X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-generate;h=7b9ca4cf21d562cf6930b2b8512e97dfb17093d7;hp=5b64a8443ecb3408bab01a8dacbaf51eef7c72af;hb=871ab5f2e8bda25130c70834052fa8fb020a5373;hpb=b0a9e0cc20d43db1040f39f151fb95f353b3a7f1 diff --git a/ud-generate b/ud-generate index 5b64a84..7b9ca4c 100755 --- a/ud-generate +++ b/ud-generate @@ -28,7 +28,10 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -import string, re, time, ldap, optparse, sys, os, pwd, posix, socket, base64, hashlib, shutil, errno, tarfile, grp, fcntl +from dsa_mq.connection import Connection +from dsa_mq.config import Config + +import string, re, time, ldap, optparse, sys, os, pwd, posix, socket, base64, hashlib, shutil, errno, tarfile, grp, fcntl, dbm from userdir_ldap import * from userdir_exceptions import * import UDLdap @@ -71,6 +74,7 @@ isSSHFP = re.compile("^\s*IN\s+SSHFP") DNSZone = ".debian.net" Keyrings = ConfModule.sync_keyrings.split(":") GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None) +GitoliteSSHCommand = getattr(ConfModule, "gitolitesshcommand", None) GitoliteExportHosts = re.compile(getattr(ConfModule, "gitoliteexporthosts", ".")) MX_remap = json.loads(ConfModule.MX_remap) @@ -157,9 +161,6 @@ def IsRetired(account): return False -#def IsGidDebian(account): -# return account['gidNumber'] == 800 - # See if this user is in the group list def IsInGroup(account, allowed, current_host): # See if the primary group is in the list @@ -303,7 +304,7 @@ def GenShadowSudo(accounts, File, untrusted, current_host): Pass = '*' if 'sudoPassword' in a: for entry in a['sudoPassword']: - Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry) + Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry) if Match == None: continue uuid = Match.group(1) @@ -337,8 +338,10 @@ def GenShadowSudo(accounts, File, untrusted, current_host): Done(File, F, None) # Generate the sudo passwd file -def GenSSHGitolite(accounts, hosts, File): +def GenSSHGitolite(accounts, hosts, File, sshcommand=None, current_host=None): F = None + if sshcommand is None: + sshcommand = GitoliteSSHCommand try: OldMask = os.umask(0022) F = open(File + ".tmp", "w", 0600) @@ -349,19 +352,30 @@ def GenSSHGitolite(accounts, hosts, File): if not 'sshRSAAuthKey' in a: continue User = a['uid'] - prefix = GitoliteSSHRestrictions.replace('@@USER@@', User) + prefix = GitoliteSSHRestrictions + prefix = prefix.replace('@@COMMAND@@', sshcommand) + prefix = prefix.replace('@@USER@@', User) for I in a["sshRSAAuthKey"]: + if I.startswith("allowed_hosts=") and ' ' in line: + if current_host is None: + continue + machines, I = I.split('=', 1)[1].split(' ', 1) + if current_host not in machines.split(','): + continue # skip this key + if I.startswith('ssh-'): line = "%s %s"%(prefix, I) else: - line = "%s,%s"%(prefix, I) + continue # do not allow keys with other restrictions that might conflict line = Sanitize(line) + "\n" F.write(line) for dn, attrs in hosts: if not 'sshRSAHostKey' in attrs: continue hostname = "host-" + attrs['hostname'][0] - prefix = GitoliteSSHRestrictions.replace('@@USER@@', hostname) + prefix = GitoliteSSHRestrictions + prefix = prefix.replace('@@COMMAND@@', sshcommand) + prefix = prefix.replace('@@USER@@', hostname) for I in attrs["sshRSAHostKey"]: line = "%s %s"%(prefix, I) line = Sanitize(line) + "\n" @@ -410,39 +424,21 @@ def GenWebPassword(accounts, File): Die(File, None, F) raise -# Generate the voipPassword list -def GenVoipPassword(accounts, File): +# Generate the rtcPassword list +def GenRtcPassword(accounts, File): F = None try: OldMask = os.umask(0077) F = open(File, "w", 0600) os.umask(OldMask) - root = Element('include') - for a in accounts: - if not 'voipPassword' in a: continue + if not 'rtcPassword' in a: continue if not a.pw_active(): continue - Pass = str(a['voipPassword']) - user = Element('user') - user.attrib['id'] = "%s" % (a['uid']) - root.append(user) - params = Element('params') - user.append(params) - param = Element('param') - params.append(param) - param.attrib['name'] = "a1-hash" - param.attrib['value'] = "%s" % (Pass) - variables = Element('variables') - user.append(variables) - variable = Element('variable') - variable.attrib['name'] = "toll_allow" - variable.attrib['value'] = "domestic,international,local" - variables.append(variable) - - F.write("%s" % (prettify(root))) - + Line = "%s@debian.org:%s:rtc.debian.org:AUTHORIZED" % (a['uid'], str(a['rtcPassword'])) + Line = Sanitize(Line) + "\n" + F.write("%s" % (Line)) except: Die(File, None, F) @@ -645,6 +641,34 @@ def GenCDB(accounts, File, key): if Fdb.close() != None: raise "cdbmake gave an error" +def GenDBM(accounts, File, key): + Fdb = None + OldMask = os.umask(0022) + fn = os.path.join(File).encode('ascii', 'ignore') + try: + posix.remove(fn) + except: + pass + + try: + Fdb = dbm.open(fn, "c") + os.umask(OldMask) + + # Write out the email address for each user + for a in accounts: + if not key in a: continue + value = a[key] + user = a['uid'] + Fdb[user] = value + + Fdb.close() + except: + # python-dbm names the files Fdb.db.db so we want to them to be Fdb.db + os.remove(File + ".db") + raise + # python-dbm names the files Fdb.db.db so we want to them to be Fdb.db + os.rename (File + ".db", File) + # Generate the anon XEarth marker file def GenMarkers(accounts, File): F = None @@ -859,10 +883,14 @@ def ExtractDNSInfo(x): Algorithm = 1 if Split[0] == 'ssh-dss': Algorithm = 2 + if Split[0] == 'ssh-ed25519': + Algorithm = 4 if Algorithm == None: continue Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest() DNSInfo.append("%sIN\tSSHFP\t%u 1 %s" % (TTLprefix, Algorithm, Fingerprint)) + Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest() + DNSInfo.append("%sIN\tSSHFP\t%u 2 %s" % (TTLprefix, Algorithm, Fingerprint)) if 'architecture' in x[1]: Arch = GetAttr(x, "architecture") @@ -1092,7 +1120,8 @@ def get_accounts(ldap_conn): "keyFingerPrint", "privateSub", "mailDisableMessage",\ "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\ "mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\ - "mailContentInspectionAction", "webPassword", "voipPassword"]) + "mailContentInspectionAction", "webPassword", "rtcPassword",\ + "bATVToken"]) if passwd_attrs is None: raise UDEmptyList, "No Users" @@ -1163,13 +1192,14 @@ def generate_all(global_dir, ldap_conn): accounts_disabled = GenDisabledAccounts(accounts, global_dir + "disabled-accounts") accounts = filter(lambda x: not IsRetired(x), accounts) - #accounts_DDs = filter(lambda x: IsGidDebian(x), accounts) CheckForward(accounts) GenMailDisable(accounts, global_dir + "mail-disable") GenCDB(accounts, global_dir + "mail-forward.cdb", 'emailForward') + GenDBM(accounts, global_dir + "mail-forward.db", 'emailForward') GenCDB(accounts, global_dir + "mail-contentinspectionaction.cdb", 'mailContentInspectionAction') + GenDBM(accounts, global_dir + "mail-contentinspectionaction.db", 'mailContentInspectionAction') GenPrivate(accounts, global_dir + "debian-private") GenSSHKnown(host_attrs, global_dir+"authorized_keys", 'authorized_keys', global_dir+'ud-generate.lock') GenMailBool(accounts, global_dir + "mail-greylist", "mailGreylisting") @@ -1178,7 +1208,7 @@ def generate_all(global_dir, ldap_conn): GenMailList(accounts, global_dir + "mail-rhsbl", "mailRHSBL") GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist") GenWebPassword(accounts, global_dir + "web-passwords") - GenVoipPassword(accounts, global_dir + "voip-passwords") + GenRtcPassword(accounts, global_dir + "rtc-passwords") GenKeyrings(global_dir) # Compatibility. @@ -1252,7 +1282,9 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): if not 'NOMARKERS' in ExtraList: DoLink(global_dir, OutDir, "markers") DoLink(global_dir, OutDir, "mail-forward.cdb") + DoLink(global_dir, OutDir, "mail-forward.db") DoLink(global_dir, OutDir, "mail-contentinspectionaction.cdb") + DoLink(global_dir, OutDir, "mail-contentinspectionaction.db") DoLink(global_dir, OutDir, "mail-disable") DoLink(global_dir, OutDir, "mail-greylist") DoLink(global_dir, OutDir, "mail-callout") @@ -1261,8 +1293,11 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): DoLink(global_dir, OutDir, "mail-whitelist") DoLink(global_dir, OutDir, "all-accounts.json") GenCDB(accounts, OutDir + "user-forward.cdb", 'emailForward') + GenDBM(accounts, OutDir + "user-forward.db", 'emailForward') GenCDB(accounts, OutDir + "batv-tokens.cdb", 'bATVToken') + GenDBM(accounts, OutDir + "batv-tokens.db", 'bATVToken') GenCDB(accounts, OutDir + "default-mail-options.cdb", 'mailDefaultOptions') + GenDBM(accounts, OutDir + "default-mail-options.db", 'mailDefaultOptions') # Compatibility. DoLink(global_dir, OutDir, "forward-alias") @@ -1286,15 +1321,24 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys): for entry in host[1]['exportOptions']: v = entry.split('=',1) if v[0] != 'GITOLITE' or len(v) != 2: continue - gitolite_accounts = filter(lambda x: IsInGroup(x, [v[1]], current_host), all_accounts) - gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts) - GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(v[1],)) + options = v[1].split(',') + group = options.pop(0); + gitolite_accounts = filter(lambda x: IsInGroup(x, [group], current_host), all_accounts) + if not 'nohosts' in options: + gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts) + else: + gitolite_hosts = [] + command = None + for opt in options: + if opt.startswith('sshcmd='): + command = opt.split('=',1)[1] + GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(group,), sshcommand=command, current_host=current_host) if 'WEB-PASSWORDS' in ExtraList: DoLink(global_dir, OutDir, "web-passwords") - if 'VOIP-PASSWORDS' in ExtraList: - DoLink(global_dir, OutDir, "voip-passwords") + if 'RTC-PASSWORDS' in ExtraList: + DoLink(global_dir, OutDir, "rtc-passwords") if 'KEYRING' in ExtraList: for k in Keyrings: @@ -1365,6 +1409,34 @@ def getLastBuildTime(gdir): return (cache_last_ldap_mod, cache_last_unix_mod, cache_last_run) +def mq_notify(options, message): + options.section = 'dsa-udgenerate' + options.config = '/etc/dsa/pubsub.conf' + + config = Config(options) + conf = { + 'rabbit_userid': config.username, + 'rabbit_password': config.password, + 'rabbit_virtual_host': config.vhost, + 'rabbit_hosts': ['pubsub02.debian.org', 'pubsub01.debian.org'], + 'use_ssl': False + } + + msg = { + 'message': message, + 'timestamp': int(time.time()) + } + conn = None + try: + conn = Connection(conf=conf) + conn.topic_send(config.topic, + json.dumps(msg), + exchange_name=config.exchange, + timeout=5) + finally: + if conn: + conn.close() + def ud_generate(): parser = optparse.OptionParser() parser.add_option("-g", "--generatedir", dest="generatedir", metavar="DIR", @@ -1400,16 +1472,15 @@ def ud_generate(): need_update = (ldap_last_mod > cache_last_ldap_mod) or (unix_last_mod > cache_last_unix_mod) or (time_started - last_run > MAX_UD_AGE) - if not options.force and not need_update: - fd = open(os.path.join(generate_dir, "last_update.trace"), "w") - fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run)) - fd.close() - sys.exit(0) - - tracefd = open(os.path.join(generate_dir, "last_update.trace"), "w") - generate_all(generate_dir, l) - tracefd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, time_started)) - tracefd.close() + fd = open(os.path.join(generate_dir, "last_update.trace"), "w") + if need_update or options.force: + msg = 'Update forced' if options.force else 'Update needed' + generate_all(generate_dir, l) + mq_notify(options, msg) + last_run = int(time.time()) + fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run)) + fd.close() + sys.exit(0) if __name__ == "__main__":