Initial commit

[ta/infra-ansible.git] / roles / ssh_conf_hardening / library / ssh_conf.py

#!/bin/python

# Copyright 2019 Nokia

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import os
import re
from ansible.module_utils.basic import AnsibleModule

class SshdConf(object):

    def __init__(self):
        self.module = AnsibleModule(argument_spec=dict(regexp=dict(required=True),
                                                       values=dict(required=True)))
        self.used_regexp = self.module.params["regexp"]
        self.set_values = self.module.params["values"]
        self.sshd_contents = None
        self.changed = False
        self.target = "/etc/ssh/sshd_config"

    def _read_sshd_conf(self):
        os.system("sync")
        with open(self.target, "r") as sshd_file:
            self.sshd_contents = sshd_file.readlines()

    def _write_sshd_conf(self):
        os.system("sync")
        os.remove(self.target)
        os.system("sync")
        for line in self.sshd_contents:
            with open(self.target, "a") as out:
                out.write(line)
                os.system("sync")
        os.system("sync")
        os.system("chmod 600 "+ self.target)
        os.system("sync")
        os.system("chown root:root "+ self.target)
        os.system("sync")

    def _start_finder(self):
        end = start = None
        index = 0

        for line in self.sshd_contents:
            if start is None and re.compile("^[A-Za-z].*").search(line):
                start = index + 1
            if re.compile("^[#\s]*Match ").search(line):
                end = index
                break
            index += 1

        if end is None:
            end = index - 1

        if start is None:
            start = 0

        return start, end

    def ssh_checker_and_setter(self, line):
        if self.changed:
            self.sshd_contents[line] = ''
        else:
            self.sshd_contents[line] = self.module.params["values"]
            self.changed = True

    def _configuration(self, start, end):
        for line in range(0, end):
            if re.compile("^"+self.module.params["regexp"]).search(self.sshd_contents[line]):
                self.ssh_checker_and_setter(line)
        if not self.changed:
            for line in range(0, end):
                if re.compile("^#"+self.module.params["regexp"]).search(self.sshd_contents[line]) and not self.changed:
                    self.sshd_contents[line] = self.sshd_contents[line]+self.module.params["values"]
                    self.changed = True
            if not self.changed:
                self.sshd_contents.insert(start, self.module.params["values"])
                self.changed = True

    def run(self):
        self._read_sshd_conf()

        indexes = self._start_finder()
        start_index = indexes[0]
        end_index = indexes[1]

        self._configuration(start_index, end_index)

        self._write_sshd_conf()

        self.module.exit_json(changed=self.changed, msg=self.module.params["values"]+" configured")

    @staticmethod
    def main():
        SshdConf().run()

if __name__ == '__main__':
    SshdConf.main()