freedombone/src/freedombone-adduser

#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud

# Adds an user to the system

# License
# =======
#
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-adduser
export TEXTDOMAINDIR="/usr/share/locale"

CONFIGURATION_FILE="$HOME/${PROJECT_NAME}.cfg"

UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*"
for f in $UTILS_FILES
do
    source "$f"
done

APP_FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
for f in $APP_FILES
do
    source "$f"
done

ADD_USERNAME=$1
SSH_PUBLIC_KEY="$2"
GPG_KEYSERVER='hkp://keys.gnupg.net'
SSH_PORT=2222
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
DEFAULT_DOMAIN_NAME=

if [ ! "$ADD_USERNAME" ]; then
    echo $'No username was given'
    exit 1
fi

if [ -d "/home/$ADD_USERNAME" ]; then
    echo $"The user $ADD_USERNAME already exists"
    exit 2
fi

if [ ! -f "$COMPLETION_FILE" ]; then
    echo $"$COMPLETION_FILE not found"
    userdel -r "$ADD_USERNAME"
    exit 3
fi

# Minimum number of characters in a password
MINIMUM_PASSWORD_LENGTH=$(grep 'MINIMUM_PASSWORD_LENGTH=' "/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords" | head -n 1 | awk -F '=' '{print $2}')

NEW_USER_PASSWORD="$(create_password "${MINIMUM_PASSWORD_LENGTH}")"
chmod 600 /etc/shadow
chmod 600 /etc/gshadow
useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash "$ADD_USERNAME"
adduser "$ADD_USERNAME" sasl
groupadd "$ADD_USERNAME"
chmod 0000 /etc/shadow
chmod 0000 /etc/gshadow

if [ ! -d "/home/$ADD_USERNAME" ]; then
    echo $'Home directory was not created'
    exit 4
fi

if [ "$SSH_PUBLIC_KEY" ]; then
    if [ ${#SSH_PUBLIC_KEY} -gt 5 ]; then
        if [ -f "$SSH_PUBLIC_KEY" ]; then
            mkdir "/home/$ADD_USERNAME/.ssh"
            cp "$SSH_PUBLIC_KEY" "/home/$ADD_USERNAME/.ssh/authorized_keys"
            chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.ssh"
            echo $'ssh public key installed'
        else
            if [[ "$SSH_PUBLIC_KEY" == "ssh-"* ]]; then
                mkdir "/home/$ADD_USERNAME/.ssh"
                echo "$SSH_PUBLIC_KEY" > "/home/$ADD_USERNAME/.ssh/authorized_keys"
                chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.ssh"
                echo $'ssh public key installed'
            else
                echo $'The second parameter does not look like an ssh key'
                exit 5
            fi
        fi
    fi
fi

if [ -d "/home/$ADD_USERNAME/Maildir" ]; then
    if grep -q "set from=" "/home/$ADD_USERNAME/.muttrc"; then
        sed -i "s|set from=.*|set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'|g" "/home/$ADD_USERNAME/.muttrc"
    else
        echo "set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'" >> "/home/$ADD_USERNAME/.muttrc"
    fi

    sed -i "s|\$USER@|$ADD_USERNAME@|g" "/home/$ADD_USERNAME/.procmailrc"
fi

# generate a gpg key
echo "Making a GPG key for $ADD_USERNAME@$HOSTNAME"
mkdir "/home/$ADD_USERNAME/.gnupg"
{ echo "keyserver $GPG_KEYSERVER";
  echo 'keyserver-options auto-key-retrieve';
  echo '';
  echo '# default preferences';
  echo 'personal-digest-preferences SHA256';
  echo 'cert-digest-algo SHA256';
  echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'; } >> "/home/$ADD_USERNAME/.gnupg/gpg.conf"

chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.gnupg"
chmod 700 "/home/$ADD_USERNAME/.gnupg"
chmod 600 "/home/$ADD_USERNAME/.gnupg/"*

# Generate a GPG key
{ echo 'Key-Type: eddsa';
  echo 'Key-Curve: Ed25519';
  echo 'Subkey-Type: eddsa';
  echo "Name-Real:  $ADD_USERNAME";
  echo "Name-Email: $ADD_USERNAME@$HOSTNAME";
  echo 'Expire-Date: 0';
  echo "Passphrase: $NEW_USER_PASSWORD"; } > "/home/$ADD_USERNAME/gpg-genkey.conf"
chown "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/gpg-genkey.conf"
su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - "$ADD_USERNAME"
chown -R "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/.gnupg"
shred -zu "/home/$ADD_USERNAME/gpg-genkey.conf"
MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$ADD_USERNAME" "$ADD_USERNAME@$HOSTNAME")
MY_GPG_PUBLIC_KEY="/home/$ADD_USERNAME/public_key.gpg"
su -m root -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - "$ADD_USERNAME"

if [ ! -f "$MY_GPG_PUBLIC_KEY" ]; then
    echo "GPG public key was not generated for $ADD_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"
    userdel -r "$ADD_USERNAME"
    exit 7
fi

gpg_agent_setup "$ADD_USERNAME"

# add a monkeysphere subkey
#echo $'Adding monkeysphere subkey'
#su -c "monkeysphere gen-subkey" - $ADD_USERNAME
#echo $'Adding monkeysphere subkey to ssh-agent'
#su -c "monkeysphere s" - $ADD_USERNAME
# add authorized GPG email address
#mkdir /home/$ADD_USERNAME/.monkeysphere
#chmod 755 /home/$ADD_USERNAME/.monkeysphere
#echo "$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>" > /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids
#chmod 644 /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids
#chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.monkeysphere
#echo $'Updating monkeysphere users'
#monkeysphere-authentication update-users

if [ -f "/home/$ADD_USERNAME/.muttrc" ]; then
    # encrypt outgoing mail to the "sent" folder
    if ! grep -q "pgp_encrypt_only_command" "/home/$ADD_USERNAME/.muttrc"; then
        { echo '';
          echo $'# Encrypt items in the Sent folder';
          echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\""; } >> "/home/$ADD_USERNAME/.muttrc"
    else
        sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" "/home/$ADD_USERNAME/.muttrc"
    fi

    if ! grep -q "pgp_encrypt_sign_command" "/home/$ADD_USERNAME/.muttrc"; then
        echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> "/home/$ADD_USERNAME/.muttrc"
    else
        sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" "/home/$ADD_USERNAME/.muttrc"
    fi
fi

if ! grep -q "Change your GPG password" "/home/$ADD_USERNAME/README"; then
    { echo '';
      echo '';
      echo $'# Change your GPG password';
      echo $"It's very important to add a password to your GPG key so that";
      echo $"if anyone does get access to your email they still won't be able";
      echo $'to read them without knowning the GPG password.';
      echo $'You can change the it with:';
      echo '';
      echo "  gpg --edit-key $MY_GPG_PUBLIC_KEY_ID";
      echo '  passwd';
      echo '  save';
      echo '  quit'; } >> "/home/$ADD_USERNAME/README"
fi

chown "$ADD_USERNAME":"$ADD_USERNAME" "/home/$ADD_USERNAME/README"
chown "$ADD_USERNAME":"$ADD_USERNAME" "$MY_GPG_PUBLIC_KEY"
chmod 600 "/home/$ADD_USERNAME/README"

echo $'Detecting installed apps...'
detect_apps
get_apps_installed_names
# shellcheck disable=SC2068
for app_name in ${APPS_INSTALLED_NAMES[@]}
do
    if [[ $(function_exists "add_user_${app_name}") == "1" ]]; then
        echo $"Adding user to ${app_name}"
        app_load_variables "${app_name}"
        retval=$("add_user_${app_name}" "$ADD_USERNAME" "$NEW_USER_PASSWORD" | tail -n 1)
        if [[ $retval != '0' ]]; then
            echo $"Failed with error code ${retval}"
            "${PROJECT_NAME}-rmuser" "$ADD_USERNAME" --force
            exit 672392
        fi
        if ! grep -q "${app_name}_${ADD_USERNAME}" "$APP_USERS_FILE"; then
            echo "${app_name}_${ADD_USERNAME}" >> "$APP_USERS_FILE"
        fi
    fi
done

if [ -f /etc/nginx/.htpasswd ]; then
    if ! grep -q "${ADD_USERNAME}:" /etc/nginx/.htpasswd; then
        echo "$NEW_USER_PASSWORD" | htpasswd -i -s /etc/nginx/.htpasswd "$ADD_USERNAME"
    fi
fi

# add user menu on ssh login
if ! grep -q 'controluser' "/home/$ADD_USERNAME/.bashrc"; then
    echo 'export PS1="\W \$"' >> "/home/$ADD_USERNAME/.bashrc"
    echo 'controluser' >> "/home/$ADD_USERNAME/.bashrc"
fi

# fix some gpg strangeness when searching for keys
printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > "/home/$ADD_USERNAME/.gnupg/S.dirmngr"
if [ -d "/home/$ADD_USERNAME/.gnupg/crls.d" ]; then
    chmod +x "/home/$ADD_USERNAME/.gnupg/crls.d"
fi

"${PROJECT_NAME}-pass" -u "$ADD_USERNAME" -a login -p "$NEW_USER_PASSWORD"

gpg_agent_enable "$ADD_USERNAME"

clear

echo $"New user $ADD_USERNAME was created"
echo $"Their login password is $NEW_USER_PASSWORD"
echo ''
echo $"They can download their GPG keys with:"
echo ''
echo "    scp -P $SSH_PORT -r $ADD_USERNAME@$HOSTNAME:/home/$ADD_USERNAME/.gnupg ~/"
echo ''
echo $"They should also run ${PROJECT_NAME}-client on their system to ensure"
echo $'the best security.'

exit 0