mkproj.in 14 KB
Newer Older
1
#!/usr/bin/perl -wT
Leigh B. Stoller's avatar
Leigh B. Stoller committed
2 3
#
# EMULAB-COPYRIGHT
4
# Copyright (c) 2000-2010 University of Utah and the Flux Group.
Leigh B. Stoller's avatar
Leigh B. Stoller committed
5 6
# All rights reserved.
#
7
use English;
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
use Getopt::Std;

#
# Perform project approval. Does a lot of stuff, see below!
#
sub usage()
{
    print(STDERR
	  "Usage: mkproj [-s] [-h leader_uid] [-m <message> | -f <file>] ".
	  "<pid>\n".
	  "switches and arguments:\n".
	  "-s         - silent; do not send approval email to leader\n".
	  "-h <uid>   - switch project leader to specified uid\n".
	  "-m <text>  - Include text in approval email message\n".
	  "-f <file>  - Include text from file in approval email message\n".
	  "<pid>      - project to approve.\n");
    exit(-1);
}
my $optlist    = "qsh:m:f:";
my $quiet      = 0;
my $silent     = 0;
29
my $newleader_uid;
30 31 32 33 34
my $message;
my $mfilename;
my $pid;

# Protos
35 36
sub fatal($);

37 38 39
#
# Configure variables
#
40 41
my $TB            = "@prefix@";
my $TBOPS         = "@TBOPSEMAIL@";
42
my $TBAPPROVAL    = "@TBAPPROVALEMAIL@";
43
my $TBAUDIT	  = "@TBAUDITEMAIL@";
44
my $TBBASE        = "@TBBASE@";
45
my $TBWWW         = "@TBWWW@";
46 47 48 49 50 51
my $MKGROUP       = "$TB/sbin/mkgroup";
my $MODGROUPS     = "$TB/sbin/modgroups";
my $MKACCT        = "$TB/sbin/tbacct add";
my $CVSBIN        = "/usr/bin/cvs";
my $CHOWN         = "/usr/sbin/chown";
my $GRANTTYPE     = "$TB/sbin/grantnodetype -d";
52
my $UPDATEPERMS   = "$TB/sbin/update_permissions";
53
my $ELABINELAB    = @ELABINELAB@;
54 55
my $WIKISUPPORT   = @WIKISUPPORT@;
my $BUGDBSUPPORT  = @BUGDBSUPPORT@;
56
my $OPSDBSUPPORT  = @OPSDBSUPPORT@;
57 58
my $CVSSUPPORT    = @CVSSUPPORT@;
my $MAILMANSUPPORT= @MAILMANSUPPORT@;
59 60 61 62
my $ADDWIKIPROJ   = "$TB/sbin/addwikiproj";
my $ADDBUGDBPROJ  = "$TB/sbin/addbugdbproj";
my $ADDMMLIST     = "$TB/sbin/addmmlist";
my $OPSDBCONTROL  = "$TB/sbin/opsdb_control";
63
my $CLOSEPROJADMINLIST = "$TB/sbin/closeprojadminlist";
64
	  
65
my @DIRLIST  = ("exp", "images", "logs", "deltas", "tarfiles", "rpms",
66
		"groups", "tiplogs", "images/sigs", "templates");
67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82

#
# Untaint the path
# 
$ENV{'PATH'} = "/bin:/usr/bin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

#
# Turn off line buffering on output
#
$| = 1;

#
# Load the Testbed support stuff. 
#
use lib "@prefix@/lib";
83
use libaudit;
84 85
use libdb;
use libtestbed;
86 87
use User;
use Project;
88

89 90 91 92 93 94 95 96 97 98
my $PROJROOT     = PROJROOT();
my $GRPROOT      = GROUPROOT();
my $SCRATCHROOT  = SCRATCHROOT();

#
# XXX semi-hardwired, oddball paths
#
my $TFTPDIR  = "/tftpboot/$PROJROOT";
my $CVSREPOS = "$PROJROOT/cvsrepos";

99 100
# Locals
my $leader;
101
my $oldleader;
102

103
#
104
# We do not want to run this script unless its the real version.
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122
#
if ($EUID != 0) {
    die("*** $0:\n".
	"    Must be setuid! Maybe its a development version?\n");
}

#
# This script is setuid, so please do not run it as root. Hard to track
# what has happened.
# 
if ($UID == 0) {
    die("*** $0:\n".
	"    Please do not run this as root! Its already setuid!\n");
}

#
# Check args.
#
123 124 125 126 127 128
my %options = ();
if (! getopts($optlist, \%options)) {
    usage();
}
if (defined($options{"q"})) {
    $quiet = 1;
129
}
130 131 132 133 134 135 136 137 138 139 140 141
if (defined($options{"s"})) {
    $silent = 1;
}
if (defined($options{"m"})) {
    $message = $options{"m"};
}
if (defined($options{"f"})) {
    $mfilename = $options{"f"};
    fatal("$mfilename does not exist!")
	if (! -e $mfilename);
}
if (defined($options{"h"})) {
142
    $newleader_uid = $options{"h"};
143 144 145 146 147
}
usage()
    if (! @ARGV);

$pid = $ARGV[0];
148 149 150 151

#
# Untaint the argument.
#
152
if ($pid =~ /^([-\w]+)$/) {
153 154 155 156 157 158
    $pid = $1;
}
else {
    die("Invalid pid '$pid' contains illegal characters.\n");
}

159 160 161 162
# Map invoking user to object.
my $this_user = User->ThisUser();
if (! defined($this_user)) {
    fatal("You ($UID) do not exist!");
163 164 165
}

#
166
# Figure out who called us. Must have admin status to do this.
167
#
168 169
if (!TBAdmin()) {
    fatal("You must be a TB administrator to run this script!");
170 171
}

172 173 174 175 176 177 178 179 180 181
#
# This script is always audited. Mail is sent automatically upon exit.
#
if (AuditStart(0)) {
    #
    # Parent exits normally
    #
    exit(0);
}

182 183 184 185 186 187 188
#
# Map project name to object.
#
my $target_project = Project->Lookup($pid);
if (! defined($target_project)) {
    fatal("Could not map project $pid to its object!");
}
189 190
my $pid_idx = $target_project->pid_idx();
my $gid_idx = $target_project->gid_idx();
191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210

#
# The welcome message ...
#
if (defined($mfilename)) {
    open(MFILE, $mfilename) or
	fatal("Could not open $mfilename");

    $message = "";
    while (<MFILE>) {
	$message .= $_;
    }
    close(MFILE);
}

#
# If a leader uid was provided on the command line, we are changing the
# leader. Note that this is allowed *only* for projects that have not
# been approved yet. 
#
211 212
if (defined($newleader_uid)) {
    $leader = User->Lookup($newleader_uid);
213
    if (!defined($leader)) {
214
	fatal("Could not map user $newleader_uid to its object!");
215 216 217 218 219 220 221 222 223 224
    }
    # See if already did this; is so skip the following checks.
    my $curleader = $target_project->GetLeader();
    if (!defined($curleader)) {
	fatal("Could not map current leader of project $pid to its object!");
    }
    if (! $curleader->SameUser($leader)) {
	fatal("Not allowed to change the leader of an approved project!")
	    if ($target_project->approved());

225 226 227
	# Save for email below.
	$oldleader = $curleader;

228 229 230 231
	# Update the project structure with the new leader. We are going
	# to set the approved bit below, so this is the last chance to do
	# this until we have code in place to change it later.
	$target_project->ChangeLeader($leader) == 0 or
232
	    fatal("Could not change leader for $pid to $newleader_uid!");
233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254
    }
}
else {
    $leader = $target_project->GetLeader();
    if (!defined($leader)) {
	fatal("Could not map current leader of project $pid to its object!");
    }
}
# Avoid taint check problem.
$leader_uid = $leader->uid();

# Approve the project; we are committed to the leader.
$target_project->SetApproved(1) == 0 or
    fatal("Could not set the approval bit on project $target_project!");

#
# Leader needs to have his approved bit set. Eventually this should be done
# in mkaccount when that code moves from the web interface.
#
$leader->SetStatus(USERSTATUS_ACTIVE()) == 0 or
    fatal("Could not change $leader to active!");

255 256 257 258
#
# Before we can proceed, we need to create the project (unix) group
# and then create an account for the project leader. We pass this off
# to sub scripts, but because they are also setuid, we need to flip
259
# our UID (perl sillyness).
260
#
261
$EUID = $UID;
262

263
system("$MKGROUP $gid_idx") == 0 or
264
    fatal("$MKGROUP $pid failed!");
265

266 267 268 269
if ($WIKISUPPORT) {
    system("$ADDWIKIPROJ $pid") == 0 or
	fatal("$ADDWIKIPROJ $pid failed!");
}
270 271 272 273
if ($BUGDBSUPPORT) {
    system("$ADDBUGDBPROJ $pid") == 0 or
	fatal("$ADDBUGDBPROJ $pid failed!");
}
274 275 276 277
if ($OPSDBSUPPORT) {
    system("$OPSDBCONTROL addproj $pid") == 0 or
	fatal("$OPSDBCONTROL addproj $pid failed!");
}
278 279 280 281
if ($MAILMANSUPPORT) {
    system("$ADDMMLIST -a ${pid}-users") == 0 or
	fatal("$ADDMMLIST -a ${pid}-users failed!");
}
282

283 284
system("$MKACCT $leader_uid") == 0 or
    fatal("$MKACCT $leader_uid failed!");
285

286 287
system("$MODGROUPS -a $pid:$pid:project_root $leader_uid") == 0 or
    fatal("$MODGROUPS -a $pid:$pid:project_root $leader_uid failed!");
288

289
$EUID = 0;
290 291 292 293

#
# This acts as check (and we need the numeric uid) in case mkacct failed!
# 
294 295
my (undef,undef,$uid) = getpwnam($leader_uid)
    or fatal("$leader_uid not in passwd file");
296 297 298 299 300 301 302

my (undef,undef,$gid) = getgrnam($pid)
    or fatal("$pid not in group file");

#
# Okay, do it.
#
303 304 305 306
if (! -e "$PROJROOT/$pid") {
    if (! mkdir("$PROJROOT/$pid", 0770)) {
	fatal("Could not make directory $PROJROOT/$pid: $!");
    }
307

308 309 310
    if (! chmod(0770, "$PROJROOT/$pid")) {
	fatal("Could not chmod directory $PROJROOT/$pid: $!");
    }
311

312 313 314
    if (! chown($uid, $gid, "$PROJROOT/$pid")) {
	fatal("Could not chown $PROJROOT/$pid to $uid/$gid: $!");
    }
315
}
316
if ($SCRATCHROOT && ! -e "$SCRATCHROOT/$pid") {
317 318 319 320 321 322
    if (! -e "$SCRATCHROOT") {
        if (! mkdir("$SCRATCHROOT", 0770)) {
            fatal("Could not make a directory $SCRATCHROOT: $!");
        }
    }

323 324 325 326 327 328 329 330 331 332 333 334
    if (! mkdir("$SCRATCHROOT/$pid", 0770)) {
	fatal("Could not make directory $SCRATCHROOT/$pid: $!");
    }

    if (! chmod(0770, "$SCRATCHROOT/$pid")) {
	fatal("Could not chmod directory $SCRATCHROOT/$pid: $!");
    }

    if (! chown($uid, $gid, "$SCRATCHROOT/$pid")) {
	fatal("Could not chown $SCRATCHROOT/$pid to $uid/$gid: $!");
    }
}
335 336 337 338 339

#
# Make project subdirs.
#
foreach my $dir (@DIRLIST) {
340 341 342 343 344 345 346 347 348 349
    if (! -e "$PROJROOT/$pid/$dir") {
	if (! mkdir("$PROJROOT/$pid/$dir", 0770)) {
	    fatal("Could not make directory $PROJROOT/$pid/$dir: $!");
	}
	if (! chmod(0770, "$PROJROOT/$pid/$dir")) {
	    fatal("Could not chmod directory $PROJROOT/$pid/$dir: $!");
	}
	if (! chown($uid, $gid, "$PROJROOT/$pid/$dir")) {
	    fatal("Could not chown $PROJROOT/$pid/$dir to $uid/$gid: $!");
	}
350 351 352 353 354
    }
}

#
# Create a tftp directory for oskit kernels.
355
#
356 357 358
if (! -e "$TFTPDIR/$pid") {
    if (! mkdir("$TFTPDIR/$pid", 0770)) {
	fatal("Could not make directory $TFTPDIR/$pid: $!");
359
    }
360 361
    if (! chmod(0777, "$TFTPDIR/$pid")) {
	fatal("Could not chmod directory $TFTPDIR/$pid: $!");
362
    }
363 364
    if (! chown($uid, $gid, "$TFTPDIR/$pid")) {
	fatal("Could not chown $TFTPDIR/$pid to $uid/$gid: $!");
365
    }
366 367
}

368 369 370
#
# Do the CVS stuff if its turned on.
#
371 372
if ($CVSSUPPORT) {
    my $CVSDIR = "$CVSREPOS/$pid";
373

374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389
    if (! -e "$CVSDIR") {
	if (! mkdir("$CVSDIR", 0770)) {
	    fatal("Could not make directory $CVSDIR: $!");
	}
    }
    if (! chmod(0770, "$CVSDIR")) {
	fatal("Could not chmod directory $CVSDIR: $!");
    }
    if (! chown($uid, $gid, "$CVSDIR")) {
	fatal("Could not chown $CVSDIR to $uid/$gid: $!");
    }
    if (! -e "$CVSDIR/CVSROOT") {
	system("$CVSBIN -d $CVSDIR init");
	if ($?) {
	    fatal("Could not cvs init $CVSDIR!");
	}
390 391 392 393 394 395 396 397
    }
    # Chown the tree.
    system("$CHOWN -R ${uid}:${gid} $CVSDIR");
    if ($?) {
	fatal("Could not chown ${uid}:${gid} $CVSDIR!");
    }
}

398 399
#
# Create groups directory.
400 401 402 403 404
#
if (! -e "$GRPROOT/$pid") {
    if (! mkdir("$GRPROOT/$pid", 0770)) {
	fatal("Could not make directory $GRPROOT/$pid: $!");
    }
405
    if (! chmod(0770, "$GRPROOT/$pid")) {
406 407 408 409 410
	fatal("Could not chmod directory $GRPROOT/$pid: $!");
    }
    if (! chown($uid, $gid, "$GRPROOT/$pid")) {
	fatal("Could not chown $GRPROOT/$pid to $uid/$gid: $!");
    }
411 412 413 414 415 416 417

    # Create a group link for the default group.
    if (! -e "$GRPROOT/$pid/$pid") {    
	if (system("ln -s $PROJROOT/$pid $GRPROOT/$pid/$pid")) {
	    fatal("Could not symlink $PROJROOT/$pid to $GRPROOT/$pid/$pid");
	}
    }
418 419
}

420 421 422
#
# Create experiment working directory.
#
Leigh B. Stoller's avatar
Leigh B. Stoller committed
423
my $workdir = TBDB_EXPT_WORKDIR() . "/$pid";
424

425
if (! -e $workdir) {
426
    if (! mkdir("$workdir", 0775)) {
427 428
	fatal("Could not make directory $workdir: $!");
    }
429
    if (! chmod(0775, "$workdir")) {
430 431 432 433 434
	fatal("Could not chmod directory $workdir: $!");
    }
    if (! chown($uid, $gid, "$workdir")) {
	fatal("Could not chown $workdir to $uid/$gid: $!");
    }
435 436
}

437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453
#
# Create experiment info (long term archive) directory.
#
my $infodir = "$TB/expinfo/$pid";

if (! -e $infodir) {
    if (! mkdir("$infodir", 0775)) {
	fatal("Could not make directory $infodir: $!");
    }
    if (! chmod(0775, "$infodir")) {
	fatal("Could not chmod directory $infodir: $!");
    }
    if (! chown($uid, $gid, "$infodir")) {
	fatal("Could not chown $infodir to $uid/$gid: $!");
    }
}

454 455 456 457 458 459 460 461
#
# If approved to use remote nodes, then grant permission to use the
# specific types of virtual nodes on those remote physical nodes.
# Unfortunately, the node_types table does not store a relationship
# between the phys type and the virtual types that are hosted on them.
# Need to add that I guess, but in the meantime we have just 3 remote
# phys types to worry about. 
#
462 463 464 465 466
if (!$ELABINELAB) {
    my $query_result =
	DBQueryFatal("select pcremote_ok from projects where pid='$pid'");
    if ($query_result->num_rows) {
	my ($pcremote) = $query_result->fetchrow_array();
467

468 469
	if (defined($pcremote)) {
	    print "$pcremote\n";
470
	
471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493
	    foreach my $type (split(",", $pcremote)) {
		print "$type\n";
		
		if ($type eq "pcplabphys") {
		    $type = "pcplab";
		}
		elsif ($type eq "pcron") {
		    $type = "pcvwa";
		}
		elsif ($type eq "pcwa") {
		    $type = "pcvwa";
		}
		else {
		    fatal("Unknown remote type $type!");
		}
		print "$type\n";

		$EUID = $UID;

		system("$GRANTTYPE -p $pid $type") == 0 or
		    fatal("Could not grant permission to use type $type!");
		
		$EUID = 0;
494 495 496
	    }
	}
    }
497 498 499 500 501 502 503 504 505 506 507
    else {
	#
	# Need to update the permissions table.
	#
	$EUID = $UID;

	system("$UPDATEPERMS") == 0 or
	    fatal("Could not update permissions table!");
		
	$EUID = 0;
    }
508 509
}

510 511 512 513 514 515 516 517 518 519 520 521 522
#
# Close proj admin list and remove testbed-approval as a member
#
#
# XXX: DISABLED FOR NOW.
#
#if ($MAILMANSUPPORT) {
#    $EUID = $UID;
#    system("$CLOSEPROJADMINLIST $pid") == 0 or
#        fatal("$CLOSEPROJADMINLIST failed");
#    $EUID = 0;
#}

523 524 525 526 527
# Send email, unless silent option given.
if (!$silent) {
    my $leader_name  = $leader->name();
    my $leader_email = $leader->email();
    
528 529 530 531 532 533 534 535 536 537 538 539 540
    SendProjAdminMail
	($pid, "ADMIN", "$leader_name <$leader_email>",
	 "Project '$pid' Approval",
	 "\n".
	 "This message is to notify you that your project '$pid'\n".
	 "has been approved.  We recommend that you save this link so that\n".
	 "you can send it to people you wish to have join your project.\n".
	 "Otherwise, tell them to go to ${TBBASE} and join it.\n".
	 "\n".
	 "    ${TBBASE}/joinproject.php3?target_pid=$pid\n".
	 (defined($message) ? "\n${message}\n" : "") .
	 "\n".
	 "Thanks,\n".
541 542
	 "Testbed Operations\n",
	 "Bcc: $TBAPPROVAL");
543 544 545 546 547 548

    #
    # If the leader was switched, then generate a second message to the
    # new leader telling him to approve the original leader to the project.
    #
    if (defined($oldleader)) {
549 550 551
	my $oldleader_uid   = $oldleader->uid();
	my $oldleader_name  = $oldleader->name();
	my $oldleader_email = $oldleader->email();
552
	
553 554
	SENDMAIL
	    ("$leader_name <$leader_email>",
555 556 557 558 559 560 561 562
	     "$oldleader_uid $pid Project Join Request",
	     "$oldleader_name wants to join project $pid.\n".
	     "\n".
	     "Please return to $TBWWW,\n".
	     "log in, select the 'New User Approval' page, and enter\n".
	     "your decision regarding ${oldleader_name}'s membership.\n".
	     "\n".
	     "Thanks,\n".
563 564
	     "Testbed Operations\n",
	     "$oldleader_name <$oldleader_email>");
565
    }
566 567
}

568
print "Project Creation Completed!\n";
569 570
exit(0);

571 572
sub fatal($) {
    my($mesg) = $_[0];
573

574 575
    die("*** $0:\n".
	"    $mesg\n");
576
}