author | Matt Hart <matthew.hart@linaro.org> | 2015-06-14 20:21:18 +0100 |
committer | Matt Hart <matthew.hart@linaro.org> | 2015-06-25 16:17:41 +0100 |
commit | de9753cbbcd031cf9c654374d41bfd10cbc7392d (patch) | |
tree | b58cc07d63245ad6dd90c0d4b282f7084078b1b3 /grok-slave-keys | |
parent | a2046fa8256863c97dee78c6ccc39d764adf42db (diff) |
Use a library for accessing LDAP for ssh keys etc
Wrapper for the python LDAP library which takes its config from the local ldap.conf,
or from the file named by LDAP_CONF in the environment as an override.
Command line credentials are now ignored.
grok-slave-keys:
use the linaro_ldap library to greatly simplify the script
gitolite-tools/gitolite-keys:
use the linaro_ldap library, remove logging and config parsing for
simplicity
Change-Id: I002efbc1f7d47d3120855038aa1c5cc3d8292c98
Diffstat (limited to 'grok-slave-keys')
-rwxr-xr-x | grok-slave-keys | 91 |
1 files changed, 11 insertions, 80 deletions
diff --git a/grok-slave-keys b/grok-slave-keys
index 837fdcb..460a2ab 100755
--- a/grok-slave-keys
+++ b/grok-slave-keys
@@ -14,96 +14,27 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-import argparse
-import logging
 import os
-import subprocess
-import tempfile
+import linaro_ldap
-import ldap
-log = logging.getLogger()
-
-
-class LdapClient():
-
- def __init__(self, uri, user, key, base_dn):
- self.client = ldap.initialize(uri, trace_level=0)
- self.client.set_option(ldap.OPT_REFERRALS, 0)
- self.client.simple_bind(user, key)
- self.base_dn = base_dn
-
- def __del__(self):
- self.client.unbind()
-
- def get_users_and_keys(self):
- """Gets all the users and their associated SSH key.
-
- :return A list of tuples (uid, ssh_key), only if the user has an SSH
- key.
- """
- searchFilter = "(uid=*)"
- log.info("Retrieving uid and SSH keys from LDAP.")
- result = self.client.search_s(self.base_dn, ldap.SCOPE_SUBTREE,
- searchFilter,
- attrlist=['uid', 'sshPublicKey'])
-
- users_and_keys = []
- for user in result:
- try:
- # Just pick the first UID, it does not really matter how the
- # user is called, it will access the git repository via the
- # 'git' user.
- uid = user[1]['uid'][0]
- # But keep all the public keys a user has.
- # This might lead to problems when running the trigger to
- # update the SSH keys for gitolite, since a key can be broken
- # in so many ways, and we cannot do anything about that.
- # Manual intervention is needed in this cases.
- ssh_keys = user[1]['sshPublicKey']
- for index, ssh_key in enumerate(ssh_keys):
- if validate_key(ssh_key):
- users_and_keys.append((uid, ssh_key))
- except KeyError:
- # If there are no SSH keys, skip this user.
- pass
-
- users_and_keys.sort()
- return users_and_keys
-
-
-def validate_key(pubkey):
- with tempfile.NamedTemporaryFile(delete=True) as f:
- f.write(pubkey)
- f.flush()
- try:
- args = ['ssh-keygen', '-l', '-f', f.name]
- subprocess.check_output(args, stderr=subprocess.PIPE)
- except:
- return False
- return True
+def grok_slave_format(user, keysets):
+ fmt = 'command="/srv/linaro-git-tools/grok-shell slave %s",' \
+ 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s'
+ tempstring = ""
+ for keyset in keysets:
+ tempstring = tempstring + (fmt % (user, keyset[1])) + "\n"
+ return tempstring
 if __name__ == '__main__':
- parser = argparse.ArgumentParser(description='Sync ssh keys for git user')
- parser.add_argument(
- '-U', '--uri', default='ldaps://login.linaro.org')
- parser.add_argument(
- '-b', '--base-dn', default='ou=accounts,dc=linaro,dc=org')
- parser.add_argument('-u', '--user')
- parser.add_argument('-k', '--key')
-
- args = parser.parse_args()
 keys_file = os.path.expanduser('~/.ssh/authorized_keys')
 keys_file_tmp = keys_file + '.tmp'
- client = LdapClient(args.uri, args.user, args.key, args.base_dn)
+ result = linaro_ldap.get_users_and_keys(only_validated=True)
- fmt = 'command="/srv/linaro-git-tools/grok-shell slave %s",' \
- 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s'
 with open(keys_file_tmp, 'w') as f:
- for user, key in client.get_users_and_keys():
- f.write(fmt % (user, key))
- f.write('\n')
+ for user, keysets in result.iteritems():
+ f.write(grok_slave_format(user, keysets))
 os.rename(keys_file_tmp, keys_file)
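Review bot: In `grok_slave_format`, `user` and `keyset[1]` are interpolated unescaped into an authorized_keys options line, so a uid (or a key comment) containing `"` or a newline would terminate the `command="..."` restriction and let the remainder be parsed as further options or as a new key line; `only_validated=True` presumably covers the key material itself (the removed `validate_key` ran `ssh-keygen -l`), but nothing visible in this hunk constrains the uid. A conservative check before formatting, e.g. `if not re.match(r'^[A-Za-z0-9._-]+$', user): continue` (with `import re` at the top), keeps the forced command intact; rejecting keys containing a newline is cheap to add in the same place. Separately, in the `__main__` block an empty `result` (LDAP unreachable, or a query returning nothing) overwrites `~/.ssh/authorized_keys` with an empty file at `os.rename`, so `if not result: raise SystemExit('no keys returned from LDAP')` before the `with` avoids locking every user out on a transient failure. The accumulation loop would read better as `return ''.join(fmt % (user, keyset[1]) + '\n' for keyset in keysets)`, and the function needs a one-line docstring saying that `keysets` is the per-user list of tuples whose second element is the public key, since `keyset[1]` is otherwise opaque.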