1
# IVLE - Informatics Virtual Learning Environment
2
# Copyright (C) 2007-2009 The University of Melbourne
4
# This program is free software; you can redistribute it and/or modify
5
# it under the terms of the GNU General Public License as published by
6
# the Free Software Foundation; either version 2 of the License, or
7
# (at your option) any later version.
9
# This program is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU General Public License for more details.
14
# You should have received a copy of the GNU General Public License
15
# along with this program; if not, write to the Free Software
16
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18
"""User and group filesystem management helpers."""
30
from storm.expr import Select, Max
33
from ivle.database import (User, ProjectGroup, Assessed, ProjectSubmission,
34
Project, ProjectSet, Offering, Enrolment, Subject, Semester)
36
def chown_to_webserver(filename):
37
"""chown a directory and its contents to the web server.
39
Recursively chowns a file or directory so the web server user owns it.
42
subprocess.call(['chown', '-R', 'www-data:www-data', filename])
44
def make_svn_repo(path, throw_on_error=True):
45
"""Create a Subversion repository at the given path."""
47
res = subprocess.call(['svnadmin', 'create', path])
48
if res != 0 and throw_on_error:
49
raise Exception("Cannot create repository: %s" % path)
50
except Exception, exc:
55
chown_to_webserver(path)
57
def rebuild_svn_config(store, config):
58
"""Build the complete SVN configuration file.
60
@param config: An ivle.config.Config object.
62
users = store.find(User)
63
conf_name = config['paths']['svn']['conf']
64
temp_name = conf_name + ".new"
65
f = open(temp_name, "w")
67
# IVLE SVN repository authorisation configuration
69
""" % {'time': time.asctime()})
75
""" % {'login': u.login.encode('utf-8')})
77
# Now we need to grant offering tutors and lecturers access to the latest
78
# submissions in their offerings. There are much prettier ways to do this,
79
# but a lot of browser requests call this function, so it needs to be
80
# fast. We can grab all of the paths needing authorisation directives with
81
# a single query, and we cache the list of viewers for each offering.
82
offering_viewers_cache = {}
83
for (login, psid, pspath, offeringid) in store.find(
84
(User.login, ProjectSubmission.id, ProjectSubmission.path,
86
Assessed.id == ProjectSubmission.assessed_id,
87
User.id == Assessed.user_id,
88
Project.id == Assessed.project_id,
89
ProjectSet.id == Project.project_set_id,
90
Offering.id == ProjectSet.offering_id,
91
ProjectSubmission.date_submitted == Select(
92
Max(ProjectSubmission.date_submitted),
93
ProjectSubmission.assessed_id == Assessed.id,
94
tables=ProjectSubmission
98
# Do we already have the list of logins authorised for this offering
99
# cached? If not, get it.
100
if offeringid not in offering_viewers_cache:
101
offering_viewers_cache[offeringid] = list(store.find(
103
User.id == Enrolment.user_id,
104
Enrolment.offering_id == offeringid,
105
Enrolment.role.is_in((u'tutor', u'lecturer')),
106
Enrolment.active == True,
113
""" % {'login': login.encode('utf-8'), 'id': psid,
114
'path': pspath.encode('utf-8')})
116
for viewer_login in offering_viewers_cache[offeringid]:
117
# We don't want to override the owner's write privilege,
118
# so we don't add them to the read-only ACL.
119
if login != viewer_login:
120
f.write("%s = r\n" % viewer_login.encode('utf-8'))
123
os.rename(temp_name, conf_name)
124
chown_to_webserver(conf_name)
126
def rebuild_svn_group_config(store, config):
127
"""Build the complete SVN configuration file for groups
129
@param config: An ivle.config.Config object.
131
conf_name = config['paths']['svn']['group_conf']
132
temp_name = conf_name + ".new"
133
f = open(temp_name, "w")
136
# IVLE SVN group repository authorisation configuration
137
# Generated: %(time)s
139
""" % {'time': time.asctime()})
141
group_members_cache = {}
142
for group in store.find(ProjectGroup):
143
offering = group.project_set.offering
144
reponame = "_".join([offering.subject.short_name,
145
offering.semester.year,
146
offering.semester.semester,
149
f.write("[%s:/]\n" % reponame.encode('utf-8'))
150
if group.id not in group_members_cache:
151
group_members_cache[group.id] = set()
152
for user in group.members:
153
group_members_cache[group.id].add(user.login)
154
f.write("%s = rw\n" % user.login.encode('utf-8'))
157
# Now we need to grant offering tutors and lecturers access to the latest
158
# submissions in their offerings. There are much prettier ways to do this,
159
# but a lot of browser requests call this function, so it needs to be
160
# fast. We can grab all of the paths needing authorisation directives with
161
# a single query, and we cache the list of viewers for each offering.
162
offering_viewers_cache = {}
163
for (ssn, year, sem, name, psid, pspath, gid, offeringid) in store.find(
164
(Subject.short_name, Semester.year, Semester.semester,
165
ProjectGroup.name, ProjectSubmission.id, ProjectSubmission.path,
166
ProjectGroup.id, Offering.id),
167
Assessed.id == ProjectSubmission.assessed_id,
168
ProjectGroup.id == Assessed.project_group_id,
169
Project.id == Assessed.project_id,
170
ProjectSet.id == Project.project_set_id,
171
Offering.id == ProjectSet.offering_id,
172
Subject.id == Offering.subject_id,
173
Semester.id == Offering.semester_id,
174
ProjectSubmission.date_submitted == Select(
175
Max(ProjectSubmission.date_submitted),
176
ProjectSubmission.assessed_id == Assessed.id,
177
tables=ProjectSubmission
181
reponame = "_".join([ssn, year, sem, name])
183
# Do we already have the list of logins authorised for this offering
184
# cached? If not, get it.
185
if offeringid not in offering_viewers_cache:
186
offering_viewers_cache[offeringid] = list(store.find(
188
User.id == Enrolment.user_id,
189
Enrolment.offering_id == offeringid,
190
Enrolment.role.is_in((u'tutor', u'lecturer')),
191
Enrolment.active == True,
198
""" % {'repo': reponame.encode('utf-8'), 'id': psid,
199
'path': pspath.encode('utf-8')})
201
for viewer_login in offering_viewers_cache[offeringid]:
202
# Skip existing group members, or they can't write to it any more.
203
if viewer_login not in group_members_cache[gid]:
204
f.write("%s = r\n" % viewer_login)
207
os.rename(temp_name, conf_name)
208
chown_to_webserver(conf_name)
210
def make_svn_auth(store, login, config, throw_on_error=True):
211
"""Create a Subversion password for a user.
213
Generates a new random Subversion password, and assigns it to the user.
214
The password is added to Apache's Subversion authentication file.
216
# filename is, eg, /var/lib/ivle/svn/ivle.auth
217
filename = config['paths']['svn']['auth_ivle']
218
if os.path.exists(filename):
223
user = User.get_by_login(store, login)
225
if user.svn_pass is None:
226
passwd = hashlib.md5(uuid.uuid4().bytes).hexdigest()
227
user.svn_pass = unicode(passwd)
229
res = subprocess.call(['htpasswd', '-%smb' % create,
230
filename, login, user.svn_pass])
231
if res != 0 and throw_on_error:
232
raise Exception("Unable to create ivle-auth for %s" % login)
234
# Make sure the file is owned by the web server
236
chown_to_webserver(filename)
240
def make_jail(user, config, force=True):
241
"""Create or update a user's jail.
243
Only the user-specific parts of the jail are created here - everything
244
else is expected to be part of another aufs branch.
246
Returns the path to the user's home directory.
248
Chowns the user's directory within the jail to the given UID.
250
@param force: If False, raise an exception if the user already has a jail.
251
If True (default), rebuild the jail preserving /home.
253
# MUST run as root or some of this may fail
255
raise Exception("Must run make_jail as root")
257
# tempdir is for putting backup homes in
258
jail_src_base = config['paths']['jails']['src']
259
tempdir = os.path.join(jail_src_base, '__temp__')
260
if not os.path.exists(tempdir):
262
elif not os.path.isdir(tempdir):
265
userdir = os.path.join(jail_src_base, user.login)
266
homedir = os.path.join(userdir, 'home')
267
tmpdir = os.path.join(userdir, 'tmp')
268
userhomedir = os.path.join(homedir, user.login) # Return value
270
if os.path.exists(userdir):
272
raise Exception("User's jail already exists")
273
# User jail already exists. Blow it away but preserve their home
274
# directory. It should be all that is there anyway, but you never
276
# Ignore warnings about the use of tempnam
277
warnings.simplefilter('ignore')
278
homebackup = os.tempnam(tempdir)
279
warnings.resetwarnings()
280
# Back up the /home directory, delete the entire jail, recreate the
281
# jail directory tree, then copy the /home back
282
# NOTE that shutil.move changed in Python 2.6, it now moves a
283
# directory INTO the target (like `mv`), which it didn't use to do.
284
# This code works regardless.
285
shutil.move(userhomedir, homebackup)
286
shutil.rmtree(userdir)
288
shutil.move(homebackup, userhomedir)
289
# Change the ownership of all the files to the right unixid
290
logging.debug("chown %s's home directory files to uid %d"
291
%(user.login, user.unixid))
292
os.spawnvp(os.P_WAIT, 'chown', ['chown', '-R', '%d:%d' % (user.unixid,
293
user.unixid), userhomedir])
295
# No user jail exists
296
# Set up the user's home directory
297
os.makedirs(userhomedir)
298
# Chown (and set the GID to the same as the UID).
299
os.chown(userhomedir, user.unixid, user.unixid)
300
# Chmod to rwxr-xr-x (755)
301
os.chmod(userhomedir, 0755)
303
make_ivle_conf(user.login, userdir, user.svn_pass, config)
304
make_etc_passwd(user.login, userdir, config['paths']['jails']['template'],
307
os.chmod(tmpdir, 01777)
311
def make_ivle_conf(username, user_jail_dir, svn_pass, sys_config):
312
"""Generate an ivle.conf for a user's jail.
314
Creates (overwriting any existing file, and creating directories) a
315
file /etc/ivle/ivle.conf in a given user's jail.
317
@param username: Username.
318
@param user_jail_dir: User's jail dir, ie. ['jails']['src'] + username
319
@param svn_pass: User's SVN password.
320
@param sys_config: An ivle.config.Config object (the system-wide config).
322
conf_path = os.path.join(user_jail_dir, "home/.ivle.conf")
323
if not os.path.exists(os.path.dirname(conf_path)):
324
os.makedirs(os.path.dirname(conf_path))
326
# In the "in-jail" version of conf, we don't need MOST of the details
327
# (it would be a security risk to have them here).
328
# So we just write root_dir.
329
conf_obj = ivle.config.Config(blank=True)
330
conf_obj.filename = conf_path
331
conf_obj['urls'] = {}
332
conf_obj['urls']['root'] = sys_config['urls']['root']
333
conf_obj['urls']['public_host'] = sys_config['urls']['public_host']
334
conf_obj['urls']['svn_addr'] = sys_config['urls']['svn_addr']
335
conf_obj['user_info'] = {}
336
conf_obj['user_info']['login'] = username
337
conf_obj['user_info']['svn_pass'] = svn_pass
340
# Make this file world-readable
341
# (chmod 644 conf_path)
342
os.chmod(conf_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
345
def make_etc_passwd(username, user_jail_dir, template_dir, unixid):
346
"""Create a passwd file for a user's jail.
348
Creates /etc/passwd in the given user's jail. This will be identical to
349
that in the template jail, except for the added entry for this user.
351
template_passwd_path = os.path.join(template_dir, "home/.passwd")
352
passwd_path = os.path.join(user_jail_dir, "home/.passwd")
353
passwd_dir = os.path.dirname(passwd_path)
354
if not os.path.exists(passwd_dir):
355
os.makedirs(passwd_dir)
356
shutil.copy(template_passwd_path, passwd_path)
357
passwd_file = open(passwd_path, 'a')
358
passwd_file.write('%s:x:%d:%d::/home/%s:/bin/bash'
359
% (username, unixid, unixid, username))