def main(client_id, user_arguments_dict):
    """Front end entry point: show the stored details of one runtime environment.

    The runtime environment is selected by the last 're_name' value of the
    validated request. The name goes through valid_dir_input against
    configuration.re_home before anything is looked up with it, and a
    rejected name is logged as a possible directory traversal attempt.

    Returns a (output_objects, returnvalues code) tuple. When input
    validation fails, the first element is whatever validate_input_and_cert
    handed back instead of output_objects.
    """

    (configuration, logger, output_objects, op_name) = \
        initialize_main_variables(client_id, op_header=False)
    defaults = signature()[1]
    output_objects.append({'object_type': 'header',
                           'text': 'Show runtime environment details'})
    (validate_status, accepted) = validate_input_and_cert(
        user_arguments_dict, defaults, output_objects, client_id,
        configuration, allow_rejects=False)
    if not validate_status:
        return (accepted, returnvalues.CLIENT_ERROR)

    def fail(text, code):
        """Queue an error_text entry and build the handler's return tuple."""
        output_objects.append({'object_type': 'error_text', 'text': text})
        return (output_objects, code)

    # Only the last submitted value is used
    requested_re = accepted['re_name'][-1]

    # NOTE(review): requested_re is request data and is echoed as-is into the
    # log line and the error texts below - confirm that input validation or
    # the output layer neutralises markup and line breaks.
    if not valid_dir_input(configuration.re_home, requested_re):
        logger.warning(
            "possible illegal directory traversal attempt re_name '%s'"
            % requested_re)
        return fail('Illegal runtime environment name: "%s"' % requested_re,
                    returnvalues.CLIENT_ERROR)

    if not is_runtime_environment(requested_re, configuration):
        return fail("'%s' is not an existing runtime environment!"
                    % requested_re, returnvalues.CLIENT_ERROR)

    page_title = find_entry(output_objects, 'title')
    page_title['text'] = 'Runtime environment details'

    # get_re_dict hands back the details plus a message used on failure
    (re_details, lookup_msg) = get_re_dict(requested_re, configuration)
    if not re_details:
        return fail('Could not read details for "%s"' % lookup_msg,
                    returnvalues.SYSTEM_ERROR)

    output_objects.append(build_reitem_object(configuration, re_details))
    return (output_objects, returnvalues.OK)
def init_vgrid_script_list(vgrid_name, client_id, configuration):
    """Gatekeeper shared by the vgrid listing scripts.

    Checks are made in this order and the first failure wins:
    1. a vgrid_name was supplied at all,
    2. valid_dir_input accepts it relative to configuration.vgrid_home,
    3. client_id is an owner or member of that vgrid.

    Returns (True, '', []) when every check passes, otherwise
    (False, explanation, None).
    """
    if not vgrid_name:
        return (False, 'Please specify vgrid_name in the query string', None)

    # The name is vetted before it is handed to the membership lookup
    name_ok = valid_dir_input(configuration.vgrid_home, vgrid_name)
    if not name_ok:
        return (False, 'Illegal vgrid_name: %s' % vgrid_name, None)

    if vgrid_is_owner_or_member(vgrid_name, client_id, configuration):
        return (True, '', [])

    denied = 'Failure: You must be an owner or member of ' + vgrid_name \
        + ' vgrid to get a list of members/owners/resources/triggers'
    return (False, denied, None)
def main(client_id, user_arguments_dict):
    """Front end entry point for fetching a resource exe's PGID.

    The part of the handler shown here only performs the access checks:
    the caller must own unique_resource_name, the PGID file name derived
    from exe_name must stay inside that resource's directory, and
    check_source_ip must accept the request's source address for the
    resource. Each failed check ends the request with CLIENT_ERROR.

    The listing stops after the source address check; res_type and status
    are assigned here but not read in the visible part.

    Returns a (output_objects, returnvalues code) tuple on every visible
    path; when input validation fails the first element is what
    validate_input returned.
    """

    (configuration, logger, output_objects, op_name) = \
        initialize_main_variables(client_id, op_header=False,
                                  op_title=False, op_menu=client_id)
    defaults = signature()[1]
    (validate_status, accepted) = validate_input(
        user_arguments_dict, defaults, output_objects, allow_rejects=False)
    if not validate_status:
        return (accepted, returnvalues.CLIENT_ERROR)

    # os.getenv gives None when REMOTE_ADDR is unset, which str() turns into
    # the text 'None'.
    # NOTE(review): behind a reverse proxy this is the proxy's address -
    # confirm against the deployment.
    remote_ip = str(os.getenv('REMOTE_ADDR'))

    res_type = accepted['type'][-1]
    unique_resource_name = accepted['unique_resource_name'][-1]
    exe_name = accepted['exe_name'][-1]

    status = returnvalues.OK

    def error_entry(text):
        """Wrap text as an error_text output object."""
        return {'object_type': 'error_text', 'text': text}

    # Web format for cert access and no header for SID access
    if not client_id:
        output_objects.append({'object_type': 'start'})
    else:
        for kind in ('title', 'header'):
            output_objects.append({'object_type': kind,
                                   'text': 'Load resource script PGID'})

    # Please note that base_dir must end in slash to avoid access to other
    # resource dirs when own name is a prefix of another resource name
    resource_path = os.path.join(configuration.resource_home,
                                 unique_resource_name)
    base_dir = os.path.abspath(resource_path) + os.sep

    owner = is_owner(client_id, unique_resource_name,
                     configuration.resource_home, logger)
    if not owner:
        output_objects.append(error_entry(
            "Failure: You must be an owner of '%s' to get the PGID!"
            % unique_resource_name))
        return (output_objects, returnvalues.CLIENT_ERROR)

    # is_owner incorporates unique_resource_name verification - no need to
    # specifically check for illegal directory traversal on that variable.
    # exe_name is not automatically checked however - do it manually
    pgid_file_name = 'EXE_' + exe_name + '.PGID'
    if not valid_dir_input(base_dir, pgid_file_name):

        # out of bounds - rogue resource!?!?

        output_objects.append(error_entry('invalid exe_name! %s' % exe_name))
        logger.error(
            'getrespgid called with illegal parameter(s) in what appears to be '
            'an illegal directory traversal attempt!: unique_resource_name %s, '
            'exe %s, client_id %s'
            % (unique_resource_name, exe_name, client_id))
        return (output_objects, returnvalues.CLIENT_ERROR)

    # Check that resource address matches request source to make DoS harder
    try:
        check_source_ip(remote_ip, unique_resource_name)
    except ValueError as source_err:
        output_objects.append(
            error_entry('invalid request: %s' % source_err))
        logger.error("Invalid put pgid: %s" % source_err)
        return (output_objects, returnvalues.CLIENT_ERROR)
localjobname = fieldstorage.getfirst('localjobname', '') sessionid = fieldstorage.getfirst('sessionid', '') o.out('interactivejob request from %s %s %s %s' % (remote_ip, exe_name, unique_resource_name, jobid)) # Please note that base_dir must end in slash to avoid access to other # resource dirs when own name is a prefix of another resource name base_dir = os.path.abspath(configuration.resource_home + os.sep + unique_resource_name) + os.sep # No owner check here so we need to specifically check for illegal # directory traversals if not valid_dir_input(configuration.resource_home, unique_resource_name): # out of bounds - rogue resource!?!? o.out('invalid unique_resource_name! %s' % unique_resource_name) o.internal('requestinteractivejob called with illegal parameter(s) in what appears to be an illegal directory traversal attempt!: unique_resource_name %s, exe_name %s, client_id %s' % (unique_resource_name, exe_name, client_id)) o.reply_and_exit(o.CLIENT_ERROR) if exe_name == '': o.out('requestinteractivejob error! exe was not specified in the query string. Looks like a mis-configured resource!' ) o.reply_and_exit(o.ERROR) if jobid == '': o.out('requestinteractivejob error! jobid was not specified in the query string. Looks like a mis-configured resource!'
def main(client_id, user_arguments_dict):
    """Front end entry point: delete a runtime environment owned by the caller.

    Checks run in this order, and the first failure ends the request:
    validated input, POST request, re_name accepted by valid_dir_input
    relative to configuration.re_home, re_name is an existing runtime
    environment, its details can be read, client_id equals the stored
    CREATOR, and no resource still uses it. Only then is delete_runtimeenv
    called.

    Returns a (output_objects, returnvalues code) tuple; when input
    validation fails the first element is what validate_input_and_cert
    returned.
    """

    (configuration, logger, output_objects, op_name) = \
        initialize_main_variables(client_id, op_header=False)
    page_title = find_entry(output_objects, 'title')
    page_title['text'] = 'Delete runtime environment'
    output_objects.append({'object_type': 'header',
                           'text': 'Delete runtime environment'})
    defaults = signature()[1]
    (validate_status, accepted) = validate_input_and_cert(
        user_arguments_dict, defaults, output_objects, client_id,
        configuration, allow_rejects=False)
    if not validate_status:
        return (accepted, returnvalues.CLIENT_ERROR)

    def fail(text, code):
        """Queue an error_text entry and build the handler's return tuple."""
        output_objects.append({'object_type': 'error_text', 'text': text})
        return (output_objects, code)

    def overview_link():
        """Build a fresh link object pointing back to the overview page."""
        return {'object_type': 'link',
                'destination': 'redb.py',
                'class': 'infolink',
                'title': 'Show runtime environments',
                'text': 'Show runtime environments'}

    # NOTE(review): only the request method is checked here; no anti-CSRF
    # token check is visible in this handler - confirm it is done elsewhere.
    if not correct_handler('POST'):
        return fail(
            'Only accepting POST requests to prevent unintended updates',
            returnvalues.CLIENT_ERROR)

    re_name = accepted['re_name'][-1]

    if not valid_dir_input(configuration.re_home, re_name):
        logger.warning(
            "possible illegal directory traversal attempt re_name '%s'"
            % re_name)
        return fail('Illegal runtime environment name: "%s"' % re_name,
                    returnvalues.CLIENT_ERROR)

    # Check whether re_name represents a runtime environment
    if not is_runtime_environment(re_name, configuration):
        return fail("No such runtime environment: '%s'" % re_name,
                    returnvalues.CLIENT_ERROR)

    # First element holds the details; it is false when reading failed
    re_lookup = get_re_dict(re_name, configuration)
    if not re_lookup[0]:
        return fail(
            'Could not read runtime environment details for %s' % re_name,
            returnvalues.SYSTEM_ERROR)

    # Make sure the runtime environment belongs to the user trying to delete
    # it: exact match against the stored CREATOR field
    creator = re_lookup[0]['CREATOR']
    if client_id != creator:
        return fail(
            'You are not the owner of runtime environment "%s"' % re_name,
            returnvalues.CLIENT_ERROR)

    # Prevent delete if the runtime environment is used by any resources.
    # NOTE(review): this lookup and the delete below are separate steps;
    # nothing visible here keeps a resource from starting to use the
    # runtime environment in between.
    actives = resources_using_re(configuration, re_name)
    if actives:
        # Report the blocking resources along with the error
        output_objects.append(
            {'object_type': 'error_text',
             'text': "Can't delete runtime environment '%s' in use by resources:"
             % re_name})
        output_objects.append({'object_type': 'list', 'list': actives})
        output_objects.append(overview_link())
        return (output_objects, returnvalues.CLIENT_ERROR)

    # Delete the runtime environment
    (status, msg) = delete_runtimeenv(re_name, configuration)
    if not status:
        return fail('Could not remove %s runtime environment: %s'
                    % (re_name, msg), returnvalues.SYSTEM_ERROR)

    # Deletion went through: confirm and link back to the overview
    output_objects.append(
        {'object_type': 'text',
         'text': 'Successfully deleted runtime environment: "%s"' % re_name})
    output_objects.append(overview_link())
    return (output_objects, returnvalues.OK)
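def main(client_id, user_arguments_dict):
    """Front end entry point for storing a resource exe's PGID.

    No certificate-backed owner check is made in the part shown here, so
    both request-supplied path components are checked by hand:
    unique_resource_name relative to configuration.resource_home, then the
    PGID file name derived from exe_name relative to that resource's
    directory. Finally check_source_ip must accept the request's source
    address for the resource. Each failed check ends the request with
    CLIENT_ERROR, is logged, and is reported to the caller as an
    error_text entry.

    The listing stops after the source address check; res_type, pgid and
    status are assigned here but not read in the visible part.

    Returns a (output_objects, returnvalues code) tuple on every visible
    path; when input validation fails the first element is what
    validate_input returned.
    """

    (configuration, logger, output_objects, op_name) = \
        initialize_main_variables(client_id, op_header=False,
                                  op_title=False, op_menu=client_id)
    defaults = signature()[1]
    (validate_status, accepted) = validate_input(
        user_arguments_dict, defaults, output_objects, allow_rejects=False)
    if not validate_status:
        return (accepted, returnvalues.CLIENT_ERROR)

    # os.getenv gives None when REMOTE_ADDR is unset, which str() turns into
    # the text 'None'
    remote_ip = str(os.getenv('REMOTE_ADDR'))

    res_type = accepted['type'][-1]
    unique_resource_name = accepted['unique_resource_name'][-1]
    exe_name = accepted['exe_name'][-1]
    pgid = accepted['pgid'][-1]

    status = returnvalues.OK

    # Web format for cert access and no header for SID access
    if client_id:
        output_objects.append({'object_type': 'title',
                               'text': 'Load resource script PGID'})
        output_objects.append({'object_type': 'header',
                               'text': 'Load resource script PGID'})
    else:
        output_objects.append({'object_type': 'start'})

    # We do not have a trusted base dir here since there's no certificate
    # data. Manually check input variables.
    # NOTE(review): the rejected values go into the log lines below with %s;
    # confirm validate_input limits them to characters that cannot break up
    # a log line.
    if not valid_dir_input(configuration.resource_home,
                           unique_resource_name):

        # out of bounds - rogue resource!?!?

        msg = 'invalid unique_resource_name! %s' % unique_resource_name
        # Tell the caller why the request was refused instead of returning
        # a bare error code
        output_objects.append({'object_type': 'error_text', 'text': msg})
        logger.error(
            'putrespgid FE called with illegal parameter(s) in what appears '
            'to be an illegal directory traversal attempt!: '
            'unique_resource_name %s, exe %s, client_id %s'
            % (unique_resource_name, exe_name, client_id))
        return (output_objects, returnvalues.CLIENT_ERROR)

    # Built only once the resource name has passed the check above.
    # Please note that base_dir must end in slash to avoid access to other
    # resource dirs when own name is a prefix of another resource name
    base_dir = os.path.abspath(os.path.join(configuration.resource_home,
                                            unique_resource_name)) + os.sep

    if not valid_dir_input(base_dir, 'EXE_%s.PGID' % exe_name):

        # out of bounds - rogue resource!?!?

        msg = 'invalid unique_resource_name / exe_name! %s / %s' \
            % (unique_resource_name, exe_name)
        output_objects.append({'object_type': 'error_text', 'text': msg})
        logger.error(
            'putrespgid EXE called with illegal parameter(s) in what appears '
            'to be an illegal directory traversal attempt!: '
            'unique_resource_name %s, exe %s, client_id %s'
            % (unique_resource_name, exe_name, client_id))
        return (output_objects, returnvalues.CLIENT_ERROR)

    # Check that resource address matches request source to make DoS harder
    try:
        check_source_ip(remote_ip, unique_resource_name)
    except ValueError as vae:
        output_objects.append({'object_type': 'error_text',
                               'text': 'invalid request: %s' % vae})
        logger.error("Invalid put pgid: %s" % vae)
        return (output_objects, returnvalues.CLIENT_ERROR)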
def init_vgrid_script_add_rem(
    vgrid_name,
    client_id,
    subject,
    subject_type,
    configuration,
    ):
    """Decide whether client_id may add or remove subject on vgrid_name.

    subject_type is one of 'member', 'owner', 'resource' or 'trigger'.
    After the basic input checks the rules are:
    - a member may remove their own membership,
    - a trigger that does not exist yet, or that client_id owns, is allowed,
    - everything else requires client_id to own the vgrid.

    Returns (True, msg, []) when allowed and (False, msg, None) when not,
    except that an unknown subject_type gives (False, msg, []). msg may
    carry a non-fatal warning about an unknown resource even on success.
    """
    if not vgrid_name:
        return (False, 'Please specify vgrid_name in the querystring', None)
    if not subject:
        return (False, 'Please provide the name of the %s' % subject_type,
                None)
    if not valid_dir_input(configuration.vgrid_home, vgrid_name):
        return (False, 'Illegal vgrid_name: %s' % vgrid_name, None)

    # Only an unknown resource leaves a note behind without stopping
    pending_note = ''
    if subject_type in ('member', 'owner'):
        if not is_user(subject, configuration.mig_server_home):
            return (False, '%s is not a valid %s user!'
                    % (subject, configuration.short_title), None)
    elif subject_type == 'resource':
        if not is_resource(subject, configuration.resource_home):
            pending_note = '%s is not a valid %s resource' \
                % (subject, configuration.short_title)
            pending_note += \
                ' (OK, if removing or e.g. the resource creation is pending)'
    elif subject_type != 'trigger':
        # Trigger rules are checked later; anything else is unknown
        return (False, 'unknown subject type in init_vgrid_script_add_rem',
                [])

    # special case: members may terminate own membership
    if subject_type == 'member' and client_id == subject:
        if vgrid_is_member(vgrid_name, subject, configuration):
            return (True, pending_note, [])

    # special case: members may remove own triggers and add new ones
    # NOTE(review): this branch does not itself check that client_id is a
    # member of the vgrid; a trigger name that is not registered yet passes
    # for any client_id here - presumably the caller enforces membership,
    # confirm.
    if subject_type == 'trigger':
        if not vgrid_is_trigger(vgrid_name, subject, configuration) or \
                vgrid_is_trigger_owner(vgrid_name, subject, client_id,
                                       configuration):
            return (True, pending_note, [])

    # otherwise: only owners may add or remove
    if vgrid_is_owner(vgrid_name, client_id, configuration):
        return (True, pending_note, [])

    denied = 'You must be an owner of the %s vgrid to add/remove %s' \
        % (vgrid_name, subject_type)
    return (False, pending_note + denied, None)
def main(client_id, user_arguments_dict):
    """Front end entry point: create a new vgrid, possibly nested in a parent.

    The part shown here validates the request and creates the vgrid's base
    directory: the request must be a POST, vgrid_name must not be a reserved
    name and must pass valid_dir_input relative to configuration.vgrid_home,
    the user must be known and allowed by vgrid_create_allowed, the vgrid
    must not exist yet, and for a nested name the parent must exist and be
    owned by client_id.

    The listing stops right after the os.mkdir call; client_dir,
    new_base_vgrid and the scm/tracker/forum paths are assigned here but not
    read in the visible part.

    Returns a (output_objects, returnvalues code) tuple on every visible
    path; when input validation fails the first element is what
    validate_input_and_cert returned.
    """

    (configuration, logger, output_objects, op_name) = \
        initialize_main_variables(client_id, op_header=False)
    client_dir = client_id_dir(client_id)
    defaults = signature()[1]
    (validate_status, accepted) = validate_input_and_cert(
        user_arguments_dict,
        defaults,
        output_objects,
        client_id,
        configuration,
        allow_rejects=False,
        )
    if not validate_status:
        return (accepted, returnvalues.CLIENT_ERROR)

    # NOTE(review): only the request method is checked here; no anti-CSRF
    # token check is visible in this handler - confirm it is done elsewhere.
    if not correct_handler('POST'):
        output_objects.append(
            {'object_type': 'error_text', 'text'
             : 'Only accepting POST requests to prevent unintended updates'})
        return (output_objects, returnvalues.CLIENT_ERROR)

    # Last submitted value with surrounding whitespace removed
    vgrid_name = accepted['vgrid_name'][-1].strip()

    title_entry = find_entry(output_objects, 'title')
    title_entry['text'] = 'Create %s' % configuration.site_vgrid_label
    output_objects.append({'object_type': 'header', 'text': 'Create %s' % \
                           configuration.site_vgrid_label})

    # No owner check here so we need to specifically check for illegal
    # directory access
    # NOTE(review): valid_dir_input is applied relative to vgrid_home only,
    # while the same vgrid_name is joined under vgrid_public_base,
    # vgrid_private_base and vgrid_files_home further down - presumably the
    # verdict carries over to those bases, confirm.

    reserved_names = (default_vgrid, any_vgrid, all_vgrids)
    if vgrid_name in reserved_names or \
           not valid_dir_input(configuration.vgrid_home, vgrid_name):
        output_objects.append({'object_type': 'error_text', 'text'
                              : 'Illegal vgrid_name: %s' % vgrid_name})
        logger.warning("""createvgrid possible illegal directory access attempt by '%s': vgrid_name '%s'""" % (client_id, vgrid_name))
        return (output_objects, returnvalues.CLIENT_ERROR)

    user_map = get_full_user_map(configuration)
    user_dict = user_map.get(client_id, None)

    # Optional limitation of create vgrid permission
    # A client_id without an entry in the user map is refused as well

    if not user_dict or \
           not vgrid_create_allowed(configuration, user_dict):
        logger.warning("user %s is not allowed to create %ss!" % \
                       (client_id, configuration.site_vgrid_label))
        output_objects.append(
            {'object_type': 'error_text', 'text'
             : 'Only privileged users can create %ss' % \
             configuration.site_vgrid_label})
        return (output_objects, returnvalues.CLIENT_ERROR)

    # Please note that base_dir must end in slash to avoid access to other
    # user dirs when own name is a prefix of another user name

    base_dir = os.path.abspath(os.path.join(configuration.vgrid_home,
                               vgrid_name)) + os.sep
    public_base_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_public_base,
                        vgrid_name)) + os.sep
    public_scm_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_public_base,
                        vgrid_name, '.vgridscm')) + os.sep
    public_tracker_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_public_base,
                        vgrid_name, '.vgridtracker')) + os.sep
    private_base_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_private_base,
                        vgrid_name)) + os.sep
    private_scm_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_private_base,
                        vgrid_name, '.vgridscm')) + os.sep
    private_tracker_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_private_base,
                        vgrid_name, '.vgridtracker')) + os.sep
    private_forum_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_private_base,
                        vgrid_name, '.vgridforum')) + os.sep
    vgrid_files_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_files_home,
                        vgrid_name)) + os.sep
    vgrid_scm_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_files_home,
                        vgrid_name, '.vgridscm')) + os.sep
    vgrid_tracker_dir = \
        os.path.abspath(os.path.join(configuration.vgrid_files_home,
                        vgrid_name, '.vgridtracker')) + os.sep

    # does vgrid exist?

    if os.path.isdir(base_dir):
        output_objects.append(
            {'object_type': 'error_text', 'text'
             : '%s %s cannot be created because it already exists!'
             % (configuration.site_vgrid_label, vgrid_name)})
        return (output_objects, returnvalues.CLIENT_ERROR)

    # verify that client is owner of imada or imada/topology if trying to
    # create imada/topology/test

    vgrid_name_list = vgrid_name.split('/')
    vgrid_name_list_length = len(vgrid_name_list)
    if vgrid_name_list_length <= 0:
        # str.split always returns at least one element, so this branch is
        # not expected to run
        output_objects.append({'object_type': 'error_text', 'text'
                              : 'vgrid_name not specified?'})
        return (output_objects, returnvalues.SYSTEM_ERROR)
    elif vgrid_name_list_length == 1:

        # anyone can create base vgrid

        new_base_vgrid = True
    else:
        new_base_vgrid = False
        # Everything before the last '/' names the parent vgrid
        vgrid_name_without_last_fragment = \
            '/'.join(vgrid_name_list[0:vgrid_name_list_length - 1])
        # Parent directory of base_dir once its trailing separator is gone
        parent_base = os.path.dirname(base_dir.rstrip(os.sep))
        if not os.path.isdir(parent_base):
            output_objects.append(
                {'object_type': 'error_text', 'text'
                 : 'Parent %s %s does not exist!' % \
                 (configuration.site_vgrid_label,
                  vgrid_name_without_last_fragment)
                 })
            return (output_objects, returnvalues.CLIENT_ERROR)
        # Creating a sub vgrid requires ownership of the direct parent
        if not vgrid_is_owner(vgrid_name_without_last_fragment,
                              client_id, configuration):
            output_objects.append(
                {'object_type': 'error_text', 'text'
                 : 'You must own a parent %s to create a sub vgrid' % \
                 configuration.site_vgrid_label
                 })
            return (output_objects, returnvalues.CLIENT_ERROR)

    # make sure all dirs can be created (that a file or directory with the same
    # name do not exist prior to the vgrid creation)
    # These existence checks and the creation below are separate steps;
    # os.mkdir itself still raises if base_dir has appeared in the meantime.

    try_again_string = \
        """%s cannot be created, a file or directory exists with the same name, please try again with a new name!""" % configuration.site_vgrid_label
    if os.path.exists(public_base_dir):
        output_objects.append({'object_type': 'error_text', 'text'
                              : try_again_string})
        return (output_objects, returnvalues.CLIENT_ERROR)
    if os.path.exists(private_base_dir):
        output_objects.append({'object_type': 'error_text', 'text'
                              : try_again_string})
        return (output_objects, returnvalues.CLIENT_ERROR)
    if os.path.exists(vgrid_files_dir):
        output_objects.append({'object_type': 'error_text', 'text'
                              : try_again_string})
        return (output_objects, returnvalues.CLIENT_ERROR)

    # create directory to store vgrid files

    try:
        os.mkdir(base_dir)
    except Exception, exc:
        # Every failure is reported as a client error with the same hint;
        # exc is neither logged nor shown in the visible code
        output_objects.append(
            {'object_type': 'error_text', 'text'
             : """Could not create %(_label)s directory, remember to create parent %(_label)s before creating a sub-%(_label)s.""" % \
             {'_label': configuration.site_vgrid_label}
             })
        return (output_objects, returnvalues.CLIENT_ERROR)
def main(client_id, user_arguments_dict): """Main function used by front end""" (configuration, logger, output_objects, op_name) = \ initialize_main_variables(client_id, op_header=False) title_entry = find_entry(output_objects, 'title') title_entry['text'] = 'Runtime env support' output_objects.append({'object_type': 'header', 'text' : 'Test runtime environment support'}) client_dir = client_id_dir(client_id) defaults = signature()[1] (validate_status, accepted) = validate_input_and_cert( user_arguments_dict, defaults, output_objects, client_id, configuration, allow_rejects=False, ) if not validate_status: logger.warning('%s invalid input: %s' % (op_name, accepted)) return (accepted, returnvalues.CLIENT_ERROR) resource_list = accepted['unique_resource_name'] re_name = accepted['re_name'][-1] status = returnvalues.OK visible_res = user_visible_res_confs(configuration, client_id) if not re_name: output_objects.append( {'object_type': 'error_text', 'text' : 'Please specify the name of the runtime environment!'}) return (output_objects, returnvalues.CLIENT_ERROR) if not valid_dir_input(configuration.re_home, re_name): logger.warning( "possible illegal directory traversal attempt re_name '%s'" % re_name) output_objects.append({'object_type': 'error_text', 'text' : 'Illegal runtime environment name: "%s"' % re_name}) return (output_objects, returnvalues.CLIENT_ERROR) # Please note that base_dir must end in slash to avoid access to other # user dirs when own name is a prefix of another user name base_dir = os.path.abspath(os.path.join(configuration.user_home, client_dir)) + os.sep for visible_res_name in resource_list: if not visible_res_name in visible_res.keys(): logger.warning('User %s not allowed to view %s (%s)' % \ (client_id, visible_res_name, visible_res.keys())) output_objects.append({'object_type': 'error_text', 'text': 'invalid resource %s' % \ visible_res_name}) status = returnvalues.CLIENT_ERROR continue if not is_owner(client_id, visible_res_name, 
configuration.resource_home, logger): output_objects.append( {'object_type': 'error_text', 'text': 'You must be an owner of the resource to validate runtime ' 'environment support. (resource %s)' % visible_res_name}) status = returnvalues.CLIENT_ERROR continue (re_dict, re_msg) = get_re_dict(re_name, configuration) if not re_dict: output_objects.append( {'object_type': 'error_text', 'text': 'Could not get re_dict %s' % re_msg}) status = returnvalues.SYSTEM_ERROR continue if not testresource_has_re_specified(visible_res_name, re_name, configuration): output_objects.append( {'object_type': 'error_text', 'text': 'You must specify the runtime environment in the resource' 'configuration before verifying if it is supported!'}) status = returnvalues.CLIENT_ERROR continue base64string = '' for stringpart in re_dict['TESTPROCEDURE']: base64string += stringpart mrslfile_content = base64.decodestring(base64string) try: (filehandle, mrslfile) = tempfile.mkstemp(text=True) os.write(filehandle, mrslfile_content) os.close(filehandle) create_verify_files(['status', 'stdout', 'stderr'], re_name, re_dict, base_dir, logger) except Exception, exc: output_objects.append( {'object_type': 'error_text', 'text': 'Could not write test job for %s: %s' % (visible_res_name, exc)}) status = returnvalues.SYSTEM_ERROR continue forceddestination_dict = {'UNIQUE_RESOURCE_NAME': visible_res_name, 'RE_NAME': re_name} (success, msg) = new_job(mrslfile, client_id, configuration, forceddestination_dict) if not success: output_objects.append( {'object_type': 'error_text', 'text': 'Submit test job failed %s: %s' % (visible_res_name, msg)}) status = returnvalues.SYSTEM_ERROR try: os.remove(mrslfile) except: pass output_objects.append( {'object_type': 'text', 'text': 'Runtime environment test job for %s successfuly submitted! %s' \ % (visible_res_name, msg)})