diff --git a/config/plugins.d/secure.conf b/config/plugins.d/secure.conf
new file mode 100644
index 00000000..b70f167b
--- /dev/null
+++ b/config/plugins.d/secure.conf
@@ -0,0 +1,8 @@
+### Example Plugin Configuration for EasyEngine
+
+[secure]
+
+### If enabled, load a plugin named `example` either from the Python module
+### `ee.cli.plugins.example` or from the file path
+### `/var/lib/ee/plugins/example.py`
+enable_plugin = true
diff --git a/ee/cli/plugins/secure.py b/ee/cli/plugins/secure.py
new file mode 100644
index 00000000..82dbdd01
--- /dev/null
+++ b/ee/cli/plugins/secure.py
@@ -0,0 +1,116 @@
+from cement.core.controller import CementBaseController, expose
+from cement.core import handler, hook
+from ee.core.shellexec import EEShellExec
+from ee.core.variables import EEVariables
+import string
+import random
+import sys
+import hashlib
+import getpass
+
+
+def secure_plugin_hook(app):
+ # do something with the ``app`` object here.
+ pass
+
+
+class EEsecureController(CementBaseController):
+ class Meta:
+ label = 'secure'
+ stacked_on = 'base'
+ stacked_type = 'nested'
+ description = 'clean command cleans different cache with following \
+ options'
+ arguments = [
+ (['--auth'],
+ dict(help='secure auth', action='store_true')),
+ (['--port'],
+ dict(help='secure port', action='store_true')),
+ (['--ip'],
+ dict(help='secure ip', action='store_true'))
+ ]
+
+ @expose(hide=True)
+ def default(self):
+ # TODO Default action for ee clean command here
+ if self.app.pargs.auth:
+ self.secure_auth()
+ if self.app.pargs.port:
+ self.secure_port()
+ if self.app.pargs.ip:
+ self.secure_ip()
+
+ @expose(hide=True)
+ def secure_auth(self):
+ print("Securing auth.....")
+ passwd = ''.join([random.choice
+ (string.ascii_letters + string.digits)
+ for n in range(6)])
+ username = input("Provide HTTP authentication user "
+ "name [{0}] :".format(EEVariables.ee_user))
+ password = input("Provide HTTP authentication "
+ "password [{0}]".format(passwd))
+ if password == "":
+ password = passwd
+ print(password)
+ if username == "":
+ username = EEVariables.ee_user
+ print(username)
+ EEShellExec.cmd_exec(self, "printf \"{username}:"
+ "$(openssl passwd -crypt "
+ "{password} 2> /dev/null)\n\""
+ "> /etc/nginx/htpasswd-ee 2>/dev/null"
+ .format(username=username,
+ password=password))
+
+ @expose(hide=True)
+ def secure_port(self):
+ #TODO:remaining with ee.conf updation in file
+ port = input("EasyEngine admin port [22222]:")
+ if port == "":
+ port = 22222
+ if EEVariables.ee_platform_distro == 'Ubuntu':
+ EEShellExec.cmd_exec(self, "sed -i \"s/listen.*/listen "
+ "{port} default_server ssl spdy;/\" "
+ "/etc/nginx/sites-available/22222"
+ .format(port=port))
+ elif EEVariables.ee_platform_distro == 'Debian':
+ EEShellExec.cmd_exec(self, "sed -i \"s/listen.*/listen "
+ "{port} default_server ssl;/\" "
+ "/etc/nginx/sites-available/22222"
+ .format(port=port))
+
+ @expose(hide=True)
+ def secure_ip(self):
+ newlist = []
+ ip = input("Enter the comma separated IP addresses "
+ "to white list [127.0.0.1]:")
+ ip_found = False
+ try:
+ user_list_ip = ip.split(',')
+ except Exception as e:
+ ip = ['127.0.0.1']
+ self.app.config.set('mysql', 'grant-host', "hello")
+ exist_ip_list = self.app.config.get('stack', 'ip-address').split()
+ print(exist_ip_list)
+ for check_ip in user_list_ip:
+ if check_ip not in exist_ip_list:
+ newlist.extend(exist_ip_list)
+ else:
+ print("IP found")
+ # changes in acl.conf file
+ if len(newlist) != 0:
+ EEShellExec.cmd_exec(self, "sed -i \"/allow.*/d\" /etc/nginx"
+ "/common/acl.conf")
+ for whitelist_adre in newlist:
+ EEShellExec.cmd_exec(self, "sed -i \"/deny/i "
+ "echo allow {whitelist_adre}\\;\" "
+ "/etc/nginx/common/acl.conf"
+ .format(whitelist_adre=whitelist_adre))
+
+
+def load(app):
+ # register the plugin class.. this only happens if the plugin is enabled
+ handler.register(EEsecureController)
+ # register a hook (function) to run after arguments are parsed.
+ hook.register('post_argument_parsing', secure_plugin_hook)
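Review bot: In `secure_auth` the prompted `username` and `password` are formatted directly into the command string given to `EEShellExec.cmd_exec`; that string relies on `$(…)` and redirection, so it presumably runs through a shell, where metacharacters in either value would be interpreted and the password would appear on a command line. `secure_port` and `secure_ip` format `port` and `whitelist_adre` into `sed` commands the same way, so the port should be checked as an integer in range and each address parsed (for example with `ipaddress.ip_address`) before use. The fallback password is six characters drawn with `random.choice`, and `openssl passwd -crypt` is the legacy DES crypt that only considers the first eight characters; the sketch below uses `secrets`, passes the password on stdin to `openssl passwd -apr1 -stdin` as an argument list, and writes the file from Python (it needs `secrets` and `subprocess` imported at the top of the file). Separately, `secure_ip` calls `newlist.extend(exist_ip_list)` where adding `check_ip` seems intended, leaves `user_list_ip` unset in its `except` branch, and still contains `self.app.config.set('mysql', 'grant-host', "hello")`, which looks like leftover debugging.

```python
    @expose(hide=True)
    def secure_auth(self):
        print("Securing auth.....")
        passwd = ''.join(secrets.choice(string.ascii_letters + string.digits)
                         for n in range(16))
        # … unchanged: username/password prompts and empty-input defaults …
        if ":" in username:
            # ':' separates the fields of an htpasswd entry
            print("HTTP authentication user name must not contain ':'")
            return
        hashed = subprocess.check_output(
            ["openssl", "passwd", "-apr1", "-stdin"],
            input=(password + "\n").encode()).decode().strip()
        with open("/etc/nginx/htpasswd-ee", "w") as htpasswd:
            htpasswd.write("{0}:{1}\n".format(username, hashed))
```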