Add support for using github api (#2)

locus313 · Copilot · web-flow · commit 97a9b357cf0a · 2025-06-22T11:53:57.000-07:00
* Add support for using github api

* remove then

* add error check

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* update log message

* update log message

* move curl fetch into helper function

* readme updates

* add unsupported method error message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* improve error message

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* move log_message function

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -2,18 +2,48 @@
 
 This Bash script pulls `authorized_keys` files from remote URLs and updates SSH access for multiple local users.
 
-## Features
+## 🔧 Features
 
-- Pull-based, no Git required
+- Pull-based (ideal for cron or systemd timer)
 - Supports multiple users
-- Designed for use with cron or systemd
+- Works with:
+  - ✅ Public URLs (method: `raw`)
+  - ✅ Private GitHub repositories via GitHub API (method: `api`, requires token)
+- Safe: Only updates keys if they’ve changed
+- Logs activity per user
+
+## ⚙️ Configuration
+
+Edit the `USER_KEYS` associative array in `sync-ssh-keys.sh` to define users and their key sources.  
+Each entry uses the format:  
+`["username"]="method:url"`
+
+- **raw:** Fetches directly from a public URL.
+- **api:** Fetches from a private GitHub repo using the GitHub API (requires `GITHUB_TOKEN` environment variable).
+
+**Example:**
+```bash
+declare -A USER_KEYS=(
+  ["ubuntu"]="raw:https://example.com/ssh-keys/ubuntu.authorized_keys"
+  ["devuser"]="api:https://api.github.com/repos/yourorg/ssh-keys/contents/keys/devuser.authorized_keys?ref=main"
+)
+```
 
 ## Usage
 
 1. Edit the `USER_KEYS` array in `sync-ssh-keys.sh` to define users and their key URLs.
-2. Add to root's crontab:
+2. If using the `api` method, export your GitHub token:
+   ```bash
+   export GITHUB_TOKEN=your_token_here
+   ```
+3. Add to root's crontab:
 
 ```cron
 */15 * * * * /usr/local/bin/sync-ssh-keys.sh >> /var/log/ssh-key-sync.log 2>&1
 ```
 
+## Implementation Notes
+
+- The script uses a helper function `fetch_key_file` to fetch keys using the appropriate method.
+- Only updates a user's `authorized_keys` if the remote file has changed.
+- Logs all actions with timestamps.
diff --git a/sync-ssh-keys.sh b/sync-ssh-keys.sh
@@ -3,9 +3,9 @@ set -euo pipefail
 
 # === Configuration: user -> remote key file URL ===
 declare -A USER_KEYS=(
-  ["ubuntu"]="https://example.com/ssh-keys/ubuntu.authorized_keys"
-  ["devuser"]="https://example.com/ssh-keys/devuser.authorized_keys"
-  ["admin"]="https://example.com/ssh-keys/admin.authorized_keys"
+  ["ubuntu"]="raw:https://example.com/ssh-keys/ubuntu.authorized_keys"
+  ["devuser"]="api:https://api.github.com/repos/yourorg/ssh-keys/contents/keys/devuser.authorized_keys?ref=main"
+  ["admin"]="api:https://api.github.com/repos/yourorg/ssh-keys/contents/keys/admin.authorized_keys?ref=main"
 )
 
 log_message() {
@@ -14,12 +14,34 @@ log_message() {
   echo "$TIMESTAMP: $1"
 }
 
+fetch_key_file() {
+  local METHOD="$1"
+  local URL="$2"
+  local OUTFILE="$3"
+
+  if [[ "$METHOD" == "raw" ]]; then
+    curl -fsSL "$URL" -o "$OUTFILE"
+    return $?
+  elif [[ "$METHOD" == "api" ]]; then
+    : "${GITHUB_TOKEN:?GITHUB_TOKEN is required for API access}"
+    curl -fsSL -H "Authorization: token $GITHUB_TOKEN" \
+               -H "Accept: application/vnd.github.v3.raw" \
+               "$URL" -o "$OUTFILE"
+    return $?
+  else
+    log_message "Error: Unsupported method '$METHOD' encountered for URL '$URL'. Halting execution."
+    exit 2
+  fi
+}
+
 TMP_FILES=()
 trap 'rm -f "${TMP_FILES[@]}"' EXIT
 for USER in "${!USER_KEYS[@]}"; do
   TMP_FILE=$(mktemp)
   TMP_FILES+=("$TMP_FILE")
-  URL="${USER_KEYS[$USER]}"
+  ENTRY="${USER_KEYS[$USER]}"
+  METHOD="${ENTRY%%:*}"
+  URL="${ENTRY#*:}"
   # Ensure user exists
   if ! id "$USER" &>/dev/null; then
     log_message "User '$USER' does not exist. Skipping."
@@ -41,17 +63,18 @@ for USER in "${!USER_KEYS[@]}"; do
     log_message "Created .ssh directory for user '$USER'"
   fi
 
-  # Fetch remote key file
-  if curl -fsSL "$URL" -o "$TMP_FILE"; then
-    if [ ! -f "$AUTH_KEYS" ] || ! cmp -s "$TMP_FILE" "$AUTH_KEYS"; then
-      cp "$TMP_FILE" "$AUTH_KEYS"
-      chown "$USER:$USER" "$AUTH_KEYS"
-      chmod 600 "$AUTH_KEYS"
-      log_message "Updated authorized_keys for user '$USER'"
-    else
-      log_message "No changes for user '$USER'"
-    fi
+  log_message "Fetching key file for $USER from $URL (method: $METHOD)"
+  if ! fetch_key_file "$METHOD" "$URL" "$TMP_FILE"; then
+    log_message "Failed to fetch key file for user '$USER' from $URL. Skipping."
+    continue
+  fi
+
+  if [ ! -f "$AUTH_KEYS" ] || ! cmp -s "$TMP_FILE" "$AUTH_KEYS"; then
+    cp "$TMP_FILE" "$AUTH_KEYS"
+    chown "$USER:$USER" "$AUTH_KEYS"
+    chmod 600 "$AUTH_KEYS"
+    log_message "Updated authorized_keys for user '$USER'"
   else
-    log_message "Failed to download keys for '$USER' from $URL"
+    log_message "No changes for user '$USER'"
   fi
 done
