Merge remote-tracking branch 'upstream/master' into keyring_new_format

2015-06-02 21:47:23 +02:00
parent 6489733299 592c726b1d
commit bef40214b8
14 changed files with 144 additions and 68 deletions
--- a/bin/_blackbox_common.sh
+++ b/bin/_blackbox_common.sh
@@ -75,8 +75,8 @@ function is_on_cryptlist() {
 # Exit with error if a file exists.
 function fail_if_exists() {
  if [[ -f "$1" ]]; then
-    echo ERROR: "$1" exists.  "$2"
-    echo Exiting...
+    echo ERROR: "$1" exists.  "$2" >&2
+    echo Exiting... >&2
    exit 1
  fi
 }
@@ -84,8 +84,8 @@ function fail_if_exists() {
 # Exit with error if a file is missing.
 function fail_if_not_exists() {
  if [[ ! -f "$1" ]]; then
-    echo ERROR: "$1" not found.  "$2"
-    echo Exiting...
+    echo ERROR: "$1" not found.  "$2" >&2
+    echo Exiting... >&2
    exit 1
  fi
 }
@@ -94,8 +94,8 @@ function fail_if_not_exists() {
 function fail_if_not_in_repo() {
  _determine_vcs_base_and_type
  if [[ $VCS_TYPE = "unknown" ]]; then
-    echo "ERROR: This must be run in a VCS repo: git, hg, or svn."
-    echo Exiting...
+    echo "ERROR: This must be run in a VCS repo: git, hg, or svn." >&2
+    echo Exiting... >&2
    exit 1
  fi
 }
@@ -107,9 +107,9 @@ function fail_if_not_on_cryptlist() {
  local name="$1"

  if ! is_on_cryptlist "$name" ; then
-    echo "ERROR: $name not found in $BB_FILES"
-    echo "PWD="$(/bin/pwd)
-    echo 'Exiting...'
+    echo "ERROR: $name not found in $BB_FILES" >&2
+    echo "PWD="$(/bin/pwd) >&2
+    echo 'Exiting...' >&2
    exit 1
  fi
 }
@@ -117,9 +117,9 @@ function fail_if_not_on_cryptlist() {
 # Exit with error if keychain contains secret keys.
 function fail_if_keychain_has_secrets() {
  if [[ -s ${SECRING} ]]; then
-    echo 'ERROR: The file' "$SECRING" 'should be empty.'
-    echo 'Did someone accidentally add this private key to the ring?'
-    echo 'Exiting...'
+    echo 'ERROR: The file' "$SECRING" 'should be empty.' >&2
+    echo 'Did someone accidentally add this private key to the ring?' >&2
+    echo 'Exiting...' >&2
    exit 1
  fi
 }
@@ -144,9 +144,9 @@ function get_encrypted_filename() {

 # Prepare keychain for use.
 function prepare_keychain() {
-  echo '========== Importing keychain: START'
-  gpg --import "$(get_pubring_path)" 2>&1 | egrep -v 'not changed$'
-  echo '========== Importing keychain: DONE'
+  echo '========== Importing keychain: START' >&2
+  gpg --import "$(get_pubring_path)" 2>&1 | egrep -v 'not changed$' >&2
+  echo '========== Importing keychain: DONE' >&2
 }

 # Add file to list of encrypted files.
@@ -177,9 +177,9 @@ function encrypt_file() {
  unencrypted="$1"
  encrypted="$2"

-  echo "========== Encrypting: $unencrypted"
-  gpg --use-agent --yes --trust-model=always --encrypt -o "$encrypted"  $(awk '{ print "-r" $1 }' < "$BB_ADMINS") "$unencrypted"
-  echo '========== Encrypting: DONE'
+  echo "========== Encrypting: $unencrypted" >&2
+  gpg --use-agent --no-tty --yes --trust-model=always --encrypt -o "$encrypted"  $(awk '{ print "-r" $1 }' < "$BB_ADMINS") "$unencrypted" >&2
+  echo '========== Encrypting: DONE' >&2
 }

 # Decrypt .gpg file, asking "yes/no" before overwriting unencrypted file.
@@ -190,11 +190,11 @@ function decrypt_file() {
  encrypted="$1"
  unencrypted="$2"

-  echo '========== EXTRACTING ''"'$unencrypted'"'
+  echo '========== EXTRACTING ''"'$unencrypted'"' >&2

  old_umask=$(umask)
  umask "$DECRYPT_UMASK"
-  gpg --use-agent -q --decrypt -o "$unencrypted" "$encrypted"
+  gpg --use-agent --no-tty -q --decrypt -o "$unencrypted" "$encrypted" >&2
  umask "$old_umask"
 }

@@ -216,12 +216,12 @@ function decrypt_file_overwrite() {

  old_umask=$(umask)
  umask "$DECRYPT_UMASK"
-  gpg --use-agent --yes -q --decrypt -o "$unencrypted" "$encrypted"
+  gpg --use-agent --no-tty --yes -q --decrypt -o "$unencrypted" "$encrypted" >&2
  umask "$old_umask"

  new_hash=$(md5sum_file "$unencrypted")
  if [[ "$old_hash" != "$new_hash" ]]; then
-    echo "========== EXTRACTED $unencrypted"
+    echo "========== EXTRACTED $unencrypted" >&2
  fi
 }

--- a/bin/_stack_lib.sh
+++ b/bin/_stack_lib.sh
@@ -1,6 +1,9 @@
 # Library functions for bash scripts at Stack Exchange.

+# NOTE: This file is open sourced. Do not put Stack-proprietary code here.
+
 # Usage:
+#
 #   set -e
 #   . _stack_lib.sh

@@ -46,6 +49,48 @@ function add_on_exit()
    fi
 }

+function create_self_deleting_tempfile() {
+  local filename
+
+  case $(uname -s) in
+    Darwin )
+      : ${TMPDIR:=/tmp} ;
+      filename=$(mktemp -t _stacklib_ )
+      ;;
+    Linux )
+      filename=$(mktemp)
+      ;;
+    * )
+      echo 'ERROR: Unknown OS. Exiting.'
+      exit 1
+      ;;
+  esac
+
+  add_on_exit rm -f "$filename"
+  echo "$filename"
+}
+
+function create_self_deleting_tempdir() {
+  local filename
+
+  case $(uname -s) in
+    Darwin )
+      : ${TMPDIR:=/tmp} ;
+      filename=$(mktemp -d -t _stacklib_ )
+      ;;
+    Linux )
+      filename=$(mktemp -d)
+      ;;
+    * )
+      echo 'ERROR: Unknown OS. Exiting.'
+      exit 1
+      ;;
+  esac
+
+  add_on_exit rm -rf "$filename"
+  echo "$filename"
+}
+
 # Securely and portably create a temporary file that will be deleted
 # on EXIT.  $1 is the variable name to store the result.
 function make_self_deleting_tempfile() {
@@ -55,14 +100,11 @@ function make_self_deleting_tempfile() {
  case $(uname -s) in
    Darwin )
      : ${TMPDIR:=/tmp} ;
-      name=$(mktemp -t _stacklib_.XXXXXXX )
+      name=$(mktemp -t _stacklib_ )
      ;;
    Linux )
      name=$(mktemp)
      ;;
-    CYGWIN* )
-      name=$(mktemp)
-      ;;
    * )
      echo 'ERROR: Unknown OS. Exiting.'
      exit 1
@@ -79,15 +121,12 @@ function make_tempdir() {

  case $(uname -s) in
    Darwin )
-      : "${TMPDIR:=/tmp}" ;
+      : ${TMPDIR:=/tmp} ;
      name=$(mktemp -d -t _stacklib_ )
      ;;
    Linux )
      name=$(mktemp -d)
      ;;
-    CYGWIN* )
-      name=$(mktemp -d)
-      ;;
    * )
      echo 'ERROR: Unknown OS. Exiting.'
      exit 1
@@ -99,12 +138,12 @@ function make_tempdir() {

 function make_self_deleting_tempdir() {
  local __resultvar="$1"
-  local dirname
+  local dname

-  make_tempdir dirname
+  make_tempdir dname

-  add_on_exit rm -rf "$dirname"
-  eval $__resultvar="$dirname"
+  add_on_exit rm -rf "$dname"
+  eval $__resultvar="$dname"
 }

 function fail_if_not_running_as_root() {
--- a/bin/blackbox_cat
+++ b/bin/blackbox_cat
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 #
-# blackbox_cat.sh -- Decrypt a file, cat it, shred it
+# blackbox_cat -- Decrypt a file, cat it, shred it
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
--- a/bin/blackbox_decrypt_all_files
+++ b/bin/blackbox_decrypt_all_files
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+#
+# blacbox_decrypt_all_files -- Decrypt all blackbox files (INTERACTIVE).
+#
+
+# Usage:
+#   blacbox_decrypt_all_files [GROUP]
+#       GROUP is optional.  If supplied, the resulting files
+#       are chgrp'ed to that group.
+
+# Since this is often run in a security-critical situation, we
+# force /usr/bin and /bin to the front of the PATH.
+export PATH=/usr/bin:/bin:"$PATH"
+
+set -e
+
+if [[ -z $GPG_AGENT_INFO ]]; then
+  eval $(gpg-agent --daemon)
+fi
+
+exec blackbox_postdeploy.sh "$@"
--- a/bin/blackbox_edit
+++ b/bin/blackbox_edit
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 #
-# blackbox_edit.sh -- Decrypt a file temporarily for edition, then re-encrypts it again
+# blackbox_edit -- Decrypt a file temporarily for edition, then re-encrypts it again
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
--- a/bin/blackbox_edit_start
+++ b/bin/blackbox_edit_start
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 #
-# blackbox_edit_start.sh -- Decrypt a file for editing.
+# blackbox_edit_start -- Decrypt a file for editing.
 #

 set -e
@@ -11,7 +11,7 @@ source "${blackbox_home}/_blackbox_common.sh"
 for param in """$@""" ; do
  unencrypted_file=$(get_unencrypted_filename "$param")
  encrypted_file=$(get_encrypted_filename "$param")
-  echo ========== PLAINFILE '"'$unencrypted_file'"'
+  echo >&2 ========== PLAINFILE '"'$unencrypted_file'"'

  fail_if_not_on_cryptlist "$unencrypted_file"
  fail_if_not_exists "$encrypted_file" "This should not happen."
@@ -19,7 +19,7 @@ for param in """$@""" ; do
    rm -f "$unencrypted_file"
  fi
  if [[ -f "$unencrypted_file" ]]; then
-    echo SKIPPING: "$1" "Will not overwrite non-empty files."
+    echo >&2 SKIPPING: "$1" "Will not overwrite non-empty files."
    continue
  fi

--- a/bin/blackbox_list_files
+++ b/bin/blackbox_list_files
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 #
-# blackbox_list_files.sh -- List files that black box is tracking
+# blackbox_list_files -- List files that black box is tracking
 #
 set -e
 blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
--- a/bin/blackbox_postdeploy
+++ b/bin/blackbox_postdeploy
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 #
-# blackbox_postdeploy.sh -- Decrypt all blackbox files.
+# blackbox_postdeploy -- Decrypt all blackbox files.
 #

 # Usage:
--- a/bin/blackbox_register_new_file
+++ b/bin/blackbox_register_new_file
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 #
-# blackbox_register_new_file.sh -- Enroll a new file in the blackbox system.
+# blackbox_register_new_file -- Enroll a new file in the blackbox system.
 #
 # Takes a previously unencrypted file and enrolls it into the blackbox
 # system.  It will be kept in the repo as an encrypted file.  On deployment