#!/usr/bin/perl # # This removes a bad key from a # # This program is setuid 'admin' and calls a (new) peer to read its host name and system UUID. It takes the # target's password in via a file. # # Exit codes; # 0 = Normal exit. # 1 = No database connection. # 2 = Job not found. # 3 = No offending keys found. # # TODO: Record the keys we remove, then check for the same keys on any other machine we know about. If any # are found on those machines, create a job for that host to remove the same. # Also, look in the 'ip_addresses' table for any matching keys and delete them. # use strict; use warnings; use Anvil::Tools; my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0]; my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0]; if (($running_directory =~ /^\./) && ($ENV{PWD})) { $running_directory =~ s/^\./$ENV{PWD}/; } # Turn off buffering so that the pinwheel will display while waiting for the SSH call(s) to complete. $| = 1; my $anvil = Anvil::Tools->new(); $anvil->Log->level({set => 2}); $anvil->Log->secure({set => 1}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }}); # Read switches (target ([user@]host[:port]) and the file with the target's password. If the password is # passed directly, it will be used. Otherwise, the password will be read from the database. $anvil->Get->switches; $anvil->Database->connect(); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0132"}); if (not $anvil->data->{sys}{database}{connections}) { # No databases, update the job, sleep for a bit and then exit. The daemon will pick it up and try # again after we exit. $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0077"}); sleep 10; $anvil->nice_exit({exit_code => 1}); } # Pick up the job details $anvil->data->{switches}{'job-uuid'} = ""; $anvil->Get->switches; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 'switches::job-uuid' => $anvil->data->{switches}{'job-uuid'}, }}); # Load data. load_job_data($anvil); # Process the bad keys process_keys($anvil); # Done. update_progress($anvil, 100, "job_0051"); $anvil->nice_exit({exit_code => 0}); ############################################################################################################# # Functions # ############################################################################################################# sub process_keys { my ($anvil) = @_; foreach my $state_uuid (@{$anvil->data->{state_uuids}}) { $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { state_uuid => $state_uuid }}); my $query = " SELECT state_host_uuid, state_name, state_note FROM states WHERE state_uuid = ".$anvil->Database->quote($state_uuid)." ;"; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { query => $query }}); my $results = $anvil->Database->query({query => $query, source => $THIS_FILE, line => __LINE__}); my $count = @{$results}; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { results => $results, count => $count, }}); if (not $count) { # No bad keys found on this host. $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0078"}); sleep 10; $anvil->nice_exit({exit_code => 2}); } foreach my $row (@{$results}) { my $state_host_uuid = $row->[0]; my $state_name = $row->[1]; my $state_note = $row->[2]; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 's1:sys::host_uuid' => $anvil->data->{sys}{host_uuid}, 's2:state_host_uuid' => $state_host_uuid, 's3:state_name' => $state_name, 's4:state_note' => $state_note, }}); # Is this meant for us? if ($state_host_uuid ne $anvil->data->{sys}{host_uuid}) { # Um... $anvil->data->{job}{progress} += 10; update_progress($anvil, $anvil->data->{job}{progress}, "job_0058,!!state_uuid!".$state_uuid."!!,!!host_uuid!".$state_host_uuid."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0058", variables => { state_uuid => $state_uuid, host_uuid => $state_host_uuid, }}); next; } ### NOTE: We don't need the file or line anymore, but we're not removing it as having ### a record of the trigger might be useful someday. # Pull out the details. my $bad_file = ""; my $bad_line = ""; foreach my $pair (split/,/, $state_note) { my ($variable, $value) = ($pair =~ /^(.*?)=(.*)$/); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { pair => $pair, variable => $variable, value => $value, }}); if ($variable eq "file") { $bad_file = $value; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_file => $bad_file }}); } if ($variable eq "line") { $bad_line = $value; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_line => $bad_line }}); } } my ($target) = ($state_name =~ /host_key_changed::(.*)$/); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { target => $target, bad_file => $bad_file, bad_line => $bad_line, }}); # Read in the specified bad file, then find any other files that might have matching bad keys. process_file($anvil, "/root/.ssh/known_hosts", $target); # Walk through any other users. my $directory = "/home"; local(*DIRECTORY); opendir(DIRECTORY, $directory); while(my $file = readdir(DIRECTORY)) { next if $file eq "."; next if $file eq ".."; my $full_path = $directory."/".$file; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { file => $file, full_path => $full_path, }}); # If we're looking at a directory, scan it. Otherwise, see if it's an executable and that it # starts with 'scan-*'. if (-d $full_path) { # Check for a known_hosts file. my $known_hosts = $full_path."/.ssh/known_hosts"; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { known_hosts => $known_hosts }}); if (-e $known_hosts) { process_file($anvil, $known_hosts, $target); } } } closedir(DIRECTORY); delete_state($anvil, $state_uuid); } } return(0); } # Look through the file for bad keys. sub process_file { my ($anvil, $file, $target) = @_; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { file => $file, target => $target, }}); $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0049,!!file!".$file."!!,!!target!".$target."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0049", variables => { file => $file, target => $target, }}); # Read in the file, if it exists. if (not -e $file) { # File doesn't actually exist, wtf? $anvil->data->{job}{progress} += 10; update_progress($anvil, $anvil->data->{job}{progress}, "job_0050,!!file!".$file."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0050", variables => { file => $file }}); return(1); } # Read in the file my ($old_body) = $anvil->Storage->read_file({file => $file}); if ($old_body eq "!!error!!") { # Failed to read the file $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0052,!!file!".$file."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0052", variables => { file => $file }}); return(1); } # Find our key(s) my $line_number = 0; my $new_body = ""; my $update = 0; foreach my $line (split/\n/, $old_body) { $line_number++; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 's1:line_number' => $line_number, 's2:line' => $line, }}); # If the line starts with our target, remove it. if ($line =~ /^$target /) { # Found it! $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0053,!!line!".$line_number."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0053", variables => { line => $line_number }}); $update = 1; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { update => $update }}); } else { $new_body .= $line."\n"; } } $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 's1:old_body' => $old_body, 's2:new_body' => $new_body, 's3:update' => $update, }}); if ($update) { # Write the file out. $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0055,!!file!".$file."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0055", variables => { file => $file }}); # Get the owning user and group. my ($owning_uid, $owning_gid) = (stat($file))[4,5]; my $owning_user = getpwuid($owning_uid); my $owning_group = getpwuid($owning_gid); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { owning_uid => $owning_uid, owning_gid => $owning_gid, owning_user => $owning_user, owning_group => $owning_group, }}); my $error = $anvil->Storage->write_file({ body => $new_body, debug => 3, file => $file, overwrite => 1, user => $owning_user, group => $owning_group }); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { error => $error }}); if ($error) { $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0059,!!file!".$file."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0059", variables => { file => $file }}); } else { # Success! $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0060,!!file!".$file."!!"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0060", variables => { file => $file }}); } } return(0); } # Load the job data or exit sub load_job_data { my ($anvil) = @_; if (not $anvil->data->{switches}{'job-uuid'}) { $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0080"}); $anvil->nice_exit({exit_code => 1}); } my $query = "SELECT job_data FROM jobs WHERE job_uuid = ".$anvil->Database->quote($anvil->data->{switches}{'job-uuid'}).";"; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { query => $query }}); my $results = $anvil->Database->query({query => $query, source => $THIS_FILE, line => __LINE__}); my $count = @{$results}; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { results => $results, count => $count, }}); if (not $count) { $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0079", variables => { job_uuid => $anvil->data->{switches}{'job-uuid'}, }}); $anvil->nice_exit({exit_code => 1}); } # Pick up the data. my $job_data = $results->[0]->[0]; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { job_data => $job_data }}); if (not $job_data) { $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0081", variables => { job_uuid => $anvil->data->{switches}{'job-uuid'}, }}); $anvil->nice_exit({exit_code => 1}); } # Pick up the job. $anvil->data->{job}{progress} = 0; update_progress($anvil, 0, "clear"); $anvil->data->{job}{progress} += 5; update_progress($anvil, $anvil->data->{job}{progress}, "job_0048"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0048"}); # Break the job up. $anvil->data->{state_uuids} = []; foreach my $state_uuid (split/,/, $job_data) { $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { state_uuid => $state_uuid }}); if ($anvil->Validate->is_uuid({uuid => $state_uuid})) { push @{$anvil->data->{state_uuids}}, $state_uuid; } else { # Invalid, skip it. $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0082", variables => { state_uuid => $state_uuid, }}); } } my $uuid_count = @{$anvil->data->{state_uuids}}; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { uuid_count => $uuid_count }}); # Did I find any actual UUIDs? if (not $uuid_count) { # Nope. update_progress($anvil, 100, "error_0083"); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "error_0083"}); } return(0); } # This deletes a state entry. sub delete_state { my ($anvil, $state_uuid) = @_; # Delete it so long as we have a UUID. if ($state_uuid) { my $query = "DELETE FROM states WHERE state_uuid = ".$anvil->Database->quote($state_uuid).";"; $anvil->Database->write({debug => 3, query => $query, source => $THIS_FILE, line => __LINE__}); } return(0); } # This updates the progress if we were called with a job UUID. sub update_progress { my ($anvil, $progress, $message) = @_; $progress = 95 if $progress > 100; # Log the progress percentage. $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { progress => $progress, message => $message, }}); $anvil->Job->update_progress({ debug => 3, progress => $progress, message => $message, job_uuid => $anvil->data->{switches}{'job-uuid'}, }); return(0); }