authorJoey Hess2016-03-07 18:40:24 -0400
committerJoey Hess2016-03-07 20:17:18 -0400
commit0daf924b43d0750b285a5e857eb9946a9a71e6cc (patch)
treea5ac2c8aa1464daa7c2649772242d466485935e2
parentad4323859caea503114df40bde0f6b273441e6d2 (diff)
privdata/relocate
better than symlinks because this way no conflict can ever occur; also, commit from the hook
l---------config.hs2
-rwxr-xr-xcontrib/post-checkout-hook28
-rwxr-xr-xcontrib/post-merge-hook44
-rw-r--r--privdata/.joeyconfig/README8
-rw-r--r--privdata/.joeyconfig/keyring.gpg (renamed from privdata.joey/keyring.gpg)bin113014 -> 113014 bytes
-rw-r--r--privdata/.joeyconfig/privdata.gpg (renamed from privdata.joey/privdata.gpg)0
-rw-r--r--privdata/relocate1
-rw-r--r--src/Propellor/Git/VerifiedBranch.hs3
-rw-r--r--src/Propellor/Gpg.hs56
-rw-r--r--src/Propellor/PrivData.hs7
-rw-r--r--src/Propellor/PrivData/Paths.hs20
11 files changed, 109 insertions, 60 deletions
diff --git a/config.hs b/config.hs
index ec313725..97d90636 120000
--- a/config.hs
+++ b/config.hs
@@ -1 +1 @@
-config-simple.hs \ No newline at end of file
+joeyconfig.hs \ No newline at end of file
diff --git a/contrib/post-checkout-hook b/contrib/post-checkout-hook
deleted file mode 100755
index 38998398..00000000
--- a/contrib/post-checkout-hook
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# git post-checkout hook, used by propellor's author to maintain a
-# joeyconfig branch where config.hs is a symlink to joeyconfig.hs
-#
-# Each time this hook is run, it checks if it's on a branch with
-# name ending in "config". If so, config.hs is pointed at $branch.hs
-# Otherwise, config.hs is pointed at config-simple.hs
-#
-
-set -e
-prevhead="$1"
-newhead="$2"
-branchcheckout="$3"
-if [ "$branchcheckout" != 0 ]; then
- branch="$(git symbolic-ref --short HEAD)"
- case "$branch" in
- "")
- true
- ;;
- *config)
- ln -sf "$branch".hs config.hs
- ;;
- *)
- ln -sf config-simple.hs config.hs
- ;;
- esac
-fi
diff --git a/contrib/post-merge-hook b/contrib/post-merge-hook
new file mode 100755
index 00000000..fa9ab5b6
--- /dev/null
+++ b/contrib/post-merge-hook
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# git post-merge hook, used by propellor's author to maintain a
+# joeyconfig branch with some changes while being able to merge
+# between it and branches without the changes.
+#
+# Each time this hook is run, it checks if it's on a branch with
+# name ending in "config". If so, config.hs is pointed at $branch.hs
+# and privdata/relocate is written to make files in privdata/.$branch/ be
+# used.
+#
+# Otherwise, config.hs is pointed at config-simple.hs, and
+# privdata/relocate is removed.
+
+set -e
+
+commit () {
+ if [ -n "$(git status --short privdata/relocate config.hs)" ]; then
+ git commit privdata/relocate config.hs -m "$1"
+ fi
+}
+
+branch="$(git symbolic-ref --short HEAD)"
+case "$branch" in
+ "")
+ true
+ ;;
+ *config)
+ ln -sf "$branch".hs config.hs
+ git add config.hs
+ echo ".$branch" > privdata/relocate
+ git add privdata/relocate
+ commit "setting up $branch after merge"
+ ;;
+ *)
+ ln -sf config-simple.hs config.hs
+ git add config.hs
+ if [ -e privdata/relocate ]; then
+ rm -f privdata/relocate
+ git rm --quiet privdata/relocate
+ fi
+ commit "clean up after merge"
+ ;;
+esac
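Review bot: The `"")` arm of the case is unreachable as written, because `set -e` on the line above `commit ()` makes the script abort when `git symbolic-ref --short HEAD` exits non-zero on a detached HEAD, so the assignment to `branch` never completes with an empty value. If the empty-branch arm is meant to handle detached checkouts, the assignment should tolerate the failure, e.g. `branch="$(git symbolic-ref --short HEAD 2>/dev/null || true)"`. A second, smaller point: a branch name containing a slash that still ends in `config` (say `foo/config`) would write `.foo/config` to `privdata/relocate` and point `config.hs` at `foo/config.hs`; if only top-level `*config` branches are intended, a comment saying so above the case would save the next reader from wondering.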
diff --git a/privdata/.joeyconfig/README b/privdata/.joeyconfig/README
new file mode 100644
index 00000000..6cc73b89
--- /dev/null
+++ b/privdata/.joeyconfig/README
@@ -0,0 +1,8 @@
+This is the privdata used by propellor's author, Joey Hess.
+
+While it has lots of important data in it, it's thankfully encrypted, so
+you can't read it.
+
+If you're bothered by this directory cluttering up your clone of propellor,
+feel free to delete it. Just don't expect Joey to merge any branches that
+delete it.
diff --git a/privdata.joey/keyring.gpg b/privdata/.joeyconfig/keyring.gpg
index 01dd24e7..01dd24e7 100644
--- a/privdata.joey/keyring.gpg
+++ b/privdata/.joeyconfig/keyring.gpg
Binary files differ
diff --git a/privdata.joey/privdata.gpg b/privdata/.joeyconfig/privdata.gpg
index 027c5972..027c5972 100644
--- a/privdata.joey/privdata.gpg
+++ b/privdata/.joeyconfig/privdata.gpg
diff --git a/privdata/relocate b/privdata/relocate
new file mode 100644
index 00000000..271692d8
--- /dev/null
+++ b/privdata/relocate
@@ -0,0 +1 @@
+.joeyconfig
diff --git a/src/Propellor/Git/VerifiedBranch.hs b/src/Propellor/Git/VerifiedBranch.hs
index a39bc7e9..51fcb573 100644
--- a/src/Propellor/Git/VerifiedBranch.hs
+++ b/src/Propellor/Git/VerifiedBranch.hs
@@ -2,7 +2,6 @@ module Propellor.Git.VerifiedBranch where
import Propellor.Base
import Propellor.Git
-import Propellor.Gpg
import Propellor.PrivData.Paths
import Utility.FileMode
@@ -14,6 +13,7 @@ import Utility.FileMode
verifyOriginBranch :: String -> IO Bool
verifyOriginBranch originbranch = do
let gpgconf = privDataDir </> "gpg.conf"
+ keyring <- privDataKeyring
writeFile gpgconf $ unlines
[ " keyring " ++ keyring
, "no-auto-check-trustdb"
@@ -38,6 +38,7 @@ fetchOrigin = do
oldsha <- getCurrentGitSha1 branchref
+ keyring <- privDataKeyring
whenM (doesFileExist keyring) $
ifM (verifyOriginBranch originbranch)
( do
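Review bot: `gpgconf` in `verifyOriginBranch` is still written to `privDataDir </> "gpg.conf"` while the keyring it references now comes from `privDataKeyring` and may live in a relocated subdirectory; if that split is intentional (a scratch config that should not be relocated), a comment such as `-- gpg.conf is a scratch file and is deliberately not relocated` above the `let` would make it clear, otherwise it presumably wants the same `allowRelocate` treatment. Note also that the keyring path is emitted as a raw line of gpg.conf, so the relocate value is interpreted by gpg's config parser; as far as the visible code shows nothing constrains that value. Both `verifyOriginBranch` and `fetchOrigin` continue outside the hunk.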
diff --git a/src/Propellor/Gpg.hs b/src/Propellor/Gpg.hs
index a13734b4..55d89d29 100644
--- a/src/Propellor/Gpg.hs
+++ b/src/Propellor/Gpg.hs
@@ -1,7 +1,6 @@
module Propellor.Gpg where
import System.IO
-import System.FilePath
import System.Directory
import Data.Maybe
import Data.List.Utils
@@ -30,22 +29,21 @@ getGpgBin = do
Nothing -> getEnvDefault "GNUPGBIN" "gpg"
Just b -> return b
-keyring :: FilePath
-keyring = privDataDir </> "keyring.gpg"
-
-- Lists the keys in propellor's keyring.
listPubKeys :: IO [KeyId]
listPubKeys = do
gpgbin <- getGpgBin
- parse . lines <$> readProcess gpgbin listopts
+ keyring <- privDataKeyring
+ parse . lines <$> readProcess gpgbin (listopts keyring)
where
- listopts = useKeyringOpts ++ ["--with-colons", "--list-public-keys"]
+ listopts keyring = useKeyringOpts keyring ++
+ ["--with-colons", "--list-public-keys"]
parse = mapMaybe (keyIdField . split ":")
keyIdField ("pub":_:_:_:f:_) = Just f
keyIdField _ = Nothing
-useKeyringOpts :: [String]
-useKeyringOpts =
+useKeyringOpts :: FilePath -> [String]
+useKeyringOpts keyring =
[ "--options"
, "/dev/null"
, "--no-default-keyring"
@@ -55,20 +53,21 @@ useKeyringOpts =
addKey :: KeyId -> IO ()
addKey keyid = do
gpgbin <- getGpgBin
+ keyring <- privDataKeyring
exitBool =<< allM (uncurry actionMessage)
- [ ("adding key to propellor's keyring", addkeyring gpgbin)
+ [ ("adding key to propellor's keyring", addkeyring keyring gpgbin)
, ("staging propellor's keyring", gitAdd keyring)
, ("updating encryption of any privdata", reencryptPrivData)
, ("configuring git commit signing to use key", gitconfig gpgbin)
, ("committing changes", gitCommitKeyRing "add-key")
]
where
- addkeyring gpgbin' = do
+ addkeyring keyring' gpgbin' = do
createDirectoryIfMissing True privDataDir
boolSystem "sh"
[ Param "-c"
, Param $ gpgbin' ++ " --export " ++ keyid ++ " | gpg " ++
- unwords (useKeyringOpts ++ ["--import"])
+ unwords (useKeyringOpts keyring' ++ ["--import"])
]
gitconfig gpgbin' = ifM (snd <$> processTranscript gpgbin' ["--list-secret-keys", keyid] Nothing)
@@ -85,16 +84,17 @@ addKey keyid = do
rmKey :: KeyId -> IO ()
rmKey keyid = do
gpgbin <- getGpgBin
+ keyring <- privDataKeyring
exitBool =<< allM (uncurry actionMessage)
- [ ("removing key from propellor's keyring", rmkeyring gpgbin)
+ [ ("removing key from propellor's keyring", rmkeyring keyring gpgbin)
, ("staging propellor's keyring", gitAdd keyring)
, ("updating encryption of any privdata", reencryptPrivData)
, ("configuring git commit signing to not use key", gitconfig)
, ("committing changes", gitCommitKeyRing "rm-key")
]
where
- rmkeyring gpgbin' = boolSystem gpgbin' $
- (map Param useKeyringOpts) ++
+ rmkeyring keyring' gpgbin' = boolSystem gpgbin' $
+ (map Param (useKeyringOpts keyring')) ++
[ Param "--batch"
, Param "--yes"
, Param "--delete-key", Param keyid
@@ -110,12 +110,14 @@ rmKey keyid = do
)
reencryptPrivData :: IO Bool
-reencryptPrivData = ifM (doesFileExist privDataFile)
- ( do
- gpgEncrypt privDataFile =<< gpgDecrypt privDataFile
- gitAdd privDataFile
- , return True
- )
+reencryptPrivData = do
+ f <- privDataFile
+ ifM (doesFileExist f)
+ ( do
+ gpgEncrypt f =<< gpgDecrypt f
+ gitAdd f
+ , return True
+ )
gitAdd :: FilePath -> IO Bool
gitAdd f = boolSystem "git"
@@ -125,17 +127,21 @@ gitAdd f = boolSystem "git"
gitCommitKeyRing :: String -> IO Bool
gitCommitKeyRing action = do
+ keyring <- privDataKeyring
+ privdata <- privDataFile
-- Commit explicitly the keyring and privdata files, as other
-- changes may be staged by the user and shouldn't be committed.
- tocommit <- filterM doesFileExist [ privDataFile, keyring]
+ tocommit <- filterM doesFileExist [ privdata, keyring]
gitCommit (Just ("propellor " ++ action)) (map File tocommit)
-- Adds --gpg-sign if there's a keyring.
gpgSignParams :: [CommandParam] -> IO [CommandParam]
-gpgSignParams ps = ifM (doesFileExist keyring)
- ( return (ps ++ [Param "--gpg-sign"])
- , return ps
- )
+gpgSignParams ps = do
+ keyring <- privDataKeyring
+ ifM (doesFileExist keyring)
+ ( return (ps ++ [Param "--gpg-sign"])
+ , return ps
+ )
-- Automatically sign the commit if there'a a keyring.
gitCommit :: Maybe String -> [CommandParam] -> IO Bool
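Review bot: In the `addKey` hunk, `addkeyring` now receives the relocated `keyring'` but still runs `createDirectoryIfMissing True privDataDir`, so when `privdata/relocate` points into a subdirectory that does not yet exist the `gpg --import` below writes to a missing directory; the create call should target the keyring's own directory, `createDirectoryIfMissing True (takeDirectory keyring')`, which needs `System.FilePath` back in scope since this commit drops that import at the top of the file (unless `Propellor.Base` re-exports it, which is not visible here). A second point in the same hunk: `keyring'` is spliced unquoted into the `sh -c` string next to `keyid`, and the path is now derived from the contents of a tracked file rather than a compile-time constant, so any shell metacharacter in the relocate value would be interpreted; quoting the arguments (for example `unwords (map shellEscape (useKeyringOpts keyring' ++ ["--import"]))`, if that helper from Utility.SafeCommand is in scope) closes that gap. The `rmKey` hunk passes the same path via `Param` and is fine.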
diff --git a/src/Propellor/PrivData.hs b/src/Propellor/PrivData.hs
index ac7b00d3..bc09f0c6 100644
--- a/src/Propellor/PrivData.hs
+++ b/src/Propellor/PrivData.hs
@@ -251,12 +251,13 @@ modifyPrivData' f = do
makePrivDataDir
m <- decryptPrivData
let (m', r) = f m
- gpgEncrypt privDataFile (show m')
- void $ boolSystem "git" [Param "add", File privDataFile]
+ privdata <- privDataFile
+ gpgEncrypt privdata (show m')
+ void $ boolSystem "git" [Param "add", File privdata]
return r
decryptPrivData :: IO PrivMap
-decryptPrivData = readPrivData <$> gpgDecrypt privDataFile
+decryptPrivData = readPrivData <$> (gpgDecrypt =<< privDataFile)
readPrivData :: String -> PrivMap
readPrivData = fromMaybe M.empty . readish
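Review bot: `makePrivDataDir` is called at the top of `modifyPrivData'` before the relocated `privdata` path is resolved; if it only creates `privDataDir` (its definition is outside this hunk), the subsequent `gpgEncrypt privdata (show m')` will fail when the relocate subdirectory is missing, which is the case on a fresh checkout that has a `privdata/relocate` but not yet the directory it names. Either resolve `privDataFile` first and create `takeDirectory privdata`, or have `makePrivDataDir` itself consult `privDataFile`. `modifyPrivData'` starts outside the hunk.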
diff --git a/src/Propellor/PrivData/Paths.hs b/src/Propellor/PrivData/Paths.hs
index 3d0d8a58..7410370b 100644
--- a/src/Propellor/PrivData/Paths.hs
+++ b/src/Propellor/PrivData/Paths.hs
@@ -1,15 +1,31 @@
module Propellor.PrivData.Paths where
+import Utility.Exception
import System.FilePath
+import Control.Applicative
+import Prelude
privDataDir :: FilePath
privDataDir = "privdata"
-privDataFile :: FilePath
-privDataFile = privDataDir </> "privdata.gpg"
+privDataFile :: IO FilePath
+privDataFile = allowRelocate $ privDataDir </> "privdata.gpg"
+
+privDataKeyring :: IO FilePath
+privDataKeyring = allowRelocate $ privDataDir </> "keyring.gpg"
privDataLocal :: FilePath
privDataLocal = privDataDir </> "local"
privDataRelay :: String -> FilePath
privDataRelay host = privDataDir </> "relay" </> host
+
+-- Allow relocating files in privdata, by checking for a file
+-- privdata/relocate, which contains the path to a subdirectory that
+-- contains the files.
+allowRelocate :: FilePath -> IO FilePath
+allowRelocate f = reloc . lines
+ <$> catchDefaultIO "" (readFile (privDataDir </> "relocate"))
+ where
+ reloc (p:_) | not (null p) = privDataDir </> p </> takeFileName f
+ reloc _ = f
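Review bot: `allowRelocate` accepts whatever the first line of `privdata/relocate` contains, so a value such as an absolute path or one containing `..` redirects where `privdata.gpg` and `keyring.gpg` are read and, via `reencryptPrivData`, written, outside `privDataDir`; since the file is tracked and arrives with any merged branch, restricting it to a single relative component is cheap, e.g. ``reloc (p:_) | not (null p), takeFileName p == p, p `notElem` [".", ".."] = privDataDir </> p </> takeFileName f``. The lazy `readFile` inside `catchDefaultIO` also means a read error raised after the handle is opened escapes the catch and the handle lingers until the `lines` result is forced; a strict read (`readFileStrict` from Utility.Misc, if in scope) avoids both. The comment above the function should also state that only the first line is honoured and that the path is taken relative to `privDataDir`. This hunk appears to run to the end of the file.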