File: keyhelper.py

pagure 5.11.3%2Bdfsg-1
#!/usr/bin/python3
# -*- coding: utf-8 -*-

"""
 (c) 2014-2018 - Copyright Red Hat Inc

 Authors:
   Patrick Uiterwijk <puiterwijk@redhat.com>

"""

from __future__ import unicode_literals, print_function, absolute_import

import sys
import os

import requests

# sshd starts this helper itself, so nobody gets the chance to export
# PAGURE_CONFIG beforehand. Fall back to the system-wide configuration file
# when the variable is unset and that file is present.
_DEFAULT_CONFIG = "/etc/pagure/pagure.cfg"
_config_preset = "PAGURE_CONFIG" in os.environ
if not _config_preset and os.path.exists(_DEFAULT_CONFIG):
    os.environ["PAGURE_CONFIG"] = _DEFAULT_CONFIG

# Here starts the code
from pagure.config import config as pagure_config


# sshd is expected to run this helper as its AuthorizedKeysCommand:
#   AuthorizedKeysCommand <scriptpath> "%u" "%h" "%t" "%f"
# which gives argv = <us> <username> <homedir> <keytype> <fingerprint>.
# The home directory and key type are unpacked but not consulted anywhere
# in this script; installations are asked to pass them anyway so that their
# sshd setup keeps working should a later version start using them. The
# fingerprint is the search key of the lookup request further down.
try:
    username, userhome, keytype, fingerprint = sys.argv[1:5]
except ValueError:
    # Fewer than four arguments followed the script path.
    print("Invalid call, too few arguments", file=sys.stderr)
    sys.exit(1)

username_lookup = pagure_config["SSH_KEYS_USERNAME_LOOKUP"]
expect_username = pagure_config["SSH_KEYS_USERNAME_EXPECT"]

# Accounts on the forbidden list are never served by this helper.
forbidden_users = pagure_config["SSH_KEYS_USERNAME_FORBIDDEN"]
if username in forbidden_users:
    print("User is forbidden for keyhelper.", file=sys.stderr)
    sys.exit(1)

# With per-user lookup disabled, exactly one login name is served and it
# has to be configured.
if not username_lookup and not expect_username:
    print("Pagure keyhelper configured incorrectly", file=sys.stderr)
    sys.exit(1)

if not username_lookup and username != expect_username:
    # Not the git user: exit successfully without printing any key.
    sys.exit(0)


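# Ask the Pagure web application for the key matching the fingerprint that
# sshd handed over, and print it as one authorized_keys entry on stdout.
pagure_url = pagure_config["APP_URL"].rstrip("/")
url = "%s/pv/ssh/lookupkey/" % pagure_url
data = {"search_key": fingerprint}
if username_lookup:
    data["username"] = username
headers = {}
if pagure_config.get("SSH_ADMIN_TOKEN"):
    # NOTE(review): the admin token is sent to APP_URL in this header, so
    # APP_URL should be an https:// URL -- confirm for the deployment.
    headers["Authorization"] = "token %s" % pagure_config["SSH_ADMIN_TOKEN"]

# sshd waits for this helper during authentication, so the request must not
# be allowed to hang forever. The value is in seconds and applies to both
# the connect and the read phase.
LOOKUP_TIMEOUT = 30
try:
    resp = requests.post(
        url, data=data, headers=headers, timeout=LOOKUP_TIMEOUT
    )
except requests.exceptions.RequestException as err:
    # Connection failure, TLS failure or timeout: fail closed, no key.
    print("Error during lookup request: %s" % err, file=sys.stderr)
    sys.exit(1)
if resp.status_code != 200:
    print(
        "Error during lookup request: status: %s" % resp.status_code,
        file=sys.stderr,
    )
    sys.exit(1)

try:
    result = resp.json()
except ValueError:
    print("Error during lookup request: invalid JSON", file=sys.stderr)
    sys.exit(1)
if not isinstance(result, dict) or "found" not in result:
    print("Error during lookup request: unexpected reply", file=sys.stderr)
    sys.exit(1)

if not result["found"]:
    # Everything OK, key just didn't exist.
    sys.exit(0)

# SSH_KEYS_OPTIONS is a %-template filled in from the lookup reply; the
# result becomes the options prefix of the authorized_keys entry.
key_line = "%s %s" % (
    pagure_config["SSH_KEYS_OPTIONS"] % result,
    result["public_key"],
)
key_line = key_line.rstrip("\r\n")
# sshd reads every output line as a separate authorized_keys entry. A line
# break inside an interpolated value would therefore yield an entry that
# does not carry the configured options, so refuse to print such output.
if "\n" in key_line or "\r" in key_line:
    print("Lookup returned a multi-line key entry", file=sys.stderr)
    sys.exit(1)
print(key_line)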