def _get_last_website_login(username):
""" Retrieve from FAS the last time this user has been seen.
:arg username, the fas username from who we would like to see the
last connection in FAS.
"""
from fedora.client import AccountSystem
fasclient = AccountSystem()
log.debug('Querying FAS for user: {0}'.format(username))
try:
import fedora_cert
fasusername = fedora_cert.read_user_cert()
except Exception:
log.debug('Could not read Fedora cert, using login name')
if PY3:
fasusername = input('FAS username: '******'FAS username: '******'FAS password for %s: ' % fasusername)
fasclient.username = fasusername
fasclient.password = password
person = fasclient.person_by_username(username)
print('Last login in FAS:')
print(' %s %s' % (username, person['last_seen'].split(' ')[0]))
print()
def validateFedoraUser(request):
# Setup FAS client
fasclient = AccountSystem()
try:
fasusername = fedora_cert.read_user_cert()
print " * FAS username: %s" % fasusername
except:
fasusername = raw_input(' * FAS username: '******' * FAS password: ')
fasclient.username = fasusername
fasclient.password = password
# Query user
fasid = request["fasid"]
email = request["email"]
person = fasclient.person_by_username(fasid)
# Validate user
if not person:
raise Exception("Request submitter %s does not match a known FAS username" % fasid)
if not person["bugzilla_email"] == email:
raise Exception("Email %s of request submitter does not match email of specified FAS user %s" % (email, fasid))
if "cla_fpca" not in person["group_roles"] or person["group_roles"]["cla_fpca"]["role_status"] != "approved":
raise Exception("Request submitter %s has not signed the Fedora Project Contributor Agreement" % fasid)
if "packager" not in person["group_roles"] or person["group_roles"]["packager"]["role_status"] != "approved":
if request["branches"].difference(set(["master"])):
raise Exception("Request contains patches for stable-release branches, but user %s is not a packager" % fasid)
print " => User %s successfully validated" % fasid
def _get_fas(url=rfpkgdb2client.FAS_URL, insecure=False):
''' Return a bugzilla object. '''
global FASCLIENT
if not FASCLIENT or FASCLIENT.base_url != url:
FASCLIENT = AccountSystem(url, username=USERNAME)
FASCLIENT.insecure = insecure
return FASCLIENT
def _get_fas(url=pkgdb2client.FAS_URL, insecure=False):
''' Return a bugzilla object. '''
global FASCLIENT
if not FASCLIENT or FASCLIENT.base_url != url:
FASCLIENT = AccountSystem(
url, username=USERNAME)
FASCLIENT.insecure = insecure
return FASCLIENT
def group_users(self, group_name):
group_json = dict()
account = AccountSystem(username=self.username, password=self.password)
try:
group_json = account.group_members(group_name)
except AuthError:
print("[*] Invalid Username / Password")
return 1
userlist = [user_desc.values()[0] for user_desc in group_json]
return userlist
def group_users(self, group_name):
group_json = dict()
account = AccountSystem(username=self.username,
password=self.password)
try:
group_json = account.group_members(group_name)
except AuthError:
print("[*] Invalid Username / Password")
return 1
userlist = [user_desc.values()[0] for user_desc in group_json]
return userlist
def group_users(self, group_name):
userlist = list()
group_json = {}
account = AccountSystem(username=self.username,
password=self.password)
try:
group_json = account.group_members(group_name)
except AuthError:
print("[*] Invalid Username / Password")
for user_desc in group_json:
userlist.append(user_desc.values()[0])
return userlist
def user_active(self, name):
user_json = dict()
account = AccountSystem(username=self.username, password=self.password)
try:
user_json = account.person_by_username(name)
except AuthError:
print("[*] Invalid Username / Password")
return 1
try:
if user_json['status'] == 'active':
return True
else:
return False
except KeyError:
return False
def user_active(self, name):
user_json = dict()
account = AccountSystem(username=self.username,
password=self.password)
try:
user_json = account.person_by_username(name)
except AuthError:
print("[*] Invalid Username / Password")
return 1
try:
if user_json['status'] == 'active':
return True
else:
return False
except KeyError:
return False
def _get_last_website_login(username):
""" Retrieve from FAS the last time this user has been seen.
:arg username, the fas username from who we would like to see the
last connection in FAS.
"""
from fedora.client import AccountSystem
fasclient = AccountSystem()
log.debug('Querying FAS for user: {0}'.format(username))
try:
fasusername = fedora_cert.read_user_cert()
except Exception:
log.debug('Could not read Fedora cert, using login name')
fasusername = raw_input('FAS username: '******'FAS password for %s: ' % fasusername)
fasclient.username = fasusername
fasclient.password = password
person = fasclient.person_by_username(username)
print('Last login in FAS:')
print(' %s %s' % (username, person['last_seen'].split(' ')[0]))
import logging
log = logging.getLogger('turbogears.identity.jsonfasprovider')
if config.get('identity.ssl', False):
fas_user = config.get('fas.username', None)
fas_password = config.get('fas.password', None)
if not (fas_user and fas_password):
raise identity.IdentityConfigurationException(
'Cannot enable ssl certificate auth via identity.ssl'
' without setting fas.usernamme and fas.password for'
' authorization')
__url = config.get('fas.url', None)
if __url:
fas = AccountSystem(__url,
username=config.get('fas.username'),
password=config.get('fas.password'),
retries=3)
class JsonFasIdentity(BaseClient):
'''Associate an identity with a person in the auth system.
'''
cookie_name = config.get('visit.cookie.name', 'tg-visit')
fas_url = config.get('fas.url',
'https://admin.fedoraproject.org/accounts/')
useragent = 'JsonFasIdentity/%s' % __version__
cache_session = False
def __init__(self,
visit_key=None,
user=None,
"""
import argparse
import fedora_cert
import getpass
import koji
import logging
import re
import sys
import time
import urllib
from fedora.client import AppError, ServerError, AccountSystem
from bugzilla.rhbugzilla import RHBugzilla3
kojiclient = koji.ClientSession('http://koji.fedoraproject.org/kojihub', {})
fasclient = AccountSystem()
bzclient = RHBugzilla3(url='https://bugzilla.redhat.com/xmlrpc.cgi')
# Initial simple logging stuff
logging.basicConfig()
log = logging.getLogger("pkgdb")
if '--debug' in sys.argv:
log.setLevel(logging.DEBUG)
#pkgdbclient.debug = True
elif '--verbose' in sys.argv:
log.setLevel(logging.INFO)
_table_keys = {
'user_perms': ['user_id', 'perm_id'],
'user_groups': ['user_id', 'group_id'],
'tag_inheritance': ['tag_id', 'parent_id'],
if verbose:
print('Adding the following keys:')
print(to_add)
for key in to_add:
add_key(openshift_host, openshift_user, openshift_pass, '%(prefix)s%(username)s' % {'prefix': prefix, 'username': key['username']}, key['type'], key['contents'], verbose=verbose)
if verbose:
print('Done')
if __name__ == '__main__':
parser = ArgumentParser()
parser.add_argument('-config_file', help='The configuration file to use', default='/etc/sync-openshift-keys.conf')
parser.add_argument('--verbose', '-v', help='Make the script more verbose', action='store_true')
args = parser.parse_args()
config = ConfigParser.ConfigParser()
config.read(args.config_file)
fas = AccountSystem(config.get('fas', 'url'), username=config.get('fas', 'user'), password=config.get('fas', 'pass'))
fas.insecure = True
if args.verbose:
print('Getting users...')
users = get_users_to_have_access(fas, string.split(config.get('general', 'groups'), ','))
if args.verbose:
print('Done: %s' % users)
print('Getting keys in FAS...')
keys_fas = get_users_ssh_keys(fas, users)
if args.verbose:
print('Done: %s')
print('Getting keys in Openshift...')
keys_openshift = get_keys(config.get('openshift', 'host'), config.get('openshift', 'user'), config.get('openshift', 'pass'))
if args.verbose:
print('Done')
print('Getting keys to remove...')
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# vim: noai:ts=4:sw=4:expandtab
from fedora.client import AuthError, AccountSystem
from six.moves import configparser
import bugzilla
import datetime
import getpass
import os
import six
DAYS_AGO = 60
client = AccountSystem()
bz = bugzilla.Bugzilla(url='https://bugzilla.redhat.com/xmlrpc.cgi')
# cache mapping of user id to name
map_id_to_name = {}
def convert_id_to_name(user_id):
if user_id not in map_id_to_name:
map_id_to_name[user_id] = client.person_by_id(user_id).username
return map_id_to_name[user_id]
def process_user(username):
fas_user = client.person_by_username(username)
if fas_user.status != u'active':
return None
human_name = bz.getuser(fas_user.bugzilla_email).real_name
if args.site == None:
args.site = 'https://admin.fedoraproject.org/accounts/'
if args.verbose:
print 'Using site: %(site)s' % {'site': args.site}
if args.verbose:
if args.gpg_home == None:
print 'Using default gpg_home'
else:
print 'Using gpg_home: %(gpghome)s' % {'gpghome': args.gpg_home}
if args.gpg_home != None:
os.putenv('GNUPGHOME', args.gpg_home)
fas = AccountSystem(args.site, username=args.admin_user, password=args.admin_pass, insecure=args.insecure)
if args.verbose:
print 'Getting user details...'
try:
details = fas.person_by_username(args.target_user)
except AuthError:
print 'Failed to login to FAS. Please check admin_user and admin_pass!'
sys.exit(2)
except ServerError:
print 'Failed to retrieve user details: the server reported an error!'
sys.exit(3)
if not 'username' in details.keys():
print 'Error: user %(username)s is not known on this FAS site!' % {'username': args.target_user}
sys.exit(4)
print _('''Please run this program as root as it will need to write
directly to the yubikey usb''')
sys.exit(5)
print _('''
Attention: You are about to reprogram your yubikey! Please ensure it is
plugged in to your USB slot before continuing. The secret key currently on
your yubikey will be destroyed as part of this operation!
''')
print 'Contacting %s' % opts.url
password = getpass('Password for %s: ' % opts.username)
fas = AccountSystem(username=opts.username,
password=password,
base_url=opts.url)
try:
new_key = fas.send_request('yubikey/genkey', auth=True)
except AuthError, e:
print e
sys.exit(1)
print
print _('New key generated in FAS, attempting to burn to yubikey')
print
opts = new_key['key'].split()
try:
retcode = subprocess.call([
import xmlrpclib
from bugzilla import Bugzilla
from fedora.client import AccountSystem, AuthError
import pkgdb2client
try:
USERNAME = fedora_cert.read_user_cert()
except fedora_cert.fedora_cert_error:
pkgdb2client.LOG.debug('Could not read Fedora cert, asking for username')
USERNAME = None
RH_BZ_API = 'https://bugzilla.redhat.com/xmlrpc.cgi'
BZCLIENT = None
FASCLIENT = AccountSystem('https://admin.fedoraproject.org/accounts',
username=USERNAME)
def _get_bz(url=RH_BZ_API, insecure=False):
''' Return a bugzilla object. '''
global BZCLIENT
if not BZCLIENT:
BZCLIENT = Bugzilla(url=url)
elif BZCLIENT.url != url:
BZCLIENT.url = url
BZCLIENT._sslverify = not insecure
try:
BZCLIENT.logged_in
except xmlrpclib.Error:
args.site = 'https://admin.fedoraproject.org/accounts/'
if args.verbose:
print('Using site: %(site)s' % {'site': args.site})
if args.verbose:
if args.gpg_home == None:
print('Using default gpg_home')
else:
print('Using gpg_home: %(gpghome)s' % {'gpghome': args.gpg_home})
if args.gpg_home != None:
os.putenv('GNUPGHOME', args.gpg_home)
fas = AccountSystem(args.site,
username=args.admin_user,
password=args.admin_pass,
insecure=args.insecure)
if args.verbose:
print('Getting user details...')
try:
details = fas.person_by_username(args.target_user)
except AuthError:
print('Failed to login to FAS. Please check admin_user and admin_pass!')
sys.exit(2)
except ServerError:
print('Failed to retrieve user details: the server reported an error!')
sys.exit(3)
if not 'username' in list(details.keys()):
print('Error: user %(username)s is not known on this FAS site!' %
print _('''Please run this program as root as it will need to write
directly to the yubikey usb''')
sys.exit(5)
print _(
'''
Attention: You are about to reprogram your yubikey! Please ensure it is
plugged in to your USB slot before continuing. The secret key currently on
your yubikey will be destroyed as part of this operation!
''')
print 'Contacting %s' % opts.url
password = getpass('Password for %s: ' % opts.username)
fas = AccountSystem(username=opts.username, password=password, base_url=opts.url)
try:
new_key = fas.send_request('yubikey/genkey', auth=True)
except AuthError, e:
print e
sys.exit(1)
print
print _('New key generated in FAS, attempting to burn to yubikey')
print
opts = new_key['key'].split()
try:
retcode = subprocess.call(['/usr/bin/ykpersonalize',
'-ofixed=%s' % opts[0],
json_in = open(sys.argv[1], 'r').readlines()
if os.path.isfile(sys.argv[1]) == False:
print "[Error] - Please check the file name and/or path."
exit()
except IndexError, error:
print "[Error] - File name is missing on the first parameter"
exit()
senderAddr = "*****@*****.**"
senderName = "Fedora Infrastructure"
username = raw_input('FAS Username: '******'\n', ''))
user = report['user']
url = report['url']
error = report['error']
user_data = fas2.person_by_username(user)
user_realname = user_data.human_name
user_email = user_data.email
if user_realname == None:
# Some users don't set the real name on FAS
