예제 #1
0
    def PUT(self):
        """
        This function permit to add or update a ssh public key.
        /client
            username=xxxxxx          => Unique username. Used by default to connect on server.
            [email protected] => This LDAP/AD user.
        """
        # LDAP authentication
        is_auth, message = tools.ldap_authentification(SERVER_OPTS)
        if not is_auth:
            return tools.response_render(message, http_code='401 Unauthorized')

        payload, message = tools.data2map()
        if message:
            return tools.response_render(message, http_code='400 Bad Request')

        if 'username' in payload:
            username = payload['username']
        else:
            return tools.response_render(
                'Error: No username option given.',
                http_code='400 Bad Request')

        if username == 'all':
            return tools.response_render(
                "Error: username not valid.",
                http_code='400 Bad Request')


        if 'realname' in payload:
            realname = unquote_plus(payload['realname'])
        else:
            return tools.response_render(
                'Error: No realname option given.',
                http_code='400 Bad Request')

        if constants.PATTERN_REALNAME.match(realname) is None:
            return tools.response_render(
                "Error: realname doesn't match pattern",
                http_code='400 Bad Request')

        # Get public key
        if 'pubkey' in payload:
            pubkey = tools.unquote_custom(payload['pubkey'])
        else:
            return tools.response_render(
                'Error: No pubkey given.',
                http_code='400 Bad Request')
        tmp_pubkey = NamedTemporaryFile(delete=False)
        tmp_pubkey.write(bytes(pubkey, 'utf-8'))
        tmp_pubkey.close()

        pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
        if pubkey_fingerprint == 'Unknown':
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Error : Public key unprocessable',
                http_code='422 Unprocessable Entity')

        pg_conn, message = TOOLS.pg_connection()
        if pg_conn is None:
            remove(tmp_pubkey.name)
            return tools.response_render(message, http_code='503 Service Unavailable')
        cur = pg_conn.cursor()

        # Search if key already exists
        cur.execute(
            """
            SELECT 1 FROM USERS WHERE NAME=(%s)
            """, (username,))
        user = cur.fetchone()
        # CREATE NEW USER
        if user is None:
            cur.execute(
                """
                INSERT INTO USERS VALUES ((%s), (%s), (%s), (%s), (%s), (%s), (%s), (%s))
                """, (
                    username, realname, constants.STATES['PENDING'],
                    0, pubkey_fingerprint, pubkey, '+12h', username))
            pg_conn.commit()
            cur.close()
            pg_conn.close()
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Create user=%s. Pending request.' % username,
                http_code='201 Created')
        # Check if realname is the same
        cur.execute(
            """
            SELECT 1 FROM USERS WHERE NAME=(%s) AND REALNAME=lower((%s))
            """, (username, realname))
        if cur.fetchone() is None:
            pg_conn.commit()
            cur.close()
            pg_conn.close()
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Error : (username, realname) couple mismatch.',
                http_code='401 Unauthorized')
        # Update entry into database
        cur.execute(
            """
            UPDATE USERS
            SET SSH_KEY=(%s),SSH_KEY_HASH=(%s), STATE=(%s), EXPIRATION=0
            WHERE NAME=(%s)
            """, (pubkey, pubkey_fingerprint, constants.STATES['PENDING'], username))
        pg_conn.commit()
        cur.close()
        pg_conn.close()
        remove(tmp_pubkey.name)
        return tools.response_render('Update user=%s. Pending request.' % username)
예제 #2
0
    def POST(self):
        """
        Ask to sign pub key.
        /client
            username=xxxxxx          => Unique username. Used by default to connect on server.
            [email protected] => This LDAP/AD user.

            # Optionnal
            admin_force=true|false
        """
        # LDAP authentication
        is_auth, message = tools.ldap_authentification(SERVER_OPTS)
        if not is_auth:
            return tools.response_render(message, http_code='401 Unauthorized')

        # Check if user is an admin and want to force signature when db fail
        force_sign = False

        # LDAP ADMIN authentication
        is_admin_auth, message = tools.ldap_authentification(
            SERVER_OPTS, admin=True)

        payload, message = tools.data2map()
        if message:
            return tools.response_render(message, http_code='400 Bad Request')

        if is_admin_auth and SERVER_OPTS['admin_db_failover'] \
            and 'admin_force' in payload and payload['admin_force'].lower() == 'true':
            force_sign = True

        # Get username
        if 'username' in payload:
            username = payload['username']
        else:
            return tools.response_render(
                'Error: No username option given.',
                http_code='400 Bad Request')
        if username == 'all':
            return tools.response_render(
                "Error: username not valid.",
                http_code='400 Bad Request')

        # Get realname
        if 'realname' in payload:
            realname = unquote_plus(payload['realname'])
        else:
            return tools.response_render(
                'Error: No realname option given.',
                http_code='400 Bad Request')

        # Get public key
        if 'pubkey' in payload:
            pubkey = tools.unquote_custom(payload['pubkey'])
        else:
            return tools.response_render(
                'Error: No pubkey given.',
                http_code='400 Bad Request')
        tmp_pubkey = NamedTemporaryFile(delete=False)
        tmp_pubkey.write(bytes(pubkey, 'utf-8'))
        tmp_pubkey.close()

        pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
        if pubkey_fingerprint == 'Unknown':
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Error : Public key unprocessable',
                http_code='422 Unprocessable Entity')

        pg_conn, message = TOOLS.pg_connection()
        # Admin force signature case
        if pg_conn is None and force_sign:
            cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, '+12h', username)
            remove(tmp_pubkey.name)
            return tools.response_render(cert_contents, content_type='application/octet-stream')
        # Check if db is up
        if pg_conn is None:
            remove(tmp_pubkey.name)
            return tools.response_render(message, http_code='503 Service Unavailable')
        cur = pg_conn.cursor()

        # Search if user already exists
        cur.execute(
            """
            SELECT NAME,REALNAME,STATE,EXPIRY,PRINCIPALS,SSH_KEY FROM USERS
            WHERE NAME=lower(%s)
            """, (username,))
        user = cur.fetchone()
        if user is None:
            cur.close()
            pg_conn.close()
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Error : User absent, please create an account.',
                http_code='400 Bad Request')

        # Get database key fingerprint
        db_pubkey = NamedTemporaryFile(delete=False)
        db_pubkey.write(bytes(user[5], 'utf-8'))
        db_pubkey.close()
        db_pubkey_fingerprint = get_fingerprint(db_pubkey.name)
        remove(db_pubkey.name)

        if db_pubkey_fingerprint == 'Unknown':
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Error : Public key from database unprocessable',
                http_code='422 Unprocessable Entity')

        if username != user[0] or \
            realname != user[1] or \
            db_pubkey_fingerprint != pubkey_fingerprint:
            cur.close()
            pg_conn.close()
            remove(tmp_pubkey.name)
            return tools.response_render(
                'Error : (username, realname, pubkey) triple mismatch.',
                http_code='401 Unauthorized')

        status = user[2]
        expiry = user[3]
        custom_principals = tools.clean_principals_output(user[4], username, shell=True)
        list_membership, _ = tools.get_memberof(
            realname,
            SERVER_OPTS)
        full_principals = tools.merge_principals(custom_principals, list_membership, SERVER_OPTS)

        if status > 0:
            cur.close()
            pg_conn.close()
            remove(tmp_pubkey.name)
            return tools.response_render("Status: %s" % constants.STATES[user[2]])

        cert_contents = TOOLS.sign_key(
            tmp_pubkey.name, username, expiry, full_principals, db_cursor=cur)

        remove(tmp_pubkey.name)
        pg_conn.commit()
        cur.close()
        pg_conn.close()
        return tools.response_render(
            cert_contents,
            content_type='application/octet-stream')