#!/usr/bin/perl # # This program sets/changes passwords on the Anvil! platform (nodes and dashboards). # # Exit codes; # 0 = Normal exit. # 1 = The program is not running as root. # 2 = Failed to connect to database(s). # 3 = User didn't enter a password or the passwords didn't match. # 4 = The password file doesn't exist, wasn't readable or was empty. # use strict; use warnings; use Data::Dumper; use Anvil::Tools; my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0]; my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0]; if (($running_directory =~ /^\./) && ($ENV{PWD})) { $running_directory =~ s/^\./$ENV{PWD}/; } # Turn off buffering so that the pinwheel will display while waiting for the SSH call(s) to complete. $| = 1; # Prevent a discrepency between UID/GID and EUID/EGID from throwing an error. $< = $>; $( = $); my $anvil = Anvil::Tools->new(); $anvil->Log->level({set => 2}); $anvil->Log->secure({set => 1}); # Read switches $anvil->Get->switches; # Paths $anvil->Storage->read_config({file => $anvil->data->{path}{configs}{'anvil.conf'}}); # Make sure we're running as 'root' # $< == real UID, $> == effective UID if (($< != 0) && ($> != 0)) { # Not root print $anvil->Words->string({key => "error_0005"})."\n"; $anvil->nice_exit({code => 1}); } # Connect my $connections = $anvil->Database->connect(); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0132", variables => { connections => $connections }}); if (not $connections) { # No databases, exit. print $anvil->Words->string({key => "error_0003"})."\n"; $anvil->nice_exit({exit_code => 2}); } # The order that we pick up the new password is; # 1. If we've been told of a password file, read it # 2. If the user passed the password with --new-password , use that. # 3. Ask the user for the new password. if ($anvil->data->{switches}{'password-file'}) { # Read the password in from the file. $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { "switches::password-file" => $anvil->data->{switches}{'password-file'} }}); if (-e $anvil->data->{switches}{'password-file'}) { # Read it in and remove the new-line(s), if it(they) exist. $anvil->data->{switches}{'new-password'} = $anvil->Storage->read_file({file => $anvil->data->{switches}{'password-file'}}); $anvil->data->{switches}{'new-password'} =~ s/\n//gs; } else { # The file doesn't exist. print $anvil->Words->string({key => "error_0008", variables => { file => $anvil->data->{switches}{'password-file'} }})."\n"; $anvil->nice_exit({exit_code => 4}); } } elsif (not $anvil->data->{switches}{'new-password'}) { print $anvil->Words->string({key => "message_0018"})."\n"; # Turn off echo $anvil->System->stty_echo({set => "off"}); my $password1 = ; chomp($password1); $password1 =~ s/^\s+//; $password1 =~ s/\s+$//; # Turn echo on $anvil->System->stty_echo({set => "on"}); if (not $password1) { print $anvil->Words->string({key => "error_0006"})."\n"; $anvil->nice_exit({code => 3}); } print $anvil->Words->string({key => "message_0019"})."\n"; # Turn off echo $anvil->System->stty_echo({set => "off"}); my $password2 = ; chomp($password2); $password2 =~ s/^\s+//; $password2 =~ s/\s+$//; # Turn echo on $anvil->System->stty_echo({set => "on"}); if ($password1 eq $password2) { $anvil->data->{switches}{'new-password'} = $password1; $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }}); } else { print $anvil->Words->string({key => "error_0007"})."\n"; $anvil->nice_exit({code => 3}); } } ### TODO: Check for access to all known Anvil! nodes and warn the user that they will have to manually update ### the password for us on any node we can't access ### NOTE: 'anvil' can be a name or UUID # If we're called without an '--anvil' switch, then change the local password only. if ($anvil->data->{switches}{anvil}) { # Find the Anvil! and verify access to both nodes. If neither are accessible, abort. } else { ### TODO: Support '--peers' to also update the peer dashboards. # Updating just ourself $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }}); if (($anvil->data->{switches}{y}) or ($anvil->data->{switches}{yes})) { print $anvil->Words->string({key => "message_0023"})."\n"; update_local_passwords($anvil); } else { print $anvil->Words->string({key => "message_0020"})."\n"; print $anvil->Words->string({key => "message_0021"})." "; my $answer = ; chomp($answer); if ($answer =~ /^y/) { update_local_passwords($anvil); } else { # Abort. print $anvil->Words->string({key => "message_0022"})."\n"; } } } $anvil->nice_exit({code => 0}); ############################################################################################################# # Functions # ############################################################################################################# # This updates the local passwords. sub update_local_passwords { my ($anvil) = @_; # Update the 'admin' user password in the database. my $user = "admin"; print $anvil->Words->string({key => "message_0024", variables => { user => $user }}); my $user_uuid = $anvil->Database->insert_or_update_users({ debug => 2, user_name => $user, user_password_hash => $anvil->data->{switches}{'new-password'}, user_is_admin => 1, user_is_experienced => 1, user_is_trusted => 1, }); print $anvil->Words->string({key => "message_0025"})."\n"; # Validate my $valid = $anvil->Account->validate_password({ debug => 2, user => $user, password => $anvil->data->{switches}{'new-password'}, }); ### NOTE: We directly connect to the local 'template1' database as # Update the database passwords my $host_uuid = $anvil->data->{sys}{host_uuid}; my $old_password = $anvil->data->{database}{$host_uuid}{password}; my $dbh = DBI->connect("DBI:Pg:dbname=template1;host=localhost;port=5432", "postgres", $old_password, { RaiseError => 1, AutoCommit => 1, pg_enable_utf8 => 1 }); my $query = "SELECT a.datname, b.usename FROM pg_catalog.pg_database a, pg_catalog.pg_user b WHERE a.datdba = b.usesysid AND a.datistemplate IS NOT TRUE AND a.datname != 'postgres'"; my $DBreq = $dbh->prepare($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0075", variables => { query => $query, server => "localhost", db_error => $DBI::errstr, }}); # Execute on the query $DBreq->execute() or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0076", variables => { query => $query, server => "localhost", db_error => $DBI::errstr, }}); # Return the array my $results = $DBreq->fetchall_arrayref(); my $database_name = $results->[0]->[0]; my $owner_name = $results->[0]->[1]; foreach my $user ("postgres", $owner_name) { print $anvil->Words->string({key => "message_0026", variables => { user => $user }}); my $query = "ALTER ROLE ".$user." WITH PASSWORD ".$dbh->quote($anvil->data->{switches}{'new-password'}); $dbh->do($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0090", variables => { query => $anvil->Log->secure ? $query : $anvil->Words->string({key => "log_0186"}), server => "localhost", db_error => $DBI::errstr, }}); print $anvil->Words->string({key => "message_0025"})."\n"; } # Update our database password in anvil.conf print $anvil->Words->string({key => "message_0027", variables => { file => $anvil->data->{switches}{'new-password'} }}); $anvil->Storage->update_config({ debug => 2, secure => 1, variable => "database::${host_uuid}::password", value => $anvil->data->{switches}{'new-password'}, }); print $anvil->Words->string({key => "message_0025"})."\n"; ### TODO: Loop through any other dashboards and nodes we know about and call the above with 'target' ### (and password, port and remote_user) set. # Update the local users. foreach my $user ("admin", "root") { print $anvil->Words->string({key => "message_0028", variables => { user => $user }}); $anvil->System->change_shell_user_password({debug => 2, user => $user, new_password => $anvil->data->{switches}{'new-password'}}); print $anvil->Words->string({key => "message_0025"})."\n"; } # All done! print $anvil->Words->string({key => "message_0029"})."\n"; return(0); }