Change watchdog to a single binary

Cargo.toml

@@ -12,22 +12,13 @@ toml = "0.5.3"
 reqwest = "0.9.20"
 base64 = "0.10.1"
 rust-crypto = "0.2.36"
-simplelog = "^0.7.3"
-log = "^0.4.8"
+clap = "2.19"
+error-chain="0.12.1"
 
-[[bin]]
-name = "pam_sudo"
-path = "src/sudo/main.rs"
-
-[[bin]]
-name = "pam_su"
-path = "src/su/main.rs"
-
-[[bin]]
-name = "pam_ssh"
-path = "src/ssh/main.rs"
-
-[[bin]]
-name = "auth_keys_cmd"
-path = "src/auth_keys_cmd/main.rs"
+[[ bin ]]
+name = "watchdog"
+path = "src/main.rs"
 
+[lib]
+name = "lib"
+path = "src/lib/lib.rs"

install/edit-sshd-config.py

@@ -1,17 +1,16 @@
-
 watchdog_config = """
 # SDSLabs Watchdog configuration START
 
 UsePAM yes
 PasswordAuthentication no
-AuthorizedKeysCommand /opt/watchdog/bin/auth_keys_cmd %u %h %t %f %k
+AuthorizedKeysCommand /opt/watchdog/bin/watchdog auth -u %u -t %t -p %k
 AuthorizedKeysCommandUser root
 
 # SDSLabs Watchdog configuration END
 """
 
 
-modified_keys = [
+modified_options = [
 	'AuthorizedKeysCommand',
 	'AuthorizedKeysCommandUser',
 	'PasswordAuthentication',
@@ -52,24 +51,24 @@ def process_line(line):
 		i = min(i, j)
 	key = l[:i]
 	value = l[i+1:].strip()
-	if key in modified_keys:
+	if key in modified_options:
 		# comment this line
 		return '# Watchdog: Commenting the line below out\n#' + line
 	else:
 		return line
 
 def main():
-	iput = open("/etc/ssh/sshd_config")
-	oput = open("tmp_sshd_config", "w")
-	lines = iput.readlines()
+	inp = open("/etc/ssh/sshd_config")
+	out = open("watchdog_tmp_sshd_config", "w")
+	lines = inp.readlines()
 	for l in lines:
-		oputline = process_line(l)
-		oput.write(oputline)
+		output_line = process_line(l)
+		out.write(oputline)
 
-	oput.write(watchdog_config)
+	out.write(watchdog_config)
 
-	iput.close()
-	oput.close()
+	inp.close()
+	out.close()
 
 
 main()

install/install.sh

@@ -2,45 +2,34 @@
 
 # Install all the files at right place
 mkdir -p /opt/watchdog/bin
+mkdir -p /opt/watchdog/logs
+touch /opt/watchdog/logs/sudo.logs
+touch /opt/watchdog/logs/su.logs
+touch /opt/watchdog/logs/ssh.logs
 
-cp ../target/debug/pam_ssh /opt/watchdog/bin/pam_ssh
-chown root /opt/watchdog/bin/pam_ssh
-chgrp root /opt/watchdog/bin/pam_ssh
-chmod  700 /opt/watchdog/bin/pam_ssh
-
-cp ../target/debug/pam_su /opt/watchdog/bin/pam_su
-chown root /opt/watchdog/bin/pam_su
-chgrp root /opt/watchdog/bin/pam_su
-chmod  700 /opt/watchdog/bin/pam_su
-
-cp ../target/debug/pam_sudo /opt/watchdog/bin/pam_sudo
-chown root /opt/watchdog/bin/pam_sudo
-chgrp root /opt/watchdog/bin/pam_sudo
-chmod  700 /opt/watchdog/bin/pam_sudo
-
-cp ../target/debug/auth_keys_cmd /opt/watchdog/bin/auth_keys_cmd
-chown root /opt/watchdog/bin/auth_keys_cmd
-chgrp root /opt/watchdog/bin/auth_keys_cmd
-chmod  700 /opt/watchdog/bin/auth_keys_cmd
+cp ../target/release/watchdog /opt/watchdog/bin/watchdog
+chown root /opt/watchdog/bin/watchdog
+chgrp root /opt/watchdog/bin/watchdog
+chmod  700 /opt/watchdog/bin/watchdog
 
 cp ../config.toml /opt/watchdog/config.toml
 
 # edit `sshd_config` file
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.watchdog.bak
 python3 edit-sshd-config.py
-cp tmp_sshd_config /etc/ssh/sshd_config
-rm tmp_sshd_config
+cp watchdog_tmp_sshd_config /etc/ssh/sshd_config
+rm watchdog_tmp_sshd_config
 service sshd restart
 
 # installing pam_exec lines
 python3 pam-install-sudo.py
 python3 pam-install-su.py
 python3 pam-install-ssh.py
 
-cp tmp_sudo /etc/pam.d/sudo
-cp tmp_su /etc/pam.d/su
-cp tmp_ssh /etc/pam.d/sshd
+cp watchdog_tmp_sudo /etc/pam.d/sudo
+cp watchdog_tmp_su /etc/pam.d/su
+cp watchdog_tmp_ssh /etc/pam.d/sshd
 
-rm tmp_sudo
-rm tmp_su
-rm tmp_ssh
+rm watchdog_tmp_sudo
+rm watchdog_tmp_su
+rm watchdog_tmp_ssh

install/pam-install-ssh.py

@@ -1,33 +1,32 @@
-
 watchdog_config = """
 # SDSLabs Watchdog configuration START
 
-session optional pam_exec.so seteuid /opt/watchdog/bin/pam_ssh
+session optional pam_exec.so seteuid log=/opt/watchdog/logs/ssh.logs /opt/watchdog/bin/watchdog ssh
 
 # SDSLabs Watchdog configuration END
 """
 
-inside_watchdog_config = False
+inside_watchdog_config_section = False
 
 def process_line(line):
-	global inside_watchdog_config
+	global inside_watchdog_config_section
 
-	if inside_watchdog_config and line == "# SDSLabs Watchdog configuration END\n":
-		inside_watchdog_config = False
+	if inside_watchdog_config_section and line == "# SDSLabs Watchdog configuration END\n":
+		inside_watchdog_config_section = False
 		return ''
 
-	if inside_watchdog_config:
+	if inside_watchdog_config_section:
 		return ''
 
 	if line == "# SDSLabs Watchdog configuration START\n":
-		inside_watchdog_config = True
+		inside_watchdog_config_section = True
 		return ''
 
 	return line
 
 def main():
 	iput = open("/etc/pam.d/sshd")
-	oput = open("tmp_ssh", "w")
+	oput = open("watchdog_tmp_ssh", "w")
 	lines = iput.readlines()
 	for l in lines:
 		oputline = process_line(l)

install/pam-install-su.py

@@ -1,33 +1,32 @@
-
 watchdog_config = """
 # SDSLabs Watchdog configuration START
 
-session optional pam_exec.so seteuid /opt/watchdog/bin/pam_su
+session optional pam_exec.so seteuid log=/opt/watchdog/logs/su.logs /opt/watchdog/bin/watchdog su
 
 # SDSLabs Watchdog configuration END
 """
 
-inside_watchdog_config = False
+inside_watchdog_config_section = False
 
 def process_line(line):
-	global inside_watchdog_config
+	global inside_watchdog_config_section
 
-	if inside_watchdog_config and line == "# SDSLabs Watchdog configuration END\n":
-		inside_watchdog_config = False
+	if inside_watchdog_config_section and line == "# SDSLabs Watchdog configuration END\n":
+		inside_watchdog_config_section = False
 		return ''
 
-	if inside_watchdog_config:
+	if inside_watchdog_config_section:
 		return ''
 
 	if line == "# SDSLabs Watchdog configuration START\n":
-		inside_watchdog_config = True
+		inside_watchdog_config_section = True
 		return ''
 
 	return line
 
 def main():
 	iput = open("/etc/pam.d/su")
-	oput = open("tmp_su", "w")
+	oput = open("watchdog_tmp_su", "w")
 	lines = iput.readlines()
 	for l in lines:
 		oputline = process_line(l)

install/pam-install-sudo.py

@@ -1,33 +1,32 @@
-
 watchdog_config = """
 # SDSLabs Watchdog configuration START
 
-session optional pam_exec.so seteuid /opt/watchdog/bin/pam_sudo
+session optional pam_exec.so seteuid log=/opt/watchdog/logs/sudo.logs /opt/watchdog/bin/watchdog sudo
 
 # SDSLabs Watchdog configuration END
 """
 
-inside_watchdog_config = False
+inside_watchdog_config_section = False
 
 def process_line(line):
-	global inside_watchdog_config
+	global inside_watchdog_config_section
 
-	if inside_watchdog_config and line == "# SDSLabs Watchdog configuration END\n":
-		inside_watchdog_config = False
+	if inside_watchdog_config_section and line == "# SDSLabs Watchdog configuration END\n":
+		inside_watchdog_config_section = False
 		return ''
 
-	if inside_watchdog_config:
+	if inside_watchdog_config_section:
 		return ''
 
 	if line == "# SDSLabs Watchdog configuration START\n":
-		inside_watchdog_config = True
+		inside_watchdog_config_section = True
 		return ''
 
 	return line
 
 def main():
 	iput = open("/etc/pam.d/sudo")
-	oput = open("tmp_sudo", "w")
+	oput = open("watchdog_tmp_sudo", "w")
 	lines = iput.readlines()
 	for l in lines:
 		oputline = process_line(l)

sample.config.toml

@@ -1,6 +1,4 @@
 slack_api_url = 'https://hooks.slack.com/services/ABCDEFGHI/ABCDEFGHI/abcdefghijklmnopqrstuvwx'
-keyhouse_base_url = 'https://organization.github.io/keyhouse-repo'
+keyhouse_base_url = 'https://api.github.com/repos/sdslabs/keyhouse-template/contents'
 keyhouse_token = 'secret_token'
 keyhouse_hostname = 'virtual-machine'
-watchdog_base_url = 'https://api.github.com/repos/sdslabs/watchdog/contents'
-temp_env_file = '/opt/watchdog/ssh_env'

src/auth.rs

@@ -0,0 +1,44 @@
+use std::fs;
+
+use lib::config::read_config;
+use lib::errors::*;
+use lib::init::init;
+use lib::keyhouse::{get_name, validate_user};
+use lib::notifier::{Notifier, Slack};
+
+pub fn handle_auth(ssh_host_username: &str, ssh_key: &str) -> Result<()> {
+    let config = read_config()?;
+    init(&config)?;
+
+    match validate_user(&config, ssh_host_username.to_string(), ssh_key) {
+        Ok(true) => {
+            let data = format!(
+                "ssh_host_username = '{}'\nssh_key = '{}'\n",
+                ssh_host_username, ssh_key
+            );
+
+            fs::write("/opt/watchdog/ssh_env", data)
+                        .chain_err(|| "Cannot write temporary environment file. Please check if the watchdog `auth_keys_cmd` is run by the root user")?;
+
+            println!("{}", ssh_key);
+            Ok(())
+        }
+
+        Ok(false) => {
+            let name = get_name(&config, ssh_key)?;
+
+            match Slack::new(&config) {
+                Some(notifier) => notifier.post_ssh_summary(
+                    &config,
+                    false,
+                    name,
+                    ssh_host_username.to_string(),
+                )?,
+                None => {}
+            };
+            Ok(())
+        }
+
+        Err(e) => Err(e).chain_err(|| "Error while validating user from keyhouse"),
+    }
+}