예제 #1
 def auth_update(self, conn, users_id, raw_password):
     """Recompute a user's stored password material and persist it.

     ``encrypt_password`` (defined elsewhere) returns a pair: a token,
     which is handed back to the caller, and a mapping of column values,
     which is written to the ``users`` row whose ``id`` is ``users_id``.
     Per the original note that mapping holds the new password, salt,
     hash_algorithm and hash_iteration_count.
     """
     # NOTE(review): raw_password is not checked for None/empty here;
     # presumably the caller validates it -- confirm.
     token, columns = encrypt_password(raw_password)
     db_utils.update(
         conn, 'users', values=columns, where={'id': users_id})
     return token
예제 #2
def get_push_system_user_tasks(system_user):
    """Build the Ansible tasks that push ``system_user`` to a managed host.

    Returns a list of task dicts (``name`` / ``action`` and, for the home
    directory steps, ``register`` / ``when``). The list is empty for the
    ``root`` account and for an object with no password, key or sudo set.

    Order of the emitted tasks:
      1. password set   -> create the user with a password hash, then stat
                           /home/<username> and set owner/group/mode 700
      2. public key set -> install it as an authorized key
      3. sudo set       -> write a NOPASSWD line to /etc/sudoers
    """
    login = system_user.username
    # Managing root through this path is refused. The guard is an exact
    # comparison with the string "root" and nothing else.
    if login == "root":
        return []

    # NOTE(review): every ``args`` value below is a key=value string built
    # by interpolation. A username, shell, key or sudo value containing
    # spaces, quotes or ``key=`` text changes how the module arguments are
    # parsed, so these fields need strict validation where they are stored
    # -- confirm that happens upstream.
    tasks = []

    if system_user.password:
        shell = system_user.shell
        # NOTE(review): the salt is a fixed literal, so every account pushed
        # by this code shares it and equal passwords give equal hashes. A
        # random per-account salt is the usual choice; what encrypt_password
        # does with the value is not visible here.
        password_hash = encrypt_password(system_user.password, salt="K3mIlKK")
        create_user = {
            'name': 'Add user {}'.format(login),
            'action': {
                'module': 'user',
                'args': 'name={} shell={} state=present password={}'.format(
                    login, shell, password_hash),
            },
        }
        home_dir_check = {
            'name': 'Check home dir exists',
            'action': {
                'module': 'stat',
                'args': 'path=/home/{}'.format(login),
            },
            'register': 'home_existed',
        }
        home_dir_mode = {
            'name': "Set home dir permission",
            'action': {
                'module': 'file',
                'args': "path=/home/{0} owner={0} group={0} mode=700".format(login),
            },
            # Only touch the directory when the stat above found it.
            'when': 'home_existed.stat.exists == true',
        }
        tasks += [create_user, home_dir_check, home_dir_mode]

    if system_user.public_key:
        key_args = "user={} state=present key='{}'".format(
            login, system_user.public_key)
        tasks.append({
            'name': 'Set {} authorized key'.format(login),
            'action': {'module': 'authorized_key', 'args': key_args},
        })

    if system_user.sudo:
        # The sudo value is copied as-is into the command list of a NOPASSWD
        # rule. ``visudo -cf`` checks the file's syntax, not what the rule
        # grants.
        sudoers_args = (
            "dest=/etc/sudoers state=present regexp='^{0} ALL=' "
            "line='{0} ALL=(ALL) NOPASSWD: {1}' "
            "validate='visudo -cf %s'"
        ).format(login, system_user.sudo)
        tasks.append({
            'name': 'Set {} sudo setting'.format(login),
            'action': {'module': 'lineinfile', 'args': sudoers_args},
        })

    return tasks
예제 #3
def get_push_system_user_tasks(system_user):
    """Return the Ansible tasks needed to push ``system_user`` to a host.

    Nothing is generated for the ``root`` account. For any other account a
    task is added for each of password, public key and sudo that is set,
    in that order.
    """
    def make_task(title, module, args):
        # One task dict: a display name plus a module/args action.
        return {'name': title, 'action': {'module': module, 'args': args}}

    account = system_user.username
    # Exact-match guard: only the literal name "root" is refused.
    if account == "root":
        return []

    # NOTE(review): the module arguments are key=value strings assembled by
    # interpolation; values with spaces, quotes or ``key=`` text would be
    # parsed differently. Confirm the fields are validated when stored.
    tasks = []

    if system_user.password:
        shell = system_user.shell
        # NOTE(review): fixed salt literal shared by all accounts -- equal
        # passwords then give equal hashes. A per-account random salt is
        # the usual choice; encrypt_password itself is not visible here.
        hashed = encrypt_password(system_user.password, salt="K3mIlKK")
        tasks.append(make_task(
            'Add user {}'.format(account),
            'user',
            'name={} shell={} state=present password={}'.format(
                account, shell, hashed),
        ))

    if system_user.public_key:
        tasks.append(make_task(
            'Set {} authorized key'.format(account),
            'authorized_key',
            "user={} state=present key='{}'".format(
                account, system_user.public_key),
        ))

    if system_user.sudo:
        # The sudo value lands verbatim in a NOPASSWD rule; ``visudo -cf``
        # validates syntax only.
        tasks.append(make_task(
            'Set {} sudo setting'.format(account),
            'lineinfile',
            ("dest=/etc/sudoers state=present regexp='^{0} ALL=' "
             "line='{0} ALL=(ALL) NOPASSWD: {1}' "
             "validate='visudo -cf %s'").format(account, system_user.sudo),
        ))

    return tasks
예제 #4
def get_push_system_user_tasks(system_user):
    """Assemble the Ansible tasks that provision ``system_user`` remotely.

    The ``root`` account yields an empty list. Otherwise one task is added
    per configured credential, in this order: password (``user`` module),
    public key (``authorized_key``), sudo (``lineinfile`` on /etc/sudoers).
    """
    # Only the exact username "root" is rejected by this guard.
    if system_user.username == "root":
        return []

    name = system_user.username

    # Argument templates. NOTE(review): these are filled by plain string
    # interpolation, so a field containing spaces, quotes or ``key=`` text
    # alters how the arguments are parsed -- confirm the model validates
    # username, shell, public_key and sudo.
    user_tpl = 'name={} shell={} state=present password={}'
    key_tpl = "user={} state=present key='{}'"
    sudo_tpl = ("dest=/etc/sudoers state=present regexp='^{0} ALL=' "
                "line='{0} ALL=(ALL) NOPASSWD: {1}' "
                "validate='visudo -cf %s'")

    tasks = []
    if system_user.password:
        # NOTE(review): the salt is a hard-coded literal shared by every
        # account, so identical passwords hash identically. Prefer a random
        # per-account salt; how encrypt_password uses it is not shown here.
        tasks.append(dict(
            name='Add user {}'.format(name),
            action=dict(
                module='user',
                args=user_tpl.format(
                    name,
                    system_user.shell,
                    encrypt_password(system_user.password, salt="K3mIlKK"),
                ),
            ),
        ))
    if system_user.public_key:
        tasks.append(dict(
            name='Set {} authorized key'.format(name),
            action=dict(
                module='authorized_key',
                args=key_tpl.format(name, system_user.public_key),
            ),
        ))
    if system_user.sudo:
        # The sudo text becomes the command list of a NOPASSWD rule as-is;
        # ``visudo -cf`` only checks that the file still parses.
        tasks.append(dict(
            name='Set {} sudo setting'.format(name),
            action=dict(
                module='lineinfile',
                args=sudo_tpl.format(name, system_user.sudo),
            ),
        ))
    return tasks
예제 #5
파일: tasks.py 프로젝트: maxlee12/Python
def push_users(self, assets, users):
    """Create the given users on the given assets with one ad-hoc run.

    ``users`` and ``assets`` may each be a single dict or a list of dicts.
    For every user three module calls are queued, in order: ``user``
    (account plus password hash), ``authorized_key`` and ``lineinfile``
    (a NOPASSWD rule in /etc/sudoers). Returns what ``run_AdHoc`` returns.

    Shape of one user dict:

    user: {
        name: 'web',
        username: '******',
        shell: '/bin/bash',
        password: '******',
        public_key: 'string',
        sudo: '/bin/whoami,/sbin/ifconfig'
    }
    """
    user_list = [users] if isinstance(users, dict) else users
    asset_list = [assets] if isinstance(assets, dict) else assets

    # NOTE(review): the argument strings are built by interpolation; a
    # field with spaces, quotes or ``key=`` text changes how the module
    # arguments are parsed. Confirm callers validate the user dicts.
    user_tpl = 'name={} shell={} state=present password={}'
    key_tpl = "user={} state=present key='{}'"
    sudo_tpl = ("dest=/etc/sudoers state=present regexp='^{0} ALL=' "
                "line='{0} ALL=(ALL) NOPASSWD: {1}' "
                "validate='visudo -cf %s'")

    task_tuple = []
    for entry in user_list:
        # Add the user, set the public key, set sudo.
        # NOTE(review): a missing password is passed to encrypt_password as
        # None, and 'public_key' is required (KeyError when absent).
        add_user = ('user', user_tpl.format(
            entry['username'],
            entry.get('shell', '/bin/bash'),
            encrypt_password(entry.get('password', None)),
        ))
        add_key = ('authorized_key', key_tpl.format(
            entry['username'], entry['public_key']))
        # NOTE(review): when 'sudo' is absent the default still writes a
        # NOPASSWD rule (for /sbin/ifconfig); no user is left without one.
        add_sudo = ('lineinfile', sudo_tpl.format(
            entry['username'], entry.get('sudo', '/sbin/ifconfig')))
        task_tuple.extend([add_user, add_key, add_sudo])

    display_names = ','.join(entry['name'] for entry in user_list)
    task_name = 'Push user {}'.format(display_names)
    return run_AdHoc(
        task_tuple,
        asset_list,
        pattern='all',
        task_name=task_name,
        task_id=self.request.id,
    )
예제 #6
def get_push_linux_system_user_tasks(system_user):
    """Build the Ansible tasks that push ``system_user`` to a Linux host.

    Four tasks are always emitted: add the user, add a group of the same
    name, stat /home/<username>, and (when it exists) set its owner, group
    and mode 700. Tasks for password, public key and sudo follow for each
    of those that is set. There is no check on the username in this
    function.
    """
    login = system_user.username

    # NOTE(review): all ``args`` values are key=value strings produced by
    # interpolation. A field containing spaces, quotes or ``key=`` text
    # changes how the arguments are parsed -- confirm username, shell,
    # public_key and sudo are validated where they are stored.
    add_user = {
        'name': 'Add user {}'.format(login),
        'action': {
            'module': 'user',
            'args': 'name={} shell={} state=present'.format(
                login, system_user.shell),
        },
    }
    add_group = {
        'name': 'Add group {}'.format(login),
        'action': {
            'module': 'group',
            'args': 'name={} state=present'.format(login),
        },
    }
    stat_home = {
        'name': 'Check home dir exists',
        'action': {
            'module': 'stat',
            'args': 'path=/home/{}'.format(login),
        },
        'register': 'home_existed',
    }
    fix_home = {
        'name': "Set home dir permission",
        'action': {
            'module': 'file',
            'args': "path=/home/{0} owner={0} group={0} mode=700".format(login),
        },
        # Skipped unless the stat task found the directory.
        'when': 'home_existed.stat.exists == true',
    }
    tasks = [add_user, add_group, stat_home, fix_home]

    if system_user.password:
        shell = system_user.shell
        # NOTE(review): hard-coded salt shared by every account, so equal
        # passwords produce equal hashes. A random per-account salt is the
        # usual choice; encrypt_password is not visible from here.
        hashed = encrypt_password(system_user.password, salt="K3mIlKK")
        tasks.append({
            'name': 'Set {} password'.format(login),
            'action': {
                'module': 'user',
                'args': 'name={} shell={} state=present password={}'.format(
                    login, shell, hashed),
            },
        })

    if system_user.public_key:
        tasks.append({
            'name': 'Set {} authorized key'.format(login),
            'action': {
                'module': 'authorized_key',
                'args': "user={} state=present key='{}'".format(
                    login, system_user.public_key),
            },
        })

    if system_user.sudo:
        # Fold a multi-line entry into one comma-separated list: unify the
        # line endings, drop commas at either end of each line, re-join.
        unified = system_user.sudo.replace('\r\n', '\n').replace('\r', '\n')
        sudo = ','.join(line.strip(',') for line in unified.split('\n'))
        # The result goes verbatim into a NOPASSWD rule; ``visudo -cf``
        # validates syntax only.
        tasks.append({
            'name': 'Set {} sudo setting'.format(login),
            'action': {
                'module': 'lineinfile',
                'args': ("dest=/etc/sudoers state=present regexp='^{0} ALL=' "
                         "line='{0} ALL=(ALL) NOPASSWD: {1}' "
                         "validate='visudo -cf %s'").format(login, sudo),
            },
        })

    return tasks
예제 #7
def get_push_unixlike_system_user_tasks(system_user, username=None):
    """Build the Ansible tasks that push ``system_user`` to a Unix-like host.

    ``username`` overrides ``system_user.username`` when given. The account
    comment is ``system_user.name``; when ``username_same_with_user`` is set
    and a ``User`` with that username exists, the user's string form is
    appended in square brackets.

    Always emitted: add the user (arguments rendered by ``_dump_args``) and
    add a group of the same name. When no home is configured, /home/<username>
    is stat-ed and, if present, set to owner/group <username> and mode 700.
    Tasks for password, public key and sudo follow for each that is set.
    """
    comment = system_user.name

    if username is None:
        username = system_user.username

    if system_user.username_same_with_user:
        # Function-scope import, as in the original (presumably to avoid a
        # circular import at module load -- confirm).
        from users.models import User
        matched = (
            User.objects
            .filter(username=username)
            .only('name', 'username')
            .first()
        )
        if matched:
            comment = f'{system_user.name}[{matched!s}]'

    password = system_user.password
    public_key = system_user.public_key

    groups = _split_by_comma(system_user.system_groups)
    if groups:
        # Wrapped in double quotes so the comma list stays one argument.
        groups = '"%s"' % ','.join(groups)

    # ``Empty`` is defined elsewhere; it stands in for unset values here and
    # is handed to ``_dump_args`` along with the rest.
    add_user_args = {
        'name': username,
        'shell': system_user.shell or Empty,
        'state': 'present',
        'home': system_user.home or Empty,
        'expires': -1,
        'groups': groups or Empty,
        'comment': comment
    }

    # NOTE(review): apart from the ``_dump_args`` call, the ``args`` values
    # below are key=value strings built by interpolation. A username, key
    # or sudo value with spaces, quotes or ``key=`` text changes how they
    # are parsed -- confirm these fields are validated where stored.
    add_user = {
        'name': 'Add user {}'.format(username),
        'action': {'module': 'user', 'args': _dump_args(add_user_args)},
    }
    add_group = {
        'name': 'Add group {}'.format(username),
        'action': {
            'module': 'group',
            'args': 'name={} state=present'.format(username),
        },
    }
    tasks = [add_user, add_group]

    if not system_user.home:
        stat_home = {
            'name': 'Check home dir exists',
            'action': {
                'module': 'stat',
                'args': 'path=/home/{}'.format(username),
            },
            'register': 'home_existed',
        }
        fix_home = {
            'name': "Set home dir permission",
            'action': {
                'module': 'file',
                'args': "path=/home/{0} owner={0} group={0} mode=700".format(username),
            },
            'when': 'home_existed.stat.exists == true',
        }
        tasks.extend([stat_home, fix_home])

    if password:
        # NOTE(review): unlike the add-user task, the shell is formatted
        # here without the ``or Empty`` fallback, so an unset shell is
        # rendered as its string form.
        shell = system_user.shell
        # NOTE(review): hard-coded salt shared by all accounts -- equal
        # passwords give equal hashes. Prefer a random per-account salt;
        # encrypt_password is not visible from here.
        hashed = encrypt_password(password, salt="K3mIlKK")
        tasks.append({
            'name': 'Set {} password'.format(username),
            'action': {
                'module': 'user',
                'args': 'name={} shell={} state=present password={}'.format(
                    username, shell, hashed),
            },
        })

    if public_key:
        tasks.append({
            'name': 'Set {} authorized key'.format(username),
            'action': {
                'module': 'authorized_key',
                'args': "user={} state=present key='{}'".format(
                    username, public_key),
            },
        })

    if system_user.sudo:
        # Fold a multi-line entry into one comma-separated list: unify the
        # line endings, drop commas at either end of each line, re-join.
        unified = system_user.sudo.replace('\r\n', '\n').replace('\r', '\n')
        sudo = ','.join(line.strip(',') for line in unified.split('\n'))
        # The result goes verbatim into a NOPASSWD rule; ``visudo -cf``
        # validates syntax only.
        tasks.append({
            'name': 'Set {} sudo setting'.format(username),
            'action': {
                'module': 'lineinfile',
                'args': ("dest=/etc/sudoers state=present regexp='^{0} ALL=' "
                         "line='{0} ALL=(ALL) NOPASSWD: {1}' "
                         "validate='visudo -cf %s'").format(username, sudo),
            },
        })

    return tasks
예제 #8
def get_push_system_user_tasks(system_user):
    """Build the Ansible tasks that push ``system_user`` to a managed host.

    The ``root`` account yields an empty list. Otherwise:
      * password set   -> create the user with a password hash, stat
                          /home/<username> and, if present, set its
                          owner/group and mode 700
      * public key set -> install it as an authorized key
      * sudo set       -> fold the (possibly multi-line) value into one
                          comma-separated list and write a NOPASSWD line
                          to /etc/sudoers
    """
    account = system_user.username
    # Exact-match guard: only the literal username "root" is refused.
    if account == "root":
        return []

    tasks = []
    add = tasks.append

    # NOTE(review): the ``args`` strings are built by interpolation; a field
    # containing spaces, quotes or ``key=`` text changes how the module
    # arguments are parsed. Confirm the fields are validated where stored.
    if system_user.password:
        shell = system_user.shell
        # NOTE(review): fixed salt literal shared by every account, so equal
        # passwords hash identically. A random per-account salt is the
        # usual choice; encrypt_password is not visible from here.
        hashed = encrypt_password(system_user.password, salt="K3mIlKK")
        add({
            'name': 'Add user {}'.format(account),
            'action': {
                'module': 'user',
                'args': 'name={} shell={} state=present password={}'.format(
                    account, shell, hashed),
            },
        })
        add({
            'name': 'Check home dir exists',
            'action': {
                'module': 'stat',
                'args': 'path=/home/{}'.format(account),
            },
            'register': 'home_existed',
        })
        add({
            'name': "Set home dir permission",
            'action': {
                'module': 'file',
                'args': "path=/home/{0} owner={0} group={0} mode=700".format(account),
            },
            # Runs only when the stat task found the directory.
            'when': 'home_existed.stat.exists == true',
        })

    if system_user.public_key:
        add({
            'name': 'Set {} authorized key'.format(account),
            'action': {
                'module': 'authorized_key',
                'args': "user={} state=present key='{}'".format(
                    account, system_user.public_key),
            },
        })

    if system_user.sudo:
        # Unify line endings, trim commas from both ends of every line,
        # then join the lines with commas.
        unified = system_user.sudo.replace('\r\n', '\n').replace('\r', '\n')
        sudo = ','.join(line.strip(',') for line in unified.split('\n'))
        # The value lands verbatim in a NOPASSWD rule; ``visudo -cf`` only
        # checks that the file still parses.
        add({
            'name': 'Set {} sudo setting'.format(account),
            'action': {
                'module': 'lineinfile',
                'args': ("dest=/etc/sudoers state=present regexp='^{0} ALL=' "
                         "line='{0} ALL=(ALL) NOPASSWD: {1}' "
                         "validate='visudo -cf %s'").format(account, sudo),
            },
        })

    return tasks
예제 #9
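def get_push_system_user_tasks(system_user):
    """Build the Ansible tasks that push ``system_user`` to a managed host.

    The ``root`` account yields an empty list. Otherwise a task (or pair of
    tasks) is added for each attribute that is set, in this order:

      * ``password``       -> create the user with a password hash
      * ``public_key``     -> install it as an authorized key
      * ``sudo``           -> one /etc/sudoers line ``<username> <sudo>``
      * ``rootsudo``       -> one /etc/sudoers line ``<username> <rootsudo>``
      * ``bashrc_snippet`` -> write ~/.lc_bashrc_snippet.bashrc and make
                              ~/.bashrc source it

    Returns:
        list of task dicts with ``name`` and ``action`` keys.
    """
    username = system_user.username
    # Exact-match guard: only the literal username "root" is refused.
    if username == "root":
        return []

    # NOTE(review): every ``args`` value is a key=value string built by
    # interpolation. A field containing spaces, quotes or ``key=`` text
    # changes how the module arguments are parsed -- confirm the fields are
    # validated where they are stored.
    tasks = []
    if system_user.password:
        tasks.append({
            'name': 'Add user {}'.format(username),
            'action': {
                'module': 'user',
                # NOTE(review): hard-coded salt shared by every account, so
                # equal passwords give equal hashes. Prefer a random
                # per-account salt; encrypt_password is not visible here.
                'args': 'name={} shell={} state=present password={}'.format(
                    username,
                    system_user.shell,
                    encrypt_password(system_user.password, salt="K3mIlKK"),
                ),
            }
        })
    if system_user.public_key:
        tasks.append({
            'name': 'Set {} authorized key'.format(username),
            'action': {
                'module': 'authorized_key',
                'args': "user={} state=present key='{}'".format(
                    username, system_user.public_key),
            }
        })
    if system_user.sudo:
        tasks.append({
            'name': 'Set {} sudo setting'.format(username),
            'action': {
                'module': 'lineinfile',
                # {0} is the username; {1} is the rest of the sudoers rule,
                # e.g. ALL=(ALL:ALL) NOPASSWD: /bin/whoami,/bin/ls
                # NOTE(review): the whole rule text comes from the sudo
                # field; ``visudo -cf`` validates syntax, not what the rule
                # grants.
                'args': (
                    "dest=/etc/sudoers state=present insertafter='includedir' regexp='^{0} ALL=' "
                    "line='{0} {1}' "
                    "validate='visudo -cf %s'"
                ).format(username, system_user.sudo),
            }
        })
    if system_user.rootsudo:
        tasks.append({
            'name': 'Set {} root sudo setting'.format(username),
            'action': {
                'module': 'lineinfile',
                # {0} is the username; {1} is the rest of the rule, e.g.
                # ALL=(root) NOPASSWD:/usr/sbin/nginx,/usr/sbin/iptables
                # The first fragment is a raw string: "\(" in an ordinary
                # literal is an invalid escape sequence, which newer Python
                # versions warn about. The resulting text is unchanged.
                'args': (
                    r"dest=/etc/sudoers state=present insertafter='includedir' regexp='^{0} ALL=\(root\)' "
                    "line='{0} {1}' "
                    "validate='visudo -cf %s'"
                ).format(username, system_user.rootsudo),
            }
        })
    if system_user.bashrc_snippet:
        tasks.append({
            'name': 'Create /home/{0}/.lc_bashrc_snippet.bashrc file '.format(username),
            'action': {
                'module': 'copy',
                # {0} is the username; {1} is the snippet text.
                # NOTE(review): the snippet is placed inside single quotes,
                # so a snippet that itself contains a single quote ends the
                # value early -- confirm it is escaped or restricted.
                'args': (
                    "dest=/home/{0}/.lc_bashrc_snippet.bashrc content='{1}' "
                    "force=yes mode='0600' owner='{0}' group='{0}'"
                ).format(username, system_user.bashrc_snippet),
            }
        })
        tasks.append({
            'name': (
                'Make sure .lc_bashrc_snippet.bashrc will always be sourced in /home/{0}/.bashrc '
            ).format(username),
            'action': {
                'module': 'lineinfile',
                # NOTE(review): the dots in this regexp are unescaped and
                # therefore match any character.
                'args': (
                    "dest=/home/{0}/.bashrc state=present regexp='^. /home/{0}/.lc_bashrc_snippet.bashrc$' "
                    "line='. /home/{0}/.lc_bashrc_snippet.bashrc' "
                ).format(username),
            }
        })
    return tasks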
예제 #10
 def _update_password(self, conn, email, raw_password):
     """Replace the stored password material of the user with this email.

     The first element returned by ``encrypt_password`` is discarded; the
     second is written as the column values of the ``users`` row matching
     ``email``. Nothing is returned.
     """
     # NOTE(review): raw_password is not checked for None/empty here;
     # presumably the caller validates it -- confirm.
     _unused_token, columns = encrypt_password(raw_password)
     db_utils.update(
         conn, "users", values=columns, where={'email': email})
예제 #11
 def insert(self, conn, email, raw_password):
     """Create a ``users`` row for ``email`` with derived password fields.

     The first element returned by ``encrypt_password`` is discarded; the
     second is merged into the row values. Returns whatever
     ``db_utils.insert`` returns.
     """
     _unused_token, password_columns = encrypt_password(raw_password)
     row = dict(email=email)
     # Merged second, so a key named "email" in the derived columns would
     # replace the caller's value.
     row.update(password_columns)
     return db_utils.insert(conn, "users", values=row)