Permission Model + Image Builder (#2325)

* implemented a file system permission cleaner and hooked it up in each web api function to enforce it

* auto infer group name from path

* modify ssh

* fix to test on gamma

* Implement SSH key management and Unix user/group system

- Add SshKey model with validation and fingerprinting
- Implement UnixGroupManager service for user/group management
- Create Unix users/groups automatically on course/staff creation
- Add SSH key provisioning to authorized_keys
- Implement FilesystemEnforcer with group-based permissions
- Add SSH key management UI (restricted to staff/instructors)
- Fix require paths for services in controllers
- Add services directory to autoload paths
- Create bootstrap script for existing courses
- Add host system user setup scripts
- Support BusyBox useradd (use -p '*' instead of --disabled-password)
- Add comprehensive setup and testing scripts

* testing

* add a new daemon container

* fix bugs

* fix bugs ++

* add hint for ssh key creation

* add symlink

* testing ec2, add support on autolab side

* Filesystem mapping + EC2 autograder changes

* fix group

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* add support for EC2 settings in Autolab

* fix issue with autograder initialization

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* fix groupa

* editing ssh commands

* added service user to classes

* attempt to fix course permissions

* unix file system scanner

* install assessment

* Revert "install assessment"

This reverts commit 224f4ee.

* Revert "unix file system scanner"

This reverts commit 73326f8.

* Revert "attempt to fix course permissions"

This reverts commit 18d9fa4.

* make user9999 always an instructor

* test adding user9999 to all groups

* remove integration bundle

* fix user groups

* remove check of local membership

* fix script to have both local and group

* tranfer ownership script

* CAs should not be able to ssh

* Add clarification about course unix group inclusions.

* modify ssh commands

* add provision and deprovision of keys

* prevent group add error

* fix typo in ssh commands

* fixed ca and instructor ssh perms

* sponsors and contact us page

* try to add both app and user9999

* list dir to unix ops

* fix unix ops delegation

* change delegate parsing

* mkdir over to unixops

* formatting

* should delegate during perm error

* restrict dump yaml

* yaml read file delegate to unix ops

* is file delagated to unix ops

* dump yaml to delegate

* conversion of pathname

* load config to delegate

* guard against empty file read from delegate

* try reload config file with fallback

* handin directory exists delegate

* bulk email and delegation of read writeup

* delegate submission to unix ops

* unable to read files and submit files

* Submission unviewable

* check if use_access_key exists

* basic controller done, before tango integration

* test modified symlink

* try test modified symlink fix

* update permissions when ssh key changes/user role changes

* add cleanup step for symlinks

* try fix symlink

* add log statement to debug

* modify unix_ops_daemon

* test file transfer change

* undo prev changes

* try new change

* revert changes

* test new change

* try new fix

* try new fix

* try new fix

* fix circular dependency

* try to fix for all except admin

* remove user's directory once it has no courses

* handle cleanup for deleted users

* reverse unix group deletion

* change symbolic link ownership

* try to fix cd update issue

* try to fix cd update issue

* fix circular looping

* try to fix circular looping

* fix file access

* undo file access changes

* creating container image works

* table UI almost done

* refresh status implemented

* make rails DB source of truth

* refresh all status when reloading the page/ added refresh all button

* access key

* attempt to fix file perms

* instance type guards

* fixed migrations

* logs get updated

* format error

* create parents if it does not exist

* course creation delegate

* rb sys delegate

* list dir paths to delegate

* fallback to list_dir for path exists

* fix for view submission

* fix view for submissions controller

* delegate reading to unix

* more archive read paths to be delagted

* fix file manager

* delete feedback and path access fallbacks

* delegate delete and move to unix ops

* add delete and move path to unix ops

* only show ssh part if instructor

* try modifying users list breadcrumb

* modify "Users List" view to look the same as when it has a link

* modify symlinks to handle admin properly

* can view log now

* additional details for uploading job

* fallback for tango upload

* allow for non empty feedback without autograder

* autograding works with ec2docker now!

* manage autograder images on manage course

* debugging for autograding feedback

* delegated write of feedback to unix ops

* view feedback delegate

* add description clarification

* more unix ops delegation and documentation

* fix autograder upload errors

* debugging for saving autograder

* autograder length increased

* delegate list assessment dirs

* upload uses delegate

* disallow duplicate keys across all users

* distinguish between duplicates for current user and copies from other users

* Filter out non-ready container images in autograder settings and add … (#2322)

Filter out non-ready container images in autograder settings and add dockerfile_contents column

* remove ssh access for user once account deleted (keep unix account on system)

* revert change

* added admin container images controller + routes

* add logic to wipe ssh access once account deleted

* added template for managing images

* added template for viewing build log

* added template for new image page

* try to prevent unix account creation for tas

* created admin pages

* new image form works now

* can manage images with correct permissions now

* public images have unique names

* add public_template_id to container_images

* can select public templates now

* admin controller names don't overlap anymore

* admin controller names don't overlap anymore, routes

* passes base docker image tag and uri to tango

* building image works without public template now

* authorized false by default

* only show container images that belong to the course

* gemfile dockerfile update

* added button to the manage public templates page

* Fixed polling issue with ECR builder (#2323)

* export delegate

* order images in newly created order

* add unique unix_user column to users table

* fixed public_template.image_uri

* attempt to fix non-unique ssh login issue

* instructors can choose public images now

* fixed bug with join

* push unix_user database migration file

* load dir to tar to delegate

* lint fix

* course directory name

* change ruby version

* clean up lint issues

* clean up lint issues

* changed production.rb template to add ec2_docker

* added helper text to new docker image form

* increase client max body in nginx

* remove name index

* debugging for admin ssh key

* added prefix to unix group

* remove t2 nano

---------

Co-authored-by: Haoyu Yang <haoyuy@andrew.cmu.edu>
Co-authored-by: Joey Wildman <josephwildman88@gmail.com>
Co-authored-by: Kester <kestertan040@gmail.com>
Co-authored-by: Joy Song <joys@andrew.cmu.edu>
Co-authored-by: Giancarlo Umberto Ambrosino <129298577+Giabbi@users.noreply.github.com>
Co-authored-by: Ubuntu <ubuntu@ip-172-31-84-53.ec2.internal>

Author: 7 people

.ruby-version

@@ -1 +1 @@
-3.2.2
+3.2.10

Dockerfile

@@ -7,7 +7,7 @@
 #     https://github.com/phusion/passenger-docker
 #
 #
-FROM phusion/passenger-ruby32:2.6.1
+FROM phusion/passenger-ruby32:3.1.6
 
 MAINTAINER Autolab Development Team "autolab-dev@andrew.cmu.edu"
 

Gemfile

@@ -1,5 +1,5 @@
 source 'https://rubygems.org'
-ruby '3.2.2'
+ruby '3.2.10'
 
 gem 'rails', '=6.1.7.6'
 
@@ -179,4 +179,4 @@ gem 'uri', '0.10.3'
 gem 'friendly_id', '~> 5.5.0'
 
 # to sanitize CSV files
-gem 'csv-safe'
+gem 'csv-safe'

Gemfile.lock

@@ -548,7 +548,7 @@ DEPENDENCIES
   yard
 
 RUBY VERSION
-   ruby 3.2.2p53
+   ruby 3.2.10p266
 
 BUNDLED WITH
    2.5.3

README.md

@@ -113,7 +113,6 @@ Autolab is released under the [Apache License 2.0](http://opensource.org/license
 
 Please feel free to use Autolab at your school/organization. If you run into any problems, you can reach the core developers at `autolab-dev@andrew.cmu.edu` and we would be happy to help. On a case-by-case basis, we also provide servers for free. (Especially if you are an NGO or small high-school classroom)
 
-
 ## Changelog
 
 ### [v3.0.0](https://github.com/autolab/Autolab/releases/tag/v3.0.0) (2024/07/24) UI-based deployment configuration, Simple File Manager, Export / Import Course, Tango, Grading Improvements

app/assets/javascripts/file_manager.js

@@ -5,7 +5,7 @@ function rename(path) {
         $.ajax({
             url: "/file_manager/" + rel_path,
             type: "PUT",
-            data: { new_name: new_name, relative_path: rel_path},
+            data: { new_name: new_name, relative_path: rel_path },
             success: function(data) {
                 console.log(`Renamed: ${rel_path}`)
                 location.reload();
@@ -19,12 +19,21 @@ function deleteSelected(path) {
         $.ajax({
             url: path,
             type: "DELETE",
-            success: function () {
+            dataType: "json",
+            headers: {
+                "Accept": "application/json"
+            },
+            success: function(response) {
+                if (response && response.success === false) {
+                    reject(response.error || "Delete failed");
+                    return;
+                }
                 console.log(`Deleted: ${path}`);
                 resolve();
             },
-            error: function (xhr, status, error) {
-                reject(error);
+            error: function(xhr, status, error) {
+                const message = (xhr && xhr.responseJSON && xhr.responseJSON.error) ? xhr.responseJSON.error : error;
+                reject(message);
             }
         });
     })
@@ -38,7 +47,7 @@ function downloadSelected(path) {
             data: {
                 path: path
             },
-            success: function (data) {
+            success: function(data) {
                 let blob = new Blob([data], { type: 'application/x-tar' });
                 let url = URL.createObjectURL(blob);
                 let a = document.createElement('a');
@@ -53,7 +62,7 @@ function downloadSelected(path) {
                 console.log(`Downloaded: ${data.filename}`);
                 resolve();
             },
-            error: function (xhr, status, error) {
+            error: function(xhr, status, error) {
                 console.error(`Failed to download ${path}: ${error}`);
                 reject(error);
             }
@@ -76,11 +85,11 @@ function uploadFile(file, path, name) {
             data: formData,
             contentType: false,
             processData: false,
-            success: function () {
+            success: function() {
                 console.log("Uploaded file successfully");
                 resolve();
             },
-            error: function (xhr, status, error) {
+            error: function(xhr, status, error) {
                 console.error(`Failed to upload file: ${error}`);
                 reject(error);
             }
@@ -98,14 +107,14 @@ function uploadAllFiles(path) {
     }
     if (files.length > 0) {
         Promise.all(uploadPromises)
-        .then(() => {
-            alert("All files uploaded successfully.");
-            location.reload();
-        })
-        .catch((error) => {
-            alert("Some files failed to upload successfully. Ensure that you are not in the root directory, the file is smaller than 1 GB, and does not already exist.");
-            location.reload();
-        });
+            .then(() => {
+                alert("All files uploaded successfully.");
+                location.reload();
+            })
+            .catch((error) => {
+                alert("Some files failed to upload successfully. Ensure that you are not in the root directory, the file is smaller than 1 GB, and does not already exist.");
+                location.reload();
+            });
     } else {
         console.log('No files selected.');
     }
@@ -130,8 +139,7 @@ function createFolder(path) {
             })
             .catch((error) => {
                 alert("Failed to create folder. Check that you are not in the root directory and that the tile/folder does not already exist.");
-            })
-        ;
+            });
     }
 }
 
@@ -219,4 +227,4 @@ document.addEventListener('DOMContentLoaded', function() {
     $(".check").click(function() {
         handleSelectionChange();
     })
-});
+});

app/assets/stylesheets/_contact.scss

@@ -0,0 +1,10 @@
+.contact-page {
+    .contact-card .card-content .card-title {
+        display: flex;
+        align-items: center;
+        gap: 0.2rem;
+    }
+    .contact-card .card-content .card-title .contact-icon {
+        font-size: 1.5rem;
+    }
+}

app/assets/stylesheets/application.scss

@@ -1,6 +1,8 @@
 /* For the materialize gem documentation, check out https://github.com/mkhairi/materialize-sass */
+
 $primary-color: #dd2222 !default;
 $secondary-color: #dd2222 !default;
 @import "materialize";
 @import "bootstrap-sprockets";
-@import "bootstrap-datetimepicker";
+@import "bootstrap-datetimepicker";
+@import "contact";

app/assets/stylesheets/assessments.scss

@@ -1,21 +1,20 @@
 @import 'variables';
-
 .badge {
-  &.blue {
-    margin-left: 0 !important;
-  }
+    &.blue {
+        margin-left: 0 !important;
+    }
 }
 
 .card-title {
-  margin-bottom: 0 !important;
+    margin-bottom: 0 !important;
 }
 
 .hover p {
-  display: none;
+    display: none;
 }
 
 .collection-item:hover {
-  .hover {
-    display: block;
-  }
-}
+    .hover {
+        display: block;
+    }
+}

app/assets/stylesheets/container_images.scss

@@ -0,0 +1,139 @@
+.status-cell {
+  font-size: 18px;
+}
+
+.material-icons.status-icon {
+  font-size: 24px;
+}
+
+.center-column {
+  height: 100%;
+  border: 0;
+  outline: 0;
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  align-content: center;
+}
+
+.log-link {
+  font-size: 14px;
+  display: flex;
+  justify-content: center;
+  align-content: center;
+}
+
+.all-icon {
+  display: flex;
+  justify-content: center;
+  align-content: center;
+}
+
+.error-icon {
+  color: red;
+}
+
+.hourglass-icon {
+  color: lightgray;
+}
+
+.draft-icon {
+  color: gray;
+}
+
+.building-icon {
+  color: gray;
+}
+
+.success-icon {
+  color: limegreen;
+}
+
+.source-table {
+  margin-bottom: 36px;
+}
+
+.mr-8 {
+  margin-right: 8px;
+}
+
+.status-chip {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.35rem;
+
+  padding: 0.2rem 0.5rem;
+  border: 1px solid currentColor;
+  border-radius: 0.2rem;
+
+  font-size: 1rem;
+  font-weight: 500;
+  line-height: 1.2;
+  white-space: nowrap;
+}
+
+.status-chip__icon {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 0.8rem;
+  height: 0.8rem;
+  flex-shrink: 0;
+}
+
+.status-chip--draft {
+  color: #d9534f;
+  background-color: #fdf1f1;
+}
+
+.status-chip--building {
+  color: #21b5b0;
+  background-color: #eefbfa;
+}
+
+.status-chip--ready {
+  color: limegreen;
+  background-color: #f1fdf1;
+}
+
+.status-chip--disabled {
+  color: gray;
+  background-color: #fdfdfd;
+}
+
+.status-chip--error {
+  color: #8A0000;
+  background-color: #f8f1f1;
+}
+
+.tooltip {
+  position: relative;
+  display: inline-block;
+  cursor: pointer;
+}
+
+.tooltip-hover {
+  visibility: hidden;
+  opacity: 0;
+
+  position: absolute;
+  bottom: 125%;
+  left: 50%;
+  transform: translateX(-50%);
+
+  background-color: #333;
+  color: #fff;
+  padding: 6px 8px;
+  border-radius: 4px;
+
+  font-size: 0.75rem;
+  white-space: nowrap;
+
+  transition: opacity 0.2s;
+  z-index: 10;
+}
+
+.tooltip:hover .tooltip-hover {
+  visibility: visible;
+  opacity: 1;
+}