int MissingDependencies(EvalContext *ctx, const Promise *pp)
{
if (pp == NULL)
{
return false;
}
char name[CF_BUFSIZE], *d;
Rlist *rp, *deps = PromiseGetConstraintAsList(ctx, "depends_on", pp);
for (rp = deps; rp != NULL; rp = rp->next)
{
if (strchr(rp->item, ':'))
{
d = (char *)rp->item;
}
else
{
snprintf(name, CF_BUFSIZE, "%s:%s", PromiseGetNamespace(pp), (char *)rp->item);
d = name;
}
if (!StringSetContains(ctx->dependency_handles, d))
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "\n");
CfOut(OUTPUT_LEVEL_VERBOSE, "", ". . . . . . . . . . . . . . . . . . . . . . . . . . . . \n");
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Skipping whole next promise (%s), as promise dependency %s has not yet been kept\n", pp->promiser, d);
CfOut(OUTPUT_LEVEL_VERBOSE, "", ". . . . . . . . . . . . . . . . . . . . . . . . . . . . \n");
return true;
}
}
return false;
}
int VarClassExcluded(EvalContext *ctx, Promise *pp, char **classes)
{
Constraint *cp = PromiseGetConstraint(ctx, pp, "ifvarclass");
if (cp == NULL)
{
return false;
}
*classes = (char *) ConstraintGetRvalValue(ctx, "ifvarclass", pp, RVAL_TYPE_SCALAR);
if (*classes == NULL)
{
return true;
}
if (strchr(*classes, '$') || strchr(*classes, '@'))
{
CfDebug("Class expression did not evaluate");
return true;
}
if (*classes && IsDefinedClass(ctx, *classes, PromiseGetNamespace(pp)))
{
return false;
}
else
{
return true;
}
}
FnCallResult FnCallEvaluate(EvalContext *ctx, FnCall *fp, const Promise *caller)
{
Rlist *expargs;
const FnCallType *fp_type = FnCallTypeGet(fp->name);
if (fp_type)
{
if (DEBUG)
{
printf("EVALUATE FN CALL %s\n", fp->name);
FnCallShow(stdout, fp);
printf("\n");
}
}
else
{
if (caller)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "No such FnCall \"%s()\" in promise @ %s near line %zd\n",
fp->name, PromiseGetBundle(caller)->source_path, caller->offset.line);
}
else
{
CfOut(OUTPUT_LEVEL_ERROR, "", "No such FnCall \"%s()\" - context info unavailable\n", fp->name);
}
return (FnCallResult) { FNCALL_FAILURE, { FnCallCopy(fp), RVAL_TYPE_FNCALL } };
}
/* If the container classes seem not to be defined at this stage, then don't try to expand the function */
if ((caller != NULL) && !IsDefinedClass(ctx, caller->classes, PromiseGetNamespace(caller)))
{
return (FnCallResult) { FNCALL_FAILURE, { FnCallCopy(fp), RVAL_TYPE_FNCALL } };
}
expargs = NewExpArgs(ctx, fp, caller);
if (UnresolvedArgs(expargs))
{
DeleteExpArgs(expargs);
return (FnCallResult) { FNCALL_FAILURE, { FnCallCopy(fp), RVAL_TYPE_FNCALL } };
}
fp->caller = caller;
FnCallResult result = CallFunction(ctx, fp_type, fp, expargs);
if (result.status == FNCALL_FAILURE)
{
/* We do not assign variables to failed function calls */
DeleteExpArgs(expargs);
return (FnCallResult) { FNCALL_FAILURE, { FnCallCopy(fp), RVAL_TYPE_FNCALL } };
}
DeleteExpArgs(expargs);
return result;
}
static void KeepServerRolePromise(EvalContext *ctx, Promise *pp)
{
Rlist *rp;
Auth *ap;
if (!GetAuthPath(pp->promiser, SV.roles))
{
InstallServerAuthPath(pp->promiser, &SV.roles, &SV.rolestop);
}
ap = GetAuthPath(pp->promiser, SV.roles);
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMROLE_BODIES[REMOTE_ROLE_AUTHORIZE].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
}
break;
case RVAL_TYPE_FNCALL:
/* Shouldn't happen */
break;
default:
if ((strcmp(cp->lval, "comment") == 0) || (strcmp(cp->lval, "handle") == 0))
{
}
else
{
Log(LOG_LEVEL_ERR, "Right-hand side of authorize promise for '%s' should be a list", pp->promiser);
}
break;
}
}
}
void MarkPromiseHandleDone(EvalContext *ctx, const Promise *pp)
{
char name[CF_BUFSIZE];
const char *handle = PromiseGetHandle(pp);
if (handle == NULL)
{
return;
}
snprintf(name, CF_BUFSIZE, "%s:%s", PromiseGetNamespace(pp), handle);
StringSetAdd(ctx->dependency_handles, xstrdup(name));
}
static void SetPromiseOutcomeClasses(char status, EvalContext *ctx, const Promise *pp, Attributes attr)
{
Rlist *add_classes;
Rlist *del_classes;
switch (status)
{
case PROMISE_RESULT_CHANGE:
add_classes = attr.classes.change;
del_classes = attr.classes.del_change;
break;
case PROMISE_RESULT_WARN:
/* FIXME: nothing? */
return;
case PROMISE_RESULT_TIMEOUT:
add_classes = attr.classes.timeout;
del_classes = attr.classes.del_notkept;
break;
case PROMISE_RESULT_FAIL:
add_classes = attr.classes.failure;
del_classes = attr.classes.del_notkept;
break;
case PROMISE_RESULT_DENIED:
add_classes = attr.classes.denied;
del_classes = attr.classes.del_notkept;
break;
case PROMISE_RESULT_INTERRUPTED:
add_classes = attr.classes.interrupt;
del_classes = attr.classes.del_notkept;
break;
case PROMISE_RESULT_NOOP:
add_classes = attr.classes.kept;
del_classes = attr.classes.del_kept;
break;
default:
ProgrammingError("Unexpected status '%c' has been passed to SetPromiseOutcomeClasses", status);
}
AddAllClasses(ctx, PromiseGetNamespace(pp), add_classes, attr.classes.persist, attr.classes.timer, attr.classes.scope);
DeleteAllClasses(ctx, del_classes);
}
static void SetPromiseOutcomeClasses(PromiseResult status, EvalContext *ctx, const Promise *pp, DefineClasses dc)
{
Rlist *add_classes = NULL;
Rlist *del_classes = NULL;
switch (status)
{
case PROMISE_RESULT_CHANGE:
add_classes = dc.change;
del_classes = dc.del_change;
break;
case PROMISE_RESULT_TIMEOUT:
add_classes = dc.timeout;
del_classes = dc.del_notkept;
break;
case PROMISE_RESULT_WARN:
case PROMISE_RESULT_FAIL:
add_classes = dc.failure;
del_classes = dc.del_notkept;
break;
case PROMISE_RESULT_DENIED:
add_classes = dc.denied;
del_classes = dc.del_notkept;
break;
case PROMISE_RESULT_INTERRUPTED:
add_classes = dc.interrupt;
del_classes = dc.del_notkept;
break;
case PROMISE_RESULT_NOOP:
add_classes = dc.kept;
del_classes = dc.del_kept;
break;
default:
ProgrammingError("Unexpected status '%c' has been passed to SetPromiseOutcomeClasses", status);
}
AddAllClasses(ctx, PromiseGetNamespace(pp), add_classes, dc.persist, dc.timer, dc.scope);
DeleteAllClasses(ctx, del_classes);
}
void MarkPromiseHandleDone(EvalContext *ctx, const Promise *pp)
{
if (pp == NULL)
{
return;
}
char name[CF_BUFSIZE];
char *handle = ConstraintGetRvalValue(ctx, "handle", pp, RVAL_TYPE_SCALAR);
if (handle == NULL)
{
return;
}
snprintf(name, CF_BUFSIZE, "%s:%s", PromiseGetNamespace(pp), handle);
StringSetAdd(ctx->dependency_handles, xstrdup(name));
}
static bool MethodsParseTreeCheck(const Promise *pp, Seq *errors)
{
bool success = true;
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
const Constraint *cp = SeqAt(pp->conlist, i);
// ensure: if call and callee are resolved, then they have matching arity
if (StringSafeEqual(cp->lval, "usebundle"))
{
if (cp->rval.type == RVAL_TYPE_FNCALL)
{
// HACK: exploiting the fact that class-references and call-references are similar
FnCall *call = RvalFnCallValue(cp->rval);
ClassRef ref = ClassRefParse(call->name);
if (!ClassRefIsQualified(ref))
{
ClassRefQualify(&ref, PromiseGetNamespace(pp));
}
const Bundle *callee = PolicyGetBundle(PolicyFromPromise(pp), ref.ns, "agent", ref.name);
if (!callee)
{
callee = PolicyGetBundle(PolicyFromPromise(pp), ref.ns, "common", ref.name);
}
ClassRefDestroy(ref);
if (callee)
{
if (RlistLen(call->args) != RlistLen(callee->args))
{
SeqAppend(errors, PolicyErrorNew(POLICY_ELEMENT_TYPE_CONSTRAINT, cp,
POLICY_ERROR_METHODS_BUNDLE_ARITY,
call->name, RlistLen(callee->args), RlistLen(call->args)));
success = false;
}
}
}
}
}
return success;
}
void VerifyVarPromise(EvalContext *ctx, const Promise *pp, bool allow_duplicates)
{
ConvergeVariableOptions opts = CollectConvergeVariableOptions(ctx, pp, allow_duplicates);
if (!opts.should_converge)
{
return;
}
char *scope = NULL;
if (strcmp("meta", pp->parent_promise_type->name) == 0)
{
scope = StringConcatenate(2, PromiseGetBundle(pp)->name, "_meta");
}
else
{
scope = xstrdup(PromiseGetBundle(pp)->name);
}
//More consideration needs to be given to using these
//a.transaction = GetTransactionConstraints(pp);
Attributes a = { {0} };
a.classes = GetClassDefinitionConstraints(ctx, pp);
Rval existing_var_rval;
DataType existing_var_type = DATA_TYPE_NONE;
EvalContextVariableGet(ctx, (VarRef) { NULL, scope, pp->promiser }, &existing_var_rval, &existing_var_type);
Buffer *qualified_scope = BufferNew();
int result = 0;
if (strcmp(PromiseGetNamespace(pp), "default") == 0)
{
result = BufferSet(qualified_scope, scope, strlen(scope));
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
return;
}
}
else
{
if (strchr(scope, ':') == NULL)
{
result = BufferPrintf(qualified_scope, "%s:%s", PromiseGetNamespace(pp), scope);
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
return;
}
}
else
{
result = BufferSet(qualified_scope, scope, strlen(scope));
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
return;
}
}
}
PromiseResult promise_result;
Rval rval = opts.cp_save->rval;
if (rval.item != NULL)
{
FnCall *fp = (FnCall *) rval.item;
if (opts.cp_save->rval.type == RVAL_TYPE_FNCALL)
{
if (existing_var_type != DATA_TYPE_NONE)
{
// Already did this
free(scope);
BufferDestroy(&qualified_scope);
return;
}
FnCallResult res = FnCallEvaluate(ctx, fp, pp);
if (res.status == FNCALL_FAILURE)
{
/* We do not assign variables to failed fn calls */
RvalDestroy(res.rval);
free(scope);
BufferDestroy(&qualified_scope);
return;
}
else
{
rval = res.rval;
}
}
else
{
Buffer *conv = BufferNew();
if (strcmp(opts.cp_save->lval, "int") == 0)
{
result = BufferPrintf(conv, "%ld", IntFromString(opts.cp_save->rval.item));
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
BufferDestroy(&conv);
return;
}
rval = RvalCopy((Rval) {(char *)BufferData(conv), opts.cp_save->rval.type});
}
else if (strcmp(opts.cp_save->lval, "real") == 0)
{
double real_value = 0.0;
if (DoubleFromString(opts.cp_save->rval.item, &real_value))
{
result = BufferPrintf(conv, "%lf", real_value);
}
else
{
result = BufferPrintf(conv, "(double conversion error)");
}
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&conv);
BufferDestroy(&qualified_scope);
return;
}
rval = RvalCopy((Rval) {(char *)BufferData(conv), opts.cp_save->rval.type});
}
else
{
rval = RvalCopy(opts.cp_save->rval);
}
if (rval.type == RVAL_TYPE_LIST)
{
Rlist *rval_list = RvalRlistValue(rval);
RlistFlatten(ctx, &rval_list);
rval.item = rval_list;
}
BufferDestroy(&conv);
}
if (Epimenides(ctx, PromiseGetBundle(pp)->name, pp->promiser, rval, 0))
{
Log(LOG_LEVEL_ERR, "Variable \"%s\" contains itself indirectly - an unkeepable promise", pp->promiser);
exit(1);
}
else
{
/* See if the variable needs recursively expanding again */
Rval returnval = EvaluateFinalRval(ctx, BufferData(qualified_scope), rval, true, pp);
RvalDestroy(rval);
// freed before function exit
rval = returnval;
}
if (existing_var_type != DATA_TYPE_NONE)
{
if (opts.ok_redefine) /* only on second iteration, else we ignore broken promises */
{
ScopeDeleteVariable(BufferData(qualified_scope), pp->promiser);
}
else if ((THIS_AGENT_TYPE == AGENT_TYPE_COMMON) && (CompareRval(existing_var_rval, rval) == false))
{
switch (rval.type)
{
case RVAL_TYPE_SCALAR:
Log(LOG_LEVEL_VERBOSE, "Redefinition of a constant scalar \"%s\" (was %s now %s)",
pp->promiser, RvalScalarValue(existing_var_rval), RvalScalarValue(rval));
PromiseRef(LOG_LEVEL_VERBOSE, pp);
break;
case RVAL_TYPE_LIST:
{
Log(LOG_LEVEL_VERBOSE, "Redefinition of a constant list \"%s\".", pp->promiser);
Writer *w = StringWriter();
RlistWrite(w, existing_var_rval.item);
char *oldstr = StringWriterClose(w);
Log(LOG_LEVEL_VERBOSE, "Old value: %s", oldstr);
free(oldstr);
w = StringWriter();
RlistWrite(w, rval.item);
char *newstr = StringWriterClose(w);
Log(LOG_LEVEL_VERBOSE, " New value: %s", newstr);
free(newstr);
PromiseRef(LOG_LEVEL_VERBOSE, pp);
}
break;
default:
break;
}
}
}
if (IsCf3VarString(pp->promiser))
{
// Unexpanded variables, we don't do anything with
RvalDestroy(rval);
free(scope);
BufferDestroy(&qualified_scope);
return;
}
if (!FullTextMatch("[a-zA-Z0-9_\200-\377.]+(\\[.+\\])*", pp->promiser))
{
Log(LOG_LEVEL_ERR, "Variable identifier contains illegal characters");
PromiseRef(LOG_LEVEL_ERR, pp);
RvalDestroy(rval);
free(scope);
BufferDestroy(&qualified_scope);
return;
}
if (opts.drop_undefined && rval.type == RVAL_TYPE_LIST)
{
for (Rlist *rp = rval.item; rp != NULL; rp = rp->next)
{
if (IsNakedVar(rp->item, '@'))
{
free(rp->item);
rp->item = xstrdup(CF_NULL_VALUE);
}
}
}
if (!EvalContextVariablePut(ctx, (VarRef) { NULL, BufferData(qualified_scope), pp->promiser }, rval, DataTypeFromString(opts.cp_save->lval)))
{
Log(LOG_LEVEL_VERBOSE, "Unable to converge %s.%s value (possibly empty or infinite regression)", BufferData(qualified_scope), pp->promiser);
PromiseRef(LOG_LEVEL_VERBOSE, pp);
promise_result = PROMISE_RESULT_FAIL;
}
else
{
promise_result = PROMISE_RESULT_CHANGE;
}
}
else
{
Log(LOG_LEVEL_ERR, "Variable %s has no promised value", pp->promiser);
Log(LOG_LEVEL_ERR, "Rule from %s at/before line %zu", PromiseGetBundle(pp)->source_path, opts.cp_save->offset.line);
promise_result = PROMISE_RESULT_FAIL;
}
/*
* FIXME: Variable promise are exempt from normal evaluation logic still, so
* they are not pushed to evaluation stack before being evaluated. Due to
* this reason, we cannot call cfPS here to set classes, as it will error
* out with ProgrammingError.
*
* In order to support 'classes' body for variables as well, we call
* ClassAuditLog explicitly.
*/
ClassAuditLog(ctx, pp, a, promise_result);
free(scope);
BufferDestroy(&qualified_scope);
RvalDestroy(rval);
}
static void ExpandPromiseAndDo(EvalContext *ctx, const Promise *pp, Rlist *lists, Rlist *containers, PromiseActuator *ActOnPromise, void *param)
{
const char *handle = PromiseGetHandle(pp);
char v[CF_MAXVARSIZE];
EvalContextStackPushPromiseFrame(ctx, pp, true);
PromiseIterator *iter_ctx = NULL;
for (iter_ctx = PromiseIteratorNew(ctx, pp, lists, containers); PromiseIteratorHasMore(iter_ctx); PromiseIteratorNext(iter_ctx))
{
EvalContextStackPushPromiseIterationFrame(ctx, iter_ctx);
char number[CF_SMALLBUF];
/* Allow $(this.handle) etc variables */
if (PromiseGetBundle(pp)->source_path)
{
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "promise_filename",PromiseGetBundle(pp)->source_path, DATA_TYPE_STRING);
snprintf(number, CF_SMALLBUF, "%zu", pp->offset.line);
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "promise_linenumber", number, DATA_TYPE_STRING);
}
snprintf(v, CF_MAXVARSIZE, "%d", (int) getuid());
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "promiser_uid", v, DATA_TYPE_INT);
snprintf(v, CF_MAXVARSIZE, "%d", (int) getgid());
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "promiser_gid", v, DATA_TYPE_INT);
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "bundle", PromiseGetBundle(pp)->name, DATA_TYPE_STRING);
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "namespace", PromiseGetNamespace(pp), DATA_TYPE_STRING);
/* Must expand $(this.promiser) here for arg dereferencing in things
like edit_line and methods, but we might have to
adjust again later if the value changes -- need to qualify this
so we don't expand too early for some other promsies */
if (pp->has_subbundles)
{
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "promiser", pp->promiser, DATA_TYPE_STRING);
}
if (handle)
{
char tmp[CF_EXPANDSIZE];
// This ordering is necessary to get automated canonification
ExpandScalar(ctx, NULL, "this", handle, tmp);
CanonifyNameInPlace(tmp);
Log(LOG_LEVEL_DEBUG, "Expanded handle to '%s'", tmp);
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "handle", tmp, DATA_TYPE_STRING);
}
else
{
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "handle", PromiseID(pp), DATA_TYPE_STRING);
}
Promise *pexp = ExpandDeRefPromise(ctx, pp);
assert(ActOnPromise);
ActOnPromise(ctx, pexp, param);
if (strcmp(pp->parent_promise_type->name, "vars") == 0 || strcmp(pp->parent_promise_type->name, "meta") == 0)
{
VerifyVarPromise(ctx, pexp, true);
}
PromiseDestroy(pexp);
EvalContextStackPopFrame(ctx);
}
PromiseIteratorDestroy(iter_ctx);
EvalContextStackPopFrame(ctx);
}
/**
* @brief Collects variable constraints controlling how the promise should be converged
*/
static ConvergeVariableOptions CollectConvergeVariableOptions(EvalContext *ctx, const Promise *pp, bool allow_redefine)
{
ConvergeVariableOptions opts = { 0 };
opts.should_converge = false;
opts.drop_undefined = false;
opts.ok_redefine = allow_redefine;
opts.cp_save = NULL;
if (EvalContextPromiseIsDone(ctx, pp))
{
return opts;
}
if (!IsDefinedClass(ctx, pp->classes, PromiseGetNamespace(pp)))
{
return opts;
}
int num_values = 0;
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (strcmp(cp->lval, "comment") == 0)
{
continue;
}
if (cp->rval.item == NULL)
{
continue;
}
if (strcmp(cp->lval, "ifvarclass") == 0)
{
Rval res;
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (!IsDefinedClass(ctx, cp->rval.item, PromiseGetNamespace(pp)))
{
return opts;
}
break;
case RVAL_TYPE_FNCALL:
{
bool excluded = false;
/* eval it: e.g. ifvarclass => not("a_class") */
res = FnCallEvaluate(ctx, cp->rval.item, NULL).rval;
/* Don't continue unless function was evaluated properly */
if (res.type != RVAL_TYPE_SCALAR)
{
RvalDestroy(res);
return opts;
}
excluded = !IsDefinedClass(ctx, res.item, PromiseGetNamespace(pp));
RvalDestroy(res);
if (excluded)
{
return opts;
}
}
break;
default:
Log(LOG_LEVEL_ERR, "Invalid ifvarclass type '%c': should be string or function", cp->rval.type);
continue;
}
continue;
}
if (strcmp(cp->lval, "policy") == 0)
{
if (strcmp(cp->rval.item, "ifdefined") == 0)
{
opts.drop_undefined = true;
opts.ok_redefine = false;
}
else if (strcmp(cp->rval.item, "constant") == 0)
{
opts.ok_redefine = false;
}
else
{
opts.ok_redefine |= true;
}
}
else if (IsDataType(cp->lval))
{
num_values++;
opts.cp_save = cp;
}
}
if (opts.cp_save == NULL)
{
Log(LOG_LEVEL_INFO, "Warning: Variable body for \"%s\" seems incomplete", pp->promiser);
PromiseRef(LOG_LEVEL_INFO, pp);
return opts;
}
if (num_values > 2)
{
Log(LOG_LEVEL_ERR, "Variable \"%s\" breaks its own promise with multiple values (code %d)", pp->promiser, num_values);
PromiseRef(LOG_LEVEL_ERR, pp);
return opts;
}
opts.should_converge = true;
return opts;
}
PromiseResult ScheduleEditOperation(EvalContext *ctx, char *filename, Attributes a, Promise *pp)
{
void *vp;
FnCall *fp;
Rlist *args = NULL;
char edit_bundle_name[CF_BUFSIZE], lockname[CF_BUFSIZE], qualified_edit[CF_BUFSIZE], *method_deref;
CfLock thislock;
snprintf(lockname, CF_BUFSIZE - 1, "fileedit-%s", filename);
thislock = AcquireLock(ctx, lockname, VUQNAME, CFSTARTTIME, a.transaction, pp, false);
if (thislock.lock == NULL)
{
return PROMISE_RESULT_NOOP;
}
EditContext *edcontext = NewEditContext(filename, a);
PromiseResult result = PROMISE_RESULT_NOOP;
if (edcontext == NULL)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "File '%s' was marked for editing but could not be opened", filename);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
goto exit;
}
Policy *policy = PolicyFromPromise(pp);
if (a.haveeditline)
{
if ((vp = ConstraintGetRvalValue(ctx, "edit_line", pp, RVAL_TYPE_FNCALL)))
{
fp = (FnCall *) vp;
strcpy(edit_bundle_name, fp->name);
args = fp->args;
}
else if ((vp = ConstraintGetRvalValue(ctx, "edit_line", pp, RVAL_TYPE_SCALAR)))
{
strcpy(edit_bundle_name, (char *) vp);
args = NULL;
}
else
{
goto exit;
}
if (strncmp(edit_bundle_name,"default:",strlen("default:")) == 0) // CF_NS == ':'
{
method_deref = strchr(edit_bundle_name, CF_NS) + 1;
}
else if ((strchr(edit_bundle_name, CF_NS) == NULL) && (strcmp(PromiseGetNamespace(pp), "default") != 0))
{
snprintf(qualified_edit, CF_BUFSIZE, "%s%c%s", PromiseGetNamespace(pp), CF_NS, edit_bundle_name);
method_deref = qualified_edit;
}
else
{
method_deref = edit_bundle_name;
}
Log(LOG_LEVEL_VERBOSE, "Handling file edits in edit_line bundle '%s'", method_deref);
Bundle *bp = NULL;
if ((bp = PolicyGetBundle(policy, NULL, "edit_line", method_deref)))
{
BannerSubBundle(bp, args);
EvalContextStackPushBundleFrame(ctx, bp, args, a.edits.inherit);
BundleResolve(ctx, bp);
ScheduleEditLineOperations(ctx, bp, a, pp, edcontext);
EvalContextStackPopFrame(ctx);
}
else
{
Log(LOG_LEVEL_ERR, "Did not find method '%s' in bundle '%s' for edit operation", method_deref, edit_bundle_name);
}
}
if (a.haveeditxml)
{
if ((vp = ConstraintGetRvalValue(ctx, "edit_xml", pp, RVAL_TYPE_FNCALL)))
{
fp = (FnCall *) vp;
strcpy(edit_bundle_name, fp->name);
args = fp->args;
}
else if ((vp = ConstraintGetRvalValue(ctx, "edit_xml", pp, RVAL_TYPE_SCALAR)))
{
strcpy(edit_bundle_name, (char *) vp);
args = NULL;
}
else
{
goto exit;
}
if (strncmp(edit_bundle_name,"default:",strlen("default:")) == 0) // CF_NS == ':'
{
method_deref = strchr(edit_bundle_name, CF_NS) + 1;
}
else
{
method_deref = edit_bundle_name;
}
Log(LOG_LEVEL_VERBOSE, "Handling file edits in edit_xml bundle '%s'", method_deref);
Bundle *bp = NULL;
if ((bp = PolicyGetBundle(policy, NULL, "edit_xml", method_deref)))
{
BannerSubBundle(bp, args);
EvalContextStackPushBundleFrame(ctx, bp, args, a.edits.inherit);
BundleResolve(ctx, bp);
ScheduleEditXmlOperations(ctx, bp, a, pp, edcontext);
EvalContextStackPopFrame(ctx);
}
}
if (a.edit_template)
{
if (!a.template_method || strcmp("cfengine", a.template_method) == 0)
{
Policy *tmp_policy = PolicyNew();
Bundle *bp = NULL;
if ((bp = MakeTemporaryBundleFromTemplate(ctx, tmp_policy, a, pp, &result)))
{
BannerSubBundle(bp, args);
a.haveeditline = true;
EvalContextStackPushBundleFrame(ctx, bp, args, a.edits.inherit);
BundleResolve(ctx, bp);
ScheduleEditLineOperations(ctx, bp, a, pp, edcontext);
EvalContextStackPopFrame(ctx);
}
PolicyDestroy(tmp_policy);
}
else if (strcmp("mustache", a.template_method) == 0)
{
if (!FileCanOpen(a.edit_template, "r"))
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Template file '%s' could not be opened for reading", a.edit_template);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
goto exit;
}
Writer *ouput_writer = NULL;
{
FILE *output_file = fopen(pp->promiser, "w");
if (!output_file)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Output file '%s' could not be opened for writing", pp->promiser);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
goto exit;
}
ouput_writer = FileWriter(output_file);
}
Writer *template_writer = FileRead(a.edit_template, SIZE_MAX, NULL);
if (!template_writer)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Could not read template file '%s'", a.edit_template);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
WriterClose(ouput_writer);
goto exit;
}
JsonElement *default_template_data = NULL;
if (!a.template_data)
{
a.template_data = default_template_data = DefaultTemplateData(ctx);
}
if (!MustacheRender(ouput_writer, StringWriterData(template_writer), a.template_data))
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Error rendering mustache template '%s'", a.edit_template);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
WriterClose(template_writer);
WriterClose(ouput_writer);
goto exit;
}
JsonDestroy(default_template_data);
WriterClose(template_writer);
WriterClose(ouput_writer);
}
}
exit:
result = PromiseResultUpdate(result, FinishEditContext(ctx, edcontext, a, pp));
YieldCurrentLock(thislock);
return result;
}
void VerifyClassPromise(EvalContext *ctx, Promise *pp, ARG_UNUSED void *param)
{
assert(param == NULL);
Attributes a;
a = GetClassContextAttributes(ctx, pp);
if (!FullTextMatch("[a-zA-Z0-9_]+", pp->promiser))
{
Log(LOG_LEVEL_VERBOSE, "Class identifier '%s' contains illegal characters - canonifying", pp->promiser);
snprintf(pp->promiser, strlen(pp->promiser) + 1, "%s", CanonifyName(pp->promiser));
}
if (a.context.nconstraints == 0)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "No constraints for class promise '%s'", pp->promiser);
return;
}
if (a.context.nconstraints > 1)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Irreconcilable constraints in classes for '%s'", pp->promiser);
return;
}
bool global_class;
if (a.context.persistent > 0) /* Persistent classes are always global */
{
global_class = true;
}
else if (a.context.scope == CONTEXT_SCOPE_NONE)
{
/* If there is no explicit scope, common bundles define global classes, other bundles define local classes */
if (strcmp(PromiseGetBundle(pp)->type, "common") == 0)
{
global_class = true;
}
else
{
global_class = false;
}
}
else if (a.context.scope == CONTEXT_SCOPE_NAMESPACE)
{
global_class = true;
}
else if (a.context.scope == CONTEXT_SCOPE_BUNDLE)
{
global_class = false;
}
if (EvalClassExpression(ctx, a.context.expression, pp))
{
if (!ValidClassName(pp->promiser))
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a,
"Attempted to name a class '%s', which is an illegal class identifier", pp->promiser);
}
else
{
if (global_class)
{
Log(LOG_LEVEL_VERBOSE, "Adding global class '%s'", pp->promiser);
EvalContextHeapAddSoft(ctx, pp->promiser, PromiseGetNamespace(pp));
}
else
{
Log(LOG_LEVEL_VERBOSE, "Adding local bundle class '%s'", pp->promiser);
EvalContextStackFrameAddSoft(ctx, pp->promiser);
}
if (a.context.persistent > 0)
{
Log(LOG_LEVEL_VERBOSE, "Adding persistent class '%s'. (%d minutes)", pp->promiser,
a.context.persistent);
EvalContextHeapPersistentSave(pp->promiser, PromiseGetNamespace(pp), a.context.persistent, CONTEXT_STATE_POLICY_RESET);
}
}
}
}
int VerifyMethod(EvalContext *ctx, char *attrname, Attributes a, Promise *pp)
{
Bundle *bp;
void *vp;
FnCall *fp;
char method_name[CF_EXPANDSIZE], qualified_method[CF_BUFSIZE], *method_deref;
Rlist *params = NULL;
int retval = false;
CfLock thislock;
char lockname[CF_BUFSIZE];
if (a.havebundle)
{
if ((vp = ConstraintGetRvalValue(ctx, attrname, pp, RVAL_TYPE_FNCALL)))
{
fp = (FnCall *) vp;
ExpandScalar(ctx, PromiseGetBundle(pp)->name, fp->name, method_name);
params = fp->args;
}
else if ((vp = ConstraintGetRvalValue(ctx, attrname, pp, RVAL_TYPE_SCALAR)))
{
ExpandScalar(ctx, PromiseGetBundle(pp)->name, (char *) vp, method_name);
params = NULL;
}
else
{
return false;
}
}
GetLockName(lockname, "method", pp->promiser, params);
thislock = AcquireLock(ctx, lockname, VUQNAME, CFSTARTTIME, a.transaction, pp, false);
if (thislock.lock == NULL)
{
return false;
}
PromiseBanner(pp);
if (strncmp(method_name,"default:",strlen("default:")) == 0) // CF_NS == ':'
{
method_deref = strchr(method_name, CF_NS) + 1;
}
else if ((strchr(method_name, CF_NS) == NULL) && (strcmp(PromiseGetNamespace(pp), "default") != 0))
{
snprintf(qualified_method, CF_BUFSIZE, "%s%c%s", PromiseGetNamespace(pp), CF_NS, method_name);
method_deref = qualified_method;
}
else
{
method_deref = method_name;
}
bp = PolicyGetBundle(PolicyFromPromise(pp), NULL, "agent", method_deref);
if (!bp)
{
bp = PolicyGetBundle(PolicyFromPromise(pp), NULL, "common", method_deref);
}
if (bp)
{
BannerSubBundle(bp, params);
EvalContextStackPushBundleFrame(ctx, bp, a.inherit);
ScopeClear(bp->name);
BundleHashVariables(ctx, bp);
ScopeAugment(ctx, bp, pp, params);
retval = ScheduleAgentOperations(ctx, bp);
GetReturnValue(ctx, bp->name, pp);
EvalContextStackPopFrame(ctx);
switch (retval)
{
case PROMISE_RESULT_FAIL:
cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_FAIL, pp, a, "Method failed in some repairs or aborted");
break;
case PROMISE_RESULT_CHANGE:
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_CHANGE, pp, a, "Method invoked repairs");
break;
default:
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, pp, a, "Method verified");
break;
}
for (const Rlist *rp = bp->args; rp; rp = rp->next)
{
const char *lval = rp->item;
ScopeDeleteScalar((VarRef) { NULL, bp->name, lval });
}
}
else
{
if (IsCf3VarString(method_name))
{
Log(LOG_LEVEL_ERR,
"A variable seems to have been used for the name of the method. In this case, the promiser also needs to contain the unique name of the method");
}
if (bp && (bp->name))
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Method '%s' was used but was not defined", bp->name);
}
else
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a,
"A method attempted to use a bundle '%s' that was apparently not defined", method_name);
}
}
YieldCurrentLock(thislock);
return retval;
}
Promise *DeRefCopyPromise(EvalContext *ctx, const Promise *pp)
{
Promise *pcopy;
Rval returnval;
pcopy = xcalloc(1, sizeof(Promise));
if (pp->promiser)
{
pcopy->promiser = xstrdup(pp->promiser);
}
if (pp->promisee.item)
{
pcopy->promisee = RvalCopy(pp->promisee);
if (pcopy->promisee.type == RVAL_TYPE_LIST)
{
Rlist *rval_list = RvalRlistValue(pcopy->promisee);
RlistFlatten(ctx, &rval_list);
pcopy->promisee.item = rval_list;
}
}
if (pp->classes)
{
pcopy->classes = xstrdup(pp->classes);
}
/* FIXME: may it happen? */
if ((pp->promisee.item != NULL && pcopy->promisee.item == NULL))
{
ProgrammingError("Unable to copy promise");
}
pcopy->parent_promise_type = pp->parent_promise_type;
pcopy->offset.line = pp->offset.line;
pcopy->comment = pp->comment ? xstrdup(pp->comment) : NULL;
pcopy->has_subbundles = pp->has_subbundles;
pcopy->conlist = SeqNew(10, ConstraintDestroy);
pcopy->org_pp = pp->org_pp;
pcopy->offset = pp->offset;
/* No further type checking should be necessary here, already done by CheckConstraintTypeMatch */
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
Body *bp = NULL;
FnCall *fp = NULL;
/* A body template reference could look like a scalar or fn to the parser w/w () */
const Policy *policy = PolicyFromPromise(pp);
Seq *bodies = policy ? policy->bodies : NULL;
char body_ns[CF_MAXVARSIZE] = "";
char body_name[CF_MAXVARSIZE] = "";
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (cp->references_body)
{
SplitScopeName(RvalScalarValue(cp->rval), body_ns, body_name);
if (EmptyString(body_ns))
{
strncpy(body_ns, PromiseGetNamespace(pp), CF_MAXVARSIZE);
}
bp = IsBody(bodies, body_ns, body_name);
}
fp = NULL;
break;
case RVAL_TYPE_FNCALL:
fp = RvalFnCallValue(cp->rval);
SplitScopeName(fp->name, body_ns, body_name);
if (EmptyString(body_ns))
{
strncpy(body_ns, PromiseGetNamespace(pp), CF_MAXVARSIZE);
}
bp = IsBody(bodies, body_ns, body_name);
break;
default:
bp = NULL;
fp = NULL;
break;
}
/* First case is: we have a body template to expand lval = body(args), .. */
if (bp)
{
EvalContextStackPushBodyFrame(ctx, pcopy, bp, fp ? fp->args : NULL);
if (strcmp(bp->type, cp->lval) != 0)
{
Log(LOG_LEVEL_ERR,
"Body type mismatch for body reference '%s' in promise at line %zu of file '%s', '%s' does not equal '%s'",
body_name, pp->offset.line, PromiseGetBundle(pp)->source_path, bp->type, cp->lval);
}
/* Keep the referent body type as a boolean for convenience when checking later */
if (IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pcopy)))
{
Constraint *cp_copy = PromiseAppendConstraint(pcopy, cp->lval, (Rval) {xstrdup("true"), RVAL_TYPE_SCALAR }, false);
cp_copy->offset = cp->offset;
}
if (bp->args != NULL)
{
/* There are arguments to insert */
if (fp == NULL || fp->args == NULL)
{
Log(LOG_LEVEL_ERR, "Argument mismatch for body reference '%s' in promise at line %zu of file '%s'",
body_name, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
for (size_t k = 0; k < SeqLength(bp->conlist); k++)
{
Constraint *scp = SeqAt(bp->conlist, k);
returnval = ExpandPrivateRval(ctx, NULL, "body", scp->rval.item, scp->rval.type);
if (IsDefinedClass(ctx, scp->classes, PromiseGetNamespace(pcopy)))
{
Constraint *scp_copy = PromiseAppendConstraint(pcopy, scp->lval, returnval, false);
scp_copy->offset = scp->offset;
}
}
}
else
{
/* No arguments to deal with or body undeclared */
if (fp != NULL)
{
Log(LOG_LEVEL_ERR,
"An apparent body \"%s()\" was undeclared or could have incorrect args, but used in a promise near line %zu of %s (possible unquoted literal value)",
body_name, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
else
{
for (size_t k = 0; k < SeqLength(bp->conlist); k++)
{
Constraint *scp = SeqAt(bp->conlist, k);
Rval newrv = RvalCopy(scp->rval);
if (newrv.type == RVAL_TYPE_LIST)
{
Rlist *new_list = RvalRlistValue(newrv);
RlistFlatten(ctx, &new_list);
newrv.item = new_list;
}
if (IsDefinedClass(ctx, scp->classes, PromiseGetNamespace(pcopy)))
{
Constraint *scp_copy = PromiseAppendConstraint(pcopy, scp->lval, newrv, false);
scp_copy->offset = scp->offset;
}
}
}
}
EvalContextStackPopFrame(ctx);
}
else
{
const Policy *policy = PolicyFromPromise(pp);
if (cp->references_body && !IsBundle(policy->bundles, EmptyString(body_ns) ? NULL : body_ns, body_name))
{
Log(LOG_LEVEL_ERR,
"Apparent body \"%s()\" was undeclared, but used in a promise near line %zu of %s (possible unquoted literal value)",
body_name, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
Rval newrv = RvalCopy(cp->rval);
if (newrv.type == RVAL_TYPE_LIST)
{
Rlist *new_list = RvalRlistValue(newrv);
RlistFlatten(ctx, &new_list);
newrv.item = new_list;
}
if (IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pcopy)))
{
Constraint *cp_copy = PromiseAppendConstraint(pcopy, cp->lval, newrv, false);
cp_copy->offset = cp->offset;
}
}
}
return pcopy;
}
static void KeepServerPromise(EvalContext *ctx, Promise *pp, const ReportContext *report_context)
{
char *sp = NULL;
if (!IsDefinedClass(ctx, pp->classes, PromiseGetNamespace(pp)))
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Skipping whole promise, as context is %s\n", pp->classes);
return;
}
if (VarClassExcluded(ctx, pp, &sp))
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "\n");
CfOut(OUTPUT_LEVEL_VERBOSE, "", ". . . . . . . . . . . . . . . . . . . . . . . . . . . . \n");
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Skipping whole next promise (%s), as var-context %s is not relevant\n", pp->promiser,
sp);
CfOut(OUTPUT_LEVEL_VERBOSE, "", ". . . . . . . . . . . . . . . . . . . . . . . . . . . . \n");
return;
}
if (strcmp(pp->parent_promise_type->name, "classes") == 0)
{
KeepClassContextPromise(ctx, pp, report_context);
return;
}
sp = (char *) ConstraintGetRvalValue(ctx, "resource_type", pp, RVAL_TYPE_SCALAR);
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "literal") == 0))
{
KeepLiteralAccessPromise(ctx, pp, "literal");
return;
}
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "variable") == 0))
{
KeepLiteralAccessPromise(ctx, pp, "variable");
return;
}
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "query") == 0))
{
KeepQueryAccessPromise(ctx, pp, "query");
return;
}
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "context") == 0))
{
KeepLiteralAccessPromise(ctx, pp, "context");
return;
}
/* Default behaviour is file access */
if (strcmp(pp->parent_promise_type->name, "access") == 0)
{
KeepFileAccessPromise(ctx, pp);
return;
}
if (strcmp(pp->parent_promise_type->name, "roles") == 0)
{
KeepServerRolePromise(ctx, pp);
return;
}
}
static ActionResult RepairExec(EvalContext *ctx, Attributes a, Promise *pp)
{
char line[CF_BUFSIZE], eventname[CF_BUFSIZE];
char cmdline[CF_BUFSIZE];
char comm[20];
int outsourced, count = 0;
#if !defined(__MINGW32__)
mode_t maskval = 0;
#endif
FILE *pfp;
char cmdOutBuf[CF_BUFSIZE];
int cmdOutBufPos = 0;
int lineOutLen;
if (IsAbsoluteFileName(CommandArg0(pp->promiser)) || a.contain.shelltype == SHELL_TYPE_NONE)
{
if (!IsExecutable(CommandArg0(pp->promiser)))
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "'%s' promises to be executable but isn't", pp->promiser);
if (strchr(pp->promiser, ' '))
{
Log(LOG_LEVEL_VERBOSE, "Paths with spaces must be inside escaped quoutes (e.g. \\\"%s\\\")", pp->promiser);
}
return ACTION_RESULT_FAILED;
}
else
{
Log(LOG_LEVEL_VERBOSE, "Promiser string contains a valid executable '%s' - ok", CommandArg0(pp->promiser));
}
}
char timeout_str[CF_BUFSIZE];
if (a.contain.timeout == CF_NOINT)
{
snprintf(timeout_str, CF_BUFSIZE, "no timeout");
}
else
{
snprintf(timeout_str, CF_BUFSIZE, "timeout=%ds", a.contain.timeout);
}
char owner_str[CF_BUFSIZE] = "";
if (a.contain.owner != -1)
{
snprintf(owner_str, CF_BUFSIZE, ",uid=%ju", (uintmax_t)a.contain.owner);
}
char group_str[CF_BUFSIZE] = "";
if (a.contain.group != -1)
{
snprintf(group_str, CF_BUFSIZE, ",gid=%ju", (uintmax_t)a.contain.group);
}
snprintf(cmdline, CF_BUFSIZE, "%s%s%s", pp->promiser, a.args ? " " : "", a.args ? a.args : "");
Log(LOG_LEVEL_INFO, "Executing '%s%s%s' ... '%s'", timeout_str, owner_str, group_str, cmdline);
BeginMeasure();
if (DONTDO && (!a.contain.preview))
{
Log(LOG_LEVEL_ERR, "Would execute script '%s'", cmdline);
return ACTION_RESULT_OK;
}
if (a.transaction.action != cfa_fix)
{
Log(LOG_LEVEL_ERR, "Command '%s' needs to be executed, but only warning was promised", cmdline);
return ACTION_RESULT_OK;
}
CommandPrefix(cmdline, comm);
if (a.transaction.background)
{
#ifdef __MINGW32__
outsourced = true;
#else
Log(LOG_LEVEL_VERBOSE, "Backgrounding job '%s'", cmdline);
outsourced = fork();
#endif
}
else
{
outsourced = false;
}
if (outsourced || (!a.transaction.background)) // work done here: either by child or non-background parent
{
if (a.contain.timeout != CF_NOINT)
{
SetTimeOut(a.contain.timeout);
}
#ifndef __MINGW32__
Log(LOG_LEVEL_VERBOSE, "(Setting umask to %jo)", (uintmax_t)a.contain.umask);
maskval = umask(a.contain.umask);
if (a.contain.umask == 0)
{
Log(LOG_LEVEL_VERBOSE, "Programming '%s' running with umask 0! Use umask= to set", cmdline);
}
#endif /* !__MINGW32__ */
if (a.contain.shelltype == SHELL_TYPE_POWERSHELL)
{
#ifdef __MINGW32__
pfp =
cf_popen_powershell_setuid(cmdline, "r", a.contain.owner, a.contain.group, a.contain.chdir, a.contain.chroot,
a.transaction.background);
#else // !__MINGW32__
Log(LOG_LEVEL_ERR, "Powershell is only supported on Windows");
return ACTION_RESULT_FAILED;
#endif // !__MINGW32__
}
else if (a.contain.shelltype == SHELL_TYPE_USE)
{
pfp =
cf_popen_shsetuid(cmdline, "r", a.contain.owner, a.contain.group, a.contain.chdir, a.contain.chroot,
a.transaction.background);
}
else
{
pfp =
cf_popensetuid(cmdline, "r", a.contain.owner, a.contain.group, a.contain.chdir, a.contain.chroot,
a.transaction.background);
}
if (pfp == NULL)
{
Log(LOG_LEVEL_ERR, "Couldn't open pipe to command '%s'. (cf_popen: %s)", cmdline, GetErrorStr());
return ACTION_RESULT_FAILED;
}
for (;;)
{
ssize_t res = CfReadLine(line, CF_BUFSIZE, pfp);
if (res == 0)
{
break;
}
if (res == -1)
{
Log(LOG_LEVEL_ERR, "Unable to read output from command '%s'. (fread: %s)", cmdline, GetErrorStr());
cf_pclose(pfp);
return ACTION_RESULT_FAILED;
}
if (strstr(line, "cfengine-die"))
{
break;
}
if (a.contain.preview)
{
PreviewProtocolLine(line, cmdline);
}
if (a.module)
{
ModuleProtocol(ctx, cmdline, line, !a.contain.nooutput, PromiseGetNamespace(pp));
}
else if ((!a.contain.nooutput) && (!EmptyString(line)))
{
lineOutLen = strlen(comm) + strlen(line) + 12;
// if buffer is to small for this line, output it directly
if (lineOutLen > sizeof(cmdOutBuf))
{
Log(LOG_LEVEL_NOTICE, "Q: '%s': %s", comm, line);
}
else
{
if (cmdOutBufPos + lineOutLen > sizeof(cmdOutBuf))
{
Log(LOG_LEVEL_NOTICE, "%s", cmdOutBuf);
cmdOutBufPos = 0;
}
sprintf(cmdOutBuf + cmdOutBufPos, "Q: \"...%s\": %s\n", comm, line);
cmdOutBufPos += (lineOutLen - 1);
}
count++;
}
}
#ifdef __MINGW32__
if (outsourced) // only get return value if we waited for command execution
{
cf_pclose(pfp);
}
else
#endif /* __MINGW32__ */
{
int ret = cf_pclose(pfp);
if (ret == -1)
{
cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_FAIL, pp, a, "Finished script '%s' - failed (abnormal termination)", pp->promiser);
}
else
{
VerifyCommandRetcode(ctx, ret, true, a, pp);
}
}
}
if (count)
{
if (cmdOutBufPos)
{
Log(LOG_LEVEL_NOTICE, "%s", cmdOutBuf);
}
Log(LOG_LEVEL_INFO, "Last %d quoted lines were generated by promiser '%s'", count, cmdline);
}
if (a.contain.timeout != CF_NOINT)
{
alarm(0);
signal(SIGALRM, SIG_DFL);
}
Log(LOG_LEVEL_INFO, "Completed execution of '%s'", cmdline);
#ifndef __MINGW32__
umask(maskval);
#endif
snprintf(eventname, CF_BUFSIZE - 1, "Exec(%s)", cmdline);
#ifndef __MINGW32__
if ((a.transaction.background) && outsourced)
{
Log(LOG_LEVEL_VERBOSE, "Backgrounded command '%s' is done - exiting", cmdline);
exit(0);
}
#endif /* !__MINGW32__ */
return ACTION_RESULT_OK;
}
void FinishEditContext(EvalContext *ctx, EditContext *ec, Attributes a, Promise *pp)
{
Item *ip;
EDIT_MODEL = false;
if (DONTDO || (a.transaction.action == cfa_warn))
{
if (ec && (!CompareToFile(ctx, ec->file_start, ec->filename, a, pp)) && (ec->num_edits > 0))
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, CF_WARN, "", pp, a, " -> Should edit file %s but only a warning promised", ec->filename);
}
return;
}
else if (ec && (ec->num_edits > 0))
{
if (a.haveeditline)
{
if (CompareToFile(ctx, ec->file_start, ec->filename, a, pp))
{
if (ec)
{
cfPS(ctx, OUTPUT_LEVEL_VERBOSE, CF_NOP, "", pp, a, " -> No edit changes to file %s need saving", ec->filename);
}
}
else
{
SaveItemListAsFile(ctx, ec->file_start, ec->filename, a, pp);
}
}
if (a.haveeditxml)
{
#ifdef HAVE_LIBXML2
if (XmlCompareToFile(ctx, ec->xmldoc, ec->filename, a, pp))
{
if (ec)
{
cfPS(ctx, OUTPUT_LEVEL_VERBOSE, CF_NOP, "", pp, a, " -> No edit changes to xml file %s need saving", ec->filename);
}
}
else
{
SaveXmlDocAsFile(ctx, ec->xmldoc, ec->filename, a, pp);
}
xmlFreeDoc(ec->xmldoc);
#else
cfPS(ctx, OUTPUT_LEVEL_ERROR, CF_FAIL, "", pp, a, " !! Cannot edit XML files without LIBXML2\n");
#endif
}
}
else
{
if (ec)
{
cfPS(ctx, OUTPUT_LEVEL_VERBOSE, CF_NOP, "", pp, a, " -> No edit changes to file %s need saving", ec->filename);
}
}
if (ec != NULL)
{
for (ip = ec->file_classes; ip != NULL; ip = ip->next)
{
EvalContextHeapAddSoft(ctx, ip->name, PromiseGetNamespace(pp));
}
DeleteItemList(ec->file_classes);
DeleteItemList(ec->file_start);
}
}
void KeepFileAccessPromise(EvalContext *ctx, const Promise *pp)
{
Rlist *rp;
Auth *ap, *dp;
if (strlen(pp->promiser) != 1)
{
DeleteSlash(pp->promiser);
}
if (!GetAuthPath(pp->promiser, SV.admit))
{
InstallServerAuthPath(pp->promiser, &SV.admit, &SV.admittop);
}
if (!GetAuthPath(pp->promiser, SV.deny))
{
InstallServerAuthPath(pp->promiser, &SV.deny, &SV.denytop);
}
ap = GetAuthPath(pp->promiser, SV.admit);
dp = GetAuthPath(pp->promiser, SV.deny);
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ENCRYPTED].lval) == 0)
{
ap->encrypt = true;
}
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ADMIT].lval) == 0)
{
PrependItem(&(ap->accesslist), RlistScalarValue(rp), NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_DENY].lval) == 0)
{
PrependItem(&(dp->accesslist), RlistScalarValue(rp), NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_MAPROOT].lval) == 0)
{
PrependItem(&(ap->maproot), RlistScalarValue(rp), NULL);
continue;
}
}
break;
default:
UnexpectedError("Unknown constraint type!");
break;
}
}
}
static PromiseResult KeepServerPromise(EvalContext *ctx, const Promise *pp, ARG_UNUSED void *param)
{
assert(!param);
if (!IsDefinedClass(ctx, pp->classes, PromiseGetNamespace(pp)))
{
Log(LOG_LEVEL_VERBOSE, "Skipping whole promise, as context is %s", pp->classes);
return PROMISE_RESULT_NOOP;
}
{
char *cls = NULL;
if (VarClassExcluded(ctx, pp, &cls))
{
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_VERBOSE, "\n");
Log(LOG_LEVEL_VERBOSE, ". . . . . . . . . . . . . . . . . . . . . . . . . . . . ");
Log(LOG_LEVEL_VERBOSE, "Skipping whole next promise (%s), as var-context %s is not relevant", pp->promiser, cls);
Log(LOG_LEVEL_VERBOSE, ". . . . . . . . . . . . . . . . . . . . . . . . . . . . ");
}
else
{
Log(LOG_LEVEL_VERBOSE, "Skipping next promise '%s', as var-context '%s' is not relevant", pp->promiser, cls);
}
return PROMISE_RESULT_NOOP;
}
}
if (strcmp(pp->parent_promise_type->name, "classes") == 0)
{
return VerifyClassPromise(ctx, pp, NULL);
}
const char *resource_type = PromiseGetConstraintAsRval(pp, "resource_type", RVAL_TYPE_SCALAR);
if (resource_type && strcmp(pp->parent_promise_type->name, "access") == 0)
{
if (strcmp(resource_type, "literal") == 0)
{
KeepLiteralAccessPromise(ctx, pp, "literal");
return PROMISE_RESULT_NOOP;
}
else if (strcmp(resource_type, "variable") == 0)
{
KeepLiteralAccessPromise(ctx, pp, "variable");
return PROMISE_RESULT_NOOP;
}
else if (strcmp(resource_type, "query") == 0)
{
KeepQueryAccessPromise(ctx, pp, "query");
KeepReportDataSelectAccessPromise(pp);
return PROMISE_RESULT_NOOP;
}
else if (strcmp(resource_type, "context") == 0)
{
KeepLiteralAccessPromise(ctx, pp, "context");
return PROMISE_RESULT_NOOP;
}
}
if (strcmp(pp->parent_promise_type->name, "access") == 0)
{
KeepFileAccessPromise(ctx, pp);
return PROMISE_RESULT_NOOP;
}
else if (strcmp(pp->parent_promise_type->name, "roles") == 0)
{
KeepServerRolePromise(ctx, pp);
return PROMISE_RESULT_NOOP;
}
return PROMISE_RESULT_NOOP;
}
void KeepClassContextPromise(EvalContext *ctx, Promise *pp, ARG_UNUSED const ReportContext *report_context)
{
Attributes a;
a = GetClassContextAttributes(ctx, pp);
if (!FullTextMatch("[a-zA-Z0-9_]+", pp->promiser))
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Class identifier \"%s\" contains illegal characters - canonifying", pp->promiser);
snprintf(pp->promiser, strlen(pp->promiser) + 1, "%s", CanonifyName(pp->promiser));
}
if (a.context.nconstraints == 0)
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a, "No constraints for class promise %s", pp->promiser);
return;
}
if (a.context.nconstraints > 1)
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a, "Irreconcilable constraints in classes for %s", pp->promiser);
return;
}
// If this is a common bundle ...
if (strcmp(PromiseGetBundle(pp)->type, "common") == 0)
{
if (EvalClassExpression(ctx, a.context.expression, pp))
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " ?> defining additional global class %s\n", pp->promiser);
if (!ValidClassName(pp->promiser))
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a,
" !! Attempted to name a class \"%s\", which is an illegal class identifier", pp->promiser);
}
else
{
if (a.context.persistent > 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " ?> defining explicit persistent class %s (%d mins)\n", pp->promiser,
a.context.persistent);
EvalContextHeapPersistentSave(pp->promiser, PromiseGetNamespace(pp), a.context.persistent, CONTEXT_STATE_POLICY_RESET);
EvalContextHeapAddSoft(ctx, pp->promiser, PromiseGetNamespace(pp));
}
else
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " ?> defining explicit global class %s\n", pp->promiser);
EvalContextHeapAddSoft(ctx, pp->promiser, PromiseGetNamespace(pp));
}
}
}
/* These are global and loaded once */
/* *(pp->donep) = true; */
return;
}
// If this is some other kind of bundle (else here??)
if (strcmp(PromiseGetBundle(pp)->type, CF_AGENTTYPES[THIS_AGENT_TYPE]) == 0 || FullTextMatch("edit_.*", PromiseGetBundle(pp)->type))
{
if (EvalClassExpression(ctx, a.context.expression, pp))
{
if (!ValidClassName(pp->promiser))
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a,
" !! Attempted to name a class \"%s\", which is an illegal class identifier", pp->promiser);
}
else
{
if (a.context.persistent > 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " ?> defining explicit persistent class %s (%d mins)\n", pp->promiser,
a.context.persistent);
CfOut(OUTPUT_LEVEL_VERBOSE, "",
" ?> Warning: persistent classes are global in scope even in agent bundles\n");
EvalContextHeapPersistentSave(pp->promiser, PromiseGetNamespace(pp), a.context.persistent, CONTEXT_STATE_POLICY_RESET);
EvalContextHeapAddSoft(ctx, pp->promiser, PromiseGetNamespace(pp));
}
else
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " ?> defining explicit local bundle class %s\n", pp->promiser);
EvalContextStackFrameAddSoft(ctx, pp->promiser);
}
}
}
// Private to bundle, can be reloaded
*(pp->donep) = false;
return;
}
}
static void KeepServerPromise(EvalContext *ctx, Promise *pp, ARG_UNUSED void *param)
{
char *sp = NULL;
assert(param == NULL);
if (!IsDefinedClass(ctx, pp->classes, PromiseGetNamespace(pp)))
{
Log(LOG_LEVEL_VERBOSE, "Skipping whole promise, as context is %s", pp->classes);
return;
}
if (VarClassExcluded(ctx, pp, &sp))
{
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_VERBOSE, "\n");
Log(LOG_LEVEL_VERBOSE, ". . . . . . . . . . . . . . . . . . . . . . . . . . . . ");
Log(LOG_LEVEL_VERBOSE, "Skipping whole next promise (%s), as var-context %s is not relevant", pp->promiser,
sp);
Log(LOG_LEVEL_VERBOSE, ". . . . . . . . . . . . . . . . . . . . . . . . . . . . ");
}
else
{
Log(LOG_LEVEL_VERBOSE, "Skipping next promise '%s', as var-context '%s' is not relevant", pp->promiser, sp);
}
return;
}
if (strcmp(pp->parent_promise_type->name, "classes") == 0)
{
VerifyClassPromise(ctx, pp, NULL);
return;
}
sp = (char *) ConstraintGetRvalValue(ctx, "resource_type", pp, RVAL_TYPE_SCALAR);
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "literal") == 0))
{
KeepLiteralAccessPromise(ctx, pp, "literal");
return;
}
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "variable") == 0))
{
KeepLiteralAccessPromise(ctx, pp, "variable");
return;
}
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "query") == 0))
{
KeepQueryAccessPromise(ctx, pp, "query");
KeepReportDataSelectAccessPromise(pp);
return;
}
if ((strcmp(pp->parent_promise_type->name, "access") == 0) && sp && (strcmp(sp, "context") == 0))
{
KeepLiteralAccessPromise(ctx, pp, "context");
return;
}
/* Default behaviour is file access */
if (strcmp(pp->parent_promise_type->name, "access") == 0)
{
KeepFileAccessPromise(ctx, pp);
return;
}
if (strcmp(pp->parent_promise_type->name, "roles") == 0)
{
KeepServerRolePromise(ctx, pp);
return;
}
}
static PromiseResult VerifyFilePromise(EvalContext *ctx, char *path, Promise *pp)
{
struct stat osb, oslb, dsb;
Attributes a = { {0} };
CfLock thislock;
int exists;
a = GetFilesAttributes(ctx, pp);
if (!FileSanityChecks(ctx, path, a, pp))
{
return PROMISE_RESULT_NOOP;
}
EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_THIS, "promiser", path, DATA_TYPE_STRING);
thislock = AcquireLock(ctx, path, VUQNAME, CFSTARTTIME, a.transaction, pp, false);
if (thislock.lock == NULL)
{
return PROMISE_RESULT_NOOP;
}
LoadSetuid(a);
PromiseResult result = PROMISE_RESULT_NOOP;
if (lstat(path, &oslb) == -1) /* Careful if the object is a link */
{
if ((a.create) || (a.touch))
{
if (!CfCreateFile(ctx, path, pp, a, &result))
{
goto exit;
}
else
{
exists = (lstat(path, &oslb) != -1);
}
}
exists = false;
}
else
{
if ((a.create) || (a.touch))
{
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, pp, a, "File '%s' exists as promised", path);
}
exists = true;
}
if ((a.havedelete) && (!exists))
{
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, pp, a, "File '%s' does not exist as promised", path);
goto exit;
}
if (!a.havedepthsearch) /* if the search is trivial, make sure that we are in the parent dir of the leaf */
{
char basedir[CF_BUFSIZE];
Log(LOG_LEVEL_DEBUG, "Direct file reference '%s', no search implied", path);
snprintf(basedir, sizeof(basedir), "%s", path);
if (strcmp(ReadLastNode(basedir), ".") == 0)
{
// Handle /. notation for deletion of directories
ChopLastNode(basedir);
ChopLastNode(path);
}
ChopLastNode(basedir);
if (chdir(basedir))
{
Log(LOG_LEVEL_ERR, "Failed to chdir into '%s'", basedir);
}
}
if (exists && (!VerifyFileLeaf(ctx, path, &oslb, a, pp, &result)))
{
if (!S_ISDIR(oslb.st_mode))
{
goto exit;
}
}
if (stat(path, &osb) == -1)
{
if ((a.create) || (a.touch))
{
if (!CfCreateFile(ctx, path, pp, a, &result))
{
goto exit;
}
else
{
exists = true;
}
}
else
{
exists = false;
}
}
else
{
if (!S_ISDIR(osb.st_mode))
{
if (a.havedepthsearch)
{
Log(LOG_LEVEL_WARNING,
"depth_search (recursion) is promised for a base object '%s' that is not a directory",
path);
goto exit;
}
}
exists = true;
}
if (a.link.link_children)
{
if (stat(a.link.source, &dsb) != -1)
{
if (!S_ISDIR(dsb.st_mode))
{
Log(LOG_LEVEL_ERR, "Cannot promise to link the children of '%s' as it is not a directory!",
a.link.source);
goto exit;
}
}
}
/* Phase 1 - */
if (exists && ((a.havedelete) || (a.haverename) || (a.haveperms) || (a.havechange) || (a.transformer)))
{
lstat(path, &oslb); /* if doesn't exist have to stat again anyway */
DepthSearch(ctx, path, &oslb, 0, a, pp, oslb.st_dev, &result);
/* normally searches do not include the base directory */
if (a.recursion.include_basedir)
{
int save_search = a.havedepthsearch;
/* Handle this node specially */
a.havedepthsearch = false;
DepthSearch(ctx, path, &oslb, 0, a, pp, oslb.st_dev, &result);
a.havedepthsearch = save_search;
}
else
{
/* unless child nodes were repaired, set a promise kept class */
if (!IsDefinedClass(ctx, "repaired" , PromiseGetNamespace(pp)))
{
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, pp, a, "Basedir '%s' not promising anything", path);
}
}
if (((a.change.report_changes) == FILE_CHANGE_REPORT_CONTENT_CHANGE) || ((a.change.report_changes) == FILE_CHANGE_REPORT_ALL))
{
if (a.havedepthsearch)
{
PurgeHashes(ctx, NULL, a, pp);
}
else
{
PurgeHashes(ctx, path, a, pp);
}
}
}
/* Phase 2a - copying is potentially threadable if no followup actions */
if (a.havecopy)
{
result = PromiseResultUpdate(result, ScheduleCopyOperation(ctx, path, a, pp));
}
/* Phase 2b link after copy in case need file first */
if ((a.havelink) && (a.link.link_children))
{
result = PromiseResultUpdate(result, ScheduleLinkChildrenOperation(ctx, path, a.link.source, 1, a, pp));
}
else if (a.havelink)
{
result = PromiseResultUpdate(result, ScheduleLinkOperation(ctx, path, a.link.source, a, pp));
}
/* Phase 3 - content editing */
if (a.haveedit)
{
result = PromiseResultUpdate(result, ScheduleEditOperation(ctx, path, a, pp));
}
// Once more in case a file has been created as a result of editing or copying
exists = (stat(path, &osb) != -1);
if (exists && (S_ISREG(osb.st_mode)))
{
VerifyFileLeaf(ctx, path, &osb, a, pp, &result);
}
if (!exists && a.havechange)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_FAIL, pp, a, "Promised to monitor '%s' for changes, but file does not exist", path);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
}
exit:
result = PromiseResultUpdate(result, SaveSetuid(ctx, a, pp));
YieldCurrentLock(thislock);
return result;
}
void KeepLiteralAccessPromise(EvalContext *ctx, Promise *pp, char *type)
{
Rlist *rp;
Auth *ap = NULL, *dp = NULL;
const char *handle = PromiseGetHandle(pp);
if ((handle == NULL) && (strcmp(type,"literal") == 0))
{
Log(LOG_LEVEL_ERR, "Access to literal server data requires you to define a promise handle for reference");
return;
}
if (strcmp(type, "literal") == 0)
{
Log(LOG_LEVEL_VERBOSE,"Looking at literal access promise '%s', type '%s'", pp->promiser, type);
if (!GetAuthPath(handle, SV.varadmit))
{
InstallServerAuthPath(handle, &SV.varadmit, &SV.varadmittop);
}
if (!GetAuthPath(handle, SV.vardeny))
{
InstallServerAuthPath(handle, &SV.vardeny, &SV.vardenytop);
}
RegisterLiteralServerData(ctx, handle, pp);
ap = GetAuthPath(handle, SV.varadmit);
dp = GetAuthPath(handle, SV.vardeny);
ap->literal = true;
}
else
{
Log(LOG_LEVEL_VERBOSE,"Looking at context/var access promise '%s', type '%s'", pp->promiser, type);
if (!GetAuthPath(pp->promiser, SV.varadmit))
{
InstallServerAuthPath(pp->promiser, &SV.varadmittop, &SV.varadmittop);
}
if (!GetAuthPath(pp->promiser, SV.vardeny))
{
InstallServerAuthPath(pp->promiser, &SV.vardeny, &SV.vardenytop);
}
if (strcmp(type, "context") == 0)
{
ap = GetAuthPath(pp->promiser, SV.varadmit);
dp = GetAuthPath(pp->promiser, SV.vardeny);
ap->classpattern = true;
}
if (strcmp(type, "variable") == 0)
{
ap = GetAuthPath(pp->promiser, SV.varadmit); // Allow the promiser (preferred) as well as handle as variable name
dp = GetAuthPath(pp->promiser, SV.vardeny);
ap->variable = true;
}
}
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ENCRYPTED].lval) == 0)
{
ap->encrypt = true;
}
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ADMIT].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_DENY].lval) == 0)
{
PrependItem(&(dp->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_MAPROOT].lval) == 0)
{
PrependItem(&(ap->maproot), rp->item, NULL);
continue;
}
}
break;
default:
/* Shouldn't happen */
break;
}
}
}
static int EvalClassExpression(EvalContext *ctx, Constraint *cp, Promise *pp)
{
int result_and = true;
int result_or = false;
int result_xor = 0;
int result = 0, total = 0;
char buffer[CF_MAXVARSIZE];
Rlist *rp;
FnCall *fp;
Rval rval;
if (cp == NULL)
{
Log(LOG_LEVEL_ERR, "EvalClassExpression internal diagnostic discovered an ill-formed condition");
}
if (!IsDefinedClass(ctx, pp->classes, PromiseGetNamespace(pp)))
{
return false;
}
if (EvalContextPromiseIsDone(ctx, pp))
{
return false;
}
if (IsDefinedClass(ctx, pp->promiser, PromiseGetNamespace(pp)))
{
if (PromiseGetConstraintAsInt(ctx, "persistence", pp) == 0)
{
Log(LOG_LEVEL_VERBOSE, " ?> Cancelling cached persistent class %s", pp->promiser);
EvalContextHeapPersistentRemove(pp->promiser);
}
return false;
}
switch (cp->rval.type)
{
case RVAL_TYPE_FNCALL:
fp = (FnCall *) cp->rval.item; /* Special expansion of functions for control, best effort only */
FnCallResult res = FnCallEvaluate(ctx, fp, pp);
FnCallDestroy(fp);
cp->rval = res.rval;
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
rval = EvaluateFinalRval(ctx, "this", (Rval) {rp->item, rp->type}, true, pp);
RvalDestroy((Rval) {rp->item, rp->type});
rp->item = rval.item;
rp->type = rval.type;
}
break;
default:
rval = ExpandPrivateRval(ctx, "this", cp->rval);
RvalDestroy(cp->rval);
cp->rval = rval;
break;
}
if (strcmp(cp->lval, "expression") == 0)
{
if (cp->rval.type != RVAL_TYPE_SCALAR)
{
return false;
}
if (IsDefinedClass(ctx, (char *) cp->rval.item, PromiseGetNamespace(pp)))
{
return true;
}
else
{
return false;
}
}
if (strcmp(cp->lval, "not") == 0)
{
if (cp->rval.type != RVAL_TYPE_SCALAR)
{
return false;
}
if (IsDefinedClass(ctx, (char *) cp->rval.item, PromiseGetNamespace(pp)))
{
return false;
}
else
{
return true;
}
}
// Class selection
if (strcmp(cp->lval, "select_class") == 0)
{
char splay[CF_MAXVARSIZE];
int i, n;
double hash;
total = 0;
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
total++;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "No classes to select on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
snprintf(splay, CF_MAXVARSIZE, "%s+%s+%ju", VFQNAME, VIPADDRESS, (uintmax_t)getuid());
hash = (double) OatHash(splay, CF_HASHTABLESIZE);
n = (int) (total * hash / (double) CF_HASHTABLESIZE);
for (rp = (Rlist *) cp->rval.item, i = 0; rp != NULL; rp = rp->next, i++)
{
if (i == n)
{
EvalContextHeapAddSoft(ctx, rp->item, PromiseGetNamespace(pp));
return true;
}
}
}
/* If we get here, anything remaining on the RHS must be a clist */
if (cp->rval.type != RVAL_TYPE_LIST)
{
Log(LOG_LEVEL_ERR, "RHS of promise body attribute '%s' is not a list", cp->lval);
PromiseRef(LOG_LEVEL_ERR, pp);
return true;
}
// Class distributions
if (strcmp(cp->lval, "dist") == 0)
{
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
result = IntFromString(rp->item);
if (result < 0)
{
Log(LOG_LEVEL_ERR, "Non-positive integer in class distribution");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
total += result;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "An empty distribution was specified on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
double fluct = drand48();
double cum = 0.0;
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
double prob = ((double) IntFromString(rp->item)) / ((double) total);
cum += prob;
if (fluct < cum)
{
break;
}
}
snprintf(buffer, CF_MAXVARSIZE - 1, "%s_%s", pp->promiser, (char *) rp->item);
/* FIXME: figure why explicit mark and get rid of it */
EvalContextMarkPromiseDone(ctx, pp);
if (strcmp(PromiseGetBundle(pp)->type, "common") == 0)
{
EvalContextHeapAddSoft(ctx, buffer, PromiseGetNamespace(pp));
}
else
{
EvalContextStackFrameAddSoft(ctx, buffer);
}
return true;
}
/* and/or/xor expressions */
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (rp->type != RVAL_TYPE_SCALAR)
{
return false;
}
result = IsDefinedClass(ctx, (char *) (rp->item), PromiseGetNamespace(pp));
result_and = result_and && result;
result_or = result_or || result;
result_xor ^= result;
}
// Class combinations
if (strcmp(cp->lval, "or") == 0)
{
return result_or;
}
if (strcmp(cp->lval, "xor") == 0)
{
return (result_xor == 1) ? true : false;
}
if (strcmp(cp->lval, "and") == 0)
{
return result_and;
}
return false;
}
void KeepQueryAccessPromise(EvalContext *ctx, Promise *pp, char *type)
{
Rlist *rp;
Auth *ap, *dp;
if (!GetAuthPath(pp->promiser, SV.varadmit))
{
InstallServerAuthPath(pp->promiser, &SV.varadmit, &SV.varadmittop);
}
RegisterLiteralServerData(ctx, pp->promiser, pp);
if (!GetAuthPath(pp->promiser, SV.vardeny))
{
InstallServerAuthPath(pp->promiser, &SV.vardeny, &SV.vardenytop);
}
ap = GetAuthPath(pp->promiser, SV.varadmit);
dp = GetAuthPath(pp->promiser, SV.vardeny);
if (strcmp(type, "query") == 0)
{
ap->literal = true;
}
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
if (!IsDefinedClass(ctx, cp->classes, PromiseGetNamespace(pp)))
{
continue;
}
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ENCRYPTED].lval) == 0)
{
ap->encrypt = true;
}
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_ADMIT].lval) == 0)
{
PrependItem(&(ap->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_DENY].lval) == 0)
{
PrependItem(&(dp->accesslist), rp->item, NULL);
continue;
}
if (strcmp(cp->lval, CF_REMACCESS_BODIES[REMOTE_ACCESS_MAPROOT].lval) == 0)
{
PrependItem(&(ap->maproot), rp->item, NULL);
continue;
}
}
break;
default:
/* Shouldn't happen */
break;
}
}
}
static void VerifyProcessOp(EvalContext *ctx, Item *procdata, Attributes a, Promise *pp)
{
int matches = 0, do_signals = true, out_of_range, killed = 0, need_to_restart = true;
Item *killlist = NULL;
matches = FindPidMatches(ctx, procdata, &killlist, a, pp->promiser);
/* promise based on number of matches */
if (a.process_count.min_range != CF_NOINT) /* if a range is specified */
{
if ((matches < a.process_count.min_range) || (matches > a.process_count.max_range))
{
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_CHANGE, pp, a, "Process count for '%s' was out of promised range (%d found)", pp->promiser, matches);
for (const Rlist *rp = a.process_count.out_of_range_define; rp != NULL; rp = rp->next)
{
if (!EvalContextHeapContainsSoft(ctx, rp->item))
{
EvalContextHeapAddSoft(ctx, rp->item, PromiseGetNamespace(pp));
}
}
out_of_range = true;
}
else
{
for (const Rlist *rp = a.process_count.in_range_define; rp != NULL; rp = rp->next)
{
if (!EvalContextHeapContainsSoft(ctx, rp->item))
{
EvalContextHeapAddSoft(ctx, rp->item, PromiseGetNamespace(pp));
}
}
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, pp, a, "Process promise for '%s' is kept", pp->promiser);
out_of_range = false;
}
}
else
{
out_of_range = true;
}
if (!out_of_range)
{
return;
}
if (a.transaction.action == cfa_warn)
{
do_signals = false;
}
else
{
do_signals = true;
}
/* signal/kill promises for existing matches */
if (do_signals && (matches > 0))
{
if (a.process_stop != NULL)
{
if (DONTDO)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_WARN, pp, a,
"Need to keep process-stop promise for '%s', but only a warning is promised", pp->promiser);
}
else
{
if (IsExecutable(CommandArg0(a.process_stop)))
{
ShellCommandReturnsZero(a.process_stop, SHELL_TYPE_NONE);
}
else
{
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_FAIL, pp, a,
"Process promise to stop '%s' could not be kept because '%s' the stop operator failed",
pp->promiser, a.process_stop);
DeleteItemList(killlist);
return;
}
}
}
killed = DoAllSignals(ctx, killlist, a, pp);
}
/* delegated promise to restart killed or non-existent entries */
need_to_restart = (a.restart_class != NULL) && (killed || (matches == 0));
DeleteItemList(killlist);
if (!need_to_restart)
{
cfPS(ctx, LOG_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, pp, a, "No restart promised for %s", pp->promiser);
return;
}
else
{
if (a.transaction.action == cfa_warn)
{
cfPS(ctx, LOG_LEVEL_ERR, PROMISE_RESULT_WARN, pp, a,
"Need to keep restart promise for '%s', but only a warning is promised", pp->promiser);
}
else
{
cfPS(ctx, LOG_LEVEL_INFO, PROMISE_RESULT_CHANGE, pp, a, "Making a one-time restart promise for '%s'", pp->promiser);
EvalContextHeapAddSoft(ctx, a.restart_class, PromiseGetNamespace(pp));
}
}
}
Promise *DeRefCopyPromise(EvalContext *ctx, const Promise *pp)
{
Promise *pcopy;
Rval returnval;
if (pp->promisee.item)
{
CfDebug("CopyPromise(%s->", pp->promiser);
if (DEBUG)
{
RvalShow(stdout, pp->promisee);
}
CfDebug("\n");
}
else
{
CfDebug("CopyPromise(%s->)\n", pp->promiser);
}
pcopy = xcalloc(1, sizeof(Promise));
if (pp->promiser)
{
pcopy->promiser = xstrdup(pp->promiser);
}
if (pp->promisee.item)
{
pcopy->promisee = RvalCopy(pp->promisee);
if (pcopy->promisee.type == RVAL_TYPE_LIST)
{
Rlist *rval_list = RvalRlistValue(pcopy->promisee);
RlistFlatten(ctx, &rval_list);
pcopy->promisee.item = rval_list;
}
}
if (pp->classes)
{
pcopy->classes = xstrdup(pp->classes);
}
/* FIXME: may it happen? */
if ((pp->promisee.item != NULL && pcopy->promisee.item == NULL))
{
ProgrammingError("Unable to copy promise");
}
pcopy->parent_promise_type = pp->parent_promise_type;
pcopy->offset.line = pp->offset.line;
pcopy->comment = pp->comment ? xstrdup(pp->comment) : NULL;
pcopy->has_subbundles = pp->has_subbundles;
pcopy->conlist = SeqNew(10, ConstraintDestroy);
pcopy->org_pp = pp->org_pp;
pcopy->offset = pp->offset;
CfDebug("Copying promise constraints\n\n");
/* No further type checking should be necessary here, already done by CheckConstraintTypeMatch */
for (size_t i = 0; i < SeqLength(pp->conlist); i++)
{
Constraint *cp = SeqAt(pp->conlist, i);
Body *bp = NULL;
FnCall *fp = NULL;
char *bodyname = NULL;
/* A body template reference could look like a scalar or fn to the parser w/w () */
Policy *policy = PolicyFromPromise(pp);
Seq *bodies = policy ? policy->bodies : NULL;
switch (cp->rval.type)
{
case RVAL_TYPE_SCALAR:
bodyname = (char *) cp->rval.item;
if (cp->references_body)
{
bp = IsBody(bodies, PromiseGetNamespace(pp), bodyname);
}
fp = NULL;
break;
case RVAL_TYPE_FNCALL:
fp = (FnCall *) cp->rval.item;
bodyname = fp->name;
bp = IsBody(bodies, PromiseGetNamespace(pp), bodyname);
break;
default:
bp = NULL;
fp = NULL;
bodyname = NULL;
break;
}
/* First case is: we have a body template to expand lval = body(args), .. */
if (bp)
{
EvalContextStackPushBodyFrame(ctx, bp);
if (strcmp(bp->type, cp->lval) != 0)
{
Log(LOG_LEVEL_ERR,
"Body type mismatch for body reference \"%s\" in promise at line %zu of %s (%s != %s)\n",
bodyname, pp->offset.line, PromiseGetBundle(pp)->source_path, bp->type, cp->lval);
}
/* Keep the referent body type as a boolean for convenience when checking later */
{
Constraint *cp_copy = PromiseAppendConstraint(pcopy, cp->lval, (Rval) {xstrdup("true"), RVAL_TYPE_SCALAR }, cp->classes, false);
cp_copy->offset = cp->offset;
}
CfDebug("Handling body-lval \"%s\"\n", cp->lval);
if (bp->args != NULL)
{
/* There are arguments to insert */
if (fp == NULL || fp->args == NULL)
{
Log(LOG_LEVEL_ERR, "Argument mismatch for body reference \"%s\" in promise at line %zu of %s",
bodyname, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
if (fp && bp && fp->args && bp->args && !ScopeMapBodyArgs(ctx, "body", fp->args, bp->args))
{
Log(LOG_LEVEL_ERR,
"Number of arguments does not match for body reference \"%s\" in promise at line %zu of %s\n",
bodyname, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
for (size_t k = 0; k < SeqLength(bp->conlist); k++)
{
Constraint *scp = SeqAt(bp->conlist, k);
CfDebug("Doing arg-mapped sublval = %s (promises.c)\n", scp->lval);
returnval = ExpandPrivateRval(ctx, "body", scp->rval);
{
Constraint *scp_copy = PromiseAppendConstraint(pcopy, scp->lval, returnval, scp->classes, false);
scp_copy->offset = scp->offset;
}
}
ScopeClear("body");
}
else
{
/* No arguments to deal with or body undeclared */
if (fp != NULL)
{
Log(LOG_LEVEL_ERR,
"An apparent body \"%s()\" was undeclared or could have incorrect args, but used in a promise near line %zu of %s (possible unquoted literal value)",
bodyname, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
else
{
for (size_t k = 0; k < SeqLength(bp->conlist); k++)
{
Constraint *scp = SeqAt(bp->conlist, k);
CfDebug("Doing sublval = %s (promises.c)\n", scp->lval);
Rval newrv = RvalCopy(scp->rval);
if (newrv.type == RVAL_TYPE_LIST)
{
Rlist *new_list = RvalRlistValue(newrv);
RlistFlatten(ctx, &new_list);
newrv.item = new_list;
}
{
Constraint *scp_copy = PromiseAppendConstraint(pcopy, scp->lval, newrv, scp->classes, false);
scp_copy->offset = scp->offset;
}
}
}
}
EvalContextStackPopFrame(ctx);
}
else
{
Policy *policy = PolicyFromPromise(pp);
if (cp->references_body && !IsBundle(policy->bundles, bodyname))
{
Log(LOG_LEVEL_ERR,
"Apparent body \"%s()\" was undeclared, but used in a promise near line %zu of %s (possible unquoted literal value)",
bodyname, pp->offset.line, PromiseGetBundle(pp)->source_path);
}
Rval newrv = RvalCopy(cp->rval);
if (newrv.type == RVAL_TYPE_LIST)
{
Rlist *new_list = RvalRlistValue(newrv);
RlistFlatten(ctx, &new_list);
newrv.item = new_list;
}
{
Constraint *cp_copy = PromiseAppendConstraint(pcopy, cp->lval, newrv, cp->classes, false);
cp_copy->offset = cp->offset;
}
}
}
return pcopy;
}
