hall757 · December 8, 2023 14:29
diff --git a/aspera_functions.sh b/aspera_functions.sh
 alias ssh='ssh -o ServerAliveInterval=5 -o ServerAliveCountMax=1'
 export RPROXYKEY=/opt/aspera/proxy/var/aspera_rproxy_id_rsa.pub
 export HSTSKEY=/opt/aspera/var/aspera_tokenauth_id_rsa.pub
 export ASPERAPUBLICKEY1="command=\"/bin/aspshell -t\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAOQpAcPqbjIjGCOx7Lo+fLjppxlcRGwkfLnin8GpcjJiRU4CQSkqC9PepNM2bKRZbDii84/X4OLVz/YWlhyWVxOmGRZxLyUDuPTXaZQR5xdq9eM88bSLe3m+0HzEvLfeRDd72/38vCHTFxF+5rR3lR8XCikEgBe8kCvcHqtqmzz5AAAAFQC8LMnqrMdxKJQmglVyX/utXHiaaQAAAIA+g+0Q/jLMcbZe1zEJ9dpvi73MTrA/Ph48m3RROfd9S+dCYlPuLQpUJGveDYfY5kxYXXbLSNSrxAG5nayjcId57tbVWYB1s3sXFz5zJX2cTrNRGoBo/K3ZsT6uAzWk/otBRjGAPfEp2/Vkb6QMgMR/pTeieNwpuYDpyTFPoZq+gAAAAIEAobapDv5p2foH+cG5K07sIFD9r0RD7uKJnlqjYAXzFc8U76wXKgu6WXup2ac0Co+RnZp7Hsa9G+E+iJ6poI9pOR08XTdPly4yDULNST4PwlfrbSFT9FVhzkWfpOvAUc8fkQAhZqv/PE6VhFQ8w03Z8GpqXx7b3NvBR+EfIx368Ko= Aspera public access"
 export ASPERAPUBLICKEY2="command=\"/bin/aspshell -t\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgVtYAGrv/GSypo1IlauFMjDCawMoRQAvLO71Tc5KwlrAFRXklcTRZ2QXsiDHssh0KTVjmNSy7FXccMlJCXMATyXeR3sjY2Jdck3NWE89KFIaSp/+A6AFYv6rJqpq8axbHmBuQA7GRbOShWt15tZ0axWCP0sRr0291bDr9uWbgkFS0ljr53839AOZ9ebWcNWpAavB9FU5RMPwmYm2hhvhKM7S0qaq30gN3HmrERcNf3MenKXSuTp6hKO00D8ohWS5SJPsjut6O/aV4d66L3VD6PmN+JdxWrzzNWX7syvQd/W7ppfw2Z/Su8xh2nUC09G7ON3j6rlKX4Rk3jYgOM0i1y8VwCPnY2+DdRWyqwOFZlv5tmZVIYkC8UdhRu3hdImnnuDvHDL88g/CaEzuOGYLoMVtRH82gaoQY4n7jyJk4inc4d9i8Jknl6JtOPfc5peHRmHjnSupvuHaAs4aZp0waid/F4UyI0mCfIKe+/VbxyOZn9m4b38XCMoTyfEmjS7s59RhxfK7JEdzJC1lpWD93bZ/J6jzMzDJfJpN4cDISY9p3hLfR1M1tulF44scv56n38XDyzktj6dqa1P/hJOgOWhnsRe8TaiwdEA6EEqHwUEp2sSnLNnk5jfQetni3evzai4Ly58DKY+E31l5M60+CC2dMcHEJvF/5AqJmoPjOzQ== Aspera public access"

 function randompassword {
 ## parameter: length
 ## generates a random value that can be used as a password
 ## based on lenth provided.  length defaults to 24
 ##
  len=$1
  if [ "_${len}_" == "__" ]; then
    len=24
  fi
  pw=failed
  false # force first pass through while loop
  while [ $? -eq 1 ]; do
    pw=$(cat /dev/urandom | tr -dc 'A-Za-z0-9#_.+=;' | head -c$len)
    echo $pw|egrep -q '[#_\.+=;]' # keep going if no special characters
  done
  echo $pw
 }

 function add_aspera_connect_user {
 ## parameters: user docroot optional_encryption_key
 ## create hsts account and configure aspera.conf
 ## if optional_encryption_key in included, the
 ## account will be provisioned as a connect user
 ## using the aspera public access ssh key and
 ## token authentication
 ##
  if [ "__" == "_$1_" ]; then
    echo no user passed to add_aspera_connect_user
    exit 1
  fi
  if [ "__" == "_$2_" ]; then
    echo no docroot passed to add_aspera_connect_user
    exit 1
  fi
  adduser $1
  chsh -s /bin/aspshell ${1}
  chage -I -1 -m 0 -M 99999 -E -1 ${1}
  asconfigurator \
    -x "set_user_data;user_name,${1};absolute,${2}" \
    -x "set_user_data;user_name,${1};dir_allowed,true" \
    -x "set_user_data;user_name,${1};write_allowed,true" \
    -x "set_user_data;user_name,${1};read_allowed,true"
  if [ ! "_${3}_" == "__" ]; then
    # This account is for use by aspara connect plugin
    mkdir -p /home/${1}/.ssh
    \cp -a ${HSTSKEY} /home/${1}/.ssh/authorized_keys
    chown -R ${1}.${1} /home/${1}
    chmod -R go-rwx /home/${1}/.ssh
    asconfigurator \
      -x "set_user_data;user_name,${1};token_encryption_key,${3}" \
      -x "set_user_data;user_name,${1};authorization_transfer_in_value,token" \
      -x "set_user_data;user_name,${1};authorization_transfer_out_value,token"
  fi
 }

 function private_public_from_private {
  ssh-keygen -yf /dev/stdin <<< "$1"
 }
 function private_fix_rsa_key_format {
   echo "$1" | sed -e 's/ /\n/g' -e 's/-----\([A-Z]*\).RSA.PRIVATE.KEY-----/-----\1 RSA PRIVATE KEY-----/g'
 }

 function private_aws_token {
  curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
 }
 function aws_localip {
 ## returns localip of host on aws
 ##
  curl -sS -H "X-aws-ec2-metadata-token: $(private_aws_token)" http://169.254.169.254/latest/meta-data/local-ipv4
 }
 function aws_publicip {
 ## aws_publicip - returns publicip of host on aws if present
 ##
  curl -sS -H "X-aws-ec2-metadata-token: $(private_aws_token)" http://169.254.169.254/latest/meta-data/public-ipv4
 }
 function private_configure_nonprod_params {
 if [ "_$(secrets_get env)_" == "_nonprod_" ]; then
   sed -i 's/^TMOUT=.*/TMOUT=6000/' /etc/profile.d/tmout.sh
   sed -i 's/^cloud-user\s*.*/cloud-user ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers.d/90-cloud-init-users
   sed -i 's/^%wheel\s*.*/cloud-user ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers.d/local-admin-groups
 fi
 }

 function fix_password_expirations {
 ## set all aspshell users to not expire
 ##
  users="$(grep bin.aspshell /etc/passwd | sed 's/:.*//')"
  for u in $users; do
    sudo chage -I -1 -m 0 -M 99999 -E -1 $u
  done
 }

 function token_users_from_aspera_conf {
 ## returns users with token authentication based on aspera.conf
 ##
  CONF=/opt/aspera/etc/aspera.conf
  if [ -f $CONF ]; then
    egrep "(encryption_key|name)" $CONF | grep encryption_key -B 1 | grep name | sed -e 's:[[:space:]]*::g' -e 's:</*name>::g' | uniq | sort
  else
    echo "This can only be run on an hsts node"
  fi
 }

 function token_users_from_authorized_keys {
 ## returns users with token authencitaion based on authorized keys
 ##
  CONF=/opt/aspera/etc/aspera.conf
  if [ ! -f $CONF ]; then
    CONF=/opt/aspera/proxy/etc/aspera.conf
  fi
  if [ -f $CONF ]; then
    grep -i "aspera public access" $(find /home -type f -name "authorized_keys") | sed -e 's:/\.ssh.*::' -e 's:^/home/::' | uniq | sort
  else
    echo "This can only be run on an hsts node or proxy"
  fi
 }

 function enable_nodeapi_through_proxy {
 ## parameters: user
 ## enable the proxy to pass authenticated api calls directly to the hsts
 ## servers.  Doing this is the exception rather than the norm.
 ##
  if [[ "_$(whoami)_" == "_root_" ]]&&[ -f /opt/aspera/proxy/etc/aspera.conf ]; then
    add_proxy_user $1
    sed -i "s/${1}.*//" /etc/nginx/.htpasswd
    secrets_get hsts_user_node_$1 | htpasswd -i -c /etc/nginx/.htpasswd.tmp $1
    cat /etc/nginx/.htpasswd.tmp >> /etc/nginx/.htpasswd
  else
    echo must be root on aspera proxy
  fi
 }

 function ascp_logs_from_uuid {
 ## parameters: transfer_uuid
 ## gets the associated ascp pid for a transfer id and outouts all logs
 ## for that pid
 ##
  LOG=/var/log/aspera*
  pid=$(egrep "ascp.*$1" $LOG | head -n 1 | awk '{print $5}' | sed -e 's/ascp.\(.*\).:/\1/')
  grep ascp.${pid}.: $LOG
 }
	alias ssh='ssh -o ServerAliveInterval=5 -o ServerAliveCountMax=1'
	export RPROXYKEY=/opt/aspera/proxy/var/aspera_rproxy_id_rsa.pub
	export HSTSKEY=/opt/aspera/var/aspera_tokenauth_id_rsa.pub
	export ASPERAPUBLICKEY1="command=\"/bin/aspshell -t\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAOQpAcPqbjIjGCOx7Lo+fLjppxlcRGwkfLnin8GpcjJiRU4CQSkqC9PepNM2bKRZbDii84/X4OLVz/YWlhyWVxOmGRZxLyUDuPTXaZQR5xdq9eM88bSLe3m+0HzEvLfeRDd72/38vCHTFxF+5rR3lR8XCikEgBe8kCvcHqtqmzz5AAAAFQC8LMnqrMdxKJQmglVyX/utXHiaaQAAAIA+g+0Q/jLMcbZe1zEJ9dpvi73MTrA/Ph48m3RROfd9S+dCYlPuLQpUJGveDYfY5kxYXXbLSNSrxAG5nayjcId57tbVWYB1s3sXFz5zJX2cTrNRGoBo/K3ZsT6uAzWk/otBRjGAPfEp2/Vkb6QMgMR/pTeieNwpuYDpyTFPoZq+gAAAAIEAobapDv5p2foH+cG5K07sIFD9r0RD7uKJnlqjYAXzFc8U76wXKgu6WXup2ac0Co+RnZp7Hsa9G+E+iJ6poI9pOR08XTdPly4yDULNST4PwlfrbSFT9FVhzkWfpOvAUc8fkQAhZqv/PE6VhFQ8w03Z8GpqXx7b3NvBR+EfIx368Ko= Aspera public access"
	export ASPERAPUBLICKEY2="command=\"/bin/aspshell -t\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgVtYAGrv/GSypo1IlauFMjDCawMoRQAvLO71Tc5KwlrAFRXklcTRZ2QXsiDHssh0KTVjmNSy7FXccMlJCXMATyXeR3sjY2Jdck3NWE89KFIaSp/+A6AFYv6rJqpq8axbHmBuQA7GRbOShWt15tZ0axWCP0sRr0291bDr9uWbgkFS0ljr53839AOZ9ebWcNWpAavB9FU5RMPwmYm2hhvhKM7S0qaq30gN3HmrERcNf3MenKXSuTp6hKO00D8ohWS5SJPsjut6O/aV4d66L3VD6PmN+JdxWrzzNWX7syvQd/W7ppfw2Z/Su8xh2nUC09G7ON3j6rlKX4Rk3jYgOM0i1y8VwCPnY2+DdRWyqwOFZlv5tmZVIYkC8UdhRu3hdImnnuDvHDL88g/CaEzuOGYLoMVtRH82gaoQY4n7jyJk4inc4d9i8Jknl6JtOPfc5peHRmHjnSupvuHaAs4aZp0waid/F4UyI0mCfIKe+/VbxyOZn9m4b38XCMoTyfEmjS7s59RhxfK7JEdzJC1lpWD93bZ/J6jzMzDJfJpN4cDISY9p3hLfR1M1tulF44scv56n38XDyzktj6dqa1P/hJOgOWhnsRe8TaiwdEA6EEqHwUEp2sSnLNnk5jfQetni3evzai4Ly58DKY+E31l5M60+CC2dMcHEJvF/5AqJmoPjOzQ== Aspera public access"

	function randompassword {
	## parameter: length
	## generates a random value that can be used as a password
	## based on lenth provided. length defaults to 24
	##
	len=$1
	if [ "_${len}_" == "__" ]; then
	len=24
	fi
	pw=failed
	false # force first pass through while loop
	while [ $? -eq 1 ]; do
	pw=$(cat /dev/urandom \| tr -dc 'A-Za-z0-9#_.+=;' \| head -c$len)
	echo $pw\|egrep -q '[#_\.+=;]' # keep going if no special characters
	done
	echo $pw
	}

	function add_aspera_connect_user {
	## parameters: user docroot optional_encryption_key
	## create hsts account and configure aspera.conf
	## if optional_encryption_key in included, the
	## account will be provisioned as a connect user
	## using the aspera public access ssh key and
	## token authentication
	##
	if [ "__" == "_$1_" ]; then
	echo no user passed to add_aspera_connect_user
	exit 1
	fi
	if [ "__" == "_$2_" ]; then
	echo no docroot passed to add_aspera_connect_user
	exit 1
	fi
	adduser $1
	chsh -s /bin/aspshell ${1}
	chage -I -1 -m 0 -M 99999 -E -1 ${1}
	asconfigurator \
	-x "set_user_data;user_name,${1};absolute,${2}" \
	-x "set_user_data;user_name,${1};dir_allowed,true" \
	-x "set_user_data;user_name,${1};write_allowed,true" \
	-x "set_user_data;user_name,${1};read_allowed,true"
	if [ ! "_${3}_" == "__" ]; then
	# This account is for use by aspara connect plugin
	mkdir -p /home/${1}/.ssh
	\cp -a ${HSTSKEY} /home/${1}/.ssh/authorized_keys
	chown -R ${1}.${1} /home/${1}
	chmod -R go-rwx /home/${1}/.ssh
	asconfigurator \
	-x "set_user_data;user_name,${1};token_encryption_key,${3}" \
	-x "set_user_data;user_name,${1};authorization_transfer_in_value,token" \
	-x "set_user_data;user_name,${1};authorization_transfer_out_value,token"
	fi
	}

	function private_public_from_private {
	ssh-keygen -yf /dev/stdin <<< "$1"
	}
	function private_fix_rsa_key_format {
	echo "$1" \| sed -e 's/ /\n/g' -e 's/-----\([A-Z]*\).RSA.PRIVATE.KEY-----/-----\1 RSA PRIVATE KEY-----/g'
	}

	function private_aws_token {
	curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
	}
	function aws_localip {
	## returns localip of host on aws
	##
	curl -sS -H "X-aws-ec2-metadata-token: $(private_aws_token)" http://169.254.169.254/latest/meta-data/local-ipv4
	}
	function aws_publicip {
	## aws_publicip - returns publicip of host on aws if present
	##
	curl -sS -H "X-aws-ec2-metadata-token: $(private_aws_token)" http://169.254.169.254/latest/meta-data/public-ipv4
	}
	function private_configure_nonprod_params {
	if [ "_$(secrets_get env)_" == "_nonprod_" ]; then
	sed -i 's/^TMOUT=.*/TMOUT=6000/' /etc/profile.d/tmout.sh
	sed -i 's/^cloud-user\s./cloud-user ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers.d/90-cloud-init-users
	sed -i 's/^%wheel\s./cloud-user ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers.d/local-admin-groups
	fi
	}

	function fix_password_expirations {
	## set all aspshell users to not expire
	##
	users="$(grep bin.aspshell /etc/passwd \| sed 's/:.*//')"
	for u in $users; do
	sudo chage -I -1 -m 0 -M 99999 -E -1 $u
	done
	}

	function token_users_from_aspera_conf {
	## returns users with token authentication based on aspera.conf
	##
	CONF=/opt/aspera/etc/aspera.conf
	if [ -f $CONF ]; then
	egrep "(encryption_key\|name)" $CONF \| grep encryption_key -B 1 \| grep name \| sed -e 's:[[:space:]]::g' -e 's:</name>::g' \| uniq \| sort
	else
	echo "This can only be run on an hsts node"
	fi
	}

	function token_users_from_authorized_keys {
	## returns users with token authencitaion based on authorized keys
	##
	CONF=/opt/aspera/etc/aspera.conf
	if [ ! -f $CONF ]; then
	CONF=/opt/aspera/proxy/etc/aspera.conf
	fi
	if [ -f $CONF ]; then
	grep -i "aspera public access" $(find /home -type f -name "authorized_keys") \| sed -e 's:/\.ssh.*::' -e 's:^/home/::' \| uniq \| sort
	else
	echo "This can only be run on an hsts node or proxy"
	fi
	}

	function enable_nodeapi_through_proxy {
	## parameters: user
	## enable the proxy to pass authenticated api calls directly to the hsts
	## servers. Doing this is the exception rather than the norm.
	##
	if [[ "_$(whoami)_" == "_root_" ]]&&[ -f /opt/aspera/proxy/etc/aspera.conf ]; then
	add_proxy_user $1
	sed -i "s/${1}.*//" /etc/nginx/.htpasswd
	secrets_get hsts_user_node_$1 \| htpasswd -i -c /etc/nginx/.htpasswd.tmp $1
	cat /etc/nginx/.htpasswd.tmp >> /etc/nginx/.htpasswd
	else
	echo must be root on aspera proxy
	fi
	}

	function ascp_logs_from_uuid {
	## parameters: transfer_uuid
	## gets the associated ascp pid for a transfer id and outouts all logs
	## for that pid
	##
	LOG=/var/log/aspera*
	pid=$(egrep "ascp.$1" $LOG \| head -n 1 \| awk '{print $5}' \| sed -e 's/ascp.\(.\).:/\1/')
	grep ascp.${pid}.: $LOG
	}