2018-04-13 23:55:34 +00:00
#!/usr/bin/perl
#
# This program sets/changes passwords on the Anvil! platform (nodes and dashboards).
#
# Exit codes;
# 0 = Normal exit.
# 1 = The program is not running as root.
# 2 = Failed to connect to database(s).
2018-04-23 02:16:10 +00:00
# 3 = User didn't enter a password or the passwords didn't match.
# 4 = The password file doesn't exist, wasn't readable or was empty.
2018-04-13 23:55:34 +00:00
#
use strict;
use warnings;
use Data::Dumper;
use Anvil::Tools;
my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0];
my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0];
if (($running_directory =~ /^\./) && ($ENV{PWD}))
{
$running_directory =~ s/^\./$ENV{PWD}/;
}
# Turn off buffering so that the pinwheel will display while waiting for the SSH call(s) to complete.
$| = 1;
# Prevent a discrepency between UID/GID and EUID/EGID from throwing an error.
$< = $>;
$( = $);
2019-01-18 08:19:36 +00:00
my $anvil = Anvil::Tools->new();
2018-04-13 23:55:34 +00:00
# Make sure we're running as 'root'
# $< == real UID, $> == effective UID
if (($< != 0) && ($> != 0))
{
# Not root
print $anvil->Words->string({key => "error_0005"})."\n";
2020-06-24 04:39:56 +00:00
$anvil->nice_exit({exit_code => 1});
2018-04-13 23:55:34 +00:00
}
2022-08-02 23:09:57 +00:00
$anvil->Get->switches({list => ["anvil", "new-password", "password-file", "y", "yes"], man => $THIS_FILE});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => $anvil->data->{switches}});
2021-02-08 18:39:34 +00:00
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});
2018-04-13 23:55:34 +00:00
# Connect
* Fixed a bug where setting the debug level to 3 caused a deep recursion and a system hang.
* Update Anvil::Tools->new() to access the parameters 'log_level', 'log_secure' and 'debug', streamlining the frequent calls to $anvil->Log->level and ->secure in program startup, and allowing the values to take effect during the ->new constructor.
* Passed 'debug' to child method calls in more places (still more to do though).
* Fixed a bug where 'test_table' wasn't set in the right place, causing the database to try to initialize repeatedly.
* Made Database->archive_database only run if called with root access.
* Now the number of database connections are stored in 'sys::db_connections' instead of checking the returned number, and that is cleared on disconnect.
* Started working more on 'anvil-daemon', including adding support for System->call being taking 'background', 'stderr_file' and 'stdout_file' paramters which, when set, used Proc::Simple to background the process.
* Did some more work on database archiving, though still far from done.
Signed-off-by: Digimer <digimer@alteeve.ca>
2018-08-01 06:06:16 +00:00
$anvil->Database->connect();
2018-08-14 07:45:36 +00:00
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0132"});
2018-08-15 20:57:57 +00:00
if (not $anvil->data->{sys}{database}{connections})
2018-04-13 23:55:34 +00:00
{
# No databases, exit.
2018-05-10 05:41:45 +00:00
print $anvil->Words->string({key => "error_0003"})."\n";
2018-04-13 23:55:34 +00:00
$anvil->nice_exit({exit_code => 2});
}
2018-04-23 02:16:10 +00:00
# The order that we pick up the new password is;
# 1. If we've been told of a password file, read it
# 2. If the user passed the password with --new-password <secret>, use that.
# 3. Ask the user for the new password.
2018-04-26 16:41:03 +00:00
if ($anvil->data->{switches}{'password-file'})
2018-04-23 02:16:10 +00:00
{
# Read the password in from the file.
2018-04-26 16:41:03 +00:00
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { "switches::password-file" => $anvil->data->{switches}{'password-file'} }});
if (-e $anvil->data->{switches}{'password-file'})
2018-04-23 02:16:10 +00:00
{
2018-04-26 16:41:03 +00:00
# Read it in and remove the new-line(s), if it(they) exist.
$anvil->data->{switches}{'new-password'} = $anvil->Storage->read_file({file => $anvil->data->{switches}{'password-file'}});
$anvil->data->{switches}{'new-password'} =~ s/\n//gs;
2018-04-23 02:16:10 +00:00
}
else
{
# The file doesn't exist.
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "error_0008", variables => { file => $anvil->data->{switches}{'password-file'} }})."\n";
2018-04-23 02:16:10 +00:00
$anvil->nice_exit({exit_code => 4});
}
}
elsif (not $anvil->data->{switches}{'new-password'})
{
print $anvil->Words->string({key => "message_0018"})."\n";
# Turn off echo
2018-04-26 16:41:03 +00:00
$anvil->System->stty_echo({set => "off"});
2018-04-23 02:16:10 +00:00
my $password1 = <STDIN>;
chomp($password1);
$password1 =~ s/^\s+//;
$password1 =~ s/\s+$//;
# Turn echo on
2018-04-26 16:41:03 +00:00
$anvil->System->stty_echo({set => "on"});
2018-04-23 02:16:10 +00:00
if (not $password1)
{
print $anvil->Words->string({key => "error_0006"})."\n";
2020-06-24 04:39:56 +00:00
$anvil->nice_exit({exit_code => 3});
2018-04-23 02:16:10 +00:00
}
print $anvil->Words->string({key => "message_0019"})."\n";
# Turn off echo
2018-04-26 16:41:03 +00:00
$anvil->System->stty_echo({set => "off"});
2018-04-23 02:16:10 +00:00
my $password2 = <STDIN>;
chomp($password2);
$password2 =~ s/^\s+//;
$password2 =~ s/\s+$//;
# Turn echo on
2018-04-26 16:41:03 +00:00
$anvil->System->stty_echo({set => "on"});
2018-04-23 02:16:10 +00:00
if ($password1 eq $password2)
{
$anvil->data->{switches}{'new-password'} = $password1;
2018-04-26 16:41:03 +00:00
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }});
2018-04-23 02:16:10 +00:00
}
else
{
print $anvil->Words->string({key => "error_0007"})."\n";
2020-06-24 04:39:56 +00:00
$anvil->nice_exit({exit_code => 3});
2018-04-23 02:16:10 +00:00
}
}
2018-04-13 23:55:34 +00:00
### TODO: Check for access to all known Anvil! nodes and warn the user that they will have to manually update
### the password for us on any node we can't access
### NOTE: 'anvil' can be a name or UUID
# If we're called without an '--anvil' switch, then change the local password only.
if ($anvil->data->{switches}{anvil})
{
# Find the Anvil! and verify access to both nodes. If neither are accessible, abort.
}
else
{
### TODO: Support '--peers' to also update the peer dashboards.
# Updating just ourself
2018-04-26 16:41:03 +00:00
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }});
if (($anvil->data->{switches}{y}) or ($anvil->data->{switches}{yes}))
2018-04-23 02:16:10 +00:00
{
2018-04-26 16:41:03 +00:00
print $anvil->Words->string({key => "message_0023"})."\n";
2018-04-23 02:16:10 +00:00
update_local_passwords($anvil);
}
else
{
2018-04-26 16:41:03 +00:00
print $anvil->Words->string({key => "message_0020"})."\n";
print $anvil->Words->string({key => "message_0021"})." ";
my $answer = <STDIN>;
chomp($answer);
if ($answer =~ /^y/)
{
update_local_passwords($anvil);
}
else
{
# Abort.
print $anvil->Words->string({key => "message_0022"})."\n";
}
2018-04-23 02:16:10 +00:00
}
2018-04-13 23:55:34 +00:00
}
2020-06-24 04:39:56 +00:00
$anvil->nice_exit({exit_code => 0});
2018-04-13 23:55:34 +00:00
#############################################################################################################
# Functions #
#############################################################################################################
# This updates the local passwords.
sub update_local_passwords
{
my ($anvil) = @_;
2018-05-22 02:02:45 +00:00
# Update the 'admin' user password in the database.
my $user = "admin";
print $anvil->Words->string({key => "message_0024", variables => { user => $user }});
my $user_uuid = $anvil->Database->insert_or_update_users({
debug => 2,
user_name => $user,
user_password_hash => $anvil->data->{switches}{'new-password'},
user_is_admin => 1,
user_is_experienced => 1,
user_is_trusted => 1,
});
2018-09-17 19:34:43 +00:00
# Log out any Striker sessions.
2018-09-21 17:49:28 +00:00
$anvil->Account->logout({host_uuid => "all"});
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0025"})."\n";
2018-05-21 07:11:47 +00:00
2018-05-22 02:02:45 +00:00
# Validate
my $valid = $anvil->Account->validate_password({
debug => 2,
user => $user,
password => $anvil->data->{switches}{'new-password'},
});
### NOTE: We directly connect to the local 'template1' database as
# Update the database passwords
2018-05-21 07:11:47 +00:00
my $host_uuid = $anvil->data->{sys}{host_uuid};
my $old_password = $anvil->data->{database}{$host_uuid}{password};
my $dbh = DBI->connect("DBI:Pg:dbname=template1;host=localhost;port=5432", "postgres", $old_password, {
RaiseError => 1,
AutoCommit => 1,
pg_enable_utf8 => 1
});
my $query = "SELECT a.datname, b.usename FROM pg_catalog.pg_database a, pg_catalog.pg_user b WHERE a.datdba = b.usesysid AND a.datistemplate IS NOT TRUE AND a.datname != 'postgres'";
my $DBreq = $dbh->prepare($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0075", variables => {
query => $query,
server => "localhost",
db_error => $DBI::errstr,
}});
# Execute on the query
$DBreq->execute() or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0076", variables => {
query => $query,
server => "localhost",
db_error => $DBI::errstr,
}});
# Return the array
my $results = $DBreq->fetchall_arrayref();
my $database_name = $results->[0]->[0];
my $owner_name = $results->[0]->[1];
foreach my $user ("postgres", $owner_name)
{
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0026", variables => { user => $user }});
2018-05-21 07:11:47 +00:00
my $query = "ALTER ROLE ".$user." WITH PASSWORD ".$dbh->quote($anvil->data->{switches}{'new-password'});
$dbh->do($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0090", variables => {
2019-09-09 02:54:47 +00:00
query => $anvil->Log->is_secure($query),
2018-05-21 07:11:47 +00:00
server => "localhost",
db_error => $DBI::errstr,
}});
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0025"})."\n";
2018-05-21 07:11:47 +00:00
}
# Update our database password in anvil.conf
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0027", variables => { file => $anvil->data->{switches}{'new-password'} }});
2018-05-21 07:11:47 +00:00
$anvil->Storage->update_config({
debug => 2,
secure => 1,
variable => "database::${host_uuid}::password",
value => $anvil->data->{switches}{'new-password'},
});
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0025"})."\n";
2018-05-21 07:11:47 +00:00
### TODO: Loop through any other dashboards and nodes we know about and call the above with 'target'
### (and password, port and remote_user) set.
2018-04-13 23:55:34 +00:00
# Update the local users.
2018-04-23 02:16:10 +00:00
foreach my $user ("admin", "root")
{
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0028", variables => { user => $user }});
2018-05-21 07:11:47 +00:00
$anvil->System->change_shell_user_password({debug => 2, user => $user, new_password => $anvil->data->{switches}{'new-password'}});
2018-05-22 02:02:45 +00:00
print $anvil->Words->string({key => "message_0025"})."\n";
2018-04-23 02:16:10 +00:00
}
2018-05-10 05:41:45 +00:00
2018-05-22 02:02:45 +00:00
# All done!
print $anvil->Words->string({key => "message_0029"})."\n";
2018-04-13 23:55:34 +00:00
return(0);
}