X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-generate;h=9dcf0a350cb436541dcc3dffe812220b09afc8d4;hb=6ee830ff583d3db2afa0044a378b1737853e54b0;hp=49ef0d0905425a70548fc3dfa4d296a20cf558b7;hpb=758d9b1f031fe5f12ca19b72e587b22fb1204332;p=mirror%2Fuserdir-ldap.git

diff --git a/ud-generate b/ud-generate
index 49ef0d0..9dcf0a3 100755
--- a/ud-generate
+++ b/ud-generate
@@ -74,8 +74,13 @@ isSSHFP = re.compile("^\s*IN\s+SSHFP")
 DNSZone = ".debian.net"
 Keyrings = ConfModule.sync_keyrings.split(":")
 GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None)
+GitoliteSSHCommand = getattr(ConfModule, "gitolitesshcommand", None)
 GitoliteExportHosts = re.compile(getattr(ConfModule, "gitoliteexporthosts", "."))
 MX_remap = json.loads(ConfModule.MX_remap)
+use_mq = getattr(ConfModule, "use_mq", True)
+
+rtc_realm = getattr(ConfModule, "rtc_realm", None)
+rtc_append = getattr(ConfModule, "rtc_append", None)
 
 def prettify(elem):
    """Return a pretty-printed XML string for the Element.
@@ -160,9 +165,6 @@ def IsRetired(account):
 
    return False
 
-#def IsGidDebian(account):
-#   return account['gidNumber'] == 800
-
 # See if this user is in the group list
 def IsInGroup(account, allowed, current_host):
   # See if the primary group is in the list
@@ -306,7 +308,7 @@ def GenShadowSudo(accounts, File, untrusted, current_host):
          Pass = '*'
          if 'sudoPassword' in a:
             for entry in a['sudoPassword']:
-               Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
+               Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry)
                if Match == None:
                   continue
                uuid = Match.group(1)
@@ -340,8 +342,10 @@ def GenShadowSudo(accounts, File, untrusted, current_host):
    Done(File, F, None)
 
 # Generate the sudo passwd file
-def GenSSHGitolite(accounts, hosts, File):
+def GenSSHGitolite(accounts, hosts, File, sshcommand=None, current_host=None):
    F = None
+   if sshcommand is None:
+      sshcommand = GitoliteSSHCommand
    try:
       OldMask = os.umask(0022)
       F = open(File + ".tmp", "w", 0600)
@@ -352,19 +356,30 @@ def GenSSHGitolite(accounts, hosts, File):
             if not 'sshRSAAuthKey' in a: continue
 
             User = a['uid']
-            prefix = GitoliteSSHRestrictions.replace('@@USER@@', User)
+            prefix = GitoliteSSHRestrictions
+            prefix = prefix.replace('@@COMMAND@@', sshcommand)
+            prefix = prefix.replace('@@USER@@', User)
             for I in a["sshRSAAuthKey"]:
+               if I.startswith("allowed_hosts=") and ' ' in line:
+                  if current_host is None:
+                     continue
+                  machines, I = I.split('=', 1)[1].split(' ', 1)
+                  if current_host not in machines.split(','):
+                     continue # skip this key
+
                if I.startswith('ssh-'):
                   line = "%s %s"%(prefix, I)
                else:
-                  line = "%s,%s"%(prefix, I)
+                  continue # do not allow keys with other restrictions that might conflict
                line = Sanitize(line) + "\n"
                F.write(line)
 
          for dn, attrs in hosts:
             if not 'sshRSAHostKey' in attrs: continue
             hostname = "host-" + attrs['hostname'][0]
-            prefix = GitoliteSSHRestrictions.replace('@@USER@@', hostname)
+            prefix = GitoliteSSHRestrictions
+            prefix = prefix.replace('@@COMMAND@@', sshcommand)
+            prefix = prefix.replace('@@USER@@', hostname)
             for I in attrs["sshRSAHostKey"]:
                line = "%s %s"%(prefix, I)
                line = Sanitize(line) + "\n"
@@ -422,10 +437,11 @@ def GenRtcPassword(accounts, File):
       os.umask(OldMask)
 
       for a in accounts:
+         if a.is_guest_account(): continue
          if not 'rtcPassword' in a: continue
          if not a.pw_active(): continue
 
-         Line = "%s@debian.org:%s:rtc.debian.org:AUTHORIZED" % (a['uid'], str(a['rtcPassword']))
+         Line = "%s%s:%s:%s:AUTHORIZED" % (a['uid'], rtc_append, str(a['rtcPassword']), rtc_realm)
          Line = Sanitize(Line) + "\n"
          F.write("%s" % (Line))
 
@@ -433,6 +449,28 @@ def GenRtcPassword(accounts, File):
       Die(File, None, F)
       raise
 
+# Generate the TOTP auth file
+def GenTOTPSeed(accounts, File):
+   F = None
+   try:
+      OldMask = os.umask(0077)
+      F = open(File, "w", 0600)
+      os.umask(OldMask)
+
+      F.write("# Option User Prefix Seed\n")
+      for a in accounts:
+         if a.is_guest_account(): continue
+         if not 'totpSeed' in a: continue
+         if not a.pw_active(): continue
+
+         Line = "HOTP/T30/6 %s - %s" % (a['uid'], a['totpSeed'])
+         Line = Sanitize(Line) + "\n"
+         F.write("%s" % (Line))
+   except:
+      Die(File, None, F)
+      raise
+
+
 def GenSSHtarballs(global_dir, userlist, ssh_userkeys, grouprevmap, target, current_host):
    OldMask = os.umask(0077)
    tf = tarfile.open(name=os.path.join(global_dir, 'ssh-keys-%s.tar.gz' % current_host), mode='w:gz')
@@ -872,17 +910,21 @@ def ExtractDNSInfo(x):
             Algorithm = 1
          if Split[0] == 'ssh-dss':
             Algorithm = 2
+         if Split[0] == 'ssh-ed25519':
+            Algorithm = 4
          if Algorithm == None:
             continue
          Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest()
          DNSInfo.append("%sIN\tSSHFP\t%u 1 %s" % (TTLprefix, Algorithm, Fingerprint))
+         Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest()
+         DNSInfo.append("%sIN\tSSHFP\t%u 2 %s" % (TTLprefix, Algorithm, Fingerprint))
 
    if 'architecture' in x[1]:
       Arch = GetAttr(x, "architecture")
       Mach = ""
       if x[1].has_key("machine"):
          Mach = " " + GetAttr(x, "machine")
-      DNSInfo.append("%sIN\tHINFO\t\"%s%s\" \"%s\"" % (TTLprefix, Arch, Mach, "Debian GNU/Linux"))
+      DNSInfo.append("%sIN\tHINFO\t\"%s%s\" \"%s\"" % (TTLprefix, Arch, Mach, "Debian"))
 
    if x[1].has_key("mXRecord"):
       for I in x[1]["mXRecord"]:
@@ -1106,7 +1148,7 @@ def get_accounts(ldap_conn):
                     "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\
                     "mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\
                     "mailContentInspectionAction", "webPassword", "rtcPassword",\
-                    "bATVToken"])
+                    "bATVToken", "totpSeed"])
 
    if passwd_attrs is None:
       raise UDEmptyList, "No Users"
@@ -1177,7 +1219,6 @@ def generate_all(global_dir, ldap_conn):
    accounts_disabled = GenDisabledAccounts(accounts, global_dir + "disabled-accounts")
 
    accounts = filter(lambda x: not IsRetired(x), accounts)
-   #accounts_DDs = filter(lambda x: IsGidDebian(x), accounts)
 
    CheckForward(accounts)
 
@@ -1195,6 +1236,7 @@ def generate_all(global_dir, ldap_conn):
    GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist")
    GenWebPassword(accounts, global_dir + "web-passwords")
    GenRtcPassword(accounts, global_dir + "rtc-passwords")
+   GenTOTPSeed(accounts, global_dir + "users.oath")
    GenKeyrings(global_dir)
 
    # Compatibility.
@@ -1207,7 +1249,6 @@ def generate_all(global_dir, ldap_conn):
    GenMarkers(accounts, global_dir + "markers")
    GenSSHKnown(host_attrs, global_dir + "ssh_known_hosts")
    GenHosts(host_attrs, global_dir + "debianhosts")
-   GenSSHGitolite(accounts, host_attrs, global_dir + "ssh-gitolite")
 
    GenDNS(accounts, global_dir + "dns-zone")
    GenZoneRecords(host_attrs, global_dir + "dns-sshfp")
@@ -1302,14 +1343,23 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys):
       DoLink(global_dir, OutDir, "debian-private")
 
    if 'GITOLITE' in ExtraList:
-      DoLink(global_dir, OutDir, "ssh-gitolite")
+      GenSSHGitolite(all_accounts, all_hosts, OutDir + "ssh-gitolite", current_host=current_host)
    if 'exportOptions' in host[1]:
       for entry in host[1]['exportOptions']:
          v = entry.split('=',1)
          if v[0] != 'GITOLITE' or len(v) != 2: continue
-         gitolite_accounts = filter(lambda x: IsInGroup(x, [v[1]], current_host), all_accounts)
-         gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts)
-         GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(v[1],))
+         options = v[1].split(',')
+         group = options.pop(0);
+         gitolite_accounts = filter(lambda x: IsInGroup(x, [group], current_host), all_accounts)
+         if not 'nohosts' in options:
+            gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts)
+         else:
+            gitolite_hosts = []
+         command = None
+         for opt in options:
+            if opt.startswith('sshcmd='):
+               command = opt.split('=',1)[1]
+         GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(group,), sshcommand=command, current_host=current_host)
 
    if 'WEB-PASSWORDS' in ExtraList:
       DoLink(global_dir, OutDir, "web-passwords")
@@ -1317,6 +1367,9 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys):
    if 'RTC-PASSWORDS' in ExtraList:
       DoLink(global_dir, OutDir, "rtc-passwords")
 
+   if 'TOTP' in ExtraList:
+      DoLink(global_dir, OutDir, "users.oath")
+
    if 'KEYRING' in ExtraList:
       for k in Keyrings:
          bn = os.path.basename(k)
@@ -1453,7 +1506,8 @@ def ud_generate():
    if need_update or options.force:
       msg = 'Update forced' if options.force else 'Update needed'
       generate_all(generate_dir, l)
-      mq_notify(options, msg)
+      if use_mq:
+         mq_notify(options, msg)
       last_run = int(time.time())
    fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run))
    fd.close()