1
# IVLE - Informatics Virtual Learning Environment
2
# Copyright (C) 2007-2009 The University of Melbourne
4
# This program is free software; you can redistribute it and/or modify
5
# it under the terms of the GNU General Public License as published by
6
# the Free Software Foundation; either version 2 of the License, or
7
# (at your option) any later version.
9
# This program is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU General Public License for more details.
14
# You should have received a copy of the GNU General Public License
15
# along with this program; if not, write to the Free Software
16
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18
"""User and group filesystem management helpers."""
30
from storm.expr import Select, Max
33
from ivle.database import (User, ProjectGroup, Assessed, ProjectSubmission,
34
Project, ProjectSet, Offering, Enrolment, Subject, Semester)
36
def chown_to_webserver(filename):
37
"""chown a directory and its contents to the web server.
39
Recursively chowns a file or directory so the web server user owns it.
42
subprocess.call(['chown', '-R', 'www-data:www-data', filename])
44
def make_svn_repo(path, throw_on_error=True):
45
"""Create a Subversion repository at the given path."""
47
res = subprocess.call(['svnadmin', 'create', path])
48
if res != 0 and throw_on_error:
49
raise Exception("Cannot create repository: %s" % path)
50
except Exception, exc:
55
chown_to_webserver(path)
57
def rebuild_svn_config(store, config):
58
"""Build the complete SVN configuration file.
60
@param config: An ivle.config.Config object.
62
users = store.find(User)
63
conf_name = config['paths']['svn']['conf']
64
temp_name = conf_name + ".new"
65
f = open(temp_name, "w")
67
# IVLE SVN repository authorisation configuration
69
""" % {'time': time.asctime()})
75
""" % {'login': u.login})
77
# Now we need to grant offering tutors and lecturers access to the latest
78
# submissions in their offerings. There are much prettier ways to do this,
79
# but a lot of browser requests call this function, so it needs to be
80
# fast. We can grab all of the paths needing authorisation directives with
81
# a single query, and we cache the list of viewers for each offering.
82
offering_viewers_cache = {}
83
for (login, psid, pspath, offeringid) in store.find(
84
(User.login, ProjectSubmission.id, ProjectSubmission.path,
86
Assessed.id == ProjectSubmission.assessed_id,
87
User.id == Assessed.user_id,
88
Project.id == Assessed.project_id,
89
ProjectSet.id == Project.project_set_id,
90
Offering.id == ProjectSet.id,
91
ProjectSubmission.date_submitted == Select(
92
Max(ProjectSubmission.date_submitted),
93
ProjectSubmission.assessed_id == Assessed.id,
94
tables=ProjectSubmission
98
# Do we already have the list of logins authorised for this offering
99
# cached? If not, get it.
100
if offeringid not in offering_viewers_cache:
101
offering_viewers_cache[offeringid] = list(store.find(
103
User.id == Enrolment.user_id,
104
Enrolment.offering_id == offeringid,
105
Enrolment.role.is_in((u'tutor', u'lecturer'))
112
""" % {'login': login, 'id': psid, 'path': pspath})
114
for viewer_login in offering_viewers_cache[offeringid]:
115
# We don't want to override the owner's write privilege,
116
# so we don't add them to the read-only ACL.
117
if login != viewer_login:
118
f.write("%s = r\n" % viewer_login)
121
os.rename(temp_name, conf_name)
122
chown_to_webserver(conf_name)
124
def rebuild_svn_group_config(store, config):
125
"""Build the complete SVN configuration file for groups
127
@param config: An ivle.config.Config object.
129
conf_name = config['paths']['svn']['group_conf']
130
temp_name = conf_name + ".new"
131
f = open(temp_name, "w")
134
# IVLE SVN group repository authorisation configuration
135
# Generated: %(time)s
137
""" % {'time': time.asctime()})
139
group_members_cache = {}
140
for group in store.find(ProjectGroup):
141
offering = group.project_set.offering
142
reponame = "_".join([offering.subject.short_name,
143
offering.semester.year,
144
offering.semester.semester,
147
f.write("[%s:/]\n" % reponame)
148
if group.id not in group_members_cache:
149
group_members_cache[group.id] = set()
150
for user in group.members:
151
group_members_cache[group.id].add(user.login)
152
f.write("%s = rw\n" % user.login)
155
# Now we need to grant offering tutors and lecturers access to the latest
156
# submissions in their offerings. There are much prettier ways to do this,
157
# but a lot of browser requests call this function, so it needs to be
158
# fast. We can grab all of the paths needing authorisation directives with
159
# a single query, and we cache the list of viewers for each offering.
160
offering_viewers_cache = {}
161
for (ssn, year, sem, name, psid, pspath, gid, offeringid) in store.find(
162
(Subject.short_name, Semester.year, Semester.semester,
163
ProjectGroup.name, ProjectSubmission.id, ProjectSubmission.path,
164
ProjectGroup.id, Offering.id),
165
Assessed.id == ProjectSubmission.assessed_id,
166
ProjectGroup.id == Assessed.project_group_id,
167
Project.id == Assessed.project_id,
168
ProjectSet.id == Project.project_set_id,
169
Offering.id == ProjectSet.offering_id,
170
Subject.id == Offering.subject_id,
171
Semester.id == Offering.semester_id,
172
ProjectSubmission.date_submitted == Select(
173
Max(ProjectSubmission.date_submitted),
174
ProjectSubmission.assessed_id == Assessed.id,
175
tables=ProjectSubmission
179
reponame = "_".join([ssn, year, sem, name])
181
# Do we already have the list of logins authorised for this offering
182
# cached? If not, get it.
183
if offeringid not in offering_viewers_cache:
184
offering_viewers_cache[offeringid] = list(store.find(
186
User.id == Enrolment.user_id,
187
Enrolment.offering_id == offeringid,
188
Enrolment.role.is_in((u'tutor', u'lecturer'))
195
""" % {'repo': reponame, 'id': psid, 'path': pspath})
197
for viewer_login in offering_viewers_cache[offeringid]:
198
# Skip existing group members, or they can't write to it any more.
199
if viewer_login not in group_members_cache[gid]:
200
f.write("%s = r\n" % viewer_login)
203
os.rename(temp_name, conf_name)
204
chown_to_webserver(conf_name)
206
def make_svn_auth(store, login, config, throw_on_error=True):
207
"""Create a Subversion password for a user.
209
Generates a new random Subversion password, and assigns it to the user.
210
The password is added to Apache's Subversion authentication file.
212
# filename is, eg, /var/lib/ivle/svn/ivle.auth
213
filename = config['paths']['svn']['auth_ivle']
214
passwd = hashlib.md5(uuid.uuid4().bytes).hexdigest()
215
if os.path.exists(filename):
220
user = User.get_by_login(store, login)
221
user.svn_pass = unicode(passwd)
223
res = subprocess.call(['htpasswd', '-%smb' % create,
224
filename, login, passwd])
225
if res != 0 and throw_on_error:
226
raise Exception("Unable to create ivle-auth for %s" % login)
228
# Make sure the file is owned by the web server
230
chown_to_webserver(filename)
234
def make_jail(user, config, force=True):
235
"""Create or update a user's jail.
237
Only the user-specific parts of the jail are created here - everything
238
else is expected to be part of another aufs branch.
240
Returns the path to the user's home directory.
242
Chowns the user's directory within the jail to the given UID.
244
@param force: If False, raise an exception if the user already has a jail.
245
If True (default), rebuild the jail preserving /home.
247
# MUST run as root or some of this may fail
249
raise Exception("Must run make_jail as root")
251
# tempdir is for putting backup homes in
252
jail_src_base = config['paths']['jails']['src']
253
tempdir = os.path.join(jail_src_base, '__temp__')
254
if not os.path.exists(tempdir):
256
elif not os.path.isdir(tempdir):
259
userdir = os.path.join(jail_src_base, user.login)
260
homedir = os.path.join(userdir, 'home')
261
tmpdir = os.path.join(userdir, 'tmp')
262
userhomedir = os.path.join(homedir, user.login) # Return value
264
if os.path.exists(userdir):
266
raise Exception("User's jail already exists")
267
# User jail already exists. Blow it away but preserve their home
268
# directory. It should be all that is there anyway, but you never
270
# Ignore warnings about the use of tmpnam
271
warnings.simplefilter('ignore')
272
homebackup = os.tempnam(tempdir)
273
warnings.resetwarnings()
274
# Back up the /home directory, delete the entire jail, recreate the
275
# jail directory tree, then copy the /home back
276
# NOTE that shutil.move changed in Python 2.6, it now moves a
277
# directory INTO the target (like `mv`), which it didn't use to do.
278
# This code works regardless.
279
shutil.move(userhomedir, homebackup)
280
shutil.rmtree(userdir)
282
shutil.move(homebackup, userhomedir)
283
# Change the ownership of all the files to the right unixid
284
logging.debug("chown %s's home directory files to uid %d"
285
%(user.login, user.unixid))
286
os.spawnvp(os.P_WAIT, 'chown', ['chown', '-R', '%d:%d' % (user.unixid,
287
user.unixid), userhomedir])
289
# No user jail exists
290
# Set up the user's home directory
291
os.makedirs(userhomedir)
292
# Chown (and set the GID to the same as the UID).
293
os.chown(userhomedir, user.unixid, user.unixid)
294
# Chmod to rwxr-xr-x (755)
295
os.chmod(userhomedir, 0755)
297
make_ivle_conf(user.login, userdir, user.svn_pass, config)
298
make_etc_passwd(user.login, userdir, config['paths']['jails']['template'],
301
os.chmod(tmpdir, 01777)
305
def make_ivle_conf(username, user_jail_dir, svn_pass, sys_config):
306
"""Generate an ivle.conf for a user's jail.
308
Creates (overwriting any existing file, and creating directories) a
309
file /etc/ivle/ivle.conf in a given user's jail.
311
@param username: Username.
312
@param user_jail_dir: User's jail dir, ie. ['jails']['src'] + username
313
@param svn_pass: User's SVN password.
314
@param sys_config: An ivle.config.Config object (the system-wide config).
316
conf_path = os.path.join(user_jail_dir, "home/.ivle.conf")
317
if not os.path.exists(os.path.dirname(conf_path)):
318
os.makedirs(os.path.dirname(conf_path))
320
# In the "in-jail" version of conf, we don't need MOST of the details
321
# (it would be a security risk to have them here).
322
# So we just write root_dir.
323
conf_obj = ivle.config.Config(blank=True)
324
conf_obj.filename = conf_path
325
conf_obj['urls']['root'] = sys_config['urls']['root']
326
conf_obj['urls']['public_host'] = sys_config['urls']['public_host']
327
conf_obj['urls']['svn_addr'] = sys_config['urls']['svn_addr']
328
conf_obj['user_info']['login'] = username
329
conf_obj['user_info']['svn_pass'] = svn_pass
332
# Make this file world-readable
333
# (chmod 644 conf_path)
334
os.chmod(conf_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
337
def make_etc_passwd(username, user_jail_dir, template_dir, unixid):
338
"""Create a passwd file for a user's jail.
340
Creates /etc/passwd in the given user's jail. This will be identical to
341
that in the template jail, except for the added entry for this user.
343
template_passwd_path = os.path.join(template_dir, "home/.passwd")
344
passwd_path = os.path.join(user_jail_dir, "home/.passwd")
345
passwd_dir = os.path.dirname(passwd_path)
346
if not os.path.exists(passwd_dir):
347
os.makedirs(passwd_dir)
348
shutil.copy(template_passwd_path, passwd_path)
349
passwd_file = open(passwd_path, 'a')
350
passwd_file.write('%s:x:%d:%d::/home/%s:/bin/bash'
351
% (username, unixid, unixid, username))
added
removed
ivle/makeuser.py
