bool WriteAmPolicyHubFile(const char *workdir, bool am_policy_hub)
{
char *filename = AmPolicyHubFilename(workdir);
if (am_policy_hub)
{
if (!GetAmPolicyHub(workdir))
{
if (creat(filename, 0600) == -1)
{
Log(LOG_LEVEL_ERR, "Error writing marker file '%s'", filename);
free(filename);
return false;
}
}
}
else
{
if (GetAmPolicyHub(workdir))
{
if (unlink(filename) != 0)
{
Log(LOG_LEVEL_ERR, "Error removing marker file '%s'", filename);
free(filename);
return false;
}
}
}
free(filename);
return true;
}
static void KeepHardClasses(EvalContext *ctx)
{
char name[CF_BUFSIZE];
if (name != NULL)
{
char *existing_policy_server = PolicyServerReadFile(GetWorkDir());
if (existing_policy_server)
{
free(existing_policy_server);
if (GetAmPolicyHub())
{
MarkAsPolicyServer(ctx);
}
}
}
/* FIXME: why is it not in generic_agent?! */
GenericAgentAddEditionClasses(ctx);
}
static void KeepHardClasses(EvalContext *ctx)
{
char name[CF_BUFSIZE];
if (name != NULL)
{
char *existing_policy_server = ReadPolicyServerFile(CFWORKDIR);
if (existing_policy_server)
{
if (GetAmPolicyHub(CFWORKDIR))
{
EvalContextClassPutHard(ctx, "am_policy_hub", "source=bootstrap");
}
free(existing_policy_server);
}
}
/* FIXME: why is it not in generic_agent?! */
GenericAgentAddEditionClasses(ctx);
}
bool GenericAgentCheckPolicy(GenericAgentConfig *config, bool force_validation, bool write_validated_file)
{
if (!MissingInputFile(config->input_file))
{
{
if (config->agent_type == AGENT_TYPE_SERVER ||
config->agent_type == AGENT_TYPE_MONITOR ||
config->agent_type == AGENT_TYPE_EXECUTOR)
{
time_t validated_at = ReadTimestampFromPolicyValidatedFile(config, NULL);
config->agent_specific.daemon.last_validated_at = validated_at;
}
}
if (IsPolicyPrecheckNeeded(config, force_validation))
{
bool policy_check_ok = GenericAgentArePromisesValid(config);
if (policy_check_ok && write_validated_file)
{
GenericAgentTagReleaseDirectory(config,
NULL, // use GetAutotagDir
write_validated_file, // true
GetAmPolicyHub(GetWorkDir())); // write release ID?
}
if (config->agent_specific.agent.bootstrap_policy_server && !policy_check_ok)
{
Log(LOG_LEVEL_VERBOSE, "Policy is not valid, but proceeding with bootstrap");
return true;
}
return policy_check_ok;
}
else
{
Log(LOG_LEVEL_VERBOSE, "Policy is already validated");
return true;
}
}
return false;
}
void PolicyHubUpdateKeys(const char *policy_server)
{
if (GetAmPolicyHub(CFWORKDIR)
&& NULL != PUBKEY)
{
unsigned char digest[EVP_MAX_MD_SIZE + 1];
char dst_public_key_filename[CF_BUFSIZE] = "";
{
char buffer[CF_HOSTKEY_STRING_SIZE];
HashPubKey(PUBKEY, digest, CF_DEFAULT_DIGEST);
snprintf(dst_public_key_filename, sizeof(dst_public_key_filename),
"%s/ppkeys/%s-%s.pub",
CFWORKDIR, "root",
HashPrintSafe(buffer, sizeof(buffer), digest,
CF_DEFAULT_DIGEST, true));
MapName(dst_public_key_filename);
}
struct stat sb;
if ((stat(dst_public_key_filename, &sb) == -1))
{
char src_public_key_filename[CF_BUFSIZE] = "";
snprintf(src_public_key_filename, CF_MAXVARSIZE, "%s/ppkeys/localhost.pub", CFWORKDIR);
MapName(src_public_key_filename);
// copy localhost.pub to root-HASH.pub on policy server
if (!LinkOrCopy(src_public_key_filename, dst_public_key_filename, false))
{
Log(LOG_LEVEL_ERR, "Unable to copy policy server's own public key from '%s' to '%s'", src_public_key_filename, dst_public_key_filename);
}
if (policy_server)
{
LastSaw(policy_server, digest, LAST_SEEN_ROLE_CONNECT);
}
}
}
}
static void KeepHardClasses(EvalContext *ctx)
{
char name[CF_BUFSIZE];
if (name != NULL)
{
char *existing_policy_server = ReadPolicyServerFile(CFWORKDIR);
if (existing_policy_server)
{
if (GetAmPolicyHub(CFWORKDIR))
{
EvalContextHeapAddHard(ctx, "am_policy_hub");
}
free(existing_policy_server);
}
}
/* FIXME: why is it not in generic_agent?! */
#if defined HAVE_NOVA
EvalContextHeapAddHard(ctx, "nova_edition");
EvalContextHeapAddHard(ctx, "enterprise_edition");
#else
EvalContextHeapAddHard(ctx, "community_edition");
#endif
}
void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config)
{
GenericAgentSetDefaultDigest(&CF_DEFAULT_DIGEST, &CF_DEFAULT_DIGEST_LEN);
GenericAgentInitialize(ctx, config);
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
SanitizeEnvironment();
THIS_AGENT_TYPE = config->agent_type;
EvalContextClassPutHard(ctx, CF_AGENTTYPES[config->agent_type], "cfe_internal,source=agent");
DetectEnvironment(ctx);
EvalContextHeapPersistentLoadAll(ctx);
LoadSystemConstants(ctx);
if (config->agent_type == AGENT_TYPE_AGENT && config->agent_specific.agent.bootstrap_policy_server)
{
if (!RemoveAllExistingPolicyInInputs(GetInputDir()))
{
Log(LOG_LEVEL_ERR, "Error removing existing input files prior to bootstrap");
exit(EXIT_FAILURE);
}
if (!WriteBuiltinFailsafePolicy(GetInputDir()))
{
Log(LOG_LEVEL_ERR, "Error writing builtin failsafe to inputs prior to bootstrap");
exit(EXIT_FAILURE);
}
bool am_policy_server = false;
{
const char *canonified_bootstrap_policy_server = CanonifyName(config->agent_specific.agent.bootstrap_policy_server);
am_policy_server = NULL != EvalContextClassGet(ctx, NULL, canonified_bootstrap_policy_server);
{
char policy_server_ipv4_class[CF_BUFSIZE];
snprintf(policy_server_ipv4_class, CF_MAXVARSIZE, "ipv4_%s", canonified_bootstrap_policy_server);
am_policy_server |= NULL != EvalContextClassGet(ctx, NULL, policy_server_ipv4_class);
}
if (am_policy_server)
{
Log(LOG_LEVEL_INFO, "Assuming role as policy server, with policy distribution point at %s", GetMasterDir());
EvalContextClassPutHard(ctx, "am_policy_hub", "source=bootstrap");
if (!MasterfileExists(GetMasterDir()))
{
Log(LOG_LEVEL_ERR, "In order to bootstrap as a policy server, the file '%s/promises.cf' must exist.", GetMasterDir());
exit(EXIT_FAILURE);
}
}
else
{
Log(LOG_LEVEL_INFO, "Not assuming role as policy server");
}
WriteAmPolicyHubFile(CFWORKDIR, am_policy_server);
}
WritePolicyServerFile(GetWorkDir(), config->agent_specific.agent.bootstrap_policy_server);
SetPolicyServer(ctx, config->agent_specific.agent.bootstrap_policy_server);
/* FIXME: Why it is called here? Can't we move both invocations to before if? */
UpdateLastPolicyUpdateTime(ctx);
Log(LOG_LEVEL_INFO, "Bootstrapping to '%s'", POLICY_SERVER);
}
else
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
if (existing_policy_server)
{
Log(LOG_LEVEL_VERBOSE, "This agent is bootstrapped to '%s'", existing_policy_server);
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
UpdateLastPolicyUpdateTime(ctx);
}
else
{
Log(LOG_LEVEL_VERBOSE, "This agent is not bootstrapped");
return;
}
if (GetAmPolicyHub(GetWorkDir()))
{
EvalContextClassPutHard(ctx, "am_policy_hub", "source=bootstrap,deprecated,alias=policy_server");
Log(LOG_LEVEL_VERBOSE, "Additional class defined: am_policy_hub");
EvalContextClassPutHard(ctx, "policy_server", "inventory,attribute_name=CFEngine roles,source=bootstrap");
Log(LOG_LEVEL_VERBOSE, "Additional class defined: policy_server");
}
}
}
void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config)
{
GenericAgentInitialize(ctx, config);
SetReferenceTime(ctx, true);
SetStartTime();
SanitizeEnvironment();
THIS_AGENT_TYPE = config->agent_type;
EvalContextHeapAddHard(ctx, CF_AGENTTYPES[config->agent_type]);
GenericAgentSetDefaultDigest(&CF_DEFAULT_DIGEST, &CF_DEFAULT_DIGEST_LEN);
GetNameInfo3(ctx, config->agent_type);
GetInterfacesInfo(ctx);
Get3Environment(ctx, config->agent_type);
BuiltinClasses(ctx);
OSClasses(ctx);
EvalContextHeapPersistentLoadAll(ctx);
LoadSystemConstants(ctx);
if (config->agent_type == AGENT_TYPE_AGENT && config->agent_specific.agent.bootstrap_policy_server)
{
if (!RemoveAllExistingPolicyInInputs(GetWorkDir()))
{
Log(LOG_LEVEL_ERR, "Error removing existing input files prior to bootstrap");
exit(EXIT_FAILURE);
}
if (!WriteBuiltinFailsafePolicy(GetWorkDir()))
{
Log(LOG_LEVEL_ERR, "Error writing builtin failsafe to inputs prior to bootstrap");
exit(EXIT_FAILURE);
}
bool am_policy_server = false;
{
const char *canonified_bootstrap_policy_server = CanonifyName(config->agent_specific.agent.bootstrap_policy_server);
am_policy_server = IsDefinedClass(ctx, canonified_bootstrap_policy_server, NULL);
{
char policy_server_ipv4_class[CF_BUFSIZE];
snprintf(policy_server_ipv4_class, CF_MAXVARSIZE, "ipv4_%s", canonified_bootstrap_policy_server);
am_policy_server |= IsDefinedClass(ctx, policy_server_ipv4_class, NULL);
}
if (am_policy_server)
{
Log(LOG_LEVEL_INFO, "Assuming role as policy server, with policy distribution point at %s/masterfiles", GetWorkDir());
EvalContextHeapAddHard(ctx, "am_policy_hub");
if (!MasterfileExists(GetWorkDir()))
{
Log(LOG_LEVEL_ERR, "In order to bootstrap as a policy server, the file '%s/masterfiles/promises.cf' must exist.", GetWorkDir());
exit(EXIT_FAILURE);
}
}
else
{
Log(LOG_LEVEL_INFO, "Not assuming role as policy server");
}
WriteAmPolicyHubFile(CFWORKDIR, am_policy_server);
}
WritePolicyServerFile(GetWorkDir(), config->agent_specific.agent.bootstrap_policy_server);
SetPolicyServer(ctx, config->agent_specific.agent.bootstrap_policy_server);
Log(LOG_LEVEL_INFO, "Bootstrapping to '%s'", POLICY_SERVER);
}
else
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
if (existing_policy_server)
{
Log(LOG_LEVEL_VERBOSE, "This agent is bootstrapped to '%s'", existing_policy_server);
}
else
{
Log(LOG_LEVEL_VERBOSE, "This agent is not bootstrapped");
}
SetPolicyServer(ctx, existing_policy_server);
if (GetAmPolicyHub(GetWorkDir()))
{
EvalContextHeapAddHard(ctx, "am_policy_hub"); // DEPRECATED: use policy_server instead
Log(LOG_LEVEL_VERBOSE, "Additional class defined: am_policy_hub");
EvalContextHeapAddHard(ctx, "policy_server");
Log(LOG_LEVEL_VERBOSE, "Additional class defined: policy_server");
}
}
}
/**
* @return true the error is not so severe that we must stop
*/
bool LoadSecretKeys(const char *policy_server)
{
static char *passphrase = "Cfengine passphrase";
{
FILE *fp = fopen(PrivateKeyFile(GetWorkDir()), "r");
if (!fp)
{
Log(LOG_LEVEL_INFO, "Couldn't find a private key at '%s', use cf-key to get one. (fopen: %s)", PrivateKeyFile(GetWorkDir()), GetErrorStr());
return true;
}
if ((PRIVKEY = PEM_read_RSAPrivateKey(fp, (RSA **) NULL, NULL, passphrase)) == NULL)
{
unsigned long err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Error reading private key. (PEM_read_RSAPrivateKey: %s)", ERR_reason_error_string(err));
PRIVKEY = NULL;
fclose(fp);
return true;
}
fclose(fp);
Log(LOG_LEVEL_VERBOSE, "Loaded private key at '%s'", PrivateKeyFile(GetWorkDir()));
}
{
FILE *fp = fopen(PublicKeyFile(GetWorkDir()), "r");
if (!fp)
{
Log(LOG_LEVEL_ERR, "Couldn't find a public key at '%s', use cf-key to get one (fopen: %s)", PublicKeyFile(GetWorkDir()), GetErrorStr());
return true;
}
if ((PUBKEY = PEM_read_RSAPublicKey(fp, NULL, NULL, passphrase)) == NULL)
{
unsigned long err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Error reading public key at '%s'. (PEM_read_RSAPublicKey: %s)", PublicKeyFile(GetWorkDir()), ERR_reason_error_string(err));
PUBKEY = NULL;
fclose(fp);
return true;
}
Log(LOG_LEVEL_VERBOSE, "Loaded public key '%s'", PublicKeyFile(GetWorkDir()));
fclose(fp);
}
if ((BN_num_bits(PUBKEY->e) < 2) || (!BN_is_odd(PUBKEY->e)))
{
Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd");
return false;
}
if (GetAmPolicyHub(CFWORKDIR))
{
unsigned char digest[EVP_MAX_MD_SIZE + 1];
char dst_public_key_filename[CF_BUFSIZE] = "";
{
char buffer[EVP_MAX_MD_SIZE * 4];
HashPubKey(PUBKEY, digest, CF_DEFAULT_DIGEST);
snprintf(dst_public_key_filename, CF_MAXVARSIZE, "%s/ppkeys/%s-%s.pub", CFWORKDIR, "root", HashPrintSafe(CF_DEFAULT_DIGEST, digest, buffer));
MapName(dst_public_key_filename);
}
struct stat sb;
if ((stat(dst_public_key_filename, &sb) == -1))
{
char src_public_key_filename[CF_BUFSIZE] = "";
snprintf(src_public_key_filename, CF_MAXVARSIZE, "%s/ppkeys/localhost.pub", CFWORKDIR);
MapName(src_public_key_filename);
// copy localhost.pub to root-HASH.pub on policy server
if (!LinkOrCopy(src_public_key_filename, dst_public_key_filename, false))
{
Log(LOG_LEVEL_ERR, "Unable to copy policy server's own public key from '%s' to '%s'", src_public_key_filename, dst_public_key_filename);
}
if (policy_server)
{
LastSaw(policy_server, digest, LAST_SEEN_ROLE_CONNECT);
}
}
}
return true;
}
void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config)
{
strcpy(VPREFIX, "");
Log(LOG_LEVEL_VERBOSE, " %s", NameVersion());
Banner("Initialization preamble");
GenericAgentSetDefaultDigest(&CF_DEFAULT_DIGEST, &CF_DEFAULT_DIGEST_LEN);
GenericAgentInitialize(ctx, config);
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
SanitizeEnvironment();
THIS_AGENT_TYPE = config->agent_type;
LoggingSetAgentType(CF_AGENTTYPES[config->agent_type]);
EvalContextClassPutHard(ctx, CF_AGENTTYPES[config->agent_type],
"cfe_internal,source=agent");
DetectEnvironment(ctx);
EvalContextHeapPersistentLoadAll(ctx);
LoadSystemConstants(ctx);
const char *bootstrap_arg =
config->agent_specific.agent.bootstrap_policy_server;
/* Are we bootstrapping the agent? */
if (config->agent_type == AGENT_TYPE_AGENT && bootstrap_arg != NULL)
{
EvalContextClassPutHard(ctx, "bootstrap_mode", "source=environment");
if (!RemoveAllExistingPolicyInInputs(GetInputDir()))
{
Log(LOG_LEVEL_ERR,
"Error removing existing input files prior to bootstrap");
exit(EXIT_FAILURE);
}
if (!WriteBuiltinFailsafePolicy(GetInputDir()))
{
Log(LOG_LEVEL_ERR,
"Error writing builtin failsafe to inputs prior to bootstrap");
exit(EXIT_FAILURE);
}
char canonified_ipaddr[strlen(bootstrap_arg) + 1];
StringCanonify(canonified_ipaddr, bootstrap_arg);
bool am_policy_server =
EvalContextClassGet(ctx, NULL, canonified_ipaddr) != NULL;
if (am_policy_server)
{
Log(LOG_LEVEL_INFO, "Assuming role as policy server,"
" with policy distribution point at: %s", GetMasterDir());
MarkAsPolicyServer(ctx);
if (!MasterfileExists(GetMasterDir()))
{
Log(LOG_LEVEL_ERR, "In order to bootstrap as a policy server,"
" the file '%s/promises.cf' must exist.", GetMasterDir());
exit(EXIT_FAILURE);
}
CheckAndSetHAState(GetWorkDir(), ctx);
}
else
{
Log(LOG_LEVEL_INFO, "Assuming role as regular client,"
" bootstrapping to policy server: %s", bootstrap_arg);
if (config->agent_specific.agent.bootstrap_trust_server)
{
EvalContextClassPutHard(ctx, "trust_server", "source=agent");
Log(LOG_LEVEL_NOTICE,
"Bootstrap mode: implicitly trusting server, "
"use --trust-server=no if server trust is already established");
}
}
WriteAmPolicyHubFile(am_policy_server);
WritePolicyServerFile(GetWorkDir(), bootstrap_arg);
SetPolicyServer(ctx, bootstrap_arg);
/* FIXME: Why it is called here? Can't we move both invocations to before if? */
UpdateLastPolicyUpdateTime(ctx);
}
else
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
if (existing_policy_server)
{
Log(LOG_LEVEL_VERBOSE, "This agent is bootstrapped to: %s",
existing_policy_server);
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
UpdateLastPolicyUpdateTime(ctx);
}
else
{
Log(LOG_LEVEL_VERBOSE, "This agent is not bootstrapped -"
" can't find policy_server.dat in: %s", GetWorkDir());
return;
}
if (GetAmPolicyHub())
{
MarkAsPolicyServer(ctx);
/* Should this go in MarkAsPolicyServer() ? */
CheckAndSetHAState(GetWorkDir(), ctx);
}
}
}
AgentDiagnosticsResult AgentDiagnosticsCheckAmPolicyServer(ARG_UNUSED const char *workdir)
{
bool am_policy_server = GetAmPolicyHub();
return AgentDiagnosticsResultNew(am_policy_server,
am_policy_server ? xstrdup("Acting as a policy server") : xstrdup("Not acting as a policy server"));
}
DBPriv *DBPrivOpenDB(const char *dbpath, dbid id)
{
DBPriv *db = xcalloc(1, sizeof(DBPriv));
MDB_txn *txn = NULL;
int rc;
rc = pthread_key_create(&db->txn_key, &DestroyTransaction);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not create transaction key. (pthread_key_create: '%s')",
GetErrorStrFromCode(rc));
free(db);
return NULL;
}
rc = mdb_env_create(&db->env);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not create handle for database %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
rc = mdb_env_set_mapsize(db->env, LMDB_MAXSIZE);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not set mapsize for database %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
if (DB_MAX_READERS > 0)
{
rc = mdb_env_set_maxreaders(db->env, DB_MAX_READERS);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not set maxreaders for database %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
}
unsigned int open_flags = MDB_NOSUBDIR;
if (id == dbid_locks
|| (GetAmPolicyHub() && id == dbid_lastseen))
{
open_flags |= MDB_NOSYNC;
}
#ifdef __hpux
/*
* On HP-UX, a unified file cache was not introduced until version 11.31.
* This means that on 11.23 there are separate file caches for mmap()'ed
* files and open()'ed files. When these two are mixed, changes made using
* one mode won't be immediately seen by the other mode, which is an
* assumption LMDB is relying on. The MDB_WRITEMAP flag causes LMDB to use
* mmap() only, so that we stay within one file cache.
*/
open_flags |= MDB_WRITEMAP;
#endif
rc = mdb_env_open(db->env, dbpath, open_flags, 0644);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not open database %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
if (DB_MAX_READERS > 0)
{
int max_readers;
rc = mdb_env_get_maxreaders(db->env, &max_readers);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not get maxreaders for database %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
if (max_readers < DB_MAX_READERS)
{
// LMDB will only reinitialize maxreaders if no database handles are
// open, including in other processes, which is how we might end up
// here.
Log(LOG_LEVEL_VERBOSE, "Failed to set LMDB max reader limit on database '%s', "
"consider restarting CFEngine",
dbpath);
}
}
rc = mdb_txn_begin(db->env, NULL, MDB_RDONLY, &txn);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not open database txn %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
rc = mdb_open(txn, NULL, 0, &db->dbi);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not open database dbi %s: %s",
dbpath, mdb_strerror(rc));
mdb_txn_abort(txn);
goto err;
}
rc = mdb_txn_commit(txn);
if (rc)
{
Log(LOG_LEVEL_ERR, "Could not commit database dbi %s: %s",
dbpath, mdb_strerror(rc));
goto err;
}
return db;
err:
if (db->env)
{
mdb_env_close(db->env);
}
pthread_key_delete(db->txn_key);
free(db);
if (rc == MDB_INVALID)
{
return DB_PRIV_DATABASE_BROKEN;
}
return NULL;
}
