confluent/misc/sshca.py

#!/usr/bin/python

import confluent.collective.manager as collective
import eventlet.green.subprocess as subprocess
import glob
import os

def normalize_uid():
    curruid = os.getuid()
    neededuid = os.stat('/etc/confluent').st_uid
    if curruid != neededuid:
        os.setuid(neededuid)    
    if os.getuid() != neededuid:
        raise Exception('Need to run as root or owner of /etc/confluent')

def initialize_ca():
    normalize_uid()
    try:
        os.makedirs('/etc/confluent/ssh', mode=0o700)
    except OSError as e:
        if e.errno != 17:
            raise
    caname = '{0} SSH CA'.format(collective.get_myname())
    subprocess.check_call(['ssh-keygen', '-C', caname, '-t', 'ed25519', '-f', '/etc/confluent/ssh/ca', '-N', ''])
    try:
        os.makedirs('/var/lib/confluent/ssh', mode=0o755)
    except OSError as e:
        if e.errno != 17:
            raise
    currknownhosts = []
    try:
        with open('/var/lib/confluent/ssh/ssh_known_hosts', 'r') as skh:
            for ent in skh:
                descr = ent.split(' ', 4)[-1].strip()
                if descr != caname:
                    currknownhosts.append(ent)
    except OSError as e:
        if e.errno != 2:
            raise
    with open('/etc/confluent/ssh/ca.pub', 'r') as capub:
        newent = '@cert-authority * ' + capub.read()
        currknownhosts.append(newent)
    with open('/var/lib/confluent/ssh/ssh_known_hosts', 'w') as skh:
        for ckh in currknownhosts:
            skh.write(ckh)

def initialize_root_key():
    authorized = []
    for currkey in glob.glob('/root/.ssh/*.pub'):
        authorized.append(open(currkey).read())
    if not authorized:
        subprocess.check_call(['ssh-keygen', '-t', 'ed25519', '-f', '/root/.ssh/id_ed25519', '-N', ''])
        for currkey in glob.glob('/root/.ssh/*.pub'):
            authorized.append(open(currkey).read())
    try:
        os.makedirs('/var/lib/confluent/ssh', mode=0o755)
        neededuid = os.stat('/etc/confluent').st_uid
        os.chown('/var/lib/confluent/ssh', neededuid, -1)
    except OSError as e:
        if e.errno != 17:
            raise
    for auth in authorized:
        if 'PRIVATE' in auth:
            continue
        currcomment = auth.split(' ', 2)[-1].strip()
        curralgo = auth.split(' ', 1)[0]
        authed = []
        try:
            with open('/var/lib/confluent/ssh/authorized_keys', 'r') as ak:
                for keyline in ak:
                    comment = keyline.split(' ', 2)[-1].strip()
                    algo = keyline.split(' ', 1)[0]
                    if currcomment != comment or algo != curralgo:
                        authed.append(keyline)
        except OSError as e:
            if e.errno != 2:
                raise
        authed.append(auth)
        with open('/var/lib/confluent/ssh/authorized_keys', 'w') as ak:
            for auth in authed:
                ak.write(auth)
        

def ca_exists():
    return os.path.exists('/etc/confluent/ssh/ca')


if __name__ == '__main__':
    initialize_root_key()
    if not ca_exists():
        initialize_ca()
Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00			`#!/usr/bin/python`

			`import confluent.collective.manager as collective`
			`import eventlet.green.subprocess as subprocess`
Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`import glob`
Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00			`import os`

Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`def normalize_uid():`
			`curruid = os.getuid()`
			`neededuid = os.stat('/etc/confluent').st_uid`
			`if curruid != neededuid:`
			`os.setuid(neededuid)`
			`if os.getuid() != neededuid:`
			`raise Exception('Need to run as root or owner of /etc/confluent')`

Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00			`def initialize_ca():`
Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`normalize_uid()`
Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00			`try:`
Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`os.makedirs('/etc/confluent/ssh', mode=0o700)`
Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00			`except OSError as e:`
			`if e.errno != 17:`
			`raise`
			`caname = '{0} SSH CA'.format(collective.get_myname())`
Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`subprocess.check_call(['ssh-keygen', '-C', caname, '-t', 'ed25519', '-f', '/etc/confluent/ssh/ca', '-N', ''])`
			`try:`
			`os.makedirs('/var/lib/confluent/ssh', mode=0o755)`
			`except OSError as e:`
			`if e.errno != 17:`
			`raise`
			`currknownhosts = []`
			`try:`
			`with open('/var/lib/confluent/ssh/ssh_known_hosts', 'r') as skh:`
			`for ent in skh:`
			`descr = ent.split(' ', 4)[-1].strip()`
			`if descr != caname:`
			`currknownhosts.append(ent)`
			`except OSError as e:`
			`if e.errno != 2:`
			`raise`
			`with open('/etc/confluent/ssh/ca.pub', 'r') as capub:`
			`newent = '@cert-authority * ' + capub.read()`
			`currknownhosts.append(newent)`
			`with open('/var/lib/confluent/ssh/ssh_known_hosts', 'w') as skh:`
			`for ckh in currknownhosts:`
			`skh.write(ckh)`
Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00
Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`def initialize_root_key():`
			`authorized = []`
			`for currkey in glob.glob('/root/.ssh/*.pub'):`
			`authorized.append(open(currkey).read())`
			`if not authorized:`
			`subprocess.check_call(['ssh-keygen', '-t', 'ed25519', '-f', '/root/.ssh/id_ed25519', '-N', ''])`
			`for currkey in glob.glob('/root/.ssh/*.pub'):`
			`authorized.append(open(currkey).read())`
			`try:`
			`os.makedirs('/var/lib/confluent/ssh', mode=0o755)`
			`neededuid = os.stat('/etc/confluent').st_uid`
			`os.chown('/var/lib/confluent/ssh', neededuid, -1)`
			`except OSError as e:`
			`if e.errno != 17:`
			`raise`
			`for auth in authorized:`
			`if 'PRIVATE' in auth:`
			`continue`
			`currcomment = auth.split(' ', 2)[-1].strip()`
			`curralgo = auth.split(' ', 1)[0]`
			`authed = []`
			`try:`
			`with open('/var/lib/confluent/ssh/authorized_keys', 'r') as ak:`
			`for keyline in ak:`
			`comment = keyline.split(' ', 2)[-1].strip()`
			`algo = keyline.split(' ', 1)[0]`
			`if currcomment != comment or algo != curralgo:`
			`authed.append(keyline)`
			`except OSError as e:`
			`if e.errno != 2:`
			`raise`
			`authed.append(auth)`
			`with open('/var/lib/confluent/ssh/authorized_keys', 'w') as ak:`
			`for auth in authed:`
			`ak.write(auth)`

Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00
			`def ca_exists():`
			`return os.path.exists('/etc/confluent/ssh/ca')`


			`if __name__ == '__main__':`
Flesh out the SSH code more Notably add user key management and start poking things in /var/lib/confluent 2020-03-06 16:17:53 -05:00			`initialize_root_key()`
Add a sample for doing SSH CA This will explore the concept for the backend of the get certificate api. 2020-03-06 13:43:54 -05:00			`if not ca_exists():`
			`initialize_ca()`