ok

Mini Shell

Direktori : /proc/self/root/opt/cloudlinux/venv/lib/python3.11/site-packages/clwpos/
Upload File :
Current File : //proc/self/root/opt/cloudlinux/venv/lib/python3.11/site-packages/clwpos/wpos_admin.py

# -*- coding: utf-8 -*-

# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2021 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

# wposctl.py - work code for clwposctl utility

from __future__ import absolute_import

import argparse
import datetime
import itertools
import json
import logging
import os
import pwd
import subprocess
import sys

import requests
from copy import deepcopy
from dataclasses import asdict
from typing import Dict, Iterator, Set, Tuple, List, Optional
from enum import Enum
from psutil import pid_exists
from clcommon.cpapi import cpusers, userdomains, is_admin, cpinfo, getCPName

from clwpos.billing import get_or_create_unique_identifier
from clwpos.migrations import migrate_configs
from clwpos.cron import install_cron_files, clean_clwpos_crons
from clwpos.feature_suites.configurations import FeatureStatus, FeatureStatusEnum, AdminSuitesConfig, \
    any_suite_visible_on_server, is_module_visible_for_user, StatusSource, extract_suites
from clwpos.optimization_features import (
    ALL_OPTIMIZATION_FEATURES,
    OBJECT_CACHE_FEATURE,
    CDN_FEATURE,
    enable_without_config_affecting,
    disable_without_config_affecting,
    DocRootPath,
    SITE_OPTIMIZATION_FEATURE,
    Feature
)
from clwpos.feature_suites import (
    ALL_SUITES,
    any_suite_allowed_on_server,
    get_suites_allowed_path,
    get_admin_suites_config,
    write_suites_allowed,
    extract_features,
    is_module_allowed_for_user,
    PremiumSuite,
    CDNSuitePro,
    CDNSuite,
    AWPSuite
)
from clcommon.clpwd import drop_privileges
from clwpos.cl_wpos_exceptions import WposError

from clwpos.user.config import UserConfig

from clwpos.constants import (
    ALT_PHP_REDIS_ENABLE_UTILITY,
    CLWPOS_UIDS_PATH,
    CLWPOS_SOLO_PATH,
    PHP_REDIS_ENABLE_UTILITY,
    SUITES_MARKERS,
    MIGRATION_NEEDED_MARKER,
    SCAN_CACHE,
    ADMIN_ENABLE_FEATURE_STATUS,
    ADMIN_ENABLE_FEATURE_PID,
    ADMIN_UPDATE_OBJECT_CACHE_BANNER_PID,
    USERS_PLUGINS_SYNCING_PID,
    CLN_URL,
    SMART_ADVICE_ROOT_UTILITY,
    ON_OFF_IDENTIFIERS,
    XRAY_MANAGER_UTILITY
)
from clwpos.object_cache.redis_utils import reload_redis
from clwpos import gettext as _, billing
from clwpos.parse import ArgumentParser, CustomFormatter
from clwpos.logsetup import setup_logging, init_wpos_sentry_safely, ADMIN_LOGFILE_PATH
from clcommon.lib.cledition import is_cl_solo_edition
from clcommon.cpapi.cpapiexceptions import NoPackage
from clwpos.report_generator import ReportGenerator, ReportGeneratorError
from clwpos.utils import (
    catch_error,
    error_and_exit,
    print_data,
    check_license_decorator,
    set_wpos_icon_visibility,
    acquire_lock,
    write_public_options,
    get_pw,
    is_redis_configuration_running,
    install_monitoring_daemon,
    get_server_wide_options,
    is_ui_icon_hidden,
    ServerWideOptions,
    daemon_communicate,
    ExtendedJSONEncoder,
    is_shared_pro_safely,
    get_supported_suites,
    jwt_token_check,
    should_xray_user_agent_enabled,
    should_xray_user_agent_disabled
)
from clwpos.wpos_hooks import (
    install_panel_hooks,
    install_yum_universal_hook_alt_php,
    _uninstall_hooks
)
from clcommon.clcagefs import setup_mount_dir_cagefs, _remount_cagefs
from clwpos.stats import fill_current_wpos_statistics
from clwpos.data_collector_utils import has_wps
from secureio import disable_quota


WPOS_SERVICE_ENABLE_ERR_MSG = _("Unable to run CL AccelerateWP daemon. Caching databases won't start and work. "
                                "You can find detailed information in log file")
REDIS_CONFIGURATION_WARNING_MSG = _("Configuration of PHP redis extension is running in background process. "
                                    "This may take up to several minutes. Until the end of this process "
                                    "functionality of CL AccelerateWP is limited.")

parser = ArgumentParser(
    "/usr/bin/clwpos-admin",
    "Utility for control CL AccelerateWP admin interface",
    formatter_class=CustomFormatter,
    allow_abbrev=False
)

_logger = setup_logging(__name__)


class CloudlinuxWposAdmin(object):
    """
    Class for run cloudlinux-wpos-admin commands
    """

    class EnablingStatus(Enum):
        """
        Basic statuses while feature is enabling in background
        """
        IDLE = 'idle'
        PROGRESS = 'progress'
        DONE = 'done'

    def __init__(self):
        self._is_json = False
        self._opts: argparse.Namespace
        self._logger = setup_logging(__name__)
        init_wpos_sentry_safely(self._logger)
        self.clwpos_path = "/var/clwpos"
        self.modules_allowed_name = "modules_allowed.json"
        # TODO: [unification] remove this attr once it is unification is done
        self.is_solo = is_cl_solo_edition(skip_jwt_check=True)
        self.wait_child_process = bool(os.environ.get('CL_WPOS_WAIT_CHILD_PROCESS'))
        if self.wait_child_process:
            self.exec_func = subprocess.run
        else:
            self.exec_func = subprocess.Popen

    @catch_error
    def run(self, argv):
        """
        Run command action
        :param argv: sys.argv[1:]
        :return: clwpos-user utility retcode
        """
        self._opts =  self._parse_args(argv)
        self._is_json = True
        result = getattr(self, self._opts.command.replace("-", "_"))()
        print_data(self._is_json, result)

    def _parse_args(self, argv):
        raise NotImplementedError

    @staticmethod
    def _create_markers(suites_list):
        for suite in suites_list:
            if SUITES_MARKERS.get(suite) and not os.path.isfile(SUITES_MARKERS.get(suite)):
                open(SUITES_MARKERS.get(suite), 'w').close()

    @staticmethod
    def _clear_markers(suites_list):
        for suite in suites_list:
            if SUITES_MARKERS.get(suite) and os.path.isfile(
                    SUITES_MARKERS.get(suite)):
                os.unlink(SUITES_MARKERS.get(suite))
    @staticmethod
    def _is_true(opt):
        return opt == 'on'

    @parser.command()  # Uninstall cache for all domain during downgrade
    def uninstall_cache_for_all_domains(self) -> dict:
        """
        This command used during downgrade to lve-utils, which version does not support clwpos
        :return:
        """
        try:
            users = cpusers()
        except (OSError, IOError, IndexError, NoPackage) as e:
            self._logger.warning("Can't get user list from panel: %s", str(e))
            return {}
        for username in users:
            user_domains = userdomains(username)
            with drop_privileges(username):
                for doc_root, wp_path, module in _enabled_modules(username):
                    domain = _extract_domain(user_domains,
                                             os.path.join(pwd.getpwnam(username).pw_dir, doc_root))
                    disable_without_config_affecting(DocRootPath(doc_root), wp_path, module=module, domain=domain)
        return {}

    @check_license_decorator
    def _set_suite(self) -> dict:
        """
        Write info related to module allowance into user file
        """
        defaults = get_server_wide_options()
        suites_list = [suite.strip() for suite in self._opts.suites.split(",")]
        for suite in suites_list:
            if suite not in ALL_SUITES:
                error_and_exit(self._is_json, {'result': _(f'Unsupported suite: {suite}')})

            if (self._opts.allowed
                or self._opts.visible_for_all
                or self._opts.allowed_for_all) and\
                    suite not in get_supported_suites():
                error_and_exit(self._is_json, {'result': _(f'Suite is disabled externally: {suite}')})

            valid_attributes = {}
            allowed_attrs = ALL_SUITES[suite].allowed_attrubites
            for attribute in allowed_attrs:
                if self._opts.attrs \
                        and attribute.name not in self._opts.attrs \
                        and attribute.default is None:
                    error_and_exit(self._is_json, {'result': _(f'Attribute %s does not have default '
                                                               f'value and must be included: {attribute.name}')})
                elif not self._opts.attrs and attribute.default is not None:
                    valid_attributes[attribute.name] = attribute.default
                else:
                    if attribute.name in self._opts.attrs:
                        valid_attributes[attribute.name] = attribute.type(self._opts.attrs[attribute.name])

            # what we check here is whether billing is allowed to enable the feature
            # that is true in one cases: if the feature is already visible for users
            if self._opts.allowed and self._opts.source and \
                    getattr(StatusSource, self._opts.source) == StatusSource.BILLING_OVERRIDE \
                    and suite not in defaults.visible_suites:
                error_and_exit(self._is_json, {
                    'result': _(f'Suite %(suite)s is not visible for users and so '
                                f'cannot be allowed in billing. '
                                f'Activate the suite on server first. '
                                f'Contact your hoster if you don`t have an access to the server.'),
                    'context': dict(suite=suite)})
        if self._opts.default and len(suites_list) > 1:
            error_and_exit(self._is_json, {'result': _(f'Only one suite is possible with --default option')})
        if self._opts.attrs and len(suites_list) > 1:
            error_and_exit(self._is_json, {'result': _(f'Only one suite is possible with --attrs option')})

        # TODO: allowed_for_all works in the way that runs --allowed command for each new user in hook
        #       accroding to Dennis, hoster's unlikely would enable more then 50GB free for all users
        #       or they would do that using packages in WHMCS, so I allow only default configuration config here
        #       and create new task to fix this later upon requests: https://cloudlinux.atlassian.net/browse/AWP-546
        if self._opts.attrs and self._opts.allowed_for_all:
            error_and_exit(self._is_json, {'result': _(f'Only default suite configuration'
                                                       f' can be activated for all users')})

        modules_list = [module for suite in suites_list for module in ALL_SUITES[suite].feature_set]

        if self._opts.allowed_for_all:
            # async call here is fine, also no need to wait
            # in most cases it should work fast
            # if it works slower - scanning will be in process in UI
            self._logger.info('Going to generate users report')
            if not os.path.isfile(SCAN_CACHE):
                ReportGenerator().scan()

        # CL Shared (Pro)
        if self._opts.allowed_for_all:
            # Process all panel users
            user_list_to_process = cpusers()
            module_allowed = module_visible = True
            self._create_markers(suites_list)

        elif self._opts.disallowed_for_all:
            # Process all panel users
            user_list_to_process = cpusers()
            module_allowed = module_visible = False
            self._clear_markers(suites_list)
        elif self._opts.visible_for_all:
            # Process all panel users
            user_list_to_process = cpusers()
            module_allowed = False
            module_visible = True
            self._clear_markers(suites_list)
        else:
            if self._opts.default:
                defaults = get_server_wide_options()
                module_visible = suites_list[0] in defaults.visible_suites
                module_allowed = suites_list[0] in defaults.allowed_suites
            else:
                module_allowed = module_visible = self._opts.allowed

            # Process only specified users
            user_arg_list = self._opts.users.split(",")
            user_list_to_process = [user_arg_list[0].strip()]  # in v1 only single user processing is supported


        first_user_wpos_visible = module_visible and not any_suite_visible_on_server()
        first_user_cdn_allowed = module_allowed and CDN_FEATURE in modules_list \
            and not is_module_visible_for_user(CDN_FEATURE)
        first_user_obj_cache_visible = module_visible and OBJECT_CACHE_FEATURE in modules_list \
            and not is_module_visible_for_user(OBJECT_CACHE_FEATURE)
        warning_dict = {}
        if module_allowed:
            retcode, stdout, stderr = install_monitoring_daemon(True)
            if retcode:
                self._logger.error("Starting service ended with error: %s, %s", stdout, stderr)
                warning_dict.update({"warning": WPOS_SERVICE_ENABLE_ERR_MSG})


        error_flag = False
        is_one_user_processing = len(user_list_to_process) == 1

        if self._opts.source:
            source_override = getattr(StatusSource, self._opts.source)
        else:
            source_override = None

        if self._opts.preserve_user_settings:
            user_list_to_process = tuple()

        for username in user_list_to_process:
            # update modules only after daemon startup
            try:
                _error_flag, warning_d = self._process_user_suites(
                    username,
                    suites_list,
                    (
                        FeatureStatusEnum.ALLOWED
                        if module_allowed else
                            FeatureStatusEnum.VISIBLE if module_visible else
                        FeatureStatusEnum.DISABLED
                    ),
                    source_override or (
                        StatusSource.DEFAULT if any((
                            self._opts.allowed_for_all,
                            self._opts.disallowed_for_all,
                            self._opts.visible_for_all,
                            self._opts.default)
                        ) else StatusSource.COMMAND_LINE
                    ),
                    self._opts.purchase_date,
                    valid_attributes,
                    is_one_user_processing)
            except Exception as e:
                # ignore all errors for users processing during
                # bulk operations in order not to interrupt it
                # and raise otherwise (for individual users processing)
                if is_one_user_processing:
                    self._logger.error(
                        "Error while processing module for '%s': %s",
                        username, str(e))
                    raise
                self._logger.exception(
                    "Error while processing module for '%s', processing other users will be continued: %s",
                    username, str(e))
                _error_flag = True
                warning_d = {}
            # Skip further user processing if error
            if _error_flag:
                # Set global error flag
                error_flag = True
                continue
            if self._opts.allowed:
                self.exec_func(
                    ["/usr/sbin/clwpos_collect_information.py", username],
                    stdout=subprocess.DEVNULL,
                    stderr=subprocess.DEVNULL
                )

        if module_visible and is_ui_icon_hidden():
            # toggle icon if allow is in progress and icon is hidden in UI
            set_wpos_icon_visibility(hide=False)
            with write_public_options() as options:
                options.show_icon = True

        if should_xray_user_agent_enabled(module_visible):
            self.exec_func([XRAY_MANAGER_UTILITY, 'enable-user-agent'],
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL)


        if self._opts.allowed_for_all:
            # /usr/sbin/clwpos_collect_information.py without args processes all users
            self.exec_func(["/usr/sbin/clwpos_collect_information.py"], stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL)
            _remount_cagefs()
        if first_user_wpos_visible:
            setup_mount_dir_cagefs(
                CLWPOS_UIDS_PATH, prefix='*', remount_cagefs=True,
                remount_in_background=not self.wait_child_process
            )
            install_panel_hooks()

        if first_user_obj_cache_visible:
            # This runs after object_cache module is allowed for any user
            # and there were no users on server who are allowed object_cache module before
            warning_dict.update({"warning": REDIS_CONFIGURATION_WARNING_MSG})
            self.exec_func([ALT_PHP_REDIS_ENABLE_UTILITY], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            self.exec_func([PHP_REDIS_ENABLE_UTILITY], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            install_yum_universal_hook_alt_php()
        elif module_allowed and OBJECT_CACHE_FEATURE in modules_list and is_redis_configuration_running():
            warning_dict.update({"warning": REDIS_CONFIGURATION_WARNING_MSG})

        if first_user_wpos_visible or first_user_obj_cache_visible:
            install_cron_files(
                itertools.compress(
                    [SITE_OPTIMIZATION_FEATURE, OBJECT_CACHE_FEATURE, CDN_FEATURE],
                    [first_user_wpos_visible, first_user_obj_cache_visible, first_user_cdn_allowed]
                ), wait_child_process=True)


        if self._opts.disallowed_for_all:
            _remount_cagefs()
        # determine the case of all suites becoming disallowed
        # after manipulations with users
        if not module_visible and not any_suite_visible_on_server():
            _uninstall_hooks()
            clean_clwpos_crons()
            set_wpos_icon_visibility(hide=True)
            with write_public_options() as options:
                options.show_icon = False

            # TODO: [unification] once xray default value is same across all editions -> is_solo check will not be needed
            if should_xray_user_agent_disabled(self.is_solo):
                self.exec_func([XRAY_MANAGER_UTILITY, 'disable-user-agent'],
                               stdout=subprocess.DEVNULL,
                               stderr=subprocess.DEVNULL)


        # MIGRATION_NEEDED_MARKER is created in .spec only during 1 upgrade
        # before_renaming_version -> renaming_version

        if (self._opts.allowed_for_all or self._opts.visible_for_all) and os.path.isfile(MIGRATION_NEEDED_MARKER):
            self._logger.info('set-suite for all was called, removing migration marker')
            os.remove(MIGRATION_NEEDED_MARKER)

        if error_flag:
            error_and_exit(
                self._is_json,
                {
                    "result": _("User(s) process error. Please check log file %(logfile)s"),
                    "context": {"logfile": ADMIN_LOGFILE_PATH},
                }
            )

        self._save_suites_list_to_public_settings(suites_list)


        if self._opts.allowed_for_all or self._opts.allowed:
            # synchronize features to cln so at the time when
            # daemon tries to enable feature our remote service
            # already knows that feature is purchased
            self.cln_sync(False)
            self._force_user_sync(user_list_to_process)


            # notify daemon that we enabled some suites
            daemon_communicate({
                'command': "suite_allowed_callback",
                'uid': 0
            })

        return warning_dict

    def _force_user_sync(self, userlist: List[str]):
        """
        Communicates with AWP provision server asking it to fetch data about user ASAP.
        """
        if not os.path.exists(SMART_ADVICE_ROOT_UTILITY):
            self._logger.warning('Force syncing is skipped, because alt-php-xray package is not installed')
            return

        account_ids = []
        for username in userlist:
            try:
                account_ids.append(get_or_create_unique_identifier(username))
            except Exception:
                self._logger.exception('Unable to obtain account_id for user %s. ', username)
                continue

        if not account_ids:
            self._logger.warning('No account_ids to be synced')
            return

        try:
            subprocess.check_output([SMART_ADVICE_ROOT_UTILITY,
                                     'awp-sync',
                                     '--account_id',
                                     ','.join(account_ids)],
                                    stderr=subprocess.PIPE, text=True)
        except subprocess.CalledProcessError as e:
            self._logger.warning('Unable to force synchronization of data for user %s. '
                                 'stderr: %s; stdout: %s', str(userlist), e.stderr, e.stdout)

    def _save_suites_list_to_public_settings(self, suites_list):
        """
        Saves list of suites that are currently allowed/visible/disallowed
        to config which each user on server can read.
        """
        with write_public_options() as options:
            for suite in [ALL_SUITES[suite] for suite in suites_list]:
                if self._opts.allowed_for_all:
                    options.allowed_suites = list(set(options.allowed_suites) | {suite.name})
                    options.visible_suites = list(set(options.visible_suites) | {suite.name})
                elif self._opts.visible_for_all:
                    options.allowed_suites = list(set(options.allowed_suites) - {suite.name})
                    options.visible_suites = list(set(options.visible_suites) | {suite.name})
                elif self._opts.disallowed_for_all:
                    options.allowed_suites = list(set(options.allowed_suites) - {suite.name})
                    options.visible_suites = list(set(options.visible_suites) - {suite.name})

    @check_license_decorator
    def _set_options(self) -> dict:
        """
        Set global options that affect all users.
        For v1 it is only allowed to control WPOS icon visibility.
        """
        if self._opts.icon_visible:
            is_visible = self._is_true(self._opts.icon_visible)
            retcode, stdout = set_wpos_icon_visibility(hide=not is_visible)
            if retcode:
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("Error during changing of AccelerateWP icon visibility: \n%(error)s"),
                        "context": {"error": stdout}
                    },
                )

        with write_public_options() as options:
            if self._opts.icon_visible is not None:
                if self._is_true(self._opts.icon_visible):
                    options.show_icon = True
                else:
                    options.show_icon = False
            if self._opts.object_cache_banner_visible is not None:
                if self._is_true(self._opts.object_cache_banner_visible):
                    options.disable_object_cache_banners = False
                else:
                    options.disable_object_cache_banners = True
            if self._opts.smart_advice_notifications is not None:
                if self._is_true(self._opts.smart_advice_notifications):
                    options.disable_smart_advice_notifications = False
                else:
                    options.disable_smart_advice_notifications = True
            if self._opts.smart_advice_reminders is not None:
                if self._is_true(self._opts.smart_advice_reminders):
                    options.disable_smart_advice_reminders = False
                else:
                    options.disable_smart_advice_reminders = True
            if self._opts.upgrade_url is not None:
                if self._opts.suite == PremiumSuite.name:
                    options.upgrade_url = self._opts.upgrade_url or None
                elif self._opts.suite == CDNSuitePro.name:
                    options.upgrade_url_cdn = self._opts.upgrade_url or None

        if self._opts.feature_visible and self._opts.features:
            self.set_feature(self._opts.features, self._is_true(self._opts.feature_visible))

        return {}
    def set_feature(self, features, is_visible):
        features = [feature.strip() for feature in features.split(',')]

        # accelerate_wp is base for many features (CDN, image optimization, critical css)
        # do not see any sense to allow admin hide this feature
        possible_to_hide = [f.to_interface_name() for f in ALL_OPTIMIZATION_FEATURES
                            if f != SITE_OPTIMIZATION_FEATURE.optimization_feature()]

        for feature in features:
            if feature not in possible_to_hide:
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("Invalid feature name passed: \n%(feature)s.\n"
                                    " You may set only those features: %(supported)s"),
                        "context": {"feature": feature, "supported": possible_to_hide}
                    },
                )

        target_features = set([Feature(f).optimization_feature() for f in features])
        already_hidden = set(get_server_wide_options().hidden_features)

        if not is_visible:
            features_to_hide = list(target_features.union(already_hidden))

            all_premium_features = PremiumSuite.feature_set
            all_free_features = AWPSuite.feature_set.union(CDNSuite.feature_set)

            # suite_features: ['object_cache', 'critical_css', 'image_optimization']
            # to hide: ['object_cache', 'critical_css', 'image_optimization', 'cdn']
            # do not support case of hiding all features of suites, to prevent weird cases in UI

            if all_premium_features.issubset(features_to_hide):
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("Hiding all features of AccelerateWP Premium is not permitted, "
                                    "please use 'set-suite' command instead to disallow all "
                                    "Premium features to users: \n%(feature)s"),
                        "context": {"feature": features_to_hide}
                    },
                )
            if all_free_features.issubset(features_to_hide):
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("Hiding all features of AccelerateWP is not permitted, "
                                    "please use 'set-suite' command instead to disallow all "
                                    "Premium features for users: \n%(feature)s"),
                        "context": {"feature": features_to_hide}
                    },
                )
        else:
            # already_hidden: ['image_optimization', 'critical_cass']
            # to show: ['critical_css']
            # result: ['image_optimization']
            features_to_hide = list(already_hidden.difference(target_features))

        with write_public_options() as options:
            options.hidden_features = features_to_hide

            # just in case some users already enabled feature --> disable it on feature --hide
            if not is_visible and features_to_hide:
                for user in list(cpusers()):
                    try:
                        self._disable_feature(features_to_hide, user)
                    except Exception:
                        self._logger.exception('Unable to disable feature on set-feature --hide '
                                               'for user %s', user)
                        continue

    def _disable_feature(self, features, user):
        user_domains = userdomains(user)
        with drop_privileges(user):
            enabled_features = UserConfig(user).enabled_modules()
        for doc_root, wp_path, module in enabled_features:
            domain = _extract_domain(user_domains,
                                     os.path.join(pwd.getpwnam(user).pw_dir, doc_root))
            if module not in features:
                continue
            command = ['/usr/bin/clwpos-user', '--user', user, 'disable', '--feature', module,
                       '--wp-path', wp_path, '--domain', domain]
            result = subprocess.run(command, text=True, capture_output=True)
            self._logger.info(result.stdout)
            self._logger.info(result.stderr)

    @catch_error
    @check_license_decorator
    def _get_options(self):
        try:
            return asdict(get_server_wide_options())
        except json.decoder.JSONDecodeError as err:
            raise WposError(
                message=_(
                    "File is corrupted: Please, delete file mentioned in details or fix the corrupted line"),
                details=str(err))

    @catch_error
    def _get_report(self) -> dict:
        """
        Print report in stdout.
        """
        report = {}
        try:
            users = self._opts.users.split(',') if self._opts.users else None
            report = ReportGenerator().get(target_users=users)
        except ReportGeneratorError as e:
            error_and_exit(
                self._is_json,
                {
                    'result': e.message,
                    'context': e.context
                }
            )
        except Exception as e:
            error_and_exit(
                self._is_json,
                {
                    'result': _('Error during getting report: %(error)s'),
                    'context': {'error': e},
                }
            )
        return report


    def _generate_report(self) -> dict:
        rg = ReportGenerator()
        try:
            if self._opts.status:
                scan_status = rg.get_status()
            else:
                # TODO: implement --users support: send List[str] argument
                scan_status = rg.scan()  # initial status dict, like 0/10
            return {
                'result': 'success',
                **scan_status,
            }
        except ReportGeneratorError as e:
            error_and_exit(
                self._is_json,
                {
                    'result': e.message,
                    'context': e.context
                }
            )
        except Exception as e:
            error_and_exit(
                self._is_json,
                {
                    'result': _('Error during generating report: %(error)s'),
                    'context': {'error': str(e)},
                }
            )

    @catch_error
    def _get_stat(self) -> dict:
        """AccelerateWP statistics"""
        return fill_current_wpos_statistics()

    @catch_error
    def _enable_feature(self):
        """
        cli command for enabling optimization feature for all sites on the server
        (where possible)
        """
        # now only 1 feature is available to enable, will add parameter in case needed for other features as well
        feature = 'accelerate_wp'

        if self._opts.users:
            users = self._opts.users.split(',')
        else:
            users = list(cpusers())

        if self._opts.status:
            return self._feature_enable_status()

        if os.path.exists(ADMIN_ENABLE_FEATURE_PID):
            error_and_exit(
                self._is_json,
                {
                    'result': _('Feature enabling is already in progress.  '
                                'Process pid is stored in %(progress_marker)s.'
                                'If process with such pid does not exist - please, remove file "%(progress_marker)s" '
                                'and re-run command'),
                    'context': {'progress_marker': ADMIN_ENABLE_FEATURE_PID},
                }
            )

        if os.path.exists(ADMIN_ENABLE_FEATURE_STATUS):
            os.remove(ADMIN_ENABLE_FEATURE_STATUS)

        enable_result = self.run_in_background(ADMIN_ENABLE_FEATURE_PID, self._enable_feature_for_users, users, feature)

        if enable_result is None:
            # parent
            return {'result': 'success', 'status': self.EnablingStatus.PROGRESS.value, 'total_users_count': len(users)}

        total_websites_to_enable, total_enabled_websites = enable_result
        with open(ADMIN_ENABLE_FEATURE_STATUS, 'w') as f:
            json.dump({
                'wordpress_sites_to_enable_feature': total_websites_to_enable,
                'wordpress_sites_with_enabled_feature': total_enabled_websites,
                'total_users_count': len(users)
            }, f, indent=4)
        sys.exit(0)

    def _feature_enable_status(self):
        """
        Check current status of enabling feature process
        - idle: if no pid file
        - in progress: if pid file exists and such pid really exists in process list
        - done: is enabling status file exists (which is created when process finishes)
        """
        data = {'result': 'success'}
        status = self.EnablingStatus.IDLE.value
        if os.path.exists(ADMIN_ENABLE_FEATURE_PID):
            with open(ADMIN_ENABLE_FEATURE_PID) as f:
                pid = f.readline().strip()
            if pid_exists(int(pid)):
                status =  self.EnablingStatus.PROGRESS.value
        if os.path.exists(ADMIN_ENABLE_FEATURE_STATUS):
            status = self.EnablingStatus.DONE.value
            with open(ADMIN_ENABLE_FEATURE_STATUS) as f:
                data.update(json.load(f))
            if data.get('wordpress_sites_to_enable_feature') != data.get('wordpress_sites_with_enabled_feature'):
                data['warning'] = 'Feature was enabled not for all sites on the server, due to some errors. ' \
                                  f'Please, take a look at {ADMIN_LOGFILE_PATH}'
        data['status'] = status
        return data

    def run_in_background(self, pidfile, func, *args, **kwargs):
        """
        Forks child process in background if needed and created pid file with forked pid
        """
        # dummy func result if func returns nothing
        dummy_result = True
        fp = os.fork()
        if fp:
            # parent process
            return

        # redirect everything to devnull in order not to block parent
        si = open(os.devnull, 'r')
        so = open(os.devnull, 'a+')
        se = open(os.devnull, 'a+')
        os.dup2(si.fileno(), sys.stdin.fileno())
        os.dup2(so.fileno(), sys.stdout.fileno())
        os.dup2(se.fileno(), sys.stderr.fileno())

        # child process
        child_pid = os.getpid()
        with open(pidfile, 'w') as f:
            f.write(str(child_pid))
        try:
            func_result = func(*args, **kwargs)
            return func_result if func_result is not None else dummy_result
        finally:
            if os.path.exists(pidfile):
                os.remove(pidfile)

    def _enable_feature_for_users(self, usernames, feature):
        """
        Enables passed feature for passed username`s sites
        domains and target sites are obtained via user cli utility get (which  knows all
        about incompatibilities and able to detect sites/domains correctly)

        for those sites which do not have any incompatibilities - run user cli command enable feature

        returns <how many sites we should enable> and <how many sites were in fact enabled w/o errors>
        """
        total_websites_to_enable, total_enabled_websites = 0, 0
        for username in usernames:
            try:
                target_wps = self._get_target_websites(username, feature)
            except Exception:
                self._logger.exception('Unable to get websites info for enabling feature "%s"',
                                       feature)
                continue

            total_websites_to_enable += sum(len(websites) for websites in target_wps.values())

            for domain, websites in target_wps.items():
                for wp_site in websites:
                    self._logger.info('Enabling optimization feature "%s" for user "%s" website "%s"',
                                      feature,
                                      username,
                                      wp_site)
                    try:
                        enable_result = self._enable_for_site(username, feature, wp_site, domain,
                                                              self._opts.ignore_errors,
                                                              self._opts.skip_dns_check)
                        enabled_status = enable_result['feature']['enabled']
                    except Exception:
                        self._logger.exception('Failed to enable feature "%s" for website "%s". ',
                                               feature,
                                               wp_site)
                        continue

                    if enabled_status:
                        total_enabled_websites += 1
        return total_websites_to_enable, total_enabled_websites

    def _get_target_websites(self, username, feature):
        """
        Gets target websites via user command GET
        """
        target_wps = {}
        # skip heavy `get` once we detect no WP sites for user
        if has_wps(username):
            result = subprocess.run(
                ['/usr/bin/clwpos-user', '--user', username, 'get'],
                capture_output=True, text=True, timeout=600)
            docroots_info = json.loads(result.stdout)['docroots']

            for docroot in docroots_info:
                domain = docroot['domains'][0]
                target_wps[domain] = [
                    wp['path']
                    for wp in docroot['wps']
                    if not wp['features'][feature]['enabled'] and not wp['features'][feature].get('issues')
                ]
        return target_wps

    def _enable_for_site(self, username, feature, wp_site, domain, ignore_errors, skip_dns_check):
        """
        Enables feature via user cli command ENABLE
        """
        command = ['/usr/bin/clwpos-user', '--user', username, 'enable', '--feature', feature,
             '--wp-path', wp_site, '--domain', domain]

        if ignore_errors:
            command.append('--ignore-errors')

        elif skip_dns_check:
            command.append('--skip-dns-check')

        result = subprocess.run(command, text=True, capture_output=True, timeout=180)
        self._logger.info(result.stdout)
        self._logger.info(result.stderr)
        return json.loads(result.stdout)

    @catch_error
    @parser.command()
    def billing_check(self):
        """
        Automatically turn off suites that are not suppoted on this server.
        """
        supported_suites = get_supported_suites()
        suites_to_turn_off = set(ALL_SUITES.keys()) - set(supported_suites)

        if not suites_to_turn_off:
            return

        logging.info('Suites %s need to be turned off on the server', suites_to_turn_off)
        result = subprocess.run(['cloudlinux-awp-admin', 'set-suite',
                                 '--suites', ','.join(sorted(suites_to_turn_off)),
                                 '--disallowed-for-all'],
                                text=True, capture_output=True, timeout=3600)
        self._logger.info(result.stdout)
        self._logger.info(result.stderr)

    @catch_error
    @parser.command()  # Synchronize billing usage statistics with CLN
    def cln_sync(self, exit=True) -> dict:
        """AccelerateWP cln integration"""
        report = billing.get_report()
        cln_report_url = f'{CLN_URL}/cln/api/clos/server/addons/v2'

        success, err, jwt_str = jwt_token_check()

        if not success:
            self._logger.warning('JWT error: %s, report to CLN will not be sent', err)
        else:
            r = requests.post(cln_report_url,
                              data=json.dumps(report, cls=ExtendedJSONEncoder),
                              headers={'Authorization': f'JWT {jwt_str.decode("utf-8")}',
                                       'Content-Type': 'application/json'})

            if r.status_code != 200:
                self._logger.error('CLN report sending failed with status: %s, http response: %s',
                                   str(r.status_code), r.text)

        return report
    @catch_error
    @parser.command()  # migrate configs
    def migrate_configs(self):
        migrate_configs()
        return True

    @catch_error
    @parser.command()  # Synchronize cron files with current status
    def sync_cron_files(self):
        """
        Install cron files based on current status of wpos.

        This code is executed after updates to add new
        cron files that might be missing.
        """
        install_cron_files(
            itertools.compress(
                [
                    SITE_OPTIMIZATION_FEATURE,
                    CDN_FEATURE,
                    OBJECT_CACHE_FEATURE
                ],
                [
                    any_suite_visible_on_server(),
                    is_module_allowed_for_user(CDN_FEATURE),
                    is_module_allowed_for_user(OBJECT_CACHE_FEATURE)
                ]
            ), wait_child_process=True)
        return True

    @staticmethod
    def all_suites_disabled(suites_admin_config: AdminSuitesConfig,
                            default_config: ServerWideOptions) -> bool:
        """
        Check if all feature suites are disabled.
        """
        for suite, status in suites_admin_config.suites.items():
            if status in [FeatureStatusEnum.VISIBLE, FeatureStatusEnum.ALLOWED]:
                return False

            if status == FeatureStatusEnum.DEFAULT:
                any_feature_enabled_by_default = \
                    set(ALL_SUITES[suite].feature_set) & set(default_config.allowed_features)
                if any_feature_enabled_by_default:
                    return False

        return True

    def _is_supported_for_user(self, username):
        user_owner = cpinfo(cpuser=username, keyls=('reseller',))[0][0]
        # admin is owned by "root", but "root" is not is_admin()
        should_be_whitelisted = getCPName() == 'DirectAdmin' and username == 'admin'
        return any([is_admin(user_owner), should_be_whitelisted])

    def _process_user_suites(self, user_name: str, suites: List[str],
                             allowed_state: FeatureStatusEnum,
                             state_source: StatusSource,
                             purchase_date: datetime.date,
                             attributes: Dict,
                             is_one_user: bool) -> Tuple[bool, Optional[dict]]:
        """
        Enable/disable modules for user.
         - write admin config for user with new state
         - install/uninstall WP plugin
         - reload deamon to start/stop redis
        :param user_name: username
        :param suites: Suites list to process
        :param allowed_state: Suite state
        :param purchase_date: Date when user last payed for the product
        :param is_one_user: True - utility processes one user, False - some users
            For messages backward compatibility
        :return: Tuple: (error_flag, warning_flag)
        """
        # Get modules_allowed.json for user
        try:
            pw_info = get_pw(username=user_name)
            uid, gid = pw_info.pw_uid, pw_info.pw_gid
        except KeyError:
            if is_one_user:
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("User %(username)s does not exist."),
                        "context": {"username": user_name},
                    },
                )
            self._logger.error("User %s does not exist.", user_name)
            return True, None

        if allowed_state != FeatureStatusEnum.DISABLED and \
                not self._is_supported_for_user(user_name):

            self._logger.warning('User username="%s" is owned by reseller, suites="%s" cannot be allowed',
                              user_name,
                              str(suites))
            if is_one_user:
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("User %(username)s is owned by reseller, "
                                    "--visible or --allowed states cannot be set"),
                        "context": {"username": user_name},
                    },
                )

        # pid file is cleaned up after finishing syncing plugins in background,
        # until process is running - block command
        if os.path.exists(USERS_PLUGINS_SYNCING_PID.format(uid=str(uid))):
            if is_one_user:
                error_and_exit(
                    self._is_json,
                    {
                        "result": _("Plugins syncing in currently running for user %(username)s, "
                                    "please wait and try again. If issue persists - check file presence %(sync_pid)s "
                                    "and try to remove it"),
                        "context": {"username": user_name,
                                    'sync_pid': USERS_PLUGINS_SYNCING_PID.format(uid=str(uid))},
                    },
                )
            self._logger.error("Plugins syncing in currently running for user %s", user_name)
            return True, None
        suites_allowed_path = get_suites_allowed_path(uid)
        warning_dict = {}
        try:
            os.makedirs(os.path.dirname(suites_allowed_path), 0o755, exist_ok=False)
        except OSError:
            pass
        else:
            if is_one_user:
                _remount_cagefs(user_name)

        # automatically create user identifier when
        # he is allowed to use feature
        if allowed_state == FeatureStatusEnum.ALLOWED:
            get_or_create_unique_identifier(user_name)

        with acquire_lock(suites_allowed_path):
            default_config = get_server_wide_options()
            config_contents = get_admin_suites_config(uid)
            features_old_state = extract_features(
                deepcopy(config_contents),
                default_config,
                allowed_state
            )

            unsupported_suites_for_reseller = [PremiumSuite.name, CDNSuitePro.name, CDNSuite.name]
            for suite in suites:
                if suite in unsupported_suites_for_reseller and \
                        allowed_state != FeatureStatusEnum.DISABLED and \
                        not self._is_supported_for_user(user_name):
                    self._logger.info('Silently disallow %s user because it is owned by reseller', user_name)
                    config_contents.suites[suite] = FeatureStatusEnum.DISABLED
                else:
                    config_contents.suites[suite] = allowed_state
                config_contents.sources[suite] = state_source
                if attributes:
                    config_contents.attributes[suite] = attributes
                if purchase_date:
                    config_contents.purchase_dates[suite] = str(purchase_date)

            features_new_state = extract_features(
                deepcopy(config_contents),
                default_config,
                allowed_state
            )

            try:
                write_suites_allowed(uid, gid, config_contents)
            except (IOError, OSError) as err:
                if is_one_user:
                    raise WposError(
                        message=_("Configuration file '%(path)s' update failed."),
                        details=str(err),
                        context=dict(path=suites_allowed_path)
                    )
                self._logger.error("Configuration file %s update failed. Error is %s",
                                   suites_allowed_path, str(err))
                return True, None

            self.synchronize_plugins_if_needed(allowed_state, state_source,
                                          user_name, uid, features_old_state, features_new_state)
        return False, warning_dict

    def synchronize_plugins_if_needed(self, state, source, username, uid, features_old_state, features_new_state):
        """
        1. does not sync plugins if source == BILLING (WHMCS CALL) and state == allowed
        2. start syncing plugins in background if source == BILLING (WHMCS CALL) and state != allowed
        3. it syncs plugins in regular regime for both allowed/non-allowed states if source != BILLING
        """
        # set-suite command execution time is limited to 25s by our billing
        # implementation -> call uninstalling/installing plugin in background
        if source == StatusSource.BILLING_OVERRIDE:
            _logger.info('Syncing plugins in background for user: %s', username)
            # start in background
            sync_result = self.run_in_background(USERS_PLUGINS_SYNCING_PID.format(uid=str(uid)),
                                                 synchronize_plugins_status_for_user,
                                                 username,
                                                 uid,
                                                 features_old_state,
                                                 features_new_state)
            if sync_result is not None:
                self._logger.info('Forked syncing plugins for user %s, '
                                  'features old states: %s, features new states: %s',
                                  username,
                                  str(features_old_state),
                                  str(features_new_state))
                # ATTENTION!!!!! BECAUSE HERE WE ARE IN CHILD PROCESS
                sys.exit(0)
        else:
            _logger.info('Start syncing plugins for user: %s, source: %s, state: %s',
                         username,
                         str(source),
                         str(state))
            synchronize_plugins_status_for_user(username, uid, features_old_state, features_new_state)

    def _object_cache_banner(self):
        if self._opts.disable:
            disable_object_cache_banners = True
        else:
            disable_object_cache_banners = False

        if self._opts.all:
            users = cpusers()
            if not users:
                error_and_exit(
                    self._is_json,
                    {"result": _("There are no users in the control panel.")},
                )

            user_list_to_process = users
        else:
            user_list_to_process = self._opts.users.split(",")

        if os.path.exists(ADMIN_UPDATE_OBJECT_CACHE_BANNER_PID):
            error_and_exit(
                self._is_json,
                {
                    'result': _('Updating visibility of Object Cache PRO banners is already in progress.  '
                                'Process pid is stored in %(progress_marker)s.'
                                'If process with such pid does not exist - please, remove file "%(progress_marker)s" '
                                'and re-run command'),
                    'context': {'progress_marker': ADMIN_UPDATE_OBJECT_CACHE_BANNER_PID},
                }
            )

        self.run_in_background(ADMIN_UPDATE_OBJECT_CACHE_BANNER_PID, self._update_object_cache_banner_for_users,
                               user_list_to_process, disable_object_cache_banners)
        return {}

    def _update_object_cache_banner_for_users(self, usernames, disable_object_cache_banners: bool):
        if disable_object_cache_banners:
            status = '--disable'
        else:
            status = '--enable'

        for username in usernames:
            command = ['/usr/bin/clwpos-user', '--user', username, 'object-cache-banner', '--all', status]
            result = subprocess.run(command, text=True, capture_output=True, timeout=180)
            self._logger.info(result.stdout)
            self._logger.info(result.stderr)


def synchronize_plugins_status_for_user(username: str, uid: int,
                                        old_state: Dict[str, FeatureStatus],
                                        new_state: Dict[str, FeatureStatus]):
    """
    Compare old and new states of modules in admin's wpos config,
    determine what modules should be enabled and disabled
    and synchronize new state for each panel's user.
    """
    old_state = {key for key, value in old_state.items() if value.status == FeatureStatusEnum.ALLOWED}
    new_state = {key for key, value in new_state.items() if value.status == FeatureStatusEnum.ALLOWED}

    enabled_modules = new_state - old_state
    disabled_modules = old_state - new_state

    synchronize_plugins_for_user(username, uid, enabled_modules, disabled_modules)


def _extract_domain(all_domains, docroot):
    for domain_info in all_domains:
        if docroot == domain_info[1]:
            return domain_info[0]


def synchronize_plugins_for_user(username: str, uid: int, enabled_modules: Set[str], disabled_modules: Set[str]):
    """
    Iterate through user's docroots and wp_paths
    and enable/disable modules with wp-cli
    not modifying user's wpos config.
    """
    user_domains = userdomains(username)
    # TODO: [pain point] look all places (xray/ssa/accelerate-wp) which use drop_privileges + writing something
    # create unified contextmanager for bypassing quota as well
    # https://cloudlinux.atlassian.net/browse/CLPRO-864
    with drop_privileges(username), disable_quota():
        user_config = UserConfig(username=username)
        for doc_root, wp_path, module in user_config.enabled_modules():
            domain = _extract_domain(user_domains,
                                     os.path.join(pwd.getpwnam(username).pw_dir, doc_root))
            if module in enabled_modules:
                enable_without_config_affecting(
                    DocRootPath(doc_root),
                    wp_path,
                    module=module,
                    domain=domain
                )
            if module in disabled_modules:
                disable_without_config_affecting(
                    DocRootPath(doc_root),
                    wp_path,
                    module=module,
                    domain=domain
                )

    # we don't hardcode object cache here in case we will
    # add some other modules that will require redis running
    modules_that_require_redis = [
        str(module) for module in ALL_OPTIMIZATION_FEATURES
        if module.redis_daemon_required()
    ]
    # reload redis only if we need
    if not user_config.is_default_config() \
            and set(modules_that_require_redis) & (enabled_modules | disabled_modules):
        try:
            # Reload redis for user
            reload_redis(uid)
        except WposError as e:
            _logger.exception("CL AccelerateWP daemon error: '%s'; details: '%s'; context: '%s'", e.message, e.details, e.context)
        except Exception as e:
            _logger.exception(e)


def _enabled_modules(username: str) -> Iterator[Tuple[str, str, str]]:
    return UserConfig(username=username).enabled_modules()

Zerion Mini Shell 1.0