pyinfra 3.0.dev0__py2.py3-none-any.whl → 3.0.2__py2.py3-none-any.whl

pyinfra/operations/selinux.py

@@ -1,21 +1,36 @@
 """
 Provides operations to set SELinux file contexts, booleans and port types.
 """
+
+from __future__ import annotations
+
+from enum import Enum
+
 from pyinfra import host
-from pyinfra.api import QuoteString, StringCommand, operation
+from pyinfra.api import OperationValueError, QuoteString, StringCommand, operation
 from pyinfra.facts.selinux import FileContext, FileContextMapping, SEBoolean, SEPort, SEPorts
 from pyinfra.facts.server import Which
 
 
-@operation(
-    pipeline_facts={"seboolean": "bool_name"},
-)
-def boolean(bool_name, value, persistent=False):
+class Boolean(Enum):
+    ON = "on"
+    OFF = "off"
+
+
+class Protocol(Enum):
+    UDP = "udp"
+    TCP = "tcp"
+    SCTP = "sctp"
+    DCCP = "dccp"
+
+
+@operation()
+def boolean(bool_name: str, value: Boolean, persistent=False):
     """
     Set the specified SELinux boolean to the desired state.
 
     + boolean: name of an SELinux boolean
-    + state: 'on' or 'off'
+    + value: desired state of the boolean
     + persistent: whether to write updated policy or not
 
     Note: This operation requires root privileges.
@@ -27,28 +42,31 @@ def boolean(bool_name, value, persistent=False):
         selinux.boolean(
             name='Allow Apache to connect to LDAP server',
             'httpd_can_network_connect',
-            'on',
+            Boolean.ON,
             persistent=True
         )
     """
-    _valid_states = ["on", "off"]
 
-    if value not in _valid_states:
-        raise ValueError(
-            f'\'value\' must be one of \'{",".join(_valid_states)}\' but found \'{value}\'',
-        )
+    value_str: str
+    if value in ["on", "off"]:  # compatibility with the old version
+        assert isinstance(value, str)
+        value_str = value
+    elif value is Boolean.ON:
+        value_str = "on"
+    elif value is Boolean.OFF:
+        value_str = "off"
+    else:
+        raise OperationValueError(f"Invalid value '{value}' for boolean operation")
 
-    if host.get_fact(SEBoolean, boolean=bool_name) != value:
+    if host.get_fact(SEBoolean, boolean=bool_name) != value_str:
         persist = "-P " if persistent else ""
-        yield StringCommand("setsebool", f"{persist}{bool_name}", value)
+        yield StringCommand("setsebool", f"{persist}{bool_name}", value_str)
     else:
-        host.noop(f"boolean '{bool_name}' already had the value '{value}'")
+        host.noop(f"boolean '{bool_name}' already had the value '{value_str}'")
 
 
-@operation(
-    pipeline_facts={"filecontext": "path"},
-)
-def file_context(path, se_type):
+@operation()
+def file_context(path: str, se_type: str):
     """
     Set the SELinux type for the specified path to the specified value.
 
@@ -73,10 +91,8 @@ def file_context(path, se_type):
         host.noop(f"file_context: '{path}' already had type '{se_type}'")
 
 
-@operation(
-    pipeline_facts={"filecontextmapping": "target"},
-)
-def file_context_mapping(target, se_type=None, present=True):
+@operation()
+def file_context_mapping(target: str, se_type: str | None = None, present=True):
     """
     Set the SELinux file context mapping for paths matching the target.
 
@@ -115,10 +131,8 @@ def file_context_mapping(target, se_type=None, present=True):
             host.noop(f"no existing mapping for '{target}'")
 
 
-@operation(
-    pipeline_facts={"which": "sepolicy"},
-)
-def port(protocol, port_num, se_type=None, present=True):
+@operation()
+def port(protocol: Protocol | str, port_num: int, se_type: str | None = None, present=True):
     """
     Set the SELinux type for the specified protocol and port.
 
@@ -135,17 +149,21 @@ def port(protocol, port_num, se_type=None, present=True):
 
         selinux.port(
             name='Allow Apache to provide service on port 2222',
-            'tcp',
+            Protocol.TCP,
             2222,
             'http_port_t',
         )
     """
 
+    if protocol is Protocol:
+        assert isinstance(protocol, Protocol)
+        protocol = protocol.value
+
     if present and (se_type is None):
         raise ValueError("se_type must have a valid value if present is set")
 
     new_type = se_type if present else ""
-    direct_get = len(host.get_fact(Which, command=SEPort.requires_command) or "") > 0
+    direct_get = len(host.get_fact(Which, command="sepolicy") or "") > 0
     if direct_get:
         current = host.get_fact(SEPort, protocol=protocol, port=port_num)
     else:

pyinfra/operations/server.py

@@ -3,12 +3,14 @@ The server module takes care of os-level state. Targets POSIX compatibility, tes
 Linux/BSD.
 """
 
+from __future__ import annotations
+
 import shlex
 from io import StringIO
 from itertools import filterfalse, tee
 from os import path
 from time import sleep
-from typing import Callable
+from typing import TYPE_CHECKING
 
 from pyinfra import host, logger, state
 from pyinfra.api import FunctionCommand, OperationError, StringCommand, operation
@@ -18,6 +20,7 @@ from pyinfra.facts.files import Directory, FindInFile, Link
 from pyinfra.facts.server import (
     Crontab,
     Groups,
+    Home,
     Hostname,
     KernelModules,
     Locales,
@@ -38,6 +41,7 @@ from . import (
     openrc,
     pacman,
     pkg,
+    runit,
     systemd,
     sysvinit,
     upstart,
@@ -47,6 +51,9 @@ from . import (
 )
 from .util.files import chmod, sed_replace
 
+if TYPE_CHECKING:
+    from pyinfra.api.arguments_typed import PyinfraOperation
+
 
 @operation(is_idempotent=False)
 def reboot(delay=10, interval=1, reboot_timeout=300):
@@ -100,6 +107,12 @@ def reboot(delay=10, interval=1, reboot_timeout=300):
 
     yield FunctionCommand(wait_and_reconnect, (), {})
 
+    # On certain systems sudo files are lost on reboot
+    def clean_sudo_info(state, host):
+        host.connector_data["sudo_askpass_path"] = None
+
+    yield FunctionCommand(clean_sudo_info, (), {})
+
 
 @operation(is_idempotent=False)
 def wait(port: int):
@@ -130,7 +143,7 @@ def wait(port: int):
 
 
 @operation(is_idempotent=False)
-def shell(commands):
+def shell(commands: str | list[str]):
     """
     Run raw shell code on server during a deploy. If the command would
     modify data that would be in a fact, the fact would not be updated
@@ -157,7 +170,7 @@ def shell(commands):
 
 
 @operation(is_idempotent=False)
-def script(src, args=()):
+def script(src: str, args=()):
     """
     Upload and execute a local script on the remote host.
 
@@ -182,15 +195,15 @@ def script(src, args=()):
         )
     """
 
-    temp_file = state.get_temp_filename()
-    yield from files.put(src=src, dest=temp_file)
+    temp_file = host.get_temp_filename()
+    yield from files.put._inner(src=src, dest=temp_file)
 
     yield chmod(temp_file, "+x")
     yield StringCommand(temp_file, *args)
 
 
 @operation(is_idempotent=False)
-def script_template(src, args=(), **data):
+def script_template(src: str, args=(), **data):
     """
     Generate, upload and execute a local script template on the remote host.
 
@@ -212,15 +225,15 @@ def script_template(src, args=(), **data):
         )
     """
 
-    temp_file = state.get_temp_filename("{0}{1}".format(src, data))
-    yield from files.template(src, temp_file, **data)
+    temp_file = host.get_temp_filename("{0}{1}".format(src, data))
+    yield from files.template._inner(src, temp_file, **data)
 
     yield chmod(temp_file, "+x")
     yield StringCommand(temp_file, *args)
 
 
 @operation()
-def modprobe(module, present=True, force=False):
+def modprobe(module: str, present=True, force=False):
     """
     Load/unload kernel modules.
 
@@ -272,11 +285,11 @@ def modprobe(module, present=True, force=False):
 
 @operation()
 def mount(
-    path,
+    path: str,
     mounted=True,
-    options=None,
-    device=None,
-    fs_type=None,
+    options: list[str] | None = None,
+    device: str | None = None,
+    fs_type: str | None = None,
     # TODO: do we want to manage fstab here?
     # update_fstab=False,
 ):
@@ -335,7 +348,7 @@ def mount(
 
 
 @operation()
-def hostname(hostname, hostname_file=None):
+def hostname(hostname: str, hostname_file: str | None = None):
     """
     Set the system hostname using ``hostnamectl`` or ``hostname`` on older systems.
 
@@ -388,13 +401,13 @@ def hostname(hostname, hostname_file=None):
         file = StringIO("{0}\n".format(hostname))
 
         # And ensure it exists
-        yield from files.put(src=file, dest=hostname_file)
+        yield from files.put._inner(src=file, dest=hostname_file)
 
 
 @operation()
 def sysctl(
-    key,
-    value,
+    key: str,
+    value: str | int | list[str | int],
     persist=False,
     persist_file="/etc/sysctl.conf",
 ):
@@ -422,16 +435,16 @@ def sysctl(
 
     value = [try_int(v) for v in value] if isinstance(value, list) else try_int(value)
 
-    existing_sysctls = host.get_fact(Sysctl)
-
+    existing_sysctls = host.get_fact(Sysctl, keys=[key])
     existing_value = existing_sysctls.get(key)
+
     if not existing_value or existing_value != value:
         yield "sysctl {0}='{1}'".format(key, string_value)
     else:
         host.noop("sysctl {0} is set to {1}".format(key, string_value))
 
     if persist:
-        yield from files.line(
+        yield from files.line._inner(
             path=persist_file,
             line="{0}[[:space:]]*=[[:space:]]*{1}".format(key, string_value),
             replace="{0} = {1}".format(key, string_value),
@@ -440,16 +453,16 @@ def sysctl(
 
 @operation()
 def service(
-    service,
+    service: str,
     running=True,
     restarted=False,
     reloaded=False,
-    command=None,
-    enabled=None,
+    command: str | None = None,
+    enabled: bool | None = None,
 ):
     """
     Manage the state of services. This command checks for the presence of all the
-    Linux init systems ``pyinfra`` can handle and executes the relevant operation.
+    Linux init systems pyinfra can handle and executes the relevant operation.
 
     + service: name of the service to manage
     + running: whether the service should be running
@@ -469,7 +482,7 @@ def service(
         )
     """
 
-    service_operation: Callable
+    service_operation: "PyinfraOperation"
 
     if host.get_fact(Which, command="systemctl"):
         service_operation = systemd.service
@@ -480,6 +493,9 @@ def service(
     elif host.get_fact(Which, command="initctl"):
         service_operation = upstart.service
 
+    elif host.get_fact(Which, command="sv"):
+        service_operation = runit.service
+
     elif (
         host.get_fact(Which, command="service")
         or host.get_fact(Link, path="/etc/init.d")
@@ -489,7 +505,7 @@ def service(
 
     # NOTE: important that we are not Linux here because /etc/rc.d will exist but checking it's
     # contents may trigger things (like a reboot: https://github.com/Fizzadar/pyinfra/issues/819)
-    elif host.get_fact(Os) != "Linux" and host.get_fact(Directory, path="/etc/rc.d"):
+    elif host.get_fact(Os) != "Linux" and bool(host.get_fact(Directory, path="/etc/rc.d")):
         service_operation = bsdinit.service
 
     else:
@@ -497,7 +513,7 @@ def service(
             ("No init system found " "(no systemctl, initctl, /etc/init.d or /etc/rc.d found)"),
         )
 
-    yield from service_operation(
+    yield from service_operation._inner(
         service=service,
         running=running,
         restarted=restarted,
@@ -509,12 +525,12 @@ def service(
 
 @operation()
 def packages(
-    packages,
+    packages: str | list[str],
     present=True,
 ):
     """
     Add or remove system packages. This command checks for the presence of all the
-    system package managers ``pyinfra`` can handle and executes the relevant operation.
+    system package managers pyinfra can handle and executes the relevant operation.
 
     + packages: list of packages to ensure
     + present: whether the packages should be installed
@@ -529,7 +545,7 @@ def packages(
         )
     """
 
-    package_operation: Callable
+    package_operation: "PyinfraOperation"
 
     # TODO: improve this - use LinuxDistribution fact + mapping with fallback below?
     # Here to be preferred on openSUSE which also provides aptitude
@@ -552,7 +568,7 @@ def packages(
     elif host.get_fact(Which, command="pacman"):
         package_operation = pacman.packages
 
-    elif host.get_fact(Which, command="xbps"):
+    elif host.get_fact(Which, command="xbps-install") or host.get_fact(Which, command="xbps"):
         package_operation = xbps.packages
 
     elif host.get_fact(Which, command="yum"):
@@ -569,21 +585,21 @@ def packages(
             ),
         )
 
-    yield from package_operation(packages=packages, present=present)
+    yield from package_operation._inner(packages=packages, present=present)
 
 
 @operation()
 def crontab(
-    command,
+    command: str,
     present=True,
-    user=None,
-    cron_name=None,
+    user: str | None = None,
+    cron_name: str | None = None,
     minute="*",
     hour="*",
     month="*",
     day_of_week="*",
     day_of_month="*",
-    special_time=None,
+    special_time: str | None = None,
     interpolate_variables=False,
 ):
     """
@@ -645,6 +661,8 @@ def crontab(
 
     if not existing_crontab and cron_name:  # find the crontab by name if provided
         for cmd, details in crontab.items():
+            if not details["comments"]:
+                continue
             if name_comment in details["comments"]:
                 existing_crontab = details
                 existing_crontab_match = cmd
@@ -652,8 +670,8 @@ def crontab(
 
     exists = existing_crontab is not None
 
-    edit_commands = []
-    temp_filename = state.get_temp_filename()
+    edit_commands: list[str | StringCommand] = []
+    temp_filename = host.get_temp_filename()
 
     if special_time:
         new_crontab_line = "{0} {1}".format(special_time, command)
@@ -701,6 +719,7 @@ def crontab(
 
     # We have the cron and it exists, do it's details? If not, replace the line
     elif present and exists:
+        assert existing_crontab is not None
         if any(
             (
                 special_time != existing_crontab.get("special_time"),
@@ -746,7 +765,7 @@ def crontab(
 
 
 @operation()
-def group(group, present=True, system=False, gid=None):
+def group(group: str, present=True, system=False, gid: int | str | None = None):
     """
     Add/remove system groups.
 
@@ -815,12 +834,12 @@ def group(group, present=True, system=False, gid=None):
 
 @operation()
 def user_authorized_keys(
-    user,
-    public_keys,
-    group=None,
+    user: str,
+    public_keys: str | list[str],
+    group: str | None = None,
     delete_keys=False,
-    authorized_key_directory=None,
-    authorized_key_filename=None,
+    authorized_key_directory: str | None = None,
+    authorized_key_filename: str | None = None,
 ):
     """
     Manage `authorized_keys` of system users.
@@ -832,7 +851,7 @@ def user_authorized_keys(
 
     Public keys:
         These can be provided as strings containing the public key or as a path to
-        a public key file which ``pyinfra`` will read.
+        a public key file which pyinfra will read.
 
     **Examples:**
 
@@ -844,8 +863,11 @@ def user_authorized_keys(
             public_keys=["ed25519..."],
         )
     """
+
     if not authorized_key_directory:
-        authorized_key_directory = f"/home/{user}/.ssh/"
+        home = host.get_fact(Home, user=user)
+        authorized_key_directory = f"{home}/.ssh"
+
     if not authorized_key_filename:
         authorized_key_filename = "authorized_keys"
 
@@ -861,14 +883,14 @@ def user_authorized_keys(
             with open(try_path, "r") as f:
                 return f.read().strip()
 
-        return key
+        return key.strip()
 
     public_keys = list(map(read_any_pub_key_file, public_keys))
 
     # Ensure .ssh directory
     # note that this always outputs commands unless the SSH user has access to the
     # authorized_keys file, ie the SSH user is the user defined in this function
-    yield from files.directory(
+    yield from files.directory._inner(
         path=authorized_key_directory,
         user=user,
         group=group or user,
@@ -886,7 +908,7 @@ def user_authorized_keys(
         )
 
         # And ensure it exists
-        yield from files.put(
+        yield from files.put._inner(
             src=keys_file,
             dest=authorized_key_file,
             user=user,
@@ -896,7 +918,7 @@ def user_authorized_keys(
 
     else:
         # Ensure authorized_keys exists
-        yield from files.file(
+        yield from files.file._inner(
             path=authorized_key_file,
             user=user,
             group=group or user,
@@ -905,26 +927,27 @@ def user_authorized_keys(
 
         # And every public key is present
         for key in public_keys:
-            yield from files.line(path=authorized_key_file, line=key, ensure_newline=True)
+            yield from files.line._inner(path=authorized_key_file, line=key, ensure_newline=True)
 
 
 @operation()
 def user(
-    user,
+    user: str,
     present=True,
-    home=None,
-    shell=None,
-    group=None,
-    groups=None,
-    public_keys=None,
+    home: str | None = None,
+    shell: str | None = None,
+    group: str | None = None,
+    groups: list[str] | None = None,
+    public_keys: str | list[str] | None = None,
     delete_keys=False,
     ensure_home=True,
     create_home=False,
     system=False,
-    uid=None,
-    comment=None,
+    uid: int | None = None,
+    comment: str | None = None,
     add_deploy_dir=True,
     unique=True,
+    password: str | None = None,
 ):
     """
     Add/remove/update system users & their ssh `authorized_keys`.
@@ -944,6 +967,7 @@ def user(
     + comment: the user GECOS comment
     + add_deploy_dir: any public_key filenames are relative to the deploy directory
     + unique: prevent creating users with duplicate UID
+    + password: set the encrypted password for the user
 
     Home directory:
         When ``ensure_home`` or ``public_keys`` are provided, ``home`` defaults to
@@ -953,7 +977,7 @@ def user(
 
     Public keys:
         These can be provided as strings containing the public key or as a path to
-        a public key file which ``pyinfra`` will read.
+        a public key file which pyinfra will read.
 
     **Examples:**
 
@@ -1040,6 +1064,11 @@ def user(
 
         if create_home:
             args.append("-m")
+        else:
+            args.append("-M")
+
+        if password:
+            args.append("-p '{0}'".format(password))
 
         # Users are often added by other operations (package installs), so check
         # for the user at runtime before adding.
@@ -1058,7 +1087,7 @@ def user(
                 user,
             )
 
-    # User exists and we want them, check home/shell/keys
+    # User exists and we want them, check home/shell/keys/password
     else:
         args = []
 
@@ -1081,6 +1110,9 @@ def user(
         if comment and existing_user["comment"] != comment:
             args.append("-c '{0}'".format(comment))
 
+        if password and existing_user["password"] != password:
+            args.append("-p '{0}'".format(password))
+
         # Need to mod the user?
         if args:
             if os_type == "FreeBSD":
@@ -1097,10 +1129,12 @@ def user(
                 existing_user["group"] = group
             if groups:
                 existing_user["groups"] = groups
+            if password:
+                existing_user["password"] = password
 
     # Ensure home directory ownership
-    if ensure_home:
-        yield from files.directory(
+    if ensure_home and home:
+        yield from files.directory._inner(
             path=home,
             user=user,
             group=group or user,
@@ -1110,7 +1144,7 @@ def user(
 
     # Add SSH keys
     if public_keys is not None:
-        yield from user_authorized_keys(
+        yield from user_authorized_keys._inner(
             user=user,
             public_keys=public_keys,
             group=group,
@@ -1122,7 +1156,7 @@ def user(
 
 @operation()
 def locale(
-    locale,
+    locale: str,
     present=True,
 ):
     """
@@ -1171,7 +1205,7 @@ def locale(
     if not present and locale in locales:
         logger.debug(f"Removing locale {locale}")
 
-        yield from files.line(
+        yield from files.line._inner(
             path=locales_definitions_file, line=f"^{matching_line}$", replace=f"# {matching_line}"
         )
 
@@ -1181,10 +1215,47 @@ def locale(
     if present and locale not in locales:
         logger.debug(f"Adding locale {locale}")
 
-        yield from files.replace(
+        yield from files.replace._inner(
             path=locales_definitions_file,
             text=f"^{matching_line}$",
             replace=f"{matching_line}".replace("# ", ""),
         )
 
         yield "locale-gen"
+
+
+@operation()
+def security_limit(
+    domain: str,
+    limit_type: str,
+    item: str,
+    value: int,
+):
+    """
+    Edit /etc/security/limits.conf configuration.
+
+    + domain: the domain (user, group, or wildcard) for the limit
+    + limit_type: the type of limit (hard or soft)
+    + item: the item to limit (e.g., nofile, nproc)
+    + value: the value for the limit
+
+    **Example:**
+
+    .. code:: python
+
+        security_limit(
+            name="Set nofile limit for all users",
+            domain='*',
+            limit_type='soft',
+            item='nofile',
+            value=1024,
+        )
+    """
+
+    line_format = f"{domain}\t{limit_type}\t{item}\t{value}"
+
+    yield from files.line._inner(
+        path="/etc/security/limits.conf",
+        line=f"^{domain}[[:space:]]+{limit_type}[[:space:]]+{item}",
+        replace=line_format,
+    )