X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=ud-generate;h=7b9ca4cf21d562cf6930b2b8512e97dfb17093d7;hp=fa15b3a0f7e1f49743620e0e0b1f847ac0873a3c;hb=871ab5f2e8bda25130c70834052fa8fb020a5373;hpb=2303e436c1bd45b0c1da7fb658102e40636c74ae

diff --git a/ud-generate b/ud-generate
index fa15b3a..7b9ca4c 100755
--- a/ud-generate
+++ b/ud-generate
@@ -74,6 +74,7 @@ isSSHFP = re.compile("^\s*IN\s+SSHFP")
 DNSZone = ".debian.net"
 Keyrings = ConfModule.sync_keyrings.split(":")
 GitoliteSSHRestrictions = getattr(ConfModule, "gitolitesshrestrictions", None)
+GitoliteSSHCommand = getattr(ConfModule, "gitolitesshcommand", None)
 GitoliteExportHosts = re.compile(getattr(ConfModule, "gitoliteexporthosts", "."))
 MX_remap = json.loads(ConfModule.MX_remap)
 
@@ -160,9 +161,6 @@ def IsRetired(account):
 
    return False
 
-#def IsGidDebian(account):
-#   return account['gidNumber'] == 800
-
 # See if this user is in the group list
 def IsInGroup(account, allowed, current_host):
   # See if the primary group is in the list
@@ -306,7 +304,7 @@ def GenShadowSudo(accounts, File, untrusted, current_host):
          Pass = '*'
          if 'sudoPassword' in a:
             for entry in a['sudoPassword']:
-               Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*]+) ([^ ]+)$').match(entry)
+               Match = re.compile('^('+UUID_FORMAT+') (confirmed:[0-9a-f]{40}|unconfirmed) ([a-z0-9.,*-]+) ([^ ]+)$').match(entry)
                if Match == None:
                   continue
                uuid = Match.group(1)
@@ -340,8 +338,10 @@ def GenShadowSudo(accounts, File, untrusted, current_host):
    Done(File, F, None)
 
 # Generate the sudo passwd file
-def GenSSHGitolite(accounts, hosts, File):
+def GenSSHGitolite(accounts, hosts, File, sshcommand=None, current_host=None):
    F = None
+   if sshcommand is None:
+      sshcommand = GitoliteSSHCommand
    try:
       OldMask = os.umask(0022)
       F = open(File + ".tmp", "w", 0600)
@@ -352,19 +352,30 @@ def GenSSHGitolite(accounts, hosts, File):
             if not 'sshRSAAuthKey' in a: continue
 
             User = a['uid']
-            prefix = GitoliteSSHRestrictions.replace('@@USER@@', User)
+            prefix = GitoliteSSHRestrictions
+            prefix = prefix.replace('@@COMMAND@@', sshcommand)
+            prefix = prefix.replace('@@USER@@', User)
             for I in a["sshRSAAuthKey"]:
+               if I.startswith("allowed_hosts=") and ' ' in line:
+                  if current_host is None:
+                     continue
+                  machines, I = I.split('=', 1)[1].split(' ', 1)
+                  if current_host not in machines.split(','):
+                     continue # skip this key
+
                if I.startswith('ssh-'):
                   line = "%s %s"%(prefix, I)
                else:
-                  line = "%s,%s"%(prefix, I)
+                  continue # do not allow keys with other restrictions that might conflict
                line = Sanitize(line) + "\n"
                F.write(line)
 
          for dn, attrs in hosts:
             if not 'sshRSAHostKey' in attrs: continue
             hostname = "host-" + attrs['hostname'][0]
-            prefix = GitoliteSSHRestrictions.replace('@@USER@@', hostname)
+            prefix = GitoliteSSHRestrictions
+            prefix = prefix.replace('@@COMMAND@@', sshcommand)
+            prefix = prefix.replace('@@USER@@', hostname)
             for I in attrs["sshRSAHostKey"]:
                line = "%s %s"%(prefix, I)
                line = Sanitize(line) + "\n"
@@ -413,8 +424,8 @@ def GenWebPassword(accounts, File):
       Die(File, None, F)
       raise
 
-# Generate the voipPassword list
-def GenVoipPassword(accounts, File):
+# Generate the rtcPassword list
+def GenRtcPassword(accounts, File):
    F = None
    try:
       OldMask = os.umask(0077)
@@ -422,10 +433,10 @@ def GenVoipPassword(accounts, File):
       os.umask(OldMask)
 
       for a in accounts:
-         if not 'voipPassword' in a: continue
+         if not 'rtcPassword' in a: continue
          if not a.pw_active(): continue
 
-         Line = "%s@debian.org:%s:sip.debian.org:AUTHORIZED" % (a['uid'], str(a['voipPassword']))
+         Line = "%s@debian.org:%s:rtc.debian.org:AUTHORIZED" % (a['uid'], str(a['rtcPassword']))
          Line = Sanitize(Line) + "\n"
          F.write("%s" % (Line))
 
@@ -872,10 +883,14 @@ def ExtractDNSInfo(x):
             Algorithm = 1
          if Split[0] == 'ssh-dss':
             Algorithm = 2
+         if Split[0] == 'ssh-ed25519':
+            Algorithm = 4
          if Algorithm == None:
             continue
          Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest()
          DNSInfo.append("%sIN\tSSHFP\t%u 1 %s" % (TTLprefix, Algorithm, Fingerprint))
+         Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest()
+         DNSInfo.append("%sIN\tSSHFP\t%u 2 %s" % (TTLprefix, Algorithm, Fingerprint))
 
    if 'architecture' in x[1]:
       Arch = GetAttr(x, "architecture")
@@ -1105,7 +1120,8 @@ def get_accounts(ldap_conn):
                     "keyFingerPrint", "privateSub", "mailDisableMessage",\
                     "mailGreylisting", "mailCallout", "mailRBL", "mailRHSBL",\
                     "mailWhitelist", "sudoPassword", "objectClass", "accountStatus",\
-                    "mailContentInspectionAction", "webPassword", "voipPassword"])
+                    "mailContentInspectionAction", "webPassword", "rtcPassword",\
+                    "bATVToken"])
 
    if passwd_attrs is None:
       raise UDEmptyList, "No Users"
@@ -1176,7 +1192,6 @@ def generate_all(global_dir, ldap_conn):
    accounts_disabled = GenDisabledAccounts(accounts, global_dir + "disabled-accounts")
 
    accounts = filter(lambda x: not IsRetired(x), accounts)
-   #accounts_DDs = filter(lambda x: IsGidDebian(x), accounts)
 
    CheckForward(accounts)
 
@@ -1193,7 +1208,7 @@ def generate_all(global_dir, ldap_conn):
    GenMailList(accounts, global_dir + "mail-rhsbl", "mailRHSBL")
    GenMailList(accounts, global_dir + "mail-whitelist", "mailWhitelist")
    GenWebPassword(accounts, global_dir + "web-passwords")
-   GenVoipPassword(accounts, global_dir + "voip-passwords")
+   GenRtcPassword(accounts, global_dir + "rtc-passwords")
    GenKeyrings(global_dir)
 
    # Compatibility.
@@ -1306,15 +1321,24 @@ def generate_host(host, global_dir, all_accounts, all_hosts, ssh_userkeys):
       for entry in host[1]['exportOptions']:
          v = entry.split('=',1)
          if v[0] != 'GITOLITE' or len(v) != 2: continue
-         gitolite_accounts = filter(lambda x: IsInGroup(x, [v[1]], current_host), all_accounts)
-         gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts)
-         GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(v[1],))
+         options = v[1].split(',')
+         group = options.pop(0);
+         gitolite_accounts = filter(lambda x: IsInGroup(x, [group], current_host), all_accounts)
+         if not 'nohosts' in options:
+            gitolite_hosts = filter(lambda x: GitoliteExportHosts.match(x[1]["hostname"][0]), all_hosts)
+         else:
+            gitolite_hosts = []
+         command = None
+         for opt in options:
+            if opt.startswith('sshcmd='):
+               command = opt.split('=',1)[1]
+         GenSSHGitolite(gitolite_accounts, gitolite_hosts, OutDir + "ssh-gitolite-%s"%(group,), sshcommand=command, current_host=current_host)
 
    if 'WEB-PASSWORDS' in ExtraList:
       DoLink(global_dir, OutDir, "web-passwords")
 
-   if 'VOIP-PASSWORDS' in ExtraList:
-      DoLink(global_dir, OutDir, "voip-passwords")
+   if 'RTC-PASSWORDS' in ExtraList:
+      DoLink(global_dir, OutDir, "rtc-passwords")
 
    if 'KEYRING' in ExtraList:
       for k in Keyrings:
@@ -1385,7 +1409,7 @@ def getLastBuildTime(gdir):
 
    return (cache_last_ldap_mod, cache_last_unix_mod, cache_last_run)
 
-def mq_notify(options):
+def mq_notify(options, message):
    options.section = 'dsa-udgenerate'
    options.config = '/etc/dsa/pubsub.conf'
 
@@ -1397,11 +1421,16 @@ def mq_notify(options):
       'rabbit_hosts': ['pubsub02.debian.org', 'pubsub01.debian.org'],
       'use_ssl': False
    }
+
+   msg = {
+      'message': message,
+      'timestamp': int(time.time())
+   }
    conn = None
    try:
       conn = Connection(conf=conf)
       conn.topic_send(config.topic,
-            'update',
+            json.dumps(msg),
             exchange_name=config.exchange,
             timeout=5)
    finally:
@@ -1414,8 +1443,6 @@ def ud_generate():
      help="Output directory.")
    parser.add_option("-f", "--force", dest="force", action="store_true",
      help="Force generation, even if no update to LDAP has happened.")
-   parser.add_option("-m", "--mq", action="store_true", default=False,
-     help="Send update trigger over MQ")
 
    (options, args) = parser.parse_args()
    if len(args) > 0:
@@ -1445,18 +1472,15 @@ def ud_generate():
 
    need_update = (ldap_last_mod > cache_last_ldap_mod) or (unix_last_mod > cache_last_unix_mod) or (time_started - last_run > MAX_UD_AGE)
 
-   if not options.force and not need_update:
-      fd = open(os.path.join(generate_dir, "last_update.trace"), "w")
-      fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run))
-      fd.close()
-      sys.exit(0)
-
-   tracefd = open(os.path.join(generate_dir, "last_update.trace"), "w")
-   generate_all(generate_dir, l)
-   tracefd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, time_started))
-   tracefd.close()
-   if options.mq:
-      mq_notify(options)
+   fd = open(os.path.join(generate_dir, "last_update.trace"), "w")
+   if need_update or options.force:
+      msg = 'Update forced' if options.force else 'Update needed'
+      generate_all(generate_dir, l)
+      mq_notify(options, msg)
+      last_run = int(time.time())
+   fd.write("%s\n%s\n%s\n" % (ldap_last_mod, unix_last_mod, last_run))
+   fd.close()
+   sys.exit(0)
 
 
 if __name__ == "__main__":