def _save_cert_str_as_file(cert_txt, file_name):
cert_start = cert_txt.find(BeginCertificateTag)
if cert_start >= 0:
cert_txt = cert_txt[cert_start + len(BeginCertificateTag):]
cert_end = cert_txt.find(EndCertificateTag)
if cert_end >= 0:
cert_txt = cert_txt[:cert_end]
cert_txt = cert_txt.strip()
cert_txt = "{0}\n{1}\n{2}\n".format(BeginCertificateTag, cert_txt, EndCertificateTag)
ext_utils.set_file_contents(file_name, cert_txt)
def _reset_sshd_config(sshd_file_path):
ssh_default_config_filename = _get_default_ssh_config_filename()
ssh_default_config_file_path = os.path.join(os.getcwd(), 'resources',
ssh_default_config_filename)
if not (os.path.exists(ssh_default_config_file_path)):
ssh_default_config_file_path = os.path.join(os.getcwd(), 'resources',
'default')
# handle CoreOS differently
if isinstance(MyDistro, dist_utils.CoreOSDistro):
# Parse sshd port from ssh_default_config_file_path
sshd_port = 22
regex = re.compile(r"^Port\s+(\d+)", re.VERBOSE)
with open(ssh_default_config_file_path) as f:
for line in f:
match = regex.match(line)
if match:
sshd_port = match.group(1)
break
# Prepare cloud init config for coreos-cloudinit
f = tempfile.NamedTemporaryFile(delete=False)
f.close()
cfg_tempfile = f.name
cfg_content = "#cloud-config\n\n"
# Overwrite /etc/ssh/sshd_config
cfg_content += "write_files:\n"
cfg_content += " - path: {0}\n".format(sshd_file_path)
cfg_content += " permissions: 0600\n"
cfg_content += " owner: root:root\n"
cfg_content += " content: |\n"
for line in ext_utils.get_file_contents(
ssh_default_config_file_path).split('\n'):
cfg_content += " {0}\n".format(line)
# Change the sshd port in /etc/systemd/system/sshd.socket
cfg_content += "\ncoreos:\n"
cfg_content += " units:\n"
cfg_content += " - name: sshd.socket\n"
cfg_content += " command: restart\n"
cfg_content += " content: |\n"
cfg_content += " [Socket]\n"
cfg_content += " ListenStream={0}\n".format(sshd_port)
cfg_content += " Accept=yes\n"
ext_utils.set_file_contents(cfg_tempfile, cfg_content)
ext_utils.run(['coreos-cloudinit', '-from-file', cfg_tempfile],
chk_err=False)
os.remove(cfg_tempfile)
else:
shutil.copyfile(ssh_default_config_file_path, sshd_file_path)
MyDistro.restart_ssh_service()
def create_account(self, user, password, expiration, thumbprint):
"""
Create a user account, with 'user', 'password', 'expiration', ssh keys
and sudo permissions.
Returns None if successful, error string on failure.
"""
userentry = None
try:
userentry = pwd.getpwnam(user)
except (EnvironmentError, KeyError):
pass
uidmin = None
try:
uidmin = int(ext_utils.get_line_starting_with("UID_MIN", "/etc/login.defs").split()[1])
except (ValueError, KeyError, AttributeError, EnvironmentError):
pass
if uidmin is None:
uidmin = 100
if userentry is not None and userentry[2] < uidmin and userentry[2] != self.CORE_UID:
logger.error(
"CreateAccount: " + user + " is a system user. Will not set password.")
return "Failed to set password for system user: "******" (0x06)."
if userentry is None:
command = ['useradd', '--create-home', '--password', '*', user]
if expiration is not None:
command += ['--expiredate', expiration.split('.')[0]]
if ext_utils.run(command):
logger.error("Failed to create user account: " + user)
return "Failed to create user account: " + user + " (0x07)."
else:
logger.log("CreateAccount: " + user + " already exists. Will update password.")
if password is not None:
self.change_password(user, password)
try:
if password is None:
ext_utils.set_file_contents("/etc/sudoers.d/waagent", user + " ALL = (ALL) NOPASSWD: ALL\n")
else:
ext_utils.set_file_contents("/etc/sudoers.d/waagent", user + " ALL = (ALL) ALL\n")
os.chmod("/etc/sudoers.d/waagent", 0o440)
except EnvironmentError:
logger.error("CreateAccount: Failed to configure sudo access for user.")
return "Failed to configure sudo privileges (0x08)."
home = self.get_home()
if thumbprint is not None:
ssh_dir = home + "/" + user + "/.ssh"
ext_utils.create_dir(ssh_dir, user, 0o700)
pub = ssh_dir + "/id_rsa.pub"
prv = ssh_dir + "/id_rsa"
ext_utils.run_command_and_write_stdout_to_file(['ssh-keygen', '-y', '-f', thumbprint + '.prv'], pub)
ext_utils.set_file_contents(prv, ext_utils.get_file_contents(thumbprint + ".prv"))
for f in [pub, prv]:
os.chmod(f, 0o600)
ext_utils.change_owner(f, user)
ext_utils.set_file_contents(ssh_dir + "/authorized_keys", ext_utils.get_file_contents(pub))
ext_utils.change_owner(ssh_dir + "/authorized_keys", user)
logger.log("Created user account: " + user)
return None
def scrub_settings_file(self):
content = ext_utils.get_file_contents(self._context._settings_file)
redacted = HandlerUtility.redact_protected_settings(content)
ext_utils.set_file_contents(self._context._settings_file, redacted)
def do_heartbeat_report(self, heartbeat_file, status, code, message):
# heartbeat
health_report = '[{"version":"1.0","heartbeat":{"status":"' + status + '","code":"' + code + '","Message":"' + message + '"}}]'
if ext_utils.set_file_contents(heartbeat_file, health_report) is None:
self.error('Unable to wite heartbeat info to ' + heartbeat_file)
def _set_most_recent_seq(self, seq):
ext_utils.set_file_contents('mrseq', str(seq))
def parse(xml_text, configuration, is_deprovision=False):
"""
Parse xml tree, retrieving user and ssh key information.
Return self.
"""
ofv_env = OvfEnv()
logger.log_if_verbose(re.sub("<UserPassword>.*?<", "<UserPassword>*<", xml_text))
dom = xml.dom.minidom.parseString(xml_text)
if len(dom.getElementsByTagNameNS(ofv_env.OvfNs, "Environment")) != 1:
logger.error("Unable to parse OVF XML.")
section = None
newer = False
for p in dom.getElementsByTagNameNS(ofv_env.WaNs, "ProvisioningSection"):
for n in p.childNodes:
if n.localName == "Version":
verparts = get_node_text_data(n).split('.')
major = int(verparts[0])
minor = int(verparts[1])
if major > ofv_env.MajorVersion:
newer = True
if major != ofv_env.MajorVersion:
break
if minor > ofv_env.MinorVersion:
newer = True
section = p
if newer:
logger.warning(
"Newer provisioning configuration detected. Please consider updating waagent.")
if section is None:
logger.error(
"Could not find ProvisioningSection with major version=" + str(ofv_env.MajorVersion))
return None
ofv_env.ComputerName = get_node_text_data(section.getElementsByTagNameNS(ofv_env.WaNs, "HostName")[0])
ofv_env.UserName = get_node_text_data(section.getElementsByTagNameNS(ofv_env.WaNs, "UserName")[0])
if is_deprovision:
return ofv_env
try:
ofv_env.UserPassword = get_node_text_data(section.getElementsByTagNameNS(ofv_env.WaNs, "UserPassword")[0])
except (KeyError, ValueError, AttributeError, IndexError):
pass
try:
cd_section = section.getElementsByTagNameNS(ofv_env.WaNs, "CustomData")
if len(cd_section) > 0:
ofv_env.CustomData = get_node_text_data(cd_section[0])
if len(ofv_env.CustomData) > 0:
ext_utils.set_file_contents(constants.LibDir + '/CustomData', bytearray(
translate_custom_data(ofv_env.CustomData, configuration)))
logger.log('Wrote ' + constants.LibDir + '/CustomData')
else:
logger.error('<CustomData> contains no data!')
except Exception as e:
logger.error(str(e) + ' occured creating ' + constants.LibDir + '/CustomData')
disable_ssh_passwd = section.getElementsByTagNameNS(ofv_env.WaNs, "DisableSshPasswordAuthentication")
if len(disable_ssh_passwd) != 0:
ofv_env.DisableSshPasswordAuthentication = (get_node_text_data(disable_ssh_passwd[0]).lower() == "true")
for pkey in section.getElementsByTagNameNS(ofv_env.WaNs, "PublicKey"):
logger.log_if_verbose(repr(pkey))
fp = None
path = None
for c in pkey.childNodes:
if c.localName == "Fingerprint":
fp = get_node_text_data(c).upper()
logger.log_if_verbose(fp)
if c.localName == "Path":
path = get_node_text_data(c)
logger.log_if_verbose(path)
ofv_env.SshPublicKeys += [[fp, path]]
for keyp in section.getElementsByTagNameNS(ofv_env.WaNs, "KeyPair"):
fp = None
path = None
logger.log_if_verbose(repr(keyp))
for c in keyp.childNodes:
if c.localName == "Fingerprint":
fp = get_node_text_data(c).upper()
logger.log_if_verbose(fp)
if c.localName == "Path":
path = get_node_text_data(c)
logger.log_if_verbose(path)
ofv_env.SshKeyPairs += [[fp, path]]
return ofv_env
