def POST(self): """ Test authentication """ # LDAP authentication is_auth, message = tools.ldap_authentification(SERVER_OPTS) if not is_auth: return tools.response_render(message, http_code='401 Unauthorized') return tools.response_render('OK')
def POST(self): """ Search user's principals by filter """ # LDAP authentication is_admin_auth, message = tools.ldap_authentification(SERVER_OPTS, admin=True) if not is_admin_auth: return tools.response_render(message, http_code='401 Unauthorized') pg_conn, message = TOOLS.pg_connection() if pg_conn is None: return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if 'filter' not in payload: return tools.response_render( '[ERROR] Unknown action', http_code='400 Bad Request') cur.execute( """ SELECT NAME,PRINCIPALS FROM USERS """) all_principals = cur.fetchall() pg_conn.commit() cur.close() pg_conn.close() result = dict() for key, value in payload.items(): value = unquote_plus(value) if key == 'filter' and value == '': for name, principals in all_principals: if isinstance(principals, str): result[name] = principals.split(',') elif key == 'filter': for principal in value.split(','): for name, principals in all_principals: if isinstance(principals, str) and principal in principals.split(','): if name not in result: result[name] = list() result[name].append(principal) return tools.response_render(dumps(result))
def GET(self): """ Return ca. """ return tools.response_render( open(SERVER_OPTS['ca'] + '.pub', 'rb'), content_type='application/octet-stream')
def GET(self): """ Return a health check """ health = {} health['name'] = 'cassh' health['version'] = VERSION return tools.response_render(dumps(health, indent=4, sort_keys=True), content_type='application/json')
def GET(self): """ /cluster/status """ message = dict() alive_nodes, dead_nodes = TOOLS.cluster_alived() for node in alive_nodes: message.update({node: {'status': 'OK'}}) for node in dead_nodes: message.update({node: {'status': 'KO'}}) return tools.response_render(dumps(message), content_type='application/json')
def POST(self): """ Get client key status. /client/status """ # LDAP authentication is_auth, message = tools.ldap_authentification(SERVER_OPTS) if not is_auth: return tools.response_render(message, http_code='401 Unauthorized') payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if 'realname' in payload: realname = unquote_plus(payload['realname']) else: return tools.response_render('Error: No realname option given.', http_code='400 Bad Request') return tools.response_render(TOOLS.list_keys(realname=realname), content_type='application/json')
def DELETE(self, username): """ Delete keys (but DOESN'T REVOKE) /admin/<username> """ # LDAP authentication is_admin_auth, message = tools.ldap_authentification(SERVER_OPTS, admin=True) if not is_admin_auth: return tools.response_render(message, http_code='401 Unauthorized') pg_conn, message = TOOLS.pg_connection() if pg_conn is None: return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() # Search if key already exists cur.execute( """ DELETE FROM USERS WHERE NAME=(%s) """, (username,)) pg_conn.commit() cur.close() pg_conn.close() return tools.response_render('OK')
def PATCH(self, username): """ Set the first founded value. /admin/<username> key=value => Set the key value. Keys are in status output. """ # LDAP authentication is_admin_auth, message = tools.ldap_authentification(SERVER_OPTS, admin=True) if not is_admin_auth: return tools.response_render(message, http_code='401 Unauthorized') pg_conn, message = TOOLS.pg_connection() if pg_conn is None: return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') for key, value in payload.items(): if key == 'expiry': cur.execute( """ UPDATE USERS SET EXPIRY=(%s) WHERE NAME=(%s) """, (value, username)) pg_conn.commit() cur.close() pg_conn.close() return tools.response_render( 'OK: %s=%s for %s' % (key, value, username)) # Deprecated endpoint for principals if key == 'principals': value = unquote_plus(value) cur.execute( """ UPDATE USERS SET PRINCIPALS=(%s) WHERE NAME=(%s) """, (value, username)) pg_conn.commit() cur.close() pg_conn.close() return tools.response_render( 'WARNING: ' + \ 'This endpoint is deprecated, upgrade your client cassh to 1.7.0\n'+ 'OK: %s=%s for %s' % (key, value, username)) return tools.response_render('WARNING: No key found...')
def POST(self): """ Search user's principals by filter """ # LDAP authentication is_admin_auth, message = tools.ldap_authentification(SERVER_OPTS, admin=True) if not is_admin_auth: return tools.response_render(message, http_code='401 Unauthorized') pg_conn, message = TOOLS.pg_connection() if pg_conn is None: return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if 'filter' not in payload: return tools.response_render( '[ERROR] Unknown action', http_code='400 Bad Request') cur.execute( """ SELECT NAME,PRINCIPALS,REALNAME FROM USERS """) all_principals = cur.fetchall() pg_conn.commit() cur.close() pg_conn.close() if SERVER_OPTS['ldap']: ldap_conn, _ = tools.get_ldap_conn( SERVER_OPTS['ldap_host'], SERVER_OPTS['ldap_username'], SERVER_OPTS['ldap_password']) result = dict() for key, value in payload.items(): value = unquote_plus(value) if key == 'filter' and value == '': for name, custom_principals, realname in all_principals: if not isinstance(custom_principals, str): continue list_membership, _ = tools.get_memberof( realname, SERVER_OPTS, reuse=ldap_conn) result[name] = tools.merge_principals( custom_principals, list_membership, SERVER_OPTS).split(',') elif key == 'filter': for principal in value.split(','): for name, custom_principals, realname in all_principals: if not isinstance(custom_principals, str): continue list_membership, _ = tools.get_memberof( realname, SERVER_OPTS, reuse=ldap_conn) principals = tools.merge_principals( custom_principals, list_membership, SERVER_OPTS).split(',') if principal in principals: if name not in result: result[name] = list() result[name].append(principal) return tools.response_render(dumps(result))
def POST(self, username): """ Manage user principals """ # LDAP authentication is_admin_auth, message = tools.ldap_authentification(SERVER_OPTS, admin=True) if not is_admin_auth: return tools.response_render(message, http_code='401 Unauthorized') pg_conn, message = TOOLS.pg_connection() if pg_conn is None: return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if 'add' not in payload and \ 'remove' not in payload and \ 'update' not in payload and \ 'purge' not in payload: return tools.response_render( '[ERROR] Unknown action', http_code='400 Bad Request') # Search if username exists values = {'username': username} cur.execute( """ SELECT NAME,PRINCIPALS,REALNAME FROM USERS WHERE NAME=(%(username)s) """, values) user = cur.fetchone() # If user dont exist if user is None: cur.close() pg_conn.close() return tools.response_render( "ERROR: {} doesn't exist".format(username), http_code='400 Bad Request') values['principals'] = user[1] for key, value in payload.items(): value = unquote_plus(value) if key == 'add': for principal in value.split(','): if constants.PATTERN_PRINCIPALS.match(principal) is None: return tools.response_render( "Error: principal doesn't match pattern {}".format( constants.PATTERN_PRINCIPALS.pattern), http_code='400 Bad Request') if values['principals']: values['principals'] += ',' + value else: values['principals'] = value elif key == 'remove': principals = values['principals'].split(',') for principal in value.split(','): if constants.PATTERN_PRINCIPALS.match(principal) is None: return tools.response_render( "Error: principal doesn't match pattern {}".format( constants.PATTERN_PRINCIPALS.pattern), http_code='400 Bad Request') if principal in principals: principals.remove(principal) values['principals'] = ','.join(principals) elif key == 'update': for principal in value.split(','): if constants.PATTERN_PRINCIPALS.match(principal) is None: return tools.response_render( "Error: principal doesn't match pattern {}".format( constants.PATTERN_PRINCIPALS.pattern), http_code='400 Bad Request') values['principals'] = value elif key == 'purge': values['principals'] = username list_membership, _ = tools.get_memberof( user[2], SERVER_OPTS) values['principals'] = tools.truncate_principals( values['principals'], list_membership, SERVER_OPTS) cur.execute( """ UPDATE USERS SET PRINCIPALS=(%(principals)s) WHERE NAME=(%(username)s) """, values) pg_conn.commit() cur.close() pg_conn.close() # Add LDAP principals values['principals'] = tools.merge_principals( values['principals'], list_membership, SERVER_OPTS) return tools.response_render( "OK: {} principals are '{}'".format(username, values['principals']))
def GET(self): """ Return a pong """ return tools.response_render('pong')
def POST(self, username): """ Revoke or Active keys. /admin/<username> revoke=true/false => Revoke user status=true/false => Display status """ # LDAP authentication is_admin_auth, message = tools.ldap_authentification(SERVER_OPTS, admin=True) if not is_admin_auth: return tools.response_render(message, http_code='401 Unauthorized') payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if 'revoke' in payload: do_revoke = payload['revoke'].lower() == 'true' else: do_revoke = False if 'status' in payload: do_status = payload['status'].lower() == 'true' else: do_status = False pg_conn, message = TOOLS.pg_connection() if pg_conn is None: return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() if username == 'all' and do_status: return tools.response_render( TOOLS.list_keys(), content_type='application/json') # Search if key already exists cur.execute( """ SELECT STATE FROM USERS WHERE NAME=(%s) """, (username,)) user_state = cur.fetchone() # If user dont exist if user_state is None: cur.close() pg_conn.close() message = 'User does not exists.' elif do_revoke: cur.execute( """ UPDATE USERS SET STATE=1 WHERE NAME=(%s) """, (username,)) pg_conn.commit() pubkey = tools.get_pubkey(username, pg_conn) cur.execute( """ SELECT 1 FROM REVOCATION WHERE SSH_KEY=(%s) """, (pubkey,)) if cur.fetchone() is None: cur.execute( """ INSERT INTO REVOCATION VALUES ((%s), (%s), (%s)) """, (pubkey, tools.timestamp(), username)) pg_conn.commit() message = 'Revoke user={}.'.format(username) else: message = 'user {} already revoked.'.format(username) cur.close() pg_conn.close() # Display status elif do_status: return tools.response_render( TOOLS.list_keys(username=username), content_type='application/json') # If user is in PENDING state elif user_state[0] == constants.STATES['PENDING']: cur.execute( """ UPDATE USERS SET STATE=0 WHERE NAME=(%s) """, (username,)) pg_conn.commit() cur.close() pg_conn.close() message = 'Active user=%s. SSH Key active but need to be signed.' % username # If user is in REVOKED state elif user_state[0] == constants.STATES['REVOKED']: cur.execute('UPDATE USERS SET STATE=0 WHERE NAME=(%s)', (username,)) pg_conn.commit() cur.close() pg_conn.close() message = 'Active user=%s. SSH Key active but need to be signed.' % username else: cur.close() pg_conn.close() message = 'user=%s already active. Nothing done.' % username return tools.response_render(message)
def PUT(self): """ This function permit to add or update a ssh public key. /client username=xxxxxx => Unique username. Used by default to connect on server. [email protected] => This LDAP/AD user. """ # LDAP authentication is_auth, message = tools.ldap_authentification(SERVER_OPTS) if not is_auth: return tools.response_render(message, http_code='401 Unauthorized') payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if 'username' in payload: username = payload['username'] else: return tools.response_render( 'Error: No username option given.', http_code='400 Bad Request') if username == 'all': return tools.response_render( "Error: username not valid.", http_code='400 Bad Request') if 'realname' in payload: realname = unquote_plus(payload['realname']) else: return tools.response_render( 'Error: No realname option given.', http_code='400 Bad Request') if constants.PATTERN_REALNAME.match(realname) is None: return tools.response_render( "Error: realname doesn't match pattern", http_code='400 Bad Request') # Get public key if 'pubkey' in payload: pubkey = tools.unquote_custom(payload['pubkey']) else: return tools.response_render( 'Error: No pubkey given.', http_code='400 Bad Request') tmp_pubkey = NamedTemporaryFile(delete=False) tmp_pubkey.write(bytes(pubkey, 'utf-8')) tmp_pubkey.close() pubkey_fingerprint = get_fingerprint(tmp_pubkey.name) if pubkey_fingerprint == 'Unknown': remove(tmp_pubkey.name) return tools.response_render( 'Error : Public key unprocessable', http_code='422 Unprocessable Entity') pg_conn, message = TOOLS.pg_connection() if pg_conn is None: remove(tmp_pubkey.name) return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() # Search if key already exists cur.execute( """ SELECT 1 FROM USERS WHERE NAME=(%s) """, (username,)) user = cur.fetchone() # CREATE NEW USER if user is None: cur.execute( """ INSERT INTO USERS VALUES ((%s), (%s), (%s), (%s), (%s), (%s), (%s), (%s)) """, ( username, realname, constants.STATES['PENDING'], 0, pubkey_fingerprint, pubkey, '+12h', username)) pg_conn.commit() cur.close() pg_conn.close() remove(tmp_pubkey.name) return tools.response_render( 'Create user=%s. Pending request.' % username, http_code='201 Created') # Check if realname is the same cur.execute( """ SELECT 1 FROM USERS WHERE NAME=(%s) AND REALNAME=lower((%s)) """, (username, realname)) if cur.fetchone() is None: pg_conn.commit() cur.close() pg_conn.close() remove(tmp_pubkey.name) return tools.response_render( 'Error : (username, realname) couple mismatch.', http_code='401 Unauthorized') # Update entry into database cur.execute( """ UPDATE USERS SET SSH_KEY=(%s),SSH_KEY_HASH=(%s), STATE=(%s), EXPIRATION=0 WHERE NAME=(%s) """, (pubkey, pubkey_fingerprint, constants.STATES['PENDING'], username)) pg_conn.commit() cur.close() pg_conn.close() remove(tmp_pubkey.name) return tools.response_render('Update user=%s. Pending request.' % username)
def POST(self): """ Ask to sign pub key. /client username=xxxxxx => Unique username. Used by default to connect on server. [email protected] => This LDAP/AD user. # Optionnal admin_force=true|false """ # LDAP authentication is_auth, message = tools.ldap_authentification(SERVER_OPTS) if not is_auth: return tools.response_render(message, http_code='401 Unauthorized') # Check if user is an admin and want to force signature when db fail force_sign = False # LDAP ADMIN authentication is_admin_auth, message = tools.ldap_authentification( SERVER_OPTS, admin=True) payload, message = tools.data2map() if message: return tools.response_render(message, http_code='400 Bad Request') if is_admin_auth and SERVER_OPTS['admin_db_failover'] \ and 'admin_force' in payload and payload['admin_force'].lower() == 'true': force_sign = True # Get username if 'username' in payload: username = payload['username'] else: return tools.response_render( 'Error: No username option given.', http_code='400 Bad Request') if username == 'all': return tools.response_render( "Error: username not valid.", http_code='400 Bad Request') # Get realname if 'realname' in payload: realname = unquote_plus(payload['realname']) else: return tools.response_render( 'Error: No realname option given.', http_code='400 Bad Request') # Get public key if 'pubkey' in payload: pubkey = tools.unquote_custom(payload['pubkey']) else: return tools.response_render( 'Error: No pubkey given.', http_code='400 Bad Request') tmp_pubkey = NamedTemporaryFile(delete=False) tmp_pubkey.write(bytes(pubkey, 'utf-8')) tmp_pubkey.close() pubkey_fingerprint = get_fingerprint(tmp_pubkey.name) if pubkey_fingerprint == 'Unknown': remove(tmp_pubkey.name) return tools.response_render( 'Error : Public key unprocessable', http_code='422 Unprocessable Entity') pg_conn, message = TOOLS.pg_connection() # Admin force signature case if pg_conn is None and force_sign: cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, '+12h', username) remove(tmp_pubkey.name) return tools.response_render(cert_contents, content_type='application/octet-stream') # Check if db is up if pg_conn is None: remove(tmp_pubkey.name) return tools.response_render(message, http_code='503 Service Unavailable') cur = pg_conn.cursor() # Search if user already exists cur.execute( """ SELECT NAME,REALNAME,STATE,EXPIRY,PRINCIPALS,SSH_KEY FROM USERS WHERE NAME=lower(%s) """, (username,)) user = cur.fetchone() if user is None: cur.close() pg_conn.close() remove(tmp_pubkey.name) return tools.response_render( 'Error : User absent, please create an account.', http_code='400 Bad Request') # Get database key fingerprint db_pubkey = NamedTemporaryFile(delete=False) db_pubkey.write(bytes(user[5], 'utf-8')) db_pubkey.close() db_pubkey_fingerprint = get_fingerprint(db_pubkey.name) remove(db_pubkey.name) if db_pubkey_fingerprint == 'Unknown': remove(tmp_pubkey.name) return tools.response_render( 'Error : Public key from database unprocessable', http_code='422 Unprocessable Entity') if username != user[0] or \ realname != user[1] or \ db_pubkey_fingerprint != pubkey_fingerprint: cur.close() pg_conn.close() remove(tmp_pubkey.name) return tools.response_render( 'Error : (username, realname, pubkey) triple mismatch.', http_code='401 Unauthorized') status = user[2] expiry = user[3] custom_principals = tools.clean_principals_output(user[4], username, shell=True) list_membership, _ = tools.get_memberof( realname, SERVER_OPTS) full_principals = tools.merge_principals(custom_principals, list_membership, SERVER_OPTS) if status > 0: cur.close() pg_conn.close() remove(tmp_pubkey.name) return tools.response_render("Status: %s" % constants.STATES[user[2]]) cert_contents = TOOLS.sign_key( tmp_pubkey.name, username, expiry, full_principals, db_cursor=cur) remove(tmp_pubkey.name) pg_conn.commit() cur.close() pg_conn.close() return tools.response_render( cert_contents, content_type='application/octet-stream')