Home Explore Help
Sign In
RISCI_ATOM
/
pagure
mirror of https://pagure.io/pagure.git
1
0
Fork 0
Files Issues 3 Wiki
Tree: 3a32d9e38d
Branches Tags
pagure
/
files
/
keyhelper.py

keyhelper.py 2.4 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. #!/usr/bin/env python
    2. 

  2. # -*- coding: utf-8 -*-
    3. 

  3. 

  4. """
    5. 

  5.  (c) 2014-2018 - Copyright Red Hat Inc
    6. 

  6. 

  7.  Authors:
    8. 

  8.    Patrick Uiterwijk <puiterwijk@redhat.com>
    9. 

  9. 

  10. """
    11. 

  11. 

  12. from __future__ import unicode_literals, print_function, absolute_import
    13. 

  13. 

  14. import sys
    15. 

  15. import os
    16. 

  16. 

  17. import requests
    18. 

  18. 

  19. # Since this is run by sshd, we don't have a way to set environment
    20. 

  20. # variables ahead of time
    21. 

  21. if "PAGURE_CONFIG" not in os.environ and os.path.exists(
    22. 

  22.     "/etc/pagure/pagure.cfg"
    23. 

  23. ):
    24. 

  24.     os.environ["PAGURE_CONFIG"] = "/etc/pagure/pagure.cfg"
    25. 

  25. 

  26. # Here starts the code
    27. 

  27. from pagure.config import config as pagure_config
    28. 

  28. 

  29. 

  30. # Get the arguments
    31. 

  31. # Expect sshd config:
    32. 

  32. # AuthorizedKeysCommand: <scriptpath> "%u" "%h" "%t" "%f"
    33. 

  33. # <us> <username> <homedir> <keytype> <fingerprint>
    34. 

  34. # At this moment, we ignore the homedir and fingerprint, since looking
    35. 

  35. # up a key by fingerprint would require some model changes (ssh keys would
    36. 

  36. #   need to be stored in a fashion like DeployKeys).
    37. 

  37. # But to not break installations in the future, we should ask installations
    38. 

  38. # to set up sshd in a way that it will work if we use them in the future.
    39. 

  39. if len(sys.argv) < 5:
    40. 

  40.     print("Invalid call, too few arguments", file=sys.stderr)
    41. 

  41.     sys.exit(1)
    42. 

  42. 

  43. 

  44. username, userhome, keytype, fingerprint = sys.argv[1:5]
    45. 

  45. username_lookup = pagure_config["SSH_KEYS_USERNAME_LOOKUP"]
    46. 

  46. expect_username = pagure_config["SSH_KEYS_USERNAME_EXPECT"]
    47. 

  47. 

  48. 

  49. if username in pagure_config["SSH_KEYS_USERNAME_FORBIDDEN"]:
    50. 

  50.     print("User is forbidden for keyhelper.", file=sys.stderr)
    51. 

  51.     sys.exit(1)
    52. 

  52. 

  53. 

  54. if not username_lookup:
    55. 

  55.     if not expect_username:
    56. 

  56.         print("Pagure keyhelper configured incorrectly", file=sys.stderr)
    57. 

  57.         sys.exit(1)
    58. 

  58. 

  59.     if username != expect_username:
    60. 

  60.         # Nothing to look up, this user is not git-related
    61. 

  61.         sys.exit(0)
    62. 

  62. 

  63. 

  64. pagure_url = pagure_config["APP_URL"].rstrip("/")
    65. 

  65. url = "%s/pv/ssh/lookupkey/" % pagure_url
    66. 

  66. data = {"search_key": fingerprint}
    67. 

  67. if username_lookup:
    68. 

  68.     data["username"] = username
    69. 

  69. headers = {}
    70. 

  70. if pagure_config.get("SSH_ADMIN_TOKEN"):
    71. 

  71.     headers["Authorization"] = "token %s" % pagure_config["SSH_ADMIN_TOKEN"]
    72. 

  72. resp = requests.post(url, data=data, headers=headers)
    73. 

  73. if not resp.status_code == 200:
    74. 

  74.     print(
    75. 

  75.         "Error during lookup request: status: %s" % resp.status_code,
    76. 

  76.         file=sys.stderr,
    77. 

  77.     )
    78. 

  78.     sys.exit(1)
    79. 

  79. 

  80. result = resp.json()
    81. 

  81. 

  82. if not result["found"]:
    83. 

  83.     # Everything OK, key just didn't exist.
    84. 

  84.     sys.exit(0)
    85. 

  85. 

  86. print(
    87. 

  87.     "%s %s"
    88. 

  88.     % (pagure_config["SSH_KEYS_OPTIONS"] % result, result["public_key"])
    89. 

  89. )
    90.