From ab9e365d2dfc6a6de12da5de208a2415ac808db2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?=
Date: Tue, 3 Sep 2019 13:23:14 +0200
Subject: [PATCH] add authorizedprincipalscommand
---
scripts/authorizedprincipals.py | 85 +++++++++++++++++++++++++++++++++
scripts/authorizedprincipals.sh | 51 ++++++++++++++++++++
2 files changed, 136 insertions(+)
create mode 100755 scripts/authorizedprincipals.py
create mode 100755 scripts/authorizedprincipals.sh
diff --git a/scripts/authorizedprincipals.py b/scripts/authorizedprincipals.py
new file mode 100755
index 0000000..456eef9
--- /dev/null
+++ b/scripts/authorizedprincipals.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+#
+# A Dovecot post-login script for IMAP. This creates environment
+# ACL_GROUPS with a comma-separated list of the user's LDAP group
+# memberships and then execs the Dovecot IMAP handler.
+#
+
+import ldap;
+import logging
+import os, sys, platform
+import re
+logging.basicConfig(level=logging.DEBUG,filename='/var/log/ssh-principalcommand.log')
+logger = logging.getLogger(__name__)
+hostname = platform.node()
+dnFilter = re.compile("^ldap_default_bind_dn *=")
+pwFilter = re.compile("^ldap_default_authtok *=")
+with open('/etc/sssd/sssd.conf') as f:
+ content = f.readlines()
+content = [x.strip() for x in content]
+for line in content:
+ if dnFilter.search(line):
+ bindAccount = line.partition('=')[2].strip()
+ if pwFilter.search(line):
+ bindPw = line.partition('=')[2].strip()
+ldapUrl = "ldap://ldap.schuerz.at"
+
+hostDn = bindAccount.split(',')
+hostDn.pop(0)
+hostDn = ','.join(hostDn)
+
+searchBase = "dc=schuerz,dc=at"
+searchFilter = "(&(dcAccountStatus=active)(|(memberof=cn=perm-sys_local_admins," + hostDn + ") (memberof=cn=perm-sys_local_users," + hostDn + ") ( memberof=cn=perm-sys_admins,ou=all_hosts,ou=posix,ou=groups,dc=schuerz,dc=at) (memberof=cn=perm-sys_users,ou=all_hosts,ou=posix,ou=groups,dc=schuerz,dc=at)))"
+groupBase = re.compile("ou=groups,dc=schuerz,dc=at|cn=perm-svc-mailserver_admins,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at")
+logger.debug(searchFilter)
+logger.debug(groupBase)
+
+logger.debug("ENV: %s" % (os.environ))
+user = {0}
+groups = []
+
+l = ldap.initialize(ldapUrl)
+l.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/Xunde_Energie_Chain-CA.pem')
+l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
+l.set_option(ldap.OPT_X_TLS_DEMAND, True)
+l.set_option(ldap.OPT_DEBUG_LEVEL, 255)
+l.set_option(ldap.OPT_REFERRALS, 0)
+l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+l.start_tls_s()
+l.bind(bindAccount, bindPw, ldap.AUTH_SIMPLE)
+res = l.search_s(searchBase, ldap.SCOPE_SUBTREE,
+ searchFilter,
+ ['uid'])
+
+for dn, entry in res:
+ try:
+ for g in entry['uid']:
+ # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.
+ # Fish out 'All UK staff' as group name.
+ #print g
+ groups.append(g)
+ except KeyError:
+ pass # User in no groups.
+
+#logger.debug('USERDB_KEYS: (before) '+str(os.environ["USERDB_KEYS"]))
+print ' '.join(groups)
+sys.exit(0)
+os.environ["ACL_GROUPS"] = ",".join(set(groups))
+try:
+ logger.debug('try')
+ #os.environ["USERDB_KEYS"] += " GROUPS"
+ os.environ["USERDB_KEYS"] += "acl_groups"
+except KeyError:
+ logger.debug('except')
+ #os.environ["USERDB_KEYS"] = "GROUPS"
+ os.environ["USERDB_KEYS"] = "acl_groups"
+
+logger.debug('ACL_GROUPS: '+str(os.environ["ACL_GROUPS"]))
+logger.debug('USERDB_KEYS: '+str(os.environ["USERDB_KEYS"]))
+logger.debug("ENV(after): %s" % (os.environ))
+logger.debug('sys.argv[1]: '+str(sys.argv[1]))
+logger.debug('sys.argv[1:]: '+str(sys.argv[1:]))
+logger.debug('sys.argv: '+str(sys.argv))
+logger.debug('-------------------------')
+os.execv(sys.argv[1], sys.argv[1:])
+sys.exit(1) # In case above fails
diff --git a/scripts/authorizedprincipals.sh b/scripts/authorizedprincipals.sh
new file mode 100755
index 0000000..86cc6f9
--- /dev/null
+++ b/scripts/authorizedprincipals.sh
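Review bot: `print ' '.join(groups)` writes every matching uid on one space-separated line, but sshd consumes AuthorizedPrincipalsCommand output in AuthorizedPrincipalsFile format — one principal per line, with any internal whitespace treated as key options in front of the principal — so as far as the documented format goes this should be `print '\n'.join(groups)`. The search also never involves the account sshd is authorizing: nothing before `sys.exit(0)` reads `sys.argv`, so the same principal list comes back for every target user and, unless sshd_config restricts it elsewhere, any member of the listed groups could use their certificate to log in as any other listed account; when the command is configured with `%u`, narrow the query with `searchFilter = "(&(uid=" + ldap.filter.escape_filter_chars(sys.argv[1]) + ")" + searchFilter + ")"` (needs `import ldap.filter`). Everything after `sys.exit(0)` — the `ACL_GROUPS`/`USERDB_KEYS` handling, `os.execv` and the header comment describing a Dovecot post-login IMAP script — is unreachable leftover from another script and should be removed so it is not mistaken for the contract. `l.set_option(ldap.OPT_DEBUG_LEVEL, 255)` switches on full libldap tracing for every authentication attempt, which is noisy and may echo the simple-bind credentials to stderr; it reads as debugging residue, as does the unused `user = {0}`.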
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+LDAPSEARCH=/usr/bin/ldapsearch
+SSSD_CONFIG=/etc/sssd/sssd.conf
+SEARCHBASE="dc=schuerz,dc=at"
+BindDN=$(sed -n -e '/^ldap_default_bind_dn/s/^ldap_default_bind_dn[ ]*=[ ]*//p' $SSSD_CONFIG)
+BindPW=$(sed -n -e '/^ldap_default_authtok/s/^ldap_default_authtok[ ]*=[ ]*//p' $SSSD_CONFIG)
+LDAPHost="ldap://ldap.schuerz.at"
+HostDN=""
+
+function join_by { local d=$1; shift; echo -n "$1"; shift; printf "%s" "${@/#/$d}"; }
+
+#echo BindDN: $BindDN
+#echo BindPW: $BindPW
+#echo HostDN: $HostDN
+
+regex='([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),([^,]+)'
+#regex='(([^,]+),)+[^,]+'
+if [[ $BindDN =~ $regex ]]; then
+ i=2
+ n=${#BASH_REMATCH[*]}
+ #echo BR ${BASH_REMATCH[*]}
+# delete=( ${BASH_REMATCH[1]} )
+# echo delete ${delete[*]}
+# echo deleted ${BASH_REMATCH[*]/$delete}
+# HostDN=("${BASH_REMATCH[@]/$delete}")
+ while [[ $i -lt $n ]]
+ do
+ #echo " capture[$i]: ${BASH_REMATCH[$i]}"
+ if [[ -z "$HostDN" ]]; then
+ HostDN="${BASH_REMATCH[$i]}"
+ #echo $HostDN
+ else
+ HostDN="${HostDN},${BASH_REMATCH[$i]}"
+ #echo $HostDN
+ fi
+ let i++
+ done
+
+else
+ echo BindDN does not match regex
+ echo $BindDN
+ echo $regex
+
+fi
+
+#echo "HostDN: $HostDN"
+SEARCHFILTER="(&(dcAccountStatus=active)(|(memberof=cn=perm-sys_local_admins,${HostDN}) (memberof=cn=perm-sys_local_users,${HostDN}) ( memberof=cn=perm-sys_admins,ou=all_hosts,ou=posix,ou=groups,dc=schuerz,dc=at) (memberof=cn=perm-sys_users,ou=all_hosts,ou=posix,ou=groups,dc=schuerz,dc=at)))"
+#echo "SEARCHFILTER: $SEARCHFILTER"
+
+ldapsearch -LLL -Z -w $BindPW -D $BindDN "${SEARCHFILTER}" uid|awk 'BEGIN{ORS=" "}$1=="uid:" {print $2}'
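Review bot: `ldapsearch -LLL -Z -w $BindPW -D $BindDN` on the last line puts the SSSD bind password on the command line, where every local user can read it via `ps` or `/proc/*/cmdline` for the duration of each sshd authentication, and plain `-Z` falls back to cleartext when StartTLS negotiation fails; pass the secret through a descriptor and make TLS mandatory, e.g. `ldapsearch -LLL -x -ZZ -H "$LDAPHost" -b "$SEARCHBASE" -D "$BindDN" -y <(printf '%s' "$BindPW") "$SEARCHFILTER" uid | awk '$1=="uid:" {print $2}'` (`-x` because `-D`/`-w` describe a simple bind, which is what the Python sibling does with `AUTH_SIMPLE`). That rewrite also fixes three things visible in the hunk: `LDAPHost` and `SEARCHBASE` are assigned but never passed so the query silently depends on ldap.conf defaults, the unquoted `$BindDN` is word-split if the DN contains spaces, and `BEGIN{ORS=" "}` joins all uids on one line although sshd expects one principal per line. The `else` branch of the regex test echoes `BindDN does not match regex` and the DN to stdout, which sshd would read as principal lines, and the script then still runs the search with an empty `HostDN`; redirect those messages with `>&2` and `exit 1` there. The regex captures exactly the first six RDNs, so a bind DN with more components yields a truncated `HostDN` without any error.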