add a basic cw alarm
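#!/bin/bash
#
# addAccount.sh - create the DynamoDB account record for a local user, together
# with the SSH key pair, an optional machine-generated password and the VPN
# configuration that go with it, and bundle the files into a tarball.
#
# Usage:         addAccount.sh [-h] [-p]
# Required env:  CLOUD_ENVIRONMENT - profile name prefixed to every generated file
# Required tools: aws, ssh-keygen, tar, python with passlib, pwgen (only with -p)

set -e

# Profile prefix used in every generated file name; comes from the environment.
readonly PROFILE=${CLOUD_ENVIRONMENT}
# Directory holding generated SSH keys and (with -p) plaintext .pass files.
readonly SSH_KEY_DIR="SSHConfigs"
# DynamoDB table and region the user items are written to.
readonly DDBTABLE="userManager"
readonly DDBREGION="us-east-1"
# Item templates: the user record, and a second item carrying a %TS% timestamp.
readonly DDB_TEMPLATE="userManagementTemplates/ddb.templ"
readonly DTS_TEMPLATE="userManagementTemplates/ddbts.templ"
# Helper script that produces the per-user VPN configuration.
readonly VPN_SCRIPT="./createVPNAccount.sh"
# Output directory for the final tarball of user files.
readonly TGZDIR="userPackage"
# Set to 1 when the password is machine generated or reused from a .pass file.
AUTOPASS=0
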
#######################################
# Print the help text for this script and exit successfully.
# Globals:   DDBTABLE, SSH_KEY_DIR, PROFILE (read)
# Arguments: none
# Outputs:   help text to stdout
#######################################
usage() {
  local self
  self=$(basename "$0")
  cat <<EOF

${self} - create account for local users
--------------------------------------
${self} [-p]

${self} is used to create the account information that is stored in DDB
this information is used to push out accounts to the machines in the cluster.

You can only add a single group using this interface, to add additional groups
use the DDB tool to turn groups into an array, where each machine type is an available group.
User details are stored in the DynamoDB table: ${DDBTABLE}.

If you want to use a machine generated password (instead of having a user come to your desk)
pass in '-p' to the script. If you use an auto generated password, it will be written out to
${SSH_KEY_DIR}/${PROFILE}-\$Username.pass

After running this script, you'll need to give the user the following files:
- ${SSH_KEY_DIR}/${PROFILE}-\$Username -- This is the SSH private key
- ${SSH_KEY_DIR}/${PROFILE}-\$Username.pass -- This is the user's password if using -p
- VPNConfigs/${PROFILE}-\$EMAIL.ovpn -- This is the VPN Config unique to the users

EOF
  exit
}

#######################################
# Reject passwords containing characters the rest of the pipeline does not
# carry safely: single quote, double quote and backslash.
# Arguments: $1 - candidate password
# Returns:   0 if acceptable, 1 if it contains a banned character
#######################################
valid_password() {
  local candidate=$1
  if [[ "${candidate}" == *[\'\"\\]* ]]; then
    return 1
  fi
  return 0
}

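# Argument handling: -h prints help, -p generates the password instead of
# prompting for it. Any other argument is rejected instead of silently ignored.
if [[ "${1}" == "-h" ]]; then
  usage
elif [[ "${1}" == "-p" ]]; then
  # pwgen -y adds symbols, some of which valid_password bans; keep drawing
  # until an acceptable one comes out.
  while :; do
    PASS1=$(pwgen -y -N 1 15)
    valid_password "${PASS1}" && break
  done
  PASS2="${PASS1}"
  AUTOPASS=1
elif [[ $# -gt 0 ]]; then
  echo "Unknown argument: ${1}" >&2
  usage
fi

# Every generated file is named "${PROFILE}-<user>"; stop here with an empty
# prefix rather than scatter files named "-<user>" around.
: "${PROFILE:?CLOUD_ENVIRONMENT must be set}"
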
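# Identity of the new user. -r keeps backslashes in the input literal.
read -r -p "Username: " UNAME
read -r -p "Email: " EMAIL

# Both values end up in file names, find patterns, sed expressions and the
# DDB JSON item, so restrict them to a safe character set before use.
uname_re='^[A-Za-z_][A-Za-z0-9_-]*$'
email_re='^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$'
if [[ ! "${UNAME}" =~ $uname_re ]]; then
  echo "Invalid username '${UNAME}': use letters, digits, '_' and '-' only." >&2
  exit 1
fi
if [[ ! "${EMAIL}" =~ $email_re ]]; then
  echo "Invalid email address '${EMAIL}'." >&2
  exit 1
fi

PASS_FILE="${SSH_KEY_DIR}/${PROFILE}-${UNAME}.pass"

# Check to see if we have an existing .pass file to reuse (*shame*)
if [ -e "${PASS_FILE}" ]; then
  echo "Reusing exsting .pass file"
  PASS1=$(<"${PASS_FILE}")
  PASS2="${PASS1}"
  AUTOPASS=1
fi

if [ "${AUTOPASS}" -eq 0 ]; then
  # Prompt until two matching, non-empty passwords pass valid_password.
  while :; do
    read -r -s -p "Password: " PASS1
    echo ""
    read -r -s -p "Password (again):" PASS2
    echo ""

    if [[ "x${PASS1}" != "x${PASS2}" ]]; then
      echo "Passwords do not match, please try again."
      continue
    fi

    # An empty password would be hashed and pushed out like any other.
    if [ -z "${PASS1}" ]; then
      echo "Empty passwords are not allowed. Enter a different password."
      continue
    fi

    if ! valid_password "${PASS1}"; then
      echo "Please do not use escape characters, nor single or double quotes in passwords. Enter a different password."
      continue
    fi

    break
  done
else
  # save the autogenerated password somewhere. The file holds a plaintext
  # credential: create it owner-only (umask) and tighten a reused file too.
  # printf rather than echo so a value starting with '-' is not taken as an option.
  ( umask 077 && printf '%s\n' "${PASS1}" > "${PASS_FILE}" )
  chmod 600 "${PASS_FILE}"
fi
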
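# Hash the password for the DDB record. The plaintext is fed to python on
# stdin instead of being interpolated into the -c source, so it never appears
# in the process argument list (readable via ps) and cannot alter the python
# code whatever characters it contains. sha512_crypt.encrypt is the older
# passlib spelling of .hash and is kept for compatibility with the installed version.
PASS_CRYPT=$(printf '%s' "${PASS1}" | python -c 'import sys; from passlib.hash import sha512_crypt; print(sha512_crypt.encrypt(sys.stdin.read()))')
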
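# SSH key pair for the user: reuse an existing pair, rebuild a missing public
# half from the private key, or generate a fresh ECDSA P-521 pair.
SSH_KEY_PATH="${SSH_KEY_DIR}/${PROFILE}-${UNAME}"
if [ -e "${SSH_KEY_PATH}.pub" ]; then
  echo "Using existing SSH key"
elif [ -e "${SSH_KEY_PATH}" ]; then
  # Only the private key is present; ssh-keygen -f would prompt to overwrite
  # it, so derive the public key from it instead.
  echo "Using existing SSH private key, regenerating public key"
  ssh-keygen -y -f "${SSH_KEY_PATH}" > "${SSH_KEY_PATH}.pub"
else
  ssh-keygen -b 521 -t ecdsa -C "${PROFILE}-${UNAME}-${EMAIL}" -N '' -f "${SSH_KEY_PATH}" > /dev/null
fi
SSHPUB=$(<"${SSH_KEY_PATH}.pub")
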
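echo ""
echo "Available Groups:"
# 'unix.admins' is always offered; the rest are the `module` tag values of
# instances in each region.
for region in us-east-1 us-west-2; do
  echo 'unix.admins'
  aws --region "${region}" ec2 describe-instances --query 'Reservations[*].Instances[*].Tags[?Key==`module`].Value' --output text
done | sort -u | xargs -n1 echo ' -'
echo ""
read -r -p "Group for this user: " MYGROUPS

# A single group name is accepted here (see usage). It is substituted into the
# DDB item, so keep it to characters that survive sed and JSON unchanged.
group_re='^[A-Za-z0-9._-]+$'
if [[ ! "${MYGROUPS}" =~ $group_re ]]; then
  echo "Invalid group name '${MYGROUPS}'." >&2
  exit 1
fi

echo ""
echo "Groups: ${MYGROUPS}"
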
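# Render the DDB items into a private temp directory. Fixed names under /tmp
# let any local user pre-create (symlink) or read the files, which carry the
# password hash and public key; mktemp -d avoids that and the trap removes it
# on every exit path.
DDB_TMPDIR=$(mktemp -d)
trap 'rm -rf -- "${DDB_TMPDIR}"' EXIT

# Escape a value for the replacement side of a sed "s#...#...#" expression
# (delimiter, '&' and backslash are the only special characters there).
sed_repl() {
  printf '%s' "$1" | sed -e 's/[#&\\]/\\&/g'
}

sed -e "s#%UNAME%#$(sed_repl "${UNAME}")#g" \
    -e "s#%SSHPUB%#$(sed_repl "${SSHPUB}")#g" \
    -e "s#%PASS_CRYPT%#$(sed_repl "${PASS_CRYPT}")#g" \
    -e "s#%GROUPS%#$(sed_repl "${MYGROUPS}")#g" \
    -e "s#%EMAIL%#$(sed_repl "${EMAIL}")#g" \
    "${DDB_TEMPLATE}" > "${DDB_TMPDIR}/ddb-${UNAME}.json"
sed -e "s#%TS%#$(date +%s)#g" "${DTS_TEMPLATE}" > "${DDB_TMPDIR}/ddbts-${UNAME}.json"

for f in ddb ddbts; do
  aws --region "${DDBREGION}" dynamodb put-item --table-name "${DDBTABLE}" --item "file://${DDB_TMPDIR}/${f}-${UNAME}.json"
  # Drop each item as soon as it is stored so the hash does not linger on disk.
  rm -f -- "${DDB_TMPDIR}/${f}-${UNAME}.json"
done
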
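echo ""
echo "Generating VPN Configuration:"
# Quoted so each value reaches the helper as exactly one argument, even if it
# contains whitespace or glob characters.
"${VPN_SCRIPT}" "${PROFILE}" "${EMAIL}"
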
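echo ""
echo "In additon to the VPN Config, you'll need to give the user the following files:"
echo " - ${SSH_KEY_DIR}/${PROFILE}-${UNAME} -- This is the SSH private key"
if [ "${AUTOPASS}" -eq 1 ]; then
  echo " - ${SSH_KEY_DIR}/${PROFILE}-${UNAME}.pass -- This is the user's password in plaintext"
fi
echo ""
echo ""

echo "I'll create a tarball of the important files for you to download."
echo "You can find it at ${TGZDIR}/${PROFILE}-${UNAME}.tgz"
# Collect the files NUL-delimited into an array rather than word-splitting
# $(find ...), so a name containing whitespace cannot turn into several
# arguments. The VPN config is matched by username and by email because the
# usage text names it "${PROFILE}-<email>.ovpn" — confirm against createVPNAccount.sh.
USER_FILES=()
while IFS= read -r -d '' f; do
  USER_FILES+=("${f}")
done < <(
  find "${SSH_KEY_DIR}" -name "*${PROFILE}-${UNAME}*" -print0
  find VPNConfigs \( -name "*${PROFILE}-${UNAME}*" -o -name "*${PROFILE}-${EMAIL}*" \) -print0
)
mkdir -p -- "${TGZDIR}"
# The archive holds the private key and possibly a plaintext password:
# create it owner-readable only.
( umask 077 && tar zcf "${TGZDIR}/${PROFILE}-${UNAME}.tgz" "${USER_FILES[@]}" )
echo "You're welcome..."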