changeset 50a4668f37de in tryton-tools:default
details: https://hg.tryton.org/tryton-tools?cmd=changeset;node=50a4668f37de
description:
        Generate ssh authorized_keys file from roundup

        issue9158
        review306431002
diffstat:

 roundup_sshkeys.py |  64 ++++++++++++++++++++---------------------------------
 1 files changed, 24 insertions(+), 40 deletions(-)

diffs (94 lines):

diff -r f578e09cb16a -r 50a4668f37de roundup_sshkeys.py
--- a/roundup_sshkeys.py        Wed Sep 23 00:33:19 2020 +0200
+++ b/roundup_sshkeys.py        Sun Sep 27 12:18:21 2020 +0200
@@ -1,66 +1,50 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import optparse
-import os
-import shutil
-import subprocess
 
 import psycopg2
 
 from sql import Table, Null
 
-MERCURIAL_SERVER_KEYS = '/etc/mercurial-server/keys/'
-GROUPS = ['committers', 'translators', 'users']
+AUTHORIZED_KEY = (
+    'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,'
+    'command="cd repos && '
+    'LOGNAME=\'%(username)s\' /usr/bin/hg-ssh * */* */*/*" '
+    '%(key)s')
 
 
-def main(dsn):
+def main(dsn, output, include):
     with psycopg2.connect(dsn) as conn:
         cursor = conn.cursor()
         cursor.execute('SET TRANSACTION READ ONLY')
 
-        for group in GROUPS:
-            path = os.path.join(MERCURIAL_SERVER_KEYS, group)
-            if os.path.exists(path):
-                shutil.rmtree(path)
-
         user = Table('_user')
         cursor.execute(*user.select(
                 user._username,
-                user._iscommitter,
-                user._istranslator,
                 user._sshkeys,
-                where=user._sshkeys != Null))
+                where=(user._sshkeys != Null) & user._iscommitter))
 
-        for username, iscommitter, istranslator, sshkeys in cursor:
-            if iscommitter:
-                group = 'committers'
-            elif istranslator:
-                group = 'translators'
-            else:
-                group = 'users'
-            if not sshkeys:
-                continue
-            groupdir = os.path.join(MERCURIAL_SERVER_KEYS, group)
-            userdir = os.path.join(groupdir, username)
-            userdir = os.path.normpath(userdir)
-            if os.path.dirname(userdir) != groupdir:
-                # Attempt to write outside keys directory
-                continue
-            os.makedirs(userdir, 0o755)
-            for i, key in enumerate(sshkeys.splitlines()):
-                if not key.strip():
-                    pass
-                name = os.path.join(userdir, 'key%s' % i)
-                with open(name, 'w') as f:
-                    f.write(key)
+        with open(output, 'w') as f:
+            for username, sshkeys in cursor:
+                for key in sshkeys.splitlines():
+                    line = AUTHORIZED_KEY % {
+                        'username': username,
+                        'key': key,
+                        }
+                    f.write(line + '\n')
 
-    subprocess.call('doas -u hg /usr/share/mercurial-server/refresh-auth',
-        shell=True)
+            if include:
+                with open(include, 'r') as g:
+                    for line in g:
+                        f.write(line)
 
 
 if __name__ == '__main__':
     parser = optparse.OptionParser(version='0.1')
     parser.add_option('-d', dest='dsn', help='database source name')
+    parser.add_option('-o', dest='output', help="output authorized_keys file")
+    parser.add_option(
+        '-i', dest='include', help="include content in authorized_keys")
 
     opt, args = parser.parse_args()
 
-    main(opt.dsn)
+    main(opt.dsn, opt.output or '/dev/stdout', opt.include)
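Review bot: `username` is interpolated unescaped into the `command=` option of AUTHORIZED_KEY (the `LOGNAME='%(username)s'` part), so a roundup username containing `'`, `"`, `$`, a backtick or whitespace can close the quoting and change the forced command sshd runs for that key; the removed code's `os.path.dirname` check guarded the equivalent filesystem path, but nothing replaces it in the new loop. The query now limits rows to `_iscommitter`, which narrows the exposure, yet the value is still user-supplied data placed inside a command line, so restrict it to a safe character class (adjust the class to what roundup permits, never allowing quotes, `$`, backticks or whitespace) and skip the row otherwise, which needs an `import re` at the top. The removed `if not key.strip(): pass` never skipped anything and the new loop drops the check entirely, so a blank line in `_sshkeys` now emits an options-only line with no key, and a key line containing `"` could be pasted with its own options; strip each key, skip blanks and reject keys containing `"`. Writing straight to `output` also leaves a truncated authorized_keys file if the query or the write fails midway — writing to a temporary file in the same directory and finishing with `os.replace` would keep the previous file intact until the new one is complete.
```python
        with open(output, 'w') as f:
            for username, sshkeys in cursor:
                # username is embedded in the forced command: only a safe
                # character set may reach the authorized_keys line
                if not re.fullmatch(r'[A-Za-z0-9._-]+', username):
                    continue
                for key in sshkeys.splitlines():
                    key = key.strip()
                    # skip blank lines and keys that could carry their own options
                    if not key or '"' in key:
                        continue
                    line = AUTHORIZED_KEY % {
                        'username': username,
                        'key': key,
                        }
                    f.write(line + '\n')
            # … unchanged: include handling …
```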
