static bool DistributeClass(EvalContext *ctx, const Rlist *dist, const Promise *pp)
{
int total = 0;
const Rlist *rp;
for (rp = dist; rp != NULL; rp = rp->next)
{
int result = IntFromString(RlistScalarValue(rp));
if (result < 0)
{
Log(LOG_LEVEL_ERR, "Negative integer in class distribution");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
total += result;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "An empty distribution was specified on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
double fluct = drand48() * total;
assert(0 <= fluct && fluct < total);
for (rp = dist; rp != NULL; rp = rp->next)
{
fluct -= IntFromString(RlistScalarValue(rp));
if (fluct < 0)
{
break;
}
}
assert(rp);
char buffer[CF_MAXVARSIZE];
snprintf(buffer, CF_MAXVARSIZE, "%s_%s", pp->promiser, RlistScalarValue(rp));
if (strcmp(PromiseGetBundle(pp)->type, "common") == 0)
{
EvalContextClassPutSoft(ctx, buffer, CONTEXT_SCOPE_NAMESPACE,
"source=promise");
}
else
{
EvalContextClassPutSoft(ctx, buffer, CONTEXT_SCOPE_BUNDLE,
"source=promise");
}
return true;
}
long TimeAbs2Int(const char *s)
{
time_t cftime;
char mon[4], h[3], m[3];
long month = 0, day = 0, hour = 0, min = 0, year = 0;
struct tm tm;
if (s == NULL)
{
return CF_NOINT;
}
year = IntFromString(VYEAR);
if (strstr(s, ":")) /* Hr:Min */
{
sscanf(s, "%2[^:]:%2[^:]:", h, m);
month = Month2Int(VMONTH);
day = IntFromString(VDAY);
hour = IntFromString(h);
min = IntFromString(m);
tm.tm_year = year - 1900;
tm.tm_mon = month - 1;
tm.tm_mday = day;
tm.tm_hour = hour;
tm.tm_min = min;
tm.tm_sec = 0;
tm.tm_isdst = -1;
cftime = mktime(&tm);
}
else /* date Month */
{
sscanf(s, "%3[a-zA-Z] %ld", mon, &day);
month = Month2Int(mon);
if (Month2Int(VMONTH) < month)
{
/* Wrapped around */
year--;
}
tm.tm_year = year - 1900;
tm.tm_mon = month - 1;
tm.tm_mday = day;
tm.tm_hour = 0;
tm.tm_min = 0;
tm.tm_sec = 0;
tm.tm_isdst = -1;
cftime = mktime(&tm);
}
return (long) cftime;
}
bool FEngineConfig::ParseWindowConfig()
{
const int WindowX = IntFromString(INIParser.GetValue(CONFIG_INI_WINDOW_SETTINGS_SECTION, CONFIG_INI_WINDOW_WIDTH_KEY, "1024"));
const int WindowY = IntFromString(INIParser.GetValue(CONFIG_INI_WINDOW_SETTINGS_SECTION, CONFIG_INI_WINDOW_HEIGHT_KEY, "768"));
const FString WindowTitle = INIParser.GetValue(CONFIG_INI_WINDOW_SETTINGS_SECTION, CONFIG_INI_WINDOW_TITLE_KEY, "DefaultTitle");
WindowConfig.Dimensions = FVector2D(WindowX, WindowY);
WindowConfig.Title = WindowTitle;
return true;
}
long TimeAbs2Int(const char *s)
{
time_t cftime;
int i;
char mon[4], h[3], m[3];
long month = 0, day = 0, hour = 0, min = 0, year = 0;
if (s == NULL)
{
return CF_NOINT;
}
year = IntFromString(VYEAR);
if (strstr(s, ":")) /* Hr:Min */
{
sscanf(s, "%2[^:]:%2[^:]:", h, m);
month = Month2Int(VMONTH);
day = IntFromString(VDAY);
hour = IntFromString(h);
min = IntFromString(m);
}
else /* date Month */
{
sscanf(s, "%3[a-zA-Z] %ld", mon, &day);
month = Month2Int(mon);
if (Month2Int(VMONTH) < month)
{
/* Wrapped around */
year--;
}
}
CfDebug("(%s)\n%ld=%s,%ld=%s,%ld,%ld,%ld\n", s, year, VYEAR, month, VMONTH, day, hour, min);
cftime = 0;
cftime += min * 60;
cftime += hour * 3600;
cftime += (day - 1) * 24 * 3600;
cftime += 24 * 3600 * ((year - 1970) / 4); /* Leap years */
for (i = 0; i < month - 1; i++)
{
cftime += GetMonthLength(i, year) * 24 * 3600;
}
cftime += (year - 1970) * 365 * 24 * 3600;
CfDebug("Time %s CORRESPONDS %s\n", s, cf_ctime(&cftime));
return (long) cftime;
}
static void ResolvePackageManagerBody(EvalContext *ctx, const Body *pm_body)
{
PackageModuleBody *new_manager = xcalloc(1, sizeof(PackageModuleBody));
new_manager->name = SafeStringDuplicate(pm_body->name);
for (size_t i = 0; i < SeqLength(pm_body->conlist); i++)
{
Constraint *cp = SeqAt(pm_body->conlist, i);
Rval returnval = {0};
if (IsDefinedClass(ctx, cp->classes))
{
returnval = ExpandPrivateRval(ctx, NULL, "body",
cp->rval.item, cp->rval.type);
}
if (returnval.item == NULL || returnval.type == RVAL_TYPE_NOPROMISEE)
{
Log(LOG_LEVEL_VERBOSE, "have invalid constraint while resolving"
"package promise body: %s", cp->lval);
RvalDestroy(returnval);
continue;
}
if (strcmp(cp->lval, "query_installed_ifelapsed") == 0)
{
new_manager->installed_ifelapsed =
(int)IntFromString(RvalScalarValue(returnval));
}
else if (strcmp(cp->lval, "query_updates_ifelapsed") == 0)
{
new_manager->updates_ifelapsed =
(int)IntFromString(RvalScalarValue(returnval));
}
else if (strcmp(cp->lval, "default_options") == 0)
{
new_manager->options = RlistCopy(RvalRlistValue(returnval));
}
else
{
/* This should be handled by the parser. */
assert(0);
}
RvalDestroy(returnval);
}
AddPackageModuleToContext(ctx, new_manager);
}
long Months2Seconds(int m)
{
long tot_days = 0;
int this_month, i, month, year;
if (m == 0)
{
return 0;
}
this_month = Month2Int(VMONTH);
year = IntFromString(VYEAR);
for (i = 0; i < m; i++)
{
month = (this_month - i) % 12;
while (month < 0)
{
month += 12;
year--;
}
tot_days += GetMonthLength(month, year);
}
return (long) tot_days *3600 * 24;
}
static int SelectProcRangeMatch(char *name1, char *name2, int min, int max, char **names, char **line)
{
int i;
long value;
if ((min == CF_NOINT) || (max == CF_NOINT))
{
return false;
}
if ((i = GetProcColumnIndex(name1, name2, names)) != -1)
{
value = IntFromString(line[i]);
if (value == CF_NOINT)
{
Log(LOG_LEVEL_INFO, "Failed to extract a valid integer from '%s' => '%s' in process list", names[i],
line[i]);
return false;
}
if ((min <= value) && (value <= max))
{
return true;
}
else
{
return false;
}
}
return false;
}
static SyntaxTypeMatch CheckParseInt(const char *lval, const char *s, const char *range)
{
Item *split;
int n;
long max = CF_LOWINIT, min = CF_HIGHINIT, val;
/* Numeric types are registered by range separated by comma str "min,max" */
CfDebug("\nCheckParseInt(%s => %s/%s)\n", lval, s, range);
split = SplitString(range, ',');
if ((n = ListLen(split)) != 2)
{
ProgrammingError("INTERN: format specifier for int rvalues is not ok for lval %s - got %d items", lval, n);
}
sscanf(split->name, "%ld", &min);
if (strcmp(split->next->name, "inf") == 0)
{
max = CF_INFINITY;
}
else
{
sscanf(split->next->name, "%ld", &max);
}
DeleteItemList(split);
if (min == CF_HIGHINIT || max == CF_LOWINIT)
{
ProgrammingError("INTERN: could not parse format specifier for int rvalues for lval %s", lval);
}
if (IsCf3VarString(s))
{
return SYNTAX_TYPE_MATCH_ERROR_UNEXPANDED;
}
val = IntFromString(s);
if (val == CF_NOINT)
{
return SYNTAX_TYPE_MATCH_ERROR_INT_PARSE;
}
if (val > max || val < min)
{
return SYNTAX_TYPE_MATCH_ERROR_INT_OUT_OF_RANGE;
}
CfDebug("CheckParseInt - syntax verified\n\n");
return SYNTAX_TYPE_MATCH_OK;
}
static int HailServer(const EvalContext *ctx, const GenericAgentConfig *config,
char *host)
{
assert(host != NULL);
AgentConnection *conn;
char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE],
hostkey[CF_HOSTKEY_STRING_SIZE], user[CF_SMALLBUF];
bool gotkey;
char reply[8];
bool trustkey = false;
char *hostname, *port;
ParseHostPort(host, &hostname, &port);
if (hostname == NULL || strcmp(hostname, "localhost") == 0)
{
Log(LOG_LEVEL_INFO, "No remote hosts were specified to connect to");
return false;
}
if (port == NULL)
{
port = "5308";
}
char ipaddr[CF_MAX_IP_LEN];
if (Hostname2IPString(ipaddr, hostname, sizeof(ipaddr)) == -1)
{
Log(LOG_LEVEL_ERR,
"HailServer: ERROR, could not resolve '%s'", hostname);
return false;
}
Address2Hostkey(hostkey, sizeof(hostkey), ipaddr);
GetCurrentUserName(user, CF_SMALLBUF);
if (INTERACTIVE)
{
Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");
gotkey = HavePublicKey(user, ipaddr, hostkey) != NULL;
if (!gotkey)
{
/* TODO print the hash of the connecting host. But to do that we
* should open the connection first, and somehow pass that hash
* here! redmine#7212 */
printf("WARNING - You do not have a public key from host %s = %s\n",
hostname, ipaddr);
printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");
while (true)
{
if (fgets(reply, sizeof(reply), stdin) == NULL)
{
FatalError(ctx, "EOF trying to read answer from terminal");
}
if (Chop(reply, CF_EXPANDSIZE) == -1)
{
Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
}
if (strcmp(reply, "yes") == 0)
{
printf("Will trust the key...\n");
trustkey = true;
break;
}
else if (strcmp(reply, "no") == 0)
{
printf("Will not trust the key...\n");
trustkey = false;
break;
}
else
{
printf("Please reply yes or no...(%s)\n", reply);
}
}
}
}
#ifndef __MINGW32__
if (BACKGROUND)
{
Log(LOG_LEVEL_INFO, "Hailing %s : %s (in the background)",
hostname, port);
}
else
#endif
{
Log(LOG_LEVEL_INFO,
"........................................................................");
Log(LOG_LEVEL_INFO, "Hailing %s : %s",
hostname, port);
Log(LOG_LEVEL_INFO,
"........................................................................");
}
ConnectionFlags connflags = {
.protocol_version = config->protocol_version,
.trust_server = trustkey
};
int err = 0;
conn = ServerConnection(hostname, port, CONNTIMEOUT, connflags, &err);
if (conn == NULL)
{
Log(LOG_LEVEL_ERR, "Failed to connect to host: %s", hostname);
return false;
}
/* Send EXEC command. */
HailExec(conn, hostname, recvbuffer, sendbuffer);
return true;
}
/********************************************************************/
/* Level 2 */
/********************************************************************/
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
Log(LOG_LEVEL_WARNING,
"'background_children' setting from 'body runagent control' is overridden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(value);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(value))
{
strlcpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE);
Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = value;
}
continue;
}
}
}
const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (expire_after)
{
LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
}
}
static int VerifyTablePromise(EvalContext *ctx, CfdbConn *cfdb, char *table_path, Rlist *columns, Attributes a, Promise *pp)
{
char name[CF_MAXVARSIZE], type[CF_MAXVARSIZE], query[CF_MAXVARSIZE], table[CF_MAXVARSIZE], db[CF_MAXVARSIZE];
int i, count, size, no_of_cols, *size_table, *done, identified, retval = true;
char **name_table, **type_table;
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Verifying promised table structure for \"%s\"", table_path);
if (!ValidateSQLTableName(table_path, db, table))
{
CfOut(OUTPUT_LEVEL_ERROR, "",
" !! The structure of the promiser did not match that for an SQL table, i.e. \"database.table\"\n");
return false;
}
else
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Assuming database \"%s\" with table \"%s\"", db, table);
}
/* Verify the existence of the tables within the database */
if (!TableExists(cfdb, table))
{
CfOut(OUTPUT_LEVEL_ERROR, "", " !! The database did not contain the promised table \"%s\"\n", table_path);
if ((a.database.operation) && (strcmp(a.database.operation, "create") == 0))
{
if ((!DONTDO) && ((a.transaction.action) != cfa_warn))
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_CHANGE, "", pp, a, " -> Database.table %s doesn't seem to exist, creating\n",
table_path);
return CreateTableColumns(cfdb, table, columns);
}
else
{
CfOut(OUTPUT_LEVEL_ERROR, "", " -> Database.table %s doesn't seem to exist, but only a warning was promised\n",
table_path);
}
}
return false;
}
/* Get a list of the columns in the table */
QueryTableColumns(query, db, table);
CfNewQueryDB(cfdb, query);
if (cfdb->maxcolumns != 3)
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a, "Could not make sense of the columns");
CfDeleteQuery(cfdb);
return false;
}
/* Assume that the Rlist has been validated and consists of a,b,c */
count = 0;
no_of_cols = RlistLen(columns);
if (!NewSQLColumns(table, columns, &name_table, &type_table, &size_table, &done))
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a, "Could not make sense of the columns");
return false;
}
/* Obtain columns from the named table - if any */
while (CfFetchRow(cfdb))
{
char *sizestr;
name[0] = '\0';
type[0] = '\0';
size = CF_NOINT;
strlcpy(name, CfFetchColumn(cfdb, 0), CF_MAXVARSIZE);
strlcpy(type, CfFetchColumn(cfdb, 1), CF_MAXVARSIZE);
ToLowerStrInplace(type);
sizestr = CfFetchColumn(cfdb, 2);
if (sizestr)
{
size = IntFromString(sizestr);
}
CfOut(OUTPUT_LEVEL_VERBOSE, "", " ... discovered column (%s,%s,%d)", name, type, size);
if (sizestr && (size == CF_NOINT))
{
cfPS(ctx, OUTPUT_LEVEL_VERBOSE, PROMISE_RESULT_NOOP, "", pp, a,
" !! Integer size of SQL datatype could not be determined or was not specified - invalid promise.");
DeleteSQLColumns(name_table, type_table, size_table, done, no_of_cols);
CfDeleteQuery(cfdb);
return false;
}
identified = false;
for (i = 0; i < no_of_cols; i++)
{
if (done[i])
{
continue;
}
if (strcmp(name, name_table[i]) == 0)
{
CheckSQLDataType(type, type_table[i], pp);
if (size != size_table[i])
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a,
" !! Promised column \"%s\" in database.table \"%s\" has a non-matching array size (%d != %d)",
name, table_path, size, size_table[i]);
}
else
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Promised column \"%s\" in database.table \"%s\" is as promised", name,
table_path);
}
count++;
done[i] = true;
identified = true;
break;
}
}
if (!identified)
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a,
"Column \"%s\" found in database.table \"%s\" is not part of its promise.", name, table_path);
if ((a.database.operation) && (strcmp(a.database.operation, "drop") == 0))
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_FAIL, "", pp, a,
"Cfengine will not promise to repair this, as the operation is potentially too destructive.");
// Future allow deletion?
}
retval = false;
}
}
CfDeleteQuery(cfdb);
/* Now look for deviations - only if we have promised to create missing */
if ((a.database.operation) && (strcmp(a.database.operation, "drop") == 0))
{
return retval;
}
if (count != no_of_cols)
{
for (i = 0; i < no_of_cols; i++)
{
if (!done[i])
{
CfOut(OUTPUT_LEVEL_ERROR, "", " !! Promised column \"%s\" missing from database table %s", name_table[i],
pp->promiser);
if ((!DONTDO) && ((a.transaction.action) != cfa_warn))
{
if (size_table[i] > 0)
{
snprintf(query, CF_MAXVARSIZE - 1, "ALTER TABLE %s ADD %s %s(%d)", table, name_table[i],
type_table[i], size_table[i]);
}
else
{
snprintf(query, CF_MAXVARSIZE - 1, "ALTER TABLE %s ADD %s %s", table, name_table[i],
type_table[i]);
}
CfVoidQueryDB(cfdb, query);
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_CHANGE, "", pp, a, " !! Adding promised column \"%s\" to database table %s",
name_table[i], table);
retval = true;
}
else
{
cfPS(ctx, OUTPUT_LEVEL_ERROR, PROMISE_RESULT_WARN, "", pp, a,
" !! Promised column \"%s\" missing from database table %s but only a warning was promised",
name_table[i], table);
retval = false;
}
}
}
}
DeleteSQLColumns(name_table, type_table, size_table, done, no_of_cols);
return retval;
}
void VerifyVarPromise(EvalContext *ctx, const Promise *pp, bool allow_duplicates)
{
ConvergeVariableOptions opts = CollectConvergeVariableOptions(ctx, pp, allow_duplicates);
if (!opts.should_converge)
{
return;
}
char *scope = NULL;
if (strcmp("meta", pp->parent_promise_type->name) == 0)
{
scope = StringConcatenate(2, PromiseGetBundle(pp)->name, "_meta");
}
else
{
scope = xstrdup(PromiseGetBundle(pp)->name);
}
//More consideration needs to be given to using these
//a.transaction = GetTransactionConstraints(pp);
Attributes a = { {0} };
a.classes = GetClassDefinitionConstraints(ctx, pp);
Rval existing_var_rval;
DataType existing_var_type = DATA_TYPE_NONE;
EvalContextVariableGet(ctx, (VarRef) { NULL, scope, pp->promiser }, &existing_var_rval, &existing_var_type);
Buffer *qualified_scope = BufferNew();
int result = 0;
if (strcmp(PromiseGetNamespace(pp), "default") == 0)
{
result = BufferSet(qualified_scope, scope, strlen(scope));
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
return;
}
}
else
{
if (strchr(scope, ':') == NULL)
{
result = BufferPrintf(qualified_scope, "%s:%s", PromiseGetNamespace(pp), scope);
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
return;
}
}
else
{
result = BufferSet(qualified_scope, scope, strlen(scope));
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
return;
}
}
}
PromiseResult promise_result;
Rval rval = opts.cp_save->rval;
if (rval.item != NULL)
{
FnCall *fp = (FnCall *) rval.item;
if (opts.cp_save->rval.type == RVAL_TYPE_FNCALL)
{
if (existing_var_type != DATA_TYPE_NONE)
{
// Already did this
free(scope);
BufferDestroy(&qualified_scope);
return;
}
FnCallResult res = FnCallEvaluate(ctx, fp, pp);
if (res.status == FNCALL_FAILURE)
{
/* We do not assign variables to failed fn calls */
RvalDestroy(res.rval);
free(scope);
BufferDestroy(&qualified_scope);
return;
}
else
{
rval = res.rval;
}
}
else
{
Buffer *conv = BufferNew();
if (strcmp(opts.cp_save->lval, "int") == 0)
{
result = BufferPrintf(conv, "%ld", IntFromString(opts.cp_save->rval.item));
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&qualified_scope);
BufferDestroy(&conv);
return;
}
rval = RvalCopy((Rval) {(char *)BufferData(conv), opts.cp_save->rval.type});
}
else if (strcmp(opts.cp_save->lval, "real") == 0)
{
double real_value = 0.0;
if (DoubleFromString(opts.cp_save->rval.item, &real_value))
{
result = BufferPrintf(conv, "%lf", real_value);
}
else
{
result = BufferPrintf(conv, "(double conversion error)");
}
if (result < 0)
{
/*
* Even though there will be no problems with memory allocation, there
* might be other problems.
*/
UnexpectedError("Problems writing to buffer");
free(scope);
BufferDestroy(&conv);
BufferDestroy(&qualified_scope);
return;
}
rval = RvalCopy((Rval) {(char *)BufferData(conv), opts.cp_save->rval.type});
}
else
{
rval = RvalCopy(opts.cp_save->rval);
}
if (rval.type == RVAL_TYPE_LIST)
{
Rlist *rval_list = RvalRlistValue(rval);
RlistFlatten(ctx, &rval_list);
rval.item = rval_list;
}
BufferDestroy(&conv);
}
if (Epimenides(ctx, PromiseGetBundle(pp)->name, pp->promiser, rval, 0))
{
Log(LOG_LEVEL_ERR, "Variable \"%s\" contains itself indirectly - an unkeepable promise", pp->promiser);
exit(1);
}
else
{
/* See if the variable needs recursively expanding again */
Rval returnval = EvaluateFinalRval(ctx, BufferData(qualified_scope), rval, true, pp);
RvalDestroy(rval);
// freed before function exit
rval = returnval;
}
if (existing_var_type != DATA_TYPE_NONE)
{
if (opts.ok_redefine) /* only on second iteration, else we ignore broken promises */
{
ScopeDeleteVariable(BufferData(qualified_scope), pp->promiser);
}
else if ((THIS_AGENT_TYPE == AGENT_TYPE_COMMON) && (CompareRval(existing_var_rval, rval) == false))
{
switch (rval.type)
{
case RVAL_TYPE_SCALAR:
Log(LOG_LEVEL_VERBOSE, "Redefinition of a constant scalar \"%s\" (was %s now %s)",
pp->promiser, RvalScalarValue(existing_var_rval), RvalScalarValue(rval));
PromiseRef(LOG_LEVEL_VERBOSE, pp);
break;
case RVAL_TYPE_LIST:
{
Log(LOG_LEVEL_VERBOSE, "Redefinition of a constant list \"%s\".", pp->promiser);
Writer *w = StringWriter();
RlistWrite(w, existing_var_rval.item);
char *oldstr = StringWriterClose(w);
Log(LOG_LEVEL_VERBOSE, "Old value: %s", oldstr);
free(oldstr);
w = StringWriter();
RlistWrite(w, rval.item);
char *newstr = StringWriterClose(w);
Log(LOG_LEVEL_VERBOSE, " New value: %s", newstr);
free(newstr);
PromiseRef(LOG_LEVEL_VERBOSE, pp);
}
break;
default:
break;
}
}
}
if (IsCf3VarString(pp->promiser))
{
// Unexpanded variables, we don't do anything with
RvalDestroy(rval);
free(scope);
BufferDestroy(&qualified_scope);
return;
}
if (!FullTextMatch("[a-zA-Z0-9_\200-\377.]+(\\[.+\\])*", pp->promiser))
{
Log(LOG_LEVEL_ERR, "Variable identifier contains illegal characters");
PromiseRef(LOG_LEVEL_ERR, pp);
RvalDestroy(rval);
free(scope);
BufferDestroy(&qualified_scope);
return;
}
if (opts.drop_undefined && rval.type == RVAL_TYPE_LIST)
{
for (Rlist *rp = rval.item; rp != NULL; rp = rp->next)
{
if (IsNakedVar(rp->item, '@'))
{
free(rp->item);
rp->item = xstrdup(CF_NULL_VALUE);
}
}
}
if (!EvalContextVariablePut(ctx, (VarRef) { NULL, BufferData(qualified_scope), pp->promiser }, rval, DataTypeFromString(opts.cp_save->lval)))
{
Log(LOG_LEVEL_VERBOSE, "Unable to converge %s.%s value (possibly empty or infinite regression)", BufferData(qualified_scope), pp->promiser);
PromiseRef(LOG_LEVEL_VERBOSE, pp);
promise_result = PROMISE_RESULT_FAIL;
}
else
{
promise_result = PROMISE_RESULT_CHANGE;
}
}
else
{
Log(LOG_LEVEL_ERR, "Variable %s has no promised value", pp->promiser);
Log(LOG_LEVEL_ERR, "Rule from %s at/before line %zu", PromiseGetBundle(pp)->source_path, opts.cp_save->offset.line);
promise_result = PROMISE_RESULT_FAIL;
}
/*
* FIXME: Variable promise are exempt from normal evaluation logic still, so
* they are not pushed to evaluation stack before being evaluated. Due to
* this reason, we cannot call cfPS here to set classes, as it will error
* out with ProgrammingError.
*
* In order to support 'classes' body for variables as well, we call
* ClassAuditLog explicitly.
*/
ClassAuditLog(ctx, pp, a, promise_result);
free(scope);
BufferDestroy(&qualified_scope);
RvalDestroy(rval);
}
static int NewSQLColumns(char *table, Rlist *columns, char ***name_table, char ***type_table, int **size_table,
int **done)
{
int i, no_of_cols = RlistLen(columns);
Rlist *cols, *rp;
*name_table = (char **) xmalloc(sizeof(char *) * (no_of_cols + 1));
*type_table = (char **) xmalloc(sizeof(char *) * (no_of_cols + 1));
*size_table = (int *) xmalloc(sizeof(int) * (no_of_cols + 1));
*done = (int *) xmalloc(sizeof(int) * (no_of_cols + 1));
for (i = 0, rp = columns; rp != NULL; rp = rp->next, i++)
{
(*done)[i] = 0;
cols = RlistFromSplitString(RlistScalarValue(rp), ',');
if (!cols)
{
Log(LOG_LEVEL_ERR, "No columns promised for table '%s' - makes no sense", table);
return false;
}
if (cols->val.item == NULL)
{
Log(LOG_LEVEL_ERR, "Malformed column promise for table '%s' - found not even a name", table);
free(*name_table);
free(*type_table);
free(*size_table);
free(*done);
return false;
}
(*name_table)[i] = xstrdup(RlistScalarValue(cols));
if (cols->next == NULL)
{
Log(LOG_LEVEL_ERR, "Malformed column '%s' promised for table '%s' - missing a type", (*name_table)[i],
table);
free(*name_table);
free(*type_table);
free(*size_table);
free(*done);
return false;
}
(*type_table)[i] = xstrdup(RlistScalarValue(cols->next));
if (cols->next->next == NULL)
{
(*size_table)[i] = 0;
}
else
{
if (cols->next->next->val.item)
{
(*size_table)[i] = IntFromString(RlistScalarValue(cols->next->next));
}
else
{
(*size_table)[i] = 0;
}
}
RlistDestroy(cols);
}
return true;
}
static void KeepControlPromises(EvalContext *ctx, Policy *policy, GenericAgentConfig *config)
{
Rval retval;
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdates(true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
PolicyResolve(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_server");
if (!EvalContextVariableGet(ctx, ref, &retval, NULL))
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in server control body", cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
{
DENYBADCLOCKS = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting denybadclocks to '%s'", DENYBADCLOCKS ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
{
LOGENCRYPT = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting logencrypt to '%s'", LOGENCRYPT ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
{
SV.logconns = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting logconns to %d", SV.logconns);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
{
CFD_MAXPROCESSES = (int) IntFromString(retval.item);
MAXTRIES = CFD_MAXPROCESSES / 3;
Log(LOG_LEVEL_VERBOSE, "Setting maxconnections to %d", CFD_MAXPROCESSES);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
{
COLLECT_INTERVAL = (int) 60 * IntFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting call_collect_interval to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
{
SERVER_LISTEN = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting server listen to '%s' ",
(SERVER_LISTEN)? "true":"false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
{
COLLECT_WINDOW = (int) IntFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting collect_window to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
{
strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
Log(LOG_LEVEL_VERBOSE, "Setting cfruncommand to '%s'", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting allowing connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, rp->item))
{
AppendItem(&SV.nonattackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting denying connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, rp->item))
{
AppendItem(&SV.attackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting skip verify connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.skipverify, rp->item))
{
AppendItem(&SV.skipverify, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting allowing multiple connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, rp->item))
{
AppendItem(&SV.multiconnlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "SET Allowing users ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, rp->item))
{
AppendItem(&SV.allowuserlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting trust keys from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, rp->item))
{
AppendItem(&SV.trustkeylist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
{
SHORT_CFENGINEPORT = (short) IntFromString(retval.item);
strncpy(STR_CFENGINEPORT, retval.item, 15);
Log(LOG_LEVEL_VERBOSE, "Setting default portnumber to %u = %s = %s", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT,
RvalScalarValue(retval));
SHORT_CFENGINEPORT = htons((short) IntFromString(retval.item));
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
Log(LOG_LEVEL_VERBOSE, "Setting bindtointerface to '%s'", BINDINTERFACE);
continue;
}
}
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST, &retval))
{
/* Don't resolve syslog_host now, better do it per log request. */
if (!SetSyslogHost(retval.item))
{
Log(LOG_LEVEL_ERR, "Failed to set syslog_host, '%s' too long",
(char *) retval.item);
}
else
{
Log(LOG_LEVEL_VERBOSE, "Setting syslog_host to '%s'",
(char *) retval.item);
}
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT, &retval))
{
SetSyslogPort(IntFromString(retval.item));
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE, &retval))
{
FIPS_MODE = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting FIPS mode to to '%s'", FIPS_MODE ? "true" : "false");
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval))
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
static void KeepControlPromises(EvalContext *ctx, const Policy *policy, GenericAgentConfig *config)
{
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdatesDefault(ctx, true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
PolicyResolve(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
#define IsControlBody(e) (strcmp(cp->lval, CFS_CONTROLBODY[e].lval) == 0)
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_server");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR,
"Unknown lval '%s' in server control body",
cp->lval);
}
else if (IsControlBody(SERVER_CONTROL_SERVER_FACILITY))
{
SetFacility(value);
}
else if (IsControlBody(SERVER_CONTROL_DENY_BAD_CLOCKS))
{
DENYBADCLOCKS = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting denybadclocks to '%s'",
DENYBADCLOCKS ? "true" : "false");
}
else if (IsControlBody(SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS))
{
LOGENCRYPT = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting logencrypt to '%s'",
LOGENCRYPT ? "true" : "false");
}
else if (IsControlBody(SERVER_CONTROL_LOG_ALL_CONNECTIONS))
{
SV.logconns = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting logconns to %d", SV.logconns);
}
else if (IsControlBody(SERVER_CONTROL_MAX_CONNECTIONS))
{
CFD_MAXPROCESSES = (int) IntFromString(value);
MAXTRIES = CFD_MAXPROCESSES / 3;
Log(LOG_LEVEL_VERBOSE,
"Setting maxconnections to %d",
CFD_MAXPROCESSES);
/* The handling of max_readers in LMDB is not ideal, but
* here is how it is right now: We know that both cf-serverd and
* cf-hub will access the lastseen database. Worst case every
* single thread and process will do it at the same time, and
* this has in fact been observed. So we add the maximum of
* those two values together to provide a safe ceiling. In
* addition, cf-agent can access the database occasionally as
* well, so add a few extra for that too. */
DBSetMaximumConcurrentTransactions(CFD_MAXPROCESSES
+ EnterpriseGetMaxCfHubProcesses() + 10);
continue;
}
else if (IsControlBody(SERVER_CONTROL_CALL_COLLECT_INTERVAL))
{
COLLECT_INTERVAL = (int) 60 * IntFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting call_collect_interval to %d (seconds)",
COLLECT_INTERVAL);
}
else if (IsControlBody(SERVER_CONTROL_LISTEN))
{
SERVER_LISTEN = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting server listen to '%s' ",
SERVER_LISTEN ? "true" : "false");
}
else if (IsControlBody(SERVER_CONTROL_CALL_COLLECT_WINDOW))
{
COLLECT_WINDOW = (int) IntFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting collect_window to %d (seconds)",
COLLECT_INTERVAL);
}
else if (IsControlBody(SERVER_CONTROL_CF_RUN_COMMAND))
{
strlcpy(CFRUNCOMMAND, value, sizeof(CFRUNCOMMAND));
Log(LOG_LEVEL_VERBOSE,
"Setting cfruncommand to '%s'",
CFRUNCOMMAND);
}
else if (IsControlBody(SERVER_CONTROL_ALLOW_CONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, RlistScalarValue(rp)))
{
PrependItem(&SV.nonattackerlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_DENY_CONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting denying connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, RlistScalarValue(rp)))
{
PrependItem(&SV.attackerlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_SKIP_VERIFY))
{
/* Skip. */
}
else if (IsControlBody(SERVER_CONTROL_ALLOW_ALL_CONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing multiple connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, RlistScalarValue(rp)))
{
PrependItem(&SV.multiconnlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_ALLOW_USERS))
{
Log(LOG_LEVEL_VERBOSE, "SET Allowing users ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, RlistScalarValue(rp)))
{
PrependItem(&SV.allowuserlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_TRUST_KEYS_FROM))
{
Log(LOG_LEVEL_VERBOSE, "Setting trust keys from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, RlistScalarValue(rp)))
{
PrependItem(&SV.trustkeylist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_ALLOWLEGACYCONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing legacy connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowlegacyconnects, RlistScalarValue(rp)))
{
PrependItem(&SV.allowlegacyconnects, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_PORT_NUMBER))
{
CFENGINE_PORT = IntFromString(value);
strlcpy(CFENGINE_PORT_STR, value, sizeof(CFENGINE_PORT_STR));
Log(LOG_LEVEL_VERBOSE, "Setting default port number to %d",
CFENGINE_PORT);
}
else if (IsControlBody(SERVER_CONTROL_BIND_TO_INTERFACE))
{
strlcpy(BINDINTERFACE, value, sizeof(BINDINTERFACE));
Log(LOG_LEVEL_VERBOSE, "Setting bindtointerface to '%s'", BINDINTERFACE);
}
else if (IsControlBody(SERVER_CONTROL_ALLOWCIPHERS))
{
SV.allowciphers = xstrdup(value);
Log(LOG_LEVEL_VERBOSE, "Setting allowciphers to '%s'", SV.allowciphers);
}
#undef IsControlBody
}
}
const void *value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST);
if (value)
{
/* Don't resolve syslog_host now, better do it per log request. */
if (!SetSyslogHost(value))
{
Log(LOG_LEVEL_ERR, "Failed to set syslog_host, '%s' too long", (const char *)value);
}
else
{
Log(LOG_LEVEL_VERBOSE, "Setting syslog_host to '%s'", (const char *)value);
}
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT);
if (value)
{
SetSyslogPort(IntFromString(value));
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE);
if (value)
{
FIPS_MODE = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting FIPS mode to to '%s'", FIPS_MODE ? "true" : "false");
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (value)
{
LASTSEENEXPIREAFTER = IntFromString(value) * 60;
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_BWLIMIT);
if (value)
{
double bval;
if (DoubleFromString(value, &bval))
{
bwlimit_kbytes = (uint32_t) ( bval / 1000.0);
Log(LOG_LEVEL_VERBOSE, "Setting rate limit to %d kBytes/sec", bwlimit_kbytes);
}
}
}
PromiseResult VerifyVarPromise(EvalContext *ctx, const Promise *pp, bool allow_duplicates)
{
ConvergeVariableOptions opts = CollectConvergeVariableOptions(ctx, pp, allow_duplicates);
if (!opts.should_converge)
{
return PROMISE_RESULT_NOOP;
}
Attributes a = { {0} };
// More consideration needs to be given to using these
//a.transaction = GetTransactionConstraints(pp);
a.classes = GetClassDefinitionConstraints(ctx, pp);
VarRef *ref = VarRefParseFromBundle(pp->promiser, PromiseGetBundle(pp));
if (strcmp("meta", pp->parent_promise_type->name) == 0)
{
VarRefSetMeta(ref, true);
}
DataType existing_value_type = CF_DATA_TYPE_NONE;
const void *const existing_value =
IsExpandable(pp->promiser) ? NULL : EvalContextVariableGet(ctx, ref, &existing_value_type);
PromiseResult result = PROMISE_RESULT_NOOP;
Rval rval = opts.cp_save->rval;
if (rval.item != NULL)
{
DataType data_type = DataTypeFromString(opts.cp_save->lval);
if (opts.cp_save->rval.type == RVAL_TYPE_FNCALL)
{
FnCall *fp = RvalFnCallValue(rval);
const FnCallType *fn = FnCallTypeGet(fp->name);
if (!fn)
{
assert(false && "Canary: should have been caught before this point");
FatalError(ctx, "While setting variable '%s' in bundle '%s', unknown function '%s'",
pp->promiser, PromiseGetBundle(pp)->name, fp->name);
}
if (fn->dtype != DataTypeFromString(opts.cp_save->lval))
{
FatalError(ctx, "While setting variable '%s' in bundle '%s', variable declared type '%s' but function '%s' returns type '%s'",
pp->promiser, PromiseGetBundle(pp)->name, opts.cp_save->lval,
fp->name, DataTypeToString(fn->dtype));
}
if (existing_value_type != CF_DATA_TYPE_NONE)
{
// Already did this
VarRefDestroy(ref);
return PROMISE_RESULT_NOOP;
}
FnCallResult res = FnCallEvaluate(ctx, PromiseGetPolicy(pp), fp, pp);
if (res.status == FNCALL_FAILURE)
{
/* We do not assign variables to failed fn calls */
RvalDestroy(res.rval);
VarRefDestroy(ref);
return PROMISE_RESULT_NOOP;
}
else
{
rval = res.rval;
}
}
else
{
Buffer *conv = BufferNew();
bool malformed = false, misprint = false;
if (strcmp(opts.cp_save->lval, "int") == 0)
{
long int asint = IntFromString(opts.cp_save->rval.item);
if (asint == CF_NOINT)
{
malformed = true;
}
else if (0 > BufferPrintf(conv, "%ld", asint))
{
misprint = true;
}
else
{
rval = RvalNew(BufferData(conv), opts.cp_save->rval.type);
}
}
else if (strcmp(opts.cp_save->lval, "real") == 0)
{
double real_value;
if (!DoubleFromString(opts.cp_save->rval.item, &real_value))
{
malformed = true;
}
else if (0 > BufferPrintf(conv, "%lf", real_value))
{
misprint = true;
}
else
{
rval = RvalNew(BufferData(conv), opts.cp_save->rval.type);
}
}
else
{
rval = RvalCopy(opts.cp_save->rval);
}
BufferDestroy(conv);
if (malformed)
{
/* Arises when opts->cp_save->rval.item isn't yet expanded. */
/* Has already been logged by *FromString */
VarRefDestroy(ref);
return PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
}
else if (misprint)
{
/* Even though no problems with memory allocation can
* get here, there might be other problems. */
UnexpectedError("Problems writing to buffer");
VarRefDestroy(ref);
return PROMISE_RESULT_NOOP;
}
else if (rval.type == RVAL_TYPE_LIST)
{
Rlist *rval_list = RvalRlistValue(rval);
RlistFlatten(ctx, &rval_list);
rval.item = rval_list;
}
}
if (Epimenides(ctx, PromiseGetBundle(pp)->ns, PromiseGetBundle(pp)->name, pp->promiser, rval, 0))
{
Log(LOG_LEVEL_ERR, "Variable '%s' contains itself indirectly - an unkeepable promise", pp->promiser);
exit(EXIT_FAILURE);
}
else
{
/* See if the variable needs recursively expanding again */
Rval returnval = EvaluateFinalRval(ctx, PromiseGetPolicy(pp), ref->ns, ref->scope, rval, true, pp);
RvalDestroy(rval);
// freed before function exit
rval = returnval;
}
if (existing_value_type != CF_DATA_TYPE_NONE)
{
if (!opts.ok_redefine) /* only on second iteration, else we ignore broken promises */
{
if (THIS_AGENT_TYPE == AGENT_TYPE_COMMON &&
!CompareRval(existing_value, DataTypeToRvalType(existing_value_type),
rval.item, rval.type))
{
switch (rval.type)
{
case RVAL_TYPE_SCALAR:
Log(LOG_LEVEL_VERBOSE, "Redefinition of a constant scalar '%s', was '%s' now '%s'",
pp->promiser, (const char *)existing_value, RvalScalarValue(rval));
PromiseRef(LOG_LEVEL_VERBOSE, pp);
break;
case RVAL_TYPE_LIST:
{
Log(LOG_LEVEL_VERBOSE, "Redefinition of a constant list '%s'", pp->promiser);
Writer *w = StringWriter();
RlistWrite(w, existing_value);
char *oldstr = StringWriterClose(w);
Log(LOG_LEVEL_VERBOSE, "Old value '%s'", oldstr);
free(oldstr);
w = StringWriter();
RlistWrite(w, rval.item);
char *newstr = StringWriterClose(w);
Log(LOG_LEVEL_VERBOSE, " New value '%s'", newstr);
free(newstr);
PromiseRef(LOG_LEVEL_VERBOSE, pp);
}
break;
case RVAL_TYPE_CONTAINER:
case RVAL_TYPE_FNCALL:
case RVAL_TYPE_NOPROMISEE:
break;
}
}
RvalDestroy(rval);
VarRefDestroy(ref);
return result;
}
}
if (IsCf3VarString(pp->promiser))
{
// Unexpanded variables, we don't do anything with
RvalDestroy(rval);
VarRefDestroy(ref);
return result;
}
if (!IsValidVariableName(pp->promiser))
{
Log(LOG_LEVEL_ERR, "Variable identifier contains illegal characters");
PromiseRef(LOG_LEVEL_ERR, pp);
RvalDestroy(rval);
VarRefDestroy(ref);
return result;
}
if (rval.type == RVAL_TYPE_LIST)
{
if (opts.drop_undefined)
{
for (Rlist *rp = RvalRlistValue(rval); rp; rp = rp->next)
{
if (IsNakedVar(RlistScalarValue(rp), '@'))
{
free(rp->val.item);
rp->val.item = xstrdup(CF_NULL_VALUE);
}
}
}
for (const Rlist *rp = RvalRlistValue(rval); rp; rp = rp->next)
{
switch (rp->val.type)
{
case RVAL_TYPE_SCALAR:
break;
default:
// Cannot assign variable because value is a list containing a non-scalar item
VarRefDestroy(ref);
RvalDestroy(rval);
return result;
}
}
}
if (ref->num_indices > 0)
{
if (data_type == CF_DATA_TYPE_CONTAINER)
{
char *lval_str = VarRefToString(ref, true);
Log(LOG_LEVEL_ERR, "Cannot assign a container to an indexed variable name '%s'. Should be assigned to '%s' instead",
lval_str, ref->lval);
free(lval_str);
VarRefDestroy(ref);
RvalDestroy(rval);
return result;
}
else
{
DataType existing_type = CF_DATA_TYPE_NONE;
VarRef *base_ref = VarRefCopyIndexless(ref);
if (EvalContextVariableGet(ctx, ref, &existing_type) && existing_type == CF_DATA_TYPE_CONTAINER)
{
char *lval_str = VarRefToString(ref, true);
char *base_ref_str = VarRefToString(base_ref, true);
Log(LOG_LEVEL_ERR, "Cannot assign value to indexed variable name '%s', because a container is already assigned to the base name '%s'",
lval_str, base_ref_str);
free(lval_str);
free(base_ref_str);
VarRefDestroy(base_ref);
VarRefDestroy(ref);
RvalDestroy(rval);
return result;
}
VarRefDestroy(base_ref);
}
}
DataType required_datatype = DataTypeFromString(opts.cp_save->lval);
if (rval.type != DataTypeToRvalType(required_datatype))
{
char *ref_str = VarRefToString(ref, true);
char *value_str = RvalToString(rval);
Log(LOG_LEVEL_ERR, "Variable '%s' expected a variable of type '%s', but was given incompatible value '%s'",
ref_str, DataTypeToString(required_datatype), value_str);
PromiseRef(LOG_LEVEL_ERR, pp);
free(ref_str);
free(value_str);
VarRefDestroy(ref);
RvalDestroy(rval);
return PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
}
if (!EvalContextVariablePut(ctx, ref, rval.item, required_datatype, "source=promise"))
{
Log(LOG_LEVEL_VERBOSE,
"Unable to converge %s.%s value (possibly empty or infinite regression)",
ref->scope, pp->promiser);
PromiseRef(LOG_LEVEL_VERBOSE, pp);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
}
else
{
Rlist *promise_meta = PromiseGetConstraintAsList(ctx, "meta", pp);
if (promise_meta)
{
StringSet *class_meta = EvalContextVariableTags(ctx, ref);
Buffer *print;
for (const Rlist *rp = promise_meta; rp; rp = rp->next)
{
StringSetAdd(class_meta, xstrdup(RlistScalarValue(rp)));
print = StringSetToBuffer(class_meta, ',');
Log(LOG_LEVEL_DEBUG,
"Added tag %s to class %s, tags now [%s]",
RlistScalarValue(rp), pp->promiser, BufferData(print));
BufferDestroy(print);
}
}
}
}
else
{
Log(LOG_LEVEL_ERR, "Variable %s has no promised value", pp->promiser);
Log(LOG_LEVEL_ERR, "Rule from %s at/before line %llu",
PromiseGetBundle(pp)->source_path,
(unsigned long long)opts.cp_save->offset.line);
result = PromiseResultUpdate(result, PROMISE_RESULT_FAIL);
}
/*
* FIXME: Variable promise are exempt from normal evaluation logic still, so
* they are not pushed to evaluation stack before being evaluated. Due to
* this reason, we cannot call cfPS here to set classes, as it will error
* out with ProgrammingError.
*
* In order to support 'classes' body for variables as well, we call
* ClassAuditLog explicitly.
*/
ClassAuditLog(ctx, pp, a, result);
VarRefDestroy(ref);
RvalDestroy(rval);
return result;
}
static int NewSQLColumns(char *table, Rlist *columns, char ***name_table, char ***type_table, int **size_table,
int **done)
{
int i, no_of_cols = RlistLen(columns);
Rlist *cols, *rp;
*name_table = (char **) xmalloc(sizeof(char *) * (no_of_cols + 1));
*type_table = (char **) xmalloc(sizeof(char *) * (no_of_cols + 1));
*size_table = (int *) xmalloc(sizeof(int) * (no_of_cols + 1));
*done = (int *) xmalloc(sizeof(int) * (no_of_cols + 1));
for (i = 0, rp = columns; rp != NULL; rp = rp->next, i++)
{
(*done)[i] = 0;
cols = RlistFromSplitString((char *) rp->item, ',');
if (!cols)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "No columns promised for table \"%s\" - makes no sense", table);
return false;
}
if (cols->item == NULL)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Malformed column promise for table \"%s\" - found not even a name", table);
free(*name_table);
free(*type_table);
free(*size_table);
free(*done);
return false;
}
(*name_table)[i] = xstrdup((char *) cols->item);
if (cols->next == NULL)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Malformed column \"%s\" promised for table \"%s\" - missing a type", (*name_table)[i],
table);
free(*name_table);
free(*type_table);
free(*size_table);
free(*done);
return false;
}
(*type_table)[i] = xstrdup(cols->next->item);
if (cols->next->next == NULL)
{
(*size_table)[i] = 0;
}
else
{
if (cols->next->next->item)
{
(*size_table)[i] = IntFromString(cols->next->next->item);
}
else
{
(*size_table)[i] = 0;
}
}
RlistDestroy(cols);
}
return true;
}
ExecConfig *ExecConfigNew(bool scheduled_run, const EvalContext *ctx, const Policy *policy)
{
ExecConfig *exec_config = xcalloc(1, sizeof(ExecConfig));
exec_config->scheduled_run = scheduled_run;
exec_config->exec_command = xstrdup("");
exec_config->agent_expireafter = 2 * 60; /* two hours */
exec_config->mail_server = xstrdup("");
exec_config->mail_from_address = xstrdup("");
exec_config->mail_to_address = xstrdup("");
exec_config->mail_subject = xstrdup("");
exec_config->mail_max_lines = 30;
exec_config->mailfilter_include = SeqNew(0, &free);
exec_config->mailfilter_include_regex = SeqNew(0, &RegexFree);
exec_config->mailfilter_exclude = SeqNew(0, &free);
exec_config->mailfilter_exclude_regex = SeqNew(0, &RegexFree);
exec_config->fq_name = xstrdup(VFQNAME);
exec_config->ip_address = xstrdup(VIPADDRESS);
exec_config->ip_addresses = GetIpAddresses(ctx);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_executor");
DataType t;
const void *value = EvalContextVariableGet(ctx, ref, &t);
VarRefDestroy(ref);
if (t == CF_DATA_TYPE_NONE)
{
ProgrammingError("Unknown attribute '%s' in control body,"
" should have already been stopped by the parser",
cp->lval);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailfrom '%s'", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailto '%s'", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILSUBJECT].lval) == 0)
{
free(exec_config->mail_subject);
exec_config->mail_subject = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailsubject '%s'", exec_config->mail_subject);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "smtpserver '%s'", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "exec_command '%s'", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "agent_expireafter %d", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "maxlines %d", exec_config->mail_max_lines);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFILTER_INCLUDE].lval) == 0)
{
SeqDestroy(exec_config->mailfilter_include);
SeqDestroy(exec_config->mailfilter_include_regex);
RlistMailFilterFill(value, &exec_config->mailfilter_include,
&exec_config->mailfilter_include_regex, "include");
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFILTER_EXCLUDE].lval) == 0)
{
SeqDestroy(exec_config->mailfilter_exclude);
SeqDestroy(exec_config->mailfilter_exclude_regex);
RlistMailFilterFill(value, &exec_config->mailfilter_exclude,
&exec_config->mailfilter_exclude_regex, "exclude");
}
}
}
return exec_config;
}
static int HailServer(EvalContext *ctx, char *host)
{
AgentConnection *conn;
char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE],
digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
bool gotkey;
char reply[8];
FileCopy fc = {
.portnumber = (unsigned short) ParseHostname(host, peer),
};
char ipaddr[CF_MAX_IP_LEN];
if (Hostname2IPString(ipaddr, peer, sizeof(ipaddr)) == -1)
{
Log(LOG_LEVEL_ERR,
"HailServer: ERROR, could not resolve '%s'", peer);
return false;
}
Address2Hostkey(ipaddr, digest);
GetCurrentUserName(user, CF_SMALLBUF);
if (INTERACTIVE)
{
Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");
gotkey = HavePublicKey(user, peer, digest) != NULL;
if (!gotkey)
{
gotkey = HavePublicKey(user, ipaddr, digest) != NULL;
}
if (!gotkey)
{
printf("WARNING - You do not have a public key from host %s = %s\n",
host, ipaddr);
printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");
while (true)
{
if (fgets(reply, sizeof(reply), stdin) == NULL)
{
FatalError(ctx, "EOF trying to read answer from terminal");
}
if (Chop(reply, CF_EXPANDSIZE) == -1)
{
Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
}
if (strcmp(reply, "yes") == 0)
{
printf("Will trust the key...\n");
fc.trustkey = true;
break;
}
else if (strcmp(reply, "no") == 0)
{
printf("Will not trust the key...\n");
fc.trustkey = false;
break;
}
else
{
printf("Please reply yes or no...(%s)\n", reply);
}
}
}
}
/* Continue */
#ifdef __MINGW32__
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_INFO, "...........................................................................");
Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
Log(LOG_LEVEL_INFO, "...........................................................................");
}
else
{
Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
#else /* !__MINGW32__ */
if (BACKGROUND)
{
Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (parallel)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
else
{
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_INFO, "...........................................................................");
Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
Log(LOG_LEVEL_INFO, "...........................................................................");
}
else
{
Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
}
#endif /* !__MINGW32__ */
fc.servers = RlistFromSplitString(peer, '*');
if (fc.servers == NULL || strcmp(RlistScalarValue(fc.servers), "localhost") == 0)
{
Log(LOG_LEVEL_INFO, "No hosts are registered to connect to");
return false;
}
else
{
int err = 0;
conn = NewServerConnection(fc, false, &err, -1);
if (conn == NULL)
{
RlistDestroy(fc.servers);
Log(LOG_LEVEL_VERBOSE, "No suitable server responded to hail");
return false;
}
}
/* Check trust interaction*/
HailExec(conn, peer, recvbuffer, sendbuffer);
RlistDestroy(fc.servers);
return true;
}
/********************************************************************/
/* Level 2 */
/********************************************************************/
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
Log(LOG_LEVEL_WARNING,
"'background_children' setting from 'body runagent control' is overridden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(value);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(value))
{
strncpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE - 1);
Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = value;
}
continue;
}
}
}
const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (expire_after)
{
LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
}
}
void KeepControlPromises(Policy *policy)
{
Rval retval;
Rlist *rp;
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_AGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
if (GetVariable("control_common", cp->lval, &retval) != DATA_TYPE_NONE)
{
/* Already handled in generic_agent */
continue;
}
if (GetVariable("control_agent", cp->lval, &retval) == DATA_TYPE_NONE)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in agent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_maxconnections].lval) == 0)
{
CFA_MAXTHREADS = (int) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET maxconnections = %d\n", CFA_MAXTHREADS);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0)
{
CF_PERSISTENCE = (int) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET checksum_alert_time = %d\n", CF_PERSISTENCE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentfacility].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentaccess].lval) == 0)
{
ACCESSLIST = (Rlist *) retval.item;
CheckAgentAccess(ACCESSLIST, InputFiles(policy));
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0)
{
Rlist *rp;
if (VERBOSE)
{
printf("%s> SET refresh_processes when starting: ", VPREFIX);
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
printf(" %s", (char *) rp->item);
PrependItem(&PROCESSREFRESH, rp->item, NULL);
}
printf("\n");
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortclasses].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Abort classes from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
char name[CF_MAXVARSIZE] = "";
strncpy(name, rp->item, CF_MAXVARSIZE - 1);
AddAbortClass(name, cp->classes);
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Abort bundle classes from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
char name[CF_MAXVARSIZE] = "";
strncpy(name, rp->item, CF_MAXVARSIZE - 1);
if (!IsItemIn(ABORTBUNDLEHEAP, name))
{
AppendItem(&ABORTBUNDLEHEAP, name, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_addclasses].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "-> Add classes ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> ... %s\n", RlistScalarValue(rp));
NewClass(rp->item, NULL);
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_auditing].lval) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "This option does nothing and is retained for compatibility reasons");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0)
{
ALWAYS_VALIDATE = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET alwaysvalidate = %d\n", ALWAYS_VALIDATE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_allclassesreport].lval) == 0)
{
ALLCLASSESREPORT = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET allclassesreport = %d\n", ALLCLASSESREPORT);
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_secureinput].lval) == 0)
{
CFPARANOID = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET secure input = %d\n", CFPARANOID);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "binarypaddingchar is obsolete and does nothing\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET bindtointerface = %s\n", BINDINTERFACE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_hashupdates].lval) == 0)
{
bool enabled = BooleanFromString(retval.item);
SetChecksumUpdates(enabled);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET ChecksumUpdates %d\n", enabled);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_exclamation].lval) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "exclamation control is deprecated and does not do anything\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_childlibpath].lval) == 0)
{
char output[CF_BUFSIZE];
snprintf(output, CF_BUFSIZE, "LD_LIBRARY_PATH=%s", (char *) retval.item);
if (putenv(xstrdup(output)) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Setting %s\n", output);
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0)
{
DEFAULT_COPYTYPE = (char *) retval.item;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET defaultcopytype = %s\n", DEFAULT_COPYTYPE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0)
{
SINGLE_COPY_LIST = (Rlist *) retval.item;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET file single copy list\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fautodefine].lval) == 0)
{
SetFileAutoDefineList(RvalRlistValue(retval));
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET file auto define list\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_dryrun].lval) == 0)
{
DONTDO = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET dryrun = %c\n", DONTDO);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_inform].lval) == 0)
{
INFORM = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET inform = %c\n", INFORM);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_verbose].lval) == 0)
{
VERBOSE = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET inform = %c\n", VERBOSE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repository].lval) == 0)
{
SetRepositoryLocation(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET repository = %s\n", RvalScalarValue(retval));
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_skipidentify].lval) == 0)
{
bool enabled = BooleanFromString(retval.item);
SetSkipIdentify(enabled);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET skipidentify = %d\n", (int) enabled);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0)
{
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
AddFilenameToListOfSuspicious(RlistScalarValue(rp));
CfOut(OUTPUT_LEVEL_VERBOSE, "", "-> Considering %s as suspicious file", RlistScalarValue(rp));
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repchar].lval) == 0)
{
char c = *(char *) retval.item;
SetRepositoryChar(c);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET repchar = %c\n", c);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0)
{
CF_MOUNTALL = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET mountfilesystems = %d\n", CF_MOUNTALL);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_editfilesize].lval) == 0)
{
EDITFILESIZE = IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET EDITFILESIZE = %d\n", EDITFILESIZE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0)
{
VIFELAPSED = IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET ifelapsed = %d\n", VIFELAPSED);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_expireafter].lval) == 0)
{
VEXPIREAFTER = IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET ifelapsed = %d\n", VEXPIREAFTER);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_timeout].lval) == 0)
{
CONNTIMEOUT = IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET timeout = %jd\n", (intmax_t) CONNTIMEOUT);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_max_children].lval) == 0)
{
CFA_BACKGROUND_LIMIT = IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET MAX_CHILDREN = %d\n", CFA_BACKGROUND_LIMIT);
if (CFA_BACKGROUND_LIMIT > 10)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Silly value for max_children in agent control promise (%d > 10)",
CFA_BACKGROUND_LIMIT);
CFA_BACKGROUND_LIMIT = 1;
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_syslog].lval) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET syslog = %d\n", BooleanFromString(retval.item));
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_environment].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET environment variables from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (putenv(rp->item) != 0)
{
CfOut(OUTPUT_LEVEL_ERROR, "putenv", "Failed to set environment variable %s", RlistScalarValue(rp));
}
}
continue;
}
}
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != DATA_TYPE_NONE)
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != DATA_TYPE_NONE)
{
FIPS_MODE = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != DATA_TYPE_NONE)
{
SetSyslogPort(IntFromString(retval.item));
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET syslog_port to %s", RvalScalarValue(retval));
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != DATA_TYPE_NONE)
{
SetSyslogHost(Hostname2IPString(retval.item));
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET syslog_host to %s", Hostname2IPString(retval.item));
}
#ifdef HAVE_NOVA
Nova_Initialize();
#endif
}
static void KeepControlPromises(Policy *policy)
{
Rval retval;
RUNATTR.copy.trustkey = false;
RUNATTR.copy.encrypt = true;
RUNATTR.copy.force_ipv4 = false;
RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;
/* Keep promised agent behaviour - control bodies */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
if (GetVariable("control_runagent", cp->lval, &retval) == DATA_TYPE_NONE)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
RUNATTR.copy.force_ipv4 = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
RUNATTR.copy.trustkey = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
RUNATTR.copy.encrypt = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
RUNATTR.copy.portnumber = (short) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
CfOut(OUTPUT_LEVEL_ERROR, "",
"Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(retval.item);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(retval.item))
{
strncpy(OUTPUT_DIRECTORY, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
RUNATTR.copy.timeout = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = retval.item;
}
continue;
}
}
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != DATA_TYPE_NONE)
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
ExecConfig *ExecConfigNew(bool scheduled_run, const EvalContext *ctx, const Policy *policy)
{
ExecConfig *exec_config = xcalloc(1, sizeof(ExecConfig));
exec_config->scheduled_run = scheduled_run;
exec_config->exec_command = xstrdup("");
exec_config->agent_expireafter = 2 * 60; /* two hours */
exec_config->mail_server = xstrdup("");
exec_config->mail_from_address = xstrdup("");
exec_config->mail_to_address = xstrdup("");
exec_config->mail_subject = xstrdup("");
exec_config->mail_max_lines = 30;
exec_config->fq_name = xstrdup(VFQNAME);
exec_config->ip_address = xstrdup(VIPADDRESS);
exec_config->ip_addresses = GetIpAddresses(ctx);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_executor");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
if (!value)
{
/* Has already been checked by the parser. */
ProgrammingError(
"Unknown attribute in body executor control: %s",
cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailfrom '%s'", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailto '%s'", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILSUBJECT].lval) == 0)
{
free(exec_config->mail_subject);
exec_config->mail_subject = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailsubject '%s'", exec_config->mail_subject);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "smtpserver '%s'", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "exec_command '%s'", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "agent_expireafter %d", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "maxlines %d", exec_config->mail_max_lines);
}
}
}
return exec_config;
}
static int EvalClassExpression(EvalContext *ctx, Constraint *cp, const Promise *pp)
{
assert(pp);
int result_and = true;
int result_or = false;
int result_xor = 0;
int result = 0, total = 0;
char buffer[CF_MAXVARSIZE];
Rlist *rp;
if (cp == NULL) // ProgrammingError ? We'll crash RSN anyway ...
{
Log(LOG_LEVEL_ERR, "EvalClassExpression internal diagnostic discovered an ill-formed condition");
}
if (!IsDefinedClass(ctx, pp->classes))
{
return false;
}
if (IsDefinedClass(ctx, pp->promiser))
{
if (PromiseGetConstraintAsInt(ctx, "persistence", pp) == 0)
{
Log(LOG_LEVEL_VERBOSE, " ?> Cancelling cached persistent class %s", pp->promiser);
EvalContextHeapPersistentRemove(pp->promiser);
}
return false;
}
switch (cp->rval.type)
{
Rval rval;
FnCall *fp;
case RVAL_TYPE_FNCALL:
fp = RvalFnCallValue(cp->rval);
/* Special expansion of functions for control, best effort only: */
FnCallResult res = FnCallEvaluate(ctx, PromiseGetPolicy(pp), fp, pp);
FnCallDestroy(fp);
cp->rval = res.rval;
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
rval = EvaluateFinalRval(ctx, PromiseGetPolicy(pp), NULL, "this", rp->val, true, pp);
RvalDestroy(rp->val);
rp->val = rval;
}
break;
default:
rval = ExpandPrivateRval(ctx, NULL, "this", cp->rval.item, cp->rval.type);
RvalDestroy(cp->rval);
cp->rval = rval;
break;
}
if (strcmp(cp->lval, "expression") == 0)
{
return (cp->rval.type == RVAL_TYPE_SCALAR &&
IsDefinedClass(ctx, RvalScalarValue(cp->rval)));
}
if (strcmp(cp->lval, "not") == 0)
{
return (cp->rval.type == RVAL_TYPE_SCALAR &&
!IsDefinedClass(ctx, RvalScalarValue(cp->rval)));
}
// Class selection
if (strcmp(cp->lval, "select_class") == 0)
{
char splay[CF_MAXVARSIZE];
int i, n;
double hash;
total = 0;
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
total++;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "No classes to select on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
snprintf(splay, CF_MAXVARSIZE, "%s+%s+%ju", VFQNAME, VIPADDRESS, (uintmax_t)getuid());
hash = (double) StringHash(splay, 0, CF_HASHTABLESIZE);
n = (int) (total * hash / (double) CF_HASHTABLESIZE);
for (rp = (Rlist *) cp->rval.item, i = 0; rp != NULL; rp = rp->next, i++)
{
if (i == n)
{
EvalContextClassPutSoft(ctx, RlistScalarValue(rp), CONTEXT_SCOPE_NAMESPACE, "source=promise");
return true;
}
}
}
/* If we get here, anything remaining on the RHS must be a clist */
if (cp->rval.type != RVAL_TYPE_LIST)
{
Log(LOG_LEVEL_ERR, "RHS of promise body attribute '%s' is not a list", cp->lval);
PromiseRef(LOG_LEVEL_ERR, pp);
return true;
}
// Class distributions
if (strcmp(cp->lval, "dist") == 0)
{
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
result = IntFromString(RlistScalarValue(rp));
if (result < 0)
{
Log(LOG_LEVEL_ERR, "Non-positive integer in class distribution");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
total += result;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "An empty distribution was specified on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
double fluct = drand48();
double cum = 0.0;
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
double prob = ((double) IntFromString(RlistScalarValue(rp))) / ((double) total);
cum += prob;
if (fluct < cum)
{
break;
}
}
snprintf(buffer, CF_MAXVARSIZE - 1, "%s_%s", pp->promiser, RlistScalarValue(rp));
if (strcmp(PromiseGetBundle(pp)->type, "common") == 0)
{
EvalContextClassPutSoft(ctx, buffer, CONTEXT_SCOPE_NAMESPACE, "source=promise");
}
else
{
EvalContextClassPutSoft(ctx, buffer, CONTEXT_SCOPE_BUNDLE, "source=promise");
}
return true;
}
/* and/or/xor expressions */
enum {
c_or = 0, c_and, c_xor
} logic;
if (strcmp(cp->lval, "or") == 0)
{
logic = c_or;
}
else if (strcmp(cp->lval, "and") == 0)
{
logic = c_and;
}
else if (strcmp(cp->lval, "xor") == 0)
{
logic = c_xor;
}
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
// tolerate unexpanded entries here and interpret as "class not set"
if (rp->val.type != RVAL_TYPE_SCALAR)
{
result = false;
}
else
{
result = IsDefinedClass(ctx, RlistScalarValue(rp));
}
// shortcut and and or
switch (logic)
{
case c_or:
if (result)
{
return true;
}
break;
case c_and:
if (!result)
{
return false;
}
break;
default:
break;
}
result_and = result_and && result;
result_or = result_or || result;
result_xor ^= result;
}
// Class combinations
switch (logic)
{
case c_or:
return result_or;
case c_xor:
return result_xor == 1;
case c_and:
return result_and;
}
return false;
}
static void KeepControlPromises(EvalContext *ctx, const Policy *policy, GenericAgentConfig *config)
{
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdatesDefault(ctx, true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
PolicyResolve(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_server");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in server control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
{
SetFacility(value);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
{
DENYBADCLOCKS = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting denybadclocks to '%s'", DENYBADCLOCKS ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
{
LOGENCRYPT = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting logencrypt to '%s'", LOGENCRYPT ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
{
SV.logconns = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting logconns to %d", SV.logconns);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
{
CFD_MAXPROCESSES = (int) IntFromString(value);
MAXTRIES = CFD_MAXPROCESSES / 3;
Log(LOG_LEVEL_VERBOSE, "Setting maxconnections to %d", CFD_MAXPROCESSES);
#ifdef LMDB
static int LSD_MAXREADERS = 0;
if (LSD_MAXREADERS < CFD_MAXPROCESSES)
{
int rc = UpdateLastSeenMaxReaders(CFD_MAXPROCESSES);
if (rc == 0)
{
LSD_MAXREADERS = CFD_MAXPROCESSES;
}
}
#endif
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
{
COLLECT_INTERVAL = (int) 60 * IntFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting call_collect_interval to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
{
SERVER_LISTEN = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting server listen to '%s' ",
(SERVER_LISTEN)? "true":"false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
{
COLLECT_WINDOW = (int) IntFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting collect_window to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
{
strlcpy(CFRUNCOMMAND, value, sizeof(CFRUNCOMMAND));
Log(LOG_LEVEL_VERBOSE, "Setting cfruncommand to '%s'", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, RlistScalarValue(rp)))
{
AppendItem(&SV.nonattackerlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting denying connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, RlistScalarValue(rp)))
{
AppendItem(&SV.attackerlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing multiple connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, RlistScalarValue(rp)))
{
AppendItem(&SV.multiconnlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "SET Allowing users ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, RlistScalarValue(rp)))
{
AppendItem(&SV.allowuserlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting trust keys from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, RlistScalarValue(rp)))
{
AppendItem(&SV.trustkeylist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOWLEGACYCONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing legacy connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowlegacyconnects, RlistScalarValue(rp)))
{
AppendItem(&SV.allowlegacyconnects, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
{
CFENGINE_PORT = IntFromString(value);
strlcpy(CFENGINE_PORT_STR, value, sizeof(CFENGINE_PORT_STR));
Log(LOG_LEVEL_VERBOSE, "Setting default port number to %d",
CFENGINE_PORT);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
{
strlcpy(BINDINTERFACE, value, sizeof(BINDINTERFACE));
Log(LOG_LEVEL_VERBOSE, "Setting bindtointerface to '%s'", BINDINTERFACE);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOWCIPHERS].lval) == 0)
{
SV.allowciphers = xstrdup(value);
Log(LOG_LEVEL_VERBOSE, "Setting allowciphers to '%s'", SV.allowciphers);
continue;
}
}
}
const void *value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST);
if (value)
{
/* Don't resolve syslog_host now, better do it per log request. */
if (!SetSyslogHost(value))
{
Log(LOG_LEVEL_ERR, "Failed to set syslog_host, '%s' too long", (const char *)value);
}
else
{
Log(LOG_LEVEL_VERBOSE, "Setting syslog_host to '%s'", (const char *)value);
}
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT);
if (value)
{
SetSyslogPort(IntFromString(value));
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE);
if (value)
{
FIPS_MODE = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting FIPS mode to to '%s'", FIPS_MODE ? "true" : "false");
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (value)
{
LASTSEENEXPIREAFTER = IntFromString(value) * 60;
}
}
static int HailServer(EvalContext *ctx, char *host)
{
AgentConnection *conn;
char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE],
digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
bool gotkey;
char reply[8];
FileCopy fc = {
.portnumber = (short) ParseHostname(host, peer),
};
snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
Address2Hostkey(ipv4, digest);
GetCurrentUserName(user, CF_SMALLBUF);
if (INTERACTIVE)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Using interactive key trust...\n");
gotkey = HavePublicKey(user, peer, digest) != NULL;
if (!gotkey)
{
gotkey = HavePublicKey(user, ipv4, digest) != NULL;
}
if (!gotkey)
{
printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");
while (true)
{
if (fgets(reply, 8, stdin) == NULL)
{
FatalError(ctx, "EOF trying to read answer from terminal");
}
if (Chop(reply, CF_EXPANDSIZE) == -1)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Chop was called on a string that seemed to have no terminator");
}
if (strcmp(reply, "yes") == 0)
{
printf(" -> Will trust the key...\n");
fc.trustkey = true;
break;
}
else if (strcmp(reply, "no") == 0)
{
printf(" -> Will not trust the key...\n");
fc.trustkey = false;
break;
}
else
{
printf(" !! Please reply yes or no...(%s)\n", reply);
}
}
}
}
/* Continue */
#ifdef __MINGW32__
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
#else /* !__MINGW32__ */
if (BACKGROUND)
{
CfOut(OUTPUT_LEVEL_INFORM, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
else
{
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
}
#endif /* !__MINGW32__ */
fc.servers = RlistFromSplitString(peer, '*');
if (fc.servers == NULL || strcmp(fc.servers->item, "localhost") == 0)
{
CfOut(OUTPUT_LEVEL_INFORM, "", "No hosts are registered to connect to");
return false;
}
else
{
int err = 0;
conn = NewServerConnection(fc, false, &err);
if (conn == NULL)
{
RlistDestroy(fc.servers);
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> No suitable server responded to hail\n");
return false;
}
}
/* Check trust interaction*/
HailExec(conn, peer, recvbuffer, sendbuffer);
RlistDestroy(fc.servers);
return true;
}
/********************************************************************/
/* Level 2 */
/********************************************************************/
static void KeepControlPromises(EvalContext *ctx, Policy *policy)
{
Rval retval;
RUNATTR.copy.trustkey = false;
RUNATTR.copy.encrypt = true;
RUNATTR.copy.force_ipv4 = false;
RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;
/* Keep promised agent behaviour - control bodies */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_runagent", cp->lval }, &retval, NULL))
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
RUNATTR.copy.force_ipv4 = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
RUNATTR.copy.trustkey = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
RUNATTR.copy.encrypt = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
RUNATTR.copy.portnumber = (short) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
CfOut(OUTPUT_LEVEL_ERROR, "",
"Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(retval.item);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(retval.item))
{
strncpy(OUTPUT_DIRECTORY, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
RUNATTR.copy.timeout = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = retval.item;
}
continue;
}
}
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval))
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
static SyntaxTypeMatch CheckParseIntRange(const char *lval, const char *s, const char *range)
{
Item *split, *ip, *rangep;
int n;
long long max = CF_LOWINIT, min = CF_HIGHINIT;
// Numeric types are registered by range separated by comma str "min,max"
if (*s == '[' || *s == '(')
{
return SYNTAX_TYPE_MATCH_ERROR_RANGE_BRACKETED;
}
split = SplitString(range, ',');
if ((n = ListLen(split)) != 2)
{
ProgrammingError("Format specifier %s for irange rvalues is not ok for lval %s - got %d items", range, lval, n);
}
sscanf(split->name, "%lld", &min);
if (strcmp(split->next->name, "inf") == 0)
{
max = CF_INFINITY;
}
else
{
sscanf(split->next->name, "%lld", &max);
}
DeleteItemList(split);
if (min == CF_HIGHINIT || max == CF_LOWINIT)
{
ProgrammingError("Could not parse irange format specifier for int rvalues for lval %s", lval);
}
if (IsCf3VarString(s))
{
return SYNTAX_TYPE_MATCH_ERROR_UNEXPANDED;
}
rangep = SplitString(s, ',');
if ((n = ListLen(rangep)) != 2)
{
return SYNTAX_TYPE_MATCH_ERROR_RANGE_MULTIPLE_ITEMS;
}
for (ip = rangep; ip != NULL; ip = ip->next)
{
long val = IntFromString(ip->name);
if (val > max || val < min)
{
return SYNTAX_TYPE_MATCH_ERROR_INT_OUT_OF_RANGE;
}
}
DeleteItemList(rangep);
return SYNTAX_TYPE_MATCH_OK;
}
static void KeepControlPromises(EvalContext *ctx, Policy *policy, GenericAgentConfig *config)
{
Rval retval;
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdates(true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
HashControls(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_server", cp->lval }, &retval, NULL))
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in server control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
{
DENYBADCLOCKS = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
{
LOGENCRYPT = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
{
SV.logconns = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET logconns = %d\n", SV.logconns);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
{
CFD_MAXPROCESSES = (int) IntFromString(retval.item);
MAXTRIES = CFD_MAXPROCESSES / 3;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
{
COLLECT_INTERVAL = (int) 60 * IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET call_collect_interval = %d (seconds)\n", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
{
SERVER_LISTEN = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET server listen = %s \n",
(SERVER_LISTEN)? "true":"false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
{
COLLECT_WINDOW = (int) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET collect_window = %d (seconds)\n", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
{
strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, rp->item))
{
AppendItem(&SV.nonattackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Denying connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, rp->item))
{
AppendItem(&SV.attackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Skip verify connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.skipverify, rp->item))
{
AppendItem(&SV.skipverify, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing multiple connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, rp->item))
{
AppendItem(&SV.multiconnlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing users ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, rp->item))
{
AppendItem(&SV.allowuserlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Trust keys from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, rp->item))
{
AppendItem(&SV.trustkeylist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
{
SHORT_CFENGINEPORT = (short) IntFromString(retval.item);
strncpy(STR_CFENGINEPORT, retval.item, 15);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u = %s = %s\n", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT,
RvalScalarValue(retval));
SHORT_CFENGINEPORT = htons((short) IntFromString(retval.item));
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_KEY_TTL].lval) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Ignoring deprecated option keycacheTTL");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET bindtointerface = %s\n", BINDINTERFACE);
continue;
}
}
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST, &retval) != DATA_TYPE_NONE)
{
SetSyslogHost(Hostname2IPString(retval.item));
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT, &retval) != DATA_TYPE_NONE)
{
SetSyslogPort(IntFromString(retval.item));
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE, &retval) != DATA_TYPE_NONE)
{
FIPS_MODE = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval) != DATA_TYPE_NONE)
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
void KeepPromises(Policy *policy, ExecConfig *config)
{
bool schedule_is_specified = false;
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
Rval retval;
if (GetVariable("control_executor", cp->lval, &retval) == DATA_TYPE_NONE)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in exec control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailfrom].lval) == 0)
{
free(config->mail_from_address);
config->mail_from_address = SafeStringDuplicate(retval.item);
CfDebug("mailfrom = %s\n", config->mail_from_address);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailto].lval) == 0)
{
free(config->mail_to_address);
config->mail_to_address = SafeStringDuplicate(retval.item);
CfDebug("mailto = %s\n", config->mail_to_address);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_smtpserver].lval) == 0)
{
free(config->mail_server);
config->mail_server = SafeStringDuplicate(retval.item);
CfDebug("smtpserver = %s\n", config->mail_server);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_execcommand].lval) == 0)
{
free(config->exec_command);
config->exec_command = SafeStringDuplicate(retval.item);
CfDebug("exec_command = %s\n", config->exec_command);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_agent_expireafter].lval) == 0)
{
config->agent_expireafter = IntFromString(retval.item);
CfDebug("agent_expireafter = %d\n", config->agent_expireafter);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_executorfacility].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailmaxlines].lval) == 0)
{
config->mail_max_lines = IntFromString(retval.item);
CfDebug("maxlines = %d\n", config->mail_max_lines);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_splaytime].lval) == 0)
{
int time = IntFromString(RvalScalarValue(retval));
SPLAYTIME = (int) (time * SECONDS_PER_MINUTE * GetSplay());
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_schedule].lval) == 0)
{
CfDebug("Loading user-defined schedule...\n");
DeleteItemList(SCHEDULE);
SCHEDULE = NULL;
schedule_is_specified = true;
for (const Rlist *rp = retval.item; rp; rp = rp->next)
{
if (!IsItemIn(SCHEDULE, rp->item))
{
AppendItem(&SCHEDULE, rp->item, NULL);
}
}
}
}
}
if (!schedule_is_specified)
{
LoadDefaultSchedule();
}
}
void ExecConfigUpdate(const EvalContext *ctx, const Policy *policy, ExecConfig *exec_config)
{
ExecConfigResetDefault(exec_config);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_executor");
Rval retval;
if (!EvalContextVariableGet(ctx, ref, &retval, NULL))
{
// TODO: should've been checked before this point. change to programming error
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in exec control body", cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "mailfrom '%s'", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "mailto '%s'", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILSUBJECT].lval) == 0)
{
free(exec_config->mail_subject);
exec_config->mail_subject = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "mailsubject '%s'", exec_config->mail_subject);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "smtpserver '%s'", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "exec_command '%s'", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(retval.item);
Log(LOG_LEVEL_DEBUG, "agent_expireafter %d", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECUTORFACILITY].lval) == 0)
{
exec_config->log_facility = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "executorfacility '%s'", exec_config->log_facility);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(retval.item);
Log(LOG_LEVEL_DEBUG, "maxlines %d", exec_config->mail_max_lines);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SPLAYTIME].lval) == 0)
{
int time = IntFromString(RvalScalarValue(retval));
exec_config->splay_time = (int) (time * SECONDS_PER_MINUTE * GetSplay());
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SCHEDULE].lval) == 0)
{
Log(LOG_LEVEL_DEBUG, "Loading user-defined schedule...");
StringSetClear(exec_config->schedule);
for (const Rlist *rp = retval.item; rp; rp = rp->next)
{
StringSetAdd(exec_config->schedule, xstrdup(RlistScalarValue(rp)));
Log(LOG_LEVEL_DEBUG, "Adding '%s'", RlistScalarValue(rp));
}
}
}
}
char ipbuf[CF_MAXVARSIZE] = "";
for (Item *iptr = EvalContextGetIpAddresses(ctx); iptr != NULL; iptr = iptr->next)
{
if ((SafeStringLength(ipbuf) + SafeStringLength(iptr->name)) < sizeof(ipbuf))
{
strcat(ipbuf, iptr->name);
strcat(ipbuf, " ");
}
else
{
break;
}
}
Chop(ipbuf, sizeof(ipbuf));
free(exec_config->ip_addresses);
exec_config->ip_addresses = xstrdup(ipbuf);
}
static int EvalClassExpression(EvalContext *ctx, Constraint *cp, Promise *pp)
{
int result_and = true;
int result_or = false;
int result_xor = 0;
int result = 0, total = 0;
char buffer[CF_MAXVARSIZE];
Rlist *rp;
FnCall *fp;
Rval rval;
if (cp == NULL)
{
Log(LOG_LEVEL_ERR, "EvalClassExpression internal diagnostic discovered an ill-formed condition");
}
if (!IsDefinedClass(ctx, pp->classes, PromiseGetNamespace(pp)))
{
return false;
}
if (EvalContextPromiseIsDone(ctx, pp))
{
return false;
}
if (IsDefinedClass(ctx, pp->promiser, PromiseGetNamespace(pp)))
{
if (PromiseGetConstraintAsInt(ctx, "persistence", pp) == 0)
{
Log(LOG_LEVEL_VERBOSE, " ?> Cancelling cached persistent class %s", pp->promiser);
EvalContextHeapPersistentRemove(pp->promiser);
}
return false;
}
switch (cp->rval.type)
{
case RVAL_TYPE_FNCALL:
fp = (FnCall *) cp->rval.item; /* Special expansion of functions for control, best effort only */
FnCallResult res = FnCallEvaluate(ctx, fp, pp);
FnCallDestroy(fp);
cp->rval = res.rval;
break;
case RVAL_TYPE_LIST:
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
rval = EvaluateFinalRval(ctx, "this", (Rval) {rp->item, rp->type}, true, pp);
RvalDestroy((Rval) {rp->item, rp->type});
rp->item = rval.item;
rp->type = rval.type;
}
break;
default:
rval = ExpandPrivateRval(ctx, "this", cp->rval);
RvalDestroy(cp->rval);
cp->rval = rval;
break;
}
if (strcmp(cp->lval, "expression") == 0)
{
if (cp->rval.type != RVAL_TYPE_SCALAR)
{
return false;
}
if (IsDefinedClass(ctx, (char *) cp->rval.item, PromiseGetNamespace(pp)))
{
return true;
}
else
{
return false;
}
}
if (strcmp(cp->lval, "not") == 0)
{
if (cp->rval.type != RVAL_TYPE_SCALAR)
{
return false;
}
if (IsDefinedClass(ctx, (char *) cp->rval.item, PromiseGetNamespace(pp)))
{
return false;
}
else
{
return true;
}
}
// Class selection
if (strcmp(cp->lval, "select_class") == 0)
{
char splay[CF_MAXVARSIZE];
int i, n;
double hash;
total = 0;
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
total++;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "No classes to select on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
snprintf(splay, CF_MAXVARSIZE, "%s+%s+%ju", VFQNAME, VIPADDRESS, (uintmax_t)getuid());
hash = (double) OatHash(splay, CF_HASHTABLESIZE);
n = (int) (total * hash / (double) CF_HASHTABLESIZE);
for (rp = (Rlist *) cp->rval.item, i = 0; rp != NULL; rp = rp->next, i++)
{
if (i == n)
{
EvalContextHeapAddSoft(ctx, rp->item, PromiseGetNamespace(pp));
return true;
}
}
}
/* If we get here, anything remaining on the RHS must be a clist */
if (cp->rval.type != RVAL_TYPE_LIST)
{
Log(LOG_LEVEL_ERR, "RHS of promise body attribute '%s' is not a list", cp->lval);
PromiseRef(LOG_LEVEL_ERR, pp);
return true;
}
// Class distributions
if (strcmp(cp->lval, "dist") == 0)
{
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
result = IntFromString(rp->item);
if (result < 0)
{
Log(LOG_LEVEL_ERR, "Non-positive integer in class distribution");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
total += result;
}
if (total == 0)
{
Log(LOG_LEVEL_ERR, "An empty distribution was specified on RHS");
PromiseRef(LOG_LEVEL_ERR, pp);
return false;
}
double fluct = drand48();
double cum = 0.0;
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
double prob = ((double) IntFromString(rp->item)) / ((double) total);
cum += prob;
if (fluct < cum)
{
break;
}
}
snprintf(buffer, CF_MAXVARSIZE - 1, "%s_%s", pp->promiser, (char *) rp->item);
/* FIXME: figure why explicit mark and get rid of it */
EvalContextMarkPromiseDone(ctx, pp);
if (strcmp(PromiseGetBundle(pp)->type, "common") == 0)
{
EvalContextHeapAddSoft(ctx, buffer, PromiseGetNamespace(pp));
}
else
{
EvalContextStackFrameAddSoft(ctx, buffer);
}
return true;
}
/* and/or/xor expressions */
for (rp = (Rlist *) cp->rval.item; rp != NULL; rp = rp->next)
{
if (rp->type != RVAL_TYPE_SCALAR)
{
return false;
}
result = IsDefinedClass(ctx, (char *) (rp->item), PromiseGetNamespace(pp));
result_and = result_and && result;
result_or = result_or || result;
result_xor ^= result;
}
// Class combinations
if (strcmp(cp->lval, "or") == 0)
{
return result_or;
}
if (strcmp(cp->lval, "xor") == 0)
{
return (result_xor == 1) ? true : false;
}
if (strcmp(cp->lval, "and") == 0)
{
return result_and;
}
return false;
}
void FromString<int16>::Function(String& out, int16& value, const String& string)
{
out = IntFromString(value, string);
}
