From dab1d03d81c538966d03fb9318a4588a9e803b44 Mon Sep 17 00:00:00 2001
From: Sol Jerome
Date: Sat, 24 Mar 2012 11:20:07 -0500
Subject: Allow to run directly from a git checkout (#1037)

Signed-off-by: Sol Jerome
---
 src/lib/Bcfg2/Server/Plugins/Account.py | 101 ++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 src/lib/Bcfg2/Server/Plugins/Account.py
(limited to 'src/lib/Bcfg2/Server/Plugins/Account.py')
diff --git a/src/lib/Bcfg2/Server/Plugins/Account.py b/src/lib/Bcfg2/Server/Plugins/Account.py
new file mode 100644
index 000000000..f2703dccb
--- /dev/null
+++ b/src/lib/Bcfg2/Server/Plugins/Account.py
@@ -0,0 +1,101 @@ +"""This handles authentication setup.""" + +import Bcfg2.Server.Plugin + + +class Account(Bcfg2.Server.Plugin.Plugin, + Bcfg2.Server.Plugin.Generator): + """This module generates account config files, + based on an internal data repo: + static.(passwd|group|limits.conf) -> static entries + dyn.(passwd|group) -> dynamic entries (usually acquired from yp or somesuch) + useraccess -> users to be granted login access on some hosts + superusers -> users to be granted root privs on all hosts + rootlike -> users to be granted root privs on some hosts + + """ + name = 'Account' + __author__ = 'bcfg-dev@mcs.anl.gov' + + def __init__(self, core, datastore): + Bcfg2.Server.Plugin.Plugin.__init__(self, core, datastore) + Bcfg2.Server.Plugin.Generator.__init__(self) + self.Entries = {'ConfigFile': {'/etc/passwd': self.from_yp_cb, + '/etc/group': self.from_yp_cb, + '/etc/security/limits.conf': self.gen_limits_cb, + '/root/.ssh/authorized_keys': self.gen_root_keys_cb, + '/etc/sudoers': self.gen_sudoers}} + try: + self.repository = Bcfg2.Server.Plugin.DirectoryBacked(self.data, + self.core.fam) + except: + self.logger.error("Failed to load repos: %s, %s" % \ + (self.data, "%s/ssh" % (self.data))) + raise Bcfg2.Server.Plugin.PluginInitError + + def from_yp_cb(self, entry, metadata): + """Build password file from cached yp data.""" + fname = entry.attrib['name'].split('/')[-1] + entry.text = self.repository.entries["static.%s" % (fname)].data + entry.text += self.repository.entries["dyn.%s" % (fname)].data + perms = {'owner': 'root', + 'group': 'root', + 'perms': '0644'} + [entry.attrib.__setitem__(key, value) for (key, value) in \ + list(perms.items())] + + def gen_limits_cb(self, entry, metadata): + """Build limits entries based on current ACLs.""" + entry.text = self.repository.entries["static.limits.conf"].data + superusers = self.repository.entries["superusers"].data.split() + useraccess = [line.split(':') for line in \ + 
self.repository.entries["useraccess"].data.split()] + users = [user for (user, host) in \ + useraccess if host == metadata.hostname.split('.')[0]] + perms = {'owner': 'root', + 'group': 'root', + 'perms': '0600'} + [entry.attrib.__setitem__(key, value) for (key, value) in \ + list(perms.items())] + entry.text += "".join(["%s hard maxlogins 1024\n" % uname for uname in superusers + users]) + if "*" not in users: + entry.text += "* hard maxlogins 0\n" + + def gen_root_keys_cb(self, entry, metadata): + """Build root authorized keys file based on current ACLs.""" + superusers = self.repository.entries['superusers'].data.split() + try: + rootlike = [line.split(':', 1) for line in \ + self.repository.entries['rootlike'].data.split()] + superusers += [user for (user, host) in rootlike \ + if host == metadata.hostname.split('.')[0]] + except: + pass + rdata = self.repository.entries + entry.text = "".join([rdata["%s.key" % user].data for user \ + in superusers if \ + ("%s.key" % user) in rdata]) + perms = {'owner': 'root', + 'group': 'root', + 'perms': '0600'} + [entry.attrib.__setitem__(key, value) for (key, value) \ + in list(perms.items())] + + def gen_sudoers(self, entry, metadata): + """Build root authorized keys file based on current ACLs.""" + superusers = self.repository.entries['superusers'].data.split() + try: + rootlike = [line.split(':', 1) for line in \ + self.repository.entries['rootlike'].data.split()] + superusers += [user for (user, host) in rootlike \ + if host == metadata.hostname.split('.')[0]] + except: + pass + entry.text = self.repository.entries['static.sudoers'].data + entry.text += "".join(["%s ALL=(ALL) ALL\n" % uname \ + for uname in superusers]) + perms = {'owner': 'root', + 'group': 'root', + 'perms': '0440'} + [entry.attrib.__setitem__(key, value) for (key, value) \ + in list(perms.items())] -- cgit v1.2.3-1-g7c22