Yuvipanda has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/249024

Change subject: ssh: Allow direct login as servicegroups
......................................................................

ssh: Allow direct login as servicegroups

It can be turned on via sshd config if necessary. It isn't actually
turned on anywhere at the moment, since passing arguments to the
command requires OpenSSH 6.9.

Bug: T113979
Change-Id: Iec3b944cfd0cf095cbc22554b5a8ba99d1262510
---
M modules/ldap/files/scripts/ssh-key-ldap-lookup
1 file changed, 37 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/24/249024/1

diff --git a/modules/ldap/files/scripts/ssh-key-ldap-lookup 
b/modules/ldap/files/scripts/ssh-key-ldap-lookup
index d5c0f92..6faad48 100755
--- a/modules/ldap/files/scripts/ssh-key-ldap-lookup
+++ b/modules/ldap/files/scripts/ssh-key-ldap-lookup
@@ -24,6 +24,9 @@
 import yaml
 import argparse
 
+with open('/etc/wmflabs-project') as f:
+    PROJECT_NAME = f.read().strip()
+
 
 def connect(server, username, password):
     conn = ldap.initialize('ldap://%s:389' % server)
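Review bot: The unconditional `open('/etc/wmflabs-project')` on the three added module-level lines turns a missing file into a traceback at import time, so on any host that lacks it every key lookup fails — including plain user logins that never pass the new flag — before argparse even runs. If this script is wired as sshd's AuthorizedKeysCommand, as the commit message implies, that is a hard lockout of LDAP ssh access on such hosts rather than a disabled feature. Tolerate the file's absence here and have the service-group branch in main() (second hunk) require `PROJECT_NAME is not None` before using the prefix; the script appears to be Python 2 (`print key.strip()`), hence `IOError`.
```python
try:
    with open('/etc/wmflabs-project') as f:
        PROJECT_NAME = f.read().strip()
except IOError:
    # not a Labs instance: service-group login is simply unavailable
    PROJECT_NAME = None
```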
@@ -33,26 +36,55 @@
     return conn
 
 
-def get_keys(conn, basedn, username):
+def get_user_keys(conn, user):
     response = conn.search_s(
-        'ou=people,%s' % basedn,
-        ldap.SCOPE_SUBTREE,
-        '(uid=%s)' % username
+        user,
+        ldap.SCOPE_BASE
     )
     for _, user in response:
         return user['sshPublicKey']
 
 
+def get_group_keys(conn, groupname):
+    response = conn.search_s(
+        groupname,
+        ldap.SCOPE_BASE
+    )
+    # only one service group can have that name
+    assert len(response) <= 1
+    if response:
+        sg = response[0][1]
+        keys = []
+        for member in sg['member']:
+            keys += get_user_keys(conn, member)
+        return keys
+    else:
+        return []
+
+
 def main():
     parser = argparse.ArgumentParser()
     parser.add_argument('username', help='Username to list ssh keys for')
+    parser.add_argument(
+        '--enable-servicegroups',
+        action='store_true',
+        default=False,
+        help='Allow direct ssh login for service groups',
+    )
     args = parser.parse_args()
 
     with open('/etc/ldap.yaml') as f:
         config = yaml.safe_load(f)
 
     conn = connect(config['servers'][0], config['user'], config['password'])
-    keys = get_keys(conn, config['basedn'], args.username)
+    if args.enable_servicegroups and args.username.startswith(PROJECT_NAME + 
'.'):
+        groupname = 'cn=%s,ou=servicegroups,%s' % (
+            args.username, config['basedn']
+        )
+        keys = get_group_keys(conn, groupname)
+    else:
+        username = 'uid=%s,ou=people,%s' % (args.username, config['basedn'])
+        keys = get_user_keys(conn, username)
     for key in keys:
         # Some keys have an accidental newline at the end, see T77902
         print key.strip()
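Review bot: `args.username` is spliced raw into a DN in both branches of main() (`'cn=%s,ou=servicegroups,%s'` and `'uid=%s,ou=people,%s'`); when sshd invokes this as AuthorizedKeysCommand the value is the client-supplied login name, so it should go through `ldap.dn.escape_dn_chars` before being used as an RDN value — the fixed suffix limits how far an injected `,` or `+` can move the lookup, but it is cheap to rule out entirely. The group path is also brittle in a way that locks out a whole service group: `get_user_keys` does `user['sshPublicKey']` (KeyError for a member without a key) and returns `None` when the search yields nothing (so `keys += ...` raises TypeError), and `sg['member']` raises on a group with no members; use `.get(..., [])` in both places. Note too that `search_s` with `SCOPE_BASE` on a non-existent DN raises `ldap.NO_SUCH_OBJECT` rather than returning an empty list, so the `else: return []` branch in `get_group_keys` looks unreachable, and the `assert` there is stripped under `-O`; the failure still closes (non-zero exit, no keys), but it shows up as a traceback in the auth log rather than a clean empty result.
```python
def get_user_keys(conn, user):
    # … unchanged: SCOPE_BASE search …
    for _, entry in response:
        # a member with no key must not abort a whole service-group lookup
        return entry.get('sshPublicKey', [])
    return []


def get_group_keys(conn, groupname):
    # … unchanged: SCOPE_BASE search and single-result check …
        # an empty group carries no 'member' attribute at all
        for member in sg.get('member', []):
            keys += get_user_keys(conn, member)
    # … unchanged …


def main():
    # … unchanged: argument parsing, config, connect …
    # sshd hands us the client-supplied login name; never splice it raw into a DN
    safe_name = ldap.dn.escape_dn_chars(args.username)
    if args.enable_servicegroups and args.username.startswith(PROJECT_NAME + '.'):
        groupname = 'cn=%s,ou=servicegroups,%s' % (safe_name, config['basedn'])
        keys = get_group_keys(conn, groupname)
    else:
        username = 'uid=%s,ou=people,%s' % (safe_name, config['basedn'])
        keys = get_user_keys(conn, username)
    # … unchanged: print loop …
```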


Gerrit-MessageType: newchange
Gerrit-Change-Id: Iec3b944cfd0cf095cbc22554b5a8ba99d1262510
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
