bootstrap-vz/bootstrapvz/plugins/admin_user/tasks.py

from bootstrapvz.base import Task
from bootstrapvz.common import phases
from bootstrapvz.common.tasks.initd import InstallInitScripts
from bootstrapvz.providers.ec2.tasks.initd import AddEC2InitScripts

import logging
import os


class AddSudoPackage(Task):
	description = 'Adding `sudo\' to the image packages'
	phase = phases.preparation

	@classmethod
	def run(cls, info):
		info.packages.add('sudo')


class CreateAdminUser(Task):
	description = 'Creating the admin user'
	phase = phases.system_modification

	@classmethod
	def run(cls, info):
		from bootstrapvz.common.tools import log_check_call
		log_check_call(['chroot', info.root,
		                'useradd',
		                '--create-home', '--shell', '/bin/bash',
		                info.manifest.plugins['admin_user']['username']])


class PasswordlessSudo(Task):
	description = 'Allowing the admin user to use sudo without a password'
	phase = phases.system_modification

	@classmethod
	def run(cls, info):
		sudo_admin_path = os.path.join(info.root, 'etc/sudoers.d/99_admin')
		username = info.manifest.plugins['admin_user']['username']
		with open(sudo_admin_path, 'w') as sudo_admin:
			sudo_admin.write('{username} ALL=(ALL) NOPASSWD:ALL'.format(username=username))
		import stat
		ug_read_only = (stat.S_IRUSR | stat.S_IRGRP)
		os.chmod(sudo_admin_path, ug_read_only)


class AdminUserCredentialsPassword(Task):
	description = 'Set up access credentials for the admin user with a given password'
	phase = phases.system_modification
	predecessors = [InstallInitScripts, CreateAdminUser]

	@classmethod
	def run(cls, info):
		from bootstrapvz.common.tools import log_check_call
		log = logging.getLogger(__name__)

		log.debug('Setting the password for the admin user.')
		log_check_call(
			['chroot', info.root, 'chpasswd'],
			info.manifest.plugins['admin_user']['username'] +
			':' + info.manifest.plugins['admin_user']['password']
		)
		return


class AdminUserCredentialsPublicKey(Task):
	description = 'Set up access credentials for the admin user with a given public key'
	phase = phases.system_modification
	predecessors = [AddEC2InitScripts, CreateAdminUser]
	successors = [InstallInitScripts]

	@classmethod
	def run(cls, info):
		from bootstrapvz.common.tools import log_check_call

		log = logging.getLogger(__name__)

		import stat
		from shutil import copy
		full_path = info.manifest.plugins['admin_user']['pubkey']
		log.debug('Copying public key from {path}'.format(path=full_path))

		if 'ec2-get-credentials' in info.initd['install']:
			log.warn(
				'You are using a static public key for the admin account.'
				' This will conflict with the ec2 public key injection mechanisn.'
				' The ec2-get-credentials startup script has therefore been disabled.')
			del info.initd['install']['ec2-get-credentials']

		username = info.manifest.plugins['admin_user']['username']

		ssh_file = os.path.join('/home', username, '.ssh/authorized_keys')
		rel_ssh_file = os.path.join(info.root, 'home', username, '.ssh/authorized_keys')

		ssh_dir = os.path.dirname(ssh_file)
		rel_ssh_dir = os.path.dirname(rel_ssh_file)
		if not os.path.exists(rel_ssh_dir):
			log.debug('Creating %s.' % rel_ssh_dir)
			os.mkdir(rel_ssh_dir)

		log.debug('setting %s mode 700' % rel_ssh_dir)
		mode = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
		os.chmod(rel_ssh_dir, mode)

		copy(full_path, rel_ssh_file)

		mode = (stat.S_IRUSR | stat.S_IWUSR)
		os.chmod(rel_ssh_file, mode)

		log_check_call(['chroot', info.root, 'chown', '-R', username, ssh_dir])
		return


class AdminUserCredentialsEC2(Task):
	description = 'Set up access credentials for the admin user using the EC2 credentials'
	phase = phases.system_modification
	predecessors = [InstallInitScripts, CreateAdminUser]

	@classmethod
	def run(cls, info):
		from bootstrapvz.common.tools import sed_i
		log = logging.getLogger(__name__)

		getcreds_path = os.path.join(info.root, 'etc/init.d/ec2-get-credentials')
		log.debug('Updating EC2 get credentials script.')
		username = info.manifest.plugins['admin_user']['username']
		sed_i(getcreds_path, "username='root'",
		      "username='{username}'".format(username=username))
Properly fix imports and make bootstrapvz work like a package 2014-03-23 23:12:07 +01:00			`from bootstrapvz.base import Task`
			`from bootstrapvz.common import phases`
			`from bootstrapvz.common.tasks.initd import InstallInitScripts`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`from bootstrapvz.providers.ec2.tasks.initd import AddEC2InitScripts`

[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`import logging`
Implemented admin user task 2013-08-10 18:24:27 +02:00			`import os`


			`class AddSudoPackage(Task):`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			description = 'Adding `sudo\' to the image packages'
			`phase = phases.preparation`
Implemented admin user task 2013-08-10 18:24:27 +02:00
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`@classmethod`
			`def run(cls, info):`
			`info.packages.add('sudo')`
Implemented admin user task 2013-08-10 18:24:27 +02:00

			`class CreateAdminUser(Task):`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`description = 'Creating the admin user'`
			`phase = phases.system_modification`
Implemented admin user task 2013-08-10 18:24:27 +02:00
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`@classmethod`
			`def run(cls, info):`
			`from bootstrapvz.common.tools import log_check_call`
			`log_check_call(['chroot', info.root,`
			`'useradd',`
			`'--create-home', '--shell', '/bin/bash',`
			`info.manifest.plugins['admin_user']['username']])`
Implemented admin user task 2013-08-10 18:24:27 +02:00

			`class PasswordlessSudo(Task):`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`description = 'Allowing the admin user to use sudo without a password'`
			`phase = phases.system_modification`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`@classmethod`
			`def run(cls, info):`
			`sudo_admin_path = os.path.join(info.root, 'etc/sudoers.d/99_admin')`
			`username = info.manifest.plugins['admin_user']['username']`
			`with open(sudo_admin_path, 'w') as sudo_admin:`
			`sudo_admin.write('{username} ALL=(ALL) NOPASSWD:ALL'.format(username=username))`
			`import stat`
			`ug_read_only = (stat.S_IRUSR \| stat.S_IRGRP)`
			`os.chmod(sudo_admin_path, ug_read_only)`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00

			`class AdminUserCredentialsPassword(Task):`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`description = 'Set up access credentials for the admin user with a given password'`
			`phase = phases.system_modification`
			`predecessors = [InstallInitScripts, CreateAdminUser]`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`@classmethod`
			`def run(cls, info):`
			`from bootstrapvz.common.tools import log_check_call`
			`log = logging.getLogger(__name__)`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`log.debug('Setting the password for the admin user.')`
			`log_check_call(`
			`['chroot', info.root, 'chpasswd'],`
			`info.manifest.plugins['admin_user']['username'] +`
			`':' + info.manifest.plugins['admin_user']['password']`
			`)`
			`return`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00

[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00			`class AdminUserCredentialsPublicKey(Task):`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`description = 'Set up access credentials for the admin user with a given public key'`
			`phase = phases.system_modification`
			`predecessors = [AddEC2InitScripts, CreateAdminUser]`
			`successors = [InstallInitScripts]`

			`@classmethod`
			`def run(cls, info):`
			`from bootstrapvz.common.tools import log_check_call`

			`log = logging.getLogger(__name__)`

			`import stat`
			`from shutil import copy`
			`full_path = info.manifest.plugins['admin_user']['pubkey']`
			`log.debug('Copying public key from {path}'.format(path=full_path))`

			`if 'ec2-get-credentials' in info.initd['install']:`
			`log.warn(`
			`'You are using a static public key for the admin account.'`
			`' This will conflict with the ec2 public key injection mechanisn.'`
			`' The ec2-get-credentials startup script has therefore been disabled.')`
			`del info.initd['install']['ec2-get-credentials']`

			`username = info.manifest.plugins['admin_user']['username']`

Bit by os.path.join not liking leading / join ignores all path components to the left of any component that starts with a /. Tested and found working. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-02-08 02:50:55 -08:00			`ssh_file = os.path.join('/home', username, '.ssh/authorized_keys')`
			`rel_ssh_file = os.path.join(info.root, 'home', username, '.ssh/authorized_keys')`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00
			`ssh_dir = os.path.dirname(ssh_file)`
Bit by os.path.join not liking leading / join ignores all path components to the left of any component that starts with a /. Tested and found working. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-02-08 02:50:55 -08:00			`rel_ssh_dir = os.path.dirname(rel_ssh_file)`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`if not os.path.exists(rel_ssh_dir):`
			`log.debug('Creating %s.' % rel_ssh_dir)`
			`os.mkdir(rel_ssh_dir)`

			`log.debug('setting %s mode 700' % rel_ssh_dir)`
			`mode = (stat.S_IRUSR \| stat.S_IWUSR \| stat.S_IXUSR)`
			`os.chmod(rel_ssh_dir, mode)`

			`copy(full_path, rel_ssh_file)`

			`mode = (stat.S_IRUSR \| stat.S_IWUSR)`
			`os.chmod(rel_ssh_file, mode)`

			`log_check_call(['chroot', info.root, 'chown', '-R', username, ssh_dir])`
			`return`
[admin_user]: Added support for password and static pubkey auth This commit adds authentication optionally with passwords or static ssh pubkeys for the admin user. There are now three ways to grant access to the admin user: - Set a password for the user, or - Provide a ssh public key to allow remote ssh login, or - Use the EC2 public key (EC2 machines only) If a password is provided, this plugin sets the admin password. This also re-enables password login (off by default in Jessie). If the optional argument pubkey is present (it should be a full path to a ssh public key), it will ensure that the ssh public key is used to set up password less remote login for the admin user. Only one of these options (password, or pubkey) may be specified. If neither the password not a ssh public key location are specified, and if the EC2 init scripts are installed, the script for fetching the SSH authorized keys will be adjust to match the username specified. Fixes: https://github.com/andsens/bootstrap-vz/issues/248 Signed-off-by: Manoj Srivastava <srivasta@google.com> 2015-09-28 11:49:50 -07:00

			`class AdminUserCredentialsEC2(Task):`
[admin_user]: Update per comments As requested, this commit converts to tab indentation. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-01-10 02:12:58 -08:00			`description = 'Set up access credentials for the admin user using the EC2 credentials'`
			`phase = phases.system_modification`
			`predecessors = [InstallInitScripts, CreateAdminUser]`

			`@classmethod`
			`def run(cls, info):`
			`from bootstrapvz.common.tools import sed_i`
			`log = logging.getLogger(__name__)`

			`getcreds_path = os.path.join(info.root, 'etc/init.d/ec2-get-credentials')`
[admin_user]: More cleanups. Remove uneeded tests. Signed-off-by: Manoj Srivastava <srivasta@golden-gryphon.com> 2016-02-06 02:15:52 -08:00			`log.debug('Updating EC2 get credentials script.')`
			`username = info.manifest.plugins['admin_user']['username']`
			`sed_i(getcreds_path, "username='root'",`
			`"username='{username}'".format(username=username))`