mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2024-09-14 20:13:21 +02:00 
			
		
		
		
	Three changes: * Add set_default_selinux_context() to module_common that sets a file's context according to the defaults in the policy * In atomic_replace(), set the default context for the file if selinux is enabled and the destination file does not exist. * In authorized_key, set the default context when creating $HOME/.ssh and $HOME/.ssh/authorized_keys. If these already exist, this won't touch them.
		
			
				
	
	
		
			183 lines
		
	
	
	
		
			5.6 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			183 lines
		
	
	
	
		
			5.6 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| """
 | |
| Ansible module to add authorized_keys for ssh logins.
 | |
| (c) 2012, Brad Olson <brado@movedbylight.com>
 | |
| 
 | |
| This file is part of Ansible
 | |
| 
 | |
| Ansible is free software: you can redistribute it and/or modify
 | |
| it under the terms of the GNU General Public License as published by
 | |
| the Free Software Foundation, either version 3 of the License, or
 | |
| (at your option) any later version.
 | |
| 
 | |
| Ansible is distributed in the hope that it will be useful,
 | |
| but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| GNU General Public License for more details.
 | |
| 
 | |
| You should have received a copy of the GNU General Public License
 | |
| along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 | |
| """
 | |
| 
 | |
| DOCUMENTATION = '''
 | |
| ---
 | |
| module: authorized_key
 | |
| short_description: Adds or removes an SSH authorized key
 | |
| description:
 | |
|      - Adds or removes an SSH authorized key for a user from a remote host.
 | |
| version_added: "0.5"
 | |
| options:
 | |
|   user:
 | |
|     description:
 | |
|       - Name of the user who should have access to the remote host
 | |
|     required: true
 | |
|     default: null
 | |
|     aliases: []
 | |
|   key:
 | |
|     description:
 | |
|       - the SSH public key, as a string
 | |
|     required: true
 | |
|     default: null
 | |
|   state:
 | |
|     description:
 | |
|       - whether the given key should or should not be in the file
 | |
|     required: false
 | |
|     choices: [ "present", "absent" ]
 | |
|     default: "present"
 | |
| examples:
 | |
|    - code: 'authorized_key: user=charlie key="ssh-dss ASDF1234L+8BTwaRYr/rycsBF1D8e5pTxEsXHQs4iq+mZdyWqlW++L6pMiam1A8yweP+rKtgjK2httVS6GigVsuWWfOd7/sdWippefq74nppVUELHPKkaIOjJNN1zUHFoL/YMwAAAEBALnAsQN10TNGsRDe5arBsW8cTOjqLyYBcIqgPYTZW8zENErFxt7ij3fW3Jh/sCpnmy8rkS7FyK8ULX0PEy/2yDx8/5rXgMIICbRH/XaBy9Ud5bRBFVkEDu/r+rXP33wFPHjWjwvHAtfci1NRBAudQI/98DbcGQw5HmE89CjgZRo5ktkC5yu/8agEPocVjdHyZr7PaHfxZGUDGKtGRL2QzRYukCmWo1cZbMBHcI5FzImvTHS9/8B3SATjXMPgbfBuEeBwuBK5EjL+CtHY5bWs9kmYjmeo0KfUMH8hY4MAXDoKhQ7DhBPIrcjS5jPtoGxIREZjba67r6/P2XKXaCZH6Fc= charlie@example.org 2011-01-17"'
 | |
|      description: "Example from Ansible Playbooks"
 | |
|    - code: "authorized_key: user=charlie key='$FILE(/home/charlie/.ssh/id_rsa.pub)'"
 | |
|      description: "Shorthand available in Ansible 0.8 and later"
 | |
| author: Brad Olson
 | |
| '''
 | |
| 
 | |
| # Makes sure the public key line is present or absent in the user's .ssh/authorized_keys.
 | |
| #
 | |
| # Arguments
 | |
| # =========
 | |
| #    user = username
 | |
| #    key = line to add to authorized_keys for user
 | |
| #    state = absent|present (default: present)
 | |
| #
 | |
| # see example in examples/playbooks
 | |
| 
 | |
| import sys
 | |
| import os
 | |
| import pwd
 | |
| import os.path
 | |
| import tempfile
 | |
| import shutil
 | |
| 
 | |
| def keyfile(module, user, write=False):
 | |
|     """
 | |
|     Calculate name of authorized keys file, optionally creating the
 | |
|     directories and file, properly setting permissions.
 | |
| 
 | |
|     :param str user: name of user in passwd file
 | |
|     :param bool write: if True, write changes to authorized_keys file (creating directories if needed)
 | |
|     :return: full path string to authorized_keys for user
 | |
|     """
 | |
| 
 | |
|     try:
 | |
|         user_entry = pwd.getpwnam(user)
 | |
|     except KeyError, e:
 | |
|         module.fail_json(msg="Failed to lookup user %s: %s" % (user, str(e)))
 | |
|     homedir    = user_entry.pw_dir
 | |
|     sshdir     = os.path.join(homedir, ".ssh")
 | |
|     keysfile   = os.path.join(sshdir, "authorized_keys")
 | |
| 
 | |
|     if not write:
 | |
|         return keysfile
 | |
| 
 | |
|     uid = user_entry.pw_uid
 | |
|     gid = user_entry.pw_gid
 | |
| 
 | |
|     if not os.path.exists(sshdir):
 | |
|         os.mkdir(sshdir, 0700)
 | |
|         if module.selinux_enabled():
 | |
|             module.set_default_selinux_context(sshdir, False)
 | |
|     os.chown(sshdir, uid, gid)
 | |
|     os.chmod(sshdir, 0700)
 | |
| 
 | |
|     if not os.path.exists( keysfile):
 | |
|         try:
 | |
|             f = open(keysfile, "w") #touches file so we can set ownership and perms
 | |
|         finally:
 | |
|             f.close()
 | |
|         if module.selinux_enabled():
 | |
|             module.set_default_selinux_context(keysfile, False)
 | |
| 
 | |
|     os.chown(keysfile, uid, gid)
 | |
|     os.chmod(keysfile, 0600)
 | |
|     return keysfile
 | |
| 
 | |
| def readkeys(filename):
 | |
| 
 | |
|     if not os.path.isfile(filename):
 | |
|         return []
 | |
|     f = open(filename)
 | |
|     keys = [line.rstrip() for line in f.readlines()]
 | |
|     f.close()
 | |
|     return keys
 | |
| 
 | |
| def writekeys(module, filename, keys):
 | |
| 
 | |
|     fd, tmp_path = tempfile.mkstemp('', 'tmp', os.path.dirname(filename))
 | |
|     f = open(tmp_path,"w")
 | |
|     try:
 | |
|         f.writelines( (key + "\n" for key in keys) )
 | |
|     except IOError, e:
 | |
|         module.fail_json(msg="Failed to write to file %s: %s" % (tmp_path, str(e)))
 | |
|     f.close()
 | |
|     module.atomic_replace(tmp_path, filename)
 | |
| 
 | |
| def enforce_state(module, params):
 | |
|     """
 | |
|     Add or remove key.
 | |
|     """
 | |
| 
 | |
|     user  = params["user"]
 | |
|     key   = params["key"]
 | |
|     state = params.get("state", "present")
 | |
| 
 | |
|     # check current state -- just get the filename, don't create file
 | |
|     params["keyfile"] = keyfile(module, user, write=False)
 | |
|     keys = readkeys(params["keyfile"])
 | |
|     present = key in keys
 | |
| 
 | |
|     # handle idempotent state=present
 | |
|     if state=="present":
 | |
|         if present:
 | |
|             module.exit_json(changed=False)
 | |
|         keys.append(key)
 | |
|         writekeys(module, keyfile(module, user,write=True), keys)
 | |
| 
 | |
|     elif state=="absent":
 | |
|         if not present:
 | |
|             module.exit_json(changed=False)
 | |
|         keys.remove(key)
 | |
|         writekeys(module, keyfile(module, user,write=True), keys)
 | |
| 
 | |
|     params['changed'] = True
 | |
|     return params
 | |
| 
 | |
| def main():
 | |
| 
 | |
|     module = AnsibleModule(
 | |
|         argument_spec = dict(
 | |
|            user  = dict(required=True),
 | |
|            key   = dict(required=True),
 | |
|            state = dict(default='present', choices=['absent','present'])
 | |
|         )
 | |
|     )
 | |
| 
 | |
|     params = module.params
 | |
|     results = enforce_state(module, module.params)
 | |
|     module.exit_json(**results)
 | |
| 
 | |
| # this is magic, see lib/ansible/module_common.py
 | |
| #<<INCLUDE_ANSIBLE_MODULE_COMMON>>
 | |
| main()
 |