def check_and_repair_disk(hutil): public_settings = hutil.get_public_settings() if public_settings: check_disk = public_settings.get('check_disk') repair_disk = public_settings.get('repair_disk') disk_name = public_settings.get('disk_name') if check_disk and repair_disk: err_msg = ("check_disk and repair_disk was both specified." "Only one of them can be specified") hutil.error(err_msg) hutil.do_exit(1, 'Enable', 'error', '0', 'Enable failed.') if check_disk: ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="check_disk") outretcode = _fsck_check(hutil) hutil.log("Successfully checked disk") return outretcode if repair_disk: ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="repair_disk") outdata = _fsck_repair(hutil, disk_name) hutil.log("Repaired and remounted disk") return outdata
def _forcibly_reset_chap(hutil): name = "ChallengeResponseAuthentication" config = ext_utils.get_file_contents(SshdConfigPath).split("\n") for i in range(0, len(config)): if config[i].startswith(name) and "no" in config[i].lower(): ext_utils.add_extension_event(name=hutil.get_name(), op="sshd", is_success=True, message="ChallengeResponseAuthentication no") return ext_utils.add_extension_event(name=hutil.get_name(), op="sshd", is_success=True, message="ChallengeResponseAuthentication yes") _backup_sshd_config(SshdConfigPath) _set_sshd_config(config, name, "no") ext_utils.replace_file_with_contents_atomic(SshdConfigPath, "\n".join(config)) MyDistro.restart_ssh_service()
def _remove_user_account(user_name, hutil): hutil.log("Removing user account") try: sudoers = _get_other_sudoers(user_name) MyDistro.delete_account(user_name) _save_other_sudoers(sudoers) except Exception as e: ext_utils.add_extension_event(name=hutil.get_name(), op=constants.WALAEventOperation.Enable, is_success=False, message="(02102)Failed to remove user.") raise Exception("Failed to remove user {0}".format(e)) ext_utils.add_extension_event(name=hutil.get_name(), op=constants.WALAEventOperation.Enable, is_success=True, message="Successfully removed user")
def enable(): hutil = handler_util.HandlerUtility() hutil.do_parse_context('Enable') try: hutil.exit_if_enabled( remove_protected_settings=True) # If no new seqNum received, exit. reset_ssh = None remove_user = None protect_settings = hutil.get_protected_settings() if protect_settings: reset_ssh = protect_settings.get('reset_ssh') remove_user = protect_settings.get('remove_user') if remove_user and _is_sshd_config_modified(protect_settings): ext_utils.add_extension_event( name=hutil.get_name(), op=constants.WALAEventOperation.Enable, is_success=False, message="(03002)Argument error, conflicting operations") raise Exception( "Cannot reset sshd_config and remove a user in one operation.") _forcibly_reset_chap(hutil) if _is_sshd_config_modified(protect_settings): _backup_sshd_config(SshdConfigPath) if reset_ssh: _open_ssh_port() hutil.log("Succeeded in check and open ssh port.") ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="reset-ssh") _reset_sshd_config(SshdConfigPath) hutil.log("Succeeded in reset sshd_config.") if remove_user: ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="remove-user") _remove_user_account(remove_user, hutil) _set_user_account_pub_key(protect_settings, hutil) if _is_sshd_config_modified(protect_settings): MyDistro.restart_ssh_service() check_and_repair_disk(hutil) hutil.do_exit(0, 'Enable', 'success', '0', 'Enable succeeded.') except Exception as e: hutil.error(("Failed to enable the extension with error: {0}, " "stack trace: {1}").format(str(e), traceback.format_exc())) hutil.do_exit(1, 'Enable', 'error', '0', "Enable failed: {0}".format(str(e)))
def _set_user_account_pub_key(protect_settings, hutil): ovf_xml = None ovf_env = None try: ovf_xml = ext_utils.get_file_contents('/var/lib/waagent/ovf-env.xml') ovf_env = ovf_utils.OvfEnv.parse(ovf_xml, Configuration) except (EnvironmentError, ValueError, KeyError, AttributeError): pass if ovf_xml is None or ovf_env is None: # default ovf_env with empty data ovf_env = ovf_utils.OvfEnv() logger.log("could not load ovf-env.xml") # user name must be provided if set ssh key or password if not protect_settings or 'username' not in protect_settings: return user_name = protect_settings['username'] user_pass = protect_settings.get('password') cert_txt = protect_settings.get('ssh_key') expiration = protect_settings.get('expiration') no_convert = False if not user_pass and not cert_txt and not ovf_env.SshPublicKeys: raise Exception("No password or ssh_key is specified.") if user_pass is not None and len(user_pass) == 0: user_pass = None hutil.log("empty passwords are not allowed, ignoring password reset") # Reset user account and password, password could be empty sudoers = _get_other_sudoers(user_name) error_string = MyDistro.create_account(user_name, user_pass, expiration, None) _save_other_sudoers(sudoers) if error_string is not None: err_msg = "Failed to create the account or set the password" ext_utils.add_extension_event(name=hutil.get_name(), op=constants.WALAEventOperation.Enable, is_success=False, message="(02101)" + err_msg) raise Exception(err_msg + " with " + error_string) hutil.log("Succeeded in creating the account or setting the password.") # Allow password authentication if user_pass is provided if user_pass is not None: ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="create-user-with-password") _allow_password_auth() # Reset ssh key with the new public key passed in or reuse old public key. if cert_txt: if cert_txt and cert_txt.strip().lower().startswith("ssh-rsa"): no_convert = True try: pub_path = os.path.join('/home/', user_name, '.ssh', 'authorized_keys') ovf_env.UserName = user_name if no_convert: if cert_txt: pub_path = ovf_env.prepare_dir(pub_path, MyDistro) final_cert_txt = cert_txt if not cert_txt.endswith("\n"): final_cert_txt = final_cert_txt + "\n" ext_utils.append_file_contents(pub_path, final_cert_txt) MyDistro.set_se_linux_context( pub_path, 'unconfined_u:object_r:ssh_home_t:s0') ext_utils.change_owner(pub_path, user_name) ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="create-user") hutil.log("Succeeded in resetting ssh_key.") else: err_msg = "Failed to reset ssh key because the cert content is empty." ext_utils.add_extension_event( name=hutil.get_name(), op=constants.WALAEventOperation.Enable, is_success=False, message="(02100)" + err_msg) else: # do the certificate conversion # we support PKCS8 certificates besides ssh-rsa public keys _save_cert_str_as_file(cert_txt, 'temp.crt') pub_path = ovf_env.prepare_dir(pub_path, MyDistro) retcode = ext_utils.run_command_and_write_stdout_to_file([ constants.Openssl, 'x509', '-in', 'temp.crt', '-noout', '-pubkey' ], "temp.pub") if retcode > 0: raise Exception("Failed to generate public key file.") MyDistro.ssh_deploy_public_key('temp.pub', pub_path) os.remove('temp.pub') os.remove('temp.crt') ext_utils.add_extension_event(name=hutil.get_name(), op="scenario", is_success=True, message="create-user") hutil.log("Succeeded in resetting ssh_key.") except Exception as e: hutil.log(str(e)) ext_utils.add_extension_event( name=hutil.get_name(), op=constants.WALAEventOperation.Enable, is_success=False, message="(02100)Failed to reset ssh key.") raise e