You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
252 lines
8.7 KiB
252 lines
8.7 KiB
#!/usr/bin/perl |
|
# |
|
# This program sets/changes passwords on the Anvil! platform (nodes and dashboards). |
|
# |
|
# Exit codes; |
|
# 0 = Normal exit. |
|
# 1 = The program is not running as root. |
|
# 2 = Failed to connect to database(s). |
|
# 3 = User didn't enter a password or the passwords didn't match. |
|
# 4 = The password file doesn't exist, wasn't readable or was empty. |
|
# |
|
|
|
use strict; |
|
use warnings; |
|
use Data::Dumper; |
|
use Anvil::Tools; |
|
|
|
my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0]; |
|
my $running_directory = ($0 =~ /^(.*?)\/$THIS_FILE$/)[0]; |
|
if (($running_directory =~ /^\./) && ($ENV{PWD})) |
|
{ |
|
$running_directory =~ s/^\./$ENV{PWD}/; |
|
} |
|
|
|
# Turn off buffering so that the pinwheel will display while waiting for the SSH call(s) to complete. |
|
$| = 1; |
|
|
|
# Prevent a discrepency between UID/GID and EUID/EGID from throwing an error. |
|
$< = $>; |
|
$( = $); |
|
|
|
my $anvil = Anvil::Tools->new(); |
|
|
|
# Make sure we're running as 'root' |
|
# $< == real UID, $> == effective UID |
|
if (($< != 0) && ($> != 0)) |
|
{ |
|
# Not root |
|
print $anvil->Words->string({key => "error_0005"})."\n"; |
|
$anvil->nice_exit({exit_code => 1}); |
|
} |
|
|
|
$anvil->Get->switches; |
|
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }}); |
|
|
|
# Connect |
|
$anvil->Database->connect(); |
|
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0132"}); |
|
if (not $anvil->data->{sys}{database}{connections}) |
|
{ |
|
# No databases, exit. |
|
print $anvil->Words->string({key => "error_0003"})."\n"; |
|
$anvil->nice_exit({exit_code => 2}); |
|
} |
|
|
|
# The order that we pick up the new password is; |
|
# 1. If we've been told of a password file, read it |
|
# 2. If the user passed the password with --new-password <secret>, use that. |
|
# 3. Ask the user for the new password. |
|
if ($anvil->data->{switches}{'password-file'}) |
|
{ |
|
# Read the password in from the file. |
|
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { "switches::password-file" => $anvil->data->{switches}{'password-file'} }}); |
|
if (-e $anvil->data->{switches}{'password-file'}) |
|
{ |
|
# Read it in and remove the new-line(s), if it(they) exist. |
|
$anvil->data->{switches}{'new-password'} = $anvil->Storage->read_file({file => $anvil->data->{switches}{'password-file'}}); |
|
$anvil->data->{switches}{'new-password'} =~ s/\n//gs; |
|
} |
|
else |
|
{ |
|
# The file doesn't exist. |
|
print $anvil->Words->string({key => "error_0008", variables => { file => $anvil->data->{switches}{'password-file'} }})."\n"; |
|
$anvil->nice_exit({exit_code => 4}); |
|
} |
|
} |
|
elsif (not $anvil->data->{switches}{'new-password'}) |
|
{ |
|
print $anvil->Words->string({key => "message_0018"})."\n"; |
|
# Turn off echo |
|
$anvil->System->stty_echo({set => "off"}); |
|
my $password1 = <STDIN>; |
|
chomp($password1); |
|
$password1 =~ s/^\s+//; |
|
$password1 =~ s/\s+$//; |
|
# Turn echo on |
|
$anvil->System->stty_echo({set => "on"}); |
|
|
|
if (not $password1) |
|
{ |
|
print $anvil->Words->string({key => "error_0006"})."\n"; |
|
$anvil->nice_exit({exit_code => 3}); |
|
} |
|
|
|
print $anvil->Words->string({key => "message_0019"})."\n"; |
|
# Turn off echo |
|
$anvil->System->stty_echo({set => "off"}); |
|
my $password2 = <STDIN>; |
|
chomp($password2); |
|
$password2 =~ s/^\s+//; |
|
$password2 =~ s/\s+$//; |
|
# Turn echo on |
|
$anvil->System->stty_echo({set => "on"}); |
|
|
|
if ($password1 eq $password2) |
|
{ |
|
$anvil->data->{switches}{'new-password'} = $password1; |
|
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }}); |
|
} |
|
else |
|
{ |
|
print $anvil->Words->string({key => "error_0007"})."\n"; |
|
$anvil->nice_exit({exit_code => 3}); |
|
} |
|
} |
|
|
|
### TODO: Check for access to all known Anvil! nodes and warn the user that they will have to manually update |
|
### the password for us on any node we can't access |
|
### NOTE: 'anvil' can be a name or UUID |
|
# If we're called without an '--anvil' switch, then change the local password only. |
|
if ($anvil->data->{switches}{anvil}) |
|
{ |
|
# Find the Anvil! and verify access to both nodes. If neither are accessible, abort. |
|
} |
|
else |
|
{ |
|
### TODO: Support '--peers' to also update the peer dashboards. |
|
# Updating just ourself |
|
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }}); |
|
if (($anvil->data->{switches}{y}) or ($anvil->data->{switches}{yes})) |
|
{ |
|
print $anvil->Words->string({key => "message_0023"})."\n"; |
|
update_local_passwords($anvil); |
|
} |
|
else |
|
{ |
|
print $anvil->Words->string({key => "message_0020"})."\n"; |
|
print $anvil->Words->string({key => "message_0021"})." "; |
|
my $answer = <STDIN>; |
|
chomp($answer); |
|
if ($answer =~ /^y/) |
|
{ |
|
update_local_passwords($anvil); |
|
} |
|
else |
|
{ |
|
# Abort. |
|
print $anvil->Words->string({key => "message_0022"})."\n"; |
|
} |
|
} |
|
} |
|
|
|
|
|
$anvil->nice_exit({exit_code => 0}); |
|
|
|
############################################################################################################# |
|
# Functions # |
|
############################################################################################################# |
|
|
|
# This updates the local passwords. |
|
sub update_local_passwords |
|
{ |
|
my ($anvil) = @_; |
|
|
|
# Update the 'admin' user password in the database. |
|
my $user = "admin"; |
|
print $anvil->Words->string({key => "message_0024", variables => { user => $user }}); |
|
|
|
my $user_uuid = $anvil->Database->insert_or_update_users({ |
|
debug => 2, |
|
user_name => $user, |
|
user_password_hash => $anvil->data->{switches}{'new-password'}, |
|
user_is_admin => 1, |
|
user_is_experienced => 1, |
|
user_is_trusted => 1, |
|
}); |
|
# Log out any Striker sessions. |
|
$anvil->Account->logout({host_uuid => "all"}); |
|
print $anvil->Words->string({key => "message_0025"})."\n"; |
|
|
|
# Validate |
|
my $valid = $anvil->Account->validate_password({ |
|
debug => 2, |
|
user => $user, |
|
password => $anvil->data->{switches}{'new-password'}, |
|
}); |
|
|
|
### NOTE: We directly connect to the local 'template1' database as |
|
# Update the database passwords |
|
my $host_uuid = $anvil->data->{sys}{host_uuid}; |
|
my $old_password = $anvil->data->{database}{$host_uuid}{password}; |
|
my $dbh = DBI->connect("DBI:Pg:dbname=template1;host=localhost;port=5432", "postgres", $old_password, { |
|
RaiseError => 1, |
|
AutoCommit => 1, |
|
pg_enable_utf8 => 1 |
|
}); |
|
my $query = "SELECT a.datname, b.usename FROM pg_catalog.pg_database a, pg_catalog.pg_user b WHERE a.datdba = b.usesysid AND a.datistemplate IS NOT TRUE AND a.datname != 'postgres'"; |
|
my $DBreq = $dbh->prepare($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0075", variables => { |
|
query => $query, |
|
server => "localhost", |
|
db_error => $DBI::errstr, |
|
}}); |
|
|
|
# Execute on the query |
|
$DBreq->execute() or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0076", variables => { |
|
query => $query, |
|
server => "localhost", |
|
db_error => $DBI::errstr, |
|
}}); |
|
|
|
# Return the array |
|
my $results = $DBreq->fetchall_arrayref(); |
|
my $database_name = $results->[0]->[0]; |
|
my $owner_name = $results->[0]->[1]; |
|
foreach my $user ("postgres", $owner_name) |
|
{ |
|
print $anvil->Words->string({key => "message_0026", variables => { user => $user }}); |
|
my $query = "ALTER ROLE ".$user." WITH PASSWORD ".$dbh->quote($anvil->data->{switches}{'new-password'}); |
|
$dbh->do($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0090", variables => { |
|
query => $anvil->Log->is_secure($query), |
|
server => "localhost", |
|
db_error => $DBI::errstr, |
|
}}); |
|
print $anvil->Words->string({key => "message_0025"})."\n"; |
|
} |
|
|
|
# Update our database password in anvil.conf |
|
print $anvil->Words->string({key => "message_0027", variables => { file => $anvil->data->{switches}{'new-password'} }}); |
|
$anvil->Storage->update_config({ |
|
debug => 2, |
|
secure => 1, |
|
variable => "database::${host_uuid}::password", |
|
value => $anvil->data->{switches}{'new-password'}, |
|
}); |
|
print $anvil->Words->string({key => "message_0025"})."\n"; |
|
|
|
### TODO: Loop through any other dashboards and nodes we know about and call the above with 'target' |
|
### (and password, port and remote_user) set. |
|
|
|
# Update the local users. |
|
foreach my $user ("admin", "root") |
|
{ |
|
print $anvil->Words->string({key => "message_0028", variables => { user => $user }}); |
|
$anvil->System->change_shell_user_password({debug => 2, user => $user, new_password => $anvil->data->{switches}{'new-password'}}); |
|
print $anvil->Words->string({key => "message_0025"})."\n"; |
|
} |
|
|
|
# All done! |
|
print $anvil->Words->string({key => "message_0029"})."\n"; |
|
|
|
return(0); |
|
}
|
|
|