1
# IVLE - Informatics Virtual Learning Environment
2
# Copyright (C) 2007-2009 The University of Melbourne
4
# This program is free software; you can redistribute it and/or modify
5
# it under the terms of the GNU General Public License as published by
6
# the Free Software Foundation; either version 2 of the License, or
7
# (at your option) any later version.
9
# This program is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU General Public License for more details.
14
# You should have received a copy of the GNU General Public License
15
# along with this program; if not, write to the Free Software
16
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18
"""User and group filesystem management helpers."""
30
from storm.expr import Select, Max
33
from ivle.database import (User, ProjectGroup, Assessed, ProjectSubmission,
34
Project, ProjectSet, Offering, Enrolment, Subject, Semester)
36
def chown_to_webserver(filename):
37
"""chown a directory and its contents to the web server.
39
Recursively chowns a file or directory so the web server user owns it.
42
subprocess.call(['chown', '-R', 'www-data:www-data', filename])
44
def make_svn_repo(path, throw_on_error=True):
45
"""Create a Subversion repository at the given path."""
47
res = subprocess.call(['svnadmin', 'create', path])
48
if res != 0 and throw_on_error:
49
raise Exception("Cannot create repository: %s" % path)
50
except Exception, exc:
55
chown_to_webserver(path)
57
def rebuild_svn_config(store, config):
58
"""Build the complete SVN configuration file.
60
@param config: An ivle.config.Config object.
62
users = store.find(User)
63
conf_name = config['paths']['svn']['conf']
64
temp_name = conf_name + ".new"
65
f = open(temp_name, "w")
67
# IVLE SVN repository authorisation configuration
69
""" % {'time': time.asctime()})
75
""" % {'login': u.login})
77
# Now we need to grant offering tutors and lecturers access to the latest
78
# submissions in their offerings. There are much prettier ways to do this,
79
# but a lot of browser requests call this function, so it needs to be
80
# fast. We can grab all of the paths needing authorisation directives with
81
# a single query, and we cache the list of viewers for each offering.
82
offering_viewers_cache = {}
83
for (login, psid, pspath, offeringid) in store.find(
84
(User.login, ProjectSubmission.id, ProjectSubmission.path,
86
Assessed.id == ProjectSubmission.assessed_id,
87
User.id == Assessed.user_id,
88
Project.id == Assessed.project_id,
89
ProjectSet.id == Project.project_set_id,
90
Offering.id == ProjectSet.id,
91
ProjectSubmission.date_submitted == Select(
92
Max(ProjectSubmission.date_submitted),
93
ProjectSubmission.assessed_id == Assessed.id,
94
tables=ProjectSubmission
98
# Do we already have the list of logins authorised for this offering
99
# cached? If not, get it.
100
if offeringid not in offering_viewers_cache:
101
offering_viewers_cache[offeringid] = list(store.find(
103
User.id == Enrolment.user_id,
104
Enrolment.offering_id == offeringid,
105
Enrolment.role.is_in((u'tutor', u'lecturer'))
112
""" % {'login': login, 'id': psid, 'path': pspath})
114
for viewer_login in offering_viewers_cache[offeringid]:
115
# We don't want to override the owner's write privilege,
116
# so we don't add them to the read-only ACL.
117
if login != viewer_login:
118
f.write("%s = r\n" % viewer_login)
121
os.rename(temp_name, conf_name)
122
chown_to_webserver(conf_name)
124
def rebuild_svn_group_config(store, config):
125
"""Build the complete SVN configuration file for groups
127
@param config: An ivle.config.Config object.
129
conf_name = config['paths']['svn']['group_conf']
130
temp_name = conf_name + ".new"
131
f = open(temp_name, "w")
134
# IVLE SVN group repository authorisation configuration
135
# Generated: %(time)s
137
""" % {'time': time.asctime()})
139
group_members_cache = {}
140
for group in store.find(ProjectGroup):
141
offering = group.project_set.offering
142
reponame = "_".join([offering.subject.short_name,
143
offering.semester.year,
144
offering.semester.semester,
147
f.write("[%s:/]\n" % reponame)
148
if group.id not in group_members_cache:
149
group_members_cache[group.id] = set()
150
for user in group.members:
151
group_members_cache[group.id].add(user.login)
152
f.write("%s = rw\n" % user.login)
155
# Now we need to grant offering tutors and lecturers access to the latest
156
# submissions in their offerings. There are much prettier ways to do this,
157
# but a lot of browser requests call this function, so it needs to be
158
# fast. We can grab all of the paths needing authorisation directives with
159
# a single query, and we cache the list of viewers for each offering.
160
offering_viewers_cache = {}
161
for (ssn, year, sem, name, psid, pspath, gid, offeringid) in store.find(
162
(Subject.short_name, Semester.year, Semester.semester,
163
ProjectGroup.name, ProjectSubmission.id, ProjectSubmission.path,
164
ProjectGroup.id, Offering.id),
165
Assessed.id == ProjectSubmission.assessed_id,
166
ProjectGroup.id == Assessed.project_group_id,
167
Project.id == Assessed.project_id,
168
ProjectSet.id == Project.project_set_id,
169
Offering.id == ProjectSet.offering_id,
170
Subject.id == Offering.subject_id,
171
Semester.id == Offering.semester_id,
172
ProjectSubmission.date_submitted == Select(
173
Max(ProjectSubmission.date_submitted),
174
ProjectSubmission.assessed_id == Assessed.id,
175
tables=ProjectSubmission
179
reponame = "_".join([ssn, year, sem, name])
181
# Do we already have the list of logins authorised for this offering
182
# cached? If not, get it.
183
if offeringid not in offering_viewers_cache:
184
offering_viewers_cache[offeringid] = list(store.find(
186
User.id == Enrolment.user_id,
187
Enrolment.offering_id == offeringid,
188
Enrolment.role.is_in((u'tutor', u'lecturer'))
195
""" % {'repo': reponame, 'id': psid, 'path': pspath})
197
for viewer_login in offering_viewers_cache[offeringid]:
198
# Skip existing group members, or they can't write to it any more.
199
if viewer_login not in group_members_cache[gid]:
200
f.write("%s = r\n" % viewer_login)
203
os.rename(temp_name, conf_name)
204
chown_to_webserver(conf_name)
206
def make_svn_auth(store, login, config, throw_on_error=True):
207
"""Create a Subversion password for a user.
209
Generates a new random Subversion password, and assigns it to the user.
210
The password is added to Apache's Subversion authentication file.
212
# filename is, eg, /var/lib/ivle/svn/ivle.auth
213
filename = config['paths']['svn']['auth_ivle']
214
if os.path.exists(filename):
219
user = User.get_by_login(store, login)
221
if user.svn_pass is None:
222
passwd = hashlib.md5(uuid.uuid4().bytes).hexdigest()
223
user.svn_pass = unicode(passwd)
225
res = subprocess.call(['htpasswd', '-%smb' % create,
226
filename, login, user.svn_pass])
227
if res != 0 and throw_on_error:
228
raise Exception("Unable to create ivle-auth for %s" % login)
230
# Make sure the file is owned by the web server
232
chown_to_webserver(filename)
236
def make_jail(user, config, force=True):
237
"""Create or update a user's jail.
239
Only the user-specific parts of the jail are created here - everything
240
else is expected to be part of another aufs branch.
242
Returns the path to the user's home directory.
244
Chowns the user's directory within the jail to the given UID.
246
@param force: If False, raise an exception if the user already has a jail.
247
If True (default), rebuild the jail preserving /home.
249
# MUST run as root or some of this may fail
251
raise Exception("Must run make_jail as root")
253
# tempdir is for putting backup homes in
254
jail_src_base = config['paths']['jails']['src']
255
tempdir = os.path.join(jail_src_base, '__temp__')
256
if not os.path.exists(tempdir):
258
elif not os.path.isdir(tempdir):
261
userdir = os.path.join(jail_src_base, user.login)
262
homedir = os.path.join(userdir, 'home')
263
tmpdir = os.path.join(userdir, 'tmp')
264
userhomedir = os.path.join(homedir, user.login) # Return value
266
if os.path.exists(userdir):
268
raise Exception("User's jail already exists")
269
# User jail already exists. Blow it away but preserve their home
270
# directory. It should be all that is there anyway, but you never
272
# Ignore warnings about the use of tmpnam
273
warnings.simplefilter('ignore')
274
homebackup = os.tempnam(tempdir)
275
warnings.resetwarnings()
276
# Back up the /home directory, delete the entire jail, recreate the
277
# jail directory tree, then copy the /home back
278
# NOTE that shutil.move changed in Python 2.6, it now moves a
279
# directory INTO the target (like `mv`), which it didn't use to do.
280
# This code works regardless.
281
shutil.move(userhomedir, homebackup)
282
shutil.rmtree(userdir)
284
shutil.move(homebackup, userhomedir)
285
# Change the ownership of all the files to the right unixid
286
logging.debug("chown %s's home directory files to uid %d"
287
%(user.login, user.unixid))
288
os.spawnvp(os.P_WAIT, 'chown', ['chown', '-R', '%d:%d' % (user.unixid,
289
user.unixid), userhomedir])
291
# No user jail exists
292
# Set up the user's home directory
293
os.makedirs(userhomedir)
294
# Chown (and set the GID to the same as the UID).
295
os.chown(userhomedir, user.unixid, user.unixid)
296
# Chmod to rwxr-xr-x (755)
297
os.chmod(userhomedir, 0755)
299
make_ivle_conf(user.login, userdir, user.svn_pass, config)
300
make_etc_passwd(user.login, userdir, config['paths']['jails']['template'],
303
os.chmod(tmpdir, 01777)
307
def make_ivle_conf(username, user_jail_dir, svn_pass, sys_config):
308
"""Generate an ivle.conf for a user's jail.
310
Creates (overwriting any existing file, and creating directories) a
311
file /etc/ivle/ivle.conf in a given user's jail.
313
@param username: Username.
314
@param user_jail_dir: User's jail dir, ie. ['jails']['src'] + username
315
@param svn_pass: User's SVN password.
316
@param sys_config: An ivle.config.Config object (the system-wide config).
318
conf_path = os.path.join(user_jail_dir, "home/.ivle.conf")
319
if not os.path.exists(os.path.dirname(conf_path)):
320
os.makedirs(os.path.dirname(conf_path))
322
# In the "in-jail" version of conf, we don't need MOST of the details
323
# (it would be a security risk to have them here).
324
# So we just write root_dir.
325
conf_obj = ivle.config.Config(blank=True)
326
conf_obj.filename = conf_path
327
conf_obj['urls']['root'] = sys_config['urls']['root']
328
conf_obj['urls']['public_host'] = sys_config['urls']['public_host']
329
conf_obj['urls']['svn_addr'] = sys_config['urls']['svn_addr']
330
conf_obj['user_info']['login'] = username
331
conf_obj['user_info']['svn_pass'] = svn_pass
334
# Make this file world-readable
335
# (chmod 644 conf_path)
336
os.chmod(conf_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
339
def make_etc_passwd(username, user_jail_dir, template_dir, unixid):
340
"""Create a passwd file for a user's jail.
342
Creates /etc/passwd in the given user's jail. This will be identical to
343
that in the template jail, except for the added entry for this user.
345
template_passwd_path = os.path.join(template_dir, "home/.passwd")
346
passwd_path = os.path.join(user_jail_dir, "home/.passwd")
347
passwd_dir = os.path.dirname(passwd_path)
348
if not os.path.exists(passwd_dir):
349
os.makedirs(passwd_dir)
350
shutil.copy(template_passwd_path, passwd_path)
351
passwd_file = open(passwd_path, 'a')
352
passwd_file.write('%s:x:%d:%d::/home/%s:/bin/bash'
353
% (username, unixid, unixid, username))