webshscr is a lightweight web platform useful to expose shell script via web. It provide user authorization and account, reserving execution of specific shell scripts to specific groups.
webshscr is multiplatform; required packages are:
To install additional packages pip can be used:
python -m pip install flask flask_login
python -m pip install subprocess32
python -m pip install xmltodict
webshscr can be started as '.zip' file:
python webshscr.zip [<base_dir>]
or from source files with command:
python __main__.py [<base_dir>]
If <base_dir>
is not specified, base directory is considered current directory.
Under base directory following folders are used:
config
: contains config filesscripts
: contains shell script to be calledtemplates
: contains html templates (using Jinja 2 syntax)static
: contains static files called by html templates (images, .css files, .js files, etc.)
In config directory following files are used:
config.properties
: general configuration file.
Format: is Java properties, with indexed values in formkey=format
and comments starting with '#':TLS_enabled
: [0|1] enable TLS using https (with 0 http is used)crt_file
: optional, speciofy absolute path of Certificate File used by flask for https; if not specified and TLS is enabled, a bogus certificate is usedkey_file
: optional, speciofy absolute path of Key File used by flask for https; if not specified and TLS is enabled, a bogus certificate is usedLOG_LEVEL
: optional, is logging level. Permitted levels are:
0: log none (default)
1: log only Warnings
2: log Warnings and Errors
3: log Warnings, Errors and Info
4: log Warnings, Errors, Info and DebugLOG_FILE
: optional, is file to store log; if not specified isSTDOUT
.
pages.csv
: list of html pages permitted (listed in home page)
Format: is CSV with pipe separator (|
) with headers in 1st row; following are permitted fields:- page_name: page name in html (only page name, accessed with following URL:
http://host/pages/<html_page>
) - groups: groups separated by comma (
,
); those will be only authorized to access specified page - description: description that appear in list automatically generated in home page
- page_name: page name in html (only page name, accessed with following URL:
scripts.acl
: ACLs for running script files (specifying groups)
Format: fields are<script_name>:<groups>
with comment lines beginning with#
:- script_name is filename (not path) of a script in
scripts
subdirectory - groups: groups separated by commas; those will be only authorized to access specified script
- script_name is filename (not path) of a script in
users.dat
: user storing users with associated password and groups
Format:<user>:<encoded user/password>:<groups>
:- user: is user name
- enconded user/password: SHA-256 hashing of sequence
<user>:<password>
, then Base 64 encoded - groups: are groups containing specified user, separated by comma (
,
)
Following paths are reserved, and must be known by developer of web pages and scripts.
http(s)://<host>:<port>/login
: reserved path for login page (a cookie to store session for a specific user is used)http(s)://<host>:<port>/logout
: reserved path to logout current userhttp(s)://<host>:<port>/users
: reserved path for a predefined page to create / delete / modify users, password and groups. Only authenticated users of group admins are allowed to do so.http(s)://<host>:<port>/pages/<html_template>
: under this URL are mapped files contained intemplates
directory (they support Jinja 2 syntax)http(s)://<host>:<port>/static/<file>
: under this URL are mapped files contained instatic
directory, exposed verbatim via webhttp(s)://<host>:<port>/script.<xxx>/<script_file>
: under this path are mapped files contained inscripts
directory.
<xxx>
is protocol used to exchange values with scripts: permitted values areform
,json
,xml
(see Calling scripts)
Platform admit 3 protocol to call scripts (see URL paths and platform behavior).
Parameters are sent to script with key/value pair (optionally only key for a flag) and 3 values are returned:
code
: a numeric value indicating output code from script (0 = OK)out
: STDOUT output (used only if code is OK)err
: STDERR output (used only if code is not OK)
Formats:
- form: data is passed via GET or POST request with form format:
- Input:
key-1=value_1&...&key_n=value_n
- Output:
code=<num><CR>out|err=<message>
- Input:
- JSON: data is passed in JSON format:
- Input:
{"key_1": "value_1", ..., "key_n": "value_n"}
- Output:
{"code": <num>, "out": "<message", "err": "<message>"}
- Input:
- XML: data is passed in XML format with following structure:
- Input:
<key_1>value_1</key_1> ... <key_n>value_n</key_n>
- Output:
<code>num</code><out>message</out><err>message</err>
- Input:
In all cases parameters are passed to script with following syntax (conforming to getopt syntax):
script -k [value]
if key is 1 char widescript --key [value]
if key is 2+ char wide
User creation is permitted from CLI using command:
python createuser.py <options>
Options are:
-u
|--user
: specify user to create; if not specified default is admin-p
|--password
: specify password pwd for new user; if not specified default is admin-g
|--groups
<group_1>,...,<group_n>: specify groups for user, separated by comma (,); if not specified default is admins-o
|--output
<out_file>: specify file for output (using format expected for users.dat); if not specified is printed to STDOUT
This program is licensed under MIT license.
Commercial use is granted freely, but please inform me about this.