From: Justin Wind
Date: Wed, 20 Sep 2017 19:15:30 +0000 (-0700)
Subject: add rudimentary ddb account creation scripts
X-Git-Url: http://git.squeep.com/?p=awsible;a=commitdiff_plain;h=ce8e955b6c67be317f3082df611ff2bafb9f098e
add rudimentary ddb account creation scripts
---
diff --git a/.gitignore b/.gitignore
index 81bbbae..646627d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,7 @@
+.terraform
+sqs-dispatcher
 keys/
+VPNConfigs/
+SSHConfigs/
+userPackage/
+ddb-users.lastruntime
diff --git a/addAccount.sh b/addAccount.sh
new file mode 100755
index 0000000..cd73f16
--- /dev/null
+++ b/addAccount.sh
@@ -0,0 +1,149 @@
+#!/bin/bash
+
+set -e
+
+PROFILE=${CLOUD_ENVIRONMENT}
+SSH_KEY_DIR="SSHConfigs"
+DDBTABLE="userManager"
+DDBREGION="us-east-1"
+DDB_TEMPLATE="userManagementTemplates/ddb.templ"
+DTS_TEMPLATE="userManagementTemplates/ddbts.templ"
+VPN_SCRIPT="./createVPNAccount.sh"
+TGZDIR="userPackage"
+AUTOPASS=0
+
+usage(){
+ SELF=$(basename "$0")
+ cat< "${SSH_KEY_DIR}/${PROFILE}-${UNAME}.pass"
+fi
+
+PASS_CRYPT=$(python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(\"${PASS1}\")";)
+
+if [ ! -e "${SSH_KEY_DIR}/${PROFILE}-${UNAME}.pub" ]; then
+ ssh-keygen -b 521 -t ecdsa -C "${PROFILE}-${UNAME}-${EMAIL}" -N '' -f "${SSH_KEY_DIR}/${PROFILE}-${UNAME}" > /dev/null
+else
+ echo "Using existing SSH key"
+fi
+SSHPUB=$(cat ${SSH_KEY_DIR}/${PROFILE}-${UNAME}.pub)
+
+echo ""
+echo "Available Groups:"
+for i in us-east-1 us-west-2; do
+ echo 'unix.admins'
+ aws --region "${i}" ec2 describe-instances --query 'Reservations[*].Instances[*].Tags[?Key==`module`].Value' --output text
+done | sort -u | xargs -n1 echo ' -'
+echo ""
+read -p "Group for this user: " MYGROUPS
+
+echo ""
+echo "Groups: $MYGROUPS"
+
+cat ${DDB_TEMPLATE} | sed -e "s/%UNAME%/${UNAME}/g" -e "s#%SSHPUB%#${SSHPUB}#g" -e "s#%PASS_CRYPT%#${PASS_CRYPT}#g" -e "s/%GROUPS%/${MYGROUPS}/g" -e "s/%EMAIL%/${EMAIL}/g" > /tmp/ddb-${UNAME}.json
+cat ${DTS_TEMPLATE} | sed -e "s/%TS%/`date +%s`/g" > /tmp/ddbts-${UNAME}.json
+
+for f in ddb ddbts
+do
+ aws --region "${DDBREGION}" dynamodb put-item --table-name "${DDBTABLE}" --item file:///tmp/${f}-${UNAME}.json
+ rm -f /tmp/${f}-${UNAME}.json
+done
+
+echo ""
+echo "Generating VPN Configuration:"
+${VPN_SCRIPT} ${PROFILE} ${EMAIL}
+
+
+echo ""
+echo "In additon to the VPN Config, you'll need to give the user the following files:"
+echo " - ${SSH_KEY_DIR}/${PROFILE}-${UNAME} -- This is the SSH private key"
+if [ $AUTOPASS -eq 1 ]; then
+ echo " - ${SSH_KEY_DIR}/${PROFILE}-${UNAME}.pass -- This is the user's password in plaintext"
+fi
+echo ""
+echo ""
+
+echo "I'll create a tarball of the important files for you to download."
+echo "You can find it at ${TGZDIR}/${PROFILE}-${UNAME}.tgz"
+tar zcf ${TGZDIR}/${PROFILE}-${UNAME}.tgz $(find ${SSH_KEY_DIR} -name "*${PROFILE}-${UNAME}*"; find VPNConfigs -name "*${PROFILE}-${UNAME}*")
+echo "You're welcome..."
diff --git a/roles/management/tasks/main.yml b/roles/management/tasks/main.yml
index ba24f86..e42e471 100644
--- a/roles/management/tasks/main.yml
+++ b/roles/management/tasks/main.yml
@@ -21,6 +21,7 @@
 with_items:
 - ansible
 - boto3
+ - passlib
 pip:
 name: "{{ item }}"
 state: latest
@@ -28,10 +29,13 @@
 - name: Gather AWS info
 action: ec2_facts
-- name: Install queue-watching cron
+- name: Install crons
+ with_items:
+ - sqs-poll.cron
+ - ddb-users.cron
 template:
- src: sqs-poll.cron.j2
- dest: /etc/cron.d/sqs-poll.cron
+ src: "{{ item }}.j2"
+ dest: /etc/cron.d/{{ item }}
 mode: "0644"
 owner: root
 group: root
diff --git a/roles/management/templates/ddb-users.cron.j2 b/roles/management/templates/ddb-users.cron.j2
new file mode 100644
index 0000000..7c41f66
--- /dev/null
+++ b/roles/management/templates/ddb-users.cron.j2
@@ -0,0 +1,4 @@
+{% if MANAGEMENT_EMAIL is defined %}
+MAILTO={{ MANAGEMENT_EMAIL }}
+{% endif %}
+*/5 * * * * ec2-user {{ MANAGEMENT_DATA_ROOT }}/run-ddb-users.sh
diff --git a/roles/msca-openvpn/templates/user-server.conf.j2 b/roles/msca-openvpn/templates/user-server.conf.j2
index 02742d2..1d6aaf2 100644
--- a/roles/msca-openvpn/templates/user-server.conf.j2
+++ b/roles/msca-openvpn/templates/user-server.conf.j2
@@ -15,6 +15,8 @@ cipher AES-256-CBC
 keepalive 30 90
 management 127.0.0.1 31339
+comp-lzo
+
 server {{ vpn_subnet }} 255.255.255.0
 topology subnet
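Review bot: `PASS_CRYPT=$(python -c "... sha512_crypt.encrypt(\"${PASS1}\")")` embeds the cleartext password in the Python source and therefore in the process's argv, where any local user can read it from a process listing, and a password containing `"` or `\` breaks the quoting; feed it on stdin instead, e.g. `PASS_CRYPT=$(printf '%s' "${PASS1}" | python -c 'import sys; from passlib.hash import sha512_crypt; print sha512_crypt.encrypt(sys.stdin.read())')`. The staging files `/tmp/ddb-${UNAME}.json` and `/tmp/ddbts-${UNAME}.json` have predictable names in a shared directory and carry the hash and key material; create them with `mktemp` under a `trap ... EXIT` cleanup, or write them beneath `${SSH_KEY_DIR}`. The interactively entered `MYGROUPS` and `EMAIL` are substituted into the JSON by `sed` without escaping, so a value containing `"`, `/` or `&` yields a malformed or altered item, and `cat ${DDB_TEMPLATE}`, `${VPN_SCRIPT} ${PROFILE} ${EMAIL}` and the `$(find ...)` argument to `tar` are unquoted. Setting `umask 077` near the top would keep the `.pass` file and the tarball from being created world-readable at the default umask. This rendering of the hunk is garbled between `cat<` in `usage()` and the write to `...${UNAME}.pass`, so the lines in between, including where `PASS1` and `UNAME` are set, could not be reviewed.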
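Review bot: The new `- passlib` entry inherits `state: latest`, so every run of this role installs whatever release is newest at that moment, and the password-hash code that presumably consumes it on the management host then depends on an unpinned package; pin the version (a `version:` on the pip task, or a requirements file with hashes) so management hosts are reproducible and a compromised or broken release is not picked up automatically. The same applies to the existing `ansible` and `boto3` entries, which this commit does not touch. In the second hunk, `dest: /etc/cron.d/{{ item }}` parses because the scalar starts with `/`; quoting it the same way as `src: "{{ item }}.j2"` keeps the two lines consistent.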
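Review bot: The cron entry runs `{{ MANAGEMENT_DATA_ROOT }}/run-ddb-users.sh` every five minutes as `ec2-user`, but that script is not part of this commit and nothing here documents where it is deployed from; if it is installed by another role, a comment line in this template naming it would help, otherwise the cron job fails silently (or mails the failure every five minutes when `MANAGEMENT_EMAIL` is set). A five-minute schedule with no overlap guard means a slow DynamoDB scan can run concurrently with the next invocation; wrapping the command in `flock -n /path/to/lock` (placeholder path) avoids duplicate runs. The file also sets no `PATH`, so the script inherits cron's minimal default; if it relies on `aws` from a non-standard prefix, set `PATH=` explicitly here.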
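Review bot: `comp-lzo` enables compression inside the user-facing tunnel, which upstream OpenVPN deprecates (in favour of `compress`) and recommends against enabling at all, because compressing attacker-influenced plaintext alongside secrets in the same stream leaks information about those secrets (compression-oracle attacks). Unless there is a measured bandwidth need, drop the line; if client profiles already expect the compression framing, `comp-lzo no` keeps compatibility without compressing. The client configs generated by createVPNAccount.sh are not in this commit, so whether they match this setting cannot be checked here; the vpc-server.conf.j2 hunk does not add it, so the two servers now differ in this respect. The quoting change in this file's second hunk is cosmetic.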
@@ -24,8 +26,8 @@ verb 3
 log /var/log/openvpn/openvpn.log
 status-version 3
 status /var/log/openvpn/status.log
-client-connect /etc/openvpn/scripts/event-log.sh
-client-disconnect /etc/openvpn/scripts/event-log.sh
+client-connect "/etc/openvpn/scripts/event-log.sh"
+client-disconnect "/etc/openvpn/scripts/event-log.sh"
 tmp-dir /dev/shm
 {% if phase|default() == 'prod' %}
diff --git a/roles/msca-openvpn/templates/vpc-server.conf.j2 b/roles/msca-openvpn/templates/vpc-server.conf.j2
index a8864ba..9d9c7b5 100644
--- a/roles/msca-openvpn/templates/vpc-server.conf.j2
+++ b/roles/msca-openvpn/templates/vpc-server.conf.j2
@@ -24,7 +24,8 @@ verb 3
 log /var/log/openvpn/openvpn-vpc.log
 status-version 3
 status /var/log/openvpn/status-vpc.log
-client-connect /etc/openvpn/scripts/event-log.sh
+client-connect "/etc/openvpn/scripts/event-log.sh"
+client-disconnect "/etc/openvpn/scripts/event-log.sh"
 tmp-dir /dev/shm
diff --git a/userManagementTemplates/ddb.templ b/userManagementTemplates/ddb.templ
new file mode 100644
index 0000000..98fa9a9
--- /dev/null
+++ b/userManagementTemplates/ddb.templ
@@ -0,0 +1,21 @@
+{
+ "userName": {
+ "S": "%UNAME%"
+ },
+ "sshPublicKey": {
+ "S": "%SSHPUB%"
+ },
+ "passwordHash": {
+ "S": "%PASS_CRYPT%"
+ },
+ "emailAddress": {
+ "S": "%EMAIL%"
+ },
+ "groups": {
+ "L": [
+ {
+ "S": "%GROUPS%"
+ }
+ ]
+ }
+}
diff --git a/userManagementTemplates/ddbts.templ b/userManagementTemplates/ddbts.templ
new file mode 100644
index 0000000..510a425
--- /dev/null
+++ b/userManagementTemplates/ddbts.templ
@@ -0,0 +1,8 @@
+{
+ "userName": {
+ "S": "lastUpdate"
+ },
+ "timeStamp": {
+ "N": "%TS%"
+ }
+}
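Review bot: `"groups"` is a list that holds exactly one string, `%GROUPS%`, so a user who belongs to more than one group can only be expressed if the consumer splits that single string on some separator; if that is the intent, the separator should be stated in a comment in addAccount.sh next to `read -p "Group for this user: "`, otherwise the template should allow the script to emit one `{"S": ...}` element per group. The placeholders are filled by plain `sed` text substitution, so any value containing `"` or `\` produces invalid JSON or a different item than intended; building the item with a JSON-aware tool (`jq --arg` or a small `python -c 'import json, ...'` snippet) instead of a template removes that class of error. The ddbts.templ hunk has the same substitution mechanism but only receives a numeric timestamp, so it is unaffected.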