anvil/tools/anvil-manage-keys
digimer d9aa8aee74 Updated anvil-manage-keys to work from the command line
Signed-off-by: digimer <mkelly@alteeve.ca>
2023-11-13 18:59:24 -05:00

560 lines
18 KiB
Perl
Executable File

#!/usr/bin/perl
#
# This removes a bad key from a
#
# This program is setuid 'admin' and calls a (new) peer to read its host name and system UUID. It takes the
# target's password in via a file.
#
# Exit codes;
# 0 = Normal exit.
# 1 = No database connection.
# 2 = Job not found.
# 3 = No offending keys found.
#
# TODO: Record the keys we remove, then check for the same keys on any other machine we know about. If any
# are found on those machines, create a job for that host to remove the same.
# Also, look in the 'ip_addresses' table for any matching keys and delete them.
#
use strict;
use warnings;
use Anvil::Tools;
my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0];
my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0];
if (($running_directory =~ /^\./) && ($ENV{PWD}))
{
$running_directory =~ s/^\./$ENV{PWD}/;
}
# Turn off buffering so that the pinwheel will display while waiting for the SSH call(s) to complete.
$| = 1;
my $anvil = Anvil::Tools->new();
# Read switches (target ([user@]host[:port]) and the file with the target's password. If the password is
# passed directly, it will be used. Otherwise, the password will be read from the database.
$anvil->Get->switches({list => [
"confirm",
"job-uuid",
], man => $THIS_FILE});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => $anvil->data->{switches}});
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, key => "log_0115", variables => { program => $THIS_FILE }});
$anvil->Database->connect();
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0132"});
if (not $anvil->data->{sys}{database}{connections})
{
# No databases, update the job, sleep for a bit and then exit. The daemon will pick it up and try
# again after we exit.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0077"});
sleep 10;
$anvil->nice_exit({exit_code => 1});
}
# Pick up the job details
load_job_data($anvil);
# Process the bad keys
process_keys($anvil);
# Done.
update_progress($anvil, 100, "job_0051");
$anvil->nice_exit({exit_code => 0});
#############################################################################################################
# Functions #
#############################################################################################################
sub process_keys
{
my ($anvil) = @_;
foreach my $state_uuid (@{$anvil->data->{state_uuids}})
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { state_uuid => $state_uuid }});
my $query = "
SELECT
state_host_uuid,
state_name,
state_note
FROM
states
WHERE
state_uuid = ".$anvil->Database->quote($state_uuid)."
;";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { query => $query }});
# States aren't sync'ed, so we may need to check both/all DBs to find our data.
my $state_found = 0;
my $results = [];
foreach my $uuid (keys %{$anvil->data->{cache}{database_handle}})
{
$results = $anvil->Database->query({uuid => $uuid, query => $query, source => $THIS_FILE, line => __LINE__});
my $count = @{$results};
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
results => $results,
count => $count,
}});
if ($count)
{
$state_found = 1;
last;
}
}
if (not $state_found)
{
# No bad keys found on this host.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0078"});
sleep 10;
$anvil->nice_exit({exit_code => 2});
}
foreach my $row (@{$results})
{
my $state_host_uuid = $row->[0];
my $state_name = $row->[1];
my $state_note = $row->[2];
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
's1:sys::host_uuid' => $anvil->data->{sys}{host_uuid},
's2:state_host_uuid' => $state_host_uuid,
's3:state_name' => $state_name,
's4:state_note' => $state_note,
}});
# Is this meant for us?
if ($state_host_uuid ne $anvil->data->{sys}{host_uuid})
{
# Um...
$anvil->data->{job}{progress} += 10;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0058,!!state_uuid!".$state_uuid."!!,!!host_uuid!".$state_host_uuid."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0058", variables => {
state_uuid => $state_uuid,
host_uuid => $state_host_uuid,
}});
next;
}
### NOTE: We don't need the file or line anymore, but we're not removing it as having
### a record of the trigger might be useful someday.
# Pull out the details.
my $bad_file = "";
my $bad_line = "";
foreach my $pair (split/,/, $state_note)
{
my ($variable, $value) = ($pair =~ /^(.*?)=(.*)$/);
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
pair => $pair,
variable => $variable,
value => $value,
}});
if ($variable eq "file")
{
$bad_file = $value;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_file => $bad_file }});
}
if ($variable eq "line")
{
$bad_line = $value;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_line => $bad_line }});
}
}
my ($target) = ($state_name =~ /host_key_changed::(.*)$/);
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
target => $target,
bad_file => $bad_file,
bad_line => $bad_line,
}});
# Read in the specified bad file, then find any other files that might have matching bad keys.
process_file($anvil, "/root/.ssh/known_hosts", $target);
# Walk through any other users.
my $directory = "/home";
local(*DIRECTORY);
opendir(DIRECTORY, $directory);
while(my $file = readdir(DIRECTORY))
{
next if $file eq ".";
next if $file eq "..";
my $full_path = $directory."/".$file;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => {
file => $file,
full_path => $full_path,
}});
# If we're looking at a directory, scan it. Otherwise, see if it's an executable and that it
# starts with 'scan-*'.
if (-d $full_path)
{
# Check for a known_hosts file.
my $known_hosts = $full_path."/.ssh/known_hosts";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { known_hosts => $known_hosts }});
if (-e $known_hosts)
{
process_file($anvil, $known_hosts, $target);
}
}
}
closedir(DIRECTORY);
delete_state($anvil, $state_uuid);
}
}
return(0);
}
# Look through the file for bad keys.
sub process_file
{
my ($anvil, $file, $target) = @_;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
file => $file,
target => $target,
}});
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0049,!!file!".$file."!!,!!target!".$target."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0049", variables => {
file => $file,
target => $target,
}});
# Read in the file, if it exists.
if (not -e $file)
{
# File doesn't actually exist, wtf?
$anvil->data->{job}{progress} += 10;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0050,!!file!".$file."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0050", variables => { file => $file }});
return(1);
}
# Read in the file
my ($old_body) = $anvil->Storage->read_file({file => $file});
if ($old_body eq "!!error!!")
{
# Failed to read the file
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0052,!!file!".$file."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0052", variables => { file => $file }});
return(1);
}
# Find our key(s)
my $line_number = 0;
my $new_body = "";
my $update = 0;
foreach my $line (split/\n/, $old_body)
{
$line_number++;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
's1:line_number' => $line_number,
's2:line' => $line,
}});
# If the line starts with our target, remove it.
if ($line =~ /^$target /)
{
# Found it!
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0053,!!line!".$line_number."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0053", variables => { line => $line_number }});
$update = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { update => $update }});
}
else
{
$new_body .= $line."\n";
}
}
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
's1:old_body' => $old_body,
's2:new_body' => $new_body,
's3:update' => $update,
}});
if ($update)
{
# Write the file out.
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0055,!!file!".$file."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0055", variables => { file => $file }});
# Get the owning user and group.
my ($owning_uid, $owning_gid) = (stat($file))[4,5];
my $owning_user = getpwuid($owning_uid);
my $owning_group = getpwuid($owning_gid);
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
owning_uid => $owning_uid,
owning_gid => $owning_gid,
owning_user => $owning_user,
owning_group => $owning_group,
}});
my $error = $anvil->Storage->write_file({
body => $new_body,
debug => 3,
file => $file,
overwrite => 1,
user => $owning_user,
group => $owning_group
});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { error => $error }});
if ($error)
{
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0059,!!file!".$file."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0059", variables => { file => $file }});
}
else
{
# Success!
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0060,!!file!".$file."!!");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0060", variables => { file => $file }});
}
}
return(0);
}
# Load the job data or exit
sub load_job_data
{
my ($anvil) = @_;
$anvil->data->{state_uuids} = [];
if (not $anvil->data->{switches}{'job-uuid'})
{
# See if we can get the data from the command line switches.
my $bad_keys = 0;
my $query = "
SELECT
state_uuid,
state_name,
state_note
FROM
states
WHERE
state_name
LIKE
'host_key_changed::%'
AND
state_host_uuid = ".$anvil->Database->quote($anvil->Get->host_uuid)."
;";
# Collect from all DBs.
foreach my $uuid (keys %{$anvil->data->{cache}{database_handle}})
{
my $results = $anvil->Database->query({uuid => $uuid, query => $query, source => $THIS_FILE, line => __LINE__});
my $count = @{$results};
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
results => $results,
count => $count,
}});
foreach my $row (@{$results})
{
my $state_uuid = $row->[0];
my $state_name = $row->[1];
my $state_note = $row->[2];
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
's1:state_uuid' => $state_uuid,
's2:state_name' => $state_name,
's2:state_note' => $state_note,
}});
my $bad_file = "";
my $bad_line = "";
foreach my $pair (split/,/, $state_note)
{
my ($variable, $value) = ($pair =~ /^(.*?)=(.*)$/);
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
pair => $pair,
variable => $variable,
value => $value,
}});
if ($variable eq "file")
{
$bad_file = $value;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_file => $bad_file }});
}
if ($variable eq "line")
{
$bad_line = $value;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_line => $bad_line }});
}
}
$bad_keys++;
my ($target) = ($state_name =~ /host_key_changed::(.*)$/);
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
bad_keys => $bad_keys,
target => $target,
bad_file => $bad_file,
bad_line => $bad_line,
}});
$anvil->data->{bad_keys}{$target}{$bad_file}{$bad_line}{$state_uuid} = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
"bad_keys::${target}::${bad_file}::${bad_line}" => $anvil->data->{bad_keys}{$target}{$bad_file}{$bad_line},
}});
}
}
foreach my $target (sort {$a cmp $b} keys %{$anvil->data->{bad_keys}})
{
foreach my $bad_file (sort {$a cmp $b} keys %{$anvil->data->{bad_keys}{$target}})
{
foreach my $bad_line (sort {$a cmp $b} keys %{$anvil->data->{bad_keys}{$target}{$bad_file}})
{
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, key => "message_0362", variables => {
target => $target,
file => $bad_file,
line => $bad_line,
}});
foreach my $state_uuid (sort {$a cmp $b} keys %{$anvil->data->{bad_keys}{$target}{$bad_file}{$bad_line}})
{
push @{$anvil->data->{state_uuids}}, $state_uuid;
}
}
}
}
# Ask the user to confirm?
if ($anvil->data->{switches}{confirm})
{
# No.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, key => "message_0359"});
return(0);
}
# Ask the user to confirm.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, key => "message_0363"});
my $answer = <STDIN>;
chomp $answer;
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, key => "log_0828", variables => { answer => $answer }});
if ((lc($answer) eq "y") or (lc($answer) eq "yes"))
{
# Proceed.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, key => "message_0175"});
return(0);
}
else
{
# Abort.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, key => "message_0022"});
$anvil->nice_exit({exit_code => 0});
}
}
my $query = "SELECT job_data FROM jobs WHERE job_uuid = ".$anvil->Database->quote($anvil->data->{switches}{'job-uuid'}).";";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { query => $query }});
my $results = $anvil->Database->query({query => $query, source => $THIS_FILE, line => __LINE__});
my $count = @{$results};
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
results => $results,
count => $count,
}});
if (not $count)
{
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0079", variables => {
job_uuid => $anvil->data->{switches}{'job-uuid'},
}});
$anvil->nice_exit({exit_code => 1});
}
# Pick up the data.
my $job_data = $results->[0]->[0];
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { job_data => $job_data }});
if (not $job_data)
{
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0081", variables => {
job_uuid => $anvil->data->{switches}{'job-uuid'},
}});
$anvil->nice_exit({exit_code => 1});
}
# Pick up the job.
$anvil->data->{job}{progress} = 0;
update_progress($anvil, 0, "clear");
$anvil->data->{job}{progress} += 5;
update_progress($anvil, $anvil->data->{job}{progress}, "job_0048");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0048"});
# Break the job up.
foreach my $state_uuid (split/,/, $job_data)
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { state_uuid => $state_uuid }});
if ($anvil->Validate->uuid({uuid => $state_uuid}))
{
push @{$anvil->data->{state_uuids}}, $state_uuid;
}
else
{
# Invalid, skip it.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0082", variables => {
state_uuid => $state_uuid,
}});
}
}
my $uuid_count = @{$anvil->data->{state_uuids}};
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { uuid_count => $uuid_count }});
# Did I find any actual UUIDs?
if (not $uuid_count)
{
# Nope.
update_progress($anvil, 100, "error_0083");
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "error_0083"});
}
return(0);
}
# This deletes a state entry.
sub delete_state
{
my ($anvil, $state_uuid) = @_;
# Delete it so long as we have a UUID.
if ($state_uuid)
{
my $query = "DELETE FROM states WHERE state_uuid = ".$anvil->Database->quote($state_uuid).";";
$anvil->Database->write({debug => 3, query => $query, source => $THIS_FILE, line => __LINE__});
}
return(0);
}
# This updates the progress if we were called with a job UUID.
sub update_progress
{
my ($anvil, $progress, $message) = @_;
$progress = 95 if $progress > 100;
# Log the progress percentage.
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => {
progress => $progress,
message => $message,
}});
$anvil->Job->update_progress({
debug => 3,
progress => $progress,
message => $message,
job_uuid => $anvil->data->{switches}{'job-uuid'},
});
return(0);
}