1
# IVLE - Informatics Virtual Learning Environment
2
# Copyright (C) 2007-2009 The University of Melbourne
4
# This program is free software; you can redistribute it and/or modify
5
# it under the terms of the GNU General Public License as published by
6
# the Free Software Foundation; either version 2 of the License, or
7
# (at your option) any later version.
9
# This program is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU General Public License for more details.
14
# You should have received a copy of the GNU General Public License
15
# along with this program; if not, write to the Free Software
16
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18
"""User and group filesystem management helpers."""
30
from storm.expr import Select, Max
33
from ivle.database import (User, ProjectGroup, Assessed, ProjectSubmission,
34
Project, ProjectSet, Offering, Enrolment, Subject, Semester)
36
def chown_to_webserver(filename):
37
"""chown a directory and its contents to the web server.
39
Recursively chowns a file or directory so the web server user owns it.
42
subprocess.call(['chown', '-R', 'www-data:www-data', filename])
44
def make_svn_repo(path, throw_on_error=True):
45
"""Create a Subversion repository at the given path."""
47
res = subprocess.call(['svnadmin', 'create', path])
48
if res != 0 and throw_on_error:
49
raise Exception("Cannot create repository: %s" % path)
50
except Exception, exc:
55
chown_to_webserver(path)
57
def rebuild_svn_config(store, config):
58
"""Build the complete SVN configuration file.
60
@param config: An ivle.config.Config object.
62
users = store.find(User)
63
conf_name = config['paths']['svn']['conf']
64
temp_name = conf_name + ".new"
65
f = open(temp_name, "w")
67
# IVLE SVN repository authorisation configuration
69
""" % {'time': time.asctime()})
75
""" % {'login': u.login})
77
# Now we need to grant offering tutors and lecturers access to the latest
78
# submissions in their offerings. There are much prettier ways to do this,
79
# but a lot of browser requests call this function, so it needs to be
80
# fast. We can grab all of the paths needing authorisation directives with
81
# a single query, and we cache the list of viewers for each offering.
82
offering_viewers_cache = {}
83
for (login, psid, pspath, offeringid) in store.find(
84
(User.login, ProjectSubmission.id, ProjectSubmission.path,
86
Assessed.id == ProjectSubmission.assessed_id,
87
User.id == Assessed.user_id,
88
Project.id == Assessed.project_id,
89
ProjectSet.id == Project.project_set_id,
90
Offering.id == ProjectSet.id,
91
ProjectSubmission.date_submitted == Select(
92
Max(ProjectSubmission.date_submitted),
93
ProjectSubmission.assessed_id == Assessed.id,
94
tables=ProjectSubmission
98
# Do we already have the list of logins authorised for this offering
99
# cached? If not, get it.
100
if offeringid not in offering_viewers_cache:
101
offering_viewers_cache[offeringid] = list(store.find(
103
User.id == Enrolment.user_id,
104
Enrolment.offering_id == offeringid,
105
Enrolment.role.is_in((u'tutor', u'lecturer')),
106
Enrolment.active == True,
113
""" % {'login': login, 'id': psid, 'path': pspath})
115
for viewer_login in offering_viewers_cache[offeringid]:
116
# We don't want to override the owner's write privilege,
117
# so we don't add them to the read-only ACL.
118
if login != viewer_login:
119
f.write("%s = r\n" % viewer_login)
122
os.rename(temp_name, conf_name)
123
chown_to_webserver(conf_name)
125
def rebuild_svn_group_config(store, config):
126
"""Build the complete SVN configuration file for groups
128
@param config: An ivle.config.Config object.
130
conf_name = config['paths']['svn']['group_conf']
131
temp_name = conf_name + ".new"
132
f = open(temp_name, "w")
135
# IVLE SVN group repository authorisation configuration
136
# Generated: %(time)s
138
""" % {'time': time.asctime()})
140
group_members_cache = {}
141
for group in store.find(ProjectGroup):
142
offering = group.project_set.offering
143
reponame = "_".join([offering.subject.short_name,
144
offering.semester.year,
145
offering.semester.semester,
148
f.write("[%s:/]\n" % reponame)
149
if group.id not in group_members_cache:
150
group_members_cache[group.id] = set()
151
for user in group.members:
152
group_members_cache[group.id].add(user.login)
153
f.write("%s = rw\n" % user.login)
156
# Now we need to grant offering tutors and lecturers access to the latest
157
# submissions in their offerings. There are much prettier ways to do this,
158
# but a lot of browser requests call this function, so it needs to be
159
# fast. We can grab all of the paths needing authorisation directives with
160
# a single query, and we cache the list of viewers for each offering.
161
offering_viewers_cache = {}
162
for (ssn, year, sem, name, psid, pspath, gid, offeringid) in store.find(
163
(Subject.short_name, Semester.year, Semester.semester,
164
ProjectGroup.name, ProjectSubmission.id, ProjectSubmission.path,
165
ProjectGroup.id, Offering.id),
166
Assessed.id == ProjectSubmission.assessed_id,
167
ProjectGroup.id == Assessed.project_group_id,
168
Project.id == Assessed.project_id,
169
ProjectSet.id == Project.project_set_id,
170
Offering.id == ProjectSet.offering_id,
171
Subject.id == Offering.subject_id,
172
Semester.id == Offering.semester_id,
173
ProjectSubmission.date_submitted == Select(
174
Max(ProjectSubmission.date_submitted),
175
ProjectSubmission.assessed_id == Assessed.id,
176
tables=ProjectSubmission
180
reponame = "_".join([ssn, year, sem, name])
182
# Do we already have the list of logins authorised for this offering
183
# cached? If not, get it.
184
if offeringid not in offering_viewers_cache:
185
offering_viewers_cache[offeringid] = list(store.find(
187
User.id == Enrolment.user_id,
188
Enrolment.offering_id == offeringid,
189
Enrolment.role.is_in((u'tutor', u'lecturer')),
190
Enrolment.active == True,
197
""" % {'repo': reponame, 'id': psid, 'path': pspath})
199
for viewer_login in offering_viewers_cache[offeringid]:
200
# Skip existing group members, or they can't write to it any more.
201
if viewer_login not in group_members_cache[gid]:
202
f.write("%s = r\n" % viewer_login)
205
os.rename(temp_name, conf_name)
206
chown_to_webserver(conf_name)
208
def make_svn_auth(store, login, config, throw_on_error=True):
209
"""Create a Subversion password for a user.
211
Generates a new random Subversion password, and assigns it to the user.
212
The password is added to Apache's Subversion authentication file.
214
# filename is, eg, /var/lib/ivle/svn/ivle.auth
215
filename = config['paths']['svn']['auth_ivle']
216
if os.path.exists(filename):
221
user = User.get_by_login(store, login)
223
if user.svn_pass is None:
224
passwd = hashlib.md5(uuid.uuid4().bytes).hexdigest()
225
user.svn_pass = unicode(passwd)
227
res = subprocess.call(['htpasswd', '-%smb' % create,
228
filename, login, user.svn_pass])
229
if res != 0 and throw_on_error:
230
raise Exception("Unable to create ivle-auth for %s" % login)
232
# Make sure the file is owned by the web server
234
chown_to_webserver(filename)
238
def make_jail(user, config, force=True):
239
"""Create or update a user's jail.
241
Only the user-specific parts of the jail are created here - everything
242
else is expected to be part of another aufs branch.
244
Returns the path to the user's home directory.
246
Chowns the user's directory within the jail to the given UID.
248
@param force: If False, raise an exception if the user already has a jail.
249
If True (default), rebuild the jail preserving /home.
251
# MUST run as root or some of this may fail
253
raise Exception("Must run make_jail as root")
255
# tempdir is for putting backup homes in
256
jail_src_base = config['paths']['jails']['src']
257
tempdir = os.path.join(jail_src_base, '__temp__')
258
if not os.path.exists(tempdir):
260
elif not os.path.isdir(tempdir):
263
userdir = os.path.join(jail_src_base, user.login)
264
homedir = os.path.join(userdir, 'home')
265
tmpdir = os.path.join(userdir, 'tmp')
266
userhomedir = os.path.join(homedir, user.login) # Return value
268
if os.path.exists(userdir):
270
raise Exception("User's jail already exists")
271
# User jail already exists. Blow it away but preserve their home
272
# directory. It should be all that is there anyway, but you never
274
# Ignore warnings about the use of tempnam
275
warnings.simplefilter('ignore')
276
homebackup = os.tempnam(tempdir)
277
warnings.resetwarnings()
278
# Back up the /home directory, delete the entire jail, recreate the
279
# jail directory tree, then copy the /home back
280
# NOTE that shutil.move changed in Python 2.6, it now moves a
281
# directory INTO the target (like `mv`), which it didn't use to do.
282
# This code works regardless.
283
shutil.move(userhomedir, homebackup)
284
shutil.rmtree(userdir)
286
shutil.move(homebackup, userhomedir)
287
# Change the ownership of all the files to the right unixid
288
logging.debug("chown %s's home directory files to uid %d"
289
%(user.login, user.unixid))
290
os.spawnvp(os.P_WAIT, 'chown', ['chown', '-R', '%d:%d' % (user.unixid,
291
user.unixid), userhomedir])
293
# No user jail exists
294
# Set up the user's home directory
295
os.makedirs(userhomedir)
296
# Chown (and set the GID to the same as the UID).
297
os.chown(userhomedir, user.unixid, user.unixid)
298
# Chmod to rwxr-xr-x (755)
299
os.chmod(userhomedir, 0755)
301
make_ivle_conf(user.login, userdir, user.svn_pass, config)
302
make_etc_passwd(user.login, userdir, config['paths']['jails']['template'],
305
os.chmod(tmpdir, 01777)
309
def make_ivle_conf(username, user_jail_dir, svn_pass, sys_config):
310
"""Generate an ivle.conf for a user's jail.
312
Creates (overwriting any existing file, and creating directories) a
313
file /etc/ivle/ivle.conf in a given user's jail.
315
@param username: Username.
316
@param user_jail_dir: User's jail dir, ie. ['jails']['src'] + username
317
@param svn_pass: User's SVN password.
318
@param sys_config: An ivle.config.Config object (the system-wide config).
320
conf_path = os.path.join(user_jail_dir, "home/.ivle.conf")
321
if not os.path.exists(os.path.dirname(conf_path)):
322
os.makedirs(os.path.dirname(conf_path))
324
# In the "in-jail" version of conf, we don't need MOST of the details
325
# (it would be a security risk to have them here).
326
# So we just write root_dir.
327
conf_obj = ivle.config.Config(blank=True)
328
conf_obj.filename = conf_path
329
conf_obj['urls'] = {}
330
conf_obj['urls']['root'] = sys_config['urls']['root']
331
conf_obj['urls']['public_host'] = sys_config['urls']['public_host']
332
conf_obj['urls']['svn_addr'] = sys_config['urls']['svn_addr']
333
conf_obj['user_info'] = {}
334
conf_obj['user_info']['login'] = username
335
conf_obj['user_info']['svn_pass'] = svn_pass
338
# Make this file world-readable
339
# (chmod 644 conf_path)
340
os.chmod(conf_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
343
def make_etc_passwd(username, user_jail_dir, template_dir, unixid):
344
"""Create a passwd file for a user's jail.
346
Creates /etc/passwd in the given user's jail. This will be identical to
347
that in the template jail, except for the added entry for this user.
349
template_passwd_path = os.path.join(template_dir, "home/.passwd")
350
passwd_path = os.path.join(user_jail_dir, "home/.passwd")
351
passwd_dir = os.path.dirname(passwd_path)
352
if not os.path.exists(passwd_dir):
353
os.makedirs(passwd_dir)
354
shutil.copy(template_passwd_path, passwd_path)
355
passwd_file = open(passwd_path, 'a')
356
passwd_file.write('%s:x:%d:%d::/home/%s:/bin/bash'
357
% (username, unixid, unixid, username))
added
removed
ivle/makeuser.py
