def PUT(self):
"""
This function permit to add or update a ssh public key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
"""
# LDAP authentication
is_auth, message = tools.ldap_authentification(SERVER_OPTS)
if not is_auth:
return tools.response_render(message, http_code='401 Unauthorized')
payload, message = tools.data2map()
if message:
return tools.response_render(message, http_code='400 Bad Request')
if 'username' in payload:
username = payload['username']
else:
return tools.response_render(
'Error: No username option given.',
http_code='400 Bad Request')
if username == 'all':
return tools.response_render(
"Error: username not valid.",
http_code='400 Bad Request')
if 'realname' in payload:
realname = unquote_plus(payload['realname'])
else:
return tools.response_render(
'Error: No realname option given.',
http_code='400 Bad Request')
if constants.PATTERN_REALNAME.match(realname) is None:
return tools.response_render(
"Error: realname doesn't match pattern",
http_code='400 Bad Request')
# Get public key
if 'pubkey' in payload:
pubkey = tools.unquote_custom(payload['pubkey'])
else:
return tools.response_render(
'Error: No pubkey given.',
http_code='400 Bad Request')
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(bytes(pubkey, 'utf-8'))
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return tools.response_render(
'Error : Public key unprocessable',
http_code='422 Unprocessable Entity')
pg_conn, message = TOOLS.pg_connection()
if pg_conn is None:
remove(tmp_pubkey.name)
return tools.response_render(message, http_code='503 Service Unavailable')
cur = pg_conn.cursor()
# Search if key already exists
cur.execute(
"""
SELECT 1 FROM USERS WHERE NAME=(%s)
""", (username,))
user = cur.fetchone()
# CREATE NEW USER
if user is None:
cur.execute(
"""
INSERT INTO USERS VALUES ((%s), (%s), (%s), (%s), (%s), (%s), (%s), (%s))
""", (
username, realname, constants.STATES['PENDING'],
0, pubkey_fingerprint, pubkey, '+12h', username))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return tools.response_render(
'Create user=%s. Pending request.' % username,
http_code='201 Created')
# Check if realname is the same
cur.execute(
"""
SELECT 1 FROM USERS WHERE NAME=(%s) AND REALNAME=lower((%s))
""", (username, realname))
if cur.fetchone() is None:
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return tools.response_render(
'Error : (username, realname) couple mismatch.',
http_code='401 Unauthorized')
# Update entry into database
cur.execute(
"""
UPDATE USERS
SET SSH_KEY=(%s),SSH_KEY_HASH=(%s), STATE=(%s), EXPIRATION=0
WHERE NAME=(%s)
""", (pubkey, pubkey_fingerprint, constants.STATES['PENDING'], username))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return tools.response_render('Update user=%s. Pending request.' % username)
def PUT(self):
"""
This function permit to add or update a ssh public key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
"""
# LDAP authentication
is_auth, message = ldap_authentification()
if not is_auth:
return message
payload = data2map()
if payload.has_key('username'):
username = payload['username']
else:
return "Error: No username option given."
username_pattern = re_compile("^([a-z]+)$")
if username_pattern.match(username) is None or username == 'all':
return "Error: Username %s doesn't match pattern %s" \
% (username, username_pattern.pattern)
if payload.has_key('realname'):
realname = unquote_plus(payload['realname'])
else:
return "Error: No realname option given."
# Get public key
if payload.has_key('pubkey'):
pubkey = unquote_custom(payload['pubkey'])
else:
return "Error: No pubkey given."
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(pubkey)
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return 'Error : Public key unprocessable'
pg_conn, message = pg_connection()
if pg_conn is None:
remove(tmp_pubkey.name)
return message
cur = pg_conn.cursor()
# Search if key already exists
cur.execute('SELECT * FROM USERS WHERE NAME=(%s)', (username, ))
user = cur.fetchone()
# CREATE NEW USER
if user is None:
cur.execute('INSERT INTO USERS VALUES \
((%s), (%s), (%s), (%s), (%s), (%s), (%s), (%s))' , \
(username, realname, 2, 0, pubkey_fingerprint, pubkey, '+12h', ''))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return 'Create user=%s. Pending request.' % username
else:
# Check if realname is the same
cur.execute('SELECT * FROM USERS WHERE NAME=(%s) AND REALNAME=lower((%s))', \
(username, realname))
if cur.fetchone() is None:
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return 'Error : (username, realname) couple mismatch.'
# Update entry into database
cur.execute(
'UPDATE USERS SET SSH_KEY=(%s), SSH_KEY_HASH=(%s), STATE=2, EXPIRATION=0 \
WHERE NAME=(%s)', (pubkey, pubkey_fingerprint, username))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return 'Update user=%s. Pending request.' % username
def POST(self):
"""
Ask to sign pub key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
# Optionnal
admin_force=true|false
"""
# LDAP authentication
is_auth, message = tools.ldap_authentification(SERVER_OPTS)
if not is_auth:
return tools.response_render(message, http_code='401 Unauthorized')
# Check if user is an admin and want to force signature when db fail
force_sign = False
# LDAP ADMIN authentication
is_admin_auth, message = tools.ldap_authentification(
SERVER_OPTS, admin=True)
payload, message = tools.data2map()
if message:
return tools.response_render(message, http_code='400 Bad Request')
if is_admin_auth and SERVER_OPTS['admin_db_failover'] \
and 'admin_force' in payload and payload['admin_force'].lower() == 'true':
force_sign = True
# Get username
if 'username' in payload:
username = payload['username']
else:
return tools.response_render(
'Error: No username option given.',
http_code='400 Bad Request')
if username == 'all':
return tools.response_render(
"Error: username not valid.",
http_code='400 Bad Request')
# Get realname
if 'realname' in payload:
realname = unquote_plus(payload['realname'])
else:
return tools.response_render(
'Error: No realname option given.',
http_code='400 Bad Request')
# Get public key
if 'pubkey' in payload:
pubkey = tools.unquote_custom(payload['pubkey'])
else:
return tools.response_render(
'Error: No pubkey given.',
http_code='400 Bad Request')
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(bytes(pubkey, 'utf-8'))
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return tools.response_render(
'Error : Public key unprocessable',
http_code='422 Unprocessable Entity')
pg_conn, message = TOOLS.pg_connection()
# Admin force signature case
if pg_conn is None and force_sign:
cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, '+12h', username)
remove(tmp_pubkey.name)
return tools.response_render(cert_contents, content_type='application/octet-stream')
# Check if db is up
if pg_conn is None:
remove(tmp_pubkey.name)
return tools.response_render(message, http_code='503 Service Unavailable')
cur = pg_conn.cursor()
# Search if user already exists
cur.execute(
"""
SELECT NAME,REALNAME,STATE,EXPIRY,PRINCIPALS,SSH_KEY FROM USERS
WHERE NAME=lower(%s)
""", (username,))
user = cur.fetchone()
if user is None:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return tools.response_render(
'Error : User absent, please create an account.',
http_code='400 Bad Request')
# Get database key fingerprint
db_pubkey = NamedTemporaryFile(delete=False)
db_pubkey.write(bytes(user[5], 'utf-8'))
db_pubkey.close()
db_pubkey_fingerprint = get_fingerprint(db_pubkey.name)
remove(db_pubkey.name)
if db_pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return tools.response_render(
'Error : Public key from database unprocessable',
http_code='422 Unprocessable Entity')
if username != user[0] or \
realname != user[1] or \
db_pubkey_fingerprint != pubkey_fingerprint:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return tools.response_render(
'Error : (username, realname, pubkey) triple mismatch.',
http_code='401 Unauthorized')
status = user[2]
expiry = user[3]
custom_principals = tools.clean_principals_output(user[4], username, shell=True)
list_membership, _ = tools.get_memberof(
realname,
SERVER_OPTS)
full_principals = tools.merge_principals(custom_principals, list_membership, SERVER_OPTS)
if status > 0:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return tools.response_render("Status: %s" % constants.STATES[user[2]])
cert_contents = TOOLS.sign_key(
tmp_pubkey.name, username, expiry, full_principals, db_cursor=cur)
remove(tmp_pubkey.name)
pg_conn.commit()
cur.close()
pg_conn.close()
return tools.response_render(
cert_contents,
content_type='application/octet-stream')
def POST(self):
"""
Ask to sign pub key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
# Optionnal
admin_force=true|false
"""
# LDAP authentication
is_auth, message = ldap_authentification()
if not is_auth:
return message
# Check if user is an admin and want to force signature when db fail
force_sign = False
# LDAP ADMIN authentication
is_admin_auth, _ = ldap_authentification(admin=True)
payload = data2map()
if is_admin_auth and SERVER_OPTS['admin_db_failover'] \
and payload.has_key('admin_force') and payload['admin_force'].lower() == 'true':
force_sign = True
# Get username
if payload.has_key('username'):
username = payload['username']
else:
return "Error: No username option given. Update your CASSH >= 1.3.0"
username_pattern = re_compile("^([a-z]+)$")
if username_pattern.match(username) is None or username == 'all':
return "Error: Username %s doesn't match pattern %s" \
% (username, username_pattern.pattern)
# Get realname
if payload.has_key('realname'):
realname = unquote_plus(payload['realname'])
else:
return "Error: No realname option given."
# Get public key
if payload.has_key('pubkey'):
pubkey = unquote_custom(payload['pubkey'])
else:
return "Error: No pubkey given."
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(pubkey)
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return 'Error : Public key unprocessable'
pg_conn, message = pg_connection()
# Admin force signature case
if pg_conn is None and force_sign:
cert_contents = sign_key(tmp_pubkey.name, username, '+12h',
username)
remove(tmp_pubkey.name)
return cert_contents
# Else, if db is down it fails.
elif pg_conn is None:
remove(tmp_pubkey.name)
return message
cur = pg_conn.cursor()
# Search if key already exists
cur.execute(
'SELECT * FROM USERS WHERE SSH_KEY=(%s) AND NAME=lower(%s)',
(pubkey, username))
user = cur.fetchone()
if user is None:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return 'Error : User or Key absent, add your key again.'
if username != user[0] or realname != user[1]:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return 'Error : (username, realname) couple mismatch.'
status = user[2]
expiry = user[6]
principals = get_principals(user[7], username, shell=True)
if status > 0:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return "Status: %s" % STATES[user[2]]
cert_contents = sign_key(tmp_pubkey.name,
username,
expiry,
principals,
db_cursor=cur)
remove(tmp_pubkey.name)
pg_conn.commit()
cur.close()
pg_conn.close()
return cert_contents
def PUT(self):
"""
This function permit to add or update a ssh public key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
"""
# LDAP authentication
is_auth, message = ldap_authentification()
if not is_auth:
return response_render(message, http_code='401 Unauthorized')
payload = data2map()
if 'username' in payload:
username = payload['username']
else:
return response_render(
'Error: No username option given.',
http_code='400 Bad Request')
username_pattern = re_compile("^([a-z]+)$")
if username_pattern.match(username) is None or username == 'all':
return response_render(
"Error: Username doesn't match pattern %s" \
% username_pattern.pattern,
http_code='400 Bad Request')
if 'realname' in payload:
realname = unquote_plus(payload['realname'])
else:
return response_render(
'Error: No realname option given.',
http_code='400 Bad Request')
realname_pattern = re_compile(
r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*"
r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"'
r')@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$', IGNORECASE)
if realname_pattern.match(realname) is None:
return response_render(
"Error: Realname doesn't match pattern",
http_code='400 Bad Request')
# Get public key
if 'pubkey' in payload:
pubkey = unquote_custom(payload['pubkey'])
else:
return response_render(
'Error: No pubkey given.',
http_code='400 Bad Request')
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(bytes(pubkey, 'utf-8'))
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return response_render(
'Error : Public key unprocessable',
http_code='422 Unprocessable Entity')
pg_conn, message = TOOLS.pg_connection()
if pg_conn is None:
remove(tmp_pubkey.name)
return response_render(message, http_code='503 Service Unavailable')
cur = pg_conn.cursor()
# Search if key already exists
cur.execute('SELECT * FROM USERS WHERE NAME=(%s)', (username,))
user = cur.fetchone()
# CREATE NEW USER
if user is None:
cur.execute('INSERT INTO USERS VALUES \
((%s), (%s), (%s), (%s), (%s), (%s), (%s), (%s))', \
(username, realname, 2, 0, pubkey_fingerprint, pubkey, '+12h', ''))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Create user=%s. Pending request.' % username,
http_code='201 Created')
else:
# Check if realname is the same
cur.execute('SELECT * FROM USERS WHERE NAME=(%s) AND REALNAME=lower((%s))', \
(username, realname))
if cur.fetchone() is None:
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Error : (username, realname) couple mismatch.',
http_code='401 Unauthorized')
# Update entry into database
cur.execute('UPDATE USERS SET SSH_KEY=(%s), SSH_KEY_HASH=(%s), STATE=2, EXPIRATION=0 \
WHERE NAME=(%s)', (pubkey, pubkey_fingerprint, username))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render('Update user=%s. Pending request.' % username)
def POST(self):
"""
Ask to sign pub key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
# Optionnal
admin_force=true|false
"""
# LDAP authentication
is_auth, message = ldap_authentification()
if not is_auth:
return response_render(message, http_code='401 Unauthorized')
# Check if user is an admin and want to force signature when db fail
force_sign = False
# LDAP ADMIN authentication
is_admin_auth, _ = ldap_authentification(admin=True)
payload = data2map()
if is_admin_auth and SERVER_OPTS['admin_db_failover'] \
and 'admin_force' in payload and payload['admin_force'].lower() == 'true':
force_sign = True
# Get username
if 'username' in payload:
username = payload['username']
else:
return response_render(
'Error: No username option given. Update your CASSH >= 1.3.0',
http_code='400 Bad Request')
username_pattern = re_compile("^([a-z]+)$")
if username_pattern.match(username) is None or username == 'all':
return response_render(
"Error: Username doesn't match pattern %s" \
% username_pattern.pattern,
http_code='400 Bad Request')
# Get realname
if 'realname' in payload:
realname = unquote_plus(payload['realname'])
else:
return response_render(
'Error: No realname option given.',
http_code='400 Bad Request')
# Get public key
if 'pubkey' in payload:
pubkey = unquote_custom(payload['pubkey'])
else:
return response_render(
'Error: No pubkey given.',
http_code='400 Bad Request')
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(bytes(pubkey, 'utf-8'))
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return response_render(
'Error : Public key unprocessable',
http_code='422 Unprocessable Entity')
pg_conn, message = TOOLS.pg_connection()
# Admin force signature case
if pg_conn is None and force_sign:
cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, '+12h', username)
remove(tmp_pubkey.name)
return response_render(cert_contents, content_type='application/octet-stream')
# Else, if db is down it fails.
elif pg_conn is None:
remove(tmp_pubkey.name)
return response_render(message, http_code='503 Service Unavailable')
cur = pg_conn.cursor()
# Search if key already exists
cur.execute('SELECT * FROM USERS WHERE SSH_KEY=(%s) AND NAME=lower(%s)', (pubkey, username))
user = cur.fetchone()
if user is None:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Error : User or Key absent, add your key again.',
http_code='400 Bad Request')
if username != user[0] or realname != user[1]:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Error : (username, realname) couple mismatch.',
http_code='401 Unauthorized')
status = user[2]
expiry = user[6]
principals = get_principals(user[7], username, shell=True)
if status > 0:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render("Status: %s" % STATES[user[2]])
cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, expiry, principals, db_cursor=cur)
remove(tmp_pubkey.name)
pg_conn.commit()
cur.close()
pg_conn.close()
return response_render(
cert_contents,
content_type='application/octet-stream')
def PUT(self):
"""
This function permit to add or update a ssh public key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
"""
# LDAP authentication
is_auth, message = ldap_authentification()
if not is_auth:
return response_render(message, http_code='401 Unauthorized')
payload = data2map()
if 'username' in payload:
username = payload['username']
else:
return response_render(
'Error: No username option given.',
http_code='400 Bad Request')
username_pattern = re_compile("^([a-z]+)$")
if username_pattern.match(username) is None or username == 'all':
return response_render(
"Error: Username doesn't match pattern %s" \
% username_pattern.pattern,
http_code='400 Bad Request')
if 'realname' in payload:
realname = unquote_plus(payload['realname'])
else:
return response_render(
'Error: No realname option given.',
http_code='400 Bad Request')
realname_pattern = re_compile("^([a-zA-Z0-9\.]+@[a-zA-Z0-9\.]+)$")
if realname_pattern.match(realname) is None:
return response_render(
"Error: Realname doesn't match pattern",
http_code='400 Bad Request')
# Get public key
if 'pubkey' in payload:
pubkey = unquote_custom(payload['pubkey'])
else:
return response_render(
'Error: No pubkey given.',
http_code='400 Bad Request')
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(bytes(pubkey, 'utf-8'))
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return response_render(
'Error : Public key unprocessable',
http_code='422 Unprocessable Entity')
pg_conn, message = TOOLS.pg_connection()
if pg_conn is None:
remove(tmp_pubkey.name)
return response_render(message, http_code='503 Service Unavailable')
cur = pg_conn.cursor()
# Search if key already exists
cur.execute('SELECT * FROM USERS WHERE NAME=(%s)', (username,))
user = cur.fetchone()
# CREATE NEW USER
if user is None:
cur.execute('INSERT INTO USERS VALUES \
((%s), (%s), (%s), (%s), (%s), (%s), (%s), (%s))', \
(username, realname, 2, 0, pubkey_fingerprint, pubkey, '+12h', ''))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Create user=%s. Pending request.' % username,
http_code='201 Created')
else:
# Check if realname is the same
cur.execute('SELECT * FROM USERS WHERE NAME=(%s) AND REALNAME=lower((%s))', \
(username, realname))
if cur.fetchone() is None:
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Error : (username, realname) couple mismatch.',
http_code='401 Unauthorized')
# Update entry into database
cur.execute('UPDATE USERS SET SSH_KEY=(%s), SSH_KEY_HASH=(%s), STATE=2, EXPIRATION=0 \
WHERE NAME=(%s)', (pubkey, pubkey_fingerprint, username))
pg_conn.commit()
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render('Update user=%s. Pending request.' % username)
def POST(self):
"""
Ask to sign pub key.
/client
username=xxxxxx => Unique username. Used by default to connect on server.
[email protected] => This LDAP/AD user.
# Optionnal
admin_force=true|false
"""
# LDAP authentication
is_auth, message = ldap_authentification()
if not is_auth:
return response_render(message, http_code='401 Unauthorized')
# Check if user is an admin and want to force signature when db fail
force_sign = False
# LDAP ADMIN authentication
is_admin_auth, _ = ldap_authentification(admin=True)
payload = data2map()
if is_admin_auth and SERVER_OPTS['admin_db_failover'] \
and 'admin_force' in payload and payload['admin_force'].lower() == 'true':
force_sign = True
# Get username
if 'username' in payload:
username = payload['username']
else:
return response_render(
'Error: No username option given. Update your CASSH >= 1.3.0',
http_code='400 Bad Request')
username_pattern = re_compile("^([a-z]+)$")
if username_pattern.match(username) is None or username == 'all':
return response_render(
"Error: Username doesn't match pattern %s" \
% username_pattern.pattern,
http_code='400 Bad Request')
# Get realname
if 'realname' in payload:
realname = unquote_plus(payload['realname'])
else:
return response_render(
'Error: No realname option given.',
http_code='400 Bad Request')
# Get public key
if 'pubkey' in payload:
pubkey = unquote_custom(payload['pubkey'])
else:
return response_render(
'Error: No pubkey given.',
http_code='400 Bad Request')
tmp_pubkey = NamedTemporaryFile(delete=False)
tmp_pubkey.write(bytes(pubkey, 'utf-8'))
tmp_pubkey.close()
pubkey_fingerprint = get_fingerprint(tmp_pubkey.name)
if pubkey_fingerprint == 'Unknown':
remove(tmp_pubkey.name)
return response_render(
'Error : Public key unprocessable',
http_code='422 Unprocessable Entity')
pg_conn, message = TOOLS.pg_connection()
# Admin force signature case
if pg_conn is None and force_sign:
cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, '+12h', username)
remove(tmp_pubkey.name)
return response_render(cert_contents, content_type='application/octet-stream')
# Else, if db is down it fails.
elif pg_conn is None:
remove(tmp_pubkey.name)
return response_render(message, http_code='503 Service Unavailable')
cur = pg_conn.cursor()
# Search if key already exists
cur.execute('SELECT * FROM USERS WHERE SSH_KEY=(%s) AND NAME=lower(%s)', (pubkey, username))
user = cur.fetchone()
if user is None:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Error : User or Key absent, add your key again.',
http_code='400 Bad Request')
if username != user[0] or realname != user[1]:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render(
'Error : (username, realname) couple mismatch.',
http_code='401 Unauthorized')
status = user[2]
expiry = user[6]
principals = get_principals(user[7], username, shell=True)
if status > 0:
cur.close()
pg_conn.close()
remove(tmp_pubkey.name)
return response_render("Status: %s" % STATES[user[2]])
cert_contents = TOOLS.sign_key(tmp_pubkey.name, username, expiry, principals, db_cursor=cur)
remove(tmp_pubkey.name)
pg_conn.commit()
cur.close()
pg_conn.close()
return response_render(
cert_contents,
content_type='application/octet-stream')
