#!/usr/bin/env bash #===========================================================================# # # # Hestia Control Panel - Core Function Library # # # #===========================================================================# # Internal variables HOMEDIR='/home' BACKUP='/backup' BACKUP_GZIP=9 BACKUP_DISK_LIMIT=95 BACKUP_LA_LIMIT=$(cat /proc/cpuinfo | grep processor | wc -l) RRD_STEP=300 BIN=$HESTIA/bin if [ -f /etc/redhat-release ]; then HESTIA_INSTALL_DIR="$HESTIA/install/rpm" else HESTIA_INSTALL_DIR="$HESTIA/install/deb" fi HESTIA_COMMON_DIR="$HESTIA/install/common" HESTIA_BACKUP="/root/hst_backups/$(date +%d%m%Y%H%M)" HESTIA_PHP="$HESTIA/php/bin/php" USER_DATA=$HESTIA/data/users/$user WEBTPL=$HESTIA/data/templates/web MAILTPL=$HESTIA/data/templates/mail DNSTPL=$HESTIA/data/templates/dns RRD=$HESTIA/web/rrd SENDMAIL="$HESTIA/web/inc/mail-wrapper.php" HESTIA_GIT_REPO="https://dev.brepo.ru/bayrepo/hestiacp" HESTIA_THEMES="$HESTIA/web/css/themes" HESTIA_THEMES_CUSTOM="$HESTIA/web/css/themes/custom" SCRIPT="$(basename $0)" CHECK_RESULT_CALLBACK="" # Return codes OK=0 E_ARGS=1 E_INVALID=2 E_NOTEXIST=3 E_EXISTS=4 E_SUSPENDED=5 E_UNSUSPENDED=6 E_INUSE=7 E_LIMIT=8 E_PASSWORD=9 E_FORBIDEN=10 E_DISABLED=11 E_PARSING=12 E_DISK=13 E_LA=14 E_CONNECT=15 E_FTP=16 E_DB=17 E_RRD=18 E_UPDATE=19 E_RESTART=20 # Detect operating system detect_os() { if [ -e "/etc/os-release" ]; then get_os_type=$(grep "^ID=" /etc/os-release | cut -f 2 -d '=') if [ "$get_os_type" = "ubuntu" ]; then if [ -e '/usr/bin/lsb_release' ]; then OS_VERSION="$(lsb_release -s -r)" OS_TYPE='Ubuntu' fi elif [ "$get_os_type" = "debian" ]; then OS_TYPE='Debian' OS_VERSION=$(cat /etc/debian_version | grep -o "[0-9]\{1,2\}" | head -n1) fi else OS_TYPE="Unsupported OS" OS_VERSION="Unknown" fi } # Generate time stamp new_timestamp() { time_n_date=$(date +'%T %F') time=$(echo "$time_n_date" | cut -f 1 -d \ ) date=$(echo "$time_n_date" | cut -f 2 -d \ ) } # Event string for logger ARGS=("$@") for ((I = 1; I <= $#; I++)); do if [[ "$HIDE" != "$I" ]]; then ARGUMENTS="$ARGUMENTS '${ARGS[${I} - 1]}'" else ARGUMENTS="$ARGUMENTS '******'" fi done # Log event function log_event() { if [ -z "$time" ]; then LOG_TIME="$(date +'%F %T') $(basename $0)" else LOG_TIME="$date $time $(basename $0)" fi if [ "$1" -eq 0 ]; then echo "$LOG_TIME $2" >> $HESTIA/log/system.log else echo "$LOG_TIME $2 [Error $1]" >> $HESTIA/log/error.log fi } # Log user history log_history() { message=${1//\'/\ยด} # Avoid single quotes broken the log evt_level=${2:-$event_level} log_user=${3-$user} evt_category=${4:-$event_category} # Set default event level and category if not specified if [ -z "$evt_level" ]; then evt_level="Info" fi if [ -z "$evt_category" ]; then evt_category="System" fi # Log system events to system log file if [ "$log_user" = "system" ]; then log=$HESTIA/data/users/admin/system.log else if ! $BIN/v-list-user "$log_user" > /dev/null; then return $E_NOTEXIST fi log=$HESTIA/data/users/$log_user/history.log fi touch $log if [ '300' -lt "$(wc -l $log | cut -f 1 -d ' ')" ]; then tail -n 250 $log > $log.moved mv -f $log.moved $log chmod 660 $log fi if [ -z "$date" ]; then time_n_date=$(date +'%T %F') time=$(echo "$time_n_date" | cut -f 1 -d \ ) date=$(echo "$time_n_date" | cut -f 2 -d \ ) fi curr_str=$(tail -n1 $log | grep "ID=" --text | cut -f2 -d \') id="$((curr_str + 1))" echo "ID='$id' DATE='$date' TIME='$time' LEVEL='$evt_level' CATEGORY='$evt_category' MESSAGE='$message'" >> $log } # Result checker check_result() { if [ $1 -ne 0 ]; then local err_code="${3:-$1}" if [[ -n "$CHECK_RESULT_CALLBACK" && "$(type -t "$CHECK_RESULT_CALLBACK")" == 'function' ]]; then $CHECK_RESULT_CALLBACK "$err_code" "$2" else echo "Error: $2" log_event "$err_code" "$ARGUMENTS" fi exit $err_code fi } # Argument list checker check_args() { if [ "$1" -gt "$2" ]; then echo "Usage: $(basename $0) $3" check_result "$E_ARGS" "not enought arguments" > /dev/null fi } # Define version check function version_ge() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1" -o -n "$1" -a "$1" = "$2"; } # Subsystem checker is_system_enabled() { if [ -z "$1" ] || [ "$1" = no ]; then check_result "$E_DISABLED" "$2 is not enabled" fi } # User package check is_package_full() { case "$1" in WEB_DOMAINS) used=$(wc -l $USER_DATA/web.conf) ;; WEB_ALIASES) used=$(echo $aliases | tr ',' '\n' | wc -l) ;; DNS_DOMAINS) used=$(wc -l $USER_DATA/dns.conf) ;; DNS_RECORDS) used=$(wc -l $USER_DATA/dns/$domain.conf) ;; MAIL_DOMAINS) used=$(wc -l $USER_DATA/mail.conf) ;; MAIL_ACCOUNTS) used=$(wc -l $USER_DATA/mail/$domain.conf) ;; DATABASES) used=$(wc -l $USER_DATA/db.conf) ;; CRON_JOBS) used=$(wc -l $USER_DATA/cron.conf) ;; esac used=$(echo "$used" | cut -f 1 -d \ ) limit=$(grep "^$1=" $USER_DATA/user.conf | cut -f 2 -d \') if [ "$1" = WEB_ALIASES ]; then # Used is always calculated with the new alias added if [ "$limit" != 'unlimited' ] && [[ "$used" -gt "$limit" ]]; then check_result "$E_LIMIT" "$1 limit is reached :: upgrade user package" fi else if [ "$limit" != 'unlimited' ] && [[ "$used" -ge "$limit" ]]; then check_result "$E_LIMIT" "$1 limit is reached :: upgrade user package" fi fi } # User owner for reseller plugin get_user_owner() { if [ -z "$RESELLER_KEY" ]; then owner='admin' else owner=$(grep "^OWNER" $USER_DATA/user.conf | cut -f 2 -d \') if [ -z "$owner" ]; then owner='admin' fi fi } # Random password generator generate_password() { matrix=$1 length=$2 if [ -z "$matrix" ]; then matrix="A-Za-z0-9" fi if [ -z "$length" ]; then length=16 fi head /dev/urandom | tr -dc $matrix | head -c$length } # Package existence check is_package_valid() { if [ -z $1 ]; then if [ ! -e "$HESTIA/data/packages/$package.pkg" ]; then check_result "$E_NOTEXIST" "package $package doesn't exist" fi else if [ ! -e "$HESTIA/data/packages/$1.pkg" ]; then check_result "$E_NOTEXIST" "package $1 doesn't exist" fi fi } is_package_new() { if [ -e "$HESTIA/data/packages/$1.pkg" ]; then echo "Error: package $1 already exists." log_event "$E_EXISTS" "$ARGUMENTS" exit "$E_EXISTS" fi } # Validate system type is_type_valid() { if [ -z "$(echo $1 | grep -w $2)" ]; then check_result "$E_INVALID" "$2 type is invalid" fi } # Check user backup settings is_backup_enabled() { BACKUPS=$(grep "^BACKUPS=" $USER_DATA/user.conf | cut -f2 -d \') if [ -z "$BACKUPS" ] || [[ "$BACKUPS" -le '0' ]]; then check_result "$E_DISABLED" "user backup is disabled" fi } # Check user backup settings is_backup_scheduled() { if [ -e "$HESTIA/data/queue/backup.pipe" ]; then check_q=$(grep " $user " $HESTIA/data/queue/backup.pipe | grep $1) if [ -n "$check_q" ]; then check_result "$E_EXISTS" "$1 is already scheduled" fi fi } # Check if object is new is_object_new() { if [ $2 = 'USER' ]; then if [ -d "$USER_DATA" ]; then object="OK" fi else object=$(grep "$2='$3'" $USER_DATA/$1.conf) fi if [ -n "$object" ]; then check_result "$E_EXISTS" "$2=$3 already exists" fi } # Check if object is valid is_object_valid() { if [ $2 = 'USER' ]; then tstpath="$(readlink -f "$HESTIA/data/users/$3")" if [ "$(dirname "$tstpath")" != "$(readlink -f "$HESTIA/data/users")" ] || [ ! -d "$HESTIA/data/users/$3" ]; then check_result "$E_NOTEXIST" "$1 $3 doesn't exist" fi elif [ $2 = 'KEY' ]; then local key="$(basename "$3")" if [[ -z "$key" || ${#key} -lt 16 ]] || [[ ! -f "$HESTIA/data/access-keys/${key}" && ! -f "$HESTIA/data/access-keys/$key" ]]; then check_result "$E_NOTEXIST" "$1 $3 doesn't exist" fi else object=$(grep "$2='$3'" $HESTIA/data/users/$user/$1.conf) if [ -z "$object" ]; then arg1=$(basename $1) arg2=$(echo $2 | tr '[:upper:]' '[:lower:]') check_result "$E_NOTEXIST" "$arg1 $arg2 $3 doesn't exist" fi fi } # Check if a object string with key values pairs has the correct format and load it afterwards parse_object_kv_list_non_eval() { local str local objkv obj_key obj_val local OLD_IFS="$IFS" str=${@//$'\n'/ } str=${str//\"/\\\"} str=${str//$/\\$} IFS=$'\n' # Extract and loop trough each key-value pair. (Regex test: https://regex101.com/r/eiMufk/5) for objkv in $(echo "$str" | perl -n -e "while(/\b([a-zA-Z]+[\w]*)='(.*?)'(\s|\$)/g) {print \$1.'='.\$2 . \"\n\" }"); do if ! [[ "$objkv" =~ ^([[:alnum:]][_[:alnum:]]{0,64}[[:alnum:]])=(\'?[^\']+?\'?)?$ ]]; then check_result "$E_INVALID" "Invalid key value format [$objkv]" fi obj_key=${objkv%%=*} # strip everything after first '=' char obj_val=${objkv#*=} # strip everything before first '=' char declare -g $obj_key="$obj_val" done IFS="$OLD_IFS" } # Check if a object string with key values pairs has the correct format and load it afterwards parse_object_kv_list() { local str local objkv local suboutput local OLD_IFS="$IFS" str=${@//$'\n'/ } str=${str//\"/\\\"} str=${str//$/\\$} IFS=$'\n' if [ -e '/etc/redhat-release' ]; then suboutput=$(setpriv --clear-groups --reuid nobody --regid nobody bash -c "PS4=''; set -xe; eval \"${str}\"" 2>&1) else suboutput=$(setpriv --clear-groups --reuid nobody --regid nogroup bash -c "PS4=''; set -xe; eval \"${str}\"" 2>&1) fi check_result $? "Invalid object format: ${str}" $E_INVALID for objkv in $suboutput; do if [[ "$objkv" =~ ^'eval ' ]]; then continue fi if ! [[ "$objkv" =~ ^([[:alnum:]][_[:alnum:]]{0,64}[[:alnum:]])=(\'?[^\']+?\'?)?$ ]]; then check_result "$E_INVALID" "Invalid key value format [$objkv]" fi eval "$objkv" done IFS="$OLD_IFS" } # Check if object is supended is_object_suspended() { if [ $2 = 'USER' ]; then spnd=$(cat $USER_DATA/$1.conf | grep "SUSPENDED='yes'") else spnd=$(grep "$2='$3'" $USER_DATA/$1.conf | grep "SUSPENDED='yes'") fi if [ -z "$spnd" ]; then check_result "$E_UNSUSPENDED" "$(basename $1) $3 is not suspended" fi } # Check if object is unsupended is_object_unsuspended() { if [ $2 = 'USER' ]; then spnd=$(cat $USER_DATA/$1.conf | grep "SUSPENDED='yes'") else spnd=$(grep "$2='$3'" $USER_DATA/$1.conf | grep "SUSPENDED='yes'") fi if [ -n "$spnd" ]; then check_result "$E_SUSPENDED" "$(basename $1) $3 is suspended" fi } # Check if object value is empty is_object_value_empty() { str=$(grep "$2='$3'" $USER_DATA/$1.conf) parse_object_kv_list "$str" eval value=$4 if [ -n "$value" ] && [ "$value" != 'no' ]; then check_result "$E_EXISTS" "${4//$/}=$value already exists" fi } # Check if object value is empty is_object_value_exist() { str=$(grep "$2='$3'" $USER_DATA/$1.conf) parse_object_kv_list "$str" eval value=$4 if [ -z "$value" ] || [ "$value" = 'no' ]; then check_result "$E_NOTEXIST" "${4//$/}=$value doesn't exist" fi } # Check if password is transmitted via file is_password_valid() { if [[ "$password" =~ ^/tmp/ ]]; then if ! [[ "$password" == *../* ]]; then if [ -f "$password" ]; then password="$(head -n1 $password)" fi fi fi } # Check if hash is transmitted via file is_hash_valid() { if [[ "$hash" =~ ^/tmp/ ]]; then if ! [[ "$hash" == *../* ]]; then if [ -f "$hash" ]; then hash="$(head -n1 $hash)" fi fi fi } # Check if directory is a symlink is_dir_symlink() { if [[ -L "$1" ]]; then check_result "$E_FORBIDEN" "$1 directory is a symlink" fi } # Get object value get_object_value() { object=$(grep "$2='$3'" $USER_DATA/$1.conf) parse_object_kv_list "$object" eval echo $4 } get_object_values() { parse_object_kv_list $(grep "$2='$3'" $USER_DATA/$1.conf) } # Update object value update_object_value() { row=$(grep -nF "$2='$3'" $USER_DATA/$1.conf) lnr=$(echo $row | cut -f 1 -d ':') object=$(echo $row | sed "s/^$lnr://") parse_object_kv_list "$object" eval old="$4" old=$(echo "$old" | sed -e 's/\\/\\\\/g' -e 's/&/\\&/g' -e 's/\//\\\//g') new=$(echo "$5" | sed -e 's/\\/\\\\/g' -e 's/&/\\&/g' -e 's/\//\\\//g') sed -i "$lnr s/${4//$/}='${old//\*/\\*}'/${4//$/}='${new//\*/\\*}'/g" \ $USER_DATA/$1.conf } # Add object key add_object_key() { row=$(grep -n "$2='$3'" $USER_DATA/$1.conf) lnr=$(echo $row | cut -f 1 -d ':') object=$(echo $row | sed "s/^$lnr://") if [ -z "$(echo $object | grep $4=)" ]; then eval old="$4" sed -i "$lnr s/$5='/$4='' $5='/" $USER_DATA/$1.conf fi } # Search objects search_objects() { OLD_IFS="$IFS" IFS=$'\n' if [ -f $USER_DATA/$1.conf ]; then for line in $(grep $2=\'$3\' $USER_DATA/$1.conf); do parse_object_kv_list "$line" eval echo \$$4 done fi IFS="$OLD_IFS" } # Get user value get_user_value() { grep "^${1//$/}=" $USER_DATA/user.conf | head -1 | awk -F "'" '{print $2}' } # Update user value in user.conf update_user_value() { key="${2//$/}" lnr=$(grep -n "^$key='" $HESTIA/data/users/$1/user.conf | cut -f 1 -d ':') if [ -n "$lnr" ]; then sed -i "$lnr d" $HESTIA/data/users/$1/user.conf sed -i "$lnr i\\$key='${3}'" $HESTIA/data/users/$1/user.conf fi } # Increase user counter increase_user_value() { key="${2//$/}" factor="${3-1}" conf="$HESTIA/data/users/$1/user.conf" old=$(grep "$key=" $conf | cut -f 2 -d \') if [ -z "$old" ]; then old=0 fi new=$((old + factor)) sed -i "s/$key='$old'/$key='$new'/g" $conf } # Decrease user counter decrease_user_value() { key="${2//$/}" factor="${3-1}" conf="$HESTIA/data/users/$1/user.conf" old=$(grep "$key=" $conf | cut -f 2 -d \') if [ -z "$old" ]; then old=0 fi if [ "$old" -le 1 ]; then new=0 else new=$((old - factor)) fi if [ "$new" -lt 0 ]; then new=0 fi sed -i "s/$key='$old'/$key='$new'/g" $conf } # Notify user send_notice() { topic=$1 notice=$2 if [ "$notify" = 'yes' ]; then touch $USER_DATA/notifications.conf chmod 660 $USER_DATA/notifications.conf time_n_date=$(date +'%T %F') time=$(echo "$time_n_date" | cut -f 1 -d \ ) date=$(echo "$time_n_date" | cut -f 2 -d \ ) nid=$(grep "NID=" $USER_DATA/notifications.conf | cut -f 2 -d \') nid=$(echo "$nid" | sort -n | tail -n1) if [ -n "$nid" ]; then nid="$((nid + 1))" else nid=1 fi str="NID='$nid' TOPIC='$topic' NOTICE='$notice' TYPE='$type'" str="$str ACK='no' TIME='$time' DATE='$date'" echo "$str" >> $USER_DATA/notifications.conf if [ -z "$(grep NOTIFICATIONS $USER_DATA/user.conf)" ]; then sed -i "s/^TIME/NOTIFICATIONS='yes'\nTIME/g" $USER_DATA/user.conf else update_user_value "$user" '$NOTIFICATIONS' "yes" fi fi } # Recalculate U_DISK value recalc_user_disk_usage() { u_usage=0 if [ -f "$USER_DATA/web.conf" ]; then usage=0 dusage=$(grep 'U_DISK=' $USER_DATA/web.conf \ | awk -F "U_DISK='" '{print $2}' | cut -f 1 -d \') for disk_usage in $dusage; do usage=$((usage + disk_usage)) done d=$(grep "U_DISK_WEB='" $USER_DATA/user.conf | cut -f 2 -d \') sed -i "s/U_DISK_WEB='$d'/U_DISK_WEB='$usage'/g" $USER_DATA/user.conf u_usage=$((u_usage + usage)) fi if [ -f "$USER_DATA/mail.conf" ]; then usage=0 dusage=$(grep 'U_DISK=' $USER_DATA/mail.conf \ | awk -F "U_DISK='" '{print $2}' | cut -f 1 -d \') for disk_usage in $dusage; do usage=$((usage + disk_usage)) done d=$(grep "U_DISK_MAIL='" $USER_DATA/user.conf | cut -f 2 -d \') sed -i "s/U_DISK_MAIL='$d'/U_DISK_MAIL='$usage'/g" $USER_DATA/user.conf u_usage=$((u_usage + usage)) fi if [ -f "$USER_DATA/db.conf" ]; then usage=0 dusage=$(grep 'U_DISK=' $USER_DATA/db.conf \ | awk -F "U_DISK='" '{print $2}' | cut -f 1 -d \') for disk_usage in $dusage; do usage=$((usage + disk_usage)) done d=$(grep "U_DISK_DB='" $USER_DATA/user.conf | cut -f 2 -d \') sed -i "s/U_DISK_DB='$d'/U_DISK_DB='$usage'/g" $USER_DATA/user.conf u_usage=$((u_usage + usage)) fi usage=$(grep 'U_DISK_DIRS=' $USER_DATA/user.conf | cut -f 2 -d "'") u_usage=$((u_usage + usage)) old=$(grep "U_DISK='" $USER_DATA/user.conf | cut -f 2 -d \') sed -i "s/U_DISK='$old'/U_DISK='$u_usage'/g" $USER_DATA/user.conf } # Recalculate U_BANDWIDTH value recalc_user_bandwidth_usage() { usage=0 bandwidth_usage=$(grep 'U_BANDWIDTH=' $USER_DATA/web.conf \ | awk -F "U_BANDWIDTH='" '{print $2}' | cut -f 1 -d \') for bandwidth in $bandwidth_usage; do usage=$((usage + bandwidth)) done old=$(grep "U_BANDWIDTH='" $USER_DATA/user.conf | cut -f 2 -d \') sed -i "s/U_BANDWIDTH='$old'/U_BANDWIDTH='$usage'/g" $USER_DATA/user.conf } # Get next cron job id get_next_cronjob() { if [ -z "$job" ]; then curr_str=$(grep "JOB=" $USER_DATA/cron.conf | cut -f 2 -d \' \ | sort -n | tail -n1) job="$((curr_str + 1))" fi } # Sort cron jobs by id sort_cron_jobs() { cat $USER_DATA/cron.conf | sort -n -k 2 -t \' > $USER_DATA/cron.tmp mv -f $USER_DATA/cron.tmp $USER_DATA/cron.conf } # Sync cronjobs with system cron sync_cron_jobs() { source_conf "$USER_DATA/user.conf" if [ -e "/var/spool/cron/crontabs" ]; then crontab="/var/spool/cron/crontabs/$user" else crontab="/var/spool/cron/$user" fi # remove file if exists if [ -e "$crontab" ]; then rm -f $crontab fi # touch new crontab file touch $crontab if [ "$CRON_REPORTS" = 'yes' ]; then echo "MAILTO=$CONTACT" > $crontab echo 'CONTENT_TYPE="text/plain; charset=utf-8"' >> $crontab else echo 'MAILTO=""' > $crontab fi while read line; do parse_object_kv_list "$line" if [ "$SUSPENDED" = 'no' ]; then echo "$MIN $HOUR $DAY $MONTH $WDAY $CMD" \ | sed -e "s/%quote%/'/g" -e "s/%dots%/:/g" \ >> $crontab fi done < $USER_DATA/cron.conf chown $user:$user $crontab chmod 600 $crontab } # User format validator is_user_format_valid() { if [ ${#1} -eq 1 ]; then if ! [[ "$1" =~ ^^[[:alnum:]]$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi else if [ -n "$3" ]; then maxlenght=$(($3 - 2)) if ! [[ "$1" =~ ^[[:alnum:]][-|\.|_[:alnum:]]{0,$maxlenght}[[:alnum:]]$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi else if ! [[ "$1" =~ ^[[:alnum:]][-|\.|_[:alnum:]]{0,28}[[:alnum:]]$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi fi fi if [ "$1" != "${1//[^[:ascii:]]/}" ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Domain format validator is_domain_format_valid() { object_name=${2-domain} exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|_|/|\|\"|'|;|%|\`| ]" if [[ $1 =~ $exclude ]] || [[ $1 =~ ^[0-9]+$ ]] || [[ $1 =~ \.\. ]] || [[ $1 =~ $(printf '\t') ]] || [[ "$1" = "www" ]]; then check_result "$E_INVALID" "invalid $object_name format :: $1" fi is_no_new_line_format "$1" } # Alias forman validator is_alias_format_valid() { for object in ${1//,/ }; do exclude="[!|@|#|$|^|&|(|)|+|=|{|}|:|<|>|?|_|/|\|\"|'|;|%|\`| ]" if [[ "$object" =~ $exclude ]]; then check_result "$E_INVALID" "invalid alias format :: $object" fi if [[ "$object" =~ [*] ]] && ! [[ "$object" =~ ^[*]\..* ]]; then check_result "$E_INVALID" "invalid alias format :: $object" fi done } # IP format validator is_ip_format_valid() { object_name=${2-ip} ip_regex='([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])' ip_clean=$(echo "${1%/*}") if ! [[ $ip_clean =~ ^$ip_regex\.$ip_regex\.$ip_regex\.$ip_regex$ ]]; then check_result "$E_INVALID" "invalid $object_name format :: $1" fi if [ $1 != "$ip_clean" ]; then ip_cidr="$ip_clean/" ip_cidr=$(echo "${1#$ip_cidr}") if [[ "$ip_cidr" -gt 32 ]] || [[ "$ip_cidr" =~ [:alnum:] ]]; then check_result "$E_INVALID" "invalid $object_name format :: $1" fi fi } # IPv6 format validator is_ipv6_format_valid() { object_name=${2-ipv6} ip_regex='([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])' t_ip=$(echo $1 | awk -F / '{print $1}') t_cidr=$(echo $1 | awk -F / '{print $2}') valid_cidr=1 WORD="[0-9A-Fa-f]\{1,4\}" # flat address, no compressed words FLAT="^${WORD}\(:${WORD}\)\{7\}$" COMP2="^\(${WORD}:\)\{1,1\}\(:${WORD}\)\{1,6\}$" COMP3="^\(${WORD}:\)\{1,2\}\(:${WORD}\)\{1,5\}$" COMP4="^\(${WORD}:\)\{1,3\}\(:${WORD}\)\{1,4\}$" COMP5="^\(${WORD}:\)\{1,4\}\(:${WORD}\)\{1,3\}$" COMP6="^\(${WORD}:\)\{1,5\}\(:${WORD}\)\{1,2\}$" COMP7="^\(${WORD}:\)\{1,6\}\(:${WORD}\)\{1,1\}$" # trailing :: edge case, includes case of only :: (all 0's) EDGE_TAIL="^\(\(${WORD}:\)\{1,7\}\|:\):$" # leading :: edge case EDGE_LEAD="^:\(:${WORD}\)\{1,7\}$" echo $t_ip | grep --silent "\(${FLAT}\)\|\(${COMP2}\)\|\(${COMP3}\)\|\(${COMP4}\)\|\(${COMP5}\)\|\(${COMP6}\)\|\(${COMP7}\)\|\(${EDGE_TAIL}\)\|\(${EDGE_LEAD}\)" if [ $? -ne 0 ]; then check_result "$E_INVALID" "invalid $object_name format :: $1" fi if [ -n "$(echo $1 | grep '/')" ]; then if [[ "$t_cidr" -lt 0 ]] || [[ "$t_cidr" -gt 128 ]]; then valid_cidr=0 fi if ! [[ "$t_cidr" =~ ^[0-9]+$ ]]; then valid_cidr=0 fi fi if [ "$valid_cidr" -eq 0 ]; then check_result "$E_INVALID" "invalid $object_name format :: $1" fi } is_ip46_format_valid() { t_ip=$(echo $1 | awk -F / '{print $1}') t_cidr=$(echo $1 | awk -F / '{print $2}') valid_octets=0 valid_cidr=1 for octet in ${t_ip//./ }; do if [[ $octet =~ ^[0-9]{1,3}$ ]] && [[ $octet -le 255 ]]; then ((++valid_octets)) fi done if [ -n "$(echo $1 | grep '/')" ]; then if [[ "$t_cidr" -lt 0 ]] || [[ "$t_cidr" -gt 32 ]]; then valid_cidr=0 fi if ! [[ "$t_cidr" =~ ^[0-9]+$ ]]; then valid_cidr=0 fi fi if [ "$valid_octets" -lt 4 ] || [ "$valid_cidr" -eq 0 ]; then #Check IPV6 ipv6_valid="" WORD="[0-9A-Fa-f]\{1,4\}" # flat address, no compressed words FLAT="^${WORD}\(:${WORD}\)\{7\}$" COMP2="^\(${WORD}:\)\{1,1\}\(:${WORD}\)\{1,6\}$" COMP3="^\(${WORD}:\)\{1,2\}\(:${WORD}\)\{1,5\}$" COMP4="^\(${WORD}:\)\{1,3\}\(:${WORD}\)\{1,4\}$" COMP5="^\(${WORD}:\)\{1,4\}\(:${WORD}\)\{1,3\}$" COMP6="^\(${WORD}:\)\{1,5\}\(:${WORD}\)\{1,2\}$" COMP7="^\(${WORD}:\)\{1,6\}\(:${WORD}\)\{1,1\}$" # trailing :: edge case, includes case of only :: (all 0's) EDGE_TAIL="^\(\(${WORD}:\)\{1,7\}\|:\):$" # leading :: edge case EDGE_LEAD="^:\(:${WORD}\)\{1,7\}$" echo $t_ip | grep --silent "\(${FLAT}\)\|\(${COMP2}\)\|\(${COMP3}\)\|\(${COMP4}\)\|\(${COMP5}\)\|\(${COMP6}\)\|\(${COMP7}\)\|\(${EDGE_TAIL}\)\|\(${EDGE_LEAD}\)" if [ $? -ne 0 ]; then ipv6_valid="INVALID" fi if [ -n "$(echo $1 | grep '/')" ]; then if [[ "$t_cidr" -lt 0 ]] || [[ "$t_cidr" -gt 128 ]]; then valid_cidr=0 fi if ! [[ "$t_cidr" =~ ^[0-9]+$ ]]; then valid_cidr=0 fi fi if [ -n "$ipv6_valid" ] || [ "$valid_cidr" -eq 0 ]; then check_result "$E_INVALID" "invalid IP format :: $1" fi fi } # Proxy extention format validator is_extention_format_valid() { exclude="[!|#|$|^|&|(|)|+|=|{|}|:|@|<|>|?|/|\|\"|'|;|%|\`| ]" if [[ "$1" =~ $exclude ]]; then check_result "$E_INVALID" "invalid proxy extention format :: $1" fi is_no_new_line_format "$1" } # Number format validator is_number_format_valid() { object_name=${2-number} if ! [[ "$1" =~ ^[0-9]+$ ]]; then check_result "$E_INVALID" "invalid $object_name format :: $1" fi } # Autoreply format validator is_autoreply_format_valid() { if [ 10240 -le ${#1} ]; then check_result "$E_INVALID" "invalid autoreply format :: $1" fi } # Boolean format validator is_boolean_format_valid() { if [ "$1" != 'yes' ] && [ "$1" != 'no' ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Refresh IPset format validator is_refresh_ipset_format_valid() { if [ "$1" != 'load' ] && [ "$1" != 'yes' ] && [ "$1" != 'no' ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Common format validator is_common_format_valid() { exclude="[!|#|$|^|&|(|)|+|=|{|}|:|<|>|?|/|\|\"|'|;|%|\`| ]" if [[ "$1" =~ $exclude ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [ 400 -le ${#1} ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [[ "$1" =~ @ ]] && [ ${#1} -gt 1 ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [[ $1 =~ \* ]]; then if [[ "$(echo $1 | grep -o '\*\.' | wc -l)" -eq 0 ]] && [[ $1 != '*' ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi fi if [[ $(echo -n "$1" | tail -c 1) =~ [^a-zA-Z0-9_*@.] ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [[ $(echo -n "$1" | grep -c '\.\.') -gt 0 ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [[ $(echo -n "$1" | head -c 1) =~ [^a-zA-Z0-9_*@] ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [[ $(echo -n "$1" | grep -c '\-\-') -gt 0 ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi if [[ $(echo -n "$1" | grep -c '\_\_') -gt 0 ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi is_no_new_line_format "$1" } is_no_new_line_format() { test=$(echo "$1" | head -n1) if [[ "$test" != "$1" ]]; then check_result "$E_INVALID" "invalid value :: $1" fi } is_string_format_valid() { exclude="[!|#|$|^|&|(|)|+|=|{|}|:|<|>|?|/|\|\"|'|;|%|\`]" if [[ "$1" =~ $exclude ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi is_no_new_line_format "$1" } # Database format validator is_database_format_valid() { exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|/|\|\"|'|;|%|\`| ]" if [[ "$1" =~ $exclude ]] || [ 64 -le ${#1} ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi is_no_new_line_format "$1" } # Date format validator is_date_format_valid() { if ! [[ "$1" =~ ^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$ ]]; then check_result "$E_INVALID" "invalid date format :: $1" fi } # Database user validator is_dbuser_format_valid() { exclude="[!|@|#|$|^|&|*|(|)|+|=|{|}|:|,|<|>|?|/|\|\"|'|;|%|\`| ]" if [ 33 -le ${#1} ]; then check_result "$E_INVALID" "mysql username can be up to 32 characters long" fi if [[ "$1" =~ $exclude ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi is_no_new_line_format "$1" } # DNS record type validator is_dns_type_format_valid() { known_dnstype='A,AAAA,NS,CNAME,MX,TXT,SRV,DNSKEY,KEY,IPSECKEY,PTR,SPF,TLSA,CAA,DS' if [ -z "$(echo $known_dnstype | grep -w $1)" ]; then check_result "$E_INVALID" "invalid dns record type format :: $1" fi } # DNS record validator is_dns_record_format_valid() { if [ "$rtype" = 'A' ]; then is_ip_format_valid "$1" fi if [ "$rtype" = 'NS' ]; then is_domain_format_valid "${1::-1}" 'ns_record' fi if [ "$rtype" = 'MX' ]; then is_domain_format_valid "${1::-1}" 'mx_record' is_int_format_valid "$priority" 'priority_record' fi is_no_new_line_format "$1" } # Email format validator is_email_format_valid() { if [[ ! "$1" =~ ^[A-Za-z0-9._%+-]+@[[:alnum:].-]+\.[A-Za-z]{2,63}$ ]]; then if [[ ! "$1" =~ ^[A-Za-z0-9._%+-]+@[[:alnum:].-]+\.(xn--)[[:alnum:]]{2,63}$ ]]; then check_result "$E_INVALID" "invalid email format :: $1" fi fi } # Firewall action validator is_fw_action_format_valid() { if [ "$1" != "ACCEPT" ] && [ "$1" != 'DROP' ]; then check_result "$E_INVALID" "invalid action format :: $1" fi } # Firewall protocol validator is_fw_protocol_format_valid() { if [ "$1" != "ICMP" ] && [ "$1" != 'UDP' ] && [ "$1" != 'TCP' ]; then check_result "$E_INVALID" "invalid protocol format :: $1" fi } # Firewall port validator is_fw_port_format_valid() { if [ "${#1}" -eq 1 ]; then if ! [[ "$1" =~ [0-9] ]]; then check_result "$E_INVALID" "invalid port format :: $1" fi else if ! [[ "$1" =~ ^[0-9][-|,|:|0-9]{0,30}[0-9]$ ]]; then check_result "$E_INVALID" "invalid port format :: $1" fi fi } # Integer validator is_int_format_valid() { if ! [[ "$1" =~ ^[0-9]+$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Interface validator is_interface_format_valid() { nic_names="$(ip -d -j link show | jq -r '.[] | if .link_type == "loopback" then empty else .ifname, if .altnames then .altnames[] else empty end end')" if [ -z "$(echo "$nic_names" | grep -x "$1")" ]; then check_result "$E_INVALID" "invalid interface format :: $1" fi } # IP status validator is_ip_status_format_valid() { if [ -z "$(echo shared,dedicated | grep -w "$1")" ]; then check_result "$E_INVALID" "invalid status format :: $1" fi } # Cron validator is_cron_format_valid() { limit=59 check_format='' if [ "$2" = 'hour' ]; then limit=23 fi if [ "$2" = 'day' ]; then limit=31 fi if [ "$2" = 'month' ]; then limit=12 fi if [ "$2" = 'wday' ]; then limit=7 fi if [ "$1" = '*' ]; then check_format='ok' fi if [[ "$1" =~ ^[\*]+[/]+[0-9] ]]; then if [ "$(echo $1 | cut -f 2 -d /)" -lt $limit ]; then check_format='ok' fi fi if [[ "$1" =~ ^[0-9][-|,|0-9]{0,70}[\/][0-9]$ ]]; then check_format='ok' crn_values=${1//,/ } crn_values=${crn_values//-/ } crn_values=${crn_values//\// } for crn_vl in $crn_values; do if [ "$crn_vl" -gt $limit ]; then check_format='invalid' fi done fi crn_values=$(echo $1 | tr "," " " | tr "-" " ") for crn_vl in $crn_values; do if [[ "$crn_vl" =~ ^[0-9]+$ ]] && [ "$crn_vl" -le $limit ]; then check_format='ok' fi done if [ "$check_format" != 'ok' ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } is_object_name_format_valid() { if ! [[ "$1" =~ ^[-|\ |\.|_[:alnum:]]{0,50}$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Name validator is_name_format_valid() { exclude="['|\"|<|>]" if [[ "$1" =~ $exclude ]]; then check_result "$E_INVALID" "Invalid $2 contains qoutes (\" or ') :: $1" fi is_no_new_line_format "$1" } # Object validator is_object_format_valid() { if ! [[ "$1" =~ ^[[:alnum:]][-|\.|_[:alnum:]]{0,64}[[:alnum:]]$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Role validator is_role_valid() { if ! [[ "$1" =~ ^admin$|^user$|^dns-cluster$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Password validator is_password_format_valid() { if [ "${#1}" -lt '6' ]; then check_result "$E_INVALID" "invalid password format :: $1" fi } # Missing function - # Before: validate_format_shell # After: is_format_valid_shell is_format_valid_shell() { if [ -z "$(grep -w $1 /etc/shells)" ]; then echo "Error: shell $1 is not valid" log_event "$E_INVALID" "$EVENT" exit $E_INVALID fi } # Service name validator is_service_format_valid() { if ! [[ "$1" =~ ^[[:alnum:]][-|\.|_[:alnum:]]{0,64}$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } is_hash_format_valid() { if ! [[ "$1" =~ ^[[:alnum:]|\:|\=|_|-]{1,80}$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } # Format validation controller is_format_valid() { for arg_name in $*; do eval arg=\$$arg_name if [ -n "$arg" ]; then case $arg_name in access_key_id) is_access_key_id_format_valid "$arg" "$arg_name" ;; account) is_user_format_valid "$arg" "$arg_name" '64' ;; action) is_fw_action_format_valid "$arg" ;; active) is_boolean_format_valid "$arg" 'active' ;; aliases) is_alias_format_valid "$arg" ;; alias) is_alias_format_valid "$arg" ;; antispam) is_boolean_format_valid "$arg" 'antispam' ;; antivirus) is_boolean_format_valid "$arg" 'antivirus' ;; autoreply) is_autoreply_format_valid "$arg" ;; backup) is_object_format_valid "$arg" 'backup' ;; charset) is_object_format_valid "$arg" "$arg_name" ;; charsets) is_common_format_valid "$arg" 'charsets' ;; chain) is_object_format_valid "$arg" 'chain' ;; comment) is_object_format_valid "$arg" 'comment' ;; database) is_database_format_valid "$arg" 'database' ;; day) is_cron_format_valid "$arg" $arg_name ;; dbpass) is_password_format_valid "$arg" ;; dbuser) is_dbuser_format_valid "$arg" 'dbuser' ;; dkim) is_boolean_format_valid "$arg" 'dkim' ;; dkim_size) is_int_format_valid "$arg" ;; domain) is_domain_format_valid "$arg" ;; dom_alias) is_alias_format_valid "$arg" ;; dvalue) is_dns_record_format_valid "$arg" ;; email) is_email_format_valid "$arg" ;; email_forward) is_email_format_valid "$arg" ;; exp) is_date_format_valid "$arg" ;; extentions) is_common_format_valid "$arg" 'extentions' ;; format) is_type_valid 'plain json shell csv' "$arg" ;; ftp_password) is_password_format_valid "$arg" ;; ftp_user) is_user_format_valid "$arg" "$arg_name" ;; hash) is_hash_format_valid "$arg" "$arg_name" ;; host) is_object_format_valid "$arg" "$arg_name" ;; hour) is_cron_format_valid "$arg" $arg_name ;; id) is_int_format_valid "$arg" 'id' ;; iface) is_interface_format_valid "$arg" ;; ip) is_ip_format_valid "$arg" ;; ipv6) is_ipv6_format_valid "$arg" ;; ip46) is_ip46_format_valid "$arg" ;; ip_name) is_domain_format_valid "$arg" 'IP name' ;; ip_status) is_ip_status_format_valid "$arg" ;; job) is_int_format_valid "$arg" 'job' ;; key) is_common_format_valid "$arg" "$arg_name" ;; malias) is_user_format_valid "$arg" "$arg_name" '64' ;; max_db) is_int_format_valid "$arg" 'max db' ;; min) is_cron_format_valid "$arg" $arg_name ;; month) is_cron_format_valid "$arg" $arg_name ;; name) is_name_format_valid "$arg" "name" ;; nat_ip) is_ip_format_valid "$arg" ;; netmask) is_ip_format_valid "$arg" 'netmask' ;; newid) is_int_format_valid "$arg" 'id' ;; ns1) is_domain_format_valid "$arg" 'ns1' ;; ns2) is_domain_format_valid "$arg" 'ns2' ;; ns3) is_domain_format_valid "$arg" 'ns3' ;; ns4) is_domain_format_valid "$arg" 'ns4' ;; ns5) is_domain_format_valid "$arg" 'ns5' ;; ns6) is_domain_format_valid "$arg" 'ns6' ;; ns7) is_domain_format_valid "$arg" 'ns7' ;; ns8) is_domain_format_valid "$arg" 'ns8' ;; object) is_object_name_format_valid "$arg" 'object' ;; package) is_object_format_valid "$arg" "$arg_name" ;; password) is_password_format_valid "$arg" ;; port) is_int_format_valid "$arg" 'port' ;; port_ext) is_fw_port_format_valid "$arg" ;; protocol) is_fw_protocol_format_valid "$arg" ;; proxy_ext) is_extention_format_valid "$arg" ;; quota) is_int_format_valid "$arg" 'quota' ;; rate) is_int_format_valid "$arg" 'rate' ;; record) is_common_format_valid "$arg" 'record' ;; reject) is_boolean_format_valid "$arg" 'reject' ;; restart) is_restart_format_valid "$arg" 'restart' ;; role) is_role_valid "$arg" 'role' ;; rtype) is_dns_type_format_valid "$arg" ;; rule) is_int_format_valid "$arg" "rule id" ;; service) is_service_format_valid "$arg" "$arg_name" ;; secret_access_key) is_secret_access_key_format_valid "$arg" "$arg_name" ;; soa) is_domain_format_valid "$arg" 'SOA' ;; #missing command: is_format_valid_shell shell) is_format_valid_shell "$arg" ;; ssl_dir) is_folder_exists "$arg" "$arg_name" ;; stats_pass) is_password_format_valid "$arg" ;; stats_user) is_user_format_valid "$arg" "$arg_name" ;; template) is_object_format_valid "$arg" "$arg_name" ;; theme) is_common_format_valid "$arg" "$arg_name" ;; ttl) is_int_format_valid "$arg" 'ttl' ;; user) is_user_format_valid "$arg" $arg_name ;; wday) is_cron_format_valid "$arg" $arg_name ;; value) is_common_format_valid "$arg" $arg_name ;; esac fi done } is_folder_exists() { if [ ! -d "$1" ]; then check_result "$E_NOTEXIST" "folder $1 does not exist" fi } is_command_valid_format() { if [[ ! "$1" =~ ^v-[[:alnum:]][-|\.|_[:alnum:]]{0,64}[[:alnum:]]$ ]]; then check_result "$E_INVALID" "Invalid command format" fi if [[ -n $(echo "$1" | grep -e '\-\-') ]]; then check_result "$E_INVALID" "Invalid command format" fi } # Check access_key_id name # Don't work with legacy key format is_access_key_id_format_valid() { local hash="$1" # ACCESS_KEY_ID format validation if ! [[ "$hash" =~ ^[[:alnum:]]{20}$ ]]; then check_result "$E_INVALID" "invalid $2 format :: $hash" fi } # SECRET_ACCESS_KEY format validation is_secret_access_key_format_valid() { local hash="$1" if ! [[ "$hash" =~ ^[[:alnum:]|_|\.|\+|/|\^|~|=|%|\-]{40}$ ]]; then check_result "$E_INVALID" "invalid $2 format" fi } # Checks if the secret belongs to the access key check_access_key_secret() { local access_key_id="$(basename "$1")" local secret_access_key=$2 local -n key_user=$3 if [[ -z "$access_key_id" || ! -f "$HESTIA/data/access-keys/${access_key_id}" ]]; then check_result "$E_PASSWORD" "Access key $access_key_id doesn't exist" fi if [[ -z "$secret_access_key" ]]; then check_result "$E_PASSWORD" "Secret key not provided for key $access_key_id" elif ! [[ "$secret_access_key" =~ ^[[:alnum:]|_|\.|\+|/|\^|~|=|%|\-]{40}$ ]]; then check_result "$E_PASSWORD" "Invalid secret key for key $access_key_id" else SECRET_ACCESS_KEY="" source_conf "$HESTIA/data/access-keys/${access_key_id}" if [[ -z "$SECRET_ACCESS_KEY" || "$SECRET_ACCESS_KEY" != "$secret_access_key" ]]; then check_result "$E_PASSWORD" "Invalid secret key for key $access_key_id" fi fi key_user="$USER" } # Checks if the key belongs to the user check_access_key_user() { local access_key_id="$(basename "$1")" local user=$2 if [[ -z "$access_key_id" || ! -f "$HESTIA/data/access-keys/${access_key_id}" ]]; then check_result "$E_FORBIDEN" "Access key $access_key_id doesn't exist" fi if [[ -z "$user" ]]; then check_result "$E_FORBIDEN" "User not provided" else USER="" source_conf "$HESTIA/data/access-keys/${access_key_id}" if [[ -z "$USER" || "$USER" != "$user" ]]; then check_result "$E_FORBIDEN" "key $access_key_id does not belong to the user $user" fi fi } # Checks if the key is allowed to run the command check_access_key_cmd() { local access_key_id="$(basename "$1")" local cmd=$2 local -n user_arg_position=$3 if [[ "$DEBUG_MODE" = "true" ]]; then new_timestamp echo "[$date:$time] $1 $2" >> /var/log/hestia/api.log fi if [[ -z "$access_key_id" || ! -f "$HESTIA/data/access-keys/${access_key_id}" ]]; then check_result "$E_FORBIDEN" "Access key $access_key_id doesn't exist" fi if [[ -z "$cmd" ]]; then check_result "$E_FORBIDEN" "Command not provided" elif [[ "$cmd" = 'v-make-tmp-file' ]]; then USER="" PERMISSIONS="" source_conf "${HESTIA}/data/access-keys/${access_key_id}" local allowed_commands if [[ -n "$PERMISSIONS" ]]; then allowed_commands="$(get_apis_commands "$PERMISSIONS")" if [[ -z "$(echo ",${allowed_commands}," | grep ",${hst_command},")" ]]; then check_result "$E_FORBIDEN" "Key $access_key_id don't have permission to run the command $hst_command" fi elif [[ -z "$PERMISSIONS" && "$USER" != "admin" ]]; then check_result "$E_FORBIDEN" "Key $access_key_id don't have permission to run the command $hst_command" fi user_arg_position="0" elif [[ ! -e "$BIN/$cmd" ]]; then check_result "$E_FORBIDEN" "Command $cmd not found" else USER="" PERMISSIONS="" source_conf "${HESTIA}/data/access-keys/${access_key_id}" local allowed_commands if [[ -n "$PERMISSIONS" ]]; then allowed_commands="$(get_apis_commands "$PERMISSIONS")" if [[ -z "$(echo ",${allowed_commands}," | grep ",${hst_command},")" ]]; then check_result "$E_FORBIDEN" "Key $access_key_id don't have permission to run the command $hst_command" fi elif [[ -z "$PERMISSIONS" && "$USER" != "admin" ]]; then check_result "$E_FORBIDEN" "Key $access_key_id don't have permission to run the command $hst_command" fi if [[ "$USER" == "admin" ]]; then # Admin can run commands for any user user_arg_position="0" else user_arg_position="$(search_command_arg_position "$hst_command" "USER")" if ! [[ "$user_arg_position" =~ ^[0-9]+$ ]]; then check_result "$E_FORBIDEN" "Command $hst_command not found" fi fi fi } # Domain argument formatting format_domain() { if [[ "$domain" = *[![:ascii:]]* ]]; then if [[ "$domain" =~ [[:upper:]] ]]; then domain=$(echo "$domain" | sed 's/[[:upper:]].*/\L&/') fi else if [[ "$domain" =~ [[:upper:]] ]]; then domain=$(echo "$domain" | tr '[:upper:]' '[:lower:]') fi fi if [[ "$domain" =~ ^www\..* ]]; then domain=$(echo "$domain" | sed -e "s/^www.//") fi if [[ "$domain" =~ .*\.$ ]]; then domain=$(echo "$domain" | sed -e "s/[.]*$//g") fi if [[ "$domain" =~ ^\. ]]; then domain=$(echo "$domain" | sed -e "s/^[.]*//") fi # Remove white spaces domain=$(echo $domain | sed 's/^[ \t]*//;s/[ \t]*$//') } format_domain_idn() { if [ -z "$domain_idn" ]; then domain_idn=$domain fi if [[ "$domain_idn" = *[![:ascii:]]* ]]; then domain_idn=$(idn2 --quiet $domain_idn) fi } format_aliases() { if [ -n "$aliases" ] && [ "$aliases" != 'none' ]; then aliases=$(echo $aliases | tr '[:upper:]' '[:lower:]' | tr ',' '\n') aliases=$(echo "$aliases" | sed -e "s/\.$//" | sort -u) aliases=$(echo "$aliases" | tr -s '.') aliases=$(echo "$aliases" | sed -e "s/[.]*$//g") aliases=$(echo "$aliases" | sed -e "s/^[.]*//") aliases=$(echo "$aliases" | sed -e "/^$/d") aliases=$(echo "$aliases" | tr '\n' ',' | sed -e "s/,$//") fi } is_restart_format_valid() { if [ "$1" != 'yes' ] && [ "$1" != 'no' ] && [ "$1" != 'ssl' ] && [ "$1" != 'reload' ] && [ "$1" != 'updatessl' ]; then check_result "$E_INVALID" "invalid $2 format :: $1" fi } check_backup_conditions() { # Checking load average la=$(cat /proc/loadavg | cut -f 1 -d ' ' | cut -f 1 -d '.') # i=0 while [ "$la" -ge "$BACKUP_LA_LIMIT" ]; do echo -e "$(date "+%F %T") Load Average $la" sleep 60 la=$(cat /proc/loadavg | cut -f 1 -d ' ' | cut -f 1 -d '.') done } # Define download function download_file() { local url=$1 local destination=$2 local force=$3 # Default destination is the curent working directory local dstopt="" if [ -n "$(echo "$url" | grep -E "\.(gz|gzip|bz2|zip|xz)$")" ]; then # When an archive file is downloaded it will be first saved localy dstopt="--directory-prefix=$ARCHIVE_DIR" local is_archive="true" local filename="${url##*/}" if [ -z "$filename" ]; then echo >&2 "[!] No filename was found in url, exiting ($url)" exit 1 fi if [ -n "$force" ] && [ -f "$ARCHIVE_DIR/$filename" ]; then rm -f $ARCHIVE_DIR/$filename fi elif [ -n "$destination" ]; then # Plain files will be written to specified location dstopt="-O $destination" fi # check for corrupted archive if [ -f "$ARCHIVE_DIR/$filename" ] && [ "$is_archive" = "true" ]; then tar -tzf "$ARCHIVE_DIR/$filename" > /dev/null 2>&1 if [ $? -ne 0 ]; then echo >&2 "[!] Archive $ARCHIVE_DIR/$filename is corrupted, redownloading" rm -f $ARCHIVE_DIR/$filename fi fi if [ ! -f "$ARCHIVE_DIR/$filename" ]; then wget $url -q $dstopt --show-progress --progress=bar:force --limit-rate=3m fi if [ -n "$destination" ] && [ "$is_archive" = "true" ]; then if [ "$destination" = "-" ]; then cat "$ARCHIVE_DIR/$filename" elif [ -d "$(dirname $destination)" ]; then cp "$ARCHIVE_DIR/$filename" "$destination" fi fi } check_hestia_demo_mode() { demo_mode=$(grep DEMO_MODE /usr/local/hestia/conf/hestia.conf | cut -d '=' -f2 | sed "s|'||g") if [ -n "$demo_mode" ] && [ "$demo_mode" = "yes" ]; then echo "ERROR: Unable to perform operation due to security restrictions that are in place." exit 1 fi } multiphp_count() { $BIN/v-list-sys-php plain | wc -l } multiphp_versions() { local -a php_versions_list local php_ver if [ "$(multiphp_count)" -gt 0 ]; then for php_ver in $($BIN/v-list-sys-php plain); do [ ! -d "/etc/php/$php_ver/fpm/pool.d/" ] && continue php_versions_list+=($php_ver) done echo "${php_versions_list[@]}" fi } multiphp_default_version() { # Get system wide default php version (set by update-alternatives) local sys_phpversion=$(php -r "echo substr(phpversion(),0,3);") # Check if the system php also has php-fpm enabled, otherwise return # the most recent php version which does have it installed. if [ ! -d "/etc/php/$sys_phpversion/fpm/pool.d/" ]; then local all_versions="$(multiphp_versions)" if [ -n "$all_versions" ]; then sys_phpversion="${all_versions##*\ }" fi fi echo "$sys_phpversion" } is_hestia_package() { check=false for pkg in $1; do if [ "$pkg" == "$2" ]; then check="true" fi done if [ "$check" != "true" ]; then check_result $E_INVALID "$2 package is not controlled by hestiacp" fi } # Run arbitrary cli commands with dropped privileges # Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2) # Input: # - $user : Vaild hestia user user_exec() { is_object_valid 'user' 'USER' "$user" local user_groups=$(id -G "$user") user_groups=${user_groups//\ /,} setpriv --groups "$user_groups" --reuid "$user" --regid "$user" -- "${@}" } # Simple chmod wrapper that skips symlink files after glob expand no_symlink_chmod() { local filemode=$1 shift for i in "$@"; do [[ -L ${i} ]] && continue chmod "${filemode}" "${i}" done } source_conf() { while IFS='= ' read -r lhs rhs; do if [[ ! $lhs =~ ^\ *# && -n $lhs ]]; then rhs="${rhs%%^\#*}" # Del in line right comments rhs="${rhs%%*( )}" # Del trailing spaces rhs="${rhs%\'*}" # Del opening string quotes rhs="${rhs#\'*}" # Del closing string quotes declare -g $lhs="$rhs" fi done < $1 } format_no_quotes() { exclude="['|\"]" if [[ "$1" =~ $exclude ]]; then check_result "$E_INVALID" "Invalid $2 contains qoutes (\" or ' or | ) :: $1" fi is_no_new_line_format "$1" } is_username_format_valid() { if [[ ! "$1" =~ ^[A-Za-z0-9._%+-]+@[[:alnum:].-]+\.[A-Za-z]{2,63}$ ]]; then is_string_format_valid "$1" "$2" fi } change_sys_value() { check_ckey=$(grep "^$1='" "$HESTIA/conf/hestia.conf") if [ -z "$check_ckey" ]; then echo "$1='$2'" >> "$HESTIA/conf/hestia.conf" else sed -i "s|^$1=.*|$1='$2'|g" "$HESTIA/conf/hestia.conf" fi } # Checks the format of APIs that will be allowed for the key is_key_permissions_format_valid() { local permissions="$1" local user="$2" if [[ "$user" != "admin" && -z "$permissions" ]]; then check_result "$E_INVALID" "Non-admin users need a permission list" fi while IFS=',' read -ra permissions_arr; do for permission in "${permissions_arr[@]}"; do permission="$(basename "$permission" | sed -E "s/^\s*|\s*$//g")" # if [[ -z "$(echo "$permission" | grep -E "^v-")" ]]; then if [[ ! -e "$HESTIA/data/api/$permission" ]]; then check_result "$E_NOTEXIST" "API $permission doesn't exist" fi source_conf "$HESTIA/data/api/$permission" if [ "$ROLE" = "admin" ] && [ "$user" != "admin" ]; then check_result "$E_INVALID" "Only the admin can run this API" fi # elif [[ ! -e "$BIN/$permission" ]]; then # check_result "$E_NOTEXIST" "Command $permission doesn't exist" # fi done done <<< "$permissions" } # Remove whitespaces, and bin path from commands cleanup_key_permissions() { local permissions="$1" local final quote while IFS=',' read -ra permissions_arr; do for permission in "${permissions_arr[@]}"; do permission="$(basename "$permission" | sed -E "s/^\s*|\s*$//g")" # Avoid duplicate items if [[ -z "$(echo ",${final}," | grep ",${permission},")" ]]; then final+="${quote}${permission}" quote=',' fi done done <<< "$permissions" echo "$final" } # Extract all allowed commands from a permission list get_apis_commands() { local permissions="$1" local allowed_commands quote commands_to_add while IFS=',' read -ra permissions_arr; do for permission in "${permissions_arr[@]}"; do permission="$(basename "$permission" | sed -E "s/^\s*|\s*$//g")" commands_to_add="" # if [[ -n "$(echo "$permission" | grep -E "^v-")" ]]; then # commands_to_add="$permission" # el if [[ -e "$HESTIA/data/api/$permission" ]]; then source_conf "$HESTIA/data/api/$permission" commands_to_add="$COMMANDS" fi if [[ -n "$commands_to_add" ]]; then allowed_commands+="${quote}${commands_to_add}" quote=',' fi done done <<< "$permissions" cleanup_key_permissions "$allowed_commands" } # Get the position of an argument by name in a hestia command using the command's documentation comment. # # Return: # * 0: It doesn't have the argument; # * 1-9: The position of the argument in the command. search_command_arg_position() { local hst_command="$(basename "$1")" local arg_name="$2" local command_path="$BIN/$hst_command" if [[ -z "$hst_command" || ! -e "$command_path" ]]; then echo "-1" return fi local position=0 local count=0 local command_options="$(sed -En 's/^# options: (.+)/\1/p' "$command_path")" while IFS=' ' read -ra options_arr; do for option in "${options_arr[@]}"; do count=$((count + 1)) option_name="$(echo " $option " | sed -E 's/^(\s|\[)*|(\s|\])*$//g')" if [[ "${option_name^^}" == "$arg_name" ]]; then position=$count fi done done <<< "$command_options" echo "$position" } # Convert version X.X to XX convert_dot_version_to_non_dot() { version="$1" echo "${version//./}" } # Get conf,d name according to web system get_conf_d_name(){ if [ "$1" = "httpd" ]; then echo "conf.h.d" else echo "conf.d" fi }