authorMatt Hart <matthew.hart@linaro.org>2015-06-14 20:21:18 +0100
committerMatt Hart <matthew.hart@linaro.org>2015-06-25 16:17:41 +0100
commitde9753cbbcd031cf9c654374d41bfd10cbc7392d (patch)
treeb58cc07d63245ad6dd90c0d4b282f7084078b1b3 /grok-slave-keys
parenta2046fa8256863c97dee78c6ccc39d764adf42db (diff)
Use a library for accessing LDAP for ssh keys etc
Wrapper for the python LDAP library which uses config from local ldap.conf, or the override LDAP_CONF in the environment. Command line credentials are now ignored. grok-slave-keys: use the linaro_ldap library to greatly simplify the script. gitolite-tools/gitolite-keys: use the linaro_ldap library; remove logging and config parsing for simplicity. Change-Id: I002efbc1f7d47d3120855038aa1c5cc3d8292c98
Diffstat (limited to 'grok-slave-keys')
-rwxr-xr-xgrok-slave-keys91
1 files changed, 11 insertions, 80 deletions
diff --git a/grok-slave-keys b/grok-slave-keys
index 837fdcb..460a2ab 100755
--- a/grok-slave-keys
+++ b/grok-slave-keys
@@ -14,96 +14,27 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import argparse
-import logging
import os
-import subprocess
-import tempfile
+import linaro_ldap
-import ldap
-log = logging.getLogger()
-
-
-class LdapClient():
-
- def __init__(self, uri, user, key, base_dn):
- self.client = ldap.initialize(uri, trace_level=0)
- self.client.set_option(ldap.OPT_REFERRALS, 0)
- self.client.simple_bind(user, key)
- self.base_dn = base_dn
-
- def __del__(self):
- self.client.unbind()
-
- def get_users_and_keys(self):
- """Gets all the users and their associated SSH key.
-
- :return A list of tuples (uid, ssh_key), only if the user has an SSH
- key.
- """
- searchFilter = "(uid=*)"
- log.info("Retrieving uid and SSH keys from LDAP.")
- result = self.client.search_s(self.base_dn, ldap.SCOPE_SUBTREE,
- searchFilter,
- attrlist=['uid', 'sshPublicKey'])
-
- users_and_keys = []
- for user in result:
- try:
- # Just pick the first UID, it does not really matter how the
- # user is called, it will access the git repository via the
- # 'git' user.
- uid = user[1]['uid'][0]
- # But keep all the public keys a user has.
- # This might lead to problems when running the trigger to
- # update the SSH keys for gitolite, since a key can be broken
- # in so many ways, and we cannot do anything about that.
- # Manual intervention is needed in this cases.
- ssh_keys = user[1]['sshPublicKey']
- for index, ssh_key in enumerate(ssh_keys):
- if validate_key(ssh_key):
- users_and_keys.append((uid, ssh_key))
- except KeyError:
- # If there are no SSH keys, skip this user.
- pass
-
- users_and_keys.sort()
- return users_and_keys
-
-
-def validate_key(pubkey):
- with tempfile.NamedTemporaryFile(delete=True) as f:
- f.write(pubkey)
- f.flush()
- try:
- args = ['ssh-keygen', '-l', '-f', f.name]
- subprocess.check_output(args, stderr=subprocess.PIPE)
- except:
- return False
- return True
+def grok_slave_format(user, keysets):
+ fmt = 'command="/srv/linaro-git-tools/grok-shell slave %s",' \
+ 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s'
+ tempstring = ""
+ for keyset in keysets:
+ tempstring = tempstring + (fmt % (user, keyset[1])) + "\n"
+ return tempstring
if __name__ == '__main__':
- parser = argparse.ArgumentParser(description='Sync ssh keys for git user')
- parser.add_argument(
- '-U', '--uri', default='ldaps://login.linaro.org')
- parser.add_argument(
- '-b', '--base-dn', default='ou=accounts,dc=linaro,dc=org')
- parser.add_argument('-u', '--user')
- parser.add_argument('-k', '--key')
-
- args = parser.parse_args()
keys_file = os.path.expanduser('~/.ssh/authorized_keys')
keys_file_tmp = keys_file + '.tmp'
- client = LdapClient(args.uri, args.user, args.key, args.base_dn)
+ result = linaro_ldap.get_users_and_keys(only_validated=True)
- fmt = 'command="/srv/linaro-git-tools/grok-shell slave %s",' \
- 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s'
with open(keys_file_tmp, 'w') as f:
- for user, key in client.get_users_and_keys():
- f.write(fmt % (user, key))
- f.write('\n')
+ for user, keysets in result.iteritems():
+ f.write(grok_slave_format(user, keysets))
os.rename(keys_file_tmp, keys_file)
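Review bot: grok_slave_format builds its result by repeated string concatenation and gives no hint of what a `keyset` is; `return "".join(fmt % (user, keyset[1]) + "\n" for keyset in keysets)` plus a docstring stating that each keyset is indexed at position 1 for its key text would make the shape explicit. The removed loop wrote users in sorted order, whereas `result.iteritems()` yields dict order, so consecutive runs may produce authorized_keys files that differ only in line ordering; `for user, keysets in sorted(result.iteritems()):` restores deterministic output. The uid and key text are still interpolated unescaped into the `command="..."` options field; unless linaro_ldap guarantees their character set, a uid containing a double quote or newline would corrupt the line, so a character-set check on `user` before formatting is worth adding. The `__main__` block is otherwise unchanged in behaviour: temp file written then renamed over `~/.ssh/authorized_keys`.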