2021-11-11 18:31:28 +00:00
|
|
|
#!/usr/bin/env python3
|
2021-11-16 16:14:01 +00:00
|
|
|
"""SSH management module"""
|
|
|
|
from flask_restful import Resource, reqparse
|
2021-11-11 18:31:28 +00:00
|
|
|
|
|
|
|
from selfprivacy_api.resources.services import api
|
2021-11-23 18:32:51 +00:00
|
|
|
from selfprivacy_api.utils import WriteUserData, ReadUserData, validate_ssh_public_key
|
2021-11-11 18:31:28 +00:00
|
|
|
|
2021-11-16 16:14:01 +00:00
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
class EnableSSH(Resource):
|
2021-11-16 16:14:01 +00:00
|
|
|
"""Enable SSH"""
|
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
def post(self):
|
2021-11-16 16:14:01 +00:00
|
|
|
"""
|
|
|
|
Enable SSH
|
|
|
|
---
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
responses:
|
|
|
|
200:
|
|
|
|
description: SSH enabled
|
|
|
|
401:
|
|
|
|
description: Unauthorized
|
|
|
|
"""
|
2021-11-22 16:50:50 +00:00
|
|
|
with WriteUserData() as data:
|
|
|
|
if "ssh" not in data:
|
|
|
|
data["ssh"] = {}
|
|
|
|
data["ssh"]["enable"] = True
|
2021-11-11 18:31:28 +00:00
|
|
|
|
|
|
|
return {
|
|
|
|
"status": 0,
|
|
|
|
"message": "SSH enabled",
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-11-22 16:50:50 +00:00
|
|
|
class SSHSettings(Resource):
|
|
|
|
"""Enable/disable SSH"""
|
|
|
|
|
|
|
|
def get(self):
|
|
|
|
"""
|
|
|
|
Get current SSH settings
|
|
|
|
---
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
responses:
|
|
|
|
200:
|
|
|
|
description: SSH settings
|
|
|
|
400:
|
|
|
|
description: Bad request
|
|
|
|
"""
|
|
|
|
with ReadUserData() as data:
|
|
|
|
if "ssh" not in data:
|
|
|
|
return {"enable": True, "passwordAuthentication": True}
|
|
|
|
if "enable" not in data["ssh"]:
|
|
|
|
data["ssh"]["enable"] = True
|
|
|
|
if "passwordAuthentication" not in data["ssh"]:
|
|
|
|
data["ssh"]["passwordAuthentication"] = True
|
|
|
|
return {
|
|
|
|
"enable": data["ssh"]["enable"],
|
|
|
|
"passwordAuthentication": data["ssh"]["passwordAuthentication"],
|
|
|
|
}
|
|
|
|
|
|
|
|
def put(self):
|
|
|
|
"""
|
|
|
|
Change SSH settings
|
|
|
|
---
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
parameters:
|
|
|
|
- name: sshSettings
|
|
|
|
in: body
|
|
|
|
required: true
|
|
|
|
description: SSH settings
|
|
|
|
schema:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- enable
|
|
|
|
- passwordAuthentication
|
|
|
|
properties:
|
|
|
|
enable:
|
|
|
|
type: boolean
|
|
|
|
passwordAuthentication:
|
|
|
|
type: boolean
|
|
|
|
responses:
|
|
|
|
200:
|
|
|
|
description: New settings saved
|
|
|
|
400:
|
|
|
|
description: Bad request
|
|
|
|
"""
|
|
|
|
parser = reqparse.RequestParser()
|
|
|
|
parser.add_argument("enable", type=bool, required=False)
|
|
|
|
parser.add_argument("passwordAuthentication", type=bool, required=False)
|
|
|
|
args = parser.parse_args()
|
|
|
|
enable = args["enable"]
|
|
|
|
password_authentication = args["passwordAuthentication"]
|
|
|
|
|
|
|
|
with WriteUserData() as data:
|
|
|
|
if "ssh" not in data:
|
|
|
|
data["ssh"] = {}
|
|
|
|
if enable is not None:
|
|
|
|
data["ssh"]["enable"] = enable
|
|
|
|
if password_authentication is not None:
|
|
|
|
data["ssh"]["passwordAuthentication"] = password_authentication
|
|
|
|
|
|
|
|
return "SSH settings changed"
|
|
|
|
|
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
class WriteSSHKey(Resource):
|
2021-11-16 16:14:01 +00:00
|
|
|
"""Write new SSH key"""
|
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
def put(self):
|
2021-11-16 16:14:01 +00:00
|
|
|
"""
|
|
|
|
Add a SSH root key
|
|
|
|
---
|
|
|
|
consumes:
|
|
|
|
- application/json
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
parameters:
|
|
|
|
- in: body
|
|
|
|
name: body
|
|
|
|
required: true
|
|
|
|
description: Public key to add
|
|
|
|
schema:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- public_key
|
|
|
|
properties:
|
|
|
|
public_key:
|
|
|
|
type: string
|
|
|
|
description: ssh-ed25519 public key.
|
|
|
|
responses:
|
|
|
|
201:
|
|
|
|
description: Key added
|
|
|
|
400:
|
|
|
|
description: Bad request
|
|
|
|
401:
|
|
|
|
description: Unauthorized
|
|
|
|
409:
|
|
|
|
description: Key already exists
|
|
|
|
"""
|
2021-11-11 18:45:57 +00:00
|
|
|
parser = reqparse.RequestParser()
|
|
|
|
parser.add_argument(
|
|
|
|
"public_key", type=str, required=True, help="Key cannot be blank!"
|
|
|
|
)
|
|
|
|
args = parser.parse_args()
|
2021-11-11 18:31:28 +00:00
|
|
|
|
2021-11-16 16:14:01 +00:00
|
|
|
public_key = args["public_key"]
|
2021-11-11 18:31:28 +00:00
|
|
|
|
2021-11-23 18:32:51 +00:00
|
|
|
if not validate_ssh_public_key(public_key):
|
|
|
|
return {
|
|
|
|
"error": "Invalid key type. Only ssh-ed25519 and ssh-rsa are supported.",
|
|
|
|
}, 400
|
2021-11-22 16:50:50 +00:00
|
|
|
|
|
|
|
with WriteUserData() as data:
|
|
|
|
if "ssh" not in data:
|
|
|
|
data["ssh"] = {}
|
|
|
|
if "rootKeys" not in data["ssh"]:
|
|
|
|
data["ssh"]["rootKeys"] = []
|
|
|
|
# Return 409 if key already in array
|
|
|
|
for key in data["ssh"]["rootKeys"]:
|
|
|
|
if key == public_key:
|
|
|
|
return {
|
|
|
|
"error": "Key already exists",
|
|
|
|
}, 409
|
|
|
|
data["ssh"]["rootKeys"].append(public_key)
|
|
|
|
|
|
|
|
return {
|
|
|
|
"status": 0,
|
|
|
|
"message": "New SSH key successfully written",
|
|
|
|
}, 201
|
|
|
|
|
|
|
|
|
|
|
|
class SSHKeys(Resource):
|
|
|
|
"""List SSH keys"""
|
|
|
|
|
|
|
|
def get(self, username):
|
|
|
|
"""
|
|
|
|
List SSH keys
|
|
|
|
---
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
parameters:
|
|
|
|
- in: path
|
|
|
|
name: username
|
|
|
|
type: string
|
|
|
|
required: true
|
|
|
|
description: User to list keys for
|
|
|
|
responses:
|
|
|
|
200:
|
|
|
|
description: SSH keys
|
|
|
|
401:
|
|
|
|
description: Unauthorized
|
|
|
|
"""
|
|
|
|
with ReadUserData() as data:
|
|
|
|
if username == "root":
|
|
|
|
if "ssh" not in data:
|
|
|
|
data["ssh"] = {}
|
|
|
|
if "rootKeys" not in data["ssh"]:
|
|
|
|
data["ssh"]["rootKeys"] = []
|
|
|
|
return data["ssh"]["rootKeys"]
|
|
|
|
if username == data["username"]:
|
|
|
|
if "sshKeys" not in data:
|
|
|
|
data["sshKeys"] = []
|
|
|
|
return data["sshKeys"]
|
2022-02-16 13:03:38 +00:00
|
|
|
if "users" not in data:
|
|
|
|
data["users"] = []
|
|
|
|
for user in data["users"]:
|
|
|
|
if user["username"] == username:
|
|
|
|
if "sshKeys" not in user:
|
|
|
|
user["sshKeys"] = []
|
|
|
|
return user["sshKeys"]
|
|
|
|
return {
|
|
|
|
"error": "User not found",
|
|
|
|
}, 404
|
2021-11-22 16:50:50 +00:00
|
|
|
|
|
|
|
def post(self, username):
|
|
|
|
"""
|
|
|
|
Add SSH key to the user
|
|
|
|
---
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
parameters:
|
|
|
|
- in: body
|
|
|
|
required: true
|
|
|
|
name: public_key
|
|
|
|
schema:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- public_key
|
|
|
|
properties:
|
|
|
|
public_key:
|
|
|
|
type: string
|
|
|
|
- in: path
|
|
|
|
name: username
|
|
|
|
type: string
|
|
|
|
required: true
|
|
|
|
description: User to add keys for
|
|
|
|
responses:
|
|
|
|
201:
|
|
|
|
description: SSH key added
|
|
|
|
401:
|
|
|
|
description: Unauthorized
|
|
|
|
404:
|
|
|
|
description: User not found
|
|
|
|
409:
|
|
|
|
description: Key already exists
|
|
|
|
"""
|
|
|
|
parser = reqparse.RequestParser()
|
|
|
|
parser.add_argument(
|
|
|
|
"public_key", type=str, required=True, help="Key cannot be blank!"
|
|
|
|
)
|
|
|
|
args = parser.parse_args()
|
|
|
|
|
|
|
|
if username == "root":
|
|
|
|
return {
|
|
|
|
"error": "Use /ssh/key/send to add root keys",
|
|
|
|
}, 400
|
|
|
|
|
2021-11-23 18:32:51 +00:00
|
|
|
if not validate_ssh_public_key(args["public_key"]):
|
|
|
|
return {
|
|
|
|
"error": "Invalid key type. Only ssh-ed25519 and ssh-rsa are supported.",
|
|
|
|
}, 400
|
2021-11-22 16:50:50 +00:00
|
|
|
|
|
|
|
with WriteUserData() as data:
|
|
|
|
if username == data["username"]:
|
|
|
|
if "sshKeys" not in data:
|
|
|
|
data["sshKeys"] = []
|
2021-11-29 19:16:08 +00:00
|
|
|
# Return 409 if key already in array
|
|
|
|
for key in data["sshKeys"]:
|
|
|
|
if key == args["public_key"]:
|
|
|
|
return {
|
|
|
|
"error": "Key already exists",
|
|
|
|
}, 409
|
2021-11-22 16:50:50 +00:00
|
|
|
data["sshKeys"].append(args["public_key"])
|
|
|
|
return {
|
|
|
|
"message": "New SSH key successfully written",
|
|
|
|
}, 201
|
|
|
|
|
|
|
|
if "users" not in data:
|
|
|
|
data["users"] = []
|
|
|
|
for user in data["users"]:
|
|
|
|
if user["username"] == username:
|
|
|
|
if "sshKeys" not in user:
|
|
|
|
user["sshKeys"] = []
|
|
|
|
# Return 409 if key already in array
|
|
|
|
for key in user["sshKeys"]:
|
|
|
|
if key == args["public_key"]:
|
|
|
|
return {
|
|
|
|
"error": "Key already exists",
|
|
|
|
}, 409
|
|
|
|
user["sshKeys"].append(args["public_key"])
|
|
|
|
return {
|
|
|
|
"message": "New SSH key successfully written",
|
|
|
|
}, 201
|
|
|
|
return {
|
|
|
|
"error": "User not found",
|
|
|
|
}, 404
|
|
|
|
|
|
|
|
def delete(self, username):
|
|
|
|
"""
|
|
|
|
Delete SSH key
|
|
|
|
---
|
|
|
|
tags:
|
|
|
|
- SSH
|
|
|
|
security:
|
|
|
|
- bearerAuth: []
|
|
|
|
parameters:
|
|
|
|
- in: body
|
|
|
|
name: public_key
|
|
|
|
required: true
|
|
|
|
description: Key to delete
|
|
|
|
schema:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- public_key
|
|
|
|
properties:
|
|
|
|
public_key:
|
|
|
|
type: string
|
|
|
|
- in: path
|
|
|
|
name: username
|
|
|
|
type: string
|
|
|
|
required: true
|
|
|
|
description: User to delete keys for
|
|
|
|
responses:
|
|
|
|
200:
|
|
|
|
description: SSH key deleted
|
|
|
|
401:
|
|
|
|
description: Unauthorized
|
|
|
|
404:
|
|
|
|
description: Key not found
|
|
|
|
"""
|
|
|
|
parser = reqparse.RequestParser()
|
|
|
|
parser.add_argument(
|
|
|
|
"public_key", type=str, required=True, help="Key cannot be blank!"
|
|
|
|
)
|
|
|
|
args = parser.parse_args()
|
|
|
|
|
|
|
|
with WriteUserData() as data:
|
|
|
|
if username == "root":
|
2021-11-15 13:49:06 +00:00
|
|
|
if "ssh" not in data:
|
|
|
|
data["ssh"] = {}
|
2021-11-18 18:54:45 +00:00
|
|
|
if "rootKeys" not in data["ssh"]:
|
|
|
|
data["ssh"]["rootKeys"] = []
|
2021-11-22 16:50:50 +00:00
|
|
|
# Return 404 if key not in array
|
2021-11-17 09:18:17 +00:00
|
|
|
for key in data["ssh"]["rootKeys"]:
|
2021-11-22 16:50:50 +00:00
|
|
|
if key == args["public_key"]:
|
|
|
|
data["ssh"]["rootKeys"].remove(key)
|
2021-11-15 13:49:06 +00:00
|
|
|
return {
|
2021-11-22 16:50:50 +00:00
|
|
|
"message": "SSH key deleted",
|
|
|
|
}, 200
|
|
|
|
return {
|
|
|
|
"error": "Key not found",
|
|
|
|
}, 404
|
|
|
|
if username == data["username"]:
|
|
|
|
if "sshKeys" not in data:
|
|
|
|
data["sshKeys"] = []
|
|
|
|
# Return 404 if key not in array
|
|
|
|
for key in data["sshKeys"]:
|
|
|
|
if key == args["public_key"]:
|
|
|
|
data["sshKeys"].remove(key)
|
|
|
|
return {
|
|
|
|
"message": "SSH key deleted",
|
|
|
|
}, 200
|
|
|
|
return {
|
|
|
|
"error": "Key not found",
|
|
|
|
}, 404
|
|
|
|
if "users" not in data:
|
|
|
|
data["users"] = []
|
|
|
|
for user in data["users"]:
|
|
|
|
if user["username"] == username:
|
|
|
|
if "sshKeys" not in user:
|
|
|
|
user["sshKeys"] = []
|
|
|
|
# Return 404 if key not in array
|
|
|
|
for key in user["sshKeys"]:
|
|
|
|
if key == args["public_key"]:
|
|
|
|
user["sshKeys"].remove(key)
|
|
|
|
return {
|
|
|
|
"message": "SSH key successfully deleted",
|
|
|
|
}, 200
|
|
|
|
return {
|
|
|
|
"error": "Key not found",
|
|
|
|
}, 404
|
2021-11-11 18:31:28 +00:00
|
|
|
return {
|
2021-11-22 16:50:50 +00:00
|
|
|
"error": "User not found",
|
|
|
|
}, 404
|
2021-11-11 18:31:28 +00:00
|
|
|
|
|
|
|
|
|
|
|
api.add_resource(EnableSSH, "/ssh/enable")
|
2021-11-22 16:50:50 +00:00
|
|
|
api.add_resource(SSHSettings, "/ssh")
|
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
api.add_resource(WriteSSHKey, "/ssh/key/send")
|
2021-11-22 16:50:50 +00:00
|
|
|
api.add_resource(SSHKeys, "/ssh/keys/<string:username>")
|