Merge branch '6np-stretch-testing-patch-00935' into 'stretch-testing'

6np stretch testing patch 00935 See merge request !202

Merge branch '6np-stretch-testing-patch-00935' into 'stretch-testing'
6np stretch testing patch 00935 See merge request !202
fc539c9f · Paul Cammish · 1dd35394 · 1a06f1dd · fc539c9f · fc539c9f
Commit fc539c9f authored May 12, 2020 by Paul Cammish
--- a/CHANGELOG
+++ b/CHANGELOG
 CHANGELOG
 ---------

+
+2020-05-12
+  sympl-core
+    * Added functionality to the sympl cli for managing FTP users
+
 2020-05-10
  sympl-core
    * Remove debug output from sympl-filesystem-security

--- a/core/bin/sympl
+++ b/core/bin/sympl
@@ -87,8 +87,19 @@ _is_domain() {
 }

 _is_email() {
+  
+  if [ "$1" == "all" ]; then _error "Please specify an email address."; fi
+
  _debug "Checking if '$1' is a valid email address..."
+  readarray -d @ -t part < <(printf '%s' "$1")
+  _is_domain ${part[1]}

+  _debug "Checking if '${part[0]}' is valid"
+  if [[ ${part[0]} =~ ^[0-9a-zA-Z._%+-]+$ ]]; then 
+    _debug "'${part[0]}' is valid"
+  else
+    _error "'${part[0]}' is not valid a valid mailbox name."
+  fi
  
 }

@@ -265,6 +276,7 @@ _web_audit() {

  if [ "$1" != "all" ]; then _is_domain $1 ; fi

+  ( umask 077; touch /dev/shm/sympl_web_audit )
  find /srv/*/public/ -type d -name '*htdocs' > /dev/shm/sympl_web_audit

  _verbose "Enabled sites:"
@@ -273,6 +285,7 @@ _web_audit() {
  _verbose "Disabled sites:"
  grep __disabled__ /dev/shm/sympl_web_audit | cut -d '/' -f 3 | sort

+  rm /dev/shm/sympl_web_audit
 }

 _web_set() {
@@ -468,31 +481,380 @@ _mail_audit() {
 ##############################################################################

 _ftp_none() {
-  _noop
+  echo "Sympl FTP command line interface
+
+Usage: sympl ftp [action] [target|user@target]
+ 
+Where action is one of: 
+  create, enable, disable, reset, destroy, set, audit
+And target is the domain or user to work on.
+
+Where create is the action:
+  the domain folder will be created if it is not already present
+Where enable is the action:
+  the password will be enabled if disabled and set if not present
+Where disable is the action: 
+  FTP Access will be disabled for per-domain or user access
+Where reset is the action:
+  The password will be reset either per-domain or per-user, even if the 
+  domain or user are disabled
+Where destroy is the action:
+  FTP Access will be removed for both per-domain and per-user access assuming 
+  accounts have been disabled
+Where set is the action: 
+  you can restrict per-user access for the user to a specific folder (by 
+  default access is granted to the root of the public folder for that domain)
+  or by quota. the '-' character can be used to clear the set value for both 
+  the folder and the quota so the folder reverts back to the domains public
+  folder and the quota reverts back to unlimited.
+   
+Examples:
+
+  sympl ftp create example.com
+
+  sympl ftp enable example.com
+
+  sympl ftp disable example.com
+
+  sympl ftp destroy user2@example.com
+
+  sympl ftp audit all|example.com
+
+  sympl ftp enable user1@example.com
+
+  sympl ftp reset user2@example.com
+
+  sympl ftp set folder <folder name> user2@example.com
+
+  sympl ftp set quota <10K|M|G> user2@example.com
+"
 }

 _ftp_create() {
-  _noop
+
+  if [[ "$1" =~ .*"@".* ]]; then
+    _is_email $1
+    readarray -d @ -t part < <(printf '%s' "$1")
+    mailbox=${part[0]}
+    domain=${part[1]}
+    else
+    _is_domain $1
+    domain=$1
+  fi
+
+  _debug "Check for disabled sites"
+  if [ -d /srv/__disabled__$domain/public ]; then
+    _error "The domain '$domain' is disabled. Use 'sympl enable $domain' to enable it."
+  fi
+
+  _debug "Check to see if '$domain' already exists"
+  if [ -d /srv/$domain/public ]; then
+    _error "$domain Already exists. No need to continue"
+  fi
+
+  _verbose "Creating FTP folder for '$domain' at /srv/$domain/public/"
+  mkdir -p "/srv/$domain/public"
+  chmod -R 2775 "/srv/$domain/public" > /dev/null 2>&1
+  chown -R sympl: "/srv/$domain/public" > /dev/null
 }

 _ftp_enable() {
-  _noop
+  
+  if [[ "$1" =~ .*"@".* ]]; then
+    _is_email $1
+    readarray -d @ -t part < <(printf '%s' "$1")
+    mailbox=${part[0]}
+    domain=${part[1]}
+    else
+    _is_domain $1
+    domain=$1
+  fi
+  
+
+  _debug "Check if domain is set up"
+  if [ ! -d /srv/$domain ]; then
+    _error "The domain $domain does not exist."
+  fi
+
+  _debug "Check if the domains config folder exists"
+  if [ ! -d /srv/$domain/config ]; then
+    _verbose "Creating the config folder for domain '$domain'."
+    mkdir -p /srv/$domain/config
+  fi
+
+  if [ "x$mailbox" != "x"  ]; then
+
+    _debug "Check for the ftp-users file and create a blank one if it is absent."
+    if [ ! -f /srv/$domain/config/ftp-users ]; then
+      _verbose "Setting up ftp-users file"
+      echo "#username:password:folder:quota" > /srv/$domain/config/ftp-users
+      chown sympl: /srv/$domain/config/ftp-users
+    fi
+
+    _debug "Checking for user $mailbox in domain $domain"
+    if [ "$( grep -R ^$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _error "FTP user $mailbox already enabled on domain $domain."
+    elif [ "$( grep -R ^#$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _verbose "Enabling disabled user '$mailbox' on domain '$domain'."
+      sed -ri "/^#$mailbox/s/#//" /srv/$domain/config/ftp-users
+    else 
+      _verbose "Adding user '$mailbox' to domain '$domain'."
+      password="$( openssl rand -base64 32 | sed 's/\///g' | cut -c 1-32 )"
+      echo "$mailbox:$password" >> /srv/$domain/config/ftp-users
+    fi
+
+  else
+
+    _debug "Check if per-domain access is already enabled"
+    if [ -f /srv/$domain/config/ftp-password ]; then
+      _error "The domain $domain is already enabled for FTP access, to reset the pasword use <sympl ftp reset $domain>."
+    fi
+    _debug "Check for disabled per-domain access for '$domain'"
+    if [ -f /srv/$domain/config/__disabled__ftp-password ]; then
+      _verbose "Re-enabling per-domain ftp access for $domain."
+      mv /srv/$domain/config/__disabled__ftp-password /srv/$domain/config/ftp-password
+    else
+      _verbose "Setting per-domain FTP password for '$domain'"
+      password="$( openssl rand -base64 32 | cut -c 1-32 )"
+      _debug "Password '$password' for user $domain on domain $domain;"
+      echo "$password" > /srv/$domain/config/ftp-password
+      _verbose "Access created for '$domain' with password '$password'"
+      chown sympl: "/srv/$domain/config/ftp-password"
+    fi
+  fi
+  
 }

 _ftp_disable() {
-  _noop
+  
+  if [[ "$1" =~ .*"@".* ]]; then
+    _is_email $1
+    readarray -d @ -t part < <(printf '%s' "$1")
+    mailbox=${part[0]}
+    domain=${part[1]}
+    else
+    _is_domain $1
+    domain=$1
+  fi
+
+  if [ ! -d /srv/$domain ]; then
+    _error "The domain '$domain' does not exist."
+  fi
+
+  if [ "x$mailbox" != "x"  ]; then
+
+    _debug "Checking for user $mailbox in domain $domain"
+    if [ "$( grep -R ^#$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _error "FTP user $mailbox already disabled on domain $domain."
+    elif [ "$( grep -R ^$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _verbose "Disabling user '$mailbox' on domain '$domain'."
+      sed -ri "s/(^$mailbox:)/#\1/" /srv/$domain/config/ftp-users
+      return 0;
+    else
+      _error "User '$mailbox' not found for domain '$domain'."
+    fi
+  
+  else 
+
+    _debug "Checking per-domain ftp access for $domain is enabled and exists"
+    if [ -f /srv/$domain/config/__disabled__ftp-password ]; then
+      _error "The per-domain ftp access for $domain is already disabled."
+    elif [ ! -f /srv/$domain/config/ftp-password ]; then
+      _error "The per-domain ftp access for $domain does not exist."
+    fi
+
+    _verbose "Disabling per-domain FTP access for $domain"
+    mv /srv/$domain/config/ftp-password /srv/$domain/config/__disabled__ftp-password
+  
+  fi
+}
+
+_ftp_reset() {
+
+  if [[ "$1" =~ .*"@".* ]]; then
+    _is_email $1
+    readarray -d @ -t part < <(printf '%s' "$1")
+    mailbox=${part[0]}
+    domain=${part[1]}
+  else
+    _is_domain $1
+    domain=$1
+  fi
+
+  if [ -d /srv/$domain ]; then
+    _error "The domain '$domain' does not exist."
+  fi
+
+  if [ "x$mailbox" != "x" ]; then
+
+    _debug "Checking for per user access on domain '$domain'"
+    password="$( openssl rand -base64 32 | sed 's/\///g' | cut -c 1-32 )"
+    if [ ! -f /srv/$domain/config/ftp-users ]; then
+      _error "per user access not set up for domain '$domain'. please use <sympl ftp enable $mailbox@$domain>."
+    elif [ "$( grep -R ^#*$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      if [ "$( grep -R ^#$mailbox: /srv/$domain/config/ftp-users )" ]; then
+        _verbose "Resetting password for disabled user '$mailbox' on '$domain' to '$password'."
+      else
+        _verbose "Resetting password for '$mailbox' on '$domain' to '$password'."
+      fi
+      sed -ri "s/(^#*$mailbox:)[^:]*(.*)/\1$password\2/" /srv/$domain/config/ftp-users
+      return 0;
+    else
+      _error "User '$mailbox' not foung for per-user access on domain '$domain'."
+    fi
+
+  else
+
+    _debug "Resetting the per-domain access password for $domain"
+    password="$( openssl rand -base64 26 | cut -c 1-32 )"  
+    _debug "Checking if per-domain ftp access for $domain exists"
+    if [ -f /srv/$domain/config/__disabled__ftp-password ]; then
+      _debug "The per-domain ftp access for $domain is disabled. Resetting password"
+      echo "$password" > /srv/$domain/config/__disabled__ftp-password
+      _verbose "Setting the disabled per-domain FTP access password for '$domain' to $password"
+      return 0;
+    elif [ ! -f /srv/$domain/config/ftp-password ]; then
+      _error "The per-domain ftp access for $domain does not exist."
+    fi
+
+    _verbose "Resetting the password for per-domain FTP access for $domain"
+    printf '%s' "$password" > /srv/$domain/config/ftp-password
+
+  fi
+
 }

 _ftp_destroy() {
-  _noop
+
+  if [[ "$1" =~ .*"@".* ]]; then
+    _is_email $1
+    readarray -d @ -t part < <(printf '%s' "$1")
+    mailbox=${part[0]}
+    domain=${part[1]}
+    else
+    _is_domain $1
+    domain=$1
+  fi
+
+  if [ ! -d /srv/$domain ]; then
+    _error "The domain '$domain' does not exist."
+  fi
+
+  if [ "x$mailbox" != "x" ]; then
+    _debug "Confirm '$mailbox' is disabled and exists."
+    if [ "$( grep -R ^$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _error "The user '$mailbox' is enabled for domain '$domain'. It must be disabled before it can be destroyed."
+    elif [ "$( grep -R ^#mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _verbose "destroying user '$mailbox' for domain '$domain'."
+      sed -ri "/^#$mailbox:/d" /srv/$domain/config/ftp-users
+      return 0;
+    elif [ ! -f /srv/$domain/config/ftp-users ]; then
+      _error "Per-user access is not set up for the domain '$domain'."
+    else
+      _error "User '$mailbox' not found for domain '$domain'"
+    fi
+
+  else
+
+    _debug "Confirm '$domain' is disabled and exists"
+    if [ -f /srv/$domain/config/ftp-password ]; then
+      _error "The ftp access for '$domain' is enabled. It must be disabled before it can be destroyed."
+    elif [ ! -f /srv/$domain/config/__disabled__ftp-password ]; then
+      _error "The ftp access for '$domain' does not exist."
+    fi
+
+    _verbose "Destroying /srv/$domain/config/__disabled__ftp-password..."
+    rm -r /srv/$domain/config/__disabled__ftp-password
+
+  fi
 }

 _ftp_set() {
-  _noop
+
+  _is_email $1
+  readarray -d @ -t part < <(printf '%s' "$1")
+  mailbox=${part[0]}
+  domain=${part[1]}
+
+  if [ -z "$3" ]; then
+    _error "Set requires quota or folder to have a size or location argument"
+  fi 
+ 
+  _debug "Check if domain is set up for FTP"
+  if [ ! -d /srv/$domain ]; then
+    _error "The domain $domain does not exist."
+  elif [ ! -d /srv/$domain/public ]; then
+    _error "The domain $domain is not set up for FTP access. Please use <sympl ftp create $domain>"
+  fi
+  
+  _debug "Check if the domains config folder exists"
+  if [ ! -d /srv/$domain/config ]; then
+    _verbose "Creating the config folder for domain $domain."
+    mkdir -p /srv/$domain/config
+  fi
+ 
+
+  if [[ "$2" == "folder" ]]; then
+    _debug "Checking for user $mailbox"
+    if [ "$3" == "-" ]; then set -- "${@:1:2}"; fi
+    if [ "$( grep -R ^#*$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _debug "Setting folder for $mailbox on $domain to $3" 
+      while read line; do
+        readarray -d : -t item < <(printf '%s' "$line")
+        sed -ri "s/(^#*$mailbox:).*/\1${item[1]}:$3:${item[3]}/" /srv/$domain/config/ftp-users
+      done <<< $( grep -R "^#*$mailbox:" /srv/$domain/config/ftp-users )
+      _verbose "Folder reset for '$mailbox' on domain '$domain' to '$3'"
+      return 0;
+    else
+      _error "User $mailbox not found in configuration, please use <sympl ftp enable username@domain>."
+    fi
+  fi
+
+  if [[ "$2" == "quota" ]]; then
+    _debug "Checking for user $mailbox"
+    if [ "$3" == "-" ]; then set -- "${@:1:2}"; fi
+    if [ "$( grep -R ^#*$mailbox: /srv/$domain/config/ftp-users )" ]; then
+      _debug "Setting quota for $mailbox on $domain to $3" 	
+      while read line; do
+        readarray -d : -t item < <(printf '%s' "$line")
+        sed -ri "s/(^#*$mailbox:).*/\1${item[1]}:${item[2]}:$3/" /srv/$domain/config/ftp-users
+      done <<< $( grep -R "^#*$mailbox:" /srv/$domain/config/ftp-users )
+      _verbose "Quota reset for '$mailbox' on domain '$domain' to '$3'"
+      return 0;
+    else
+      _error "User $mailbox not found in configuration, please use <sympl ftp set username@domain>."
+    fi
+  fi
+
 }

 _ftp_audit() {
-  _noop
+
+  if [ "$1" != "all" ]; then _is_domain $1 ; else set "*"; fi
+  
+  ( umask 077; touch /dev/shm/sympl_ftp_audit )
+  find /srv/$1/config/ -type f -name '*ftp-password' > /dev/shm/sympl_ftp_audit
+  find /srv/$1/config/ -type f -name 'ftp-users' >> /dev/shm/sympl_ftp_audit
+
+  _verbose "Enabled per-domain access:"
+  dom=$( grep '/ftp-password' /dev/shm/sympl_ftp_audit | cut -d '/' -f 3 | sort )
+  [ -z "$dom" ] && echo "None found." || echo "$dom"; unset dom
+ 
+  _verbose "Disabled per-domain access:"
+  dom=$( grep __disabled__ftp-password /dev/shm/sympl_ftp_audit | cut -d '/' -f 3 | sort )
+  [ -z "$dom" ] && echo "None found." || echo "$dom"; unset dom
+
+  for domain in $( grep ftp-users /dev/shm/sympl_ftp_audit | cut -d '/' -f 3 | sort ); do
+    _verbose "Per-user access exists for domain $domain:"
+    printf '\t%-25s%-10s%-10s\n' "<username>" "<folder>" "<quota>"
+    while read line; do
+      readarray -d : -t item <<< "$line"
+      printf '\t%-25s%-10s%-10s\n' "${item[0]}@$domain" "${item[2]}" "${item[3]::-1}"
+    done <<< $( sed '/^#.*username/d' /srv/$domain/config/ftp-users )
+  done 
+  _debug "Cleaning up audit file"
+  rm /dev/shm/sympl_ftp_audit
+
 }

 _ftp_update() {
@@ -503,6 +865,7 @@ _ftp_update() {
 #                                    Backup                                  #
 ##############################################################################

+
 _backup_none() {
  _noop
 }
@@ -622,6 +985,7 @@ _main() {
      enable)                   _action 'enable'         ; shift ;;
      disable)                  _action 'disable'        ; shift ;;
      audit|list)               _action 'audit'          ; shift ;;
+      reset)		        	_action 'reset'	      	 ; shift ;;
      update|upgrade)           _action 'update'         ; shift ;;
      set)                      _action 'set' "$2" "$3"  ; shift ; shift ; shift ;;
      *) # unhandled parameter

--- a/core/debian/changelog
+++ b/core/debian/changelog
+sympl-core (9.0.200512.0) stable; urgency=low
+ 
+  * Added functionality to the sympl cli for FTP user management
+
+ -- Doug Targett <dougtargett@gmail.com>  Tue, 05 May 2020 17:55:30 +0100
+
 sympl-core (9.0.200510.0) stable; urgency=medium

  * Remove debug output from sympl-filesystem-security