Home Explore Help
Sign In
bignose
/
debian_nm2
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
debian_nm2
/
debsso

debsso 2.3 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. #!/usr/bin/python3
    2. 

  2. # coding: utf-8
    3. 

  3. import subprocess
    4. 

  4. import tempfile
    5. 

  5. import requests
    6. 

  6. import ssl
    7. 

  7. import os
    8. 

  8. 

  9. class Certs:
    10. 

  10.     def __init__(self, workdir):
    11. 

  11.         self.workdir = workdir
    12. 

  12.         self.dbname = "sql:" + os.path.expanduser("~/.pki/nssdb")
    13. 

  13. 

  14.     def run_certutil(self, args, input=None):
    15. 

  15.         cmd = ["certutil", "-d", self.dbname]
    16. 

  16.         cmd.extend(args)
    17. 

  17.         output = subprocess.check_output(cmd, universal_newlines=True, input=input)
    18. 

  18.         return output
    19. 

  19. 

  20.     def run_pk12util(self, args, input=None):
    21. 

  21.         cmd = ["pk12util", "-d", self.dbname]
    22. 

  22.         cmd.extend(args)
    23. 

  23.         output = subprocess.check_output(cmd, universal_newlines=False, input=input)
    24. 

  24.         return output
    25. 

  25. 

  26.     def get_key_nicks(self):
    27. 

  27.         output = self.run_certutil(["-L"])
    28. 

  28.         payload = output.split("\n\n")[1]
    29. 

  29.         for line in payload.splitlines():
    30. 

  30.             nick, flags = line.rsplit(None, 1)
    31. 

  31.             yield nick, flags
    32. 

  32. 

  33.     def get_sso_cert_nickname(self):
    34. 

  34.         debemail = os.environ.get("DEBEMAIL", None)
    35. 

  35.         if debemail is None: raise RuntimeError("$DEBEMAIL is not set")
    36. 

  36.         for nick, flags in self.get_key_nicks():
    37. 

  37.             if flags != "u,u,u": continue
    38. 

  38.             if not nick.startswith(debemail): continue
    39. 

  39.             if not "SSO" in nick: continue
    40. 

  40.             return nick
    41. 

  41. 

  42.     def get_cert(self, nick, outfile):
    43. 

  43.         self.run_certutil(["-L", "-n", nick, "-a", "-o", outfile])
    44. 

  44. 

  45.     def get_key(self, nick, outfile):
    46. 

  46.         pkcs12 = self.run_pk12util(["-n", nick, "-o", "/dev/stdout", "-W", ""])
    47. 

  47.         pem = subprocess.check_output(["openssl", "pkcs12", "-nodes", "-passin", "pass:"], input=pkcs12, stderr=open("/dev/null", "wb"))
    48. 

  48.         with open(outfile, "wb") as out:
    49. 

  49.             out.write(pem)
    50. 

  50. 

  51. 

  52. # Try to get SSO keys out of the browser and connect to nm.debian.org with
    53. 

  53. # them.
    54. 

  54. # Requires $DEBEMAIL to be set.
    55. 

  55. # Requires libnss3-tools, openssl, python3-requests
    56. 

  56. # Tested with chromium.
    57. 

  57. 

  58. with tempfile.TemporaryDirectory() as tmpdir:
    59. 

  59.     certs = Certs(tmpdir)
    60. 

  60.     nick = certs.get_sso_cert_nickname()
    61. 

  61.     #print("Nickname:", repr(nick))
    62. 

  62.     cert_file = os.path.join(certs.workdir, "tmp.cert")
    63. 

  63.     key_file = os.path.join(certs.workdir, "tmp.key")
    64. 

  64.     certs.get_cert(nick, cert_file)
    65. 

  65.     certs.get_key(nick, key_file)
    66. 

  66.     res = requests.get("https://nm.debian.org/api/whoami", cert=(cert_file, key_file))
    67. 

  67.     print(res.text)
    68. 

  68.