#!/usr/bin/env python
"""
Ansible module to add or remove a public key line in a user's ssh authorized_keys file.
(c) 2012, Brad Olson <brado@movedbylight.com>
This file is part of Ansible
Ansible is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Ansible is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Ansible. If not, see <http://www.gnu.org/licenses/>.
"""
# Makes sure the public key line is present or absent in the user's .ssh/authorized_keys.
#
# Arguments
# =========
# user = username
# key = full public key line (key type, base64 key material, optional comment) to add to or remove from authorized_keys; it is matched as a whole line, exactly as written
# state = absent|present (default: present)
#
# see example in examples/playbooks
import errno
import os
import os.path
import pwd
import stat
import sys
import tempfile
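def keyfile(user, write=False):
    """
    Return the path of ``user``'s authorized_keys file, optionally creating it.

    With ``write=False`` only the path is computed and nothing on disk is
    touched.  With ``write=True`` a missing ``~/.ssh`` is created 0700 and a
    missing ``authorized_keys`` is created 0600, both owned by the user (the
    modes sshd expects).  Paths that already exist keep their current owner
    and mode.

    This module usually runs as root while the home directory is writable by
    the (possibly hostile) user, so a symlink planted as ``.ssh`` or
    ``authorized_keys`` must never be followed: such a link is refused, the
    file is created with O_CREAT|O_EXCL|O_NOFOLLOW, and ownership/mode are
    fixed through the open descriptor rather than by path.

    :param str user: login name looked up in the passwd database
    :param bool write: create ``~/.ssh`` and ``authorized_keys`` if missing
    :return: absolute path to the user's authorized_keys file
    :raises KeyError: if ``user`` has no passwd entry
    :raises OSError: if ``.ssh``/``authorized_keys`` is a symlink or otherwise
        not the expected directory/regular file, or if creation, chown or
        chmod fails
    """
    user_entry = pwd.getpwnam(user)
    sshdir = os.path.join(user_entry.pw_dir, ".ssh")
    keysfile = os.path.join(sshdir, "authorized_keys")

    if not write:
        return keysfile

    uid = user_entry.pw_uid
    gid = user_entry.pw_gid
    nofollow = getattr(os, "O_NOFOLLOW", 0)

    # chown()/chmod()/open() by path follow symlinks; in a user-controlled
    # directory that lets the user redirect a root-run module at any file.
    for path in (sshdir, keysfile):
        if os.path.islink(path):
            raise OSError("%s is a symlink; refusing to manage authorized_keys through it" % path)

    try:
        os.mkdir(sshdir, 0o700)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise
        # Something already occupies the path; accept only a real directory.
        if not stat.S_ISDIR(os.lstat(sshdir).st_mode):
            raise OSError("%s exists but is not a directory" % sshdir)
    else:
        # Freshly created: make it the user's and exactly 0700 (mkdir's mode
        # is subject to umask).  Work on a descriptor opened without following
        # links so a link swapped in after mkdir() cannot redirect the fix-up.
        dfd = os.open(sshdir, os.O_RDONLY | nofollow | getattr(os, "O_DIRECTORY", 0))
        try:
            os.fchown(dfd, uid, gid)
            os.fchmod(dfd, 0o700)
        finally:
            os.close(dfd)

    try:
        # O_CREAT|O_EXCL creates the file only if it is absent (and fails on a
        # symlink).  Passing 0600 at creation avoids the window in which a
        # file created with the umask default and chmod'ed afterwards is
        # readable by others.
        fd = os.open(keysfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL | nofollow, 0o600)
    except OSError as e:
        if e.errno != errno.EEXIST:
            raise
        # Already exists: leave its contents, owner and mode alone.
    else:
        try:
            os.fchown(fd, uid, gid)
            os.fchmod(fd, 0o600)  # umask may have stripped bits from the create mode
        finally:
            os.close(fd)

    return keysfile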
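def readkeys(filename):
    """
    Return the lines of ``filename`` with trailing whitespace removed.

    A path that is not a regular file (typically: no authorized_keys yet)
    yields an empty list so callers can treat it like an empty file.  Blank
    lines and comments are kept, because the same list is written back and
    nothing the user put in the file should be lost.

    :param str filename: path of the authorized_keys file to read
    :return: list of line strings without their line terminators
    """
    if not os.path.isfile(filename):
        return []
    # ``with`` closes the file even if reading raises.
    with open(filename) as f:
        return [line.rstrip() for line in f]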
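def writekeys(filename, keys):
    """
    Replace the contents of ``filename`` with ``keys``, one per line.

    The lines are written to a fresh temporary file next to ``filename`` and
    then renamed over it, so the file changes in one step: sshd, or a crash
    part-way through, can only ever see the complete old or the complete new
    file, never a truncated one that would lock the user out.  An existing
    file's owner, group and mode are carried over; a file created from
    scratch is 0600 and owned by the calling process.

    :param str filename: path of the authorized_keys file to write
    :param list keys: lines to write, without trailing newlines
    :raises OSError: if ``filename`` exists but is not a regular file (in
        particular a symlink, which must not be written through when running
        as root in a user-owned directory), or if the temporary file cannot
        be created, fixed up or renamed into place
    """
    try:
        st = os.lstat(filename)
    except OSError as e:
        if e.errno != errno.ENOENT:
            raise
        uid = gid = None
        mode = 0o600
    else:
        # lstat() does not follow links, so a planted symlink shows up as
        # S_ISLNK and is refused instead of being overwritten at its target.
        if not stat.S_ISREG(st.st_mode):
            raise OSError("%s is not a regular file; refusing to write authorized_keys through it" % filename)
        uid, gid = st.st_uid, st.st_gid
        mode = stat.S_IMODE(st.st_mode)

    directory = os.path.dirname(filename) or "."
    fd, tmpname = tempfile.mkstemp(prefix=".authorized_keys.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.writelines(key + "\n" for key in keys)
            f.flush()
            os.fsync(f.fileno())
            # Fix up through the descriptor we created: no path lookups that
            # a concurrent rename could redirect.
            if uid is not None:
                os.fchown(f.fileno(), uid, gid)
            os.fchmod(f.fileno(), mode)
        os.rename(tmpname, filename)
    except Exception:
        # Leave no half-written temp file behind, then report the error.
        try:
            os.unlink(tmpname)
        except OSError:
            pass
        raise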
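def enforce_state(module, params):
    """
    Ensure ``params["key"]`` is present in (or absent from) the user's
    authorized_keys, exiting early through ``module.exit_json`` when nothing
    has to change.

    Keys are compared as whole lines exactly as they appear in the file
    (type, key material and comment), so the same key with a different
    comment counts as a different line.

    :param module: the AnsibleModule instance, used for exit_json/fail_json
    :param dict params: module arguments ``user``, ``key`` and optionally
        ``state`` (``present`` when missing)
    :return: ``params`` with ``keyfile`` (the path written) and
        ``changed=True`` added, for the caller to pass to ``exit_json``
    """
    user = params["user"]
    # Lines read back from the file are rstripped (see readkeys), so strip
    # the incoming key the same way; otherwise a key with a trailing
    # newline or space never matches and is appended again on every run.
    key = params["key"].rstrip()
    state = params.get("state", "present")

    # A key spanning several lines would be written as several
    # authorized_keys entries, none of which matches ``key`` afterwards, so
    # state=absent could never remove them again.  Refuse it up front.
    if not key or "\n" in key or "\r" in key:
        module.fail_json(msg="key must be a single non-empty authorized_keys line")

    # Inspect only: do not create ~/.ssh or the file just to look at it.
    params["keyfile"] = keyfile(user, write=False)
    keys = readkeys(params["keyfile"])
    present = key in keys

    if state == "present":
        if present:
            module.exit_json(changed=False)
        keys.append(key)
    elif state == "absent":
        if not present:
            module.exit_json(changed=False)
        # Drop every copy, not just the first: earlier runs may have left
        # duplicates behind.
        keys = [k for k in keys if k != key]
    else:
        module.fail_json(msg="state must be 'present' or 'absent', got %r" % state)

    # Only now create the directory/file if needed, then write atomically.
    writekeys(keyfile(user, write=True), keys)

    params["changed"] = True
    return params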
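def main():
    """
    Module entry point: parse the arguments, enforce the requested key state
    and report the outcome as JSON via ``exit_json``.

    ``state`` is restricted to ``present``/``absent`` here; ``user`` and
    ``key`` are mandatory.
    """
    module = AnsibleModule(
        argument_spec=dict(
            user=dict(required=True),
            key=dict(required=True),
            state=dict(default='present', choices=['absent', 'present']),
        )
    )
    results = enforce_state(module, module.params)
    module.exit_json(**results)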
# this is magic, see lib/ansible/module_common.py
# Ansible substitutes the marker line below textually before shipping this
# file to the target host; presumably that is what brings AnsibleModule into
# scope, since nothing in this file defines or imports it.  The marker must
# stay exactly as written.
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
main()