def make_extra_dev(newroot_norm, extra_devices, owner):
"""Create all the configured "extra" passthrough devices.
:param ``str`` newroot_norm:
Path to the container root directory.
:param ``list`` extra_devices:
List of extra device specification.
:param ``str`` owner:
Username of the owner of the new devices.
"""
(uid, gid) = utils.get_uid_gid(owner)
for extra_dev in extra_devices:
if not extra_dev.startswith('/dev'):
_LOGGER.warning('Bad passthrough device %r.', extra_dev)
continue
try:
dev_stat = os.stat(extra_dev)
except OSError as err:
_LOGGER.warning('Failed to stat() %r: Skipping.', extra_dev)
continue
if stat.S_ISDIR(dev_stat.st_mode):
_LOGGER.warning('Cannot Passthrough directory %r', extra_dev)
continue
passthrough_dev = os.path.join(newroot_norm, extra_dev[1:])
if os.path.dirname(extra_dev) != '/dev':
# We have to create more directories under '/dev'
fs.mkdir_safe(os.path.dirname(passthrough_dev))
os.mknod(passthrough_dev,
stat.S_IFMT(dev_stat.st_mode) | 0o600, dev_stat.st_rdev)
os.chown(passthrough_dev, uid, gid)
def __init__(self, princ, ticket):
self.princ = princ
self.ticket = ticket
self.user = princ[:princ.find('@') if '@' in princ else len(princ)]
try:
self.uid = utils.get_uid_gid(self.user)[0]
except KeyError:
_LOGGER.warning('princ/user does not exist: %s', self.user)
self.uid = None
def _create_overlay_group(root_dir, proid):
"""create a overlay /etc/group in oder to mount into container
"""
path = os.path.join(root_dir, _CONTAINER_DOCKER_ETC_DIR, 'group')
(_uid, gid) = utils.get_uid_gid(proid)
with io.open(path, 'w') as f:
root = _GROUP_PATTERN.format(NAME='root', GID=0)
f.write('{}\n'.format(root))
group = _GROUP_PATTERN.format(NAME=grp.getgrgid(gid).gr_name, GID=gid)
f.write('{}\n'.format(group))
def make_keytab(kt_target, kt_components, owner=None):
"""Construct target keytab from individial components."""
_LOGGER.info('Creating keytab: %s %r, owner=%s', kt_target, kt_components,
owner)
cmd_line = ['kt_add', kt_target] + kt_components
subproc.check_call(cmd_line)
if owner:
(uid, _gid) = utils.get_uid_gid(owner)
os.chown(kt_target, uid, -1)
def _prepare_hosts(container_dir, app):
"""Create a hosts file for the container.
overlay/
/etc/
hosts # hosts file to be bind mounted in container.
/run/
/host-aliases/ # Directory to be bind mounted in container.
"""
etc_dir = os.path.join(container_dir, 'overlay', 'etc')
ha_dir = os.path.join(container_dir, 'overlay', 'run', 'host-aliases')
fs.mkdir_safe(etc_dir)
fs.mkdir_safe(ha_dir)
shutil.copyfile('/etc/hosts', os.path.join(etc_dir, 'hosts'))
(uid, gid) = utils.get_uid_gid(app.proid)
os.chown(ha_dir, uid, gid)
def _create_overlay_passwd(root_dir, proid):
"""create a overlay /etc/passwd in order to mount into container
"""
path = os.path.join(root_dir, _CONTAINER_DOCKER_ETC_DIR, 'passwd')
(uid, gid) = utils.get_uid_gid(proid)
with io.open(path, 'w') as f:
root = _PASSWD_PATTERN.format(NAME='root',
UID=0,
GID=0,
INFO='root',
HOME='/root',
SHELL='/bin/sh')
f.write('{}\n'.format(root))
user = _PASSWD_PATTERN.format(NAME=proid,
UID=uid,
GID=gid,
INFO='',
HOME='/',
SHELL='/sbin/nologin')
f.write('{}\n'.format(user))
def _ensure_table_exists(database, owner=None):
"""Creates table if table does not exist.
:param database: Path to SQLite3 db file.
"""
conn = sqlite3.connect(database)
cur = conn.cursor()
# store virtual => proid map
# keytab: keytab file name e.g. host#vip1.domain.com@realm
# table columns definitions:
# proid: matched proid for the VIP keytab
# vip: vip1.domain.com
cur.execute('''
CREATE TABLE IF NOT EXISTS %s
(proid text, vip text)
''' % keytabs2.TABLE)
conn.commit()
conn.close()
if owner is not None:
(uid, gid) = utils.get_uid_gid(owner)
os.chown(database, uid, gid)
def _install(package, src_dir, dst_dir, params, prefix_len=None, rec=None):
"""Interpolate source directory into target directory with params.
"""
package_name = package.__name__
_LOGGER.info(
'Installing package: %s %s %s', package_name, src_dir, dst_dir
)
contents = pkg_resources.resource_listdir(package_name, src_dir)
if prefix_len is None:
prefix_len = len(src_dir) + 1
for item in contents:
resource_path = os.path.join(src_dir, item)
dst_path = os.path.join(dst_dir, resource_path[prefix_len:])
if pkg_resources.resource_isdir(package_name,
os.path.join(src_dir, item)):
fs.mkdir_safe(dst_path)
# Check directory ownership.
owner_rsrc = os.path.join(resource_path, '.owner')
if pkg_resources.resource_exists(package_name, owner_rsrc):
owner = bootstrap.interpolate(
pkg_resources.resource_string(
package_name, owner_rsrc
).decode(),
params
).strip()
try:
_LOGGER.info('Setting owner: %r - %r', dst_path, owner)
(uid, gid) = utils.get_uid_gid(owner)
os.chown(dst_path, uid, gid)
except (IOError, OSError) as err:
if err.errno != errno.ENOENT:
raise
if rec:
rec.write('%s\n' % os.path.join(dst_path, ''))
install_fn = _install
# Test if is a scan dir first
if _is_scan_dir(package, os.path.join(src_dir, item), dst_path):
_LOGGER.info('Scan dir found: %s => %s', resource_path,
dst_path)
install_fn = _install_scan_dir
install_fn(
package,
os.path.join(src_dir, item),
dst_dir,
params,
prefix_len=prefix_len,
rec=rec
)
else:
if resource_path.endswith('.swp'):
continue
if resource_path.endswith('.owner'):
continue
resource_str = pkg_resources.resource_string(
package_name,
resource_path
)
if rec:
rec.write('%s\n' % dst_path)
_update(dst_path,
bootstrap.render(resource_str.decode('utf8'), params))
def __init__(self, **kwargs):
users = kwargs.get('users', [])
self._users = [utils.get_uid_gid(user) for user in users]
_LOGGER.debug('Allowed uid, gid: %r', self._users)
# TODO: add schema validation
def authzreq(data):
"""implement AuthZPlugin.AuthZReq
"""
if 'RequestBody' in data:
request_body = base64.b64decode(data['RequestBody'])
_LOGGER.debug('request body: %s', request_body)
request_obj = json.loads(request_body.decode())
else:
request_obj = {}
for plugin in self._plugins:
(allow, msg) = plugin.run_req(data['RequestMethod'],
data['RequestUri'],
request_obj,
users=self._users)
if not allow:
break
else:
allow = True
_LOGGER.info(
'Request: %s %s %s (%s)',
data['RequestMethod'],
data['RequestUri'],
('Authorized' if allow else 'Not authorized'),
msg,
)
return (allow, msg)
# TODO: add schema validation
def authzres(data):
"""implement AuthZPlugin.AuthZReq
"""
if 'RequestBody' in data:
request_body = base64.b64decode(data['RequestBody'])
_LOGGER.debug('request body: %s', request_body)
request_obj = json.loads(request_body.decode())
else:
request_obj = {}
if 'ResponseBody' in data:
response_body = base64.b64decode(data['ResponseBody'])
_LOGGER.debug('response body: %s', response_body)
response_obj = json.loads(response_body.decode())
else:
response_obj = {}
for plugin in self._plugins:
(allow, msg) = plugin.run_res(
data['RequestMethod'],
data['RequestUri'],
request_obj,
response_obj,
users=self._users,
)
if not allow:
break
else:
allow = True
_LOGGER.info(
'Response: %s %s %s %s',
data['RequestMethod'],
data['RequestUri'],
data.get('ResponseStatusCode', None),
('Authorized' if allow else 'Not authorized'),
)
return (allow, msg)
# TODO: add schema validation
def activate():
"""Implement Plugin.Activate
"""
return {'Implements': [_PLUGIN_NAME]}
self.authzreq = authzreq
self.authzres = authzres
self.activate = activate