X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=FS%2FFS%2Fpart_export%2Fshellcommands.pm;h=faf06559314df8c5862b7de9f62ae24cfa9f7a3a;hb=01b857aa5fb209905d569844bc44710999df84e6;hp=cee54b48880a7b57f64cb5bf476c2c74c97aa9cf;hpb=dabdf357484badff95afcae50b08ec1c3bb58343;p=freeside.git diff --git a/FS/FS/part_export/shellcommands.pm b/FS/FS/part_export/shellcommands.pm index cee54b488..faf065593 100644 --- a/FS/FS/part_export/shellcommands.pm +++ b/FS/FS/part_export/shellcommands.pm @@ -1,9 +1,10 @@ package FS::part_export::shellcommands; -use vars qw(@ISA %info @saltset); +use vars qw(@ISA %info); use Tie::IxHash; use String::ShellQuote; use FS::part_export; +use FS::Record qw( qsearch qsearchs ); @ISA = qw(FS::part_export); @@ -26,7 +27,7 @@ tie my %options, 'Tie::IxHash', default=>'', }, 'usermod' => { label=>'Modify command', - default=>'usermod -c $new_finger -d $new_dir -m -l $new_username -s $new_shell -u $new_uid -p $new_crypt_password $old_username', + default=>'usermod -c $new_finger -d $new_dir -m -l $new_username -s $new_shell -u $new_uid -g $new_gid -p $new_crypt_password $old_username', #default=>'[ -d $old_dir ] && mv $old_dir $new_dir || ( '. # 'chmod u+t $old_dir; mkdir $new_dir; cd $old_dir; '. # 'find . -depth -print | cpio -pdm $new_dir; '. @@ -38,9 +39,12 @@ tie my %options, 'Tie::IxHash', type =>'textarea', default=>'', }, - 'usermod_pwonly' => { label=>'Disallow username changes', + 'usermod_pwonly' => { label=>'Disallow username, domain, uid, gid, and dir changes', #and RADIUS group changes', type =>'checkbox', }, + 'usermod_nousername' => { label=>'Disallow just username changes', + type =>'checkbox', + }, 'suspend' => { label=>'Suspension command', default=>'usermod -L $username', }, @@ -53,6 +57,17 @@ tie my %options, 'Tie::IxHash', 'unsuspend_stdin' => { label=>'Unsuspension command STDIN', default=>'', }, + 'crypt' => { label => 'Default password encryption', + type=>'select', options=>[qw(crypt md5)], + default => 'crypt', + }, + 'groups_susp_reason' => { label => + 'Radius group mapping to reason (via template user)', + type => 'textarea', + }, + 'no_queue' => { label => 'Run command immediately', + type => 'checkbox', + }, ; %info = ( @@ -75,7 +90,7 @@ running will not accept a domain as a parameter. You will need to this.form.useradd_stdin.value = ""; this.form.userdel.value = "userdel -r $username"; this.form.userdel_stdin.value=""; - this.form.usermod.value = "usermod -c $new_finger -d $new_dir -m -l $new_username -s $new_shell -u $new_uid -p $new_crypt_password $old_username"; + this.form.usermod.value = "usermod -c $new_finger -d $new_dir -m -l $new_username -s $new_shell -u $new_uid -g $new_gid -p $new_crypt_password $old_username"; this.form.usermod_stdin.value = ""; this.form.suspend.value = "usermod -L $username"; this.form.suspend_stdin.value=""; @@ -83,28 +98,29 @@ running will not accept a domain as a parameter. You will need to this.form.unsuspend_stdin.value=""; '>
  • - - Note: On FreeBSD versions before 5.2.1, due to deficient locking in pw(1), - you must disable the chpass(1), chsh(1), chfn(1), passwd(1), and vipw(1) - commands, or replace them with wrappers that prepend - "lockf /etc/passwd.lock". Alternatively, apply the patch in + Note: On FreeBSD versions before 5.3 and 4.10 (4.10 is after 4.9, not + 4.1!), due to deficient locking in pw(1), you must disable the chpass(1), + chsh(1), chfn(1), passwd(1), and vipw(1) commands, or replace them with + wrappers that prepend "lockf /etc/passwd.lock". Alternatively, apply the + patch in FreeBSD PR#23501 - and use the "FreeBSD 5.2.1 or later" button below. + and use the "FreeBSD 4.10 / 5.3 or later" button below.
  • -
  • $username
  • $_password -
  • $quoted_password - unencrypted password quoted for the shell -
  • $crypt_password - encrypted password +
  • $quoted_password - unencrypted password, already quoted for the shell (do not add additional quotes). +
  • $crypt_password - encrypted password. When used on the command line (rather than STDIN), it will be quoted for the shell already (do not add additional quotes). +
  • $ldap_password - Password in LDAP/RFC2307 format (for example, "{PLAIN}himom", "{CRYPT}94pAVyK/4oIBk" or "{MD5}5426824942db4253f87a1009fd5d2d4"). When used on the command line (rather than STDIN), it will be quoted for the shell already (do not add additional quotes).
  • $uid
  • $gid -
  • $finger - GECOS, already quoted for the shell (do not add additional quotes) +
  • $finger - GECOS. When used on the command line (rather than STDIN), it will be quoted for the shell already (do not add additional quotes). +
  • $first - First name of GECOS. When used on the command line (rather than STDIN), it will be quoted for the shell already (do not add additional quotes). +
  • $last - Last name of GECOS. When used on the command line (rather than STDIN), it will be quoted for the shell already (do not add additional quotes).
  • $dir - home directory
  • $shell
  • $quota +
  • @radius_groups +
  • $reasonnum (when suspending) +
  • $reasontext (when suspending) +
  • $reasontypenum (when suspending) +
  • $reasontypetext (when suspending)
  • All other fields in svc_acct are also available. END ); -@saltset = ( 'a'..'z' , 'A'..'Z' , '0'..'9' , '.' , '/' ); +sub _groups_susp_reason_map { shift->_map('groups_susp_reason'); } + +sub _map { + my $self = shift; + map { reverse(/^\s*(\S+)\s*(.*)\s*$/) } split("\n", $self->option(shift) ); +} sub rebless { shift; } @@ -172,14 +201,24 @@ sub _export_delete { sub _export_suspend { my($self) = shift; - $self->_export_command('suspend', @_); + $self->_export_command_or_super('suspend', @_); } sub _export_unsuspend { my($self) = shift; - $self->_export_command('unsuspend', @_); + $self->_export_command_or_super('unsuspend', @_); } +sub _export_command_or_super { + my($self, $action) = (shift, shift); + if ( $self->option($action) =~ /^\s*$/ ) { + my $method = "SUPER::_export_$action"; + $self->$method(@_); + } else { + $self->_export_command($action, @_); + } +}; + sub _export_command { my ( $self, $action, $svc_acct) = (shift, shift, shift); my $command = $self->option($action); @@ -191,6 +230,7 @@ sub _export_command { no strict 'refs'; ${$_} = $svc_acct->getfield($_) foreach $svc_acct->fields; + # snarfs are unused at this point? my $count = 1; foreach my $acct_snarf ( $svc_acct->acct_snarf ) { ${"snarf_$_$count"} = shell_quote( $acct_snarf->get($_) ) @@ -201,32 +241,83 @@ sub _export_command { my $cust_pkg = $svc_acct->cust_svc->cust_pkg; if ( $cust_pkg ) { - $email = ( grep { $_ ne 'POST' } $cust_pkg->cust_main->invoicing_list )[0]; + $email = ( grep { $_ !~ /^(POST|FAX)$/ } $cust_pkg->cust_main->invoicing_list )[0]; } else { $email = ''; } - $finger = shell_quote $finger; - $quoted_password = shell_quote $_password; + $finger =~ /^(.*)\s+(\S+)$/ or $finger =~ /^((.*))$/; + ($first, $last ) = ( $1, $2 ); $domain = $svc_acct->domain; - #eventually should check a "password-encoding" field - if ( length($svc_acct->_password) == 13 - || $svc_acct->_password =~ /^\$(1|2a?)\$/ ) { - $crypt_password = shell_quote $svc_acct->_password; + $quoted_password = shell_quote $_password; + + $crypt_password = $svc_acct->crypt_password( $self->option('crypt') ); + $ldap_password = $svc_acct->ldap_password( $self->option('crypt') ); + + @radius_groups = $svc_acct->radius_groups; + + my ($reasonnum, $reasontext, $reasontypenum, $reasontypetext); + if ( $cust_pkg && $action eq 'suspend' && + (my $r = $cust_pkg->last_reason('susp')) ) + { + $reasonnum = $r->reasonnum; + $reasontext = $r->reason; + $reasontypenum = $r->reason_type; + $reasontypetext = $r->reasontype->type; + + my %reasonmap = $self->_groups_susp_reason_map; + my $userspec = ''; + $userspec = $reasonmap{$reasonnum} + if exists($reasonmap{$reasonnum}); + $userspec = $reasonmap{$reasontext} + if (!$userspec && exists($reasonmap{$reasontext})); + + my $suspend_user; + if ( $userspec =~ /^\d+$/ ) { + $suspend_user = qsearchs( 'svc_acct', { 'svcnum' => $userspec } ); + } elsif ( $userspec =~ /^\S+\@\S+$/ ) { + my ($username,$domain) = split(/\@/, $userspec); + for my $user (qsearch( 'svc_acct', { 'username' => $username } )){ + $suspend_user = $user if $userspec eq $user->email; + } + } elsif ($userspec) { + $suspend_user = qsearchs( 'svc_acct', { 'username' => $userspec } ); + } + + @radius_groups = $suspend_user->radius_groups + if $suspend_user; + } else { - $crypt_password = crypt( - $svc_acct->_password, - $saltset[int(rand(64))].$saltset[int(rand(64))] - ); + $reasonnum = $reasontext = $reasontypenum = $reasontypetext = ''; } - $self->shellcommands_queue( $svc_acct->svcnum, - user => $self->option('user')||'root', - host => $self->machine, - command => eval(qq("$command")), - stdin_string => eval(qq("$stdin")), + my $stdin_string = eval(qq("$stdin")); + + $first = shell_quote $first; + $last = shell_quote $last; + $finger = shell_quote $finger; + $crypt_password = shell_quote $crypt_password; + $ldap_password = shell_quote $ldap_password; + + my $command_string = eval(qq("$command")); + my @ssh_cmd_args = ( + user => $self->option('user') || 'root', + host => $self->machine, + command => $command_string, + stdin_string => $stdin_string, ); + + if($self->option('no_queue')) { + # discard return value just like freeside-queued. + eval { ssh_cmd(@ssh_cmd_args) }; + $error = $@; + return $error. ' ('. $self->exporttype. ' to '. $self->machine. ')' + if $error; + } + else { + $self->shellcommands_queue( $new->svcnum, @ssh_cmd_args ); + } } sub _export_replace { @@ -239,45 +330,73 @@ sub _export_replace { ${"old_$_"} = $old->getfield($_) foreach $old->fields; ${"new_$_"} = $new->getfield($_) foreach $new->fields; } - $new_finger = shell_quote $new_finger; + $new_finger =~ /^(.*)\s+(\S+)$/ or $new_finger =~ /^((.*))$/; + ($new_first, $new_last ) = ( $1, $2 ); $quoted_new__password = shell_quote $new__password; #old, wrong? $new_quoted_password = shell_quote $new__password; #new, better? $old_domain = $old->domain; $new_domain = $new->domain; - #eventuall should check a "password-encoding" field - if ( length($new->_password) == 13 - || $new->_password =~ /^\$(1|2a?)\$/ ) { - $new_crypt_password = shell_quote $new->_password; - } else { - $new_crypt_password = - crypt( $new->_password, $saltset[int(rand(64))].$saltset[int(rand(64))] - ); - } + $new_crypt_password = $new->crypt_password( $self->option('crypt') ); + $new_ldap_password = $new->ldap_password( $self->option('crypt') ); - if ( $self->option('usermod_pwonly') ) { - my $error = ''; + @old_radius_groups = $old->radius_groups; + @new_radius_groups = $new->radius_groups; + + my $error = ''; + if ( $self->option('usermod_pwonly') || $self->option('usermod_nousername') ){ if ( $old_username ne $new_username ) { $error ||= "can't change username"; } + } + if ( $self->option('usermod_pwonly') ) { if ( $old_domain ne $new_domain ) { $error ||= "can't change domain"; } if ( $old_uid != $new_uid ) { $error ||= "can't change uid"; } + if ( $old_gid != $new_gid ) { + $error ||= "can't change gid"; + } if ( $old_dir ne $new_dir ) { $error ||= "can't change dir"; } + #if ( join("\n", sort @old_radius_groups) ne + # join("\n", sort @new_radius_groups) ) { + # $error ||= "can't change RADIUS groups"; + #} + } + return $error. ' ('. $self->exporttype. ' to '. $self->machine. ')' + if $error; + + my $stdin_string = eval(qq("$stdin")); + + $new_first = shell_quote $new_first; + $new_last = shell_quote $new_last; + $new_finger = shell_quote $new_finger; + $new_crypt_password = shell_quote $new_crypt_password; + $new_ldap_password = shell_quote $new_ldap_password; + + my $command_string = eval(qq("$command")); + + my @ssh_cmd_args = ( + user => $self->option('user') || 'root', + host => $self->machine, + command => $command_string, + stdin_string => $stdin_string, + ); + + if($self->option('no_queue')) { + # discard return value just like freeside-queued. + eval { ssh_cmd(@ssh_cmd_args) }; + $error = $@; return $error. ' ('. $self->exporttype. ' to '. $self->machine. ')' if $error; } - $self->shellcommands_queue( $new->svcnum, - user => $self->option('user')||'root', - host => $self->machine, - command => eval(qq("$command")), - stdin_string => eval(qq("$stdin")), - ); + else { + $self->shellcommands_queue( $new->svcnum, @ssh_cmd_args ); + } } #a good idea to queue anything that could fail or take any time