def read_authorized_keys(username=None): """Read public keys from specified user's authorized_keys file. args: username (str): username. returns: list: Authorised keys for the specified user. """ authorized_keys_path = '{0}/.ssh/authorized_keys'.format(os.path.expanduser('~{0}'.format(username))) rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH) tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format(username, rnd_chars) authorized_keys = list() copy_result = execute_command( shlex.split(str('{0} cp {1} {2}'.format(sudo_check(), authorized_keys_path, tmp_authorized_keys_path)))) result_message = copy_result[0][1].decode('UTF-8') if 'you must have a tty to run sudo' in result_message: # pragma: no cover raise OSError("/etc/sudoers is blocked sudo. Remove entry: 'Defaults requiretty'.") elif 'No such file or directory' not in result_message: execute_command(shlex.split(str('{0} chmod 755 {1}'.format(sudo_check(), tmp_authorized_keys_path)))) with open(tmp_authorized_keys_path) as keys_file: for key in keys_file: authorized_keys.append(PublicKey(raw=key)) execute_command(shlex.split(str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path)))) return authorized_keys
def execute_plan(plan=None): """Create, Modify or Delete, depending on plan item.""" execution_result = list() for task in plan: action = task['action'] if action == 'delete': command = generate_delete_user_command( username=task.get('username'), manage_home=task['manage_home']) command_output = execute_command(command) execution_result.append( dict(task=task, command_output=command_output)) remove_sudoers_entry(username=task.get('username')) elif action == 'add': command = generate_add_user_command( proposed_user=task.get('proposed_user'), manage_home=task['manage_home']) command_output = execute_command(command) if task['proposed_user'].public_keys and task[ 'manage_home'] and task['manage_keys']: write_authorized_keys(task['proposed_user']) if task['proposed_user'].sudoers_entry: write_sudoers_entry( username=task['proposed_user'].name, sudoers_entry=task['proposed_user'].sudoers_entry) execution_result.append( dict(task=task, command_output=command_output)) elif action == 'update': result = task['user_comparison'].get('result') # Don't modify user if only keys have changed action_count = 0 for k, _ in iteritems(result): if '_action' in k: action_count += 1 command_output = None if task['manage_home'] and task[ 'manage_keys'] and action_count == 1 and 'public_keys_action' in result: write_authorized_keys(task['proposed_user']) elif action_count == 1 and 'sudoers_entry_action' in result: write_sudoers_entry(username=task['proposed_user'].name, sudoers_entry=task['user_comparison'] ['result']['replacement_sudoers_entry']) else: command = generate_modify_user_command(task=task) command_output = execute_command(command) if task['manage_home'] and task['manage_keys'] and result.get( 'public_keys_action'): write_authorized_keys(task['proposed_user']) if result.get('sudoers_entry_action'): write_sudoers_entry( username=task['proposed_user'].name, sudoers_entry=task['user_comparison']['result'] ['replacement_sudoers_entry']) execution_result.append( dict(task=task, command_output=command_output))
def create_test_group(): if PLATFORM in ('Linux', 'OpenBSD'): command = shlex.split( str('{0} {1} -g 59999 testuserx1234'.format( sudo_check(), LINUX_CMD_GROUP_ADD))) elif PLATFORM == 'FreeBSD': command = shlex.split( str('{0} {1} groupadd -g 59999 -n testuserx1234'.format( sudo_check(), FREEBSD_CMD_PW))) assert execute_command(command=command)
def create_test_user(): if PLATFORM in ('Linux', 'OpenBSD'): command = shlex.split( str('{0} {1} -u 59999 -c \"test user gecos\" -m -s /bin/bash testuserx1234' .format(sudo_check(), LINUX_CMD_USERADD))) elif PLATFORM == 'FreeBSD': command = shlex.split( str('{0} {1} useradd -u 59999 -c \"test user gecos\" -m -s /bin/bash -n testuserx1234' .format(sudo_check(), FREEBSD_CMD_PW))) assert execute_command(command=command)
def execute_plan(plan=None): """Create, Modify or Delete, depending on plan item.""" execution_result = list() for task in plan: action = task['action'] if action == 'delete': command = generate_delete_user_command(username=task.get('username'), manage_home=task['manage_home']) command_output = execute_command(command) execution_result.append(dict(task=task, command_output=command_output)) remove_sudoers_entry(username=task.get('username')) elif action == 'add': command = generate_add_user_command(proposed_user=task.get('proposed_user'), manage_home=task['manage_home']) command_output = execute_command(command) if task['proposed_user'].public_keys and task['manage_home'] and task['manage_keys']: write_authorized_keys(task['proposed_user']) if task['proposed_user'].sudoers_entry: write_sudoers_entry(username=task['proposed_user'].name, sudoers_entry=task['proposed_user'].sudoers_entry) execution_result.append(dict(task=task, command_output=command_output)) elif action == 'update': result = task['user_comparison'].get('result') # Don't modify user if only keys have changed action_count = 0 for k, _ in iteritems(result): if '_action' in k: action_count += 1 command_output = None if task['manage_home'] and task['manage_keys'] and action_count == 1 and 'public_keys_action' in result: write_authorized_keys(task['proposed_user']) elif action_count == 1 and 'sudoers_entry_action' in result: write_sudoers_entry(username=task['proposed_user'].name, sudoers_entry=task['user_comparison']['result']['replacement_sudoers_entry']) else: command = generate_modify_user_command(task=task) command_output = execute_command(command) if task['manage_home'] and task['manage_keys'] and result.get('public_keys_action'): write_authorized_keys(task['proposed_user']) if result.get('sudoers_entry_action'): write_sudoers_entry(username=task['proposed_user'].name, sudoers_entry=task['user_comparison']['result']['replacement_sudoers_entry']) execution_result.append(dict(task=task, command_output=command_output))
def read_authorized_keys(username=None): """Read public keys from specified user's authorized_keys file. args: username (str): username. returns: list: Authorised keys for the specified user. """ authorized_keys_path = '{0}/.ssh/authorized_keys'.format( os.path.expanduser('~{0}'.format(username))) rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH) tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format( username, rnd_chars) authorized_keys = list() copy_result = execute_command( shlex.split( str('{0} cp {1} {2}'.format(sudo_check(), authorized_keys_path, tmp_authorized_keys_path)))) result_message = copy_result[0][1].decode('UTF-8') if 'you must have a tty to run sudo' in result_message: # pragma: no cover raise OSError( "/etc/sudoers is blocked sudo. Remove entry: 'Defaults requiretty'." ) elif 'No such file or directory' not in result_message: execute_command( shlex.split( str('{0} chmod 755 {1}'.format(sudo_check(), tmp_authorized_keys_path)))) with open(tmp_authorized_keys_path) as keys_file: for key in keys_file: authorized_keys.append(PublicKey(raw=key)) execute_command( shlex.split( str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path)))) return authorized_keys
def delete_test_user_and_group(): if PLATFORM == 'Linux': del_user_command = shlex.split( str('{0} {1} -r -f testuserx1234'.format(sudo_check(), LINUX_CMD_USERDEL))) execute_command(command=del_user_command) elif PLATFORM == 'OpenBSD': del_user_command = shlex.split( str('{0} {1} -r testuserx1234'.format(sudo_check(), LINUX_CMD_USERDEL))) execute_command(command=del_user_command) elif PLATFORM == 'FreeBSD': del_user_command = shlex.split( str('{0} {1} userdel -r -n testuserx1234'.format( sudo_check(), FREEBSD_CMD_PW))) execute_command(command=del_user_command) if PLATFORM in ('Linux', 'OpenBSD'): del_group_command = shlex.split( str('{0} {1} testuserx1234'.format(sudo_check(), GROUPDEL))) execute_command(command=del_group_command) del_user_ssh_dir_command = shlex.split(str('/bin/rm -rf /tmp/.ssh')) execute_command(command=del_user_ssh_dir_command) remove_sudoers_entry(username='******') execute_command(command=shlex.split( str('{0} rm -rf /home/testuserx1234'.format(sudo_check()))))
def write_authorized_keys(user=None): """Write public keys back to authorized_keys file. Create keys directory if it doesn't already exist. args: user (User): Instance of User containing keys. returns: list: Authorised keys for the specified user. """ authorized_keys = list() authorized_keys_dir = '{0}/.ssh'.format( os.path.expanduser('~{0}'.format(user.name))) rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH) authorized_keys_path = '{0}/authorized_keys'.format(authorized_keys_dir) tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format( user.name, rnd_chars) if not os.path.isdir(authorized_keys_dir): execute_command( shlex.split( str('{0} mkdir -p {1}'.format(sudo_check(), authorized_keys_dir)))) for key in user.public_keys: authorized_keys.append('{0}\n'.format(key.raw)) with open(tmp_authorized_keys_path, mode=text_type('w+')) as keys_file: keys_file.writelines(authorized_keys) execute_command( shlex.split( str('{0} cp {1} {2}'.format(sudo_check(), tmp_authorized_keys_path, authorized_keys_path)))) execute_command( shlex.split( str('{0} chown -R {1} {2}'.format(sudo_check(), user.name, authorized_keys_dir)))) execute_command( shlex.split( str('{0} chmod 700 {1}'.format(sudo_check(), authorized_keys_dir)))) execute_command( shlex.split( str('{0} chmod 600 {1}'.format(sudo_check(), authorized_keys_path)))) execute_command( shlex.split( str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path))))
def write_authorized_keys(user=None): """Write public keys back to authorized_keys file. Create keys directory if it doesn't already exist. args: user (User): Instance of User containing keys. returns: list: Authorised keys for the specified user. """ authorized_keys = list() authorized_keys_dir = '{0}/.ssh'.format(os.path.expanduser('~{0}'.format(user.name))) rnd_chars = random_string(length=RANDOM_FILE_EXT_LENGTH) authorized_keys_path = '{0}/authorized_keys'.format(authorized_keys_dir) tmp_authorized_keys_path = '/tmp/authorized_keys_{0}_{1}'.format(user.name, rnd_chars) if not os.path.isdir(authorized_keys_dir): execute_command(shlex.split(str('{0} mkdir -p {1}'.format(sudo_check(), authorized_keys_dir)))) for key in user.public_keys: authorized_keys.append('{0}\n'.format(key.raw)) with open(tmp_authorized_keys_path, mode=text_type('w+')) as keys_file: keys_file.writelines(authorized_keys) execute_command( shlex.split(str('{0} cp {1} {2}'.format(sudo_check(), tmp_authorized_keys_path, authorized_keys_path)))) execute_command(shlex.split(str('{0} chown -R {1} {2}'.format(sudo_check(), user.name, authorized_keys_dir)))) execute_command(shlex.split(str('{0} chmod 700 {1}'.format(sudo_check(), authorized_keys_dir)))) execute_command(shlex.split(str('{0} chmod 600 {1}'.format(sudo_check(), authorized_keys_path)))) execute_command(shlex.split(str('{0} rm {1}'.format(sudo_check(), tmp_authorized_keys_path))))