55
75
chown_to_webserver(path)
57
def rebuild_svn_config(store, config):
77
def rebuild_svn_config(store):
58
78
"""Build the complete SVN configuration file.
60
@param config: An ivle.config.Config object.
62
users = store.find(User)
63
conf_name = config['paths']['svn']['conf']
64
temp_name = conf_name + ".new"
65
f = open(temp_name, "w")
67
# IVLE SVN repository authorisation configuration
69
""" % {'time': time.asctime()})
80
users = store.find(ivle.database.User)
82
# TODO: Populate groups with per-offering tutors/lecturers/etc.
83
f = open(ivle.conf.svn_conf + ".new", "w")
84
f.write("# IVLE SVN Repositories Configuration\n")
85
f.write("# Auto-generated on %s\n" % time.asctime())
88
for (g,ls) in groups.iteritems():
89
f.write("%s = %s\n" % (g, ",".join(ls)))
75
""" % {'login': u.login.encode('utf-8')})
77
# Now we need to grant offering tutors and lecturers access to the latest
78
# submissions in their offerings. There are much prettier ways to do this,
79
# but a lot of browser requests call this function, so it needs to be
80
# fast. We can grab all of the paths needing authorisation directives with
81
# a single query, and we cache the list of viewers for each offering.
82
offering_viewers_cache = {}
83
for (login, psid, pspath, offeringid) in store.find(
84
(User.login, ProjectSubmission.id, ProjectSubmission.path,
86
Assessed.id == ProjectSubmission.assessed_id,
87
User.id == Assessed.user_id,
88
Project.id == Assessed.project_id,
89
ProjectSet.id == Project.project_set_id,
90
Offering.id == ProjectSet.offering_id,
91
ProjectSubmission.date_submitted == Select(
92
Max(ProjectSubmission.date_submitted),
93
ProjectSubmission.assessed_id == Assessed.id,
94
tables=ProjectSubmission
98
# Do we already have the list of logins authorised for this offering
99
# cached? If not, get it.
100
if offeringid not in offering_viewers_cache:
101
offering_viewers_cache[offeringid] = list(store.find(
103
User.id == Enrolment.user_id,
104
Enrolment.offering_id == offeringid,
105
Enrolment.role.is_in((u'tutor', u'lecturer')),
106
Enrolment.active == True,
113
""" % {'login': login.encode('utf-8'), 'id': psid,
114
'path': pspath.encode('utf-8')})
116
for viewer_login in offering_viewers_cache[offeringid]:
117
# We don't want to override the owner's write privilege,
118
# so we don't add them to the read-only ACL.
119
if login != viewer_login:
120
f.write("%s = r\n" % viewer_login.encode('utf-8'))
92
f.write("[%s:/]\n" % u.login)
93
f.write("%s = rw\n" % u.login)
94
#f.write("@tutor = r\n")
95
#f.write("@lecturer = rw\n")
96
#f.write("@admin = rw\n")
123
os.rename(temp_name, conf_name)
124
chown_to_webserver(conf_name)
99
os.rename(ivle.conf.svn_conf + ".new", ivle.conf.svn_conf)
100
chown_to_webserver(ivle.conf.svn_conf)
126
def rebuild_svn_group_config(store, config):
102
def rebuild_svn_group_config(store):
127
103
"""Build the complete SVN configuration file for groups
129
@param config: An ivle.config.Config object.
131
conf_name = config['paths']['svn']['group_conf']
132
temp_name = conf_name + ".new"
133
f = open(temp_name, "w")
136
# IVLE SVN group repository authorisation configuration
137
# Generated: %(time)s
139
""" % {'time': time.asctime()})
141
group_members_cache = {}
105
f = open(ivle.conf.svn_group_conf + ".new", "w")
106
f.write("# IVLE SVN Group Repositories Configuration\n")
107
f.write("# Auto-generated on %s\n" % time.asctime())
142
109
for group in store.find(ProjectGroup):
143
110
offering = group.project_set.offering
144
111
reponame = "_".join([offering.subject.short_name,
145
112
offering.semester.year,
146
113
offering.semester.semester,
149
f.write("[%s:/]\n" % reponame.encode('utf-8'))
150
if group.id not in group_members_cache:
151
group_members_cache[group.id] = set()
115
f.write("[%s:/]\n"%reponame)
152
116
for user in group.members:
153
group_members_cache[group.id].add(user.login)
154
f.write("%s = rw\n" % user.login.encode('utf-8'))
117
f.write("%s = rw\n" % user.login)
157
# Now we need to grant offering tutors and lecturers access to the latest
158
# submissions in their offerings. There are much prettier ways to do this,
159
# but a lot of browser requests call this function, so it needs to be
160
# fast. We can grab all of the paths needing authorisation directives with
161
# a single query, and we cache the list of viewers for each offering.
162
offering_viewers_cache = {}
163
for (ssn, year, sem, name, psid, pspath, gid, offeringid) in store.find(
164
(Subject.short_name, Semester.year, Semester.semester,
165
ProjectGroup.name, ProjectSubmission.id, ProjectSubmission.path,
166
ProjectGroup.id, Offering.id),
167
Assessed.id == ProjectSubmission.assessed_id,
168
ProjectGroup.id == Assessed.project_group_id,
169
Project.id == Assessed.project_id,
170
ProjectSet.id == Project.project_set_id,
171
Offering.id == ProjectSet.offering_id,
172
Subject.id == Offering.subject_id,
173
Semester.id == Offering.semester_id,
174
ProjectSubmission.date_submitted == Select(
175
Max(ProjectSubmission.date_submitted),
176
ProjectSubmission.assessed_id == Assessed.id,
177
tables=ProjectSubmission
181
reponame = "_".join([ssn, year, sem, name])
183
# Do we already have the list of logins authorised for this offering
184
# cached? If not, get it.
185
if offeringid not in offering_viewers_cache:
186
offering_viewers_cache[offeringid] = list(store.find(
188
User.id == Enrolment.user_id,
189
Enrolment.offering_id == offeringid,
190
Enrolment.role.is_in((u'tutor', u'lecturer')),
191
Enrolment.active == True,
198
""" % {'repo': reponame.encode('utf-8'), 'id': psid,
199
'path': pspath.encode('utf-8')})
201
for viewer_login in offering_viewers_cache[offeringid]:
202
# Skip existing group members, or they can't write to it any more.
203
if viewer_login not in group_members_cache[gid]:
204
f.write("%s = r\n" % viewer_login)
207
os.rename(temp_name, conf_name)
208
chown_to_webserver(conf_name)
210
def make_svn_auth(store, login, config, throw_on_error=True):
211
"""Create a Subversion password for a user.
213
Generates a new random Subversion password, and assigns it to the user.
214
The password is added to Apache's Subversion authentication file.
120
os.rename(ivle.conf.svn_group_conf + ".new", ivle.conf.svn_group_conf)
121
chown_to_webserver(ivle.conf.svn_group_conf)
123
def make_svn_auth(store, login, throw_on_error=True):
124
"""Setup svn authentication for the given user.
125
Uses the given DB store object. Does not commit to the db.
216
# filename is, eg, /var/lib/ivle/svn/ivle.auth
217
filename = config['paths']['svn']['auth_ivle']
218
if os.path.exists(filename):
127
passwd = md5.new(uuid.uuid4().bytes).digest().encode('hex')
128
if os.path.exists(ivle.conf.svn_auth_ivle):
223
user = User.get_by_login(store, login)
225
if user.svn_pass is None:
226
passwd = hashlib.md5(uuid.uuid4().bytes).hexdigest()
227
user.svn_pass = unicode(passwd)
229
res = subprocess.call(['htpasswd', '-%smb' % create,
230
filename, login, user.svn_pass])
133
user = ivle.database.User.get_by_login(store, login)
134
user.svn_pass = unicode(passwd)
136
res = os.system("htpasswd -%smb %s %s %s" % (create,
137
ivle.conf.svn_auth_ivle,
231
139
if res != 0 and throw_on_error:
232
140
raise Exception("Unable to create ivle-auth for %s" % login)
234
142
# Make sure the file is owned by the web server
235
143
if create == "c":
236
chown_to_webserver(filename)
240
def make_jail(user, config, force=True):
241
"""Create or update a user's jail.
243
Only the user-specific parts of the jail are created here - everything
244
else is expected to be part of another aufs branch.
144
chown_to_webserver(ivle.conf.svn_auth_ivle)
148
def generate_manifest(basedir, targetdir, parent=''):
149
""" From a basedir and a targetdir work out which files are missing or out
150
of date and need to be added/updated and which files are redundant and need
153
parent: This is used for the recursive call to track the relative paths
154
that we have decended.
157
cmp = filecmp.dircmp(basedir, targetdir)
159
# Add all new files and files that have changed
160
to_add = [os.path.join(parent,x) for x in (cmp.left_only + cmp.diff_files)]
162
# Remove files that are redundant
163
to_remove = [os.path.join(parent,x) for x in cmp.right_only]
166
for d in cmp.common_dirs:
167
newbasedir = os.path.join(basedir, d)
168
newtargetdir = os.path.join(targetdir, d)
169
newparent = os.path.join(parent, d)
170
(sadd,sremove) = generate_manifest(newbasedir, newtargetdir, newparent)
174
return (to_add, to_remove)
177
def make_jail(user, force=True):
178
"""Creates a new user's jail space, in the jail directory as configured in
181
This only creates things within /home - everything else is expected to be
182
part of another UnionFS branch.
246
184
Returns the path to the user's home directory.
248
186
Chowns the user's directory within the jail to the given UID.
250
@param force: If False, raise an exception if the user already has a jail.
251
If True (default), rebuild the jail preserving /home.
188
force: If false, exception if jail already exists for this user.
189
If true (default), overwrites it, but preserves home directory.
253
191
# MUST run as root or some of this may fail
254
192
if os.getuid() != 0:
255
193
raise Exception("Must run make_jail as root")
257
195
# tempdir is for putting backup homes in
258
jail_src_base = config['paths']['jails']['src']
259
tempdir = os.path.join(jail_src_base, '__temp__')
196
tempdir = os.path.join(ivle.conf.jail_src_base, '__temp__')
260
197
if not os.path.exists(tempdir):
261
198
os.makedirs(tempdir)
262
199
elif not os.path.isdir(tempdir):
263
200
os.unlink(tempdir)
264
201
os.mkdir(tempdir)
265
userdir = os.path.join(jail_src_base, user.login)
202
userdir = os.path.join(ivle.conf.jail_src_base, user.login)
266
203
homedir = os.path.join(userdir, 'home')
267
tmpdir = os.path.join(userdir, 'tmp')
268
204
userhomedir = os.path.join(homedir, user.login) # Return value
270
206
if os.path.exists(userdir):
300
234
# Chmod to rwxr-xr-x (755)
301
235
os.chmod(userhomedir, 0755)
303
make_ivle_conf(user.login, userdir, user.svn_pass, config)
304
make_etc_passwd(user.login, userdir, config['paths']['jails']['template'],
307
os.chmod(tmpdir, 01777)
237
make_conf_py(user.login, userdir, user.svn_pass)
238
make_etc_passwd(user.login, userdir, ivle.conf.jail_system, user.unixid)
309
240
return userhomedir
311
def make_ivle_conf(username, user_jail_dir, svn_pass, sys_config):
312
"""Generate an ivle.conf for a user's jail.
242
def make_conf_py(username, user_jail_dir, svn_pass):
314
244
Creates (overwriting any existing file, and creating directories) a
315
file /etc/ivle/ivle.conf in a given user's jail.
317
@param username: Username.
318
@param user_jail_dir: User's jail dir, ie. ['jails']['src'] + username
319
@param svn_pass: User's SVN password.
320
@param sys_config: An ivle.config.Config object (the system-wide config).
245
file ${python_site_packages}/ivle/conf/conf.py in a given user's jail.
247
user_jail_dir: User's jail dir, ie. ivle.conf.jail_base + username
248
svn_pass: User's SVN password.
322
conf_path = os.path.join(user_jail_dir, "home/.ivle.conf")
323
if not os.path.exists(os.path.dirname(conf_path)):
324
os.makedirs(os.path.dirname(conf_path))
250
conf_path = os.path.join(user_jail_dir,
251
ivle.conf.python_site_packages[1:], "ivle/conf/conf.py")
252
os.makedirs(os.path.dirname(conf_path))
326
254
# In the "in-jail" version of conf, we don't need MOST of the details
327
255
# (it would be a security risk to have them here).
328
# So we just write root_dir.
329
conf_obj = ivle.config.Config(blank=True)
330
conf_obj.filename = conf_path
331
conf_obj['urls'] = {}
332
conf_obj['urls']['root'] = sys_config['urls']['root']
333
conf_obj['urls']['public_host'] = sys_config['urls']['public_host']
334
conf_obj['urls']['svn_addr'] = sys_config['urls']['svn_addr']
335
conf_obj['user_info'] = {}
336
conf_obj['user_info']['login'] = username
337
conf_obj['user_info']['svn_pass'] = svn_pass
256
# So we just write root_dir, and jail_base is "/".
257
# (jail_base being "/" means "jail-relative" paths are relative to "/"
258
# when inside the jail.)
260
# XXX: jail_base is wrong and shouldn't be here. Unfortunately, jail code
261
# uses ivle.studpath.url_to_{local,jailpaths}, both of which use
262
# jail_base. Note that they don't use the bits of the return value
263
# that depend on jail_base, so it can be any string.
264
conf_file = open(conf_path, "w")
265
conf_file.write("""# IVLE jail configuration
267
# In URL space, where in the site is IVLE located. (All URLs will be prefixed
269
# eg. "/" or "/ivle".
270
root_dir = %(root_dir)r
272
# This value is not relevant inside the jail, but must remain for now. See
273
# the XXX in ivle.makeuser.make_conf_py.
276
# The hostname for serving publicly accessible pages
277
public_host = %(public_host)r
279
# The URL under which the Subversion repositories are located.
280
svn_addr = %(svn_addr)r
282
# The login name for the owner of the jail
285
# The subversion-only password for the owner of the jail
286
svn_pass = %(svn_pass)r
287
""" % {'root_dir': ivle.conf.root_dir,
288
'public_host': ivle.conf.public_host,
289
'svn_addr': ivle.conf.svn_addr,
290
'username': username,
291
'svn_pass': svn_pass,
340
295
# Make this file world-readable
341
296
# (chmod 644 conf_path)