From: Tollef Fog Heen
Date: Mon, 10 Mar 2014 09:21:57 +0000 (+0100)
Subject: Add configuration file and use that to look up per-repository trusted uesrs
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acdf1b0aeef6774c5aa4d142cf8867ca16a763a9;p=pwstore

Add configuration file and use that to look up per-repository trusted uesrs
---
diff --git a/README.asciidoc b/README.asciidoc
index aeba362..81e37b5 100644
--- a/README.asciidoc
+++ b/README.asciidoc
@@ -35,7 +35,7 @@ Lines starting with a # are comments and thus get ignored.
 --------------------------------
 % cat .users
 # This file needs to be gpg signed by a key whose fingerprint
-# is listed in ~/.pws-trusted-users
+# is listed in ~/.pws.yaml
 formorer = 6E3966C1E1D15DB973D05B491E45F8CA9DE23B16
 weasel = 25FC1614B8F87B52FF2F99B962AF4031C82E0039
@@ -56,19 +56,23 @@ unauthorized tampering with the .users file - for tricking somebody to re-encrypt data to the wrong key - the .users file needs to be PGP-clearsigned with a key from a whitelist.
-This whitelist lives in ~/.pws-trusted-users, and simply takes one
-key fingerprint per line:
+This whitelist lives in ~/.pws.yaml under the trusted_users key and
+then under the directory name. A sample file looks like:
 ---------------------------------
-% cat ~/.pws-trusted-users
-#formorer
-6E3966C1E1D15DB973D05B491E45F8CA9DE23B16
+aliases:
+  debian:
+    - &tfheen A28411A596193171331802C0B65A4871CA19D717
+    - &weasel 25FC1614B8F87B52FF2F99B962AF4031C82E0039
+
+trusted_users:
+  "~/.pws":
+    - *tfheen
+  "~/debian/dsa-passwords":
+    - *tfheen
+    - *weasel
 ---------------------------------
-Currently this whitelist is the same for any pws repositories a user
-might have. A patch to remove this limitation would be nice.
-
-
 adding a new file
 -----------------
diff --git a/pws.rb b/pws.rb
index 97c085a..d90c940 100755
--- a/pws.rb
+++ b/pws.rb
@@ -35,6 +35,7 @@ GNUPG = "/usr/bin/gpg"
 GROUP_PATTERN = "@[a-zA-Z0-9-]+"
 USER_PATTERN = "[a-zA-Z0-9:-]+"
 $program_name = File.basename($0, '.*')
+CONFIG_FILE = ENV['HOME']+ "/.pws.yaml"
 $editor = ENV['EDITOR']
 if $editor == nil
@@ -237,17 +238,31 @@ class GroupConfig
 def initialize(dirname=".", trusted_users=nil)
 @dirname = dirname
 if trusted_users
-    @trusted_users = trusted_users
+    @trusted_users = load_trusted_users(trusted_users)
+  elsif FileTest.exists?(CONFIG_FILE)
+    t = {}
+    begin
+      yaml = YAML::load_file(CONFIG_FILE)
+      yaml["trusted_users"].each do |k,v|
+        t[File.expand_path(k)] = v
+      end
+      @trusted_users = t[File.expand_path(dirname)]
+      if @trusted_users.nil?
+        raise ("Could not find #{File.expand_path(dirname)} in configuration file #{CONFIG_FILE}")
+      end
+    rescue Psych::SyntaxError, ArgumentError => e
+      raise("Could not parse YAML: #{e.message}")
+    end
 else
-    @trusted_users = ENV['HOME']+'/.pws-trusted-users'
+    @trusted_users = load_trusted_users(ENV['HOME']+'/.pws-trusted-users')
 end
 parse_file
 expand_groups
 end
-  def verify(content)
+  def load_trusted_users(trusted_users_file)
 begin
-      f = File.open(@trusted_users)
+      f = File.open(trusted_users_file)
 rescue Exception => e
 raise e
 end
@@ -260,6 +275,10 @@ class GroupConfig
 trusted.push line
 end
+    trusted
+  end
+
+  def verify(content)
 args = []
 args.push "--keyring=./.keyring" if FileTest.exists?(".keyring")
@@ -284,7 +303,7 @@ class GroupConfig
 raise "Not goodsig"
 end
-    if not trusted.include?(validsig)
+    if not @trusted_users.include?(validsig)
 raise ".users file is signed by #{validsig} which is not in #{@trusted_users}"
 end
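Review bot: `CONFIG_FILE = ENV['HOME']+ "/.pws.yaml"` raises `NoMethodError` on `nil` at load time when HOME is unset (cron jobs, some service managers), and the spacing around `+` is inconsistent with the rest of the line; `CONFIG_FILE = File.join(Dir.home, '.pws.yaml')` is the idiomatic form and, when the home directory cannot be determined, fails with a descriptive `ArgumentError` instead. The legacy `ENV['HOME']+'/.pws-trusted-users'` in the next hunk has the same shape, so both paths could be built the same way.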
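Review bot: `yaml["trusted_users"].each` fails with a bare `NoMethodError` when `~/.pws.yaml` is empty, is not a mapping, or has no `trusted_users` key, because the `rescue` only covers `Psych::SyntaxError` and `ArgumentError`; a shape check before the iteration keeps those cases on the "Could not parse YAML" path. The looked-up value is stored as-is and later used in `@trusted_users.include?(validsig)`, so a scalar instead of a list silently turns the membership test into `String#include?`, and no normalisation is applied, so a lower-case or space-separated fingerprint never matches what gpg reports (fail-closed, but with a confusing message) — `Array(v)` plus a `strip` on each entry covers both. `YAML::load_file` instantiates arbitrary tagged objects on Psych < 4; since this file is now the trust root for signature verification, `YAML.safe_load` with aliases permitted (the README sample relies on `&tfheen`/`*tfheen`; the keyword form is Psych 3.1+, older Psych takes it positionally) is the safer default, with `Psych::Exception` in the rescue so `DisallowedClass`/`BadAlias` get the same message. `FileTest.exists?` was deprecated in Ruby 2.1 and is gone in 3.2 (`File.exist?`); it matches the file's existing usage, so that can be a follow-up. The rewritten branch below folds these together; the enclosing class continues outside the hunk.
```ruby
    elsif File.exist?(CONFIG_FILE)
      begin
        # safe_load rejects arbitrary tagged objects; aliases stay on for the &name/*name entries in the README sample
        yaml = YAML.safe_load(File.read(CONFIG_FILE), aliases: true)
        users = yaml.is_a?(Hash) ? yaml["trusted_users"] : nil
        raise ArgumentError, "no 'trusted_users' mapping" unless users.is_a?(Hash)
        by_dir = users.each_with_object({}) do |(dir, fprs), h|
          h[File.expand_path(dir.to_s)] = Array(fprs).map { |fpr| fpr.to_s.strip }
        end
        @trusted_users = by_dir[File.expand_path(dirname)]
        raise "Could not find #{File.expand_path(dirname)} in configuration file #{CONFIG_FILE}" if @trusted_users.nil?
      rescue Psych::Exception, ArgumentError => e
        raise "Could not parse YAML: #{e.message}"
      end
    # … unchanged: else branch, parse_file / expand_groups …
```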
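Review bot: The new `load_trusted_users` opens `trusted_users_file` with `File.open` in the previous hunk, but no matching `close` is visible in either hunk and the read loop sits between them, so the descriptor lives until GC; `File.readlines(trusted_users_file)` or `File.open(trusted_users_file) { |f| ... }` would bound it. The `begin … rescue Exception => e; raise e; end` around the open is a no-op wrapper that also intercepts `Interrupt` and `SystemExit` before re-raising them — context lines, but they now form the body of a new method, so a plain `File.open` is sufficient. Nothing in the hunk marks the method private; if `initialize` is its only caller, `private :load_trusted_users` keeps the trust-list loader off the class's public surface. The method starts in the previous hunk and its middle lies outside both.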
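Review bot: The message `which is not in #{@trusted_users}` was written when `@trusted_users` held a file path; after this change it holds the fingerprint list, so the diagnostic prints the array's `inspect` form and no longer tells the user which file or config key to fix. Keeping the origin (`CONFIG_FILE` or the legacy list path) in a separate ivar, or wording it as `is not a trusted key for #{@dirname}`, restores that. The membership test is an exact string compare against `validsig` (presumably gpg's VALIDSIG fingerprint), so the README should state that entries must be the full 40-hex, upper-case, unspaced form — a mismatch here fails closed, which is right, but with a misleading message. `if not …` reads better as `unless @trusted_users.include?(validsig)`. verify continues outside the hunk.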