Add --overrides-file and --allow-system-uid options.

These options make it possible to actually use this tool on single-user
systems like OpenWRT, where individual users don't make much sense but
we still want to be able to use the github-provided SSH key fingerprint
checking.  The design is to allow explicit whitelisting of system UIDs,
then to provide an overrides file that maps UIDs to (potentially
multiple) GitHub usernames.

Author: staticfloat

Diff for: Cargo.lock

@@ -6,7 +6,6 @@ edition = "2018"
 
 [dependencies]
 clap = "2.33.0"
-fstrings = "0.2.2"
 sshkeys = "0.3.2"
 users = "0.9.1"
 tempfile = "3.1.0"

Diff for: Cargo.toml

@@ -9,6 +9,9 @@ ARG GID=1000
 RUN useradd -u ${UID} staticfloat
 RUN echo "staticfloat ALL = NOPASSWD: ALL" >> /etc/sudoers
 
+# Create `keno` user that will not work by default, because he's a system user
+RUN useradd -u 900 keno
+
 # Copy in our build artifacts
 COPY runtests.sh /var/runtests.sh
 COPY target/release/authorized-keys-github /usr/local/bin/authorized-keys-github

Diff for: Dockerfile

@@ -70,10 +70,10 @@ TARGET_TRIPLETS := aarch64-unknown-linux-gnu \
 $(foreach triplet,$(TARGET_TRIPLETS),$(eval multibuild: target/$(triplet)/release/authorized-keys-github))
 
 check:
-	$(call docker_exec,rust,cargo fmt --color=always --all -- --check)
+	$(call docker_exec,rust,cargo fmt --all -- --check)
 
 format:
-	$(call docker_exec,rust,cargo fmt --color=always --all)
+	$(call docker_exec,rust,cargo fmt --all)
 
 .PHONY: test build
 test: $(NATIVE_EXE)

Diff for: Makefile

@@ -13,6 +13,18 @@ For this tool to work, users must use the same username as their GitHub username
 
 The tool will attempt to build a cache of SSH key fingerprints at `/var/keys` by default; to change this, use the `--keys-dir` option.
 
+## Overriding local usernames and usage for system accounts
+
+In the event that you want to use this tool with local usernames that you do not control (such as the `root` user on a single-user system like OpenWRT) you can use the `--overrides-file` argument to explicitly map UIDs to GitHub usernames.
+A simple example is given here:
+```
+# Allow users `keno` and `staticfloat` to login as `root`
+0: keno staticfloat
+```
+A more complete example overrides file with comments is [given in `example.overrides`](./example.overrides).
+Note that overrides files must be owned by the user that the command is being run by (usually `root`) and cannot be writable by any other user or group.
+In order to actually login as `root` (or any system user account with a UID <1000) you must explicitly whitelist the account by passing `--allow-system-uid=xxx` to the command.
+
 ## Usage Warning
 
 Although we have taken some pains to test this in exceptional circumstances (such as disk space exhaustion, read-only filesystems, etc...) it is possible there remain serious bugs that can lock you out of your server.

Diff for: README.md

@@ -0,0 +1,24 @@
+# This is an "overrides" file, it allows the administrator to provide
+# overrides on which UIDs should be mapped to which GitHub usernames.
+# The syntax is a series of lines of the form:
+#
+#   <uid>: username1 username2 ...
+#
+# Multiple usernames are permissable, to allow multiple github users
+# to log in to a shared account (e.g. `root` on single-user systems).
+# Note that you must pass `--allow-system-uid=xxx` for each UID under
+# 1000 for these to be accepted.
+#
+# If a UID is listed here, the typical user database in `/etc/passwd`
+# is not consulted at all; this provides a secure mechanism by which
+# to map local usernames which are constrained in some way to github
+# usernames that you do have full control over.
+#
+# Needless to say, lines starting with '#' are ignored.
+# What follows here is a series of examples:
+
+# A single UID can be mapped to multiple GitHub usernames
+0: keno staticfloat
+
+# A GitHub username can be assigned to multiple UIDs
+1000: staticfloat

Diff for: example.overrides

@@ -15,13 +15,16 @@ export RUST_BACKTRACE=full
 
 header() {
     tput bold
-    tput setaf 1
+    tput setaf 4
     echo "$*"
     tput sgr0
 }
 
 die() {
+    tput bold
+    tput setaf 1
     echo "ERROR: $*" >&2
+    tput sgr0
     exit 1
 }
 
@@ -83,6 +86,67 @@ FINGERPRINT="SHA256:0000000000000000000000000000000000000000000"
 OUTPUT="$(authorized-keys-github --keys-dir="${KEYS_DIR}" --fp=${FINGERPRINT} $(id -u) 2>&1 | tee >(cat 1>&2))"
 test_output "${OUTPUT}" "REFRESH_EXPECTED" ""
 
+# System users are not allowed without `--allow-system-user`:
+# In our `Dockerfile`, we setup a user with a valid GitHub username (keno) with UID 900:
+if [[ $(getent passwd 900 2>/dev/null) == "keno:"* ]]; then
+    header "System user, errors"
+    if authorized-keys-github --keys-dir="${KEYS_DIR}" 900 ; then
+        die "System user should not be allowed!"
+    fi
+    
+    header "System user, positive"
+    OUTPUT="$(authorized-keys-github --keys-dir="${KEYS_DIR}" --allow-system-uid=900 900 2>&1 | tee >(cat 1>&2))"
+    test_output "${OUTPUT}" "REFRESH_EXPECTED" "KEYS_EXPECTED"
+fi
+
+# Generate overrides file for a system user:
+OVERRIDES_FILE="${KEYS_DIR}/overrides"
+cat >"${OVERRIDES_FILE}" <<EOF
+901: staticfloat keno
+32000: staticfloat
+EOF
+
+header "Overrides, single"
+OUTPUT="$(authorized-keys-github --keys-dir="${KEYS_DIR}" --overrides-file="${OVERRIDES_FILE}" 32000 2>&1 | tee >(cat 1>&2))"
+test_output "${OUTPUT}" "REFRESH_EXPECTED" "KEYS_EXPECTED"
+num_staticfloat_keys=$(grep "ssh-rsa" <<<"${OUTPUT}" | wc -l)
+
+header "Overrides, multiple and system user"
+OUTPUT="$(authorized-keys-github --keys-dir="${KEYS_DIR}" --overrides-file="${OVERRIDES_FILE}" --allow-system-uid=901 901 2>&1 | tee >(cat 1>&2))"
+test_output "${OUTPUT}" "REFRESH_EXPECTED" "KEYS_EXPECTED"
+num_combined_keys=$(grep "ssh-rsa" <<<"${OUTPUT}" | wc -l)
+
+if [[ "${num_combined_keys}" -le "${num_staticfloat_keys}" ]]; then
+    die "Expected more keys than ${num_combined_keys}!"
+fi
+
+# Generate a completely invalid overrides file
+header "Invalid overrides, errors"
+cat >"${OVERRIDES_FILE}" <<EOF
+901: staticfloat keno
+science: you monster
+EOF
+if authorized-keys-github --keys-dir="${KEYS_DIR}" --overrides-file="${OVERRIDES_FILE}" $(id -u) ; then
+    die "Invalid override file should fail!"
+fi
+
+# Generate an overrides file that contains a duplicate mapping
+header "Overlapping overrides, errors"
+cat >"${OVERRIDES_FILE}" <<EOF
+901: staticfloat keno
+902: staticfloat
+901: keno
+EOF
+if authorized-keys-github --keys-dir="${KEYS_DIR}" --overrides-file="${OVERRIDES_FILE}" $(id -u) ; then
+    die "Overlapping override file should fail!"
+fi
+
+# Generate an overrides file that is writable by other users
+header "Other-writable overrides, errors"
+chmod g+w "${OVERRIDES_FILE}"
+if authorized-keys-github --keys-dir="${KEYS_DIR}" --overrides-file="${OVERRIDES_FILE}" $(id -u) ; then
+    die "Other-writable override file should fail!"
+fi
 
 # Fill up tmpfs to generate out-of-space errors:
 fill_up_disk_space "${KEYS_DIR}"