From b3f0bbedbf242d2640d3bc56cce62ae726081400 Mon Sep 17 00:00:00 2001
From: Clint Adams <schizo@debian.org>
Date: Sat, 2 Oct 2010 14:10:59 -0400
Subject: [PATCH] Assume that space- or tab-prefixed lines contain ssh
 authorized_keys options applicable to the preceding user ID.

---
 src/share/common | 71 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 52 insertions(+), 19 deletions(-)

diff --git a/src/share/common b/src/share/common
index af346a8..a741efb 100644
--- a/src/share/common
+++ b/src/share/common
@@ -505,13 +505,15 @@ ssh2known_hosts() {
 
 # output authorized_keys line from ssh key
 ssh2authorized_keys() {
-    local userID
-    local key
-    
-    userID="$1"
-    key="$2"
+    local koptions="$1"
+    local userID="$2"
+    local key="$3"
 
-    printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID"
+    if [[ -z $koptions ]]; then
+        printf "%s MonkeySphere%s %s\n" "$key" "$DATE" "$userID"
+    else
+        printf "%s %s MonkeySphere%s %s\n" "$koptions" "$key" "$DATE" "$userID"
+    fi
 }
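Review bot: The options string in `$koptions` is written into the authorized_keys line verbatim, and neither this function nor the loop that assembles it checks for unquoted whitespace, which is where sshd ends the options field — a stray space would make sshd read the following word as the key type and reject the entry. A contract comment is the minimum here; replacing the header comment with `# usage: ssh2authorized_keys OPTIONS USERID KEY` / `# OPTIONS is one comma-separated sshd options field (may be empty), emitted as-is: it must contain no unquoted whitespace or newline` states it. Validating for unquoted whitespace belongs where the options are assembled from the file, since `command="a b"` is a legitimate value at this point.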
 
 # convert key from gpg to ssh known_hosts format
@@ -608,7 +610,7 @@ gpg_fetch_userid() {
 # flag:sshKey to the calling function.
 process_user_id() {
     local returnCode=0
-    local userID
+    local userID="$1"
     local requiredCapability
     local requiredPubCapability
     local gpgOut
@@ -623,8 +625,6 @@ process_user_id() {
     local lastKeyOK
     local fingerprint
 
-    userID="$1"
-
     # set the required key capability based on the mode
     requiredCapability=${REQUIRED_KEY_CAPABILITY:="a"}
     requiredPubCapability=$(echo "$requiredCapability" | tr "[:lower:]" "[:upper:]")
@@ -1042,6 +1042,7 @@ process_known_hosts() {
 # process uids for the authorized_keys file
 process_uid_authorized_keys() {
     local userID
+    local koptions
     local nKeys
     local nKeysOK
     local ok
@@ -1050,7 +1051,8 @@ process_uid_authorized_keys() {
     # set the key processing mode
     export REQUIRED_KEY_CAPABILITY="$REQUIRED_USER_KEY_CAPABILITY"
 
-    userID="$1"
+    koptions="$1"
+    userID="$2"
 
     log verbose "processing: $userID"
 
@@ -1077,7 +1079,7 @@ process_uid_authorized_keys() {
 	    # note that key was found ok
 	    nKeysOK=$((nKeysOK+1))
 
-	    ssh2authorized_keys "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
+	    ssh2authorized_keys "$koptions" "$userID" "$sshKey" >> "$AUTHORIZED_KEYS"
 	fi
     done
 
@@ -1105,9 +1107,14 @@ update_authorized_keys() {
     local nIDsOK
     local nIDsBAD
     local fileCheck
+    local x koptions
+    declare -i argtype
+
+    if (( $# % 2 )); then log error "Bad number of arguments; this should never happen."; return 1; fi
 
     # the number of ids specified on command line
-    nIDs="$#"
+    (( nIDs=$#/2 ))
+    (( argtype=0 ))
 
     nIDsOK=0
     nIDsBAD=0
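Review bot: `(( nIDs=$#/2 ))` and `(( argtype=0 ))` use the arithmetic command purely for assignment, and `(( … ))` exits non-zero whenever the expression evaluates to 0 — so `(( argtype=0 ))` always returns status 1, and `(( nIDs=$#/2 ))` does so when the function is called with no arguments. That is harmless unless this library is ever run under `set -e` or an `ERR` trap (not visible in this hunk), but plain assignments are both clearer and status-neutral: `nIDs=$(( $# / 2 ))` and `argtype=0`. The even-count guard on `$#` is a good addition; including `$#` in that error message would make the caller's bug diagnosable from the log. update_authorized_keys continues past this hunk.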
@@ -1129,10 +1136,15 @@ update_authorized_keys() {
     # remove any monkeysphere lines from authorized_keys file
     remove_monkeysphere_lines "$AUTHORIZED_KEYS"
 
-    for userID ; do
+    for x; do
+        (( argtype++ ))
+        if (( $argtype % 2 )); then
+            koptions="$x"
+        else
+            userID="$x"
 	# process the user ID, change return code if key not found for
 	# user ID
-	process_uid_authorized_keys "$userID" || returnCode="$?"
+	process_uid_authorized_keys "$koptions" "$userID" || returnCode="$?"
 
 	# note the result
 	case "$returnCode" in
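Review bot: Wrapping the rest of the loop body in the `else` branch leaves the original statements at their old indentation, with the matching `fi` arriving about twenty lines later in a separate hunk, so the pairing is hard to verify by eye. A guard with `continue` keeps the body flat and reads as "odd arguments are options, even ones are IDs": `(( argtype++ )) || true`, `if (( argtype % 2 )); then koptions="$x"; continue; fi`, `userID="$x"`. The `|| true` is there because `(( argtype++ ))` yields status 1 on the first pass (post-increment returns the old value 0), which would abort the loop if the file is ever run under `set -e`. The loop body and its `case` continue past this hunk.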
@@ -1146,6 +1158,7 @@ update_authorized_keys() {
 
 	# touch the lockfile, for good measure.
 	lock touch "$AUTHORIZED_KEYS"
+	fi
     done
 
     # remove the lockfile and the trap
@@ -1178,11 +1191,15 @@ update_authorized_keys() {
 # process an authorized_user_ids file for authorized_keys
 process_authorized_user_ids() {
     local line
-    local nline
-    local userIDs
+    declare -i nline
+    declare -a userIDs
+    declare -a koptions
+    declare -a export_array
 
     authorizedUserIDs="$1"
 
+    (( nline=0 ))
+
     # exit if the authorized_user_ids file is empty
     if [ ! -e "$authorizedUserIDs" ] ; then
 	failure "authorized_user_ids file '$authorizedUserIDs' does not exist."
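Review bot: `(( nline=0 ))` returns exit status 1 because the assigned value is zero; with `declare -i nline` already in place, the plain `nline=0` does the same job with status 0 and reads as an initialisation rather than a test. The new `declare -a` arrays are function-scoped (declare inside a function behaves like local), which is the scoping wanted here — by contrast `authorizedUserIDs` just below is still assigned without `local`; that predates this commit, but it is worth fixing while the declarations are being touched. The function body continues past this hunk.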
@@ -1204,11 +1221,27 @@ process_authorized_user_ids() {
     # extract user IDs from authorized_user_ids file
     IFS=$'\n'
     for line in $(meat "$authorizedUserIDs") ; do
-	userIDs["$nline"]="$line"
-	nline=$((nline+1))
+	case "$line" in
+	  (" "*|$'\t'*)
+	    if [[ -z ${koptions[${nline}]} ]]; then
+	        koptions[${nline}]=$(echo $line | sed 's/^[ 	]*//;s/[ 	]$//;')
+	    else
+	        koptions[${nline}]="${koptions[${nline}]},$(echo $line | sed 's/^[ 	]*//;s/[ 	]$//;')"
+	    fi
+	    ;;
+          (*)
+	    ((nline++))
+	    userIDs[${nline}]="$line"
+	    unset koptions[${nline}] || true
+            ;;
+	  esac
+    done
+
+    for i in $(seq 1 $nline); do
+        export_array+=("${koptions[$i]}" "${userIDs[$i]}")
     done
 
-    update_authorized_keys "${userIDs[@]}"
+    update_authorized_keys "${export_array[@]}"
 }
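Review bot: `$(echo $line | sed …)` expands `$line` unquoted, so although the surrounding `IFS=$'\n'` prevents word-splitting, pathname expansion still runs on option values such as `from="*.example.org"`, and the trailing trim `s/[ \t]$//` removes only a single trailing blank. An options line that precedes any user ID is also stored at `koptions[0]` and then silently dropped, because the export loop starts at index 1. Trimming with parameter expansion removes the `echo`/`sed` pipeline and the glob risk, and a check on `nline == 0` surfaces the orphaned line; the export loop would also be better as `for (( i=1; i<=nline; i++ ))` with `i` declared local, since `seq` is an external command and `i` currently leaks as a global. Because these options change what the resulting authorized_keys entry permits, a silent mis-parse here silently changes access policy, so the warning is worth the extra lines.
```shell
	case "$line" in
	  (" "*|$'\t'*)
	    # trim leading/trailing blanks with parameter expansion: no echo/sed, no pathname expansion
	    line="${line#"${line%%[![:blank:]]*}"}"
	    line="${line%"${line##*[![:blank:]]}"}"
	    if (( nline == 0 )); then
	        log error "ignoring options line before any user ID in '$authorizedUserIDs': $line"
	    elif [[ -z ${koptions[nline]} ]]; then
	        koptions[nline]="$line"
	    else
	        koptions[nline]="${koptions[nline]},$line"
	    fi
	    ;;
	  # … unchanged: user-ID arm and esac …
```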
 
 # takes a gpg key or keys on stdin, and outputs a list of
-- 
2.26.2