X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-generate;h=7b9ca4cf21d562cf6930b2b8512e97dfb17093d7;hp=07918bdead7f2a77078153b87578e663aa5bc3eb;hb=871ab5f2e8bda25130c70834052fa8fb020a5373;hpb=3a43c86784c706c1ef6c650bf270365def78f996 diff --git a/ud-generate b/ud-generate index 07918bd..7b9ca4c 100755 --- a/ud-generate +++ b/ud-generate @@ -74,6 +74,7 @@ isSSHFP = re.compile("^\s*IN\s+SSHFP") DNSZone = ".debian.net" Keyrings = ConfModule.sync_keyrings.split(":") GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None) +GitoliteSSHCommand = getattr(ConfModule, "gitolitesshcommand", None) GitoliteExportHosts = re.compile(getattr(ConfModule, "gitoliteexporthosts", ".")) MX_remap = json.loads(ConfModule.MX_remap) @@ -160,9 +161,6 @@ def IsRetired(account): return False -#def IsGidDebian(account): -# return account['gidNumber'] == 800 - # See if this user is in the group list def IsInGroup(account, allowed, current_host): # See if the primary group is in the list @@ -306,7 +304,7 @@ def GenShadowSudo(accounts, File, untrusted, current_host): Pass = '*' if 'sudoPassword' in a: for entry in a['sudoPassword']: - Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry) + Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry) if Match == None: continue uuid = Match.group(1) @@ -340,8 +338,10 @@ def GenShadowSudo(accounts, File, untrusted, current_host): Done(File, F, None) # Generate the sudo passwd file -def GenSSHGitolite(accounts, hosts, File): +def GenSSHGitolite(accounts, hosts, File, sshcommand=None, current_host=None): F = None + if sshcommand is None: + sshcommand = GitoliteSSHCommand try: OldMask = os.umask(0022) F = open(File + ".tmp", "w", 0600) @@ -352,19 +352,30 @@ def GenSSHGitolite(accounts, hosts, File): if not 'sshRSAAuthKey' in a: continue User = a['uid'] - prefix = GitoliteSSHRestrictions.replace('@@USER@@', User) + prefix = GitoliteSSHRestrictions + prefix = prefix.replace('@@COMMAND@@', sshcommand) + prefix = prefix.replace('@@USER@@', User) for I in a["sshRSAAuthKey"]: + if I.startswith("allowed_hosts=") and ' ' in line: + if current_host is None: + continue + machines, I = I.split('=', 1)[1].split(' ', 1) + if current_host not in machines.split(','): + continue # skip this key + if I.startswith('ssh-'): line = "%s %s"%(prefix, I) else: - line = "%s,%s"%(prefix, I) + continue # do not allow keys with other restrictions that might conflict line = Sanitize(line) + "\n" F.write(line) for dn, attrs in hosts: if not 'sshRSAHostKey' in attrs: continue hostname = "host-" + attrs['hostname'][0] - prefix = GitoliteSSHRestrictions.replace('@@USER@@', hostname) + prefix = GitoliteSSHRestrictions + prefix = prefix.replace('@@COMMAND@@', sshcommand) + prefix = prefix.replace('@@USER@@', hostname) for I in attrs["sshRSAHostKey"]: line = "%s %s"%(prefix, I) line = Sanitize(line) + "\n" @@ -872,10 +883,14 @@ def ExtractDNSInfo(x): Algorithm = 1 if Split[0] == 'ssh-dss': Algorithm = 2 + if Split[0] == 'ssh-ed25519': + Algorithm = 4 if Algorithm == None: continue Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest() DNSInfo.append("%sIN\tSSHFP\t%u 1 %s" % (TTLprefix, Algorithm, Fingerprint)) + Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest() + DNSInfo.append("%sIN\tSSHFP\t%u 2 %s" % (TTLprefix, Algorithm, Fingerprint)) if 'architecture' in x[1]: Arch = GetAttr(x, "architecture") @@ -1177,7 +1192,6 @@ def generate_all(global_dir, ldap_conn): accounts_disabled = GenDisabledAccounts(accounts, global_dir + "disabled-accounts") accounts = filter(lambda x: not IsRetired(x), accounts) - #accounts_DDs = filter(lambda x: IsGidDebian(x), accounts) CheckForward(accounts) @@ -1307,9 +1321,18 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): for entry in host[1]['exportOptions']: v = entry.split('=',1) if v[0] != 'GITOLITE' or len(v) != 2: continue - gitolite_accounts = filter(lambda x: IsInGroup(x, [v[1]], current_host), all_accounts) - gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts) - GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(v[1],)) + options = v[1].split(',') + group = options.pop(0); + gitolite_accounts = filter(lambda x: IsInGroup(x, [group], current_host), all_accounts) + if not 'nohosts' in options: + gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts) + else: + gitolite_hosts = [] + command = None + for opt in options: + if opt.startswith('sshcmd='): + command = opt.split('=',1)[1] + GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(group,), sshcommand=command, current_host=current_host) if 'WEB-PASSWORDS' in ExtraList: DoLink(global_dir, OutDir, "web-passwords") @@ -1420,8 +1443,6 @@ def ud_generate(): help="Output directory.") parser.add_option("-f", "--force", dest="force", action="store_true", help="Force generation, even if no update to LDAP has happened.") - parser.add_option("-m", "--mq", action="store_true", default=False, - help="Send update trigger over MQ") (options, args) = parser.parse_args() if len(args) > 0: @@ -1455,8 +1476,7 @@ def ud_generate(): if need_update or options.force: msg = 'Update forced' if options.force else 'Update needed' generate_all(generate_dir, l) - if options.mq: - mq_notify(options, msg) + mq_notify(options, msg) last_run = int(time.time()) fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run)) fd.close()