Merge pull request #242 from dw/dmw
su method, CTRL+C exception handler, real host key checking modespull/246/head
commit
4f46d8a1e3
@ -0,0 +1,43 @@
|
||||
# Copyright 2017, David Wilson
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions and the following disclaimer in the documentation
|
||||
# and/or other materials provided with the distribution.
|
||||
#
|
||||
# 3. Neither the name of the copyright holder nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software without
|
||||
# specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
import os.path
|
||||
import sys
|
||||
|
||||
try:
|
||||
import ansible_mitogen.connection
|
||||
except ImportError:
|
||||
base_dir = os.path.dirname(__file__)
|
||||
sys.path.insert(0, os.path.abspath(os.path.join(base_dir, '../../..')))
|
||||
del base_dir
|
||||
|
||||
import ansible_mitogen.connection
|
||||
|
||||
|
||||
class Connection(ansible_mitogen.connection.Connection):
|
||||
transport = 'mitogen_su'
|
@ -0,0 +1,113 @@
|
||||
# Copyright 2017, David Wilson
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions and the following disclaimer in the documentation
|
||||
# and/or other materials provided with the distribution.
|
||||
#
|
||||
# 3. Neither the name of the copyright holder nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software without
|
||||
# specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
import logging
|
||||
import os
|
||||
|
||||
import mitogen.core
|
||||
import mitogen.parent
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class PasswordError(mitogen.core.StreamError):
|
||||
pass
|
||||
|
||||
|
||||
class Stream(mitogen.parent.Stream):
|
||||
# TODO: BSD su cannot handle stdin being a socketpair, but it does let the
|
||||
# child inherit fds from the parent. So we can still pass a socketpair in
|
||||
# for hybrid_tty_create_child(), there just needs to be either a shell
|
||||
# snippet or bootstrap support for fixing things up afterwards.
|
||||
create_child = staticmethod(mitogen.parent.tty_create_child)
|
||||
|
||||
#: Once connected, points to the corresponding TtyLogStream, allowing it to
|
||||
#: be disconnected at the same time this stream is being torn down.
|
||||
|
||||
username = 'root'
|
||||
password = None
|
||||
su_path = 'su'
|
||||
password_prompt = 'password:'
|
||||
incorrect_prompts = (
|
||||
'su: sorry', # BSD
|
||||
'su: authentication failure', # Linux
|
||||
)
|
||||
|
||||
def construct(self, username=None, password=None, su_path=None,
|
||||
password_prompt=None, incorrect_prompts=None, **kwargs):
|
||||
super(Stream, self).construct(**kwargs)
|
||||
if username is not None:
|
||||
self.username = username
|
||||
if password is not None:
|
||||
self.password = password
|
||||
if su_path is not None:
|
||||
self.su_path = su_path
|
||||
if password_prompt is not None:
|
||||
self.password_prompt = password_prompt.lower()
|
||||
if incorrect_prompts is not None:
|
||||
self.incorrect_prompts = map(str.lower, incorrect_prompts)
|
||||
|
||||
def connect(self):
|
||||
super(Stream, self).connect()
|
||||
self.name = 'su.' + self.username
|
||||
|
||||
def on_disconnect(self, broker):
|
||||
super(Stream, self).on_disconnect(broker)
|
||||
|
||||
def get_boot_command(self):
|
||||
argv = mitogen.parent.Argv(super(Stream, self).get_boot_command())
|
||||
return [self.su_path, self.username, '-c', str(argv)]
|
||||
|
||||
password_incorrect_msg = 'su password is incorrect'
|
||||
password_required_msg = 'su password is required'
|
||||
|
||||
def _connect_bootstrap(self, extra_fd):
|
||||
password_sent = False
|
||||
it = mitogen.parent.iter_read(
|
||||
fds=[self.receive_side.fd],
|
||||
deadline=self.connect_deadline,
|
||||
)
|
||||
|
||||
for buf in it:
|
||||
LOG.debug('%r: received %r', self, buf)
|
||||
if buf.endswith('EC0\n'):
|
||||
self._ec0_received()
|
||||
return
|
||||
if any(s in buf.lower() for s in self.incorrect_prompts):
|
||||
if password_sent:
|
||||
raise PasswordError(self.password_incorrect_msg)
|
||||
elif self.password_prompt in buf.lower():
|
||||
if self.password is None:
|
||||
raise PasswordError(self.password_required_msg)
|
||||
if password_sent:
|
||||
raise PasswordError(self.password_incorrect_msg)
|
||||
LOG.debug('sending password')
|
||||
self.transmit_side.write(self.password + '\n')
|
||||
password_sent = True
|
||||
raise mitogen.core.StreamError('bootstrap failed')
|
@ -0,0 +1,58 @@
|
||||
# Verify passwordful su behaviour
|
||||
# Ansible can't handle this on OS X. I don't care why.
|
||||
|
||||
- name: integration/become/su_password.yml
|
||||
hosts: test-targets
|
||||
become_method: su
|
||||
any_errors_fatal: true
|
||||
tasks:
|
||||
|
||||
- name: Ensure su password absent but required.
|
||||
shell: whoami
|
||||
become: true
|
||||
become_user: mitogen__user1
|
||||
register: out
|
||||
ignore_errors: true
|
||||
when: is_mitogen
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- out.failed
|
||||
- (
|
||||
('password is required' in out.msg) or
|
||||
('password is required' in out.module_stderr)
|
||||
)
|
||||
when: is_mitogen
|
||||
|
||||
|
||||
- name: Ensure password su incorrect.
|
||||
shell: whoami
|
||||
become: true
|
||||
become_user: mitogen__user1
|
||||
register: out
|
||||
vars:
|
||||
ansible_become_pass: nopes
|
||||
ignore_errors: true
|
||||
when: is_mitogen
|
||||
|
||||
- assert:
|
||||
that: |
|
||||
out.failed and (
|
||||
('Incorrect su password' in out.msg) or
|
||||
('su password is incorrect' in out.msg)
|
||||
)
|
||||
when: is_mitogen
|
||||
|
||||
- name: Ensure password su succeeds.
|
||||
shell: whoami
|
||||
become: true
|
||||
become_user: mitogen__user1
|
||||
register: out
|
||||
vars:
|
||||
ansible_become_pass: user1_password
|
||||
when: is_mitogen
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- out.stdout == 'mitogen__user1'
|
||||
when: is_mitogen
|
Loading…
Reference in New Issue