ok

Mini Shell

Direktori : /opt/imunify360/venv/lib64/python3.11/site-packages/im360/subsys/
Upload File :
Current File : //opt/imunify360/venv/lib64/python3.11/site-packages/im360/subsys/pam.py

import asyncio
import functools
import logging
import signal
from enum import Enum
from typing import List, Dict

import yaml

from defence360agent.utils import CheckRunError, atomic_rewrite, check_run, run
from defence360agent.utils.kwconfig import KWConfig


_PAM_EXECUTABLE = "imunify360-pam"
logger = logging.getLogger(__name__)


class PamService:
    DOVECOT_NATIVE = "dovecot-native"
    DOVECOT_PAM = "dovecot-pam"
    FTP = "ftp"
    SSHD = "sshd"


class PamServiceStatusValue:
    enabled = "enabled"
    disabled = "disabled"


class DovecotStatus(str, Enum):
    DISABLED = "disabled"
    PAM = "pam"
    NATIVE = "native"

    def __str__(self):
        return self.value


_DEFAULT_STATUS = {
    PamService.DOVECOT_NATIVE: PamServiceStatusValue.disabled,
    PamService.DOVECOT_PAM: PamServiceStatusValue.disabled,
    PamService.FTP: PamServiceStatusValue.disabled,
    PamService.SSHD: PamServiceStatusValue.disabled,
}


class PAMError(Exception):
    pass


class _Config(KWConfig):
    SEARCH_PATTERN = r"^\s*{}\s*=\s*(.*?)\s*$"
    WRITE_PATTERN = "{}={}"
    DEFAULT_FILENAME = "/etc/pam_imunify/i360.ini"

    _IP_WHITELIST_OPTION = "whitelisted_ips_path"
    _IP_WHITELIST_DEFAULT = "/var/i360_pam_imunify/wl/ips.txt"

    def get_default(self, default: str) -> str:
        v = self.get()
        return v if v is not None else default

    @classmethod
    def ip_whitelist_path(cls) -> str:
        try:
            return (
                cls(cls._IP_WHITELIST_OPTION).get_default(
                    cls._IP_WHITELIST_DEFAULT
                )
                # whitelisted_ips_path is comma separated list
                # where user ip list path goes the last
                .split(",")[-1]
            )
        except FileNotFoundError:
            return cls._IP_WHITELIST_DEFAULT


async def _export_list(path: str, values: List[str]) -> None:
    loop = asyncio.get_event_loop()
    content = "".join([v + "\n" for v in values])
    writer = functools.partial(atomic_rewrite, path, content, backup=False)
    await loop.run_in_executor(None, writer)


async def export_ip_whitelist(networks: List[str]) -> None:
    """Save a list of `networks` into IP address whitelist."""
    await _export_list(_Config.ip_whitelist_path(), networks)


async def get_status() -> Dict:
    cmd = [_PAM_EXECUTABLE, "status", "--yaml"]
    try:
        returncode, output, err = await run(cmd)
    except FileNotFoundError:
        return _DEFAULT_STATUS
    except OSError as exc:
        raise PAMError("PAM status failed") from exc
    else:
        if returncode == -signal.SIGTERM:
            # Don't send SIGTERM to Sentry
            # (presumably on shutdown on systemctl stop imunify360)
            logger.warning(
                "SIGTERM while getting pam status, rc: %s, out: %s, err: %s",
                returncode,
                output,
                err,
            )
            return _DEFAULT_STATUS
        elif returncode != 0 or output.strip() == b"":
            raise PAMError(
                "PAM status failed: run(%r) = %r"
                % (cmd, (returncode, output, err))
            )
    log_response_warnings(output)
    try:
        return yaml.safe_load(output.decode())["status"]
    except (UnicodeDecodeError, yaml.YAMLError, TypeError, KeyError) as e:
        raise PAMError(f"Can't get pam status from {output!r}") from e


async def enable(module, dry_run=False) -> None:
    """Enable PAM module. Raises PAMError."""
    pam_command = {
        PamService.SSHD: ["enable"],
        PamService.DOVECOT_PAM: ["set-dovecot", "pam"],
        PamService.DOVECOT_NATIVE: ["set-dovecot", "native"],
        PamService.FTP: ["enable-ftp"],
    }[module]
    try:
        output = await check_run(
            [
                _PAM_EXECUTABLE,
                *pam_command,
                *(["--dry-run"] if dry_run else []),
                "--yaml",
            ]
        )
        log_response_warnings(output)
    except CheckRunError as exc:
        raise PAMError("failed to enable PAM for %s" % module) from exc


async def disable(module) -> None:
    """Disable PAM module. Raises PAMError."""
    pam_command = {
        PamService.SSHD: ["disable"],
        PamService.DOVECOT_PAM: ["set-dovecot", "disabled"],
        PamService.DOVECOT_NATIVE: ["set-dovecot", "disabled"],
        PamService.FTP: ["disable-ftp"],
    }[module]
    try:
        output = await check_run([_PAM_EXECUTABLE, *pam_command, "--yaml"])
        log_response_warnings(output)
    except CheckRunError as exc:
        raise PAMError("failed to disable PAM for %s" % module) from exc


def log_response_warnings(output):
    try:
        response = yaml.safe_load(output.decode())
    except (yaml.YAMLError, UnicodeDecodeError):
        logger.warning("Not yaml response for %s: %s", _PAM_EXECUTABLE, output)
        response = None
    warnings = response and response.get("warnings")
    if warnings:
        logger.warning("imunify360-pam warnings: %s", warnings)

Zerion Mini Shell 1.0