpg2 >/dev/null; then
+        echo "$0: can't find gpg2(1), is it installed correctly?"
+    fi
+
+    UCCPASS_ROOT="/home/wheel/bin/uccpass"
+    UCCPASS_KEYRING="$UCCPASS_ROOT/keyring.gpg"
+    export PASSWORD_STORE_DIR="$UCCPASS_ROOT/store"
+    export PASSWORD_STORE_UMASK=007
+
+    export GIT_AUTHOR_EMAIL="$USER+wheel@ucc.gu.uwa.edu.au"
+    export GIT_AUTHOR_NAME="`getent passwd $USER | cut -d: -f5`"
+
+    export GPG_TTY=`tty`
+
+    if [ -n "$UCCPASS_DEBUG" ]; then set -x; fi
+}
+
+add_to_shell () {
+    # If you add more shells here, don't forget to add them to the egrep below.
+    # 
+    # Use keychain. It is just better than futzing around with {ssh,gpg}-agent.
+    # Maybe when systemd is on everything then https://github.com/vodik/envoy
+    # will be better; until then, stick with what works.
+    case $USER_SHELL in
+        bash)
+            bash_profile=". $UCCPASS_ROOT/bash_profile.uccpass"
+            grep -qsF "$bash_profile" ~/.bash_profile || echo "$bash_profile" >> ~/.bash_profile
+            bashrc=". $UCCPASS_ROOT/bashrc.uccpass"
+            grep -qsF "$bashrc" ~/.bashrc || echo "$bashrc" >> ~/.bashrc
+            ;;
+        zsh)
+            zprofile=". $UCCPASS_ROOT/zprofile.uccpass"
+            grep -qsF "$zprofile" ~/.zprofile || echo "$zprofile" >> ~/.zprofile
+            zshenv=". $UCCPASS_ROOT/zshenv.uccpass"
+            grep -qsF "$zshenv" ~/.zshenv || echo "$zshenv" >> ~/.zshenv
+            ;;
+        fish)
+            fishconfig="source $UCCPASS_ROOT/config.uccpass.fish"
+            grep -qsF "$fishconfig" ~/.config/fish/config.fish || { mkdir -p ~/.config/fish; echo $fishconfig >> ~/.config/fish/config.fish ; }
+            ;;
+    esac
+}
+
+refresh_keys () {
+    gpg2 --quiet --import $UCCPASS_KEYRING
+}
+
+new_user_setup () {
+    echo " >  Setting you up for $0"
+
+    # Set up an agent
+    echo -n " >> Checking for running GPG agent... "
+    # Checking for a running agent sucks!
+    if [ -z "$GPG_AGENT_INFO" ] || ! gpg-connect-agent /bye 2>/dev/null; then
+        echo "not found."
+        USER_SHELL=`basename $SHELL`
+        if echo $USER_SHELL | egrep -q 'zsh|bash|fish'; then
+            echo " [!] $0 can install an password caching agent into your shell initialisation files."
+            echo -n " [?] Do you want to do so? [Y/n] " 
+            read install_agent
+            case $install_agent in
+                N|n|[Nn][Oo])
+                    ;;
+                *)
+                    add_to_shell
+                    echo " [!] You will need to start a new shell to pick up your new agent."
+                    ;;
+            esac
+        fi
+        echo -n " >> Starting GPG agent... "
+        eval `SHELL=/bin/sh keychain --eval --quiet --agents gpg`
+    fi
+    echo "ok."
+
+    # Generate new GPG key
+    if ! gpg --list-keys $GIT_AUTHOR_EMAIL >/dev/null 2>&1; then
+        echo " >> Generating new GPG key for $GIT_AUTHOR_NAME (UCC Wheel Group)"
+        echo " [!] At the next prompt, you will be asked for a secure passphrase."
+        echo "     This controls access to the password store - please choose something secure."
+        echo " [?] Press ENTER to continue..."
+        read -r _
+        new_key_info="    Key-Type: default
+                Subkey-Type: default
+                Name-Real: $GIT_AUTHOR_NAME (UCC Wheel Group)
+                Name-Email: $GIT_AUTHOR_EMAIL
+                Expire-Date: 5y
+                %ask-passphrase
+                 "
+        echo "$new_key_info" | gpg2 --gen-key --batch
+    fi
+
+    # Get the key fingerprint
+    KEY_FINGERPRINT=`gpg --list-secret-keys --with-fingerprint --with-colons $GIT_AUTHOR_EMAIL | grep '^fpr' | head -n 1 | cut -d: -f 10`
+
+    # Add to .gpg-id
+    echo -n " >> Adding your key to the access list... "
+    if grep -qF "$KEY_FINGERPRINT" $PASSWORD_STORE_DIR/.gpg-id; then
+        echo "already present!"
+    else
+        echo "$KEY_FINGERPRINT" >> $PASSWORD_STORE_DIR/.gpg-id
+        echo "ok."
+    fi
+
+    # Add to key list
+    # XXX: is it worth submitting these to an online keyserver?
+    echo -n " >> Adding your key to the shared keyring... "
+    if gpg2 --with-fingerprint --with-colons $UCCPASS_KEYRING | grep -qF "$KEY_FINGERPRINT"; then
+        echo "already present!"
+    else
+        gpg2 --export --armor "$KEY_FINGERPRINT" >> $UCCPASS_KEYRING && echo "ok."
+    fi
+
+    # Done!
+    echo " > $0 setup complete."
+    echo " [!] Ask someone with existing access to the password store to run \`$0 reload\`."
+}
+
+init
+
+case "$1" in
+    setup)
+        new_user_setup
+        refresh_keys
+        ;;
+    reload)
+        refresh_keys
+        echo "The following keys have access to the password store:"
+        gpg2 --with-colons --list-keys `cat $PASSWORD_STORE_DIR/.gpg-id` | grep '^uid' | cut -d: -f 10
+        echo
+        command pass init `cat $PASSWORD_STORE_DIR/.gpg-id`
+        ;;
+    help|--help)
+        command pass $@
+        echo "$0 also supports the following commands:"
+        echo "setup: generate a new key and insert it into the password store"
+        echo "reload: re-encrypt the password store"
+        ;;
+    insert|edit|generate|rm|cp|mv|git)
+        refresh_keys
+        command pass $@
+        ;;
+    *)
+        command pass $@
+        ;;
+esac
+
+# vim: autoindent tabstop=4 shiftwidth=4 expandtab softtabstop=4

UCC git Repository :: git.ucc.asn.au