diff --git a/bin/bastion.py b/bin/bastion.py
index ec50cbb..7074482 100755
--- a/bin/bastion.py
+++ b/bin/bastion.py
@@ -5,6 +5,7 @@ import pathlib
 import logging
 import traceback
+import socket
 from ruamel.yaml import YAML
 from ruamel.yaml.scalarstring import PreservedScalarString
@@ -108,6 +109,13 @@ def configured(self):
 self.conf.load(folder / confile)
 return self
+ @property
+ def hostname(self):
+ if 'host.name' in self.conf:
+ return self.conf['host.name']
+ else:
+ return socket.getfqdn()
+
 def site(self, name):
 return Site(name).configured(self.conf)
@@ -209,7 +217,7 @@ def do_update_asset(self, comargs, comdex):
 site = self.site(ark.site)
 asset = site.asset(ark)
 vault = self.vault(asset.policy.vault)
- flag, stdout, stderr = vault.push(asset, detail = )
+ flag, stdout, stderr = vault.push(asset, detail = 'D', client = self.hostname)
 if flag:
 return SUCCESS(stdout, {'stdout': stdout})
 else:
@@ -224,7 +232,7 @@ def do_backup_asset(self, comargs, comdex):
 site = self.site(ark.site)
 asset = site.asset(ark)
 vault = self.vault(asset.policy.vault)
- flag, stdout, stderr = vault.push(asset)
+ flag, stdout, stderr = vault.push(asset, client = self.hostname)
 if flag:
 return SUCCESS(stdout, {'stdout': stdout})
 else:
@@ -268,6 +276,21 @@ def do_list_zone_assets(self, comargs, comdex):
 return self.do_export_zone_assets(comargs, comdex)
+ def do_refresh_keytab(self, comargs, comdex):
+ """
+ refresh keytab {vault}
+ * uses ssh+scp to regenerate the private keytab for the named vault.
+ """
+ vault = self.vault(comdex[2])
+ vault.refresh_keytab()
+ flag, stdout, stderr = vault.refresh_keytab()
+ if flag:
+ return SUCCESS(stdout, {'stdout': stdout, 'stderr': stderr})
+ else:
+ return FAILED(stdout, {'stdout': stdout, 'stderr': stderr})
+
+
 if __name__ == '__main__':
 app = App().configured()
diff --git a/lib/Bastion/HPSS.py b/lib/Bastion/HPSS.py
index dd6c3eb..94d58e2 100644
--- a/lib/Bastion/HPSS.py
+++ b/lib/Bastion/HPSS.py
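Review bot: The `hostname` property falls back to `socket.getfqdn()`, while `HPSS.__init__` in the same commit defaults `client` to `socket.gethostname()`, so the client identity a vault records depends on whether the caller went through `App.hostname` or the constructor default; the two should agree. `getfqdn()` also does a reverse-DNS lookup, so it can block on a slow resolver and its value can change with resolver configuration, which is worth a comment if that is intended. The `else:` after a `return` is redundant; if `self.conf` supports `get`, the whole body is `return self.conf.get('host.name', socket.getfqdn())` — confirm against the conf class, which is outside the hunk.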
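Review bot: `do_refresh_keytab` runs `vault.refresh_keytab()` twice — the bare call on its first statement discards the result and the assignment on the next line repeats the ssh round-trip; drop the first call and keep only `flag, stdout, stderr = vault.refresh_keytab()`. `comdex[2]` is indexed with no length check, so `refresh keytab` with no vault name raises `IndexError` instead of returning `FAILED(...)`; how the other handlers validate their arguments is outside the hunk. As the HPSS side of this commit stands, `refresh_keytab` returns nothing, so the three-way unpack here will also fail until that method is finished.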
@@ -333,6 +333,14 @@ def __init__(self, name, **kwargs):
 self._hsi = None
 self.client = kwargs.get('client', socket.gethostname())
+ self.keytab = Thing()
+ self.keytab.halo = pathlib.Path( kwargs.get('keytab', "~/.private/hpss.unix.keytab") ).expanduser()
+ self.keytab.regen = Thing()
+ self.keytab.regen.host = None
+ self.keytab.regen.user = getpass.getuser()
+ self.keytab.regen.key = pathlib.Path("~/.ssh/id_rsa")
+ self.keytab.regen.command = 'keytab'
+
 def configured(self, conf):
 confkey = "vaults.{}".format(self.name)
 if confkey in conf:
@@ -341,6 +349,12 @@ def configured(self, conf):
 self.login = section['login']
 if 'root' in section:
 self.root = pathlib.PurePosixPath( section['root'] )
+ if 'key' in section:
+ self.keytab.halo = section.get('key.path', self.keytab.halo)
+ self.keytab.regen.host = section.get('key.refresh.ssh.host', self.keytab.regen.host)
+ self.keytab.regen.user = section.get('key.refresh.ssh.user', self.keytab.regen.user)
+ self.keytab.regen.key = section.get('key.refresh.ssh.key', self.keytab.regen.key)
+ self.keytab.regen.command = section.get('key.refresh.ssh.command', self.keytab.regen.command)
 return self
 @property
@@ -466,5 +480,12 @@ def _provision_ark(self, ark):
 def _provision_site_zone_asset(self, site, zone, asset_name):
 return self._provision_ark( ARK(site, zone, asset_name) )
+ def refresh_keytab(self):
+ """
+ Use ssh+scp to regenerate the authenticating keytab file.
+ """
+ regencmd = "ssh {}@{} {}"
+ proc = subprocess.run(comargs, stdout = subprocess.PIPE, stderr = subprocess.STDOUT, check = False, env = exports)
+
 #hsi = HSI("/opt/hsi/bin/hsi", login = "ndenny")
diff --git a/lib/Bastion/Model.py b/lib/Bastion/Model.py
index 01147f9..6cd7bc2 100644
--- a/lib/Bastion/Model.py
+++ b/lib/Bastion/Model.py
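Review bot: `self.keytab.regen.key = pathlib.Path("~/.ssh/id_rsa")` in `__init__` is never passed through `.expanduser()`, unlike `keytab.halo` on the line above, so the default key path keeps a literal `~` that only survives if whatever consumes it expands it; write `pathlib.Path("~/.ssh/id_rsa").expanduser()`. The same defect recurs in the `configured` hunk, where `section.get('key.path', ...)` and `section.get('key.refresh.ssh.key', ...)` overwrite the `Path` defaults with raw, unexpanded config strings, so the attribute's type and expansion depend on whether the config set the key; wrap those two as `pathlib.Path(section.get('key.path', self.keytab.halo)).expanduser()`. `getpass` is used here but this diff does not add an import for it, and the import block of HPSS.py is outside SOURCE — confirm it is already imported. Whether `'key' in section` is true when only dotted keys such as `key.path` are set depends on the conf mapping, which is not visible; worth a test.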
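Review bot: `refresh_keytab` is not callable as committed: `comargs` and `exports` are never defined, so the first call raises `NameError`; `regencmd` is built and never used; and the method returns `None`, although `do_refresh_keytab` in bin/bastion.py unpacks a `(flag, stdout, stderr)` triple as it does for `push`. The docstring promises an scp step that fetches the regenerated keytab, but no such step exists, so the docstring should either be narrowed or the step marked as TODO. The rewrite below builds an argv list from `self.keytab.regen` (no shell, no string-formatted command), refuses to run when no refresh host is configured, and returns the same triple shape as `push`; whether `push` returns decoded text or bytes for stdout is outside SOURCE, so match whichever it uses.
```python
    def refresh_keytab(self):
        """
        Use ssh to regenerate the authenticating keytab file on the refresh host.

        Returns (flag, stdout, stderr) in the same shape as push(); flag is
        True when ssh exited with status 0.  The scp step that copies the
        regenerated keytab back to self.keytab.halo is not implemented yet.
        """
        regen = self.keytab.regen
        if regen.host is None:
            return (False, '', 'vault {}: key.refresh.ssh.host is not configured'.format(self.name))
        # argv list, never a shell string: user, host and command come straight from config
        comargs = ['ssh', '-i', str(pathlib.Path(regen.key).expanduser()),
                   '{}@{}'.format(regen.user, regen.host), str(regen.command)]
        proc = subprocess.run(comargs, stdout = subprocess.PIPE, stderr = subprocess.PIPE, check = False)
        stdout = proc.stdout.decode('utf-8', 'replace')
        stderr = proc.stderr.decode('utf-8', 'replace')
        # TODO: scp the regenerated keytab to self.keytab.halo (see docstring)
        return (proc.returncode == 0, stdout, stderr)
```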
@@ -29,6 +29,9 @@ def __new__(cls, *args):
 elif isinstance(arg, str):
 return ARK(CURIE(arg))
+ elif isinstance(arg, isAsset):
+ return ARK( RDN(arg.site), RDN(arg.zone), RDN(arg.asset) )
+
 if len(args) == 3:
 site, zone, asset = args
 s = RDN(site)
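Review bot: `isinstance(arg, isAsset)` only works if `isAsset` is a class or ABC; its `is` prefix reads like a predicate function, and `isinstance` with a function as the second argument raises `TypeError` at runtime — if it is a predicate, the branch should be `elif isAsset(arg):`, and its definition is outside the hunk, so confirm which it is. The new branch wraps each component in `RDN(...)` before calling `ARK(...)` with three arguments, but the three-argument path visible just below already does `s = RDN(site)` on its inputs, so the components are wrapped twice; unless `RDN` is idempotent, `return ARK(arg.site, arg.zone, arg.asset)` is the safer form. `__new__` begins before and continues after this hunk.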