-rw-r--r--bin/common.rb16
-rwxr-xr-xbin/meta-check9
-rwxr-xr-xbin/pgp-get-keyid-by-uid4
-rwxr-xr-xbin/pgp-list-keyids15
-rwxr-xr-xbin/postfix-generate-virtual-map7
-rwxr-xr-xbin/ssh-list-authorized-keys19
-rwxr-xr-xbin/uid-map8
-rw-r--r--hackers-git.yml35
8 files changed, 76 insertions, 37 deletions
diff --git a/bin/common.rb b/bin/common.rb
new file mode 100644
index 0000000..a5840ec
--- /dev/null
+++ b/bin/common.rb
@@ -0,0 +1,16 @@
+require 'yaml'
+
+def cfg
+ @cfg ||= YAML::load(open("hackers-git.yml"))
+end
+
+def load_user_yaml(filename)
+ user = YAML::load(open(filename))
+ groups = user["groups"] || []
+ user["groups"] = groups.concat((groups & cfg["groupgroups"].keys).map{|g|cfg["groupgroups"][g]}.flatten)
+ return user
+end
+
+def load_all_users
+ Dir.glob("#{cfg["yamldir"]}/*.yml").map{|filename|load_user_yaml(filename)}
+end
diff --git a/bin/meta-check b/bin/meta-check
index 16994ce..4a2981e 100755
--- a/bin/meta-check
+++ b/bin/meta-check
@@ -2,7 +2,8 @@
. libremessages
-PATH="$(dirname "$0"):$PATH"
+mydir="$(dirname "$0")"
+PATH="$mydir:$PATH"
check-yaml() {
file=$1
@@ -16,13 +17,15 @@ check-yaml() {
main() {
declare -i ret=0
+ yamldir="$(ruby -e "load '$mydir/common.rb'; print cfg['yamldir']")"
+
# Check the user YAML files
- for file in users/*.yml; do
+ for file in "$yamldir"/*.yml; do
check-yaml "$file" || ret=$?
done
msg 'Checking for duplicate usernames'
- dups=($(sed -n 's/^username: //p' -- users/*.yml| sort | uniq -d))
+ dups=($(sed -n 's/^username: //p' -- "$yamldir"/*.yml| sort | uniq -d))
if (( ${#dups[@]} )); then
error 'Duplicate usernames:'
plain '%s' "${dups[@]}"
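Review bot: The added `ruby -e` line interpolates `$mydir` into a single-quoted Ruby string literal, so a script directory containing a `'` breaks the one-liner, and the command substitution has no failure check, so on any ruby error `yamldir` is empty and the following `"$yamldir"/*.yml` globs expand to `/*.yml`. Pass the path as an argument instead and stop on failure: `yamldir="$(ruby -e "load ARGV[0]; print cfg['yamldir']" "$mydir/common.rb")" || return 1`. Note that a relative `yamldir` from the config is resolved against the working directory here, not against `$mydir`. main continues past the end of the hunk.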
diff --git a/bin/pgp-get-keyid-by-uid b/bin/pgp-get-keyid-by-uid
index 1dea99f..94a869d 100755
--- a/bin/pgp-get-keyid-by-uid
+++ b/bin/pgp-get-keyid-by-uid
@@ -1,5 +1,5 @@
#!/usr/bin/env ruby
# Usage: pgp-get-keyid-by-uid {uid}
-require 'yaml'
-puts YAML::load(open("users/#{ARGV[0]}.yml"))["pgp_keyid"]
+load "#{File.dirname(__FILE__)}/common.rb"
+puts load_user_yaml("#{cfg["yamldir"]}/#{ARGV[0]}.yml")["pgp_keyid"]
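Review bot: `ARGV[0]` is spliced unchecked into the path on the last line, so a missing argument reads `<yamldir>/.yml` and an argument containing `/` or `..` reads a file outside `yamldir`. If uids are always numeric, as hackers-git.yml's `"${uid}.yml"` comment and uid-map's `[0-9]*` pattern suggest, validate first: `abort "Usage: pgp-get-keyid-by-uid {uid}" unless ARGV[0] =~ /\A[0-9]+\z/`. The groupgroups expansion done by `load_user_yaml` is not needed to read `pgp_keyid`, but reusing the helper keeps file access in one place, which is fine.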
diff --git a/bin/pgp-list-keyids b/bin/pgp-list-keyids
index 93bc292..1807faa 100755
--- a/bin/pgp-list-keyids
+++ b/bin/pgp-list-keyids
@@ -1,20 +1,13 @@
#!/usr/bin/env ruby
# Usage: pgp-list-keyids
-cfg_groups = {
- :trusted => [ "hackers", "bots" ],
- :secondary => [ "trustedusers" ]
-}
-######################################################################
-require 'yaml'
+load "#{File.dirname(__FILE__)}/common.rb"
-users = Dir.glob("users/*.yml").map{|f|YAML::load(open(f))}
-
-users.each do |user|
+load_all_users.each do |user|
if user["groups"]
- if ! (user["groups"] & cfg_groups[:trusted]).empty?
+ if user["groups"].include?("keyring-trusted")
puts "trusted/#{user["username"]} #{user["pgp_keyid"]}"
- elsif ! (user["groups"] & cfg_groups[:secondary]).empty?
+ elsif user["groups"].include?("keyring-secondary")
puts "secondary/#{user["username"]} #{user["pgp_keyid"]}"
elsif user["pgp_keyid"]
puts "revoked/#{user["username"]} #{user["pgp_keyid"]}"
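Review bot: The `if user["groups"]` guard directly below the new `load_all_users.each` line is now always true, because `load_user_yaml` assigns `user["groups"] = groups` with `[]` as the fallback; users with no groups therefore now fall through to the `elsif user["pgp_keyid"]` branch and are printed as `revoked/…`, where before the guard excluded them from these branches (what the block did with them then lies outside this hunk). If that is intended, drop the guard as dead code; if not, make it `unless user["groups"].empty?`. The block continues past the hunk.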
diff --git a/bin/postfix-generate-virtual-map b/bin/postfix-generate-virtual-map
index 1203c63..f323d6b 100755
--- a/bin/postfix-generate-virtual-map
+++ b/bin/postfix-generate-virtual-map
@@ -1,12 +1,9 @@
#!/usr/bin/env ruby
# Usage: postfix-show-virtual-map > ${file} && postmap hash:${file}
-cfg_groups = [ "hackers", "fellows" ]
-######################################################################
-require 'yaml'
+load "#{File.dirname(__FILE__)}/common.rb"
-users = Dir.glob("users/*.yml").map{|f|YAML::load(open(f))}
- .find_all{|u|u["groups"] and not (u["groups"] & cfg_groups).empty?}
+users = load_all_users.find_all{|u|u["groups"].include?("email")}
users.each do |user|
if user["email"] and user["email"].length > 0
diff --git a/bin/ssh-list-authorized-keys b/bin/ssh-list-authorized-keys
index 6a03c8d..5e178e1 100755
--- a/bin/ssh-list-authorized-keys
+++ b/bin/ssh-list-authorized-keys
@@ -1,22 +1,17 @@
#!/usr/bin/env ruby
# Usage: ssh-list-authorized-keys [username]
-cfg_groups = [ "repo", "git" ]
-######################################################################
-require 'set'
-require 'yaml'
+load "#{File.dirname(__FILE__)}/common.rb"
-all_users = Dir.glob("users/*.yml").map{|f|YAML::load(open(f))}
-users = Set.new
+all_users = load_all_users
-groupnames = ARGV & cfg_groups
+groupnames = ARGV & cfg["ssh_pseudo_users"]
usernames = ARGV & all_users.map{|u|u["username"]}
-unless groupnames.empty?
- groupnames.push("hackers")
-end
-
-users = all_users.find_all{|u| usernames.include?(u["username"]) or not ((u["groups"]||[]) & groupnames).empty?}
+users = all_users.find_all{|u|
+ # [ username was listed ] or [ the user is in a listed group ]
+ usernames.include?(u["username"]) or not (u["groups"] & groupnames).empty?
+}
# Buffer the output to avoid EPIPE when the reader hangs up early
output=""
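Review bot: `ARGV & cfg["ssh_pseudo_users"]` raises `TypeError` when hackers-git.yml has no `ssh_pseudo_users` key, and since this script's output is presumably consumed as an SSH authorized-keys list, that fails closed but with an unhelpful backtrace; `ARGV & (cfg["ssh_pseudo_users"] || [])` or `cfg.fetch("ssh_pseudo_users")` gives a clearer failure. The removed `groupnames.push("hackers")` is now expressed only through the `hackers` → `repo`/`git` entries under `groupgroups` in hackers-git.yml, so the old behaviour holds only while that mapping is kept in sync; a comment next to the `groupnames` line such as `# 'hackers' implies repo/git via groupgroups in hackers-git.yml` records the dependency. In the new block body, `||` and `!` would read more conventionally than the `or`/`not` keyword operators.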
diff --git a/bin/uid-map b/bin/uid-map
index 90dd472..26765fa 100755
--- a/bin/uid-map
+++ b/bin/uid-map
@@ -1,10 +1,10 @@
#!/usr/bin/env ruby
# Usage: uid-map
-require 'yaml'
+load "#{File.dirname(__FILE__)}/common.rb"
-users = Dir.glob("users/*.yml").each do |filename|
- uid = filename.sub(/users\/([0-9]*)\.yml/, "\\1").to_i
- user = YAML::load(open(filename))
+users = Dir.glob("#{cfg["yamldir"]}/*.yml").each do |filename|
+ uid = File.basename(filename).sub(/^([0-9]*)\.yml$/, "\\1").to_i
+ user = load_user_yaml(filename)
puts "#{uid}:#{user["username"]}"
end
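Review bot: `File.basename(filename).sub(/^([0-9]*)\.yml$/, "\\1").to_i` silently maps any non-numeric file name to uid 0 — the `[0-9]*` group matches the empty string, and a name that does not match at all passes through `sub` unchanged and `to_i` turns it into 0 — so a stray `foo.yml` in yamldir prints `0:…`. Prefer `base = File.basename(filename, ".yml")`, `next unless base =~ /\A[0-9]+\z/`, `uid = base.to_i`, which also replaces the per-line `^`/`$` anchors with whole-string ones. The `users =` assignment on the `each` line keeps the glob result in a variable that nothing in the hunk reads; if it is unused elsewhere too, drop it.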
diff --git a/hackers-git.yml b/hackers-git.yml
new file mode 100644
index 0000000..f0eef37
--- /dev/null
+++ b/hackers-git.yml
@@ -0,0 +1,35 @@
+---
+# Where to look for "${uid}.yml" files
+#yamldir: "/var/lib/hackers-git/users"
+yamldir: "users"
+
+# The message, if any, that is presented to the user when password
+# modification through PAM is prohibited.
+pam_password_prohibit_message: ''
+
+# Which groups imply membership in other groups (since UNIX groups
+# can't be nested). Only one level of nesting is supported ATM.
+#
+# That is, if you are in the 'hackers' group, you are also in the
+# 'repo' and 'git' groups, even if they aren't listed.
+groupgroups:
+ hackers:
+ - repo
+ - git
+ - ssh
+ - email
+ - keyring-trusted
+ fellows:
+ - email
+ trustedusers:
+ - keyring-secondary
+ bots:
+ - keyring-trusted
+
+# Groups that are system users that can be ssh'ed into.
+#
+# So, if 'lukeshu' is in the 'repo' group, he can ssh to
+# 'repo'@hostname.
+ssh_pseudo_users:
+- repo
+- git
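Review bot: `yamldir: "users"` is a relative path that the scripts resolve against the process's working directory (common.rb reads hackers-git.yml itself the same way), which the comment above it does not say; suggest `# Where to look for "${uid}.yml" files; a relative path is resolved against the current working directory, like this file itself.`. The `groupgroups` comment's example says membership in 'hackers' implies 'repo' and 'git', while the mapping below also grants ssh, email and keyring-trusted; extending the example to match the list avoids a misleading description.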