1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 |
- #!/usr/bin/python
- #
- # Maximilian Wilhelm <max@rfc2324.org>
- # -- Mon 23 Jan 2017 12:21:22 AM CET
- #
- import collections
- def _ssh_user_allowed (access_config, node_id, node_config, entry_name):
- if type (node_config) not in [ dict, collections.OrderedDict ]:
- raise Exception ("The pillar node config of node \"%s\" seem to be broken or missing!" % node_id)
- roles = node_config.get ('roles', [])
- # Access config for the given user is the string "global"
- if type (access_config) == str:
- if access_config == "global":
- return True
- if type (access_config) not in [ dict, collections.OrderedDict ]:
- raise Exception ("SSH configuration for entry %s seems broken!" % (entry_name))
- # String "global" found in the access config?
- elif "global" in access_config:
- return True
- # Is there an entry for this node_id in the 'nodes' list?
- elif node_id in access_config.get ('nodes', {}):
- return True
- # Should the key be allowed for any of the roles configured for this node?
- for allowed_role in access_config.get ('roles', []):
- if allowed_role in roles:
- return True
- return False
- def get_ssh_authkeys (ssh_config, node_config, node_id, username):
- auth_keys = []
- for entry_name, entry in ssh_config['keys'].items ():
- access = entry.get ('access', {})
- add_keys = False
- # Skip this key if there's no entry for the given username
- if username not in access:
- continue
- user_access = access.get (username)
- if _ssh_user_allowed (user_access, node_id, node_config, entry_name):
- for key in entry.get ('pubkeys', []):
- if key not in auth_keys:
- auth_keys.append (key)
- return sorted (auth_keys)