Standa Lukeš
1 year ago
commit
302f3f8529
4 changed files with 388 additions and 0 deletions
@ -0,0 +1,25 @@ |
|||
## Skripty a configy pro KSP VM |
|||
|
|||
### Hadí skripty na synchronizaci uživatelů z gimliho: [./user-sync](./user-sync) |
|||
|
|||
[`collect_keys.py`](./user-sync/collect_keys.py) vykrade .ssh/authorized_keys z home adresářů specifikovaných uživatelů. |
|||
|
|||
[`copy_users.py`](./user-sync/copy_users.py) je zkopíruje na zadaný server, případně na něm pak spustí nějaký příkaz. |
|||
|
|||
[`accept-users.py`](./user-sync/accept-users.py) vyrobí, případně modifikuje uživatele na cílovém stroji. |
|||
|
|||
Zamýšlené schéma použití |
|||
```bash |
|||
sudo ./collect-keys.py --output ./ssh_keys.json --groups ksp --users případně nějací další uživatelé --verbose |
|||
|
|||
./copy_users.py --user_file ./ssh_keys.json --server root@ksp-vm --server-transfer-file /var/db/gimliusersync/new-users.json --execute 'skript.sh' |
|||
``` |
|||
na ksp-vm skript.sh |
|||
``` |
|||
./accept-users.py --new-file /var/db/gimliusersync/new-users.json \ |
|||
--old-file /var/db/gimliusersync/current-users.json \ |
|||
--ssh-keys-location /etc/ssh/gimli-authorized_keys.d \ |
|||
--marker-group gimli-user |
|||
--extra-groups ksp-org cokoli-dalsiho |
|||
--removed-group gimli-removed-user |
|||
``` |
@ -0,0 +1,166 @@ |
|||
#!/usr/bin/env python3 |
|||
|
|||
import os, sys, argparse, json, datetime, tempfile, pwd, grp, subprocess |
|||
from dataclasses import dataclass |
|||
from typing import Optional, Any |
|||
|
|||
def report_persistent_problem(*msg): |
|||
print(*msg, file=sys.stderr) |
|||
with open("./errors", "a") as f: |
|||
print(*msg, file=f) |
|||
|
|||
@dataclass(frozen=True) |
|||
class UserData: |
|||
uid: int |
|||
name: str |
|||
homedir: str |
|||
full_name: str |
|||
shell: str |
|||
ssh_keys: list[str] |
|||
|
|||
def read_file(path: str) -> Optional[dict[str, Any]]: |
|||
if not os.path.exists(path): |
|||
return None |
|||
with open(path) as f: |
|||
return json.load(f) |
|||
|
|||
def validate_shell(user: UserData) -> str: |
|||
if not os.path.exists(user.shell): |
|||
report_persistent_problem(f"Shell {user.shell} is not installed on this system (user {user.name})!") |
|||
return "/bin/bash" |
|||
return user.shell |
|||
|
|||
def execute_maybe(cmd: list[str], dry_run: bool, verbose: bool): |
|||
if verbose or dry_run: |
|||
print(f"Executing", *cmd) |
|||
if not dry_run: |
|||
subprocess.check_call(cmd) |
|||
|
|||
def create_user(user: UserData, marker_group: str, extra_groups: list[str], dry_run: bool, verbose: bool): |
|||
try: |
|||
pwd.getpwnam(user.name) |
|||
report_persistent_problem(f"Cannot create {user.name}:{user.uid} - username already taken!") |
|||
return |
|||
except KeyError: |
|||
pass |
|||
try: |
|||
pwd.getpwuid(user.uid) |
|||
report_persistent_problem(f"Cannot create {user.name}:{user.uid} - uid already taken!") |
|||
return |
|||
except KeyError: |
|||
pass |
|||
|
|||
|
|||
cmd = [ "useradd", |
|||
"--uid", str(user.uid), |
|||
"--user-group", |
|||
"--create-home", |
|||
"--comment", user.full_name, |
|||
"--groups", ",".join([marker_group, *extra_groups]), |
|||
"--shell", validate_shell(user), |
|||
# TODO: subuid and subgid are handled? |
|||
] |
|||
execute_maybe(cmd, dry_run, verbose) |
|||
|
|||
def modify_user(old: UserData, new: UserData, marker_group: str, dry_run: bool, verbose: bool): |
|||
if old.uid != new.uid or old.name != new.name: |
|||
report_persistent_problem(f"Cannot modify {old.name}:{old.uid} to {new.name}:{new.uid} - uid or name changed!") |
|||
return |
|||
|
|||
if new.name not in grp.getgrnam(marker_group).gr_mem: |
|||
if verbose: |
|||
print(f"Skipping {new.name}:{new.uid} - not in {marker_group} group") |
|||
return |
|||
|
|||
cmd = [ "usermod" ] |
|||
if old.full_name != new.full_name: |
|||
cmd.extend([ "--comment", new.full_name ]) |
|||
if old.shell != new.shell: |
|||
cmd.extend([ "--shell", validate_shell(new) ]) |
|||
|
|||
if cmd == [ "usermod" ]: |
|||
return |
|||
execute_maybe(cmd, dry_run, verbose) |
|||
|
|||
def add_group(user_name: str, group: str, dry_run: bool, verbose: bool): |
|||
if user_name not in grp.getgrnam(group).gr_mem: |
|||
cmd = [ "usermod", "--append", "--groups", group, user_name ] |
|||
execute_maybe(cmd, dry_run, verbose) |
|||
|
|||
|
|||
def save_keys(users: list[UserData], ssh_keys_location: str, dry_run: bool, verbose: bool): |
|||
remove_files = set(os.listdir(ssh_keys_location)).difference(u.name for u in users if len(u.ssh_keys) > 0) |
|||
if remove_files: |
|||
if verbose or dry_run: |
|||
print(f"Removing SSH keys: {remove_files}") |
|||
if not dry_run: |
|||
for f in remove_files: |
|||
os.remove(os.path.join(ssh_keys_location, f)) |
|||
|
|||
for user in users: |
|||
# doesn't matter if it changed on source, always overwrite if different |
|||
# users should not overwrite these files |
|||
if len(user.ssh_keys) == 0: |
|||
continue |
|||
file = os.path.join(ssh_keys_location, user.name) |
|||
new_content = "".join(line.rstrip() + "\n" for line in user.ssh_keys) |
|||
if os.path.exists(file): |
|||
with open(file) as f: |
|||
old_content = f.read() |
|||
if old_content == new_content: |
|||
continue |
|||
|
|||
if verbose or dry_run: |
|||
print(f"Saving {len(user.ssh_keys)} SSH keys for {user.name}:{user.uid}") |
|||
if not dry_run: |
|||
with open(file, "w") as f: |
|||
f.write(new_content) |
|||
|
|||
def main_args(new_file_path: str, old_file_path: str, ssh_keys_location, marker_group: str, extra_groups: list[str], removed_group: Optional[str], dry_run: bool, verbose: bool): |
|||
if os.getuid() != 0: |
|||
print("WARNING: This script should be executed as root", file=sys.stderr) |
|||
|
|||
new_file = read_file(new_file_path) |
|||
if new_file is None: |
|||
raise Exception(f"File {new_file_path} does not exist") |
|||
old_file = read_file(old_file_path) |
|||
|
|||
if old_file and datetime.datetime.fromisoformat(old_file["timestamp"]) > datetime.datetime.fromisoformat(new_file["timestamp"]): |
|||
raise Exception(f"Old file {old_file_path} is newer than {new_file_path}") |
|||
|
|||
new_users = [UserData(**u) for u in new_file["users"] ] |
|||
old_users = {u["name"]: UserData(**u) for u in old_file["users"] } if old_file else {} |
|||
|
|||
created_users = [u for u in new_users if u.name not in old_users] |
|||
modified_users = [u for u in new_users if u.name in old_users and u != old_users[u.name]] |
|||
removed_users = set(u.name for u in old_users.values() if u.name).difference(u.name for u in new_users) |
|||
|
|||
allowed_users = set(grp.getgrnam(marker_group).gr_mem).union(u.name for u in created_users) |
|||
|
|||
for u in created_users: |
|||
create_user(u, marker_group, extra_groups, dry_run, verbose) |
|||
for u in modified_users: |
|||
if u.name in allowed_users: |
|||
modify_user(old_users[u.name], u, marker_group, dry_run, verbose) |
|||
for u in removed_users: |
|||
if u in allowed_users and removed_group is not None: |
|||
add_group(u, removed_group, dry_run, verbose) |
|||
|
|||
save_keys(new_users, ssh_keys_location, dry_run, verbose) |
|||
|
|||
|
|||
|
|||
def main(): |
|||
parser = argparse.ArgumentParser(description='Creates or modifies users on this machine based on data created by copy_users.py') |
|||
parser.add_argument("--new-file", help="The file generated using collect-users.py script", required=True) |
|||
parser.add_argument("--old-file", help="Files used to compare differences, when script finishes this file is overwritten with new_file", required=True) |
|||
parser.add_argument("--ssh-keys-location", help="Directory where all ssh keys are stored", required=True) |
|||
parser.add_argument("--marker-group", help="Group name to add to users created by this script. Only users with this group will be updated", required=True) |
|||
parser.add_argument("--extra-groups", nargs="+", help="Additional groups") |
|||
parser.add_argument("--removed-group", help="Add this group to users which disappeared from source") |
|||
parser.add_argument("--dry_run", action="store_true", help="Only print which commands would be executed") |
|||
parser.add_argument("--verbose", action="store_true", help="Print debug messages") |
|||
args = parser.parse_args() |
|||
main_args(args.new_file, args.old_file, args.ssh_keys_location, args.marker_group, args.extra_groups, args.removed_group, args.dry_run, args.verbose) |
|||
|
|||
main() |
@ -0,0 +1,103 @@ |
|||
#!/usr/bin/env python3 |
|||
|
|||
import os, sys, argparse, json, datetime, pwd, grp |
|||
from dataclasses import dataclass |
|||
from typing import Optional, Any |
|||
|
|||
@dataclass(frozen=True, order=True) |
|||
class UserInfo: |
|||
uid: int |
|||
name: str |
|||
homedir: str |
|||
|
|||
def __repr__(self) -> str: |
|||
return f"{self.name}:{self.uid}" |
|||
|
|||
@staticmethod |
|||
def create(struct: pwd.struct_passwd) -> 'UserInfo': |
|||
return UserInfo(struct.pw_uid, struct.pw_name, struct.pw_dir) |
|||
|
|||
def get_users(users: list[str], groups: list[str], verbose: bool) -> list[UserInfo]: |
|||
result = [] |
|||
|
|||
for user in users: |
|||
try: |
|||
if user.isdigit(): |
|||
result.append(UserInfo.create(pwd.getpwuid(int(user)))) |
|||
else: |
|||
result.append(UserInfo.create(pwd.getpwnam(user))) |
|||
except KeyError: |
|||
print(f"User {user} does not exist", file=sys.stderr) |
|||
if verbose: |
|||
print(f"Added hardcoded users: {result}") |
|||
|
|||
for group in groups: |
|||
try: |
|||
if group.isdigit(): |
|||
g = grp.getgrgid(int(group)) |
|||
else: |
|||
g = grp.getgrnam(group) |
|||
except KeyError: |
|||
print(f"Group {group} does not exist", file=sys.stderr) |
|||
continue |
|||
|
|||
# gp_mem contains only those members which don't have gid == g.gr_gid |
|||
members = [ UserInfo.create(pwd.getpwnam(member)) for member in g.gr_mem ] |
|||
members.extend(UserInfo.create(p) for p in pwd.getpwall() if p.pw_gid == g.gr_gid) |
|||
if verbose: |
|||
print(f"Added all group '{group}' members: {members}") |
|||
result.extend(members) |
|||
|
|||
return list(sorted(set(result))) |
|||
|
|||
def read_authorized_keys(user: UserInfo) -> list[str]: |
|||
original_uid = os.geteuid() |
|||
try: |
|||
os.seteuid(user.uid) |
|||
keys_file = os.path.join(user.homedir, ".ssh", "authorized_keys") |
|||
if not os.path.exists(keys_file): |
|||
return [] |
|||
with open(keys_file) as f: |
|||
return f.readlines() |
|||
finally: |
|||
os.seteuid(original_uid) |
|||
|
|||
def main_args(user_names: list[str], group_names: list[str], output_file: str, verbose: bool): |
|||
if os.getuid() != 0: |
|||
print("WARNING: This script should be executed as root", file=sys.stderr) |
|||
|
|||
users = get_users(user_names, group_names, verbose) |
|||
|
|||
result = [] |
|||
for user in users: |
|||
user_row: dict[str, Any] = { |
|||
"name": user.name, |
|||
"uid": user.uid, |
|||
} |
|||
try: |
|||
keys = read_authorized_keys(user) |
|||
user_row["keys"] = keys |
|||
if verbose: |
|||
print(f"Read {len(keys)} keys for {user}") |
|||
except Exception as e: |
|||
print(f"Error reading keys for {user}: {e}", file=sys.stderr) |
|||
user_row["failure"] = True |
|||
result.append(user_row) |
|||
|
|||
with open(output_file + ".part", "w") as f: |
|||
json.dump({ |
|||
"users": result, |
|||
"timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(), |
|||
}, f, indent=4) |
|||
os.rename(output_file + ".part", output_file) |
|||
|
|||
def main(): |
|||
parser = argparse.ArgumentParser(description='Collect .ssh/authorized_keys files from a specified list of users') |
|||
parser.add_argument("--users", nargs="+", default=[], help="Collect keys from these users (username or uid)") |
|||
parser.add_argument("--groups", nargs="+", default=[], help="Collect keys from all users in these groups (group name or gid)") |
|||
parser.add_argument("--output", help="Output file to write authorized_keys to", required=True) |
|||
parser.add_argument("--verbose", action="store_true", help="Print debug messages") |
|||
args = parser.parse_args() |
|||
main_args(args.users, args.groups, args.output, args.verbose) |
|||
|
|||
main() |
@ -0,0 +1,94 @@ |
|||
#!/usr/bin/env python3 |
|||
|
|||
import os, sys, argparse, json, datetime, tempfile, pwd, grp, subprocess |
|||
from dataclasses import dataclass, asdict |
|||
from typing import Optional, Any |
|||
|
|||
|
|||
@dataclass(frozen=True) |
|||
class UserData: |
|||
uid: int |
|||
name: str |
|||
homedir: str |
|||
full_name: str |
|||
shell: str |
|||
ssh_keys: list[str] |
|||
|
|||
@staticmethod |
|||
def create(struct: pwd.struct_passwd, ssh_keys: list[str]) -> 'UserData': |
|||
return UserData(struct.pw_uid, struct.pw_name, struct.pw_gecos, struct.pw_shell, struct.pw_dir, []) |
|||
|
|||
def get_userdata(user_file: dict[str, Any], verbose: bool) -> tuple[datetime.datetime, list[UserData]]: |
|||
users: list[dict[str, Any]] = user_file["users"] |
|||
created_at = datetime.datetime.fromisoformat(user_file["timestamp"]) |
|||
now = datetime.datetime.now(datetime.timezone.utc) |
|||
|
|||
if (now - created_at) > datetime.timedelta(days=1): |
|||
print(f"WARNING: The user file is older than 1 day ({created_at=})", file=sys.stderr) |
|||
|
|||
if verbose: |
|||
print(f"Loaded {len(users)} users, datafile age = {now - created_at}") |
|||
|
|||
result = [] |
|||
for user in users: |
|||
uid = int(user["uid"]) |
|||
keys = user["ssh_keys"] |
|||
try: |
|||
struct = pwd.getpwuid(uid) |
|||
except KeyError: |
|||
print(f"User {user['name']}:{uid} does not exist", file=sys.stderr) |
|||
continue |
|||
result.append(UserData.create(struct, keys)) |
|||
return created_at, result |
|||
|
|||
def copy_file(local_path, server, remote_path, verbose): |
|||
cmd = [ "rsync", local_path, f"{server}:{remote_path}" ] |
|||
if verbose: |
|||
cmd.append("--verbose") |
|||
print(f"Executing", *cmd) |
|||
subprocess.check_call(cmd) |
|||
|
|||
def execute_command(server, command, verbose): |
|||
cmd = [ "ssh", server, command ] |
|||
if verbose: |
|||
print(f"Executing", *cmd) |
|||
subprocess.check_call(cmd) |
|||
|
|||
def main_args(keys_file: str, server: str, command: Optional[str], transfer_file: Optional[str], server_transfer_file: str, verbose: bool): |
|||
if os.getuid() == 0: |
|||
print("WARNING: This script should be not executed as root, only collect_keys.py requires that", file=sys.stderr) |
|||
|
|||
with open(keys_file, "r") as f: |
|||
user_list = json.load(f) |
|||
keys_ts, users = get_userdata(user_list, verbose) |
|||
transfer_json = { |
|||
"keys_timestamp": keys_ts.isoformat(), |
|||
"timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(), |
|||
"users": [ asdict(user) for user in users ] |
|||
} |
|||
|
|||
if transfer_file is None: |
|||
with tempfile.NamedTemporaryFile("w") as f: |
|||
json.dump(transfer_json, f) |
|||
f.flush() |
|||
copy_file(f.name, server, server_transfer_file, verbose) |
|||
else: |
|||
with open(transfer_file, "w") as f: |
|||
json.dump(transfer_json, f) |
|||
copy_file(transfer_file, server, server_transfer_file, verbose) |
|||
|
|||
if command is not None: |
|||
execute_command(server, command, verbose) |
|||
|
|||
def main(): |
|||
parser = argparse.ArgumentParser(description='Copies list of users to a remote server') |
|||
parser.add_argument("--keys-file", help="The file generated using collect_keys.py script", required=True) |
|||
parser.add_argument("--server", help="SSH server where to copy the file and execute the command", required=True) |
|||
parser.add_argument("--command", default=None, help="Command to execute on the remote server. Will be executed using default shell of ssh") |
|||
parser.add_argument("--transfer-file", default=None, help="Write the transfer JSON file to this path. Otherwise, temporary file is used.") |
|||
parser.add_argument("--server-transfer-file", help="The file generated using collect_keys.py script", default="/var/ksp-user-sync/new-users.json") |
|||
parser.add_argument("--verbose", action="store_true", help="Print debug messages") |
|||
args = parser.parse_args() |
|||
main_args(args.keys_file, args.server, args.command, args.transfer_file, args.server_transfer_file, args.verbose) |
|||
|
|||
main() |
Loading…
Reference in new issue