##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
ssh: rollback temp changes as it creates even more problems with cross drive linking
super-admin -
r4840:01f10166 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,133 +1,133 b''
1 1 # -*- coding: utf-8 -*-
2 2
3 3 # Copyright (C) 2016-2020 RhodeCode GmbH
4 4 #
5 5 # This program is free software: you can redistribute it and/or modify
6 6 # it under the terms of the GNU Affero General Public License, version 3
7 7 # (only), as published by the Free Software Foundation.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU Affero General Public License
15 15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 16 #
17 17 # This program is dual-licensed. If you wish to learn more about the
18 18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20 20
21 21 import os
22 22 import stat
23 23 import logging
24 24 import tempfile
25 25 import datetime
26 26
27 27 from . import config_keys
28 28 from rhodecode.model.db import true, joinedload, User, UserSshKeys
29 29
30 30
31 31 log = logging.getLogger(__name__)
32 32
33 33 HEADER = \
34 34 "# This file is managed by RhodeCode, please do not edit it manually. # \n" \
35 35 "# Current entries: {}, create date: UTC:{}.\n"
36 36
37 37 # Default SSH options for authorized_keys file, can be override via .ini
38 38 SSH_OPTS = 'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
39 39
40 40
41 41 def get_all_active_keys():
42 42 result = UserSshKeys.query() \
43 43 .options(joinedload(UserSshKeys.user)) \
44 44 .filter(UserSshKeys.user != User.get_default_user()) \
45 45 .filter(User.active == true()) \
46 46 .all()
47 47 return result
48 48
49 49
50 50 def _generate_ssh_authorized_keys_file(
51 51 authorized_keys_file_path, ssh_wrapper_cmd, allow_shell, ssh_opts, debug):
52 52 import rhodecode
53 53
54 54 authorized_keys_file_path = os.path.abspath(
55 55 os.path.expanduser(authorized_keys_file_path))
56 tmp_file_dir = tempfile.gettempdir()
56 tmp_file_dir = os.path.dirname(authorized_keys_file_path)
57 57
58 58 all_active_keys = get_all_active_keys()
59 59
60 60 if allow_shell:
61 61 ssh_wrapper_cmd = ssh_wrapper_cmd + ' --shell'
62 62 if debug:
63 63 ssh_wrapper_cmd = ssh_wrapper_cmd + ' --debug'
64 64
65 65 if not os.path.isfile(authorized_keys_file_path):
66 66 log.debug('Creating file at %s', authorized_keys_file_path)
67 67 with open(authorized_keys_file_path, 'w'):
68 68 pass
69 69
70 70 if not os.access(authorized_keys_file_path, os.R_OK):
71 71 raise OSError('Access to file {} is without read access'.format(
72 72 authorized_keys_file_path))
73 73
74 74 line_tmpl = '{ssh_opts},command="{wrapper_command} {ini_path} --user-id={user_id} --user={user} --key-id={user_key_id}" {key}\n'
75 75
76 76 fd, tmp_authorized_keys = tempfile.mkstemp(
77 77 '.authorized_keys_write_operation',
78 78 dir=tmp_file_dir)
79 79
80 80 now = datetime.datetime.utcnow().isoformat()
81 81 keys_file = os.fdopen(fd, 'wb')
82 82 keys_file.write(HEADER.format(len(all_active_keys), now))
83 83 ini_path = rhodecode.CONFIG['__file__']
84 84
85 85 for user_key in all_active_keys:
86 86 username = user_key.user.username
87 87 user_id = user_key.user.user_id
88 88 # replace all newline from ends and inside
89 89 safe_key_data = user_key.ssh_key_data\
90 90 .strip()\
91 91 .replace('\n', ' ') \
92 92 .replace('\t', ' ') \
93 93 .replace('\r', ' ')
94 94
95 95 line = line_tmpl.format(
96 96 ssh_opts=ssh_opts or SSH_OPTS,
97 97 wrapper_command=ssh_wrapper_cmd,
98 98 ini_path=ini_path,
99 99 user_id=user_id,
100 100 user=username,
101 101 user_key_id=user_key.ssh_key_id,
102 102 key=safe_key_data)
103 103
104 104 keys_file.write(line)
105 105 log.debug('addkey: Key added for user: `%s`', username)
106 106 keys_file.close()
107 107
108 108 # Explicitly setting read-only permissions to authorized_keys
109 109 os.chmod(tmp_authorized_keys, stat.S_IRUSR | stat.S_IWUSR)
110 110 # Rename is atomic operation
111 111 os.rename(tmp_authorized_keys, authorized_keys_file_path)
112 112
113 113
114 114 def generate_ssh_authorized_keys_file(registry):
115 115 log.info('Generating new authorized key file')
116 116
117 117 authorized_keys_file_path = registry.settings.get(
118 118 config_keys.authorized_keys_file_path)
119 119
120 120 ssh_wrapper_cmd = registry.settings.get(
121 121 config_keys.wrapper_cmd)
122 122 allow_shell = registry.settings.get(
123 123 config_keys.wrapper_allow_shell)
124 124 ssh_opts = registry.settings.get(
125 125 config_keys.authorized_keys_line_ssh_opts)
126 126 debug = registry.settings.get(
127 127 config_keys.enable_debug_logging)
128 128
129 129 _generate_ssh_authorized_keys_file(
130 130 authorized_keys_file_path, ssh_wrapper_cmd, allow_shell, ssh_opts,
131 131 debug)
132 132
133 133 return 0
General Comments 0
You need to be logged in to leave comments. Login now