????
Current Path : /opt/imunify360/venv/lib64/python3.11/site-packages/defence360agent/subsys/panels/cpanel/ |
Current File : //opt/imunify360/venv/lib64/python3.11/site-packages/defence360agent/subsys/panels/cpanel/panel.py |
import json import logging import os import os.path import glob import pwd import shutil import sys from collections import OrderedDict, defaultdict from contextlib import suppress from pathlib import Path from typing import Dict, List, Set from urllib.parse import urlparse from packaging.version import Version from defence360agent.application.determine_hosting_panel import ( is_cpanel_installed, ) from defence360agent.contracts import config from defence360agent.utils import ( antivirus_mode, async_lru_cache, check_run, CheckRunError, run, get_external_ip, ) from defence360agent.utils.kwconfig import KWConfig from . import packages from .whm import WHMAPILicenseError, whmapi1 from .. import base CPANEL_PACKAGE_EXTENSIONS_PATH = Path("/var/cpanel/packages/extensions") CPANEL_HOOKS_PATH = Path("/usr/local/cpanel") PREINSTALL_PACKAGE_EXTENSIONS_PATH = ( Path(config.Packaging.DATADIR) / "cpanel/packages/extensions" ) CPANEL_USERPLANS_PATH = "/etc/userplans" CPANEL_USERDATADOMAINS_PATH = ( "/etc/userdatadomains;/var/cpanel/userdata/{user}/cache" ) AV_PLUGIN_NAME = "imunify-antivirus" IM360_PLUGIN_NAME = "imunify360" PLUGIN_NAME = AV_PLUGIN_NAME if antivirus_mode.enabled else IM360_PLUGIN_NAME PLUGIN_INSTALL_SCRIPT = "/usr/local/cpanel/scripts/install_plugin" PLUGIN_UNINSTALL_SCRIPT = "/usr/local/cpanel/scripts/uninstall_plugin" CONFIG_PATH = "/etc/sysconfig/imunify360/cpanel/" logger = logging.getLogger(__name__) CONFIG_FILE_TEMPLATE = "/etc/sysconfig/imunify360/cpanel/{name}.conf" TCP_PORTS_CPANEL = base.TCP_PORTS_COMMON + ["2086-2087"] BASE_DIR = "/home" WWWACT_CONF = "/etc/wwwacct.conf" _CACHE = {"userplans": {}, "userdatadomains": {}} class cPanelException(base.PanelException): pass def forbid_dns_only(fn): """Decorator for functions on cPanel instance methods. Calls original function if _is_dns_only() returns False, otherwise throws cPanelException.""" async def wrapper(self, *args, **kwargs): if self._is_dns_only(): raise self.exception("Method is not allowed for dnsonly panel") return await fn(self, *args, **kwargs) return wrapper class AccountConfig(KWConfig): SEARCH_PATTERN = r"^{}\s+(.*)?$" WRITE_PATTERN = "{} {}" DEFAULT_FILENAME = WWWACT_CONF class cPanel(base.AbstractPanel): NAME = "cPanel" OPEN_PORTS = { "tcp": { "in": ["143", "465", "2077-2080", "2082-2083", "2095", "2096"] + TCP_PORTS_CPANEL, "out": [ "37", "43", "113", "873", "2073", "2089", "2195", "2703", "6277", "24441", ] + TCP_PORTS_CPANEL, }, "udp": { "in": ["20", "21", "53", "443"], "out": ["20", "21", "53", "113", "123", "873", "6277", "24441"], }, } exception = cPanelException smtp_allow_users = ["cpanel"] # type: List[str] USER_INFO_DIR = "/var/cpanel/users.cache/" RESELLERS_INFO = "/var/cpanel/resellers" @staticmethod def _is_dns_only(): return os.path.isfile("/var/cpanel/dnsonly") @classmethod def get_server_ip(cls): ip_conf = "/var/cpanel/mainip" # fallback: in case there is not ip file if not os.path.exists(ip_conf): return get_external_ip() with open(ip_conf) as f: return f.read().strip() @classmethod def is_installed(cls): return is_cpanel_installed() @classmethod async def version(cls): _, data, _ = await run(["/usr/local/cpanel/cpanel", "-V"]) version = data.decode().split() return version[0] if version else "unknown" @base.ensure_valid_panel() async def enable_imunify360_plugin(self, name=None): plugin_name = name or PLUGIN_NAME assert plugin_name in [AV_PLUGIN_NAME, IM360_PLUGIN_NAME] config_filename = CONFIG_FILE_TEMPLATE.format(name=plugin_name) new_conf = config_filename + ".rpmnew" if os.path.exists(new_conf): shutil.move(new_conf, config_filename) if Version(await self.version()) > Version("65.0"): os.system( '/bin/sed -i -e "s@^target=.*@target=%s@g" ' % "_self" + config_filename ) # (re-) register plugin sys.stdout.write("cPanel: register_appconfig...\n") os.system( "/usr/local/cpanel/bin/register_appconfig " + config_filename ) @base.ensure_valid_panel() async def disable_imunify360_plugin(self, plugin_name=None): config_filename = CONFIG_FILE_TEMPLATE.format( name=plugin_name or PLUGIN_NAME ) if os.path.exists(config_filename): sys.stderr.write("cPanel: unregister_appconfig...\n") os.system( "/usr/local/cpanel/bin/unregister_appconfig " + config_filename ) @forbid_dns_only async def get_user_domains(self): """ :return: list: domains hosted on server via cpanel """ return [ domain for user in await self.get_users() for domain, user_path in self._userdomains(user) ] @classmethod def get_user_domains_details( cls, username, _path=CPANEL_USERDATADOMAINS_PATH, quiet=True ): domains = [] def parser(path, d, domain_data): user_ = domain_data[0] if user_ != username: return doc_type = domain_data[2] docroot = domain_data[4] domains.append( { "docroot": docroot, "domain": d, "type": doc_type, } ) cls._parse_userdatadomains(_path, parser, quiet=quiet) return domains async def _do_get_users(self, userplans_path: str) -> List[str]: if not os.path.isfile(userplans_path): return [] _cached_mtime = _CACHE["userplans"].get("mtime", 0) if _cached_mtime == os.path.getmtime(userplans_path): return _CACHE["userplans"]["users"] with open( userplans_path, encoding="utf-8", errors="surrogateescape" ) as f: users = [] for line in f: if ( not line.startswith("#") and line.count(":") == 1 and len(line.strip()) > 3 ): users.append(line.split(":")[0].strip()) _CACHE["userplans"]["mtime"] = os.path.getmtime(userplans_path) _CACHE["userplans"]["users"] = users return users async def get_users( self, ) -> List[str]: return await self._do_get_users(CPANEL_USERPLANS_PATH) async def get_domain_to_owner(self) -> Dict[str, List[str]]: """ Returns dict with domain to list of users pairs :return: dict domain to list of users: """ domain_to_users = defaultdict(list) # type: Dict[str, List[str]] for user in await self.get_users(): for domain, _ in self._userdomains(user): domain_to_users[domain].append(user) return domain_to_users async def get_domains_per_user(self): """ Returns dict with users to list of domains pairs :return: dict user to list of domains """ user_to_domains = defaultdict(list) for user in await self.get_users(): for domain, _ in self._userdomains(user): user_to_domains[user].append(domain) return user_to_domains @async_lru_cache(maxsize=128) async def panel_user_link(self, username) -> str: """ Returns panel url :return: str """ link = ( await whmapi1( "create_user_session", user=username, service="cpaneld" ) )["url"] if len(link) == 0: return "" parsed = urlparse(link) return f"{parsed.scheme}://{parsed.netloc}/cpsess0000000000/frontend/jupiter/imunify/imunify.live.pl" async def switch_ui_config(self, myimunify_enabled: bool) -> None: """ Switch UI panel configuration between Im360 and MyImunify """ if antivirus_mode.enabled: return None if not Path("/var/imunify360/av-userside-plugin.installed").exists(): return None config_to_enable = "myimunify_conf" if myimunify_enabled else "conf" config_to_disable = "conf" if myimunify_enabled else "myimunify_conf" for theme_path in glob.glob("/usr/local/cpanel/base/frontend/*"): if Path(theme_path).is_dir(): theme_name = os.path.basename(theme_path) await self.disable_config(config_to_disable, theme_name) await self.enable_config(config_to_enable, theme_name) async def enable_config(self, config: str, theme: str) -> None: try: await check_run( [ PLUGIN_INSTALL_SCRIPT, f"{CONFIG_PATH}{config}", "--theme", theme, ] ) except CheckRunError as e: logger.warning("Error in enabling config '%s': %s", config, e) async def disable_config(self, config: str, theme: str) -> None: try: await check_run( [ PLUGIN_UNINSTALL_SCRIPT, f"{CONFIG_PATH}{config}", "--theme", theme, ] ) except CheckRunError as e: logger.warning("Error in disabling config '%s': %s", config, e) async def get_user_details(self) -> Dict[str, Dict[str, str]]: """ Returns dict with user to email and locale pairs """ user_details = {} # noinspection PyBroadException try: resellers = { line.split(":", 1)[0] for line in Path(self.RESELLERS_INFO).read_text().splitlines() } except Exception: resellers = None for user in await self.get_users(): level = base.UserLevel.REGULAR_USER if user == "root": try: with open("/etc/wwwacct.conf.cache") as f: user_info = json.load(f) email = user_info.get("CONTACTEMAIL", "") except (FileNotFoundError, json.JSONDecodeError): email = "" locale = "en" parent = "root" suspended = False level = base.UserLevel.ADMIN else: try: with open(os.path.join(self.USER_INFO_DIR, user)) as f: user_info = json.load(f) email = user_info.get("CONTACTEMAIL", "") locale = user_info.get("LOCALE", "") parent = user_info.get("OWNER", "") suspended = user_info.get("SUSPENDED", "") == "1" except (FileNotFoundError, json.JSONDecodeError): email = "" locale = "" parent = "" suspended = False if resellers and user in resellers: # 1 for the root (see above) # 2 for a reseller # 3 for a regular customer level = base.UserLevel.RESSELER user_details[user] = { "email": email, "locale": locale, "parent": parent, "suspended": suspended, "level": int(level), } return user_details @classmethod def _get_max_mtime(cls, _path): """checks mtime of userdatadomains files (including cache) returns max mtime of all files""" _mtimes = [] if "{user}" in _path: call_as_user = pwd.getpwuid(os.getuid()).pw_name _path = _path.replace("{user}", call_as_user) path_list = _path.split(";") for path_ in path_list: if os.path.exists(path_): _mtimes.append(os.path.getmtime(path_)) return max(_mtimes) if _mtimes else 0 @classmethod def _get_from_cache(cls, cpuser, _path): """check and invalidate cache if needed""" _cached_mtime = ( _CACHE["userdatadomains"].get(cpuser, {}).get("mtime", 0) ) if _cached_mtime < cls._get_max_mtime(_path): _CACHE["userdatadomains"][cpuser] = {} return None return _CACHE["userdatadomains"].get(cpuser, {}).get("domains", []) @classmethod def _userdomains( cls, cpuser, _path=CPANEL_USERDATADOMAINS_PATH, quiet=True ): cached_data = cls._get_from_cache(cpuser, _path) if cached_data is not None: return cached_data # use dict to avoid duplicates domains_tmp = OrderedDict() domains = OrderedDict() def parser(path, d, domain_data): user_ = domain_data[0] if user_ == cpuser: document_root = domain_data[4] if "main" == domain_data[2]: # main domain must be first in list domains.update({d: document_root}) else: domains_tmp.update({d: document_root}) cls._parse_userdatadomains(_path, parser, quiet=quiet) domains.update(domains_tmp) _CACHE["userdatadomains"][cpuser] = { "mtime": cls._get_max_mtime(_path), "domains": domains.items(), } return domains.items() @staticmethod def _parse_userdatadomains(_path, parser, quiet=True): if "{user}" in _path: call_as_user = pwd.getpwuid(os.getuid()).pw_name _path = _path.replace("{user}", call_as_user) path_list = _path.split(";") for path_ in path_list: try: file_ = open(path_, "rb") except Exception as e: if not quiet: logger.warning("Can't open file %s [%s]", path_, e) continue try: # example line: # test.russianguns.ru: russianguns==root==sub==russianguns.ru== # /home/russianguns/fla==192.168.122.40:80======0 for i, line in enumerate(file_): try: line = line.decode() except UnicodeDecodeError as e: logger.warning( 'Broken %s line in file "%s"; line was ignored', i, path_, ) continue if not line.strip(): # ignore the empty string continue if line.count(": ") != 1: if not quiet: logger.warning( "Can't parse %s line in file '%s'; " "line was ignored", i, path_, ) continue domain, domain_raw_data = line.split(": ") domain_data = domain_raw_data.strip().split("==") parser(path_, domain, domain_data) finally: file_.close() @classmethod def is_extension_installed(cls, pkgs): return all( CPANEL_PACKAGE_EXTENSIONS_PATH.joinpath(file).is_file() for file in pkgs ) @classmethod async def is_hook_installed(cls): try: hooks = await whmapi1("list_hooks") category = next( cat for cat in hooks["categories"] if cat["category"] == "Whostmgr" ) for event_name in ( "Accounts::change_package", "Accounts::Create", "Accounts::Modify", ): event = next( ev for ev in category["events"] if ev["event"] == event_name ) stage = next( st for st in event["stages"] if st["stage"] == "post" ) if not any( action["hook"] == "ImunifyHook::hook_processing" for action in stage["actions"] ): return False except (StopIteration, WHMAPILicenseError): return False return True @classmethod async def install_extension( cls, extention_name: str, extention_files, **kwargs, ) -> None: # copy cpanel's package extension files CPANEL_PACKAGE_EXTENSIONS_PATH.mkdir( mode=0o700, parents=True, exist_ok=True ) for filename in extention_files: shutil.copy2( PREINSTALL_PACKAGE_EXTENSIONS_PATH / filename, CPANEL_PACKAGE_EXTENSIONS_PATH, ) # enable extension for all packages await packages.add_extension_for_all(extention_name, **kwargs) # add hooks for native feature management os.makedirs(config.Core.INBOX_HOOKS_DIR, mode=0o700, exist_ok=True) shutil.copy2( PREINSTALL_PACKAGE_EXTENSIONS_PATH / "ImunifyHook.pm", CPANEL_HOOKS_PATH, ) await check_run( [ "/usr/local/cpanel/bin/manage_hooks", "add", "module", "ImunifyHook", ] ) @classmethod async def uninstall_extension(cls, extension_name: str, extention_files): # remove the hook await check_run( [ "/usr/local/cpanel/bin/manage_hooks", "del", "module", "ImunifyHook", ] ) with suppress(FileNotFoundError): (CPANEL_HOOKS_PATH / "ImunifyHook.pm").unlink() # remove the package extension from all packages await packages.remove_extension_from_all(extension_name) # remove cpanel's package extension files for filename in extention_files: with suppress(FileNotFoundError): (CPANEL_PACKAGE_EXTENSIONS_PATH / filename).unlink() @staticmethod def mounts(): mounts = [] with open("/proc/mounts", "r") as f: for line in f: values = line.strip().split() if len(values) > 1: mounts.append(values[1]) return mounts def basedirs(self) -> Set[str]: """Fetch list of basedirs. On cPanel, basedir is configured as HOMEDIR variable in /etc/wwwacct.conf. Also, there is a way to specify additional mount points as containing user folders, through HOMEMATCH variable. If value from HOMEMATCH variable is contained within a mount point path, cPanel uses this directory too.""" homedir = AccountConfig("HOMEDIR").get() homematch = AccountConfig("HOMEMATCH").get() homedir = BASE_DIR if homedir is None else homedir basedirs = {BASE_DIR, homedir} if homematch is None: return basedirs for mount in self.mounts(): # exclude virtfs from basedirs (DEF-14266) if homematch in mount and not mount.startswith("/home/virtfs/"): basedirs.add(mount) return basedirs @classmethod async def notify(cls, *, message_type, params, user=None): """ Notify a customer using cPanel iContact Notifications """ if not config.AdminContacts.ENABLE_ICONTACT_NOTIFICATIONS: return False if not config.should_send_user_notifications(username=user): return False data = {"message_type": message_type, "params": params, "user": user} logger.info(f"{cls.__name__}.notify(%s)", data) cmd = ( "/usr/local/cpanel/whostmgr/docroot/cgi" "/imunify/handlers/notify.cgi" ) stdin = json.dumps(data) out = await check_run([cmd], input=stdin.encode()) return json.loads(out.decode(errors="surrogateescape")) async def list_docroots(self) -> Dict[str, str]: result = dict() def parser(path, d, domain_data): result[domain_data[4]] = domain_data[3] self._parse_userdatadomains( CPANEL_USERDATADOMAINS_PATH, parser, quiet=True ) return result async def get_domain_paths(self) -> Dict[str, List[str]]: result = {} def parser(_, d, domain_data): result[d] = [domain_data[4]] self._parse_userdatadomains( CPANEL_USERDATADOMAINS_PATH, parser, quiet=True ) return result