# IVLE - Informatics Virtual Learning Environment
# Copyright (C) 2007-2008 The University of Melbourne
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
# Module: MakeUser
# Author: Matt Giuca
# Date: 1/2/2008
# Allows creation of users. This sets up the following:
# * User's jail and home directory within the jail.
# * Subversion repository (TODO)
# * Check out Subversion workspace into jail (TODO)
# * Database details for user
# * Unix user account
# TODO: Sanitize login name and other fields.
# Users must not be called "temp" or "template".
# TODO: When creating a new home directory, chown it to its owner
import md5
import os
import shutil
import stat
import subprocess
import tempfile
import time
import uuid
import warnings

import conf
import db

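def make_svn_repo(login, throw_on_error=True):
    """Create a Subversion repository for the given user.

    The repository is created at conf.svn_repo_path/<login> with
    "svnadmin create" and then recursively chowned to www-data so the
    web front end can serve it.

    login: the user's login name; it becomes the last path component of
        the repository directory, so it must be a single plain name.
    throw_on_error: if true (default) a failed "svnadmin create" raises an
        Exception (after printing it); if false the failure is only printed.

    Raises Exception for an unacceptable login or (with throw_on_error) a
    failed repository creation.  The chown step is best-effort and never
    raises.

    Both commands are run as argument lists rather than shell strings, so
    quotes or shell metacharacters in the login cannot alter the command.
    The login is still used verbatim as a path component (see the
    sanitisation TODO in the module header).
    """
    # login becomes a path component under conf.svn_repo_path; refuse
    # anything that is not one plain name ("", ".", "..", "a/b", "/x").
    if (not login or login in ('.', '..')
            or os.path.basename(login) != login):
        raise Exception("Invalid login for repository path component: %r"
                        % login)

    path = os.path.join(conf.svn_repo_path, login)
    try:
        # Argument list, not a shell string: 'path' is one argv entry
        # whatever characters it contains.  A missing svnadmin binary
        # surfaces as OSError and takes the same print/re-raise path.
        res = subprocess.call(["svnadmin", "create", path])
        if res != 0 and throw_on_error:
            raise Exception("Cannot create repository for %s" % login)
    except Exception as exc:
        print(repr(exc))
        if throw_on_error:
            raise
    # Ownership fix was deliberately best-effort in the original and still
    # is; OSError covers e.g. a missing chown binary.
    try:
        subprocess.call(["chown", "-R", "www-data:www-data", path])
    except OSError:
        pass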
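def rebuild_svn_config():
    """Rebuild the complete SVN authz configuration file from the database.

    Reads every (login, rolenm) row from the "login" table and writes
    conf.svn_conf with a [groups] section (one group per role listing its
    logins) followed by one "[<login>:/]" section per user granting that
    user "rw" on their own repository.

    The file is written to conf.svn_conf + ".new" and then renamed over the
    live file, so readers never see a partially written config.

    Errors from db.DB, the file write or os.rename propagate; the only
    handling here is closing the DB connection and the file.
    """
    conn = db.DB()
    try:
        res = conn.query("SELECT login, rolenm FROM login;").dictresult()
    finally:
        # dictresult() already materialised the rows, so the connection can
        # be released before writing (make_user_db closes its connection the
        # same way; the original left this one open).
        conn.close()

    groups = {}
    for r in res:
        groups.setdefault(r['rolenm'], []).append(r['login'])

    newpath = conf.svn_conf + ".new"
    # "with" closes the handle even if a write fails, and a failed write
    # never reaches the rename below, so the live config is untouched.
    with open(newpath, "w") as f:
        f.write("# IVLE SVN Repositories Configuration\n")
        f.write("# Auto-generated on %s\n" % time.asctime())
        f.write("\n")
        f.write("[groups]\n")
        # Sorted so repeated rebuilds yield byte-identical files.
        for role, logins in sorted(groups.items()):
            f.write("%s = %s\n" % (role, ",".join(logins)))
        f.write("\n")
        for r in res:
            login = r['login']
            # NOTE(review): login is written verbatim; a login containing a
            # newline or "[" / "]" would corrupt the authz file (see the
            # sanitisation TODO in the module header).
            f.write("[%s:/]\n" % login)
            f.write("%s = rw\n" % login)
            #f.write("@tutor = r\n")
            #f.write("@lecturer = rw\n")
            #f.write("@admin = rw\n")
            f.write("\n")
    os.rename(newpath, conf.svn_conf)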
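def make_svn_config(login, throw_on_error=True):
    """Add an entry to the apache-svn config file for the given user.
    Assumes the given user is either a guest or a student.

    Appends a "[<login>:/]" section granting the user "rw" on their own
    repository to conf.svn_conf (rebuild_svn_config regenerates the whole
    file from the database using the same per-user layout).

    login: the user's login name, written verbatim into the section header
        and permission line -- a login containing a newline or brackets
        would corrupt the file (see the sanitisation TODO in the module
        header).
    throw_on_error: accepted for symmetry with the other make_svn_* helpers
        but unused; any open/write error propagates regardless.
    """
    entry = "".join([
        "[%s:/]\n" % login,
        "%s = rw\n" % login,
        #"@tutor = r\n",
        #"@lecturer = rw\n",
        #"@admin = rw\n",
        "\n",
    ])
    # One write of the assembled entry instead of four separate ones, and a
    # "with" block so the handle is closed even if the write fails.
    with open(conf.svn_conf, "a") as f:
        f.write(entry)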
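def make_svn_auth(login, throw_on_error=True):
    """Set up svn (htpasswd) authentication for the given user.

    Generates a random 32-hex-digit password, stores it in the user's
    "svn_pass" database column, then adds or updates the user's entry in
    the htpasswd file conf.svn_auth_ivle (creating the file on first use).

    login: the user's login name (the htpasswd username).
    throw_on_error: if true (default) a non-zero exit from htpasswd raises
        an Exception; if false it is ignored.
    Returns the generated plaintext password.

    FIXME: create local.auth entry

    Notes:
    * htpasswd is run as an argument list, so the login cannot inject
      extra commands.  The password is still passed on the command line
      ("-b"), which makes it visible in the process list while htpasswd
      runs.  The htpasswd call in make_user_db has the same shape.
    * The DB row is updated before htpasswd runs; with throw_on_error=False
      a failed htpasswd leaves the stored password out of step with the
      htpasswd file.
    """
    # uuid4 supplies 16 random bytes; md5 only renders them as 32 hex chars.
    passwd = md5.new(uuid.uuid4().bytes).hexdigest()
    # "-c" makes htpasswd create the file; it must only be passed when the
    # file does not exist yet, otherwise existing entries would be wiped.
    if os.path.exists(conf.svn_auth_ivle):
        create = ""
    else:
        create = "c"

    conn = db.DB()
    try:
        conn.update_user(login, svn_pass=passwd)
    finally:
        conn.close()

    # -m: MD5 hash, -b: batch mode (password from the arguments).
    res = subprocess.call(["htpasswd", "-%smb" % create,
                           conf.svn_auth_ivle, login, passwd])
    if res != 0 and throw_on_error:
        raise Exception("Unable to create ivle-auth for %s" % login)

    return passwd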
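def make_jail(username, uid, force=True):
    """Creates a new user's jail space, in the jail directory as configured in
    conf.py.

    This expects there to be a "template" directory within the jail root which
    contains all the files for a sample student jail. It creates the student's
    directory in the jail root, by making a hard-link copy of every file in the
    template directory, recursively.

    Returns the path to the user's home directory.

    Chowns the user's directory within the jail to the given UID (new jails
    only; when an existing jail is rebuilt the preserved home directory keeps
    its previous owner and mode).

    Note: This takes separate username and uid arguments. The UID need not
    *necessarily* correspond to a Unix username at all, if all you are
    planning to do is setuid to it. This allows the caller the freedom of
    deciding the binding between username and uid, if any.

    username: becomes the jail directory name under conf.jail_base; must be
        a single plain path component and must not be "temp" or "template"
        (the backup and template directories live in the same root).
    uid: numeric owner (and group) for the new home directory.
    force: If false, exception if jail already exists for this user.
    If true (default), overwrites it, but preserves home directory.

    Raises Exception if not run as root, if the username is unacceptable, if
    the template directory is missing, or if the jail exists and force is
    false.  Errors from linktree, shutil and os propagate.
    """
    # MUST run as root or some of this may fail
    if os.getuid() != 0:
        raise Exception("Must run make_jail as root")

    # username is a path component under conf.jail_base and, with
    # force=True, that directory is rmtree'd -- so reject anything that could
    # name a different directory ("", ".", "..", "a/b", "/etc") as well as
    # the two reserved names in the same root.
    if (not username or username in ('.', '..', 'temp', 'template')
            or os.path.basename(username) != username):
        raise Exception("Invalid username for jail: %r" % username)

    templatedir = os.path.join(conf.jail_base, 'template')
    if not os.path.isdir(templatedir):
        raise Exception("Template jail directory does not exist: " +
            templatedir)
    # tempdir is for putting backup homes in
    tempdir = os.path.join(conf.jail_base, 'temp')
    if not os.path.exists(tempdir):
        os.makedirs(tempdir)
    elif not os.path.isdir(tempdir):
        os.unlink(tempdir)
        os.mkdir(tempdir)
    userdir = os.path.join(conf.jail_base, username)
    homedir = os.path.join(userdir, 'home')

    if not os.path.exists(userdir):
        # No user jail exists
        # Hard-link (copy aliasing) the entire tree over
        linktree(templatedir, userdir)

        # Set up the user's home directory
        userhomedir = os.path.join(homedir, username)
        os.mkdir(userhomedir)
        # Chown (and set the GID to the same as the UID).
        os.chown(userhomedir, uid, uid)
        # Chmod to rwxr-xr-x (755); spelled with stat constants so the
        # literal reads the same under Python 2 and 3.
        os.chmod(userhomedir, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP
                 | stat.S_IROTH | stat.S_IXOTH)
        return userhomedir

    if not force:
        raise Exception("User's jail already exists")
    # User jail already exists. Blow it away but preserve their home
    # directory.
    # mkdtemp creates a fresh mode-0700 directory atomically, so -- unlike
    # the former os.tempnam() name -- nothing can pre-create or symlink the
    # backup location between choosing the name and moving into it.
    backupdir = tempfile.mkdtemp(dir=tempdir)
    homebackup = os.path.join(backupdir, 'home')
    # homebackup does not exist yet, so this is a plain rename whatever the
    # Python version (shutil.move's treatment of an *existing* destination
    # directory changed in 2.6; the old code relied on the 2.5 behaviour).
    shutil.move(homedir, homebackup)
    try:
        # Any errors that occur after making the backup will be caught and
        # the backup will be un-made.
        # XXX This will still leave the user's jail in an unusable state,
        # but at least they won't lose their files.
        shutil.rmtree(userdir)

        # Hard-link (copy aliasing) the entire tree over
        linktree(templatedir, userdir)
    finally:
        # Set up the user's home directory (restore backup)
        # First make sure the destination is gone and its parent exists.
        try:
            shutil.rmtree(homedir)
        except OSError:
            # Best-effort, as before: homedir usually does not exist here.
            pass
        if os.path.lexists(homedir):
            # Moving onto an existing directory would nest the backup inside
            # it; leave the files in backupdir instead and say so.
            raise Exception("Cannot restore home directory: %s still exists "
                            "(backup kept in %s)" % (homedir, backupdir))
        if not os.path.isdir(userdir):
            os.makedirs(userdir)
        # XXX If this fails the user's directory will be lost (in the temp
        # directory). But it shouldn't fail as homedir should not exist.
        shutil.move(homebackup, homedir)
        # Only reached once the restore succeeded, so the holder is empty.
        os.rmdir(backupdir)
    return os.path.join(homedir, username)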
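def linktree(src, dst):
    """Recursively hard-link a directory tree using os.link().

    The destination directory must not already exist (os.makedirs raises
    if it does).
    If exception(s) occur, an Exception is raised whose single argument is
    a list of (srcname, dstname, reason) tuples; the rest of the tree is
    still processed before raising.

    Symlinks are preserved (in fact, hard links are created which point to the
    symlinks).  That includes symlinks to directories: they are linked as
    symlinks rather than descended into, so a symlink in the template can
    never pull an outside tree into the copy.

    Because every file is a hard link, the copy shares inodes with src: a
    change made through either name is visible through the other.
    Directories are created fresh and get their mode/timestamps copied with
    shutil.copystat.

    Code heavily based upon shutil.copytree from Python 2.5 library.
    """
    names = os.listdir(src)
    os.makedirs(dst)
    errors = []
    for name in names:
        srcname = os.path.join(src, name)
        dstname = os.path.join(dst, name)
        try:
            # isdir() follows symlinks; a symlink to a directory must be
            # hard-linked as the symlink itself, not recursed into.
            if os.path.isdir(srcname) and not os.path.islink(srcname):
                linktree(srcname, dstname)
            else:
                os.link(srcname, dstname)
            # XXX What about devices, sockets etc.?
        except (IOError, OSError) as why:
            errors.append((srcname, dstname, str(why)))
        # catch the Exception from the recursive linktree so that we can
        # continue with other files; its args[0] is that call's error list
        except Exception as err:
            reasons = err.args[0] if err.args else str(err)
            if isinstance(reasons, list):
                errors.extend(reasons)
            else:
                errors.append((srcname, dstname, str(err)))
    try:
        shutil.copystat(src, dst)
    except OSError as why:
        # copytree special-cases WindowsError here; that name does not
        # exist on POSIX and this module is Linux-only (os.getuid, chown),
        # so a plain OSError handler is used.  One tuple per failure, like
        # the per-file errors above (the original extend()ed three items).
        errors.append((src, dst, str(why)))
    if errors:
        raise Exception(errors)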
def make_user_db(**kwargs): |
"""Creates a user's entry in the database, filling in all the fields.
All arguments must be keyword args. They are the fields in the table.
However, instead of supplying a "passhash", you must supply a
"password" argument, which will be hashed internally.
Also do not supply a state. All users are created in the "no_agreement"
state.
Throws an exception if the user already exists.
"""
dbconn = db.DB() |
dbconn.create_user(**kwargs) |
dbconn.close() |
if kwargs['password']: |
if os.path.exists(conf.svn_auth_local): |
create = "" |
else: |
create = "c" |
res = os.system("htpasswd -%smb %s %s %s" % (create, |
conf.svn_auth_local, |
kwargs['login'], |
kwargs['password'])) |
if res != 0 and throw_on_error: |
raise Exception("Unable to create local-auth for %s" % kwargs['login']) |