2021-11-11 18:31:28 +00:00
|
|
|
#!/usr/bin/env python3
|
2021-11-16 16:14:01 +00:00
|
|
|
"""Various utility functions"""
|
2022-06-24 17:08:58 +00:00
|
|
|
import datetime
|
2022-01-14 05:38:53 +00:00
|
|
|
from enum import Enum
|
2021-11-22 16:50:50 +00:00
|
|
|
import json
|
2022-07-05 05:14:37 +00:00
|
|
|
import os
|
|
|
|
import subprocess
|
2021-11-22 16:50:50 +00:00
|
|
|
import portalocker
|
2024-11-15 00:35:07 +00:00
|
|
|
from typing import Optional
|
2024-10-14 11:29:00 +00:00
|
|
|
import glob
|
2021-11-16 16:14:01 +00:00
|
|
|
|
2024-08-28 15:18:10 +00:00
|
|
|
from traceback import format_tb as format_traceback
|
|
|
|
|
2024-07-26 15:33:04 +00:00
|
|
|
from selfprivacy_api.utils.default_subdomains import (
|
|
|
|
DEFAULT_SUBDOMAINS,
|
|
|
|
RESERVED_SUBDOMAINS,
|
|
|
|
)
|
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
|
2024-01-09 18:58:09 +00:00
|
|
|
USERDATA_FILE = "/etc/nixos/userdata.json"
|
|
|
|
SECRETS_FILE = "/etc/selfprivacy/secrets.json"
|
2023-12-25 13:49:36 +00:00
|
|
|
DKIM_DIR = "/var/dkim/"
|
2021-11-29 19:16:08 +00:00
|
|
|
|
2024-10-14 11:29:00 +00:00
|
|
|
ACCOUNT_PATH_PATTERN = (
|
|
|
|
"/var/lib/acme/.lego/accounts/*/acme-v02.api.letsencrypt.org/*/account.json"
|
|
|
|
)
|
|
|
|
|
2021-11-30 21:53:39 +00:00
|
|
|
|
2022-01-14 05:38:53 +00:00
|
|
|
class UserDataFiles(Enum):
|
|
|
|
"""Enum for userdata files"""
|
|
|
|
|
|
|
|
USERDATA = 0
|
2024-01-09 18:58:09 +00:00
|
|
|
SECRETS = 3
|
2022-01-14 05:38:53 +00:00
|
|
|
|
|
|
|
|
2021-11-11 18:31:28 +00:00
|
|
|
def get_domain():
|
2024-01-09 18:58:09 +00:00
|
|
|
"""Get domain from userdata.json"""
|
|
|
|
with ReadUserData() as user_data:
|
|
|
|
return user_data["domain"]
|
2021-11-22 16:50:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
class WriteUserData(object):
|
|
|
|
"""Write userdata.json with lock"""
|
|
|
|
|
2022-01-14 05:38:53 +00:00
|
|
|
def __init__(self, file_type=UserDataFiles.USERDATA):
|
|
|
|
if file_type == UserDataFiles.USERDATA:
|
|
|
|
self.userdata_file = open(USERDATA_FILE, "r+", encoding="utf-8")
|
2024-01-09 18:58:09 +00:00
|
|
|
elif file_type == UserDataFiles.SECRETS:
|
2022-08-25 17:03:56 +00:00
|
|
|
# Make sure file exists
|
2024-01-09 18:58:09 +00:00
|
|
|
if not os.path.exists(SECRETS_FILE):
|
|
|
|
with open(SECRETS_FILE, "w", encoding="utf-8") as secrets_file:
|
|
|
|
secrets_file.write("{}")
|
|
|
|
self.userdata_file = open(SECRETS_FILE, "r+", encoding="utf-8")
|
2022-01-14 05:38:53 +00:00
|
|
|
else:
|
|
|
|
raise ValueError("Unknown file type")
|
2021-11-22 16:50:50 +00:00
|
|
|
portalocker.lock(self.userdata_file, portalocker.LOCK_EX)
|
|
|
|
self.data = json.load(self.userdata_file)
|
|
|
|
|
|
|
|
def __enter__(self):
|
|
|
|
return self.data
|
|
|
|
|
|
|
|
def __exit__(self, exc_type, exc_value, traceback):
|
|
|
|
if exc_type is None:
|
|
|
|
self.userdata_file.seek(0)
|
|
|
|
json.dump(self.data, self.userdata_file, indent=4)
|
|
|
|
self.userdata_file.truncate()
|
|
|
|
portalocker.unlock(self.userdata_file)
|
|
|
|
self.userdata_file.close()
|
|
|
|
|
|
|
|
|
|
|
|
class ReadUserData(object):
|
|
|
|
"""Read userdata.json with lock"""
|
|
|
|
|
2022-01-14 05:38:53 +00:00
|
|
|
def __init__(self, file_type=UserDataFiles.USERDATA):
|
|
|
|
if file_type == UserDataFiles.USERDATA:
|
|
|
|
self.userdata_file = open(USERDATA_FILE, "r", encoding="utf-8")
|
2024-01-09 18:58:09 +00:00
|
|
|
elif file_type == UserDataFiles.SECRETS:
|
|
|
|
if not os.path.exists(SECRETS_FILE):
|
|
|
|
with open(SECRETS_FILE, "w", encoding="utf-8") as secrets_file:
|
|
|
|
secrets_file.write("{}")
|
|
|
|
self.userdata_file = open(SECRETS_FILE, "r", encoding="utf-8")
|
2022-01-14 05:38:53 +00:00
|
|
|
else:
|
|
|
|
raise ValueError("Unknown file type")
|
2021-11-22 16:50:50 +00:00
|
|
|
portalocker.lock(self.userdata_file, portalocker.LOCK_SH)
|
|
|
|
self.data = json.load(self.userdata_file)
|
|
|
|
|
2022-07-25 14:08:31 +00:00
|
|
|
def __enter__(self) -> dict:
|
2021-11-22 16:50:50 +00:00
|
|
|
return self.data
|
|
|
|
|
|
|
|
def __exit__(self, *args):
|
|
|
|
portalocker.unlock(self.userdata_file)
|
|
|
|
self.userdata_file.close()
|
2021-11-23 18:32:51 +00:00
|
|
|
|
|
|
|
|
2024-11-02 23:15:51 +00:00
|
|
|
def ensure_ssh_and_users_fields_exist(data):
|
|
|
|
if "ssh" not in data:
|
|
|
|
data["ssh"] = {}
|
|
|
|
data["ssh"]["rootKeys"] = []
|
|
|
|
|
|
|
|
elif data["ssh"].get("rootKeys") is None:
|
|
|
|
data["ssh"]["rootKeys"] = []
|
|
|
|
|
|
|
|
if "sshKeys" not in data:
|
|
|
|
data["sshKeys"] = []
|
|
|
|
|
|
|
|
if "users" not in data:
|
|
|
|
data["users"] = []
|
|
|
|
|
|
|
|
|
2021-11-23 18:32:51 +00:00
|
|
|
def validate_ssh_public_key(key):
|
2023-10-03 13:51:06 +00:00
|
|
|
"""Validate SSH public key.
|
|
|
|
It may be ssh-ed25519, ssh-rsa or ecdsa-sha2-nistp256."""
|
2021-11-23 18:32:51 +00:00
|
|
|
if not key.startswith("ssh-ed25519"):
|
|
|
|
if not key.startswith("ssh-rsa"):
|
2023-10-03 13:51:06 +00:00
|
|
|
if not key.startswith("ecdsa-sha2-nistp256"):
|
|
|
|
return False
|
2021-11-23 18:32:51 +00:00
|
|
|
return True
|
2022-01-10 20:35:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
def is_username_forbidden(username):
|
|
|
|
forbidden_prefixes = ["systemd", "nixbld"]
|
|
|
|
|
|
|
|
forbidden_usernames = [
|
|
|
|
"root",
|
|
|
|
"messagebus",
|
|
|
|
"postfix",
|
|
|
|
"polkituser",
|
|
|
|
"dovecot2",
|
|
|
|
"dovenull",
|
|
|
|
"nginx",
|
|
|
|
"postgres",
|
|
|
|
"prosody",
|
|
|
|
"opendkim",
|
|
|
|
"rspamd",
|
|
|
|
"sshd",
|
|
|
|
"selfprivacy-api",
|
|
|
|
"restic",
|
|
|
|
"redis",
|
|
|
|
"pleroma",
|
|
|
|
"ocserv",
|
|
|
|
"nextcloud",
|
|
|
|
"memcached",
|
|
|
|
"knot-resolver",
|
|
|
|
"gitea",
|
|
|
|
"bitwarden_rs",
|
|
|
|
"vaultwarden",
|
|
|
|
"acme",
|
|
|
|
"virtualMail",
|
|
|
|
"nobody",
|
|
|
|
]
|
|
|
|
|
|
|
|
for prefix in forbidden_prefixes:
|
|
|
|
if username.startswith(prefix):
|
|
|
|
return True
|
|
|
|
|
|
|
|
for forbidden_username in forbidden_usernames:
|
|
|
|
if username == forbidden_username:
|
|
|
|
return True
|
|
|
|
|
|
|
|
return False
|
2022-06-24 17:08:58 +00:00
|
|
|
|
2022-06-24 18:14:20 +00:00
|
|
|
|
2024-07-26 15:33:04 +00:00
|
|
|
def check_if_subdomain_is_taken(subdomain: str) -> bool:
|
|
|
|
"""Check if subdomain is already taken or reserved"""
|
|
|
|
if subdomain in RESERVED_SUBDOMAINS:
|
|
|
|
return True
|
|
|
|
with ReadUserData() as data:
|
|
|
|
for module in data["modules"]:
|
|
|
|
if (
|
2024-07-30 13:55:57 +00:00
|
|
|
data["modules"][module].get(
|
|
|
|
"subdomain", DEFAULT_SUBDOMAINS.get(module, "")
|
|
|
|
)
|
2024-07-26 15:33:04 +00:00
|
|
|
== subdomain
|
|
|
|
):
|
|
|
|
return True
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
2022-06-24 17:08:58 +00:00
|
|
|
def parse_date(date_str: str) -> datetime.datetime:
|
2022-07-08 15:28:08 +00:00
|
|
|
"""Parse date string which can be in one of these formats:
|
|
|
|
- %Y-%m-%dT%H:%M:%S.%fZ
|
|
|
|
- %Y-%m-%dT%H:%M:%S.%f
|
|
|
|
- %Y-%m-%d %H:%M:%S.%fZ
|
|
|
|
- %Y-%m-%d %H:%M:%S.%f
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
return datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%fZ")
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
return datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%f")
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
return datetime.datetime.strptime(date_str, "%Y-%m-%dT%H:%M:%S.%fZ")
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
return datetime.datetime.strptime(date_str, "%Y-%m-%dT%H:%M:%S.%f")
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
raise ValueError("Invalid date string")
|
2022-07-05 05:14:37 +00:00
|
|
|
|
2022-07-07 13:53:19 +00:00
|
|
|
|
2023-12-25 13:49:36 +00:00
|
|
|
def parse_dkim(dkim: str) -> str:
|
|
|
|
# extract key from file
|
|
|
|
dkim = dkim.split("(")[1]
|
|
|
|
dkim = dkim.split(")")[0]
|
|
|
|
# replace all quotes with nothing
|
|
|
|
dkim = dkim.replace('"', "")
|
|
|
|
# trim whitespace, remove newlines and tabs
|
|
|
|
dkim = dkim.strip()
|
|
|
|
dkim = dkim.replace("\n", "")
|
|
|
|
dkim = dkim.replace("\t", "")
|
|
|
|
# remove all redundant spaces
|
|
|
|
dkim = " ".join(dkim.split())
|
|
|
|
return dkim
|
|
|
|
|
|
|
|
|
2024-11-15 00:35:07 +00:00
|
|
|
def get_dkim_key(domain: str, parse: bool = True) -> Optional[str]:
|
2022-07-05 05:14:37 +00:00
|
|
|
"""Get DKIM key from /var/dkim/<domain>.selector.txt"""
|
2023-12-25 13:49:36 +00:00
|
|
|
|
|
|
|
dkim_path = os.path.join(DKIM_DIR, domain + ".selector.txt")
|
|
|
|
if os.path.exists(dkim_path):
|
|
|
|
with open(dkim_path, encoding="utf-8") as dkim_file:
|
|
|
|
dkim = dkim_file.read()
|
|
|
|
if parse:
|
|
|
|
dkim = parse_dkim(dkim)
|
|
|
|
return dkim
|
2022-07-05 05:14:37 +00:00
|
|
|
return None
|
2022-08-01 10:40:40 +00:00
|
|
|
|
|
|
|
|
|
|
|
def hash_password(password):
|
|
|
|
hashing_command = ["mkpasswd", "-m", "sha-512", password]
|
|
|
|
password_hash_process_descriptor = subprocess.Popen(
|
|
|
|
hashing_command,
|
|
|
|
shell=False,
|
|
|
|
stdout=subprocess.PIPE,
|
|
|
|
stderr=subprocess.STDOUT,
|
|
|
|
)
|
|
|
|
hashed_password = password_hash_process_descriptor.communicate()[0]
|
|
|
|
hashed_password = hashed_password.decode("ascii")
|
|
|
|
hashed_password = hashed_password.rstrip()
|
|
|
|
return hashed_password
|
2024-07-26 15:33:04 +00:00
|
|
|
|
|
|
|
|
|
|
|
def write_to_log(message):
|
|
|
|
with open("/etc/selfprivacy/log", "a") as log:
|
|
|
|
log.write(f"{datetime.datetime.now()} {message}\n")
|
|
|
|
log.flush()
|
|
|
|
os.fsync(log.fileno())
|
2024-08-28 15:18:10 +00:00
|
|
|
|
|
|
|
|
|
|
|
def pretty_error(e: Exception) -> str:
|
|
|
|
traceback = "/r".join(format_traceback(e.__traceback__))
|
|
|
|
return type(e).__name__ + ": " + str(e) + ": " + traceback
|
2024-10-14 11:29:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
def read_account_uri() -> str:
|
|
|
|
account_file = glob.glob(ACCOUNT_PATH_PATTERN)
|
|
|
|
|
|
|
|
if not account_file:
|
|
|
|
raise FileNotFoundError(
|
|
|
|
f"No account files found matching: {ACCOUNT_PATH_PATTERN}"
|
|
|
|
)
|
|
|
|
|
|
|
|
with open(account_file[0], "r") as file:
|
|
|
|
account_info = json.load(file)
|
|
|
|
return account_info["registration"]["uri"]
|