
  1. #!/usr/bin/python
  2. #
  3. # Maximilian Wilhelm <max@rfc2324.org>
  4. # -- Mon 23 Jan 2017 12:21:22 AM CET
  5. #
  6. import collections
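def _as_list (value):
    """Normalise a config value so membership tests compare whole elements.

    None (an empty YAML key) becomes [], a list/tuple/set is copied, a dict
    contributes its keys, and any other scalar (a bare string, typically)
    becomes a one-element list.

    This matters for security: ``x in value`` on a *string* is a substring
    search, so a rule written as ``nodes: gw01`` would otherwise match
    node_id ``gw0`` and hand out a key to the wrong host.
    """
    if value is None:
        return []
    if isinstance (value, (list, tuple, set, frozenset)):
        return list (value)
    if isinstance (value, dict):
        return list (value.keys ())
    return [value]


def _ssh_user_allowed (access_config, node_id, node_config, entry_name):
    """Decide whether one key entry's access rule for a user covers this node.

    ``access_config`` is the per-user value found under a key entry's
    ``access`` mapping. Accepted shapes:

      * the string ``"global"``                 -> allowed on every node
      * a dict containing the key ``"global"``  -> allowed on every node
      * a dict with ``nodes`` (node ids)        -> allowed if node_id is listed
      * a dict with ``roles`` (role names)      -> allowed if the node has any
        of the listed roles (taken from ``node_config['roles']``)

    Anything else (a mistyped string such as "globl", a list, None, ...)
    raises Exception so that a broken rule fails closed and is noticed,
    instead of silently granting or denying access. ``entry_name`` is only
    used in that error message.

    Returns True if the key may be deployed for this user on this node,
    False otherwise.
    """
    # The bare string "global" is the only scalar rule we accept. Comparing
    # by value (not type) also accepts a unicode "global" on Python 2.
    if access_config == "global":
        return True

    # OrderedDict is a dict subclass, so order-preserving YAML loaders pass.
    if not isinstance (access_config, dict):
        raise Exception ("SSH configuration for entry %s seems broken!" % (entry_name))

    # A "global" key anywhere in the rule grants the key on every node.
    if "global" in access_config:
        return True

    # Exact-element match on node ids; see _as_list for why a scalar
    # 'nodes:' value must not be searched as a substring.
    if node_id in _as_list (access_config.get ('nodes')):
        return True

    # Allowed if any role named in the rule is configured for this node.
    node_roles = _as_list (node_config.get ('roles'))
    allowed_roles = _as_list (access_config.get ('roles'))
    return any (role in node_roles for role in allowed_roles)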
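def get_ssh_authkeys (ssh_config, node_config, node_id, username):
    """Collect the SSH public keys to deploy for ``username`` on ``node_id``.

    Walks every entry in ``ssh_config['keys']``. An entry contributes its
    ``pubkeys`` when its ``access`` mapping has a rule for ``username`` and
    _ssh_user_allowed() accepts that rule for this node. The keys are
    de-duplicated and returned sorted, so the result is deterministic for
    callers that compare or write it out.

    Raises whatever _ssh_user_allowed() raises for a malformed rule, and
    Exception for an entry whose ``access`` is not a mapping: one broken
    entry aborts key generation for this user rather than being skipped
    (fail closed). A missing ``keys`` section raises KeyError on purpose --
    returning [] there would let a broken config strip every key from the
    user's authorized keys.
    """
    auth_keys = set ()

    for entry_name, entry in ssh_config['keys'].items ():
        # An entry without 'access' (or with an empty one) is granted to nobody.
        access = entry.get ('access') or {}
        if not isinstance (access, dict):
            raise Exception ("SSH configuration for entry %s seems broken!" % (entry_name))

        # Skip this key if there's no rule for the given username.
        if username not in access:
            continue

        if not _ssh_user_allowed (access.get (username), node_id, node_config, entry_name):
            continue

        # Accept a single key written as a scalar as well as a list;
        # iterating a bare string would otherwise add its characters.
        pubkeys = entry.get ('pubkeys') or []
        if isinstance (pubkeys, str):
            pubkeys = [pubkeys]
        auth_keys.update (pubkeys)

    return sorted (auth_keys)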