authorized_key

#!/usr/bin/env python
# -*- coding: utf-8 -*-

"""
Ansible module to add authorized_keys for ssh logins.
(c) 2012, Brad Olson <brado@movedbylight.com>

This file is part of Ansible

Ansible is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

Ansible is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
"""

DOCUMENTATION = '''
---
module: authorized_key
short_description: Adds or removes an SSH authorized key
description:
     - Adds or removes an SSH authorized key for a user from a remote host.
version_added: "0.5"
options:
  user:
    description:
      - Name of the user who should have access to the remote host
    required: true
    default: null
    aliases: []
  key:
    description:
      - the SSH public key, as a string
    required: true
    default: null
  state:
    description:
      - whether the given key should or should not be in the file
    required: false
    choices: [ "present", "absent" ]
    default: "present"
examples:
   - code: 'authorized_key: user=charlie key="ssh-dss ASDF1234L+8BTwaRYr/rycsBF1D8e5pTxEsXHQs4iq+mZdyWqlW++L6pMiam1A8yweP+rKtgjK2httVS6GigVsuWWfOd7/sdWippefq74nppVUELHPKkaIOjJNN1zUHFoL/YMwAAAEBALnAsQN10TNGsRDe5arBsW8cTOjqLyYBcIqgPYTZW8zENErFxt7ij3fW3Jh/sCpnmy8rkS7FyK8ULX0PEy/2yDx8/5rXgMIICbRH/XaBy9Ud5bRBFVkEDu/r+rXP33wFPHjWjwvHAtfci1NRBAudQI/98DbcGQw5HmE89CjgZRo5ktkC5yu/8agEPocVjdHyZr7PaHfxZGUDGKtGRL2QzRYukCmWo1cZbMBHcI5FzImvTHS9/8B3SATjXMPgbfBuEeBwuBK5EjL+CtHY5bWs9kmYjmeo0KfUMH8hY4MAXDoKhQ7DhBPIrcjS5jPtoGxIREZjba67r6/P2XKXaCZH6Fc= charlie@example.org 2011-01-17"'
     description: "Example from Ansible Playbooks"
   - code: "authorized_key: user=charlie key='$FILE(/home/charlie/.ssh/id_rsa.pub)'"
     description: "Shorthand available in Ansible 0.8 and later"
author: Brad Olson
'''

# Makes sure the public key line is present or absent in the user's .ssh/authorized_keys.
#
# Arguments
# =========
#    user = username
#    key = line to add to authorized_keys for user
#    state = absent|present (default: present)
#
# see example in examples/playbooks

import sys
import os
import pwd
import os.path
import tempfile
import shutil

def keyfile(module, user, write=False):
    """
    Calculate name of authorized keys file, optionally creating the
    directories and file, properly setting permissions.

    :param str user: name of user in passwd file
    :param bool write: if True, write changes to authorized_keys file (creating directories if needed)
    :return: full path string to authorized_keys for user
    """

    try:
        user_entry = pwd.getpwnam(user)
    except KeyError, e:
        module.fail_json(msg="Failed to lookup user %s: %s" % (user, str(e)))
    homedir    = user_entry.pw_dir
    sshdir     = os.path.join(homedir, ".ssh")
    keysfile   = os.path.join(sshdir, "authorized_keys")

    if not write:
        return keysfile

    uid = user_entry.pw_uid
    gid = user_entry.pw_gid

    if not os.path.exists(sshdir):
        os.mkdir(sshdir, 0700)
    os.chown(sshdir, uid, gid)
    os.chmod(sshdir, 0700)

    if not os.path.exists( keysfile):
        try:
            f = open(keysfile, "w") #touches file so we can set ownership and perms
        finally:
            f.close()

    os.chown(keysfile, uid, gid)
    os.chmod(keysfile, 0600)
    return keysfile

def readkeys(filename):

    if not os.path.isfile(filename):
        return []
    f = open(filename)
    keys = [line.rstrip() for line in f.readlines()]
    f.close()
    return keys

def writekeys(module, filename, keys):

    fd, tmp_path = tempfile.mkstemp('', 'tmp', os.path.dirname(filename))
    f = open(tmp_path,"w")
    try:
        f.writelines( (key + "\n" for key in keys) )
    except IOError, e:
        module.fail_json(msg="Failed to write to file %s: %s" % (tmp_path, str(e)))
    f.close()
    module.atomic_replace(tmp_path, filename)

def enforce_state(module, params):
    """
    Add or remove key.
    """

    user  = params["user"]
    key   = params["key"]
    state = params.get("state", "present")

    # check current state -- just get the filename, don't create file
    params["keyfile"] = keyfile(module, user, write=False)
    keys = readkeys(params["keyfile"])
    present = key in keys

    # handle idempotent state=present
    if state=="present":
        if present:
            module.exit_json(changed=False)
        keys.append(key)
        writekeys(module, keyfile(module, user,write=True), keys)

    elif state=="absent":
        if not present:
            module.exit_json(changed=False)
        keys.remove(key)
        writekeys(module, keyfile(module, user,write=True), keys)

    params['changed'] = True
    return params

def main():

    module = AnsibleModule(
        argument_spec = dict(
           user  = dict(required=True),
           key   = dict(required=True),
           state = dict(default='present', choices=['absent','present'])
        )
    )

    params = module.params
    results = enforce_state(module, module.params)
    module.exit_json(**results)

# this is magic, see lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
main()