X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-generate;h=9dcf0a350cb436541dcc3dffe812220b09afc8d4;hb=6ee830ff583d3db2afa0044a378b1737853e54b0;hp=41350d07093a1f31818c1e3e85ae6c4da67531ee;hpb=3a9baa335455ffcfbe195b1e65de4104405d7fab;p=mirror%2Fuserdir-ldap.git diff --git a/ud-generate b/ud-generate index 41350d0..9dcf0a3 100755 --- a/ud-generate +++ b/ud-generate @@ -77,6 +77,10 @@ GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None) GitoliteSSHCommand = getattr(ConfModule, "gitolitesshcommand", None) GitoliteExportHosts = re.compile(getattr(ConfModule, "gitoliteexporthosts", ".")) MX_remap = json.loads(ConfModule.MX_remap) +use_mq = getattr(ConfModule, "use_mq", True) + +rtc_realm = getattr(ConfModule, "rtc_realm", None) +rtc_append = getattr(ConfModule, "rtc_append", None) def prettify(elem): """Return a pretty-printed XML string for the Element. @@ -161,9 +165,6 @@ def IsRetired(account): return False -#def IsGidDebian(account): -# return account['gidNumber'] == 800 - # See if this user is in the group list def IsInGroup(account, allowed, current_host): # See if the primary group is in the list @@ -307,7 +308,7 @@ def GenShadowSudo(accounts, File, untrusted, current_host): Pass = '*' if 'sudoPassword' in a: for entry in a['sudoPassword']: - Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry) + Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry) if Match == None: continue uuid = Match.group(1) @@ -436,10 +437,11 @@ def GenRtcPassword(accounts, File): os.umask(OldMask) for a in accounts: + if a.is_guest_account(): continue if not 'rtcPassword' in a: continue if not a.pw_active(): continue - Line = "%s@debian.org:%s:rtc.debian.org:AUTHORIZED" % (a['uid'], str(a['rtcPassword'])) + Line = "%s%s:%s:%s:AUTHORIZED" % (a['uid'], rtc_append, str(a['rtcPassword']), rtc_realm) Line = Sanitize(Line) + "\n" F.write("%s" % (Line)) @@ -447,6 +449,28 @@ def GenRtcPassword(accounts, File): Die(File, None, F) raise +# Generate the TOTP auth file +def GenTOTPSeed(accounts, File): + F = None + try: + OldMask = os.umask(0077) + F = open(File, "w", 0600) + os.umask(OldMask) + + F.write("# Option User Prefix Seed\n") + for a in accounts: + if a.is_guest_account(): continue + if not 'totpSeed' in a: continue + if not a.pw_active(): continue + + Line = "HOTP/T30/6 %s - %s" % (a['uid'], a['totpSeed']) + Line = Sanitize(Line) + "\n" + F.write("%s" % (Line)) + except: + Die(File, None, F) + raise + + def GenSSHtarballs(global_dir, userlist, ssh_userkeys, grouprevmap, target, current_host): OldMask = os.umask(0077) tf = tarfile.open(name=os.path.join(global_dir, 'ssh-keys-%s.tar.gz' % current_host), mode='w:gz') @@ -886,17 +910,21 @@ def ExtractDNSInfo(x): Algorithm = 1 if Split[0] == 'ssh-dss': Algorithm = 2 + if Split[0] == 'ssh-ed25519': + Algorithm = 4 if Algorithm == None: continue Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest() DNSInfo.append("%sIN\tSSHFP\t%u 1 %s" % (TTLprefix, Algorithm, Fingerprint)) + Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest() + DNSInfo.append("%sIN\tSSHFP\t%u 2 %s" % (TTLprefix, Algorithm, Fingerprint)) if 'architecture' in x[1]: Arch = GetAttr(x, "architecture") Mach = "" if x[1].has_key("machine"): Mach = " " + GetAttr(x, "machine") - DNSInfo.append("%sIN\tHINFO\t\"%s%s\" \"%s\"" % (TTLprefix, Arch, Mach, "Debian GNU/Linux")) + DNSInfo.append("%sIN\tHINFO\t\"%s%s\" \"%s\"" % (TTLprefix, Arch, Mach, "Debian")) if x[1].has_key("mXRecord"): for I in x[1]["mXRecord"]: @@ -1120,7 +1148,7 @@ def get_accounts(ldap_conn): "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\ "mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\ "mailContentInspectionAction", "webPassword", "rtcPassword",\ - "bATVToken"]) + "bATVToken", "totpSeed"]) if passwd_attrs is None: raise UDEmptyList, "No Users" @@ -1191,7 +1219,6 @@ def generate_all(global_dir, ldap_conn): accounts_disabled = GenDisabledAccounts(accounts, global_dir + "disabled-accounts") accounts = filter(lambda x: not IsRetired(x), accounts) - #accounts_DDs = filter(lambda x: IsGidDebian(x), accounts) CheckForward(accounts) @@ -1209,6 +1236,7 @@ def generate_all(global_dir, ldap_conn): GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist") GenWebPassword(accounts, global_dir + "web-passwords") GenRtcPassword(accounts, global_dir + "rtc-passwords") + GenTOTPSeed(accounts, global_dir + "users.oath") GenKeyrings(global_dir) # Compatibility. @@ -1221,7 +1249,6 @@ def generate_all(global_dir, ldap_conn): GenMarkers(accounts, global_dir + "markers") GenSSHKnown(host_attrs, global_dir + "ssh_known_hosts") GenHosts(host_attrs, global_dir + "debianhosts") - GenSSHGitolite(accounts, host_attrs, global_dir + "ssh-gitolite") GenDNS(accounts, global_dir + "dns-zone") GenZoneRecords(host_attrs, global_dir + "dns-sshfp") @@ -1316,7 +1343,7 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): DoLink(global_dir, OutDir, "debian-private") if 'GITOLITE' in ExtraList: - DoLink(global_dir, OutDir, "ssh-gitolite") + GenSSHGitolite(all_accounts, all_hosts, OutDir + "ssh-gitolite", current_host=current_host) if 'exportOptions' in host[1]: for entry in host[1]['exportOptions']: v = entry.split('=',1) @@ -1340,6 +1367,9 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): if 'RTC-PASSWORDS' in ExtraList: DoLink(global_dir, OutDir, "rtc-passwords") + if 'TOTP' in ExtraList: + DoLink(global_dir, OutDir, "users.oath") + if 'KEYRING' in ExtraList: for k in Keyrings: bn = os.path.basename(k) @@ -1476,7 +1506,8 @@ def ud_generate(): if need_update or options.force: msg = 'Update forced' if options.force else 'Update needed' generate_all(generate_dir, l) - mq_notify(options, msg) + if use_mq: + mq_notify(options, msg) last_run = int(time.time()) fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run)) fd.close()