Ajout de la possibilité de trigger le déclenchement de generate par ssh depuis le réseau adm par le groupe adm

Bundler/rpcssh.xml

@@ -0,0 +1,6 @@
+<Bundle name="rpcssh">
+<!--  <POSIXUser name="rpcssh" />-->
+  <Path type="directory" name="/var/local/rpcssh/.ssh"/>
+  <Python name="/var/local/rpcssh/.ssh/authorized_keys"/>
+  <Action name="rpcssh-user"/>
+</Bundle>

Bundler/secrets.xml

@@ -11,6 +11,8 @@
      <Python name="/etc/crans/secrets/slon.py"/>
      <Python name="/etc/crans/secrets/nols.py"/>
      <Python name="/etc/crans/secrets/dhcp.py"/>
+     <Python name="/etc/crans/secrets/trigger-generate"/>
+     <Python name="/etc/crans/secrets/trigger-generate.pub"/>
      <Python name="/etc/crans/secrets/README"/>
      <!-- Il faut penser au setfacl sur le serveur de l'intranet2 (o2) -->
      <Group name="secrets-acl">

Metadata/groups.xml

@@ -1041,6 +1041,11 @@
 
   <Group name="generate">
     <Bundle name="generate"/>
+    <Group name="rpcssh"/>
+  </Group>
+
+  <Group name="rpcssh">
+    <Bundle name="rpcssh"/>
   </Group>
 
   <Group name="wifi-auth" > <!-- Service d'authentification wifi -->

Python/etc/crans/secrets/trigger-generate

@@ -0,0 +1,4 @@
+info["perms"] = 0440
+info["owner"] = "root"
+info["group"] = "adm"
+print file("/etc/crans/secrets/trigger-generate").read()

Python/etc/crans/secrets/trigger-generate.pub

@@ -0,0 +1,4 @@
+info["perms"] = 0444
+info["owner"] = "root"
+info["group"] = "adm"
+print file("/etc/crans/secrets/trigger-generate.pub").read()

Python/etc/sudoers

@@ -90,6 +90,8 @@ if has("users"):
 monit_path = '/usr/%sbin/monit' % ('' if has('wheezy') else 's')
 print "%%respbats   ALL=(ALL) NOPASSWD: %s summary, %s status" % (monit_path, monit_path)
 
+if has('generate'):
+    print "rpcssh ALL=(ALL) NOPASSWD: /usr/scripts/gestion/gen_confs/generate.py"
 if has('arpwatch'):
     @# arpwatch
     print "arpwatch   ALL=(arpwatch%s) NOPASSWD:/usr/scripts/surveillance/arpwatch_sendmail.py" % (addit)

Python/var/local/rpcssh/.ssh/authorized_keys

@@ -0,0 +1,12 @@
+# -*- mode: python; encoding: utf-8 -*-
+
+info["owner"] = "rpcssh"
+info["group"] = "users"
+info["perms"] = 0644
+
+comment_start = "#"
+
+header("Clef pour lancer des commandes en temps réel sur les serveurs")
+
+if has("generate"):
+    print 'command="sudo /usr/scripts/gestion/gen_confs/generate.py",from="10.231.136.0/24,2a01:240:fe3d:c804::/64",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding %s' % open('/etc/crans/secrets/trigger-generate.pub').read()

Rules/rpcssh.xml

@@ -0,0 +1,13 @@
+<Rules priority="1">
+  <Group name="rpcssh">
+    <Path name="/var/local/rpcssh/.ssh" type="directory" owner="rpcssh" group="users" perms="0700"/>
+   <!-- Uniquement à partir de la version 1.3 -->
+    <POSIXUser name="rpcssh" home="/var/local/rpcssh" shell="/bin/bash"
+           gecos="rpcssh" uid="666" group="users">
+      <!--<MemberOf group="lp"/>-->
+    </POSIXUser>
+<!-- action useradd -b /var/local/ -m -s /bin/bash -g users -r -u 666 rpcssh ? -->
+    <Action name="rpcssh-user" timing="post" when="modified" status="check"
+      command="useradd -b /var/local/ -m -s /bin/bash -g users -r -u 666 rpcssh"/>
+  </Group>
+</Rules>