Add delete user fuctionality, increase verbosity and general refactoring

README.md

@@ -17,63 +17,96 @@ This role expect several requirements.
 2. the python packages imported in `walle.py` and `galaxy_jwd.py` must be present
 3. Following environment vars must be set:
     - `GALAXY_CONFIG_FILE`: Path to the galaxy.yml file
-    - `GALAXY_LOG_DIR`: Path to the Galaxy log directory
     - `PGDATABASE`: Name of the Galaxy database
     - `PGUSER`: Galaxy database user
     - `PGHOST`: Galaxy database host
     - `PGPASSFILE`: path to Postgres' `.pgpass` file (defaults to `/home/<walle_user_name>/.pgpass`)
-    - `GALAXY_PULSAR_APP_CONF`: 
+    - `GALAXY_PULSAR_APP_CONF`: [Galaxy's Pulsar configuration file](https://github.com/galaxyproject/pulsar/blob/master/app.yml.sample) (for the staging directory)[^1]
+4. These environment vars must be set when using `--delete-user` mode
+    - `GALAXY_BASE_URL`: Instance hostname including scheme (https://examplegalaxy.org)
+    - `GALAXY_API_KEY`: Galaxy API key with admin privileges\
+    Optional, for default values see the constants in `walle.py`:
+    - `WALLE_USER_DELETION_MESSAGE`: Message that tells the user why their account is deleted.
+    - `WALLE_USER_DELETION_SUBJECT`: The message's subject line.
+
+[^1]: You should always run 'dangerous' jobs in embedded Pulsar.
 ## Ansible
-For ansible details consult `defaults/main.yml`, it should be pretty much self-explanatory.  
+For ansible details consult `defaults/main.yml`, it should be pretty much self-explanatory.
 
 ## Usage
 From the tools help command:
 ~~~
-usage: Wall·E [-h] [--chunksize CHUNKSIZE] [--min-size MIN_SIZE_MB] [--max-size MAX_SIZE_MB] [--since SINCE] [--tool TOOL] [-v] [-i]
+usage: WALL·E [-h] [--chunksize CHUNKSIZE] [--min-size MIN_SIZE_MB] [--max-size MAX_SIZE_MB] [--since SINCE] [--tool TOOL] [-v] [-i] [--delete-user MIN_SEVERITY]
+
+            Galaxy's Static Malware Scanner
+
+            DESCRIPTION
+            Loads a yaml malware library with CRC32 and SHA1 hashes
+            from the environment variable "MALWARE_LIB".
+            Gets a list of running jobs from Galaxy's database,
+            optionally filtered by a '--tool <str>' substring.
+            Then iterates over the jobs, scans all files in the Job Working Directory,
+            optionally filtered by size and access time,
+            for files that match both hashes and reports details to stdout.
+            If '--delete-user' flag is set it notifies and deletes the user.
+
+            REQUIREMENTS
+            galaxy_jwd.py as well as all other imported packages must be present.
+            The following environment variables (same as gxadmin's) should be set:
+                GALAXY_CONFIG_FILE: Path to the galaxy.yml file
+                PGDATABASE: Name of the Galaxy database
+                PGUSER: Galaxy database user
+                PGHOST: Galaxy database host
+                PGPASSFILE: path to .pgpass file (same as gxadmin's) in format:
+                <pg_host>:5432:*:<pg_user>:<pg_password>
 
-            Loads a yaml malware library with CRC32 and SHA1 hashes as arguments
-            from the environment variable "MALWARE_LIB",
-            searches in JWDs of currently running jobs for matching files
-            and reports jobs, users and malware details if specified.
-            Malware library file has the following schema:
+            MALWARE LIBRARY SCHEMA
+            The malware library file has the following schema:
                 class:
-                    name:
+                    program:
                         version:
                             severity: [high, medium, low]
                             description: "optional info"
                             checksums:
                                 crc32: <checksum crc32, gzip algorithm, integer representation>
                                 sha1: <checksum sha1, hex representation>
             WARNING:
+            ----------------------------------------------------------------
             Be careful with how you generate the CRC32 hashes:
             There are multiple algorithms, this script is using
             the one specified by RFC in the GZIP specification.
             You should get this when using the gzip command on POSIX systems
             and convert it to integer representation.
             e.g. with:
             gzip -1 -c /path/to/file | tail -c8 | hexdump -n4 -e '"%u"'
-
-            The following ENVs (same as gxadmin's) should be set:
-                GALAXY_CONFIG_FILE: Path to the galaxy.yml file
-                GALAXY_LOG_DIR: Path to the Galaxy log directory
-                PGDATABASE: Name of the Galaxy database
-                PGUSER: Galaxy database user
-                PGHOST: Galaxy database host
+            ----------------------------------------------------------------
 
-                PGPASSFILE: path to a ~/.pgpass file (same as gxadmin's) in format:
-                <pg_host>:5432:*:<pg_user>:<pg_password>
-
 
 optional arguments:
   -h, --help            show this help message and exit
   --chunksize CHUNKSIZE
                         Chunksize in MiB for hashing the files in JWDs, defaults to 100 MiB
   --min-size MIN_SIZE_MB
-                        Minimum filesize im MB to limit the files to scan.
+                        Minimum filesize im MB to limit the files to scan. The check will be skipped if value is 0 (default)
   --max-size MAX_SIZE_MB
-                        Maximum filesize im MB to limit the files to scan.             CAUTION: Not setting this value can lead to very long computation times
-  --since SINCE         Access time in hours backwards from now
-  --tool TOOL           A string to filter tools in the tool_id column of currently running jobs.             Use like 'grep' after the gxadmin query queue-details command.
-  -v, --verbose         Report not only the job and user ID that matched, but also Path of matched file and malware info.             If set, the scanning process will quit after the first match in a JWD to save resources.
-  -i, --interactive     Show progress bar. Leave unset for cleaner logs and slightly higher performance
+                        Maximum filesize im MB to limit the files to scan.
+                         CAUTION: Not setting this value can lead to very long computation times.
+                         The check will be skipped if value is 0 (default)
+  --since SINCE         Access time in hours backwards from now, default=0 (skip check)
+  --tool TOOL           A string to filter tools in the tool_id column of currently running jobs.
+                         Use like 'grep' after the gxadmin query queue-details command.
+  -v, --verbose         Report details for every match.
+  -i, --interactive     Show table header.
+  --delete-user MIN_SEVERITY
+                        Delete user when the found malware's severity level is equal or higher than this value.
+                         Possible values are 'LOW', 'MEDIUM' or 'HIGH'.
+                         This feature requires Galaxy's notification framework to be enabled.
+                         Make sure that you know the consequences on your instance, especially regarding GDPR and
+                         what happens when a user is set to deleted (e.g. when a user is purged automatically after deletion).
+                         Following additional environment variables are expected:
+                         GALAXY_BASE_URL: Instance hostname including scheme (https://examplegalaxy.org)
+                         GALAXY_API_KEY: Galaxy API key with admin privileges
+                         Optional, for default see documentation:
+                         WALLE_USER_DELETION_MESSAGE: Message that tells the user why their account is deleted.
+                         WALLE_USER_DELETION_SUBJECT: The message's subject line.
 ~~~

defaults/main.yml

@@ -12,10 +12,40 @@ walle_log_dir: /var/log/walle
 walle_script_location: /usr/local/bin/walle.py
 
 # Script args
-walle_filesize_min: 1
+walle_filesize_min: 0
 walle_filesize_max: 10
 walle_since_hours: 24
-#walle_tool: <string to filter tool ids in database job table>
+walle_envs_database:
+  - key: MALWARE_LIB
+    value: "{{ walle_malware_database_location }}/{{ walle_database_file }}"
+  - key: PGPASSFILE
+    value: "{{ walle_pgpass_file }}"
+  - key: PGHOST
+    value: 127.0.0.1
+  - key: PGUSER
+    value: galaxy
+  - key: PGDATABASE
+    value: galaxy
+  - key: GALAXY_CONFIG_FILE
+    value: "{{ galaxy_config_dir }}/galaxy.yml"
+  - key: GALAXY_PULSAR_APP_CONF
+    value: "{{ galaxy_config_dir }}/pulsar_app.yml"
+
+# delete users when malware was found and malware severity reached walle_delete_threshold
+walle_delete_users: false
+walle_delete_threshold: medium
+walle_envs_user_deletion:
+  - key: GALAXY_API_KEY
+    value: "{{ walle_api_key }}"
+  - key: GALAXY_BASE_URL
+    value: "{{ walle_galaxy_url }}"
+#  - key: GALAXY_USER_DELETION_MESSAGE
+#    value: "Your personalized message"
+#  - key: GALAXY_USER_DELETION_SUBJECT
+#    value: "Your personalized subject line"
+# walle_api_key: #admin api key to delete users, goes to VAULT
+# walle_galaxy_url: #galaxy_hostname, no leading slash
+# walle_tool: <string to filter tool ids in database job table>
 walle_verbose: false
 
 # Cron

tasks/main.yml

@@ -28,11 +28,17 @@
 - name: Add env variable for database (WallE)
   ansible.builtin.lineinfile:
     path: "{{ walle_bashrc }}"
-    line: "{{ item }}"
-  with_items:
-    - 'export MALWARE_LIB="{{ walle_malware_database_location }}/{{ walle_database_file }}"'
-    - 'export PGPASSFILE="{{ walle_pgpass_file }}"'
+    regexp: "^export {{ item.key }}="
+    line: 'export {{ item.key }}="{{ item.value }}"'
+  with_items: "{{ walle_envs_database }}"
 
+- name: Add env variables for user deletion (WallE)
+  ansible.builtin.lineinfile:
+    path: "{{ walle_bashrc }}"
+    regexp: "^export {{ item.key }}="
+    line: 'export {{ item.key }}="{{ item.value }}"'
+  with_items: "{{ walle_envs_user_deletion }}"
+  when: walle_delete_users
 
 - name: Create logfile (WallE)
   ansible.builtin.file:
@@ -79,4 +85,6 @@
       {% if walle_filesize_max %} --max-size {{ walle_filesize_max }} {% endif %}
       {% if walle_since_hours %} --since {{ walle_since_hours }} {% endif %}
       {% if walle_verbose %} -v {% endif %}
+      {% if walle_delete_users %} --delete-user {{ walle_delete_threshold }}
+      {% endif %}
       >> {{ walle_log_dir }}/walle.log 2>&1