bootstrap-vz/bootstrapvz/plugins/admin_user/tasks.py

from bootstrapvz.base import Task
from bootstrapvz.common import phases
from bootstrapvz.common.tasks.initd import InstallInitScripts
import logging
import os


class AddSudoPackage(Task):
	description = 'Adding `sudo\' to the image packages'
	phase = phases.preparation

	@classmethod
	def run(cls, info):
		info.packages.add('sudo')


class CreateAdminUser(Task):
	description = 'Creating the admin user'
	phase = phases.system_modification

	@classmethod
	def run(cls, info):
		from bootstrapvz.common.tools import log_check_call
		log_check_call(['chroot', info.root,
		                'useradd',
		                '--create-home', '--shell', '/bin/bash',
		                info.manifest.plugins['admin_user']['username']])


class PasswordlessSudo(Task):
	description = 'Allowing the admin user to use sudo without a password'
	phase = phases.system_modification

	@classmethod
	def run(cls, info):
		sudo_admin_path = os.path.join(info.root, 'etc/sudoers.d/99_admin')
		username = info.manifest.plugins['admin_user']['username']
		with open(sudo_admin_path, 'w') as sudo_admin:
			sudo_admin.write('{username} ALL=(ALL) NOPASSWD:ALL'.format(username=username))
		import stat
		ug_read_only = (stat.S_IRUSR | stat.S_IRGRP)
		os.chmod(sudo_admin_path, ug_read_only)


class AdminUserCredentials(Task):
	description = 'Set up access credentials for the admin user'
	phase = phases.system_modification
	predecessors = [InstallInitScripts, CreateAdminUser]

	@classmethod
	def run(cls, info):
                from bootstrapvz.common.exceptions import TaskError
                from bootstrapvz.common.tools import sed_i
                from bootstrapvz.common.tools import log_check_call
                log = logging.getLogger(__name__)

                if 'password' in info.manifest.plugins['admin_user']:
                        if 'pubkey' in info.manifest.plugins['admin_user']:
                                msg = 'The options password and pubkey are mutually exclusive'
                                raise TaskError(msg)
                        log_check_call(['chroot', info.root, 'chpasswd'],
                                       info.manifest.plugins['admin_user']['username'] +
                                       ':' + info.manifest.plugins['admin_user']['password'])
                        return

                getcreds_path = os.path.join(info.root, 'etc/init.d/ec2-get-credentials')
                if 'pubkey' in info.manifest.plugins['admin_user']:
                        import stat
                        from shutil import copy
                        full_path = info.manifest.plugins['admin_user']['pubkey']
                        if not os.path.exists(full_path):
                                msg = 'Could not find public key at {full_path}'.format(full_path=full_path)
                                raise TaskError(msg)
                        log.debug('Copying public key from {path}'.format(path=full_path))

                        if os.path.exists(getcreds_path):
                                log.warn('You are using a static public key for the admin account.'
                                         ' This will conflict with the ec2 public key njection mechanisn.'
                                         ' The ec2-get-credentials startup script has therefore been disabled.')
                                log_check_call(['chroot', info.root, 'insserv', '--remove',
                                                'ec2-get-credentials'])
                        username = info.manifest.plugins['admin_user']['username']

                        ssh_file = os.path.join('/home/'
                                                '{username}/.ssh/authorized_keys'.format(username=username))
                        rel_ssh_file = os.path.realpath(info.root + '/{ssh_file}'.format(ssh_file=ssh_file))

                        ssh_dir = os.path.dirname(ssh_file)
                        rel_ssh_dir = os.path.realpath(info.root + '/{ssh_dir}'.format(ssh_dir=ssh_dir))
                        if not os.path.exists(rel_ssh_dir):
                                log.debug('Creating {ssh_dir} mode 700'.format(ssh_dir=rel_ssh_dir))
                                os.mkdir(rel_ssh_dir, 0700)
                        else:
				log.debug('setting {ssh_dir} mode 700'.format(ssh_dir=rel_ssh_dir))
                                os.chmod(rel_ssh_dir, 0700)
                        copy(full_path, rel_ssh_file)
                        mode = (stat.S_IRUSR | stat.S_IWUSR)
                        os.chmod(rel_ssh_file, mode)
                        log_check_call(['chroot', info.root, 'chown', '-R', username, ssh_dir])
                        return

                log.debug('Updating EC2 get credentials script.')
                username = info.manifest.plugins['admin_user']['username']
                sed_i(getcreds_path, 'username=\'root\'', 'username=\'{username}\''.format(username=username))
Properly fix imports and make bootstrapvz work like a package 2014-03-23 23:12:07 +01:00			`from bootstrapvz.base import Task`
			`from bootstrapvz.common import phases`
			`from bootstrapvz.common.tasks.initd import InstallInitScripts`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`import logging`
Implemented admin user task 2013-08-10 18:24:27 +02:00			`import os`


			`class AddSudoPackage(Task):`
``quoted'' -> `quoted' 2013-12-29 20:54:36 +01:00			description = 'Adding `sudo\' to the image packages'
Implemented admin user task 2013-08-10 18:24:27 +02:00			`phase = phases.preparation`

Don't instantiate tasks In practice they are just typed functions with attributes, having a reference to an object is just confusing. So: Task.run() is now a classmethod 2014-01-05 15:57:11 +01:00			`@classmethod`
			`def run(cls, info):`
Integrated package plugin with base system New phase introduced "package installation" (fixes #114) Apt source lines are now parsed, this allows to verify the target release of added packages. All packages (except locales) are now installed after bootstrapping (fixes #123) Added env argument to log_(check_)call HostDependencies have been refactored a little 2013-12-29 16:09:47 +01:00			`info.packages.add('sudo')`
Implemented admin user task 2013-08-10 18:24:27 +02:00

			`class CreateAdminUser(Task):`
			`description = 'Creating the admin user'`
			`phase = phases.system_modification`

Don't instantiate tasks In practice they are just typed functions with attributes, having a reference to an object is just confusing. So: Task.run() is now a classmethod 2014-01-05 15:57:11 +01:00			`@classmethod`
			`def run(cls, info):`
Properly fix imports and make bootstrapvz work like a package 2014-03-23 23:12:07 +01:00			`from bootstrapvz.common.tools import log_check_call`
Rely on $PATH to resolve commands. Fixes #12 2014-02-23 22:16:10 +01:00			`log_check_call(['chroot', info.root,`
			`'useradd',`
Correct mirror entry, turn on admin user; fix chroot call to create admin user (--shell and /bin/bash as two entries, not one argument). 2013-08-15 22:17:37 +00:00			`'--create-home', '--shell', '/bin/bash',`
Implemented admin user task 2013-08-10 18:24:27 +02:00			`info.manifest.plugins['admin_user']['username']])`


			`class PasswordlessSudo(Task):`
			`description = 'Allowing the admin user to use sudo without a password'`
			`phase = phases.system_modification`

Don't instantiate tasks In practice they are just typed functions with attributes, having a reference to an object is just confusing. So: Task.run() is now a classmethod 2014-01-05 15:57:11 +01:00			`@classmethod`
			`def run(cls, info):`
Implemented admin user task 2013-08-10 18:24:27 +02:00			`sudo_admin_path = os.path.join(info.root, 'etc/sudoers.d/99_admin')`
			`username = info.manifest.plugins['admin_user']['username']`
			`with open(sudo_admin_path, 'w') as sudo_admin:`
			`sudo_admin.write('{username} ALL=(ALL) NOPASSWD:ALL'.format(username=username))`
			`import stat`
			`ug_read_only = (stat.S_IRUSR \| stat.S_IRGRP)`
			`os.chmod(sudo_admin_path, ug_read_only)`


			`class AdminUserCredentials(Task):`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`description = 'Set up access credentials for the admin user'`
Implemented admin user task 2013-08-10 18:24:27 +02:00			`phase = phases.system_modification`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`predecessors = [InstallInitScripts, CreateAdminUser]`
Implemented admin user task 2013-08-10 18:24:27 +02:00
Don't instantiate tasks In practice they are just typed functions with attributes, having a reference to an object is just confusing. So: Task.run() is now a classmethod 2014-01-05 15:57:11 +01:00			`@classmethod`
			`def run(cls, info):`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`from bootstrapvz.common.exceptions import TaskError`
			`from bootstrapvz.common.tools import sed_i`
			`from bootstrapvz.common.tools import log_check_call`
			`log = logging.getLogger(__name__)`

			`if 'password' in info.manifest.plugins['admin_user']:`
			`if 'pubkey' in info.manifest.plugins['admin_user']:`
			`msg = 'The options password and pubkey are mutually exclusive'`
			`raise TaskError(msg)`
			`log_check_call(['chroot', info.root, 'chpasswd'],`
			`info.manifest.plugins['admin_user']['username'] +`
			`':' + info.manifest.plugins['admin_user']['password'])`
			`return`

			`getcreds_path = os.path.join(info.root, 'etc/init.d/ec2-get-credentials')`
			`if 'pubkey' in info.manifest.plugins['admin_user']:`
			`import stat`
			`from shutil import copy`
			`full_path = info.manifest.plugins['admin_user']['pubkey']`
			`if not os.path.exists(full_path):`
			`msg = 'Could not find public key at {full_path}'.format(full_path=full_path)`
			`raise TaskError(msg)`
			`log.debug('Copying public key from {path}'.format(path=full_path))`

			`if os.path.exists(getcreds_path):`
			`log.warn('You are using a static public key for the admin account.'`
			`' This will conflict with the ec2 public key njection mechanisn.'`
			`' The ec2-get-credentials startup script has therefore been disabled.')`
			`log_check_call(['chroot', info.root, 'insserv', '--remove',`
			`'ec2-get-credentials'])`
			`username = info.manifest.plugins['admin_user']['username']`

			`ssh_file = os.path.join('/home/'`
			`'{username}/.ssh/authorized_keys'.format(username=username))`
			`rel_ssh_file = os.path.realpath(info.root + '/{ssh_file}'.format(ssh_file=ssh_file))`

			`ssh_dir = os.path.dirname(ssh_file)`
			`rel_ssh_dir = os.path.realpath(info.root + '/{ssh_dir}'.format(ssh_dir=ssh_dir))`
			`if not os.path.exists(rel_ssh_dir):`
			`log.debug('Creating {ssh_dir} mode 700'.format(ssh_dir=rel_ssh_dir))`
			`os.mkdir(rel_ssh_dir, 0700)`
			`else:`
			`log.debug('setting {ssh_dir} mode 700'.format(ssh_dir=rel_ssh_dir))`
			`os.chmod(rel_ssh_dir, 0700)`
			`copy(full_path, rel_ssh_file)`
			`mode = (stat.S_IRUSR \| stat.S_IWUSR)`
			`os.chmod(rel_ssh_file, mode)`
			`log_check_call(['chroot', info.root, 'chown', '-R', username, ssh_dir])`
			`return`

			`log.debug('Updating EC2 get credentials script.')`
			`username = info.manifest.plugins['admin_user']['username']`
			`sed_i(getcreds_path, 'username=\'root\'', 'username=\'{username}\''.format(username=username))`