freedombone/src/freedombone-adduser

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#

# Adds an user to the system

# License
# =======
#
# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-adduser
export TEXTDOMAINDIR="/usr/share/locale"

CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg

UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
for f in $UTILS_FILES
do
    source $f
done

APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
for f in $APP_FILES
do
    source $f
done

MY_USERNAME=$1
SSH_PUBLIC_KEY="$2"
GPG_KEYSERVER='hkp://keys.gnupg.net'
SSH_PORT=2222
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
DEFAULT_DOMAIN_NAME=

if [ ! $MY_USERNAME ]; then
    echo $'No username was given'
    exit 1
fi

if [ -d /home/$MY_USERNAME ]; then
    echo $"The user $MY_USERNAME already exists"
    exit 2
fi

if [ ! -f $COMPLETION_FILE ]; then
    echo $"$COMPLETION_FILE not found"
    userdel -r $MY_USERNAME
    exit 3
fi

# Minimum number of characters in a password
MINIMUM_PASSWORD_LENGTH=$(cat /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords | grep 'MINIMUM_PASSWORD_LENGTH=' | head -n 1 | awk -F '=' '{print $2}')

NEW_USER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $MY_USERNAME
adduser $MY_USERNAME sasl

if [ ! -d /home/$MY_USERNAME ]; then
    echo $'Home directory was not created'
    exit 4
fi

if [ "$SSH_PUBLIC_KEY" ]; then
    if [ ${#SSH_PUBLIC_KEY} -gt 5 ]; then
        if [ -f "$SSH_PUBLIC_KEY" ]; then
            mkdir /home/$MY_USERNAME/.ssh
            cp $SSH_PUBLIC_KEY /home/$MY_USERNAME/.ssh/authorized_keys
            chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
            echo $'ssh public key installed'
        else
            if [[ "$SSH_PUBLIC_KEY" == "ssh-"* ]]; then
                mkdir /home/$MY_USERNAME/.ssh
                echo "$SSH_PUBLIC_KEY" > /home/$MY_USERNAME/.ssh/authorized_keys
                chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
                echo $'ssh public key installed'
            else
                echo $'The second parameter does not look like an ssh key'
                exit 5
            fi
        fi
    fi
fi

if [ -d /home/$MY_USERNAME/Maildir ]; then
    if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then
        sed -i "s|set from=.*|set from='$MY_USERNAME <$MY_USERNAME@$HOSTNAME>'|g" /home/$MY_USERNAME/.muttrc
    else
        echo "set from='$MY_USERNAME <$MY_USERNAME@$HOSTNAME>'" >> /home/$MY_USERNAME/.muttrc
    fi

    USERN='$USER@'
    sed -i "s|$USERN|$MY_USERNAME@|g" /home/$MY_USERNAME/.procmailrc
fi

# generate a gpg key
echo "Making a GPG key for $MY_USERNAME@$HOSTNAME"
mkdir /home/$MY_USERNAME/.gnupg
echo "keyserver $GPG_KEYSERVER" >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'keyserver-options auto-key-retrieve' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo '' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo '# default preferences' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'personal-digest-preferences SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'cert-digest-algo SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf
echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$MY_USERNAME/.gnupg/gpg.conf

chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
chmod 700 /home/$MY_USERNAME/.gnupg
chmod 600 /home/$MY_USERNAME/.gnupg/*

# Generate a GPG key
echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf
echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Real:  $MY_USERNAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo "Name-Email: $MY_USERNAME@$HOSTNAME" >> /home/$MY_USERNAME/gpg-genkey.conf
echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
shred -zu /home/$MY_USERNAME/gpg-genkey.conf
MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$HOSTNAME | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
MY_GPG_PUBLIC_KEY=/home/$MY_USERNAME/public_key.gpg
su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME

if [ ! -f $MY_GPG_PUBLIC_KEY ]; then
    echo "GPG public key was not generated for $MY_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID"
    userdel -r $MY_USERNAME
    exit 7
fi

# add a monkeysphere subkey
su -c "monkeysphere gen-subkey $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME
# add authorized GPG email address
mkdir /home/$MY_USERNAME/.monkeysphere
chmod 755 /home/$MY_USERNAME/.monkeysphere
echo "$MY_USERNAME <$MY_USERNAME@$HOSTNAME>" > /home/$MY_USERNAME/.monkeysphere/authorized_user_ids
chmod 644 /home/$MY_USERNAME/.monkeysphere/authorized_user_ids
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.monkeysphere
monkeysphere-authentication update-users

if [ -f /home/$MY_USERNAME/.muttrc ]; then
    # encrypt outgoing mail to the "sent" folder
    if ! grep -q "pgp_encrypt_only_command" /home/$MY_USERNAME/.muttrc; then
        echo '' >> /home/$MY_USERNAME/.muttrc
        echo $'# Encrypt items in the Sent folder' >> /home/$MY_USERNAME/.muttrc
        echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc
    else
        sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc
    fi

    if ! grep -q "pgp_encrypt_sign_command" /home/$MY_USERNAME/.muttrc; then
        echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc
    else
        sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc
    fi
fi

if ! grep -q "Change your GPG password" /home/$MY_USERNAME/README; then
    echo '' >> /home/$MY_USERNAME/README
    echo '' >> /home/$MY_USERNAME/README
    echo $'# Change your GPG password' >> /home/$MY_USERNAME/README
    echo $"It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README
    echo $"if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README
    echo $'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README
    echo $'You can change the it with:' >> /home/$MY_USERNAME/README
    echo '' >> /home/$MY_USERNAME/README
    echo "  gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README
    echo '  passwd' >> /home/$MY_USERNAME/README
    echo '  save' >> /home/$MY_USERNAME/README
    echo '  quit' >> /home/$MY_USERNAME/README
fi

chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
chown $MY_USERNAME:$MY_USERNAME $MY_GPG_PUBLIC_KEY
chmod 600 /home/$MY_USERNAME/README

echo $'Detecting installed apps...'
detect_apps
get_apps_installed_names
for app_name in "${APPS_INSTALLED_NAMES[@]}"
do
    if [[ $(function_exists add_user_${app_name}) == "1" ]]; then
        echo $"Adding user to ${app_name}"
        app_load_variables ${app_name}
        retval=$(add_user_${app_name} "$MY_USERNAME" "$NEW_USER_PASSWORD")
        if [[ $retval != '0' ]]; then
            echo $"Failed with error code ${retval}"
            ${PROJECT_NAME}-rmuser $MY_USERNAME
            exit 672392
        fi
        if ! grep -q "${app_name}_${MY_USERNAME}" $APP_USERS_FILE; then
            echo "${app_name}_${MY_USERNAME}" >> $APP_USERS_FILE
        fi
    fi
done

if [ -f /etc/nginx/.htpasswd ]; then
    if ! grep "${MY_USERNAME}:" /etc/nginx/.htpasswd; then
        echo "$NEW_USER_PASSWORD" | htpasswd -i -s /etc/nginx/.htpasswd $MY_USERNAME
    fi
fi

# add user menu on ssh login
if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then
    echo 'control' >> /home/$MY_USERNAME/.bashrc
fi

clear
echo $"New user $MY_USERNAME was created"
echo $"Their login password is $NEW_USER_PASSWORD"
echo ''
echo $'IMPORTANT: Make a note of the password, because it will not be saved'
echo $'anywhere else. Preferably give it to them in person on paper or via'
echo $'a secure channel, not in an unencrypted email.'
echo ''
echo $"They can download their GPG keys with:"
echo ''
echo "    scp -P $SSH_PORT -r $MY_USERNAME@$HOSTNAME:/home/$MY_USERNAME/.gnupg ~/"
echo ''
echo $"They should also run ${PROJECT_NAME}-client on their system to ensure"
echo $'the best security.'

exit 0