#!/usr/bin/python3
#
# Service-account variant of ssh.py: these accounts do not use MFA, so every
# key emitted here carries a from="..." source-address restriction instead.
import os
import pwd
import sys
from auth_api_client import config
from auth_api_client.common import get_ssh_keys, load_config, log_error
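def _unsafe_in_option(value):
    """Return True if *value* must not be embedded in an authorized_keys line.

    Inside ``from="..."`` a ``"`` closes the quote and ``,`` starts a new
    option, so either could smuggle in something like ``command=``.  Any
    whitespace (notably a newline) ends the option list or the line itself,
    which would let a value append a second, unrestricted key line.
    Non-printable characters and empty/non-string values are rejected too.
    """
    if not isinstance(value, str) or not value:
        return True
    return any(c in '",' or c.isspace() or not c.isprintable() for c in value)


load_config()

# Invoked with the login name as the only argument (sshd passes %u when this
# is configured as AuthorizedKeysCommand); emits authorized_keys lines on stdout.
if len(sys.argv) < 2:
    log_error("No user specified")
    sys.exit(1)

try:
    user = pwd.getpwnam(sys.argv[1])
except KeyError:
    # Unknown local account: fail closed and do not echo the caller-supplied name.
    log_error("Invalid user specified")
    sys.exit(1)

# Source-address allow-list: a per-user entry wins over the global one; with
# neither configured only loopback is allowed, so a missing config fails closed.
if "service_account_restrict_users" in config.config and user.pw_name in config.config["service_account_restrict_users"]:
    ip_allowed = config.config["service_account_restrict_users"][user.pw_name]
elif "service_account_restrict" in config.config:
    ip_allowed = config.config["service_account_restrict"]
else:
    ip_allowed = ["127.0.0.0/8"]

# A bare string would otherwise be joined character by character below.
if isinstance(ip_allowed, str):
    ip_allowed = [ip_allowed]

# Never build the from= option from anything that could escape the quotes.
if not ip_allowed or any(_unsafe_in_option(entry) for entry in ip_allowed):
    log_error("Invalid service account IP restriction for %s" % user.pw_name)
    sys.exit(1)
ip_allowed_csv = ",".join(ip_allowed)

# Drop root privileges; the remaining work (key lookup, printing) needs none.
# gid and supplementary groups go first: after setuid() we could no longer
# change them.
try:
    pwentry = pwd.getpwnam(config.config["run_as"])
except KeyError:
    log_error("run_as account is missing from config or unknown")
    sys.exit(1)
os.setgid(pwentry.pw_gid)
os.setgroups([])
os.setuid(pwentry.pw_uid)

for key in get_ssh_keys(user.pw_name):
    key_type = key["type"]
    pub_key = key["pub_key"]
    if _unsafe_in_option(key_type) or _unsafe_in_option(pub_key):
        # Whitespace or a newline in a key could terminate the restricted line
        # and append an unrestricted one; refuse to emit it (key material is
        # deliberately not logged).
        log_error("Skipping malformed key for %s" % user.pw_name)
        continue
    print(f"from=\"{ip_allowed_csv}\" {key_type} {pub_key}")
sys.stdout.flush()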