Merge pull request #3936 from cycloidio/gl_3551
Add new yaml-team-authorized-keys flag to provide authorized team keys in one YAML file
commit
de4a6c2ada
|
@ -8,6 +8,9 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"io/ioutil"
|
||||||
|
yaml "gopkg.in/yaml.v2"
|
||||||
|
|
||||||
"code.cloudfoundry.org/lager"
|
"code.cloudfoundry.org/lager"
|
||||||
"github.com/concourse/concourse/atc"
|
"github.com/concourse/concourse/atc"
|
||||||
"github.com/concourse/concourse/tsa"
|
"github.com/concourse/concourse/tsa"
|
||||||
|
@ -29,9 +32,10 @@ type TSACommand struct {
|
||||||
DebugBindIP flag.IP `long:"debug-bind-ip" default:"127.0.0.1" description:"IP address on which to listen for the pprof debugger endpoints."`
|
DebugBindIP flag.IP `long:"debug-bind-ip" default:"127.0.0.1" description:"IP address on which to listen for the pprof debugger endpoints."`
|
||||||
DebugBindPort uint16 `long:"debug-bind-port" default:"2221" description:"Port on which to listen for the pprof debugger endpoints."`
|
DebugBindPort uint16 `long:"debug-bind-port" default:"2221" description:"Port on which to listen for the pprof debugger endpoints."`
|
||||||
|
|
||||||
HostKey *flag.PrivateKey `long:"host-key" required:"true" description:"Path to private key to use for the SSH server."`
|
HostKey *flag.PrivateKey `long:"host-key" required:"true" description:"Path to private key to use for the SSH server."`
|
||||||
AuthorizedKeys flag.AuthorizedKeys `long:"authorized-keys" description:"Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line)."`
|
AuthorizedKeys flag.AuthorizedKeys `long:"authorized-keys" description:"Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line)."`
|
||||||
TeamAuthorizedKeys map[string]flag.AuthorizedKeys `long:"team-authorized-keys" value-name:"NAME:PATH" description:"Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line)."`
|
TeamAuthorizedKeys map[string]flag.AuthorizedKeys `long:"team-authorized-keys" value-name:"NAME:PATH" description:"Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line)."`
|
||||||
|
TeamAuthorizedKeysFile flag.File `long:"team-authorized-keys-file" description:"Path to file containing a YAML array of teams and their authorized SSH keys, e.g. [{team:foo,ssh_keys:[key1,key2]}]."`
|
||||||
|
|
||||||
ATCURLs []flag.URL `long:"atc-url" required:"true" description:"ATC API endpoints to which workers will be registered."`
|
ATCURLs []flag.URL `long:"atc-url" required:"true" description:"ATC API endpoints to which workers will be registered."`
|
||||||
|
|
||||||
|
@ -48,6 +52,11 @@ type TeamAuthKeys struct {
|
||||||
AuthKeys []ssh.PublicKey
|
AuthKeys []ssh.PublicKey
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type yamlTeamAuthorizedKey struct {
|
||||||
|
Team string `yaml:"team"`
|
||||||
|
Keys []string `yaml:"ssh_keys,flow"`
|
||||||
|
}
|
||||||
|
|
||||||
func (cmd *TSACommand) Execute(args []string) error {
|
func (cmd *TSACommand) Execute(args []string) error {
|
||||||
runner, err := cmd.Runner(args)
|
runner, err := cmd.Runner(args)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -143,6 +152,35 @@ func (cmd *TSACommand) loadTeamAuthorizedKeys() ([]TeamAuthKeys, error) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// load TeamAuthorizedKeysFile
|
||||||
|
if cmd.TeamAuthorizedKeysFile != "" {
|
||||||
|
logger, _ := cmd.constructLogger()
|
||||||
|
var rawTeamAuthorizedKeys []yamlTeamAuthorizedKey
|
||||||
|
|
||||||
|
authorizedKeysBytes, err := ioutil.ReadFile(cmd.TeamAuthorizedKeysFile.Path())
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to read yaml authorized keys file: %s", err)
|
||||||
|
}
|
||||||
|
err = yaml.Unmarshal([]byte(authorizedKeysBytes), &rawTeamAuthorizedKeys)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse yaml authorized keys file: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, t := range rawTeamAuthorizedKeys {
|
||||||
|
var teamAuthorizedKeys []ssh.PublicKey
|
||||||
|
for _, k := range t.Keys {
|
||||||
|
key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
|
||||||
|
if err != nil {
|
||||||
|
logger.Error("load-team-authorized-keys-parse", fmt.Errorf("Invalid format, ignoring (%s): %s", k, err.Error()))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
logger.Info("load-team-authorized-keys-loaded", lager.Data{"team": t.Team, "key": k})
|
||||||
|
teamAuthorizedKeys = append(teamAuthorizedKeys, key)
|
||||||
|
}
|
||||||
|
teamKeys = append(teamKeys, TeamAuthKeys{Team: t.Team, AuthKeys: teamAuthorizedKeys})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return teamKeys, nil
|
return teamKeys, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
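Review bot: `logger, _ := cmd.constructLogger()` in the new `TeamAuthorizedKeysFile` branch discards the constructor's error, and that logger is then dereferenced on every invalid key; if constructLogger returns a nil logger on failure (its body is not in this hunk, and loadTeamAuthorizedKeys itself begins before the hunk) that is a nil-interface panic at startup instead of a clean error. Since the function already returns an error for an unreadable or unparseable file, propagate this one too: `logger, err := cmd.constructLogger()` followed by `if err != nil { return nil, err }`. Two smaller points in the same branch: `[]byte(authorizedKeysBytes)` re-converts a value that ioutil.ReadFile already returns as `[]byte`, so `err = yaml.Unmarshal(authorizedKeysBytes, &rawTeamAuthorizedKeys)` is enough, and an entry whose `team` is empty or whose every key failed `ssh.ParseAuthorizedKey` is still appended to `teamKeys`, which is only harmless if the caller's team matching (not visible here) tolerates it, so consider skipping such entries or returning an error naming the offending index so a misconfigured file is caught at startup rather than at the first worker registration. In the import hunk, `"io/ioutil"` sits in its own group between the stdlib and third-party groups; goimports would fold it into the stdlib group.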