
  1. #!/usr/bin/python
  2. #
  3. # Maximilian Wilhelm <max@rfc2324.org>
  4. # -- Mon 23 Jan 2017 12:21:22 AM CET
  5. #
  6. import collections
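def _as_list (value):
    """Normalise a config value to a list for exact-match membership tests.

    A bare string becomes a one-element list so that ``x in value`` is an
    equality test rather than a substring search (``"n1" in "n10"`` would
    otherwise be true); ``None`` (an empty YAML key) becomes an empty list;
    a mapping yields its keys (what ``in`` tested on it before); any other
    value is passed through unchanged.
    """
    if value is None:
        return []
    if isinstance (value, str):
        return [value]
    if isinstance (value, dict):
        return list (value)
    return value


def _ssh_user_allowed (access_config, node_id, node_config, entry_name):
    """Decide whether one user's access entry grants a key entry to this node.

    Args:
        access_config: The value stored under ``access[<username>]`` of a key
            entry. Either the string ``"global"`` or a mapping that may carry
            a ``global`` key, a ``nodes`` list of node ids and/or a ``roles``
            list of role names.
        node_id: Id of the node being rendered.
        node_config: The node's pillar config; its ``roles`` entry is matched
            against ``access_config['roles']``.
        entry_name: Name of the key entry, used only in error messages.

    Returns:
        True if the entry's keys may be installed on this node, else False.

    Raises:
        Exception: If ``node_config`` is not a mapping, or ``access_config``
            is neither the string ``"global"`` nor a mapping.
    """
    # isinstance() also accepts OrderedDict and other dict subclasses the
    # pillar loader may hand us; the original type() list did not.
    if not isinstance (node_config, dict):
        raise Exception ("The pillar node config of node \"%s\" seem to be broken or missing!" % node_id)

    roles = _as_list (node_config.get ('roles', []))

    # A bare string is only valid if it is exactly "global"; any other
    # string is a broken entry, just like a non-mapping value below.
    if isinstance (access_config, str):
        if access_config == "global":
            return True
        raise Exception ("SSH configuration for entry %s seems broken!" % (entry_name))

    if not isinstance (access_config, dict):
        raise Exception ("SSH configuration for entry %s seems broken!" % (entry_name))

    # A "global" key inside the mapping grants the entry on every node.
    if "global" in access_config:
        return True

    # Explicit grant for this node id (exact match, see _as_list).
    if node_id in _as_list (access_config.get ('nodes', {})):
        return True

    # Grant by role: any allowed role that the node also carries.
    allowed_roles = _as_list (access_config.get ('roles', []))
    return any (allowed_role in roles for allowed_role in allowed_roles)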
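def get_ssh_authkeys (ssh_config, node_config, node_id, username):
    """Collect the public keys *username* may use to log in to *node_id*.

    Args:
        ssh_config: Pillar SSH config; ``ssh_config['keys']`` maps an entry
            name to a mapping with optional ``access`` (username -> access
            spec, evaluated by ``_ssh_user_allowed``) and ``pubkeys`` (list
            of public key strings).
        node_config: Pillar config of the node, passed through to
            ``_ssh_user_allowed``.
        node_id: Id of the node being rendered.
        username: The local account the keys are collected for.

    Returns:
        A sorted list of distinct public keys. Key entries without an
        ``access`` item for *username* contribute nothing, as do entries
        whose access spec does not cover this node.

    Raises:
        KeyError: If ``ssh_config`` has no ``keys`` item.
        Exception: Propagated from ``_ssh_user_allowed`` for broken entries.
    """
    auth_keys = set ()

    for entry_name, entry in ssh_config['keys'].items ():
        # An empty YAML "access:" arrives as None; treat it like no access.
        access = entry.get ('access') or {}

        # No access spec for this user on this key entry -> nothing to add.
        if username not in access:
            continue

        if _ssh_user_allowed (access[username], node_id, node_config, entry_name):
            # The set drops duplicate keys shared between several entries;
            # an empty "pubkeys:" (None) contributes nothing.
            auth_keys.update (entry.get ('pubkeys') or [])

    return sorted (auth_keys)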