#!/usr/bin/perl |
|
# |
|
# This removes stale SSH host keys for a target from the known_hosts files on this machine.
#
# It runs as a job (switch 'job-uuid'). The job's data is a comma-separated list of 'states' UUIDs. Each state
# is named 'host_key_changed::<target>'; the target's line(s) are removed from /root/.ssh/known_hosts and from
# every /home/*/.ssh/known_hosts, and the state entry is then deleted. Nothing in this file connects to a peer
# or reads a password file (an earlier version of this header said so, but that text did not match the code).
#
# Exit codes (as used by the code below):
# 0 = Normal exit.
# 1 = No database connection, no 'job-uuid' switch, job not found, or job has no data.
# 2 = A state UUID listed in the job no longer exists in the 'states' table.
#
# TODO: Record the keys we remove, then check for the same keys on any other machine we know about. If any
# are found on those machines, create a job for that host to remove the same.
# Also, look in the 'ip_addresses' table for any matching keys and delete them.
#
|
|
|
use strict; |
|
use warnings; |
|
use Anvil::Tools; |
|
|
|
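# Work out this program's file name and the directory it was started from. A relative './' start is made
# absolute using $ENV{PWD}. When invoked without any path component (found via $PATH), $0 has no '/', so fall
# back to $0 itself rather than leaving $THIS_FILE undefined.
my $THIS_FILE = ($0 =~ /^.*\/(.*)$/)[0];
$THIS_FILE = $0 if not defined $THIS_FILE;
# \Q...\E: the file name is data, not a pattern, so any regex metacharacters in it are matched literally.
my $running_directory = ($0 =~ /^(.*?)\/\Q$THIS_FILE\E$/)[0];
if ((defined $running_directory) && ($running_directory =~ /^\./) && ($ENV{PWD}))
{
	$running_directory =~ s/^\./$ENV{PWD}/;
}

# Turn off output buffering so that the progress messages logged with 'print' => 1 appear as they happen.
$| = 1;

my $anvil = Anvil::Tools->new();
$anvil->Log->level({set => 2});
# NOTE(review): 'secure' logging is switched on, yet every entry in this file is 'secure => 0' and no
# passwords are handled. Left as-is in case Anvil::Tools reads the flag elsewhere - confirm before removing.
$anvil->Log->secure({set => 1});
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});

# Read the command line switches. The only switch this program uses is 'job-uuid' (re-read further down once
# its default has been set). Get->switches is called before the database connection in case connect() looks at
# switches; that ordering is preserved from the original.
$anvil->Get->switches;

$anvil->Database->connect();
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0132"});
if (not $anvil->data->{sys}{database}{connections})
{
	# No databases; log it, sleep for a bit and exit. The daemon is expected to pick the job up and try
	# again after we exit.
	$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0077"});
	sleep 10;
	$anvil->nice_exit({exit_code => 1});
}

# Pick up the job details. The default is set first so that a missing switch reads as an empty string rather
# than undef.
$anvil->data->{switches}{'job-uuid'} = "";
$anvil->Get->switches;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
	'switches::job-uuid' => $anvil->data->{switches}{'job-uuid'}, 
}});

# Load the job and the list of state UUIDs it carries (exits on any problem).
load_job_data($anvil);

# Remove the bad keys named by those states.
process_keys($anvil);

# Done.
update_progress($anvil, 100, "job_0051");
# Every other exit in this file passes 'exit_code'; the original used 'code' here, which nice_exit() does not
# appear to read anywhere else in this file, so use the same key as the rest of the program.
$anvil->nice_exit({exit_code => 0});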
|
|
|
|
|
############################################################################################################# |
|
# Functions # |
|
############################################################################################################# |
|
|
|
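# Walk the job's state UUIDs. For each state meant for this host, pull the target out of the state name
# ('host_key_changed::<target>'), strip that target's line(s) from /root/.ssh/known_hosts and from every
# /home/*/.ssh/known_hosts, then delete the state row.
#
# Takes the Anvil::Tools object; reads $anvil->data->{state_uuids} (set by load_job_data()). Returns 0.
# Exits with code 2 if a listed state no longer exists in the 'states' table.
sub process_keys
{
	my ($anvil) = @_;
	
	foreach my $state_uuid (@{$anvil->data->{state_uuids}})
	{
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { state_uuid => $state_uuid }});
		my $query = "
SELECT 
    state_host_uuid, 
    state_name, 
    state_note 
FROM 
    states 
WHERE 
    state_uuid = ".$anvil->Database->quote($state_uuid)." 
;";
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { query => $query }});
		my $results = $anvil->Database->query({query => $query, source => $THIS_FILE, line => __LINE__});
		my $count   = @{$results};
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
			results => $results, 
			count   => $count, 
		}});
		if (not $count)
		{
			# The state row is gone. NOTE(review): this aborts the whole job - any remaining state UUIDs
			# are not processed and progress is never set to 100. Kept as-is; consider 'next' instead.
			$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0078"});
			sleep 10;
			$anvil->nice_exit({exit_code => 2});
		}
		
		foreach my $row (@{$results})
		{
			my ($state_host_uuid, $state_name, $state_note) = @{$row};
			$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
				's1:sys::host_uuid' => $anvil->data->{sys}{host_uuid}, 
				's2:state_host_uuid' => $state_host_uuid, 
				's3:state_name'      => $state_name, 
				's4:state_note'      => $state_note, 
			}});
			
			# Is this meant for us? If not, record it and move on.
			if ($state_host_uuid ne $anvil->data->{sys}{host_uuid})
			{
				$anvil->data->{job}{progress} += 10;
				update_progress($anvil, $anvil->data->{job}{progress}, "job_0058,!!state_uuid!".$state_uuid."!!,!!host_uuid!".$state_host_uuid."!!");
				$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0058", variables => { 
					state_uuid => $state_uuid, 
					host_uuid  => $state_host_uuid, 
				}});
				next;
			}
			
			### NOTE: The file and line from the note are no longer needed, but they're still parsed and
			###       logged as a record of what triggered the state.
			my $bad_file = "";
			my $bad_line = "";
			foreach my $pair (split/,/, $state_note)
			{
				my ($variable, $value) = ($pair =~ /^(.*?)=(.*)$/);
				$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
					pair     => $pair, 
					variable => $variable, 
					value    => $value, 
				}});
				next if not defined $variable;
				if ($variable eq "file")
				{
					$bad_file = $value;
					$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_file => $bad_file }});
				}
				elsif ($variable eq "line")
				{
					$bad_line = $value;
					$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { bad_line => $bad_line }});
				}
			}
			my ($target) = ($state_name =~ /host_key_changed::(.*)$/);
			$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
				target   => $target, 
				bad_file => $bad_file, 
				bad_line => $bad_line, 
			}});
			
			# A state name that doesn't carry a target gives nothing to match. Previously an undefined
			# target was interpolated straight into the regex in process_file(), which then matched
			# any line beginning with a space. Drop the unusable state and move on.
			if ((not defined $target) or ($target eq ""))
			{
				$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 1, list => { 
					state_uuid => $state_uuid, 
					state_name => $state_name, 
				}});
				delete_state($anvil, $state_uuid);
				next;
			}
			
			# Root's file first.
			process_file($anvil, "/root/.ssh/known_hosts", $target);
			
			# Then every user with a home directory under /home.
			my $directory = "/home";
			my $dir_handle;
			if (not opendir($dir_handle, $directory))
			{
				# Can't list /home. Root's file was already handled; record the failure and carry on.
				$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 1, list => { 
					directory => $directory, 
					error     => $!, 
				}});
			}
			else
			{
				while (my $entry = readdir($dir_handle))
				{
					next if (($entry eq ".") or ($entry eq ".."));
					my $full_path = $directory."/".$entry;
					$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { 
						entry     => $entry, 
						full_path => $full_path, 
					}});
					next if not -d $full_path;
					
					my $ssh_directory = $full_path."/.ssh";
					my $known_hosts   = $ssh_directory."/known_hosts";
					$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { known_hosts => $known_hosts }});
					
					# Everything below a home directory is under that user's control, and this program
					# rewrites the file (and logs its contents) with whatever privilege it runs with.
					# Refuse to follow a symlinked '.ssh' or 'known_hosts' so a user can't point us at a
					# file outside their home. (Entries directly under /home can only be created by root,
					# so they are not checked.) A stricter check would also require the file's owner to
					# match the home directory's owner.
					if ((-l $ssh_directory) or (-l $known_hosts))
					{
						$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 1, list => { skipped_symlink => $known_hosts }});
						next;
					}
					next if not -e $known_hosts;
					
					process_file($anvil, $known_hosts, $target);
				}
				closedir($dir_handle);
			}
			
			delete_state($anvil, $state_uuid);
		}
	}
	
	return(0);
}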
|
|
|
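# Read '$file', drop every line whose first field is exactly '$target' (i.e. the line starts with
# "<target> ") and, if anything was removed, write the file back with its original owner and group.
#
# NOTE(review): only lines that *begin* with the target are matched. A known_hosts entry that lists the
# target as one of several comma-separated names ("other,<target> ssh-ed25519 ..."), a '[host]:port'
# form, or a hashed (HashKnownHosts) entry will not be removed - confirm that is acceptable.
#
# Returns 0 when the file was processed (including when nothing matched or the write failed - the failure
# is logged and reported via the job), 1 when no target was given or the file is missing or unreadable.
sub process_file
{
	my ($anvil, $file, $target) = @_;
	
	# Nothing to match without a target; an undefined or empty target would otherwise be interpolated
	# into the pattern below and match the wrong lines.
	if ((not defined $target) or ($target eq ""))
	{
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 1, list => { file => $file }});
		return(1);
	}
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
		file   => $file, 
		target => $target, 
	}});
	
	$anvil->data->{job}{progress} += 5;
	update_progress($anvil, $anvil->data->{job}{progress}, "job_0049,!!file!".$file."!!,!!target!".$target."!!");
	$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0049", variables => { 
		file   => $file, 
		target => $target, 
	}});
	
	# The file has to exist.
	if (not -e $file)
	{
		$anvil->data->{job}{progress} += 10;
		update_progress($anvil, $anvil->data->{job}{progress}, "job_0050,!!file!".$file."!!");
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0050", variables => { file => $file }});
		
		return(1);
	}
	
	# Read it in. Storage->read_file() signals failure with the literal string '!!error!!'.
	my ($old_body) = $anvil->Storage->read_file({file => $file});
	if ($old_body eq "!!error!!")
	{
		$anvil->data->{job}{progress} += 5;
		update_progress($anvil, $anvil->data->{job}{progress}, "job_0052,!!file!".$file."!!");
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0052", variables => { file => $file }});
		
		return(1);
	}
	
	# Quote the target so that '.', '[', '*' and friends in a hostname or IP are matched literally. Without
	# this, a target of '10.1.1.1' would also remove a line for '10a1b1c1', and a target containing an
	# unbalanced metacharacter would be a runtime regex error.
	my $target_re   = qr/^\Q$target\E /;
	my $line_number = 0;
	my $new_body    = "";
	my $update      = 0;
	foreach my $line (split/\n/, $old_body)
	{
		$line_number++;
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
			's1:line_number' => $line_number, 
			's2:line'        => $line, 
		}});
		
		if ($line =~ $target_re)
		{
			# Found it; record the line number and drop the line.
			$anvil->data->{job}{progress} += 5;
			update_progress($anvil, $anvil->data->{job}{progress}, "job_0053,!!line!".$line_number."!!");
			$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0053", variables => { line => $line_number }});
			
			$update = 1;
			$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { update => $update }});
		}
		else
		{
			$new_body .= $line."\n";
		}
	}
	
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
		's1:old_body' => $old_body, 
		's2:new_body' => $new_body, 
		's3:update'   => $update, 
	}});
	return(0) if not $update;
	
	# Write the file out.
	$anvil->data->{job}{progress} += 5;
	update_progress($anvil, $anvil->data->{job}{progress}, "job_0055,!!file!".$file."!!");
	$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0055", variables => { file => $file }});
	
	# Resolve the owning user and group names so the rewritten file keeps its ownership. A GID must be looked
	# up with getgrgid(); the original used getpwuid() for the group, which returns the *user* whose UID
	# happens to equal the GID (or nothing at all), so a user's known_hosts could be handed to the wrong
	# group. If a name can't be resolved, fall back to the numeric ID (assumes Storage->write_file accepts a
	# numeric ID as well as a name - confirm).
	my ($owning_uid, $owning_gid) = (stat($file))[4,5];
	my $owning_user  = getpwuid($owning_uid);
	my $owning_group = getgrgid($owning_gid);
	$owning_user  = $owning_uid if not defined $owning_user;
	$owning_group = $owning_gid if not defined $owning_group;
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
		owning_uid   => $owning_uid, 
		owning_gid   => $owning_gid, 
		owning_user  => $owning_user, 
		owning_group => $owning_group, 
	}});
	
	my $error = $anvil->Storage->write_file({
		body      => $new_body, 
		debug     => 3,
		file      => $file, 
		overwrite => 1, 
		user      => $owning_user, 
		group     => $owning_group
	});
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { error => $error }});
	if ($error)
	{
		# Write failed; report it through the job but keep going (return value is unchanged from the
		# original).
		$anvil->data->{job}{progress} += 5;
		update_progress($anvil, $anvil->data->{job}{progress}, "job_0059,!!file!".$file."!!");
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0059", variables => { file => $file }});
	}
	else
	{
		# Success!
		$anvil->data->{job}{progress} += 5;
		update_progress($anvil, $anvil->data->{job}{progress}, "job_0060,!!file!".$file."!!");
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0060", variables => { file => $file }});
	}
	
	return(0);
}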
|
|
|
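# Load the job named by the 'job-uuid' switch and split its 'job_data' column (a comma-separated list of
# state UUIDs) into $anvil->data->{state_uuids}. Entries that don't validate as UUIDs are logged and
# dropped. Exits with code 1 when the switch is missing, the job isn't found, or the job has no data.
#
# Takes the Anvil::Tools object; returns 0.
sub load_job_data
{
	my ($anvil) = @_;
	
	my $job_uuid = $anvil->data->{switches}{'job-uuid'};
	if (not $job_uuid)
	{
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0080"});
		$anvil->nice_exit({exit_code => 1});
	}
	
	my $query = "SELECT job_data FROM jobs WHERE job_uuid = ".$anvil->Database->quote($job_uuid).";";
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { query => $query }});
	my $results = $anvil->Database->query({query => $query, source => $THIS_FILE, line => __LINE__});
	my $count   = @{$results};
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 
		results => $results, 
		count   => $count, 
	}});
	
	if (not $count)
	{
		# Job not found.
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0079", variables => { 
			job_uuid => $job_uuid, 
		}});
		$anvil->nice_exit({exit_code => 1});
	}
	
	# Pick up the data.
	my $job_data = $results->[0]->[0];
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { job_data => $job_data }});
	if (not $job_data)
	{
		# Job exists but carries nothing to do.
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0081", variables => { 
			job_uuid => $job_uuid, 
		}});
		$anvil->nice_exit({exit_code => 1});
	}
	
	# Claim the job: reset progress and mark it started.
	$anvil->data->{job}{progress} = 0;
	update_progress($anvil, 0, "clear");
	
	$anvil->data->{job}{progress} += 5;
	update_progress($anvil, $anvil->data->{job}{progress}, "job_0048");
	$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "job_0048"});
	
	# Break the job up into state UUIDs. Surrounding whitespace is stripped first so "a, b" is accepted the
	# same way as "a,b"; anything that still isn't a UUID is logged and skipped.
	$anvil->data->{state_uuids} = [];
	foreach my $raw_uuid (split/,/, $job_data)
	{
		my $state_uuid = $raw_uuid;
		$state_uuid =~ s/^\s+//;
		$state_uuid =~ s/\s+$//;
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { state_uuid => $state_uuid }});
		if ($anvil->Validate->is_uuid({uuid => $state_uuid}))
		{
			push @{$anvil->data->{state_uuids}}, $state_uuid;
		}
		else
		{
			$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0082", variables => { 
				state_uuid => $state_uuid, 
			}});
		}
	}
	
	my $uuid_count = @{$anvil->data->{state_uuids}};
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { uuid_count => $uuid_count }});
	
	# No usable UUIDs: mark the job finished with the error and return; process_keys() then has nothing to
	# loop over (this does not exit, matching the original).
	if (not $uuid_count)
	{
		update_progress($anvil, 100, "error_0083");
		$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "error_0083"});
	}
	
	return(0);
}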
|
|
|
# Remove one row from the 'states' table by its UUID. A false/empty UUID is a no-op.
#
# Takes the Anvil::Tools object and the state UUID; returns 0.
sub delete_state
{
	my ($anvil, $state_uuid) = @_;
	
	return(0) if not $state_uuid;
	
	my $query = "DELETE FROM states WHERE state_uuid = ".$anvil->Database->quote($state_uuid).";";
	$anvil->Database->write({debug => 3, query => $query, source => $THIS_FILE, line => __LINE__});
	
	return(0);
}
|
|
|
# Record '$progress' (a percentage) and '$message' against the job given by the 'job-uuid' switch.
#
# A value above 100 is pulled back to 95 rather than capped at 100 - presumably so that only a deliberate
# update_progress(..., 100, ...) marks the job complete (confirm against Job->update_progress). Returns 0.
sub update_progress
{
	my ($anvil, $progress, $message) = @_;
	
	if ($progress > 100)
	{
		$progress = 95;
	}
	
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { 
		progress => $progress, 
		message  => $message, 
	}});
	
	my $job_uuid = $anvil->data->{switches}{'job-uuid'};
	$anvil->Job->update_progress({
		debug    => 3, 
		progress => $progress, 
		message  => $message, 
		job_uuid => $job_uuid, 
	});
	
	return(0);
}
|
|
|