From e9ee5e01c39ba1b35a8b1dd3595c50ea87fe2afe Mon Sep 17 00:00:00 2001 From: Stephane Lesimple Date: Tue, 26 Jan 2021 15:54:08 +0100 Subject: [PATCH] First public release Signed-off-by: Stephane Lesimple --- .gitignore | 1 + .pre-commit-config.yaml | 21 +++++ AUTHORS | 13 +++ CONTRIBUTING.md | 72 ++++++++++++++++ CONTRIBUTORS | 15 ++++ LICENSE | 176 ++++++++++++++++++++++++++++++++++++++++ MAINTAINERS | 12 +++ README.md | 110 +++++++++++++++++++++++++ __init__.py | 0 lib.py | 73 +++++++++++++++++ scpbastion.sh | 2 + scpwrapper.py | 83 +++++++++++++++++++ sshwrapper.py | 70 ++++++++++++++++ 13 files changed, 648 insertions(+) create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 AUTHORS create mode 100644 CONTRIBUTING.md create mode 100644 CONTRIBUTORS create mode 100644 LICENSE create mode 100644 MAINTAINERS create mode 100644 README.md create mode 100644 __init__.py create mode 100755 lib.py create mode 100755 scpbastion.sh create mode 100755 scpwrapper.py create mode 100755 sshwrapper.py diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0d20b64 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.pyc diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..e14840d --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,21 @@ +--- +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: master + hooks: + - id: check-executables-have-shebangs + - id: check-merge-conflict + - id: end-of-file-fixer + - id: fix-encoding-pragma + args: ['--remove'] + - id: requirements-txt-fixer + - id: trailing-whitespace + - repo: https://github.com/FalconSocial/pre-commit-python-sorter + rev: master + hooks: + - id: python-import-sorter + args: ['--silent-overwrite'] + - repo: https://github.com/psf/black + rev: stable + hooks: + - id: black diff --git a/AUTHORS b/AUTHORS new file mode 100644 index 0000000..b3e3f13 --- /dev/null +++ b/AUTHORS @@ -0,0 +1,13 @@ +# This is the official list of authors for copyright purposes. +# This file is distinct from the CONTRIBUTORS files +# and it lists the copyright holders only. + +# Names should be added to this file as one of +# Organization's name +# Individual's name +# Individual's name +# See CONTRIBUTORS for the meaning of multiple email addresses. + +# Please keep the list sorted. + +OVH SAS diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..7021d59 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,72 @@ +# Contributing to The Bastion Ansible Wrapper + +This project accepts contributions. In order to contribute, you should +pay attention to a few things: + +1. your code must follow the coding style rules +2. your code must be unit-tested +3. your code must be documented +4. your work must be signed (see below) +5. you may contribute through GitHub Pull Requests + +# Coding and documentation Style + +Given the relatively small size of the project, please refer to the +actual files and respect the coding style you observe there. + +# Submitting Modifications + +The contributions should be submitted through Github Pull Requests +and follow the DCO which is defined below. + +# Licensing for new files + +The Bastion Ansible Wrapperr is licensed under an Apache 2 license. Anything +contributed to The Bastion Ansible Wrapper must be released under this license. + +When introducing a new file into the project, please make sure it has a +copyright header making clear under which license it's being released. + +# Developer Certificate of Origin (DCO) + +To improve tracking of contributions to this project we will use a +process modeled on the modified DCO 1.1 and use a "sign-off" procedure +on patches that are being emailed around or contributed in any other +way. + +The sign-off is a simple line at the end of the explanation for the +patch, which certifies that you wrote it or otherwise have the right +to pass it on as an open-source patch. The rules are pretty simple: +if you can certify the below: + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I have + the right to submit it under the open source license indicated in + the file; or + +(b) The contribution is based upon previous work that, to the best of + my knowledge, is covered under an appropriate open source License + and I have the right under that license to submit that work with + modifications, whether created in whole or in part by me, under + the same open source license (unless I am permitted to submit + under a different license), as indicated in the file; or + +(c) The contribution was provided directly to me by some other person + who certified (a), (b) or (c) and I have not modified it. + +(d) The contribution is made free of any other party's intellectual + property claims or rights. + +(e) I understand and agree that this project and the contribution are + public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. + + +then you just add a line saying + + Signed-off-by: Random J Developer + +using your real name (sorry, no pseudonyms or anonymous contributions.) diff --git a/CONTRIBUTORS b/CONTRIBUTORS new file mode 100644 index 0000000..ae8736e --- /dev/null +++ b/CONTRIBUTORS @@ -0,0 +1,15 @@ +# This is the official list of people who can contribute +# (and typically have contributed) code to the repository. +# +# Names should be added to this file only after verifying that +# the individual or the individual's organization has agreed to +# the appropriate CONTRIBUTING.md file. +# +# Names should be added to this file like so: +# Individual's name +# Individual's name +# +# Please keep the list sorted. +# +Stéphane Lesimple +Wifried Roset diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..6ecb8b1 --- /dev/null +++ b/LICENSE @@ -0,0 +1,176 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS diff --git a/MAINTAINERS b/MAINTAINERS new file mode 100644 index 0000000..9fb3398 --- /dev/null +++ b/MAINTAINERS @@ -0,0 +1,12 @@ +# This is the official list of the project maintainers. +# This is mostly useful for contributors that want to push +# significant pull requests or for project management issues. +# +# +# Names should be added to this file like so: +# Individual's name +# Individual's name +# +# Please keep the list sorted. +# +Stéphane Lesimple diff --git a/README.md b/README.md new file mode 100644 index 0000000..56a4b0c --- /dev/null +++ b/README.md @@ -0,0 +1,110 @@ +# Using Ansible SSH Connection through The Bastion + +The three scripts in this directory are a wrapper around Ansible native SSH +connection, so that [The Bastion](https://github.com/ovh/the-bastion/) can be transparently used along with Ansible. +You have to set some os SSH Ansible variables as defined in +https://docs.ansible.com/ansible/latest/plugins/connection/ssh.html in addition +with `BASTION_USER`, `BASTION_PORT` and `BASTION_HOST`. It can also rely on +`ansible-inventory` to identify `bastion_user`, `bastion_host`, `bastion_port`. +`ansible-inventory` takes precedences over environment variables as this will +allow to use different bastion for different hosts. + +## Simple usage with environment variables + +Ensure the scripts are executable (`chmod +x`) + +```bash +export BASTION_USER="bastion_user" +export BASTION_HOST="bastion.example.org" +export BASTION_PORT=22 +export ANSIBLE_PIPELINING=1 +export ANSIBLE_SCP_IF_SSH="True" +export ANSIBLE_PRIVATE_KEY_FILE="${HOME}/.ssh/id_rsa" +export ANSIBLE_SSH_EXECUTABLE="CHANGE_THIS_PATH_TO_THE_PROPER_ONE/sshwrapper.py" +export ANSIBLE_SCP_EXECUTABLE="CHANGE_THIS_PATH_TO_THE_PROPER_ONE/scpbastion.sh" + +ansible all -i hosts -m raw -a uptime + +ansible all -i hosts -m ping +``` + +## Leveraging Ansible inventory + +`ansible-inventory` provides access to host's variables. This plugin takes +advantage of this to look for `bastion_*`. + +In the following example all hosts will use the same `your-bastion-user`. The hosts +in `zone_secure` will reach the bastion `your-supersecure-bastion` on port 222 +the others hosts will use `your-bastion` on port 22. + +```yaml +$ grep -ri bastion group_vars/ +group_vars/all.yml:bastion_user: +group_vars/all.yml:bastion_host: +group_vars/all.yml:bastion_port: 22 +group_vars/zone_secure.yml:bastion_port: 222 +group_vars/zone_secure.yml:bastion_host: +``` + +For more information have a look at [the official documentation](https://docs.ansible.com/ansible/latest/network/getting_started/first_inventory.html) + +## Configuration via ansible.cfg + +```ini +[ssh_connection] +scp_if_ssh = True +# Rely on bastion wrapper +pipelining = True +ssh_executable = ./extra/bastion/sshwrapper.py +scp_executable = ./extra/bastion/scpbastion.sh +transfer_method = scp +``` + +## Integration via submodule + +You can include this repository as a submodule in your playbook repository + +```bash +git submodule add https://github.com/ovh/the-bastion-ansible-wrapper.git extra/bastion +``` + +## Requirements + +This has been tested with + +* Ansible 2.9.6 +* Python 3.7.3 +* SSH OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d + +## Debug + +If this doesn't seem to work, run your ansible with `-vvvv`, you'll see whether it actually attempts to use the wrappers or not. + +## Lint + +Just use [pre-commit](https://pre-commit.com/). + +TLDR: +* pip install --user pre-commit +* pre-commit install +* git commit + +# Related + +- [The Bastion](https://github.com/ovh/the-bastion) - Authentication, authorization, traceability and auditability for SSH accesses. + +# License + +Copyright OVH SAS + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/__init__.py b/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/lib.py b/lib.py new file mode 100755 index 0000000..c3e210f --- /dev/null +++ b/lib.py @@ -0,0 +1,73 @@ +#! /usr/bin/env python + +import json +import logging +import os +import subprocess + + +def find_executable(executable, path=None): + """Find the absolute path of an executable + + :return: path + :rtype: str + """ + _, ext = os.path.splitext(executable) + + if os.path.isfile(executable): + return executable + + if path is None: + path = os.environ.get("PATH", os.defpath) + + for p in path.split(os.pathsep): + f = os.path.join(p, executable) + if os.path.isfile(f): + return f + + +def get_inventory(): + """Fetch ansible-inventory --list + + :return: inventory + :rtype: dict + """ + inventory_cmd = find_executable("ansible-inventory") + if not inventory_cmd: + raise Exception("Failed to identify path of ansible-inventory") + command = "{} --list".format(inventory_cmd) + p = subprocess.Popen( + command, + shell=True, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + ) + output, error = p.communicate() + if type(output) is bytes: + output = output.decode() + if not p.returncode: + return json.loads(output) + else: + logging.error(error) + raise Exception("failed to query ansible-inventory") + + +def get_hostvars(ipaddr): + """Fetch hostvars for the given ipaddr + + As ansible-inventory use fqdn and not ipaddr we must fetch all inventory and + browse it to select the correct variables + + :return: hostvars + :rtype: dict + """ + try: + inventory = get_inventory() + return [ + v + for v in inventory.get("_meta", {}).get("hostvars", {}).values() + if v.get("ansible_host") == ipaddr + ][0] + except IndexError: # ipaddr not found in inventory, should never happen as this is called by ansible + return {} diff --git a/scpbastion.sh b/scpbastion.sh new file mode 100755 index 0000000..a0fe8c9 --- /dev/null +++ b/scpbastion.sh @@ -0,0 +1,2 @@ +#!/bin/sh +exec scp -S $(dirname $0)/scpwrapper.py "$@" diff --git a/scpwrapper.py b/scpwrapper.py new file mode 100755 index 0000000..7e3e676 --- /dev/null +++ b/scpwrapper.py @@ -0,0 +1,83 @@ +#! /usr/bin/env python + +import getpass +import os +import sys + +from lib import find_executable, get_hostvars + + +def main(): + argv = list(sys.argv[1:]) # Copy + + remote_user = None + remote_port = 22 + + iteration = enumerate(argv) + sshcmdline = [] + for i, e in iteration: + if e == "-l": + remote_user = argv[i + 1] + next(iteration) + elif e == "-p": + remote_port = argv[i + 1] + next(iteration) + elif e == "-o" and argv[i + 1].startswith("User="): + remote_user = argv[i + 1].split("=")[-1] + next(iteration) + elif e == "-o" and argv[i + 1].startswith("Port="): + remote_port = argv[i + 1].split("=")[-1] + next(iteration) + elif e == "--": + sshcmdline.extend(argv[i + 1 :]) + break + else: + sshcmdline.append(e) + + scpcmd = sshcmdline.pop() + host = sshcmdline.pop() + scpcmd = scpcmd.replace("#", "##").replace(" ", "#") + + hostvar = get_hostvars(host) # dict + + bastion_port = hostvar.get("bastion_port", os.environ.get("BASTION_PORT", 22)) + bastion_user = hostvar.get( + "bastion_user", os.environ.get("BASTION_USER", getpass.getuser()) + ) + bastion_host = hostvar.get("bastion_host", os.environ.get("BASTION_HOST")) + + # syscall exec + args = ( + [ + "ssh", + "{}@{}".format(bastion_user, bastion_host), + "-p", + bastion_port, + "-o", + "StrictHostKeyChecking=no", + "-T", + ] + + sshcmdline + + [ + "--", + "--user", + remote_user, + "--port", + remote_port, + "--host", + host, + "--osh", + "scp", + "--scp-cmd", + scpcmd, + ] + ) + + os.execv( + find_executable("ssh"), # absolute path mandatory + [str(e).strip() for e in args], # execv() arg 2 must contain only strings + ) + + +if __name__ == "__main__": + main() diff --git a/sshwrapper.py b/sshwrapper.py new file mode 100755 index 0000000..c6dd427 --- /dev/null +++ b/sshwrapper.py @@ -0,0 +1,70 @@ +#! /usr/bin/env python + +import getpass +import os +import sys + +from lib import find_executable, get_hostvars + + +def main(): + argv = list(sys.argv[1:]) # Copy + + remote_user = None + remote_port = 22 + + cmd = argv.pop() + host = argv.pop() + hostvar = get_hostvars(host) # dict + + bastion_port = hostvar.get("bastion_port", os.environ.get("BASTION_PORT", 22)) + bastion_user = hostvar.get( + "bastion_user", os.environ.get("BASTION_USER", getpass.getuser()) + ) + bastion_host = hostvar.get("bastion_host", os.environ.get("BASTION_HOST")) + + for i, e in enumerate(argv): + + if e.startswith("User="): + remote_user = e.split("=")[-1] + argv[i] = "User={}".format(bastion_user) + elif e.startswith("Port="): + remote_port = e.split("=")[-1] + argv[i] = "Port={}".format(bastion_port) + + # syscall exec + args = ( + [ + "ssh", + "-p", + bastion_port, + "-q", + "-o", + "StrictHostKeyChecking=no", + "-l", + bastion_user, + bastion_host, + "-t", + ] + + argv + + [ + "--", + "-q", + "--never-escape", + "--user", + remote_user, + "--port", + remote_port, + host, + "--", + cmd, + ] + ) + os.execv( + find_executable("ssh"), # full path mandatory + [str(e).strip() for e in args], # execv() arg 2 must contain only strings + ) + + +if __name__ == "__main__": + main()