Initial commit
diff --git a/roles/ssh_conf_hardening/library/ssh_conf.py b/roles/ssh_conf_hardening/library/ssh_conf.py
new file mode 100644 (file)
index 0000000..aebe74b
--- /dev/null
@@ -0,0 +1,109 @@
+#!/bin/python
+
+# Copyright 2019 Nokia
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import re
+from ansible.module_utils.basic import AnsibleModule
+
+class SshdConf(object):
+
+    def __init__(self):
+        self.module = AnsibleModule(argument_spec=dict(regexp=dict(required=True),
+                                                       values=dict(required=True)))
+        self.used_regexp = self.module.params["regexp"]
+        self.set_values = self.module.params["values"]
+        self.sshd_contents = None
+        self.changed = False
+        self.target = "/etc/ssh/sshd_config"
+
+    def _read_sshd_conf(self):
+        os.system("sync")
+        with open(self.target, "r") as sshd_file:
+            self.sshd_contents = sshd_file.readlines()
+
+    def _write_sshd_conf(self):
+        os.system("sync")
+        os.remove(self.target)
+        os.system("sync")
+        for line in self.sshd_contents:
+            with open(self.target, "a") as out:
+                out.write(line)
+                os.system("sync")
+        os.system("sync")
+        os.system("chmod 600 "+ self.target)
+        os.system("sync")
+        os.system("chown root:root "+ self.target)
+        os.system("sync")
+
+    def _start_finder(self):
+        end = start = None
+        index = 0
+
+        for line in self.sshd_contents:
+            if start is None and re.compile("^[A-Za-z].*").search(line):
+                start = index + 1
+            if re.compile("^[#\s]*Match ").search(line):
+                end = index
+                break
+            index += 1
+
+        if end is None:
+            end = index - 1
+
+        if start is None:
+            start = 0
+
+        return start, end
+
+    def ssh_checker_and_setter(self, line):
+        if self.changed:
+            self.sshd_contents[line] = ''
+        else:
+            self.sshd_contents[line] = self.module.params["values"]
+            self.changed = True
+
+    def _configuration(self, start, end):
+        for line in range(0, end):
+            if re.compile("^"+self.module.params["regexp"]).search(self.sshd_contents[line]):
+                self.ssh_checker_and_setter(line)
+        if not self.changed:
+            for line in range(0, end):
+                if re.compile("^#"+self.module.params["regexp"]).search(self.sshd_contents[line]) and not self.changed:
+                    self.sshd_contents[line] = self.sshd_contents[line]+self.module.params["values"]
+                    self.changed = True
+            if not self.changed:
+                self.sshd_contents.insert(start, self.module.params["values"])
+                self.changed = True
+
+    def run(self):
+        self._read_sshd_conf()
+
+        indexes = self._start_finder()
+        start_index = indexes[0]
+        end_index = indexes[1]
+
+        self._configuration(start_index, end_index)
+
+        self._write_sshd_conf()
+
+        self.module.exit_json(changed=self.changed, msg=self.module.params["values"]+" configured")
+
+    @staticmethod
+    def main():
+        SshdConf().run()
+
+if __name__ == '__main__':
+    SshdConf.main()
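Review bot: `_write_sshd_conf` deletes `/etc/ssh/sshd_config` and then rebuilds it line by line with `open(self.target, "a")`, so the new file is created with umask-default permissions and is only partially written until the final `chmod 600`; a crash or interruption inside that loop leaves a truncated sshd_config behind, which can lock out SSH on the next daemon reload. Write the contents to a temporary file in the same directory created with mode 0o600, fsync it, `os.chown` it to root and `os.rename` it over the target so the swap is atomic and the permission window disappears (`AnsibleModule.atomic_move` does the same job); the `os.system("sync")` and `chmod`/`chown` shell-outs then become unnecessary. Separately, `_start_finder` sets `end = index - 1` when the file has no `Match` block and `_configuration` iterates `range(0, end)`, so a directive on the last line of the file is never matched and a duplicate is inserted instead; `end = index` fixes that. `values` is spliced in verbatim, so if the role passes it without a trailing newline the following line merges into it — worth normalizing with `values.rstrip("\n") + "\n"` in `__init__`. As written `changed` becomes True on every run even when the directive already had the requested value, so the task never reports idempotently.
```python
    def _write_sshd_conf(self):
        # Build the new file next to the target and swap it in atomically, so a
        # crash mid-write never leaves a truncated or world-readable sshd_config.
        tmp_path = self.target + ".tmp"
        fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            with os.fdopen(fd, "w") as out:
                out.writelines(self.sshd_contents)
                out.flush()
                os.fsync(out.fileno())
            os.chown(tmp_path, 0, 0)
            os.rename(tmp_path, self.target)
        except BaseException:
            if os.path.exists(tmp_path):
                os.remove(tmp_path)
            raise
```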