def read_authorized_keys(username=None):
"""Read public keys from specified user's authorized_keys file.
args:
username (str): username.
returns:
list: Authorised keys for the specified user.
"""
authorized_keys_path = '{0}/.ssh/authorized_keys'.format(os.path.expanduser('~{0}'.format(username)))
rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH)
tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format(username, rnd_chars)
authorized_keys = list()
copy_result = execute_command(
shlex.split(str('{0} cp {1} {2}'.format(sudo_check(), authorized_keys_path, tmp_authorized_keys_path))))
result_message = copy_result[0][1].decode('UTF-8')
if 'you must have a tty to run sudo' in result_message: # pragma: no cover
raise OSError("/etc/sudoers is blocked sudo. Remove entry: 'Defaults requiretty'.")
elif 'No such file or directory' not in result_message:
execute_command(shlex.split(str('{0} chmod 755 {1}'.format(sudo_check(), tmp_authorized_keys_path))))
with open(tmp_authorized_keys_path) as keys_file:
for key in keys_file:
authorized_keys.append(PublicKey(raw=key))
execute_command(shlex.split(str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path))))
return authorized_keys
def execute_plan(plan=None):
"""Create, Modify or Delete, depending on plan item."""
execution_result = list()
for task in plan:
action = task['action']
if action == 'delete':
command = generate_delete_user_command(
username=task.get('username'), manage_home=task['manage_home'])
command_output = execute_command(command)
execution_result.append(
dict(task=task, command_output=command_output))
remove_sudoers_entry(username=task.get('username'))
elif action == 'add':
command = generate_add_user_command(
proposed_user=task.get('proposed_user'),
manage_home=task['manage_home'])
command_output = execute_command(command)
if task['proposed_user'].public_keys and task[
'manage_home'] and task['manage_keys']:
write_authorized_keys(task['proposed_user'])
if task['proposed_user'].sudoers_entry:
write_sudoers_entry(
username=task['proposed_user'].name,
sudoers_entry=task['proposed_user'].sudoers_entry)
execution_result.append(
dict(task=task, command_output=command_output))
elif action == 'update':
result = task['user_comparison'].get('result')
# Don't modify user if only keys have changed
action_count = 0
for k, _ in iteritems(result):
if '_action' in k:
action_count += 1
command_output = None
if task['manage_home'] and task[
'manage_keys'] and action_count == 1 and 'public_keys_action' in result:
write_authorized_keys(task['proposed_user'])
elif action_count == 1 and 'sudoers_entry_action' in result:
write_sudoers_entry(username=task['proposed_user'].name,
sudoers_entry=task['user_comparison']
['result']['replacement_sudoers_entry'])
else:
command = generate_modify_user_command(task=task)
command_output = execute_command(command)
if task['manage_home'] and task['manage_keys'] and result.get(
'public_keys_action'):
write_authorized_keys(task['proposed_user'])
if result.get('sudoers_entry_action'):
write_sudoers_entry(
username=task['proposed_user'].name,
sudoers_entry=task['user_comparison']['result']
['replacement_sudoers_entry'])
execution_result.append(
dict(task=task, command_output=command_output))
def create_test_group():
if PLATFORM in ('Linux', 'OpenBSD'):
command = shlex.split(
str('{0} {1} -g 59999 testuserx1234'.format(
sudo_check(), LINUX_CMD_GROUP_ADD)))
elif PLATFORM == 'FreeBSD':
command = shlex.split(
str('{0} {1} groupadd -g 59999 -n testuserx1234'.format(
sudo_check(), FREEBSD_CMD_PW)))
assert execute_command(command=command)
def create_test_user():
if PLATFORM in ('Linux', 'OpenBSD'):
command = shlex.split(
str('{0} {1} -u 59999 -c \"test user gecos\" -m -s /bin/bash testuserx1234'
.format(sudo_check(), LINUX_CMD_USERADD)))
elif PLATFORM == 'FreeBSD':
command = shlex.split(
str('{0} {1} useradd -u 59999 -c \"test user gecos\" -m -s /bin/bash -n testuserx1234'
.format(sudo_check(), FREEBSD_CMD_PW)))
assert execute_command(command=command)
def execute_plan(plan=None):
"""Create, Modify or Delete, depending on plan item."""
execution_result = list()
for task in plan:
action = task['action']
if action == 'delete':
command = generate_delete_user_command(username=task.get('username'), manage_home=task['manage_home'])
command_output = execute_command(command)
execution_result.append(dict(task=task, command_output=command_output))
remove_sudoers_entry(username=task.get('username'))
elif action == 'add':
command = generate_add_user_command(proposed_user=task.get('proposed_user'), manage_home=task['manage_home'])
command_output = execute_command(command)
if task['proposed_user'].public_keys and task['manage_home'] and task['manage_keys']:
write_authorized_keys(task['proposed_user'])
if task['proposed_user'].sudoers_entry:
write_sudoers_entry(username=task['proposed_user'].name,
sudoers_entry=task['proposed_user'].sudoers_entry)
execution_result.append(dict(task=task, command_output=command_output))
elif action == 'update':
result = task['user_comparison'].get('result')
# Don't modify user if only keys have changed
action_count = 0
for k, _ in iteritems(result):
if '_action' in k:
action_count += 1
command_output = None
if task['manage_home'] and task['manage_keys'] and action_count == 1 and 'public_keys_action' in result:
write_authorized_keys(task['proposed_user'])
elif action_count == 1 and 'sudoers_entry_action' in result:
write_sudoers_entry(username=task['proposed_user'].name,
sudoers_entry=task['user_comparison']['result']['replacement_sudoers_entry'])
else:
command = generate_modify_user_command(task=task)
command_output = execute_command(command)
if task['manage_home'] and task['manage_keys'] and result.get('public_keys_action'):
write_authorized_keys(task['proposed_user'])
if result.get('sudoers_entry_action'):
write_sudoers_entry(username=task['proposed_user'].name,
sudoers_entry=task['user_comparison']['result']['replacement_sudoers_entry'])
execution_result.append(dict(task=task, command_output=command_output))
def read_authorized_keys(username=None):
"""Read public keys from specified user's authorized_keys file.
args:
username (str): username.
returns:
list: Authorised keys for the specified user.
"""
authorized_keys_path = '{0}/.ssh/authorized_keys'.format(
os.path.expanduser('~{0}'.format(username)))
rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH)
tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format(
username, rnd_chars)
authorized_keys = list()
copy_result = execute_command(
shlex.split(
str('{0} cp {1} {2}'.format(sudo_check(), authorized_keys_path,
tmp_authorized_keys_path))))
result_message = copy_result[0][1].decode('UTF-8')
if 'you must have a tty to run sudo' in result_message: # pragma: no cover
raise OSError(
"/etc/sudoers is blocked sudo. Remove entry: 'Defaults requiretty'."
)
elif 'No such file or directory' not in result_message:
execute_command(
shlex.split(
str('{0} chmod 755 {1}'.format(sudo_check(),
tmp_authorized_keys_path))))
with open(tmp_authorized_keys_path) as keys_file:
for key in keys_file:
authorized_keys.append(PublicKey(raw=key))
execute_command(
shlex.split(
str('{0} rm {1}'.format(sudo_check(),
tmp_authorized_keys_path))))
return authorized_keys
def delete_test_user_and_group():
if PLATFORM == 'Linux':
del_user_command = shlex.split(
str('{0} {1} -r -f testuserx1234'.format(sudo_check(),
LINUX_CMD_USERDEL)))
execute_command(command=del_user_command)
elif PLATFORM == 'OpenBSD':
del_user_command = shlex.split(
str('{0} {1} -r testuserx1234'.format(sudo_check(),
LINUX_CMD_USERDEL)))
execute_command(command=del_user_command)
elif PLATFORM == 'FreeBSD':
del_user_command = shlex.split(
str('{0} {1} userdel -r -n testuserx1234'.format(
sudo_check(), FREEBSD_CMD_PW)))
execute_command(command=del_user_command)
if PLATFORM in ('Linux', 'OpenBSD'):
del_group_command = shlex.split(
str('{0} {1} testuserx1234'.format(sudo_check(), GROUPDEL)))
execute_command(command=del_group_command)
del_user_ssh_dir_command = shlex.split(str('/bin/rm -rf /tmp/.ssh'))
execute_command(command=del_user_ssh_dir_command)
remove_sudoers_entry(username='******')
execute_command(command=shlex.split(
str('{0} rm -rf /home/testuserx1234'.format(sudo_check()))))
def write_authorized_keys(user=None):
"""Write public keys back to authorized_keys file. Create keys directory if it doesn't already exist.
args:
user (User): Instance of User containing keys.
returns:
list: Authorised keys for the specified user.
"""
authorized_keys = list()
authorized_keys_dir = '{0}/.ssh'.format(
os.path.expanduser('~{0}'.format(user.name)))
rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH)
authorized_keys_path = '{0}/authorized_keys'.format(authorized_keys_dir)
tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format(
user.name, rnd_chars)
if not os.path.isdir(authorized_keys_dir):
execute_command(
shlex.split(
str('{0} mkdir -p {1}'.format(sudo_check(),
authorized_keys_dir))))
for key in user.public_keys:
authorized_keys.append('{0}\n'.format(key.raw))
with open(tmp_authorized_keys_path, mode=text_type('w+')) as keys_file:
keys_file.writelines(authorized_keys)
execute_command(
shlex.split(
str('{0} cp {1} {2}'.format(sudo_check(), tmp_authorized_keys_path,
authorized_keys_path))))
execute_command(
shlex.split(
str('{0} chown -R {1} {2}'.format(sudo_check(), user.name,
authorized_keys_dir))))
execute_command(
shlex.split(
str('{0} chmod 700 {1}'.format(sudo_check(),
authorized_keys_dir))))
execute_command(
shlex.split(
str('{0} chmod 600 {1}'.format(sudo_check(),
authorized_keys_path))))
execute_command(
shlex.split(
str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path))))
def write_authorized_keys(user=None):
"""Write public keys back to authorized_keys file. Create keys directory if it doesn't already exist.
args:
user (User): Instance of User containing keys.
returns:
list: Authorised keys for the specified user.
"""
authorized_keys = list()
authorized_keys_dir = '{0}/.ssh'.format(os.path.expanduser('~{0}'.format(user.name)))
rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH)
authorized_keys_path = '{0}/authorized_keys'.format(authorized_keys_dir)
tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format(user.name, rnd_chars)
if not os.path.isdir(authorized_keys_dir):
execute_command(shlex.split(str('{0} mkdir -p {1}'.format(sudo_check(), authorized_keys_dir))))
for key in user.public_keys:
authorized_keys.append('{0}\n'.format(key.raw))
with open(tmp_authorized_keys_path, mode=text_type('w+')) as keys_file:
keys_file.writelines(authorized_keys)
execute_command(
shlex.split(str('{0} cp {1} {2}'.format(sudo_check(), tmp_authorized_keys_path, authorized_keys_path))))
execute_command(shlex.split(str('{0} chown -R {1} {2}'.format(sudo_check(), user.name, authorized_keys_dir))))
execute_command(shlex.split(str('{0} chmod 700 {1}'.format(sudo_check(), authorized_keys_dir))))
execute_command(shlex.split(str('{0} chmod 600 {1}'.format(sudo_check(), authorized_keys_path))))
execute_command(shlex.split(str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path))))