radius: on se débarrasse du fils ssh

Et on a presque un truc qui marche.
Bon le trigger_generate, on va vite le virer parce que c'est moche tout de
même.
Daniel STAN 2014-03-01 20:17:31 +01:00
parent b372b52c76
commit d5bd1ec23e
3 changed files with 57 additions and 17 deletions


@ -19,14 +19,15 @@
# Voir des exemples plus complets ici:
# https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_python/
from lc_ldap.shortcuts import with_ldap_conn, lc_ldap_admin
import lc_ldap.shortcuts
from lc_ldap.crans_utils import escape as escape_ldap
import lc_ldap.crans_utils
from gestion.config.config import vlans
import lc_ldap.objets
import radiusd
import netaddr
from gestion.gen_confs.generate import trigger as trigger_generate
import traceback
from gestion.gen_confs.trigger import trigger_generate_cochon as trigger_generate
# Voilà, pour faire marcher le V6Only, il faut se retirer l'ipv4 de sa machine
# ou en enregistrer une nouvelle (sans ipv4) avec une autre mac. Moi j'ai la
@ -37,6 +38,15 @@ u'dc:9f:db:5c:c3:ea', # polynice-wlan0
u'00:26:c7:a6:9e:16', # cerveaulent
]
# TODO (à metre dans bcfg2)
#setfacl -m u:freerad:rx /etc/crans/
#setfacl -m u:freerad:rx /etc/crans/secrets
#setfacl -m u:freerad:r /etc/crans/secrets/dhcp.py
#setfacl -m u:freerad:r /etc/crans/secrets/secrets.py
#setfacl -m u:freerad:r /etc/crans/secrets/trigger-generate.pub
#setfacl -m m::r /etc/crans/secrets/trigger-generate
#setfacl -m u:freerad:r /etc/crans/secrets/trigger-generate
bl_reject = [u'bloq']
bl_isolement = [u'virus', u'autodisc_virus', u'autodisc_p2p', u'ipv6_ra']
# TODO carte_etudiant: dépend si sursis ou non (regarder lc_ldap)
@ -44,7 +54,10 @@ bl_isolement = [u'virus', u'autodisc_virus', u'autodisc_p2p', u'ipv6_ra']
bl_accueil = [u'carte_etudiant', u'chambre_invalide', u'paiement']
# Decorateur utilisé plus tard (same connection)
use_ldap = with_ldap_conn(retries=2, delay=5, constructor=lc_ldap_admin)
use_ldap_admin = lc_ldap.shortcuts.with_ldap_conn(retries=2, delay=5,
constructor=lc_ldap.shortcuts.lc_ldap_admin)
use_ldap = lc_ldap.shortcuts.with_ldap_conn(retries=2, delay=5,
constructor=lc_ldap.shortcuts.lc_ldap_anonymous)
@use_ldap
def get_machines(auth_data, conn):
@ -84,7 +97,7 @@ def get_machines(auth_data, conn):
]
for filter_s in search_strats:
res = conn.search(filter_s, mode='rw')
res = conn.search(filter_s)
if res:
break
@ -120,8 +133,9 @@ def get_prise(auth_data):
return bat_name + "%01d%02d" % (bat_num, port)
@use_ldap
@use_ldap_admin
def register_mac(auth_data, machine, conn):
machine = conn.search(unicode(machine.dn.split(',',1)[0]), mode='rw')[0]
for (key, value) in auth_data:
if key == 'Calling-Station-Id':
try:
@ -129,19 +143,25 @@ def register_mac(auth_data, machine, conn):
mac = lc_ldap.crans_utils.format_mac(value)
except:
radiusd.radlog(radiusd.L_ERR, 'Cannot format MAC !')
if mac is not None:
mac = unicode(mac.lower())
radiusd.radlog(radiusd.L_INFO, 'Registering mac %s' % mac)
machine['macAddress'] = mac
machine.history_add(u'auth.py', u'macAddress ( %s )' % mac)
machine.history_add(u'auth.py', u'macAddress (<automatique> -> %s)' % mac)
machine.save()
radiusd.radlog(radiusd.L_INFO, 'Mac set')
trigger_generate('komaz', background=True)
radiusd.radlog(radiusd.L_INFO, 'Triggering komaz')
trigger_generate('komaz')
radiusd.radlog(radiusd.L_INFO, 'done ! (triggered komaz)')
else:
radiusd.radlog(radiusd.L_ERR, 'Cannot find MAC')
@use_ldap_admin
@use_ldap
def instantiate(p, conn):
"""Utile pour initialiser la connexion ldap une première fois (otherwise,
def instantiate(p, *conns):
"""Utile pour initialiser les connexions ldap une première fois (otherwise,
do nothing)"""
pass
@ -249,7 +269,10 @@ def post_auth(auth_data, conn):
# return (0, "Hébergeur non à jour", "accueil")
#
#<!>
# Pour l'instant, on ne met pas d'infos de vlans dans la réponse
return radiusd.RLM_MODULE_OK
# This is dead code (for now)
return (radiusd.RLM_MODULE_UPDATED,
(
("Tunnel-Type", "VLAN"),
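Review bot: In register_mac the log line `'done ! (triggered komaz)'` is emitted unconditionally, yet trigger_generate is now bound by the import at the top of the file to trigger_generate_cochon, which backgrounds ssh under bash and discards its exit status, so nothing in this function can know whether komaz was actually triggered; `radiusd.radlog(radiusd.L_INFO, 'komaz generate dispatched in background (result not checked)')` would state what is true. The earlier `from gestion.gen_confs.generate import trigger as trigger_generate` line does not appear to be removed by the first hunk; if it survives it is shadowed by the later import and should be dropped. The history entry `u'macAddress (<automatique> -> %s)'` hard-codes the previous value, so the audit trail asserts an old value that was never read; if the current macAddress of the rw object can be read before the assignment, recording that instead would keep the history honest. register_mac's body starts before this hunk.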


@ -5,13 +5,17 @@ import auth
import sys
import time
if len(sys.argv) < 2 and False:
print "Give me a mac !"
sys.exit(1)
delattr(sys, 'argv')
#if len(sys.argv) < 2 and False:
# print "Give me a mac !"
# sys.exit(1)
# Machine à s'authentifier (cerveaulent)
#p=(('Calling-Station-Id', sys.argv[1]),)
auth.instantiate(())
p=(
('Calling-Station-Id', 'ba:27:eb:3c:54:d5'),
('User-Name', 'test18'),
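Review bot: `delattr(sys, 'argv')` removes the attribute for the whole interpreter, so any later code that reads sys.argv raises AttributeError instead of seeing an empty argument list, and the reason for doing this rather than `sys.argv = sys.argv[:1]` is not stated. A one-line comment above it naming the module that must not see a command line (presumably something imported through auth, but that is not visible here) would save the next reader from guessing. The commented-out argument check below it can simply be deleted now that the MAC is hard-coded in p.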


@ -3,16 +3,22 @@
import subprocess
def trigger_generate(host, background=False):
_options = ['PasswordAuthentication=no', 'ConnectTimeout=1', 'VerifyHostKeyDNS=yes',
'BatchMode=yes', 'ServerAliveInterval=5', 'ServerAliveCountMax=1']
_args = ["ssh", "-4", "-i", "/etc/crans/secrets/trigger-generate" ]
def build_args(host):
if not 'adm.crans.org' in host:
host=host + '.adm.crans.org'
options = ['PasswordAuthentication=no', 'ConnectTimeout=1', 'VerifyHostKeyDNS=yes',
'BatchMode=yes', 'ServerAliveInterval=5', 'ServerAliveCountMax=1']
args = ["ssh", "-4", "-i", "/etc/crans/secrets/trigger-generate" ]
for opt in options:
args = list(_args)
for opt in _options:
args.append('-o')
args.append(opt)
args.extend(["rpcssh@%s" % host, "generate"])
return args
def trigger_generate(host, background=False):
args = build_args(host)
if background:
subprocess.Popen(args)
else:
@ -22,3 +28,10 @@ def trigger_generate(host, background=False):
raise Exception(err)
return out
def trigger_generate_cochon(host):
"""Ceci est une fonction crade qui permet de se débarraser du process enfant
que l'on aurait laissé en arrière plan"""
args = build_args(host)
p = subprocess.Popen(['/bin/bash'],
stdin=subprocess.PIPE, )
p.communicate(' '.join(args) + ' &> /dev/null &')
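Review bot: In trigger_generate_cochon the ssh command line is handed to bash as one string built with `' '.join(args)`, so every element of args, in particular the host that build_args only suffixes, is subject to word splitting and shell metacharacter interpretation; the one caller in this commit passes the literal 'komaz', but the function accepts any host. Quoting each element keeps the no-child-to-reap behaviour while removing the shell parsing risk: `p.communicate(' '.join(pipes.quote(a) for a in args) + ' >/dev/null 2>&1 &')` with `import pipes` next to `import subprocess` (Python 2, as the `print` statement elsewhere in this commit indicates). The ssh exit status is also never observed, so a caller cannot distinguish a successful trigger from a host that rejected the key; the docstring should say that the result is deliberately unknown. In build_args, `if not 'adm.crans.org' in host` reads better as `if 'adm.crans.org' not in host`.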