2014-10-01 16:42:40 +00:00
|
|
|
import os
|
2014-07-25 15:17:50 +00:00
|
|
|
import textwrap
|
|
|
|
|
2014-05-08 16:59:35 +00:00
|
|
|
from django.utils.translation import ugettext_lazy as _
|
|
|
|
|
2015-04-05 18:02:36 +00:00
|
|
|
from orchestra.contrib.orchestration import ServiceController, replace
|
2015-04-05 10:46:24 +00:00
|
|
|
from orchestra.contrib.resources import ServiceMonitor
|
2014-05-08 16:59:35 +00:00
|
|
|
|
2014-10-01 16:42:40 +00:00
|
|
|
from . import settings
|
2014-05-08 16:59:35 +00:00
|
|
|
|
2014-10-01 16:42:40 +00:00
|
|
|
|
2015-04-05 18:02:36 +00:00
|
|
|
class UNIXUserBackend(ServiceController):
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
2015-04-24 11:39:20 +00:00
|
|
|
Basic UNIX system user/group support based on <tt>useradd</tt>, <tt>usermod</tt>, <tt>userdel</tt> and <tt>groupdel</tt>.
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
2015-04-05 18:02:36 +00:00
|
|
|
verbose_name = _("UNIX user")
|
2014-09-30 16:06:42 +00:00
|
|
|
model = 'systemusers.SystemUser'
|
2015-05-11 14:05:39 +00:00
|
|
|
actions = ('save', 'delete', 'set_permission', 'validate_path')
|
2015-04-24 11:39:20 +00:00
|
|
|
doc_settings = (settings,
|
|
|
|
('SYSTEMUSERS_DEFAULT_GROUP_MEMBERS', 'SYSTEMUSERS_MOVE_ON_DELETE_PATH')
|
|
|
|
)
|
2014-10-01 16:42:40 +00:00
|
|
|
|
|
|
|
def save(self, user):
|
|
|
|
context = self.get_context(user)
|
2015-04-04 17:44:07 +00:00
|
|
|
if not context['user']:
|
|
|
|
return
|
2014-10-01 16:42:40 +00:00
|
|
|
groups = ','.join(self.get_groups(user))
|
|
|
|
context['groups_arg'] = '--groups %s' % groups if groups else ''
|
2015-03-26 16:00:30 +00:00
|
|
|
# TODO userd add will fail if %(user)s group already exists
|
2014-10-01 16:42:40 +00:00
|
|
|
self.append(textwrap.dedent("""
|
2015-03-10 21:51:10 +00:00
|
|
|
if [[ $( id %(user)s ) ]]; then
|
|
|
|
usermod %(user)s --password '%(password)s' --shell %(shell)s %(groups_arg)s
|
2014-10-01 16:42:40 +00:00
|
|
|
else
|
2015-03-10 21:51:10 +00:00
|
|
|
useradd %(user)s --home %(home)s --password '%(password)s' --shell %(shell)s %(groups_arg)s
|
2014-10-01 16:42:40 +00:00
|
|
|
fi
|
|
|
|
mkdir -p %(home)s
|
2015-02-27 16:57:39 +00:00
|
|
|
chmod 750 %(home)s
|
2015-03-10 21:51:10 +00:00
|
|
|
chown %(user)s:%(user)s %(home)s""") % context
|
2015-03-10 16:57:23 +00:00
|
|
|
)
|
2015-04-05 22:34:47 +00:00
|
|
|
if context['home'] != context['base_home']:
|
|
|
|
self.append(textwrap.dedent("""
|
|
|
|
mkdir -p %(base_home)s
|
|
|
|
chmod 750 %(base_home)s
|
|
|
|
chown %(user)s:%(user)s %(base_home)s""") % context
|
|
|
|
)
|
2014-10-28 09:51:27 +00:00
|
|
|
for member in settings.SYSTEMUSERS_DEFAULT_GROUP_MEMBERS:
|
|
|
|
context['member'] = member
|
2015-04-09 14:32:10 +00:00
|
|
|
self.append('usermod -a -G %(user)s %(member)s || exit_code=$?' % context)
|
2014-10-28 09:51:27 +00:00
|
|
|
if not user.is_main:
|
2015-04-09 14:32:10 +00:00
|
|
|
self.append('usermod -a -G %(user)s %(mainuser)s || exit_code=$?' % context)
|
2014-10-01 16:42:40 +00:00
|
|
|
|
|
|
|
def delete(self, user):
|
|
|
|
context = self.get_context(user)
|
2015-04-04 17:44:07 +00:00
|
|
|
if not context['user']:
|
|
|
|
return
|
2015-03-02 12:07:27 +00:00
|
|
|
self.append(textwrap.dedent("""\
|
2015-03-10 21:51:10 +00:00
|
|
|
{ sleep 2 && killall -u %(user)s -s KILL; } &
|
|
|
|
killall -u %(user)s || true
|
2015-04-26 13:53:00 +00:00
|
|
|
userdel %(user)s || exit_code=$?
|
|
|
|
groupdel %(group)s || exit_code=$?
|
2015-04-05 22:34:47 +00:00
|
|
|
""") % context
|
2015-03-10 16:57:23 +00:00
|
|
|
)
|
2015-04-09 14:32:10 +00:00
|
|
|
if context['deleted_home']:
|
2015-04-26 13:53:00 +00:00
|
|
|
self.append("mv %(base_home)s %(deleted_home)s || exit_code=$?" % context)
|
2015-04-09 14:32:10 +00:00
|
|
|
else:
|
|
|
|
self.append("rm -fr %(base_home)s" % context)
|
2014-10-17 10:04:47 +00:00
|
|
|
|
2015-05-11 14:05:39 +00:00
|
|
|
def set_permission(self, user):
|
2014-11-14 16:52:54 +00:00
|
|
|
context = self.get_context(user)
|
2015-05-08 14:05:57 +00:00
|
|
|
context.update({
|
2015-05-11 14:05:39 +00:00
|
|
|
'perm_action': user.set_perm_action,
|
|
|
|
'perm_home': user.set_perm_base_home,
|
|
|
|
'perm_to': os.path.join(user.set_perm_base_home, user.set_perm_home_extension),
|
|
|
|
'exclude': '',
|
2015-05-08 14:05:57 +00:00
|
|
|
})
|
2015-05-11 14:05:39 +00:00
|
|
|
|
|
|
|
exclude_acl = []
|
|
|
|
for exclude in settings.SYSTEMUSERS_EXLUDE_ACL_PATHS:
|
|
|
|
context['exclude'] = exclude
|
|
|
|
exclude_acl.append('-not -path "%(perm_home)s/%(exclude)s"' % context)
|
|
|
|
if exclude_acl:
|
|
|
|
context['exclude'] = ' \\\n -a '.join(exclude_acl)
|
|
|
|
|
|
|
|
if user.set_perm_perms == 'read-write':
|
|
|
|
context['perm_perms'] = 'rwx' if user.set_perm_action == 'grant' else '---'
|
|
|
|
elif user.set_perm_perms == 'read-only':
|
|
|
|
context['perm_perms'] = 'r-x' if user.set_perm_action == 'grant' else '-wx'
|
|
|
|
elif user.set_perm_perms == 'write-only':
|
|
|
|
context['perm_perms'] = '-wx' if user.set_perm_action == 'grant' else 'r-x'
|
|
|
|
if user.set_perm_action == 'grant':
|
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
# Home access
|
|
|
|
setfacl -m u:%(user)s:--x '%(perm_home)s'
|
|
|
|
# Grant perms to existing and future files
|
|
|
|
find '%(perm_to)s' %(exclude)s \\
|
|
|
|
-exec setfacl -m u:%(user)s:%(perm_perms)s {} \\;
|
|
|
|
find '%(perm_to)s' -type d %(exclude)s \\
|
|
|
|
-exec setfacl -m d:u:%(user)s:%(perm_perms)s {} \\;
|
|
|
|
# Account group as the owner of new files
|
|
|
|
chmod g+s '%(perm_to)s'
|
|
|
|
""") % context
|
|
|
|
)
|
|
|
|
if not user.is_main:
|
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
# Grant access to main user
|
|
|
|
find '%(perm_to)s' -type d %(exclude)s \\
|
|
|
|
-exec setfacl -m d:u:%(mainuser)s:rwx {} \\;
|
|
|
|
""") % context
|
|
|
|
)
|
|
|
|
elif user.set_perm_action == 'revoke':
|
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
# Revoke permissions
|
|
|
|
find '%(perm_to)s' %(exclude)s \\
|
|
|
|
-exec setfacl -m u:%(user)s:%(perm_perms)s {} \\;
|
|
|
|
""") % context
|
|
|
|
)
|
2015-05-08 14:05:57 +00:00
|
|
|
else:
|
2015-05-11 14:05:39 +00:00
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
def validate_path(self, user):
|
|
|
|
context = {
|
|
|
|
'perm_to': os.path.join(user.set_perm_base_home, user.set_perm_home_extension)
|
|
|
|
}
|
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
if [[ ! -e '%(perm_to)s' ]]; then
|
|
|
|
echo "%(perm_to)s path does not exists." >&2
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
""") % context
|
|
|
|
)
|
2014-11-14 16:52:54 +00:00
|
|
|
|
2014-10-01 16:42:40 +00:00
|
|
|
def get_groups(self, user):
|
|
|
|
if user.is_main:
|
2014-10-02 15:58:27 +00:00
|
|
|
return user.account.systemusers.exclude(username=user.username).values_list('username', flat=True)
|
2014-10-28 09:51:27 +00:00
|
|
|
return list(user.groups.values_list('username', flat=True))
|
2014-10-01 16:42:40 +00:00
|
|
|
|
|
|
|
def get_context(self, user):
|
|
|
|
context = {
|
2014-11-18 17:47:26 +00:00
|
|
|
'object_id': user.pk,
|
2015-03-10 21:51:10 +00:00
|
|
|
'user': user.username,
|
|
|
|
'group': user.username,
|
2014-10-01 16:42:40 +00:00
|
|
|
'password': user.password if user.active else '*%s' % user.password,
|
|
|
|
'shell': user.shell,
|
2015-03-10 21:51:10 +00:00
|
|
|
'mainuser': user.username if user.is_main else user.account.username,
|
2015-04-05 22:34:47 +00:00
|
|
|
'home': user.get_home(),
|
2015-04-07 15:14:49 +00:00
|
|
|
'base_home': user.get_base_home(),
|
2014-10-01 16:42:40 +00:00
|
|
|
}
|
2015-04-09 14:32:10 +00:00
|
|
|
context['deleted_home'] = settings.SYSTEMUSERS_MOVE_ON_DELETE_PATH % context
|
2015-04-05 18:02:36 +00:00
|
|
|
return replace(context, "'", '"')
|
2014-10-01 16:42:40 +00:00
|
|
|
|
|
|
|
|
2015-04-05 18:02:36 +00:00
|
|
|
class UNIXUserDisk(ServiceMonitor):
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
2015-04-24 11:39:20 +00:00
|
|
|
<tt>du -bs <home></tt>
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
2014-10-01 16:42:40 +00:00
|
|
|
model = 'systemusers.SystemUser'
|
|
|
|
resource = ServiceMonitor.DISK
|
2015-04-05 18:02:36 +00:00
|
|
|
verbose_name = _('UNIX user disk')
|
2014-11-18 17:47:26 +00:00
|
|
|
|
|
|
|
def prepare(self):
|
2015-04-05 18:02:36 +00:00
|
|
|
super(UNIXUserDisk, self).prepare()
|
2014-11-18 17:47:26 +00:00
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
function monitor () {
|
|
|
|
{ du -bs "$1" || echo 0; } | awk {'print $1'}
|
|
|
|
}"""
|
|
|
|
))
|
2014-10-01 16:42:40 +00:00
|
|
|
|
|
|
|
def monitor(self, user):
|
|
|
|
context = self.get_context(user)
|
2015-04-05 22:34:47 +00:00
|
|
|
self.append("echo %(object_id)s $(monitor %(base_home)s)" % context)
|
2014-10-01 16:42:40 +00:00
|
|
|
|
|
|
|
def get_context(self, user):
|
2015-03-20 15:13:08 +00:00
|
|
|
context = {
|
2014-10-01 16:42:40 +00:00
|
|
|
'object_id': user.pk,
|
2015-04-05 22:34:47 +00:00
|
|
|
'base_home': user.get_base_home(),
|
2014-10-01 16:42:40 +00:00
|
|
|
}
|
2015-04-05 18:02:36 +00:00
|
|
|
return replace(context, "'", '"')
|
2015-03-20 15:13:08 +00:00
|
|
|
|
|
|
|
|
|
|
|
class Exim4Traffic(ServiceMonitor):
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
2015-04-24 11:39:20 +00:00
|
|
|
Exim4 mainlog parser for mails sent on the webserver by system users (e.g. via PHP <tt>mail()</tt>)
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
2015-03-20 15:13:08 +00:00
|
|
|
model = 'systemusers.SystemUser'
|
|
|
|
resource = ServiceMonitor.TRAFFIC
|
2015-04-05 18:02:36 +00:00
|
|
|
verbose_name = _("Exim4 traffic")
|
2015-03-20 15:13:08 +00:00
|
|
|
script_executable = '/usr/bin/python'
|
2015-04-24 11:39:20 +00:00
|
|
|
doc_settings = (settings,
|
|
|
|
('SYSTEMUSERS_MAIL_LOG_PATH',)
|
|
|
|
)
|
2015-03-20 15:13:08 +00:00
|
|
|
|
|
|
|
def prepare(self):
|
2015-04-07 15:14:49 +00:00
|
|
|
mainlog = settings.SYSTEMUSERS_MAIL_LOG_PATH
|
2015-03-20 15:13:08 +00:00
|
|
|
context = {
|
|
|
|
'current_date': self.current_date.strftime("%Y-%m-%d %H:%M:%S %Z"),
|
|
|
|
'mainlogs': str((mainlog, mainlog+'.1')),
|
|
|
|
}
|
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
import re
|
|
|
|
import sys
|
|
|
|
from datetime import datetime
|
|
|
|
from dateutil import tz
|
|
|
|
|
|
|
|
def to_local_timezone(date, tzlocal=tz.tzlocal()):
|
|
|
|
date = datetime.strptime(date, '%Y-%m-%d %H:%M:%S %Z')
|
|
|
|
date = date.replace(tzinfo=tz.tzutc())
|
|
|
|
date = date.astimezone(tzlocal)
|
|
|
|
return date
|
|
|
|
|
|
|
|
mainlogs = {mainlogs}
|
|
|
|
# Use local timezone
|
|
|
|
end_date = to_local_timezone('{current_date}')
|
|
|
|
end_date = int(end_date.strftime('%Y%m%d%H%M%S'))
|
|
|
|
users = {{}}
|
|
|
|
|
|
|
|
def prepare(object_id, username, ini_date):
|
|
|
|
global users
|
|
|
|
ini_date = to_local_timezone(ini_date)
|
|
|
|
ini_date = int(ini_date.strftime('%Y%m%d%H%M%S'))
|
|
|
|
users[username] = [ini_date, object_id, 0]
|
|
|
|
|
|
|
|
def monitor(users, end_date, mainlogs):
|
|
|
|
user_regex = re.compile(r' U=([^ ]+) ')
|
|
|
|
for mainlog in mainlogs:
|
|
|
|
try:
|
|
|
|
with open(mainlog, 'r') as mainlog:
|
|
|
|
for line in mainlog.readlines():
|
|
|
|
if ' <= ' in line and 'P=local' in line:
|
2015-03-29 16:10:07 +00:00
|
|
|
username = user_regex.search(line).groups()[0]
|
2015-03-20 15:13:08 +00:00
|
|
|
try:
|
|
|
|
sender = users[username]
|
|
|
|
except KeyError:
|
|
|
|
continue
|
|
|
|
else:
|
|
|
|
date, time, id, __, __, user, protocol, size = line.split()[:8]
|
|
|
|
date = date.replace('-', '')
|
|
|
|
date += time.replace(':', '')
|
|
|
|
if sender[0] < int(date) < end_date:
|
|
|
|
sender[2] += int(size[2:])
|
|
|
|
except IOError as e:
|
|
|
|
sys.stderr.write(e)
|
|
|
|
|
2015-04-16 13:15:21 +00:00
|
|
|
for username, opts in users.iteritems():
|
2015-03-20 15:13:08 +00:00
|
|
|
__, object_id, size = opts
|
|
|
|
print object_id, size
|
|
|
|
""").format(**context)
|
|
|
|
)
|
|
|
|
|
|
|
|
def commit(self):
|
|
|
|
self.append('monitor(users, end_date, mainlogs)')
|
|
|
|
|
|
|
|
def monitor(self, user):
|
|
|
|
context = self.get_context(user)
|
|
|
|
self.append("prepare(%(object_id)s, '%(username)s', '%(last_date)s')" % context)
|
|
|
|
|
|
|
|
def get_context(self, user):
|
2015-04-05 18:02:36 +00:00
|
|
|
context = {
|
2015-03-20 15:13:08 +00:00
|
|
|
'username': user.username,
|
|
|
|
'object_id': user.pk,
|
|
|
|
'last_date': self.get_last_date(user.pk).strftime("%Y-%m-%d %H:%M:%S %Z"),
|
|
|
|
}
|
2015-04-05 18:02:36 +00:00
|
|
|
return replace(context, "'", '"')
|
2015-03-20 15:13:08 +00:00
|
|
|
|
|
|
|
|
2015-04-05 18:02:36 +00:00
|
|
|
class VsFTPdTraffic(ServiceMonitor):
|
2015-04-23 19:46:23 +00:00
|
|
|
"""
|
|
|
|
vsFTPd log parser.
|
|
|
|
"""
|
2015-03-20 15:13:08 +00:00
|
|
|
model = 'systemusers.SystemUser'
|
|
|
|
resource = ServiceMonitor.TRAFFIC
|
2015-04-05 18:02:36 +00:00
|
|
|
verbose_name = _('VsFTPd traffic')
|
2015-03-20 15:13:08 +00:00
|
|
|
script_executable = '/usr/bin/python'
|
2015-04-24 11:39:20 +00:00
|
|
|
doc_settings = (settings,
|
|
|
|
('SYSTEMUSERS_FTP_LOG_PATH',)
|
|
|
|
)
|
2015-03-20 15:13:08 +00:00
|
|
|
|
|
|
|
def prepare(self):
|
|
|
|
vsftplog = settings.SYSTEMUSERS_FTP_LOG_PATH
|
|
|
|
context = {
|
|
|
|
'current_date': self.current_date.strftime("%Y-%m-%d %H:%M:%S %Z"),
|
|
|
|
'vsftplogs': str((vsftplog, vsftplog+'.1')),
|
|
|
|
}
|
|
|
|
self.append(textwrap.dedent("""\
|
|
|
|
import re
|
|
|
|
import sys
|
|
|
|
from datetime import datetime
|
|
|
|
from dateutil import tz
|
2015-04-05 18:02:36 +00:00
|
|
|
|
2015-03-20 15:13:08 +00:00
|
|
|
def to_local_timezone(date, tzlocal=tz.tzlocal()):
|
|
|
|
date = datetime.strptime(date, '%Y-%m-%d %H:%M:%S %Z')
|
|
|
|
date = date.replace(tzinfo=tz.tzutc())
|
|
|
|
date = date.astimezone(tzlocal)
|
|
|
|
return date
|
2015-04-05 18:02:36 +00:00
|
|
|
|
2015-03-20 15:13:08 +00:00
|
|
|
vsftplogs = {vsftplogs}
|
|
|
|
# Use local timezone
|
|
|
|
end_date = to_local_timezone('{current_date}')
|
|
|
|
end_date = int(end_date.strftime('%Y%m%d%H%M%S'))
|
|
|
|
users = {{}}
|
2015-04-29 10:51:30 +00:00
|
|
|
months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec')
|
|
|
|
months = dict((m, '%02d' % n) for n, m in enumerate(months, 1))
|
2015-04-05 18:02:36 +00:00
|
|
|
|
2015-03-20 15:13:08 +00:00
|
|
|
def prepare(object_id, username, ini_date):
|
|
|
|
global users
|
|
|
|
ini_date = to_local_timezone(ini_date)
|
|
|
|
ini_date = int(ini_date.strftime('%Y%m%d%H%M%S'))
|
|
|
|
users[username] = [ini_date, object_id, 0]
|
2015-04-05 18:02:36 +00:00
|
|
|
|
2015-03-20 15:13:08 +00:00
|
|
|
def monitor(users, end_date, months, vsftplogs):
|
2015-03-29 16:10:07 +00:00
|
|
|
user_regex = re.compile(r'\] \[([^ ]+)\] (OK|FAIL) ')
|
2015-03-20 15:13:08 +00:00
|
|
|
bytes_regex = re.compile(r', ([0-9]+) bytes, ')
|
|
|
|
for vsftplog in vsftplogs:
|
|
|
|
try:
|
|
|
|
with open(vsftplog, 'r') as vsftplog:
|
|
|
|
for line in vsftplog.readlines():
|
|
|
|
if ' bytes, ' in line:
|
|
|
|
username = user_regex.search(line).groups()[0]
|
|
|
|
try:
|
|
|
|
user = users[username]
|
|
|
|
except KeyError:
|
|
|
|
continue
|
|
|
|
else:
|
|
|
|
__, month, day, time, year = line.split()[:5]
|
|
|
|
date = year + months[month] + day + time.replace(':', '')
|
|
|
|
if user[0] < int(date) < end_date:
|
|
|
|
bytes = bytes_regex.search(line).groups()[0]
|
|
|
|
user[2] += int(bytes)
|
|
|
|
except IOError as e:
|
|
|
|
sys.stderr.write(e)
|
|
|
|
|
2015-04-02 16:14:55 +00:00
|
|
|
for username, opts in users.items():
|
2015-03-20 15:13:08 +00:00
|
|
|
__, object_id, size = opts
|
|
|
|
print object_id, size
|
|
|
|
""").format(**context)
|
|
|
|
)
|
|
|
|
|
|
|
|
def monitor(self, user):
|
|
|
|
context = self.get_context(user)
|
|
|
|
self.append("prepare(%(object_id)s, '%(username)s', '%(last_date)s')" % context)
|
|
|
|
|
|
|
|
def commit(self):
|
|
|
|
self.append('monitor(users, end_date, months, vsftplogs)')
|
|
|
|
|
|
|
|
def get_context(self, user):
|
2015-04-05 18:02:36 +00:00
|
|
|
context = {
|
2015-03-20 15:13:08 +00:00
|
|
|
'last_date': self.get_last_date(user.pk).strftime("%Y-%m-%d %H:%M:%S %Z"),
|
|
|
|
'object_id': user.pk,
|
|
|
|
'username': user.username,
|
|
|
|
}
|
2015-04-05 18:02:36 +00:00
|
|
|
return replace(context, "'", '"')
|