authorGravatar steering72532026-05-18 06:12:21 -0600
committerGravatar steering72532026-05-18 06:12:21 -0600
commit4707d391430ebacd08d00bfcf36360fe982b195a (patch)
treefba7b778b0137c4c745d7dcb9c91556e97e39bbc /gpg-verify
parentchange attempt format (diff)
add gpg auth
Diffstat (limited to 'gpg-verify')
-rwxr-xr-xgpg-verify57
1 files changed, 57 insertions, 0 deletions
diff --git a/gpg-verify b/gpg-verify
new file mode 100755
index 0000000..615a499
--- /dev/null
+++ b/gpg-verify
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -o pipefail
+exec &>>/var/log/gpg-verify.log
+perl -MData::Dumper -e 'print Dumper(\@ARGV);' "$@"
+
+if [ $# -ne 4 ]; then
+ exit 2
+fi
+
+username="$1"
+nonce="$2"
+key="$3"
+sig="$4"
+
+keyring="$(mktemp)"
+curl -sL "$key" | gpg -o - --dearmor >"$keyring" || exit 7
+gpgv_out="$(gpgv --keyring "$keyring" <(echo "$sig" | sed 's/-----BEGIN PGP SIGNATURE-----/&\n\n/') <(echo "$nonce") 2>&1)"
+verified_key="$(echo "$gpgv_out" |& grep -oP 'gpgv:\s*using \S+ key \K.*')"
+
+echo "keyring: $keyring"
+echo "$gpgv_out"
+
+if ! echo "$gpgv_out" | grep -qP 'gpgv: Good signature from'; then
+ exit 3
+fi
+
+if [ -z "$verified_key" ]; then
+ exit 4
+fi
+
+if [ "$username" = "new" ]; then
+ if new_user="$(grep -l -s -r -P '^\s*auth:\s*pgp-fingerprint\s+\Q'"$verified_key"'\E(\s|$)' /opt/autopeer/dn42-registry/data/mntner/ | perl -ne 's@^.*/@@; s@-MNT$@@; print lc;' | head -1)"; then
+ echo "making $new_user"; exit 0
+ if getent passwd "$new_user" &>/dev/null; then
+ exit 0
+ else
+ echo "[autopeer $(hostname -f)] New user being created: $new_user from $key $connection" | socat stdio "$NOTIFY_TO"
+ /usr/sbin/adduser --disabled-password --quiet --comment "created at $(date +%s) by $key ${connection//:/_}" --ingroup autopeer "$new_user"
+ /usr/sbin/adduser "$new_user" bird
+ ( umask 0077; touch "/var/log/autopeer/$new_user".{tim,io}; )
+ chown "$new_user" "/var/log/autopeer/$new_user".{tim,io}
+ exit 0
+ fi
+ else
+ exit 5
+ fi
+else
+ if grep -q -s -P '^\s*auth:\s*pgp-fingerprint\s+\Q'"$verified_key"'\E(\s|$)' /opt/autopeer/dn42-registry/data/mntner/"$(echo "$username" | perl -ne 's@$@-MNT@; print uc;')"; then
+ exit 0
+ else
+ exit 6
+ fi
+fi
+
+
+exit 1
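Review bot: The `echo "making $new_user"; exit 0` on the line right after the `new_user=` assignment returns before the `getent passwd` check, so the whole account-creation branch (`adduser`, the `bird` group membership, the `/var/log/autopeer` files) is unreachable; if it is a debugging leftover it should be dropped, otherwise the `if getent` block is dead code. The verification itself parses gpgv's human-readable stderr (`Good signature from`, `using ... key`), which is locale-dependent (no `LC_ALL=C` is set) and, depending on the gpgv version, may report a subkey id rather than the primary fingerprint that the mntner `auth:` line carries; `gpgv --status-fd 1 --keyring "$keyring" ...` and matching the `[GNUPG:] VALIDSIG` line gives machine-readable output whose last field is the primary key fingerprint. The keyring created with `mktemp` is never removed, so every run leaves a dearmored key file in the temp directory; `trap 'rm -f -- "$keyring"' EXIT` directly after the `mktemp` line covers all the `exit 3`–`exit 7` paths. `$username` is used unchecked to build the mntner path in the `grep -q -s -P` line, and restricting it to a conservative charset first (`[[ "$username" =~ ^[A-Za-z0-9_-]+$ ]] || exit 2`) keeps `/` and `..` out of that path. `$connection` and `$NOTIFY_TO` are not assigned anywhere in the hunk and are presumably expected from the environment; `set -u` near `set -o pipefail` would make a missing one fail loudly instead of passing an empty address to `socat`.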