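#!/usr/bin/env python
"""PAM authorization helper for sshd logins.

Meant to be invoked by a PAM exec-style module: it reads PAM_SERVICE and
PAM_USER from the environment, asks the Foxpass authz API whether that user
may log in on this host, and reports the decision through the exit status
(0 = allow / not our decision, non-zero = deny).
"""
import json
import os
import socket
import sys
import urllib2

PAM_SERVICE = os.environ.get("PAM_SERVICE", None)
PAM_USER = os.environ.get("PAM_USER", None)

# Only sshd logins are checked here; any other PAM service passes through.
if PAM_SERVICE != "sshd":
    sys.exit(0)

# API token. Empty in this gist; in a deployment it should be loaded from a
# file readable only by root rather than embedded in the script.
secret = ""

d = {
    # PAM_USER is whatever was typed at the login prompt; json.dumps escapes
    # it, so it cannot break out of the request body.
    "username": PAM_USER,
    "resource": {
        "hostname": socket.gethostname()
    }
}

# Best effort: attach the EC2 instance id when running on AWS. Off EC2 the
# link-local metadata address is unreachable and the 1s timeout just expires.
req = urllib2.Request(
    "http://169.254.169.254/latest/meta-data/instance-id"
)
try:
    r = urllib2.urlopen(req, timeout=1)
except Exception:
    pass
else:
    try:
        d["resource"]["aws_instance_id"] = r.read()
    finally:
        r.close()

req = urllib2.Request(
    "https://api.foxpass.com/v1/authz/",
    json.dumps(d),
    {
        "Authorization": "Token {0}".format(secret)
    }
)
try:
    r = urllib2.urlopen(req, timeout=3)
    try:
        response = json.loads(r.read())
    finally:
        r.close()
except urllib2.HTTPError as e:
    # The status code lives on the exception: when urlopen() raises, ``r`` is
    # never assigned (or still holds the metadata response), so the original
    # ``r.code`` test could not reach the 400 branch.
    # 400 is treated as "user unknown to the API"; exit 0 leaves the decision
    # to the remaining PAM stack so purely local accounts keep working.
    # NOTE(review): 400 is also the generic bad-request status; confirm the API
    # distinguishes an unknown user from a malformed or unauthenticated
    # request, otherwise a misconfiguration here falls through silently.
    if e.code == 400:
        sys.exit(0)
    sys.exit(1)
except Exception:
    # Network error, timeout or undecodable body: deny.
    sys.exit(1)

# Deny unless the API explicitly answered with a truthy "access" field.
if isinstance(response, dict) and response.get("access"):
    sys.exit(0)
else:
    sys.exit(1)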
The json.loads should take care of converting the true/false, but I'll double-check that. The API returns a 400 when the user doesn't exist, and that allows local accounts to continue to work. If the API instead reported that as part of the response, we could let a 400 return a failure.
An HTTP 400 response will grant access? What's the rationale?