Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Manage bastion email aliases using fasjson

Browse source
This commit is contained in:
Stephen Coady 2021-02-10 14:43:02 +00:00 committed by nphilipp
parent 2fde74e20f
commit 7ada76d200
6 changed files with 534 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
inventory/group_vars/bastion
View file

@ -51,6 +51,11 @@ postfix_transport_filename: transports.gateway
#
fas_aliases: true
#
# Set this to get fasjson-client cron to make the aliases file
#
fasjson_aliases: false
#
# Sometimes there are lots of postfix processes
#

5
inventory/group_vars/bastion_stg
View file

@ -39,6 +39,11 @@ bastion_ipa_client_shell_groups:
ipa_client_shell_groups: "{{ (bastion_ipa_client_shell_groups + batcave_ipa_client_shell_groups) | sort | unique }}"
#
# Set this to get fasjson-client cron to make the aliases file
#
fasjson_aliases: true
#
# Sometimes there are lots of postfix processes
#

359
roles/fasjson/files/aliases.static Normal file
View file

@ -0,0 +1,359 @@
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: sysadmin-main
# General redirections for pseudo accounts.
bin: root
daemon: root
adm: root
lp: root
sync: root
shutdown: root
halt: root
mail: root
#news: root
uucp: root
operator: root
games: root
gopher: root
ftp: root
#nobody: root
radiusd: root
nut: root
dbus: root
vcsa: root
canna: root
wnn: root
rpm: root
nscd: root
pcap: root
apache: root
webalizer: root
dovecot: root
fax: root
quagga: root
radvd: root
pvm: root
amanda: root
privoxy: root
ident: root
named: root
xfs: root
gdm: root
mailnull: root
postgres: root
sshd: root
smmsp: root
postfix: root
netdump: root
ldap: root
squid: root
ntp: root
mysql: root
desktop: root
rpcuser: root
rpc: root
nfsnobody: root
ingres: root
system: root
toor: root
manager: root
dumper: root
abuse: root
nagios: root
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: sysadmin-main
# Mail blackholes for various services
nobody: /dev/null
fedorawiki-noreply: /dev/null
extras-orphan: /dev/null
orphan: /dev/null
retired-packages: /dev/null
control-center-maint: /dev/null
gecko-bugs-nobody: /dev/null
ftbfs: /dev/null
trac: /dev/null
taskotron: /dev/null
# Fedora Scholarship
scholarship: /dev/null
# Asterisk
asterisk: /dev/null
# Old stuff
fedoraextras-qa: /dev/null
extras-qa: /dev/null
notifications: /dev/null
# Bodhi & pkgdb aliases
updates: /dev/null
pkgdb: /dev/null
fudcon-cfp: /dev/null
download-logs: /dev/null
# Administrative & Management Aliases
accounts: sysadmin-main
admin: sysadmin-main
s3-mirror: sysadmin-main
fedora-admin-xmlrpc: kevin
hostmaster: admin,sysadmin-dns-members
sysadmin-main: sysadmin-main-members
# For vendors to email us
vendor-support: vendor-support-members
cpe-managers: pfrields@redhat.com,lgriffin@redhat.com,jperrin@redhat.com
## Cruft aliases because we used cvs
cvsextras: scm-commits@lists.fedoraproject.org
cvsdirsec: 389-commits@lists.fedoraproject.org
cvseclipse: eclipse-commits@lists.fedoraproject.org
cvsfont: lohit-devel-list@redhat.com
cvs-sysadmin: fedora-sysadmin-list@redhat.com
# GDK is the human who suggested this redirection
legal-cla-archive: fedora-lit@redhat.com
vendors: distribution-members
# Fedora Council
legal: spot@redhat.com
fpl: chair
board: council-private@lists.fedoraproject.org
chairman: chair
directors: board
## Fedora Project Leader (FPL)
## https://docs.fedoraproject.org/fedora-project/council/fpl.html
chair: mattdm
## Fedora Community Action and Impact Coordinator
## https://docs.fedoraproject.org/fedora-project/council/fcaic.html
fcaic: bex
# FESCo
fesco-chair: kevin
fesco: fesco@lists.fedoraproject.org
sponsors-feedback: packager-sponsors@fedoraproject.org,fesco@lists.fedoraproject.org
# Fedora Hosted Inquiries
#hosted-issues: mmcgrath,lmacken,pfrields,spot
# Fedora Mentors
rave-review: mentors@lists.fedoraproject.org
# FUDCon
fudcon-register: flock-admin
fudcon-paper: flock-admin
# Fudcon regional aliases - point to point person before that fudcon
fudcon-emea: flock-admin
# fudcon-apac:
# fudcon-na:
fudcon-latam: flock-admin
# flock
flockpress: fcaic,fpl
flockinfo: fcaic,fpl
flock-staff: fcaic,fpl,jmadriag@redhat.com
flock-admin: fcaic,fpl,jmadriag@redhat.com
flock-coc: fcaic,fpl
flock-access: flock-admin
# gnome backups
gnomebackup: backups@gnome.org
# News
#news: nman64,pfrields,sundaram,tchung,kwade
news: news-members@fedoraproject.org
askfedora: sysadmin-ask-members
security: security-private@lists.fedoraproject.org
secalert: security-private@lists.fedoraproject.org
# Infrastructure security officer
infra-security: puiterwijk,kevin,smooge,codeblock
webmaster: websites@lists.fedoraproject.org
logo: rlerch@redhat.com,duffy@redhat.com
ham-radio-exams: nb,jbwillia
# Misc Aliases
cvs-access: accounts
ftpsync: kevin,smooge
# Used for openshift census instance
census: npmccallum,kevin,ianweller,tflink
# User for openshift fedora-status instance
fedora-status: kevin,codeblock
# User for openshift fedora magazine wordpress instance.
fedora-mag-admin: kevin,duffy,chrisroberts,mitzie,jzb,nb
endoflife: triage@lists.fedoraproject.org
fas: admin@fedoraproject.org
# Fedora server working group. ticket 4093
server-wg: sgallagh,jperrin,davidstrauss,tuanta,duffy,mitr,simo,johannbg
# Amazon cloud account, ticket #1903
community-cloud: mattdm@redhat.com,cpe-managers,dustymabe
# People always confuse things this is a special case
dgilmore: ausil
gregdek: gdk
keys: pnasrat@redhat.com
relnotes: relnotes-content@lists.fedoraproject.org
jaboutboul: jack
kwade: quaid
stickster: pfrields
spevack: mspevack
rsc: robert
patrick: puiterwijk
masta: parasense
relrod: codeblock
rbergeron: rbergero
jwf: jflory7
axk4545: abkahrs
bexelbie: bex
# Mirror admin alias
mirror-admin: mirror-admin@lists.fedoraproject.org
# Fedora Marketing and Fedora Ambassadors
famsco: famsco-members@fedoraproject.org
fedora-marketing: famsco
info: marketing@lists.fedoraproject.org
fedorarewards: famsco@lists.fedoraproject.org
openvideo: tchung
freemedia: tchung,susmit
fama: robyduck,nb
# Firstname.lastname exceptions (preferrably only for people with a good reason)
# History: these are people wishing to keep their firstname.lastname email
# We offered it once but no longer do. Exceptions should be rare.
johan.cwiklinski: trashy
maxime.carron: mxcarron
bart.de.soete: badeso
david.nalley: ke4qqq
guillaume.kulakowski: llaumgui
thierry.delmonte: titax
fabian.affolter: fab
nick.bebout: nb
dan.mashal: vicodan
# Wiki
wikiadmin: wikiadmin-members
# torrent
opentracker: admin
# DNS
dnsadmin: sysadmin-dns-members
# docker trusted email
fedora-docker-trusted: scollier,lsm5,mattdm
# Fedora-qa-devel alias
fedoraqa-devel-admin: tflink,kparal,frantisekz
# fedora kernel aliases
kernel-team: jwboyer@redhat.com,jforbes@redhat.com,labbott@redhat.com,jcline@redhat.com
kernel-maint: kernel-maint@redhat.com
lvm-team: lvm-team@redhat.com
fedora-kernel-acpi: acpi@linux.intel.com,len.brown@intel.com,mjg59@srcf.ucam.org
fedora-kernel-audit: rgb@redhat.com,eparis@redhat.com
fedora-kernel-block: jmoyer@redhat.com
fedora-kernel-dmar: dwmw2@infradead.org
fedora-kernel-ethernet: nhorman@redhat.com
fedora-kernel-ethernet-ath: jogreene@redhat.com,linville@redhat.com
fedora-kernel-ethernet-broadcom: mcarlson@broadcom.com
fedora-kernel-ethernet-realtek: romieu@fr.zoreil.com
fedora-kernel-aio: jmoyer@redhat.com
fedora-kernel-directio: jmoyer@redhat.com
fedora-kernel-fsbuffer: jmoyer@redhat.com
fedora-kernel-btrfs: fs-maint@redhat.com,josef@toxicpanda.com,bugzilla@colorremedies.com
fedora-kernel-extfs: fs-maint@redhat.com,tytso@mit.edu
fedora-kernel-xfs: fs-maint@redhat.com
fedora-kernel-firewire: fenlason@redhat.com,stefan-r-rhbz@s5r6.in-berlin.de
fedora-kernel-drm: airlied@redhat.com
fedora-kernel-input: benjamin.tissoires@redhat.com
fedora-kernel-intelpstate: dirk.brandewie@gmail.com
fedora-kernel-ata: dmilburn@redhat.com
fedora-kernel-networking: nhorman@redhat.com
fedora-kernel-nfc: sameo@linux.intel.com,linville@redhat.com
fedora-kernel-openvswitch: tgraf@redhat.com
fedora-kernel-ptrace: oleg@redhat.com
fedora-kernel-pci: bhelgaas@google.com
fedora-kernel-raid: Jes.Sorensen@redhat.com
fedora-kernel-scsi: dmilburn@redhat.com
fedora-kernel-selinux: dwalsh@redhat.com,eparis@redhat.com
fedora-kernel-uefi: mjg59@srcf.ucam.org
fedora-kernel-usb-cameras: hdegoede@redhat.com
fedora-kernel-v4l: mchehab@redhat.com
fedora-kernel-kvm: mtosatti@redhat.com,fedora-virt-maint@redhat.com
fedora-kernel-xen: ketuzsezr@darnok.org
fedora-kernel-wireless: linville@redhat.com,sgruszka@redhat.com,jogreene@redhat.com
fedora-kernel-wireless-ath: jogreene@redhat.com,linville@redhat.com
fedora-kernel-wireless-b43: larry.finger@lwfinger.net
fedora-kernel-wireless-brcm80211: jogreene@redhat.com,linville@redhat.com,brcm80211-dev-list@broadcom.com
fedora-kernel-wireless-iwl: sgruszka@redhat.com,linville@redhat.com
fedora-kernel-wireless-ralink: sgruszka@redhat.com,linville@redhat.com
fedora-kernel-wireless-realtek: larry.finger@lwfinger.net,jogreene@redhat.com
anaconda-maint: anaconda-maint-list@redhat.com
xen-maint: xen-maint@redhat.com
xgl-maint: xgl-maint@redhat.com
perl-sig: perl-devel@lists.fedoraproject.org
retired: retired-packages@fedoraproject.org
ctrl-center-team: control-center-maint@fedoraproject.org
fonts-sig: fonts-bugs@lists.fedoraproject.org
gecko-maint: gecko-bugs-nobody@fedoraproject.org
astronomy-sig: astronomy@lists.fedoraproject.org
systems: admin+systems@fedoraproject.org
hams-sig: fedora-hams@fedoraunity.org
i18n-team: i18n-bugs@lists.fedoraproject.org
haskell-sig: haskell-devel@lists.fedoraproject.org
mono-sig: mono@lists.fedoraproject.org
virtmaint: virt-maint@lists.fedoraproject.org
fcommunity: johnp@fedoraproject.org
ocamlmaint: ocaml-devel@lists.fedoraproject.org
mingwmaint: mingw@lists.fedoraproject.org
java-sig: java-devel@lists.fedoraproject.org
upstream-release-monitoring: pingou,ralph
aws: aws-members
awsci: kevin@scrye.com
msftazure: msftazure-members
relicensing: relicensing@lists.fedoraproject.org
abrt-bot: jmoskovc@redhat.com,kklic@redhat.com,mtoman@redhat.com,mlichvar@redhat.com
packaging-team: ffesti,james,pmatilai,timlau,zpavlas,jnovy,jbowes,lmacken
blockerbugs: tflink+blockerbugs@redhat.com
epel: /dev/null
# fedora release engineering
releng-team: mohanboddu,parasense,kellin
containerbuild: cverna
#### The rest of this file is automatically generated - edit using the accounts system!

1
roles/fasjson/files/fasjson-aliases.cron Normal file
View file

@ -0,0 +1 @@
00 19 * * * root /usr/local/bin/lock-wrapper fasjson-aliases "/usr/local/bin/fasjson-aliases.py 2>&1"

36
roles/fasjson/tasks/main.yml Normal file
View file

@ -0,0 +1,36 @@
---
#
# This task sets up fasjson-client on a machine.
# It installs the fasjson-client package and a cron job update.
#
- name: install fasjson-client
package:
state: present
name:
- fasjson-client
tags:
- packages
- fasjson
- name: fasjson-aliases script
copy: src=fasjson-aliases.j2 dest=/usr/local/bin/fasjson-aliases owner=root mode=0755
tags:
- config
- fasjson
when: fasjson_aliases is defined
- name: fasjson-aliases cron job
copy: src=fasjson-aliases.cron dest=/etc/cron.d/fasjson-aliases owner=root mode=0644
tags:
- config
- fasjson
when: fasjson_aliases is defined
- name: fasjson-aliases base static file
copy: src=aliases.static dest=/etc/aliases.static owner=root mode=0644
tags:
- config
- fasjson
when: fasjson_aliases is defined

128
roles/fasjson/templates/fasjson-aliases.j2 Normal file
View file

@ -0,0 +1,128 @@
#!/usr/bin/python3
import os
import sys
import tempfile
from fasjson_client import Client, errors
fasjson_url = "{{ fasjson_url }}"
aliases_static_file = "/etc/aliases.static"
aliases_file = "/etc/aliases"
def gen_all_aliases():
# API query
try:
client = Client(url=fasjson_url)
try:
users = client.list_users().result
groups = client.list_groups().result
temporary_file = tempfile.NamedTemporaryFile(
"w+", delete=False, dir=os.getcwd()
)
with open(temporary_file.name, "w+") as temp:
with open(aliases_static_file, "r") as aliases_static:
for line in aliases_static:
temp.write(line)
for user in users:
username = user['username']
email = user['emails'][0]
temp.write(f'{username}: {email} \n')
for group in groups:
groupname = group['groupname']
# even though there are no admins of groups anymore
# we should probably leave this here and just
# link to the sponsors list
temp.write(
f'{groupname}-administrators: {groupname}-sponsors \n'
)
sponsor_list = ','.join(
sponsor['username']
for sponsor in client.list_group_sponsors(
groupname=groupname).result
)
temp.write(f"{groupname}-sponsors: {sponsor_list} \n")
member_list = ','.join(
member['username']
for member in client.list_group_members(
groupname=groupname).result
)
temp.write(f"{groupname}-members: {member_list} \n")
rename(temporary_file.name, aliases_file)
except errors.APIError as e:
print(f"Something went wrong querying the fasjson API. {e}", file=sys.stderr)
raise
except IOError as e:
print(e, file=sys.stderr)
raise
except errors.ClientSetupError as e:
print(f"Something went wrong creating the fasjson client: {e}", file=sys.stderr)
raise
def update_user(username):
try:
client = Client(url=fasjson_url)
user = client.get_user(username=username).result
email = user['emails'][0]
try:
# get the user and their new email address
temporary_file = tempfile.NamedTemporaryFile(
"w+", delete=False, dir=os.getcwd()
)
with open(aliases_file, 'r') as aliases:
with open(temporary_file.name, 'w+') as temp:
for line in aliases:
if not line.startswith(f"{username}: "):
temp.write(line)
else:
temp.write(f"{username}: {email} \n")
rename(temporary_file.name, aliases_file)
except IOError as e:
print(e, file=sys.stderr)
raise
except errors.ClientError as e:
print(f"Something went wrong contacting fasjson {e}", file=sys.stderr)
raise
def rename(filename, aliases_file):
try:
os.rename(filename, aliases_file)
if (os.path.exists(filename)):
os.remove(filename)
else:
print("Aliases updated. Temporary files removed.")
except IOError as e:
print(f"Error updating aliases file {e}", file=sys.stderr)
raise
def main():
args = sys.argv[1:]
try:
if not args:
gen_all_aliases()
elif len(args) == 2 and args[0] == "update":
update_user(args[1])
else:
print(f"Usage: {sys.argv[0]} [update <username>]", file=sys.stderr)
raise RuntimeError()
except Exception:
sys.exit(1)
if __name__ == "__main__":
main()