linux-hub 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1835a8518e08f8db5864552b7c9730ae9e152a0f
+  data.tar.gz: 9c17f6eef9941130b02201af019c1e3ff2b00d75
+SHA512:
+  metadata.gz: efa0448c9cc2a2b548bca6cc7616e62c0502424b6142dbc3357b71f53f01d8acc228264f279babd1ee4fdea3626eafceabea8c8cb262a8dff405c9729ddb5148
+  data.tar.gz: 3c45d0df7255e256f63d7461b42227e633228b342aae63ce394cde747b07e7af069ae417b75fce97cdfc925a40ac2962b78194a4414ee995f6fd1141c439b8ce

data/.gitignore

@@ -0,0 +1 @@
+config/*

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,29 @@
+PATH
+  remote: .
+  specs:
+    linux-hub (0.0.1)
+      octokit
+      trollop
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.4.0)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    multipart-post (2.0.0)
+    octokit (4.3.0)
+      sawyer (~> 0.7.0, >= 0.5.3)
+    sawyer (0.7.0)
+      addressable (>= 2.3.5, < 2.5)
+      faraday (~> 0.8, < 0.10)
+    trollop (2.1.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  linux-hub!
+
+BUNDLED WITH
+   1.11.2

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2016 Patrick Robinson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,39 @@
+# linux-hub
+
+Create Linux users from Github Teams
+
+## Challenges
+
+If you want to use immutable AMIs it can be difficult to give users access,
+you need to deploy a new version of your AMI.
+
+Netflix [BLESS](https://github.com/Netflix/bless) serves to solve a similar problem, but is much more complicated (and feature rich).
+
+## Solution
+
+Github exposes all users public SSH keys via their API
+We can associate users to a Github Team
+We can query the members of a team via the Github API, provided we have an access key with 'read:org' permissions
+
+So we can therefore use the Github API to provide authorization and authentication of users to systems.
+
+## Usage
+
+The idea of this gem is to be run as a cron job, to synchronise users at a regular interval. You need to create a config file that specifies:
+- The organisation to find the team in
+- The team who are permitted access
+- The access key to query team membership
+
+Example config:
+```yaml
+---
+organisation: github
+team: sysadmins
+access_key: baconfoobar
+```
+
+Example command:
+
+```
+linux-hub --config-file config/config.yaml --sync-users
+```

data/bin/linux-hub

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'trollop'
+require 'linux-hub'
+
+LinuxHub.invoke

data/lib/linux-hub.rb

@@ -0,0 +1,42 @@
+require 'yaml'
+require 'octokit'
+require 'linux-hub/github_team'
+require 'linux-hub/github_user'
+require 'linux-hub/github'
+require 'linux-hub/linux_user'
+require 'linux-hub/cli'
+
+module LinuxHub
+  ACTIONS = [:list, :create_users, :sync_users]
+
+  def self.invoke
+    options = Trollop::options do
+      opt :config_file, "The config file to read options from", type: :string, required: true
+      opt :list, "List users in the Github Team", type: :boolean
+      opt :create_users, "Create users in the Github Team", type: :boolean
+      opt :sync_users, "Manage all users in the Github Team", type: :boolean
+    end
+
+    config = load_config(options[:config_file])
+    if config["access_token"].nil?
+      puts "You need an access token with 'read:org' permissions for the organisation"
+      exit 1
+    elsif config["organisation"].nil? || config["team"].nil?
+      puts "Please provide the team and organisation in the relevant config file"
+    end
+
+    action = options.select { |k,v| ACTIONS.include?(k) && v == true }
+
+    unless action.length == 1
+      puts "Please specify one of the following action commands\n#{ACTIONS}"
+      exit 1
+    end
+
+    cli = CLI.new(config)
+    cli.send(action.keys.first)
+  end
+
+  def self.load_config(config_file)
+    YAML.load_file(config_file)
+  end
+end

data/lib/linux-hub/cli.rb

@@ -0,0 +1,58 @@
+module LinuxHub
+  class CLI
+    def initialize(config)
+      @organization = config["organisation"]
+      @team = config["team"]
+      @groups = config["groups"]
+
+      Github.instance.access_token = config["access_token"]
+    end
+
+    def list
+      puts github_users.collect(&:authorized_keys)
+    end
+
+    def sync_users
+      linux_users = LinuxUser.users_in_group
+      linux_usernames = linux_users.collect(&:username)
+      github_usernames = github_users.collect(&:username)
+      # Equivalent to github_users - linux_users
+      users_to_add = github_users.reject { |u| linux_usernames.include? u.username }
+      # Equivalent to linux_users - github_users
+      users_to_delete = linux_users.reject { |u| github_usernames.include? u.username }
+      add_users(users_to_add)
+      delete_users(users_to_delete)
+    end
+
+    def create_users
+      add_users(github_users)
+    end
+
+    private
+
+    def add_users(users)
+      users.each do |user|
+        LinuxUser.new(
+          username: user.username,
+          groups: @groups,
+          ssh_keys: user.ssh_keys
+        ).create
+      end
+    end
+
+    def delete_users(users)
+      users.each do |user|
+        LinuxUser.new(
+          username: user.username
+        ).delete
+      end
+    end
+
+    def github_users
+      GithubTeam.new(
+        organisation: @organization,
+        team: @team,
+      ).users
+    end
+  end
+end

data/lib/linux-hub/github.rb

@@ -0,0 +1,13 @@
+require 'singleton'
+
+module LinuxHub
+  class Github
+    include Singleton
+
+    attr_writer :access_token
+
+    def client
+      @client ||= Octokit::Client.new(access_token: @access_token)
+    end
+  end
+end

data/lib/linux-hub/github_team.rb

@@ -0,0 +1,35 @@
+module LinuxHub
+  class GithubTeam
+    def initialize(organisation:, team:)
+      @org = organisation
+      @team = team
+    end
+
+    def users
+      @users ||= fetch_users
+    end
+
+    def team_id
+      @team_id ||= fetch_team_id
+    end
+
+    private
+
+    def fetch_users
+      client.team_members(team_id).collect do |member|
+        GithubUser.new(member.login)
+      end
+    end
+
+    def fetch_team_id
+      client.auto_paginate = true
+      team = client.organization_teams(@org).find { |t| t[:name] == @team }
+      client.auto_paginate = false
+      team.id
+    end
+
+    def client
+      Github.instance.client
+    end
+  end
+end

data/lib/linux-hub/github_user.rb

@@ -0,0 +1,27 @@
+module LinuxHub
+  class GithubUser
+    attr_reader :username, :email, :ssh_keys
+
+    def initialize(username)
+      @username = username
+      fetch_user_details
+    end
+
+    def authorized_keys
+      ssh_keys.map do |key|
+        "#{key} #{email}"
+      end
+    end
+
+    private
+
+    def fetch_user_details
+      @email = client.user(@username).email || "#{@username}@github"
+      @ssh_keys = client.user_keys(@username).collect(&:key)
+    end
+
+    def client
+      Github.instance.client
+    end
+  end
+end

data/lib/linux-hub/linux_user.rb

@@ -0,0 +1,106 @@
+module LinuxHub
+  class LinuxUser
+    # The default group is used to keep track of members
+    # Members in this group not in the appropriate Github Team are purged
+    DEFAULT_GROUP = 'linuxhub'
+
+    def self.users_in_group
+      File.open("/etc/group") do |f|
+        f.each_line do |line|
+          user = line.split(":")
+          if user.first == DEFAULT_GROUP
+            return user[3].chomp.split(',').collect { |u| new(username: u) }
+          end
+        end
+      end
+      []
+    end
+
+    attr_reader :username
+
+    def initialize(username:, groups: [], ssh_keys: [])
+      @username = username
+      @groups = (groups || []) + [DEFAULT_GROUP]
+      @ssh_keys = ssh_keys
+    end
+
+    def create
+      create_default_group
+      create_user
+      create_user_keys
+    end
+
+    def delete
+      delete_home
+      delete_user
+    end
+
+    private
+
+    def create_default_group
+      return if group_exists?
+      %x(groupadd #{DEFAULT_GROUP})
+    end
+
+    def group_exists?
+      thing_exists? "/etc/group", DEFAULT_GROUP
+    end
+
+    def create_user
+      return if user_exists?
+      # Create the user and assign them to some groups
+      # Don't create a group for this user
+      # Create the home directory for this user
+      %x(useradd -G #{@groups.join(',')} -N -m #{@username})
+    end
+
+    def delete_user
+      return unless user_exists?
+      %x(userdel #{@username})
+    end
+
+    def delete_home
+      FileUtils.rm_r(home_dir)
+    end
+
+    def create_user_keys
+      ssh_dir = File.join(home_dir, ".ssh")
+      Dir.mkdir(ssh_dir, 0700) unless Dir.exist? ssh_dir
+      File.open(File.join(ssh_dir, "authorized_keys"), "w", 0600) do |f|
+        @ssh_keys.each do |key|
+          f.write "#{key}\n"
+        end
+      end
+      FileUtils.chown_R(@username, nil, ssh_dir)
+    end
+
+    def home_dir
+      File.open("/etc/passwd") do |f|
+        f.each_line do |line|
+          user = line.split(":")
+          if user.first == @username
+            return user[5]
+          end
+        end
+      end
+      fail "User not found!"
+    end
+
+    def user_exists?
+      thing_exists? "/etc/passwd", @username
+    end
+
+    def thing_exists?(file, value)
+      File.open(file) do |f|
+        f.each_line do |line|
+          user = line.split(":")
+          if user.first == value
+            f.close
+            return true
+          end
+        end
+      end
+      false
+    end
+  end
+end

data/linux-hub.gemspec

@@ -0,0 +1,17 @@
+Gem::Specification.new do |s|
+  s.name        = 'linux-hub'
+  s.version     = '0.0.1'
+  s.summary     = "Linux users from Github"
+  s.description = "Import linux users from Github Organisations and Teams"
+  s.authors     = ["Patrick Robinson"]
+  s.email       = 'therealpatrobinson@gmail.com'
+  s.files       = `git ls-files`.split($/)
+  s.executables   = s.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  s.test_files    = s.files.grep(%r{^(test|spec|features)/})
+  s.require_paths = ['lib']
+  s.homepage    = 'https://github.com/patrobinson/linux-hub'
+  s.license     = 'MIT'
+
+  s.add_dependency 'octokit'
+  s.add_dependency 'trollop'
+end

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: linux-hub
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Patrick Robinson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: octokit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Import linux users from Github Organisations and Teams
+email: therealpatrobinson@gmail.com
+executables:
+- linux-hub
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- bin/linux-hub
+- lib/linux-hub.rb
+- lib/linux-hub/cli.rb
+- lib/linux-hub/github.rb
+- lib/linux-hub/github_team.rb
+- lib/linux-hub/github_user.rb
+- lib/linux-hub/linux_user.rb
+- linux-hub.gemspec
+homepage: https://github.com/patrobinson/linux-hub
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Linux users from Github
+test_files: []
+has_rdoc: