int main(int argc, char *argv[])
{
EvalContext *ctx = EvalContextNew();
GenericAgentConfig *config = CheckOpts(argc, argv);
GenericAgentConfigApply(ctx, config);
GenericAgentDiscoverContext(ctx, config);
if (SHOWHOSTS)
{
ShowLastSeenHosts();
return 0;
}
if (print_digest_arg)
{
return PrintDigest(print_digest_arg);
}
if (REMOVEKEYS)
{
return RemoveKeys(remove_keys_host, true);
}
if(LICENSE_INSTALL)
{
bool success = LicenseInstall(LICENSE_SOURCE);
return success ? 0 : 1;
}
if (trust_key_arg)
{
return TrustKey(trust_key_arg);
}
char *public_key_file, *private_key_file;
if (KEY_PATH)
{
xasprintf(&public_key_file, "%s.pub", KEY_PATH);
xasprintf(&private_key_file, "%s.priv", KEY_PATH);
}
else
{
public_key_file = xstrdup(PublicKeyFile(GetWorkDir()));
private_key_file = xstrdup(PrivateKeyFile(GetWorkDir()));
}
KeepKeyPromises(public_key_file, private_key_file);
free(public_key_file);
free(private_key_file);
GenericAgentConfigDestroy(config);
EvalContextDestroy(ctx);
return 0;
}
static FILE *NewStream(char *name)
{
FILE *fp;
char filename[CF_BUFSIZE];
if (OUTPUT_DIRECTORY[0] != '\0')
{
snprintf(filename, CF_BUFSIZE, "%s/%s_runagent.out", OUTPUT_DIRECTORY, name);
}
else
{
snprintf(filename, CF_BUFSIZE, "%s%coutputs%c%s_runagent.out",
GetWorkDir(), FILE_SEPARATOR, FILE_SEPARATOR, name);
}
if (OUTPUT_TO_FILE)
{
printf("Opening file... %s\n", filename);
if ((fp = fopen(filename, "w")) == NULL)
{
Log(LOG_LEVEL_ERR, "Unable to open file '%s' (fopen: %s)", filename, GetErrorStr());
fp = stdout;
}
}
else
{
fp = stdout;
}
return fp;
}
BOOL CADHelper::WriteLaunchInfo()
{
CString CurrentPath = GetWorkDir();
if( !writeTestKeybyWinAPI( CurrentPath ) ) return FALSE;
if( !MotifiInfomationKey( 0 ) ) return FALSE;
return TRUE;
}
void TestExpandVariables()
{
Promise pp = { 0 }, *pcopy;
Rlist *args, *listvars = NULL, *scalarvars = NULL;
Constraint *cp;
FnCall *fp;
strcpy(CFWORKDIR, GetWorkDir());
MapName(CFWORKDIR);
/* Still have diagnostic scope */
NewScope("control_common");
printf("%d. Testing variable expansion\n", ++NR);
pp.promiser = "the originator";
pp.promisee = (Rval) {"the recipient with $(two)", CF_SCALAR};
pp.classes = "proletariat";
pp.offset.line = 12;
pp.audit = NULL;
pp.conlist = NULL;
pp.agentsubtype = "none";
pp.bundletype = "bundle_type";
pp.bundle = "test_bundle";
pp.ref = "commentary";
pp.agentsubtype = xstrdup("files");
pp.done = false;
pp.next = NULL;
pp.cache = NULL;
pp.inode_cache = NULL;
pp.this_server = NULL;
pp.donep = &(pp.done);
pp.conn = NULL;
args = SplitStringAsRList("$(administrator)", ',');
fp = NewFnCall("getuid", args);
AppendConstraint(&(pp.conlist), "lval1", (Rval) {xstrdup("@(one)"), CF_SCALAR}, "lower classes1", false);
AppendConstraint(&(pp.conlist), "lval2", (Rval) {xstrdup("$(four)"), CF_SCALAR}, "upper classes1", false);
AppendConstraint(&(pp.conlist), "lval3", (Rval) {fp, CF_FNCALL}, "upper classes2", false);
/* Now copy promise and delete */
pcopy = DeRefCopyPromise("diagnostic", &pp);
MapIteratorsFromRval("diagnostic", &scalarvars, &listvars, (Rval) {pcopy->promiser, CF_SCALAR}, NULL);
if (pcopy->promisee.item != NULL)
{
MapIteratorsFromRval("diagnostic", &scalarvars, &listvars, pp.promisee, NULL);
}
for (cp = pcopy->conlist; cp != NULL; cp = cp->next)
{
MapIteratorsFromRval("diagnostic", &scalarvars, &listvars, cp->rval, NULL);
}
ExpandPromiseAndDo(cf_common, "diagnostic", pcopy, scalarvars, listvars, NULL);
/* No cleanup */
}
void LoadThemeGfxLogo(void) {
LoadThemeGfx(GFX_LOGO, LOGO_TOP);
#if defined LOGO_TEXT_X && defined LOGO_TEXT_Y
u32 emunand_state = CheckEmuNand();
DrawStringF(LOGO_TEXT_X, LOGO_TEXT_Y - 0, LOGO_TOP, "SD card: %lluMB/%lluMB & %s", RemainingStorageSpace() / 1024 / 1024, TotalStorageSpace() / 1024 / 1024, (emunand_state == EMUNAND_READY) ? "EmuNAND ready" : (emunand_state == EMUNAND_GATEWAY) ? "GW EmuNAND" : (emunand_state == EMUNAND_REDNAND) ? "RedNAND" : (emunand_state > 3) ? "MultiNAND" : "no EmuNAND");
DrawStringF(LOGO_TEXT_X, LOGO_TEXT_Y - 10, LOGO_TOP, "Game directory: %s", (GetGameDir()) ? GetGameDir() : "(not available)");
DrawStringF(LOGO_TEXT_X, LOGO_TEXT_Y - 20, LOGO_TOP, "Work directory: %s", GetWorkDir());
#endif
}
static bool TwinExists(void)
{
char twinfilename[CF_BUFSIZE];
struct stat sb;
snprintf(twinfilename, CF_BUFSIZE, "%s/%s", GetWorkDir(), TwinFilename());
MapName(twinfilename);
return (stat(twinfilename, &sb) == 0) && (IsExecutable(twinfilename));
}
/* Buffer has to be at least CF_BUFSIZE bytes long */
static void ConstructFailsafeCommand(bool scheduled_run, char *buffer)
{
bool twin_exists = TwinExists();
const char* const workdir = GetWorkDir();
snprintf(buffer, CF_BUFSIZE,
"\"%s%c%s\" -f failsafe.cf "
"&& \"%s%c%s\" -Dfrom_cfexecd%s",
workdir, FILE_SEPARATOR, twin_exists ? TwinFilename() : AgentFilename(),
workdir, FILE_SEPARATOR, AgentFilename(), scheduled_run ? ",scheduled_run" : "");
}
int main(int argc, char *argv[])
{
EvalContext *ctx = EvalContextNew();
GenericAgentConfig *config = CheckOpts(ctx, argc, argv);
GenericAgentConfigApply(ctx, config);
GenericAgentDiscoverContext(ctx, config);
Policy *policy = NULL;
if (GenericAgentCheckPolicy(ctx, config, false))
{
policy = GenericAgentLoadPolicy(ctx, config);
}
else if (config->tty_interactive)
{
exit(EXIT_FAILURE);
}
else
{
Log(LOG_LEVEL_ERR, "CFEngine was not able to get confirmation of promises from cf-promises, so going to failsafe");
EvalContextHeapAddHard(ctx, "failsafe_fallback");
GenericAgentConfigSetInputFile(config, GetWorkDir(), "failsafe.cf");
policy = GenericAgentLoadPolicy(ctx, config);
}
CheckForPolicyHub(ctx);
ThisAgentInit();
ExecConfig *exec_config = ExecConfigNewDefault(!ONCE, VFQNAME, VIPADDRESS);
ExecConfigUpdate(ctx, policy, exec_config);
SetFacility(exec_config->log_facility);
#ifdef __MINGW32__
if (WINSERVICE)
{
NovaWin_StartExecService();
}
else
#endif /* __MINGW32__ */
{
StartServer(ctx, policy, config, exec_config);
}
ExecConfigDestroy(exec_config);
GenericAgentConfigDestroy(config);
return 0;
}
static void KeepHardClasses(EvalContext *ctx)
{
char name[CF_BUFSIZE];
if (name != NULL)
{
char *existing_policy_server = PolicyServerReadFile(GetWorkDir());
if (existing_policy_server)
{
free(existing_policy_server);
if (GetAmPolicyHub())
{
MarkAsPolicyServer(ctx);
}
}
}
/* FIXME: why is it not in generic_agent?! */
GenericAgentAddEditionClasses(ctx);
}
static BOOL CopyCUIXandMNR( LPCTSTR cuixPath, LPCTSTR mnrPath )
{
CString cadPath = GetCADPathByWinAPI( _T( "RoamableRootFolder" ), CURRENT_USER );
cadPath.Append( _T( "Support" ) );
//CString CADcuixPath = cadPath + _T("\\acad.CUIX");
CString CADcuixPath = cadPath + _T( "\\acad.CUIX" );
CString CADmnrPath = cadPath + _T( "\\acad.mnr" );
//获取当前程序(.exe)所在的路径
CString CurrentPath = GetWorkDir();
CString JLcuixPath = CurrentPath;
//JLcuixPath.Append("\\Datas\\JL\\acad.CUIX");
JLcuixPath.Append( cuixPath );
CString JLmnrPath = CurrentPath + mnrPath;
if( !CopyFile( JLcuixPath, CADcuixPath, false ) ) return FALSE;
//if(!CopyFile(JLmnrPath,CADmnrPath,false)) return FALSE;
return TRUE;
}
int main(int argc, char *argv[])
{
EvalContext *ctx = EvalContextNew();
GenericAgentConfig *config = CheckOpts(argc, argv);
GenericAgentConfigApply(ctx, config);
GenericAgentDiscoverContext(ctx, config);
Policy *policy = NULL;
if (GenericAgentCheckPolicy(config, false))
{
policy = GenericAgentLoadPolicy(ctx, config);
}
else if (config->tty_interactive)
{
exit(EXIT_FAILURE);
}
else
{
Log(LOG_LEVEL_ERR, "CFEngine was not able to get confirmation of promises from cf-promises, so going to failsafe");
EvalContextHeapAddHard(ctx, "failsafe_fallback");
GenericAgentConfigSetInputFile(config, GetWorkDir(), "failsafe.cf");
policy = GenericAgentLoadPolicy(ctx, config);
}
ThisAgentInit();
KeepPromises(ctx, policy, config);
Summarize();
Log(LOG_LEVEL_NOTICE, "Server is starting...");
StartServer(ctx, &policy, config);
Log(LOG_LEVEL_NOTICE, "Cleaning up and exiting...");
GenericAgentConfigDestroy(config);
PolicyDestroy(policy);
EvalContextDestroy(ctx);
return 0;
}
bool GenericAgentCheckPolicy(GenericAgentConfig *config, bool force_validation, bool write_validated_file)
{
if (!MissingInputFile(config->input_file))
{
{
if (config->agent_type == AGENT_TYPE_SERVER ||
config->agent_type == AGENT_TYPE_MONITOR ||
config->agent_type == AGENT_TYPE_EXECUTOR)
{
time_t validated_at = ReadTimestampFromPolicyValidatedFile(config, NULL);
config->agent_specific.daemon.last_validated_at = validated_at;
}
}
if (IsPolicyPrecheckNeeded(config, force_validation))
{
bool policy_check_ok = GenericAgentArePromisesValid(config);
if (policy_check_ok && write_validated_file)
{
GenericAgentTagReleaseDirectory(config,
NULL, // use GetAutotagDir
write_validated_file, // true
GetAmPolicyHub(GetWorkDir())); // write release ID?
}
if (config->agent_specific.agent.bootstrap_policy_server && !policy_check_ok)
{
Log(LOG_LEVEL_VERBOSE, "Policy is not valid, but proceeding with bootstrap");
return true;
}
return policy_check_ok;
}
else
{
Log(LOG_LEVEL_VERBOSE, "Policy is already validated");
return true;
}
}
return false;
}
const char *GetMasterDir(void)
{
const char *masterdir = getenv("CFENGINE_TEST_OVERRIDE_WORKDIR");
if (masterdir != NULL)
{
static char workbuf[CF_BUFSIZE];
snprintf(workbuf, CF_BUFSIZE, "%s%cmasterfiles", masterdir, FILE_SEPARATOR);
return MapName(workbuf);
}
else if (strcmp(MASTERDIR, "default") == 0 )
{
static char workbuf[CF_BUFSIZE];
snprintf(workbuf, CF_BUFSIZE, "%s%cmasterfiles", GetWorkDir(), FILE_SEPARATOR);
return MapName(workbuf);
}
else
{
return GetDefaultMasterDir();
}
}
const char *GetInputDir(void)
{
const char *inputdir = getenv("CFENGINE_TEST_OVERRIDE_WORKDIR");
if (inputdir != NULL)
{
static char workbuf[CF_BUFSIZE];
snprintf(workbuf, CF_BUFSIZE, "%s%cinputs", inputdir, FILE_SEPARATOR);
return MapName(workbuf);
}
else if (strcmp(INPUTDIR, "default") == 0 )
{
static char workbuf[CF_BUFSIZE];
snprintf(workbuf, CF_BUFSIZE, "%s%cinputs", GetWorkDir(), FILE_SEPARATOR);
return MapName(workbuf);
}
else
{
return GetDefaultInputDir();
}
}
static void CheckFileChanges(EvalContext *ctx, Policy **policy, GenericAgentConfig *config)
{
Log(LOG_LEVEL_DEBUG, "Checking file updates for input file '%s'",
config->input_file);
time_t validated_at = ReadTimestampFromPolicyValidatedFile(config, NULL);
bool reload_config = false;
if (config->agent_specific.daemon.last_validated_at < validated_at)
{
Log(LOG_LEVEL_VERBOSE, "New promises detected...");
reload_config = true;
}
if (ReloadConfigRequested())
{
Log(LOG_LEVEL_VERBOSE, "Force reload of inputs files...");
reload_config = true;
}
if (reload_config)
{
ClearRequestReloadConfig();
/* Rereading policies now, so update timestamp. */
config->agent_specific.daemon.last_validated_at = validated_at;
if (GenericAgentArePromisesValid(config))
{
Log(LOG_LEVEL_NOTICE, "Rereading policy file '%s'",
config->input_file);
/* STEP 1: Free everything */
EvalContextClear(ctx);
strcpy(VDOMAIN, "undefined.domain");
ClearAuthAndACLs();
PolicyDestroy(*policy); *policy = NULL;
/* STEP 2: Set Environment, Parse and Evaluate policy */
/*
* TODO why is this done separately here? What's the difference to
* calling the same steps as in cf-serverd.c:main()? Those are:
* GenericAgentConfigApply(); // not here!
* GenericAgentDiscoverContext(); // not here!
* EvalContextClassPutHard("server"); // only here!
* if (GenericAgentCheckPolicy()) // not here!
* policy = LoadPolicy();
* ThisAgentInit(); // not here, only calls umask()
* ReloadHAConfig(); // only here!
* KeepPromises();
* Summarize();
* Plus the following from within StartServer() which is only
* called during startup:
* InitSignals(); // not here
* ServerTLSInitialize(); // not here
* SetServerListenState(); // not here
* InitServer() // not here
* PolicyNew()+AcquireServerLock() // not here
* PrepareServer(sd); // not here
* CollectCallStart(); // both
*/
EvalContextSetPolicyServerFromFile(ctx, GetWorkDir());
UpdateLastPolicyUpdateTime(ctx);
DetectEnvironment(ctx);
KeepHardClasses(ctx);
LoadAugments(ctx, config);
/* During startup this is done in GenericAgentDiscoverContext(). */
EvalContextClassPutHard(ctx, CF_AGENTTYPES[AGENT_TYPE_SERVER], "cfe_internal,source=agent");
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
/* TODO BUG: this modifies config, but previous config has not
* been reset/free'd. Ideally we would want LoadPolicy to not
* modify config at all, but only modify ctx. */
*policy = LoadPolicy(ctx, config);
/* Reload HA related configuration */
ReloadHAConfig();
KeepPromises(ctx, *policy, config);
Summarize();
}
else
{
Log(LOG_LEVEL_INFO, "File changes contain errors -- ignoring");
}
}
else
{
Log(LOG_LEVEL_DEBUG, "No new promises found");
}
}
static void MailResult(const ExecConfig *config, const char *file)
{
#if defined __linux__ || defined __NetBSD__ || defined __FreeBSD__ || defined __OpenBSD__
time_t now = time(NULL);
#endif
Log(LOG_LEVEL_VERBOSE, "Mail result...");
{
struct stat statbuf;
if (stat(file, &statbuf) == -1)
{
return;
}
if (statbuf.st_size == 0)
{
unlink(file);
Log(LOG_LEVEL_DEBUG, "Nothing to report in file '%s'", file);
return;
}
}
{
char prev_file[CF_BUFSIZE];
snprintf(prev_file, CF_BUFSIZE - 1, "%s/outputs/previous", CFWORKDIR);
MapName(prev_file);
if (CompareResult(file, prev_file) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Previous output is the same as current so do not mail it");
return;
}
}
if ((strlen(config->mail_server) == 0) || (strlen(config->mail_to_address) == 0))
{
/* Syslog should have done this */
Log(LOG_LEVEL_VERBOSE, "Empty mail server or address - skipping");
return;
}
if (config->mail_max_lines == 0)
{
Log(LOG_LEVEL_DEBUG, "Not mailing: EmailMaxLines was zero");
return;
}
Log(LOG_LEVEL_DEBUG, "Mailing results of '%s' to '%s'", file, config->mail_to_address);
/* Check first for anomalies - for subject header */
FILE *fp = fopen(file, "r");
if (!fp)
{
Log(LOG_LEVEL_INFO, "Couldn't open file '%s'. (fopen: %s)", file, GetErrorStr());
return;
}
bool anomaly = false;
char vbuff[CF_BUFSIZE];
while (!feof(fp))
{
vbuff[0] = '\0';
if (fgets(vbuff, sizeof(vbuff), fp) == NULL)
{
break;
}
if (strstr(vbuff, "entropy"))
{
anomaly = true;
break;
}
}
fclose(fp);
if ((fp = fopen(file, "r")) == NULL)
{
Log(LOG_LEVEL_INFO, "Couldn't open file '%s'. (fopen: %s)", file, GetErrorStr());
return;
}
struct hostent *hp = gethostbyname(config->mail_server);
if (!hp)
{
Log(LOG_LEVEL_ERR, "While mailing agent output, unknown host '%s'. Make sure that fully qualified names can be looked up at your site.",
config->mail_server);
fclose(fp);
return;
}
struct servent *server = getservbyname("smtp", "tcp");
if (!server)
{
Log(LOG_LEVEL_INFO, "Unable to lookup smtp service. (getservbyname: %s)", GetErrorStr());
fclose(fp);
return;
}
struct sockaddr_in raddr;
memset(&raddr, 0, sizeof(raddr));
raddr.sin_port = (unsigned int) server->s_port;
raddr.sin_addr.s_addr = ((struct in_addr *) (hp->h_addr))->s_addr;
raddr.sin_family = AF_INET;
Log(LOG_LEVEL_DEBUG, "Connecting...");
int sd = socket(AF_INET, SOCK_STREAM, 0);
if (sd == -1)
{
Log(LOG_LEVEL_INFO, "Couldn't open a socket. (socket: %s)", GetErrorStr());
fclose(fp);
return;
}
if (connect(sd, (void *) &raddr, sizeof(raddr)) == -1)
{
Log(LOG_LEVEL_INFO, "Couldn't connect to host '%s'. (connect: %s)",
config->mail_server, GetErrorStr());
fclose(fp);
cf_closesocket(sd);
return;
}
/* read greeting */
if (!Dialogue(sd, NULL))
{
goto mail_err;
}
sprintf(vbuff, "HELO %s\r\n", config->fq_name);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
if (!Dialogue(sd, vbuff))
{
goto mail_err;
}
if (strlen(config->mail_from_address) == 0)
{
sprintf(vbuff, "MAIL FROM: <cfengine@%s>\r\n", config->fq_name);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
}
else
{
sprintf(vbuff, "MAIL FROM: <%s>\r\n", config->mail_from_address);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
}
if (!Dialogue(sd, vbuff))
{
goto mail_err;
}
sprintf(vbuff, "RCPT TO: <%s>\r\n", config->mail_to_address);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
if (!Dialogue(sd, vbuff))
{
goto mail_err;
}
if (!Dialogue(sd, "DATA\r\n"))
{
goto mail_err;
}
char mailsubject_anomaly_prefix[8];
if (anomaly)
{
strcpy(mailsubject_anomaly_prefix, "**!! ");
}
else
{
mailsubject_anomaly_prefix[0] = '\0';
}
if (SafeStringLength(config->mail_subject) == 0)
{
snprintf(vbuff, sizeof(vbuff), "Subject: %s[%s/%s]\r\n", mailsubject_anomaly_prefix, config->fq_name, config->ip_address);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
}
else
{
snprintf(vbuff, sizeof(vbuff), "Subject: %s%s\r\n", mailsubject_anomaly_prefix, config->mail_subject);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
}
send(sd, vbuff, strlen(vbuff), 0);
/* send X-CFEngine SMTP header if mailsubject set */
if (SafeStringLength(config->mail_subject) > 0)
{
unsigned char digest[EVP_MAX_MD_SIZE + 1];
char buffer[EVP_MAX_MD_SIZE * 4];
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
HashPubKey(PUBKEY, digest, CF_DEFAULT_DIGEST);
snprintf(vbuff, sizeof(vbuff), "X-CFEngine: vfqhost=\"%s\";ip-addresses=\"%s\";policyhub=\"%s\";pkhash=\"%s\"\r\n",
VFQNAME, config->ip_addresses, existing_policy_server,
HashPrintSafe(CF_DEFAULT_DIGEST, true, digest, buffer));
send(sd, vbuff, strlen(vbuff), 0);
free(existing_policy_server);
}
#if defined __linux__ || defined __NetBSD__ || defined __FreeBSD__ || defined __OpenBSD__
strftime(vbuff, CF_BUFSIZE, "Date: %a, %d %b %Y %H:%M:%S %z\r\n", localtime(&now));
send(sd, vbuff, strlen(vbuff), 0);
#endif
if (strlen(config->mail_from_address) == 0)
{
sprintf(vbuff, "From: cfengine@%s\r\n", config->fq_name);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
}
else
{
sprintf(vbuff, "From: %s\r\n", config->mail_from_address);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
}
send(sd, vbuff, strlen(vbuff), 0);
sprintf(vbuff, "To: %s\r\n\r\n", config->mail_to_address);
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
send(sd, vbuff, strlen(vbuff), 0);
int count = 0;
while (!feof(fp))
{
vbuff[0] = '\0';
if (fgets(vbuff, sizeof(vbuff), fp) == NULL)
{
break;
}
Log(LOG_LEVEL_DEBUG, "%s", vbuff);
if (strlen(vbuff) > 0)
{
vbuff[strlen(vbuff) - 1] = '\r';
strcat(vbuff, "\n");
count++;
send(sd, vbuff, strlen(vbuff), 0);
}
if ((config->mail_max_lines != INF_LINES) && (count > config->mail_max_lines))
{
sprintf(vbuff, "\r\n[Mail truncated by cfengine. File is at %s on %s]\r\n", file, config->fq_name);
send(sd, vbuff, strlen(vbuff), 0);
break;
}
}
if (!Dialogue(sd, ".\r\n"))
{
Log(LOG_LEVEL_DEBUG, "mail_err\n");
goto mail_err;
}
Dialogue(sd, "QUIT\r\n");
Log(LOG_LEVEL_DEBUG, "Done sending mail");
fclose(fp);
cf_closesocket(sd);
return;
mail_err:
fclose(fp);
cf_closesocket(sd);
Log(LOG_LEVEL_INFO, "Cannot mail to %s.", config->mail_to_address);
}
void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config)
{
GenericAgentInitialize(ctx, config);
SetReferenceTime(ctx, true);
SetStartTime();
SanitizeEnvironment();
THIS_AGENT_TYPE = config->agent_type;
EvalContextHeapAddHard(ctx, CF_AGENTTYPES[config->agent_type]);
GenericAgentSetDefaultDigest(&CF_DEFAULT_DIGEST, &CF_DEFAULT_DIGEST_LEN);
GetNameInfo3(ctx, config->agent_type);
GetInterfacesInfo(ctx);
Get3Environment(ctx, config->agent_type);
BuiltinClasses(ctx);
OSClasses(ctx);
EvalContextHeapPersistentLoadAll(ctx);
LoadSystemConstants(ctx);
if (config->agent_type == AGENT_TYPE_AGENT && config->agent_specific.agent.bootstrap_policy_server)
{
if (!RemoveAllExistingPolicyInInputs(GetWorkDir()))
{
Log(LOG_LEVEL_ERR, "Error removing existing input files prior to bootstrap");
exit(EXIT_FAILURE);
}
if (!WriteBuiltinFailsafePolicy(GetWorkDir()))
{
Log(LOG_LEVEL_ERR, "Error writing builtin failsafe to inputs prior to bootstrap");
exit(EXIT_FAILURE);
}
bool am_policy_server = false;
{
const char *canonified_bootstrap_policy_server = CanonifyName(config->agent_specific.agent.bootstrap_policy_server);
am_policy_server = IsDefinedClass(ctx, canonified_bootstrap_policy_server, NULL);
{
char policy_server_ipv4_class[CF_BUFSIZE];
snprintf(policy_server_ipv4_class, CF_MAXVARSIZE, "ipv4_%s", canonified_bootstrap_policy_server);
am_policy_server |= IsDefinedClass(ctx, policy_server_ipv4_class, NULL);
}
if (am_policy_server)
{
Log(LOG_LEVEL_INFO, "Assuming role as policy server, with policy distribution point at %s/masterfiles", GetWorkDir());
EvalContextHeapAddHard(ctx, "am_policy_hub");
if (!MasterfileExists(GetWorkDir()))
{
Log(LOG_LEVEL_ERR, "In order to bootstrap as a policy server, the file '%s/masterfiles/promises.cf' must exist.", GetWorkDir());
exit(EXIT_FAILURE);
}
}
else
{
Log(LOG_LEVEL_INFO, "Not assuming role as policy server");
}
WriteAmPolicyHubFile(CFWORKDIR, am_policy_server);
}
WritePolicyServerFile(GetWorkDir(), config->agent_specific.agent.bootstrap_policy_server);
SetPolicyServer(ctx, config->agent_specific.agent.bootstrap_policy_server);
Log(LOG_LEVEL_INFO, "Bootstrapping to '%s'", POLICY_SERVER);
}
else
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
if (existing_policy_server)
{
Log(LOG_LEVEL_VERBOSE, "This agent is bootstrapped to '%s'", existing_policy_server);
}
else
{
Log(LOG_LEVEL_VERBOSE, "This agent is not bootstrapped");
}
SetPolicyServer(ctx, existing_policy_server);
if (GetAmPolicyHub(GetWorkDir()))
{
EvalContextHeapAddHard(ctx, "am_policy_hub"); // DEPRECATED: use policy_server instead
Log(LOG_LEVEL_VERBOSE, "Additional class defined: am_policy_hub");
EvalContextHeapAddHard(ctx, "policy_server");
Log(LOG_LEVEL_VERBOSE, "Additional class defined: policy_server");
}
}
}
void CheckFileChanges(EvalContext *ctx, Policy **policy, GenericAgentConfig *config, time_t *last_policy_reload)
{
time_t validated_at;
Log(LOG_LEVEL_DEBUG, "Checking file updates for input file '%s'", config->input_file);
validated_at = ReadTimestampFromPolicyValidatedMasterfiles(config);
if (*last_policy_reload < validated_at)
{
*last_policy_reload = validated_at;
Log(LOG_LEVEL_VERBOSE, "New promises detected...");
if (GenericAgentArePromisesValid(config))
{
Log(LOG_LEVEL_INFO, "Rereading policy file '%s'", config->input_file);
/* Free & reload -- lock this to avoid access errors during reload */
EvalContextClear(ctx);
free(SV.allowciphers);
SV.allowciphers = NULL;
DeleteItemList(SV.trustkeylist);
DeleteItemList(SV.attackerlist);
DeleteItemList(SV.nonattackerlist);
DeleteItemList(SV.multiconnlist);
DeleteAuthList(&SV.admit, &SV.admittail);
DeleteAuthList(&SV.deny, &SV.denytail);
DeleteAuthList(&SV.varadmit, &SV.varadmittail);
DeleteAuthList(&SV.vardeny, &SV.vardenytail);
DeleteAuthList(&SV.roles, &SV.rolestail);
strcpy(VDOMAIN, "undefined.domain");
SV.trustkeylist = NULL;
SV.attackerlist = NULL;
SV.nonattackerlist = NULL;
SV.multiconnlist = NULL;
acl_Free(paths_acl); paths_acl = NULL;
acl_Free(classes_acl); classes_acl = NULL;
acl_Free(vars_acl); vars_acl = NULL;
acl_Free(literals_acl); literals_acl = NULL;
acl_Free(query_acl); query_acl = NULL;
StringMapDestroy(SV.path_shortcuts);
SV.path_shortcuts = NULL;
PolicyDestroy(*policy);
*policy = NULL;
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
}
UpdateLastPolicyUpdateTime(ctx);
DetectEnvironment(ctx);
KeepHardClasses(ctx);
EvalContextClassPutHard(ctx, CF_AGENTTYPES[AGENT_TYPE_SERVER], "cfe_internal,source=agent");
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
*policy = GenericAgentLoadPolicy(ctx, config);
KeepPromises(ctx, *policy, config);
Summarize();
}
else
{
Log(LOG_LEVEL_INFO, "File changes contain errors -- ignoring");
}
}
else
{
Log(LOG_LEVEL_DEBUG, "No new promises found");
}
}
void GenericAgentInitialize(EvalContext *ctx, GenericAgentConfig *config)
{
int force = false;
struct stat statbuf, sb;
char vbuff[CF_BUFSIZE];
char ebuff[CF_EXPANDSIZE];
#ifdef __MINGW32__
InitializeWindows();
#endif
DetermineCfenginePort();
EvalContextClassPutHard(ctx, "any", "source=agent");
GenericAgentAddEditionClasses(ctx);
strcpy(VPREFIX, GetConsolePrefix());
/* Define trusted directories */
{
const char *workdir = GetWorkDir();
if (!workdir)
{
FatalError(ctx, "Error determining working directory");
}
strcpy(CFWORKDIR, workdir);
MapName(CFWORKDIR);
}
OpenLog(LOG_USER);
SetSyslogFacility(LOG_USER);
Log(LOG_LEVEL_VERBOSE, "Work directory is %s", CFWORKDIR);
snprintf(vbuff, CF_BUFSIZE, "%s%cupdate.conf", GetInputDir(), FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%cbin%ccf-agent -D from_cfexecd", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs%cspooled_reports", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%clastseen%cintermittencies", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%creports%cvarious", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s", GetInputDir());
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/inputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs", CFWORKDIR, FILE_SEPARATOR);
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/outputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%ccf_procs",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%ccf_rootprocs",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%ccf_otherprocs",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
snprintf(ebuff, sizeof(ebuff), "%s%cstate%cprevious_state%c",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
snprintf(ebuff, sizeof(ebuff), "%s%cstate%cdiff%c",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
snprintf(ebuff, sizeof(ebuff), "%s%cstate%cuntracked%c",
CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
OpenNetwork();
CryptoInitialize();
CheckWorkingDirectories(ctx);
/* Initialize keys and networking. cf-key, doesn't need keys. In fact it
must function properly even without them, so that it generates them! */
if (config->agent_type != AGENT_TYPE_KEYGEN)
{
LoadSecretKeys();
char *bootstrapped_policy_server = ReadPolicyServerFile(CFWORKDIR);
PolicyHubUpdateKeys(bootstrapped_policy_server);
free(bootstrapped_policy_server);
cfnet_init();
}
size_t cwd_size = PATH_MAX;
while (true)
{
char cwd[cwd_size];
if (!getcwd(cwd, cwd_size))
{
if (errno == ERANGE)
{
cwd_size *= 2;
continue;
}
Log(LOG_LEVEL_WARNING, "Could not determine current directory. (getcwd: '%s')", GetErrorStr());
break;
}
EvalContextSetLaunchDirectory(ctx, cwd);
break;
}
if (!MINUSF)
{
GenericAgentConfigSetInputFile(config, GetInputDir(), "promises.cf");
}
VIFELAPSED = 1;
VEXPIREAFTER = 1;
setlinebuf(stdout);
if (config->agent_specific.agent.bootstrap_policy_server)
{
snprintf(vbuff, CF_BUFSIZE, "%s%cfailsafe.cf", GetInputDir(), FILE_SEPARATOR);
if (stat(vbuff, &statbuf) == -1)
{
GenericAgentConfigSetInputFile(config, GetInputDir(), "failsafe.cf");
}
else
{
GenericAgentConfigSetInputFile(config, GetInputDir(), vbuff);
}
}
}
void DrawMenu(MenuInfo* currMenu, u32 index, bool fullDraw, bool subMenu)
{
u32 emunand_state = CheckEmuNand();
bool top_screen = true;
u32 menublock_x0 = (((top_screen) ? SCREEN_WIDTH_TOP : SCREEN_WIDTH_BOT) - 30 * FONT_WIDTH_EXT) / 2;
u32 menublock_x1 = menublock_x0 - FONT_WIDTH_EXT;
u32 menublock_y0 = 40;
u32 menublock_y1 = menublock_y0 + currMenu->n_entries * 10;
if (fullDraw) { // draw full menu
ClearScreenFull(true, !top_screen);
DrawStringF(menublock_x0, menublock_y0 - 20, top_screen, "%s", currMenu->name);
DrawStringF(menublock_x0, menublock_y0 - 10, top_screen, "==============================");
DrawStringF(menublock_x0, menublock_y1 + 0, top_screen, "==============================");
DrawStringF(menublock_x0, menublock_y1 + 10, top_screen, (subMenu) ? "A: Choose B: Return" : "A: Choose");
DrawStringF(menublock_x0, menublock_y1 + 20, top_screen, "SELECT: Unmount SD Card");
DrawStringF(menublock_x0, menublock_y1 + 30, top_screen, "START: Reboot / [+\x1B] Poweroff");
DrawStringF(menublock_x1, SCREEN_HEIGHT - 20, top_screen, "SD card: %lluMB/%lluMB & %s", RemainingStorageSpace() / 1024 / 1024, TotalStorageSpace() / 1024 / 1024, (emunand_state == EMUNAND_READY) ? "EmuNAND ready" : (emunand_state == EMUNAND_GATEWAY) ? "GW EmuNAND" : (emunand_state == EMUNAND_REDNAND) ? "RedNAND" : (emunand_state > 3) ? "MultiNAND" : "no EmuNAND");
DrawStringF(menublock_x1, SCREEN_HEIGHT - 30, top_screen, "Game directory: %s", (GetGameDir()) ? GetGameDir() : "(not available)");
DrawStringF(menublock_x1, SCREEN_HEIGHT - 40, top_screen, "Work directory: %s", GetWorkDir());
}
if (!top_screen)
DrawStringF(10, 10, true, "Selected: %-*.*s", 32, 32, currMenu->entries[index].name);
for (u32 i = 0; i < currMenu->n_entries; i++) { // draw menu entries / selection []
char* name = currMenu->entries[i].name;
DrawStringF(menublock_x0, menublock_y0 + (i*10), top_screen, (i == index) ? "[%s]" : " %s ", name);
}
}
static void Apoptosis(void)
{
char promiser_buf[CF_SMALLBUF];
snprintf(promiser_buf, sizeof(promiser_buf), "%s%cbin%ccf-execd",
GetWorkDir(), FILE_SEPARATOR, FILE_SEPARATOR);
if (LoadProcessTable())
{
char myuid[PRINTSIZE(unsigned)];
xsnprintf(myuid, sizeof(myuid), "%u", (unsigned) getuid());
Rlist *owners = NULL;
RlistPrepend(&owners, myuid, RVAL_TYPE_SCALAR);
ProcessSelect process_select = {
.owner = owners,
.process_result = "process_owner",
};
Item *killlist = SelectProcesses(promiser_buf, process_select, true);
RlistDestroy(owners);
for (Item *ip = killlist; ip != NULL; ip = ip->next)
{
pid_t pid = ip->counter;
if (pid != getpid() && kill(pid, SIGTERM) < 0)
{
if (errno == ESRCH)
{
/* That's ok, process exited voluntarily */
}
else
{
Log(LOG_LEVEL_ERR, "Unable to kill stale cf-execd process pid=%d. (kill: %s)",
(int)pid, GetErrorStr());
}
}
}
}
ClearProcessTable();
Log(LOG_LEVEL_VERBOSE, "Pruning complete");
}
#endif
typedef enum
{
RELOAD_ENVIRONMENT,
RELOAD_FULL
} Reload;
static Reload CheckNewPromises(GenericAgentConfig *config)
{
Log(LOG_LEVEL_DEBUG, "Checking file updates for input file '%s'", config->input_file);
time_t validated_at = ReadTimestampFromPolicyValidatedFile(config, NULL);
bool reload_config = false;
if (config->agent_specific.daemon.last_validated_at < validated_at)
{
Log(LOG_LEVEL_VERBOSE, "New promises detected...");
reload_config = true;
}
if (ReloadConfigRequested())
{
Log(LOG_LEVEL_VERBOSE, "Force reload of inputs files...");
reload_config = true;
}
if (reload_config)
{
ClearRequestReloadConfig();
/* Rereading policies now, so update timestamp. */
config->agent_specific.daemon.last_validated_at = validated_at;
if (GenericAgentArePromisesValid(config))
{
return RELOAD_FULL;
}
else
{
Log(LOG_LEVEL_INFO, "New promises file contains syntax errors -- ignoring");
}
}
else
{
Log(LOG_LEVEL_DEBUG, "No new promises found");
}
return RELOAD_ENVIRONMENT;
}
/**
* @return true the error is not so severe that we must stop
*/
bool LoadSecretKeys(const char *policy_server)
{
static char *passphrase = "Cfengine passphrase";
{
FILE *fp = fopen(PrivateKeyFile(GetWorkDir()), "r");
if (!fp)
{
Log(LOG_LEVEL_INFO, "Couldn't find a private key at '%s', use cf-key to get one. (fopen: %s)", PrivateKeyFile(GetWorkDir()), GetErrorStr());
return true;
}
if ((PRIVKEY = PEM_read_RSAPrivateKey(fp, (RSA **) NULL, NULL, passphrase)) == NULL)
{
unsigned long err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Error reading private key. (PEM_read_RSAPrivateKey: %s)", ERR_reason_error_string(err));
PRIVKEY = NULL;
fclose(fp);
return true;
}
fclose(fp);
Log(LOG_LEVEL_VERBOSE, "Loaded private key at '%s'", PrivateKeyFile(GetWorkDir()));
}
{
FILE *fp = fopen(PublicKeyFile(GetWorkDir()), "r");
if (!fp)
{
Log(LOG_LEVEL_ERR, "Couldn't find a public key at '%s', use cf-key to get one (fopen: %s)", PublicKeyFile(GetWorkDir()), GetErrorStr());
return true;
}
if ((PUBKEY = PEM_read_RSAPublicKey(fp, NULL, NULL, passphrase)) == NULL)
{
unsigned long err = ERR_get_error();
Log(LOG_LEVEL_ERR, "Error reading public key at '%s'. (PEM_read_RSAPublicKey: %s)", PublicKeyFile(GetWorkDir()), ERR_reason_error_string(err));
PUBKEY = NULL;
fclose(fp);
return true;
}
Log(LOG_LEVEL_VERBOSE, "Loaded public key '%s'", PublicKeyFile(GetWorkDir()));
fclose(fp);
}
if ((BN_num_bits(PUBKEY->e) < 2) || (!BN_is_odd(PUBKEY->e)))
{
Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd");
return false;
}
if (GetAmPolicyHub(CFWORKDIR))
{
unsigned char digest[EVP_MAX_MD_SIZE + 1];
char dst_public_key_filename[CF_BUFSIZE] = "";
{
char buffer[EVP_MAX_MD_SIZE * 4];
HashPubKey(PUBKEY, digest, CF_DEFAULT_DIGEST);
snprintf(dst_public_key_filename, CF_MAXVARSIZE, "%s/ppkeys/%s-%s.pub", CFWORKDIR, "root", HashPrintSafe(CF_DEFAULT_DIGEST, digest, buffer));
MapName(dst_public_key_filename);
}
struct stat sb;
if ((stat(dst_public_key_filename, &sb) == -1))
{
char src_public_key_filename[CF_BUFSIZE] = "";
snprintf(src_public_key_filename, CF_MAXVARSIZE, "%s/ppkeys/localhost.pub", CFWORKDIR);
MapName(src_public_key_filename);
// copy localhost.pub to root-HASH.pub on policy server
if (!LinkOrCopy(src_public_key_filename, dst_public_key_filename, false))
{
Log(LOG_LEVEL_ERR, "Unable to copy policy server's own public key from '%s' to '%s'", src_public_key_filename, dst_public_key_filename);
}
if (policy_server)
{
LastSaw(policy_server, digest, LAST_SEEN_ROLE_CONNECT);
}
}
}
return true;
}
int OpenReceiverChannel(void)
{
struct addrinfo *response, *ap;
struct addrinfo query = {
.ai_flags = AI_PASSIVE,
.ai_family = AF_UNSPEC,
.ai_socktype = SOCK_STREAM
};
/* Listen to INADDR(6)_ANY if BINDINTERFACE unset. */
char *ptr = NULL;
if (BINDINTERFACE[0] != '\0')
{
ptr = BINDINTERFACE;
}
/* Resolve listening interface. */
if (getaddrinfo(ptr, STR_CFENGINEPORT, &query, &response) != 0)
{
Log(LOG_LEVEL_ERR, "DNS/service lookup failure. (getaddrinfo: %s)", GetErrorStr());
return -1;
}
int sd = -1;
for (ap = response; ap != NULL; ap = ap->ai_next)
{
if ((sd = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol)) == -1)
{
continue;
}
int yes = 1;
if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR,
&yes, sizeof(yes)) == -1)
{
Log(LOG_LEVEL_ERR, "Socket option SO_REUSEADDR was not accepted. (setsockopt: %s)", GetErrorStr());
exit(1);
}
struct linger cflinger = {
.l_onoff = 1,
.l_linger = 60
};
if (setsockopt(sd, SOL_SOCKET, SO_LINGER,
&cflinger, sizeof(cflinger)) == -1)
{
Log(LOG_LEVEL_ERR, "Socket option SO_LINGER was not accepted. (setsockopt: %s)", GetErrorStr());
exit(1);
}
if (bind(sd, ap->ai_addr, ap->ai_addrlen) != -1)
{
if (LogGetGlobalLevel() >= LOG_LEVEL_DEBUG)
{
/* Convert IP address to string, no DNS lookup performed. */
char txtaddr[CF_MAX_IP_LEN] = "";
getnameinfo(ap->ai_addr, ap->ai_addrlen,
txtaddr, sizeof(txtaddr),
NULL, 0, NI_NUMERICHOST);
Log(LOG_LEVEL_DEBUG, "Bound to address '%s' on '%s' = %d", txtaddr,
CLASSTEXT[VSYSTEMHARDCLASS], VSYSTEMHARDCLASS);
}
break;
}
else
{
Log(LOG_LEVEL_ERR, "Could not bind server address. (bind: %s)", GetErrorStr());
cf_closesocket(sd);
}
}
if (sd < 0)
{
Log(LOG_LEVEL_ERR, "Couldn't open/bind a socket");
exit(1);
}
freeaddrinfo(response);
return sd;
}
/*********************************************************************/
/* Level 3 */
/*********************************************************************/
void CheckFileChanges(EvalContext *ctx, Policy **policy, GenericAgentConfig *config)
{
Log(LOG_LEVEL_DEBUG, "Checking file updates for input file '%s'", config->input_file);
if (NewPromiseProposals(ctx, config, InputFiles(ctx, *policy)))
{
Log(LOG_LEVEL_VERBOSE, "New promises detected...");
if (CheckPromises(config))
{
Log(LOG_LEVEL_INFO, "Rereading policy file '%s'", config->input_file);
/* Free & reload -- lock this to avoid access errors during reload */
EvalContextHeapClear(ctx);
DeleteItemList(IPADDRESSES);
IPADDRESSES = NULL;
DeleteItemList(SV.trustkeylist);
DeleteItemList(SV.skipverify);
DeleteItemList(SV.attackerlist);
DeleteItemList(SV.nonattackerlist);
DeleteItemList(SV.multiconnlist);
DeleteAuthList(SV.admit);
DeleteAuthList(SV.deny);
DeleteAuthList(SV.varadmit);
DeleteAuthList(SV.vardeny);
DeleteAuthList(SV.roles);
//DeleteRlist(VINPUTLIST); This is just a pointer, cannot free it
ScopeDeleteAll();
strcpy(VDOMAIN, "undefined.domain");
POLICY_SERVER[0] = '\0';
SV.admit = NULL;
SV.admittop = NULL;
SV.varadmit = NULL;
SV.varadmittop = NULL;
SV.deny = NULL;
SV.denytop = NULL;
SV.vardeny = NULL;
SV.vardenytop = NULL;
SV.roles = NULL;
SV.rolestop = NULL;
SV.trustkeylist = NULL;
SV.skipverify = NULL;
SV.attackerlist = NULL;
SV.nonattackerlist = NULL;
SV.multiconnlist = NULL;
PolicyDestroy(*policy);
*policy = NULL;
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
}
GetNameInfo3(ctx, AGENT_TYPE_SERVER);
GetInterfacesInfo(ctx, AGENT_TYPE_SERVER);
Get3Environment(ctx, AGENT_TYPE_SERVER);
BuiltinClasses(ctx);
OSClasses(ctx);
KeepHardClasses(ctx);
EvalContextHeapAddHard(ctx, CF_AGENTTYPES[config->agent_type]);
SetReferenceTime(ctx, true);
*policy = GenericAgentLoadPolicy(ctx, config);
KeepPromises(ctx, *policy, config);
Summarize();
}
else
{
Log(LOG_LEVEL_INFO, "File changes contain errors -- ignoring");
PROMISETIME = time(NULL);
}
}
else
{
Log(LOG_LEVEL_DEBUG, "No new promises found");
}
}
void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config)
{
strcpy(VPREFIX, "");
Log(LOG_LEVEL_VERBOSE, " %s", NameVersion());
Banner("Initialization preamble");
GenericAgentSetDefaultDigest(&CF_DEFAULT_DIGEST, &CF_DEFAULT_DIGEST_LEN);
GenericAgentInitialize(ctx, config);
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
SanitizeEnvironment();
THIS_AGENT_TYPE = config->agent_type;
LoggingSetAgentType(CF_AGENTTYPES[config->agent_type]);
EvalContextClassPutHard(ctx, CF_AGENTTYPES[config->agent_type],
"cfe_internal,source=agent");
DetectEnvironment(ctx);
EvalContextHeapPersistentLoadAll(ctx);
LoadSystemConstants(ctx);
const char *bootstrap_arg =
config->agent_specific.agent.bootstrap_policy_server;
/* Are we bootstrapping the agent? */
if (config->agent_type == AGENT_TYPE_AGENT && bootstrap_arg != NULL)
{
EvalContextClassPutHard(ctx, "bootstrap_mode", "source=environment");
if (!RemoveAllExistingPolicyInInputs(GetInputDir()))
{
Log(LOG_LEVEL_ERR,
"Error removing existing input files prior to bootstrap");
exit(EXIT_FAILURE);
}
if (!WriteBuiltinFailsafePolicy(GetInputDir()))
{
Log(LOG_LEVEL_ERR,
"Error writing builtin failsafe to inputs prior to bootstrap");
exit(EXIT_FAILURE);
}
char canonified_ipaddr[strlen(bootstrap_arg) + 1];
StringCanonify(canonified_ipaddr, bootstrap_arg);
bool am_policy_server =
EvalContextClassGet(ctx, NULL, canonified_ipaddr) != NULL;
if (am_policy_server)
{
Log(LOG_LEVEL_INFO, "Assuming role as policy server,"
" with policy distribution point at: %s", GetMasterDir());
MarkAsPolicyServer(ctx);
if (!MasterfileExists(GetMasterDir()))
{
Log(LOG_LEVEL_ERR, "In order to bootstrap as a policy server,"
" the file '%s/promises.cf' must exist.", GetMasterDir());
exit(EXIT_FAILURE);
}
CheckAndSetHAState(GetWorkDir(), ctx);
}
else
{
Log(LOG_LEVEL_INFO, "Assuming role as regular client,"
" bootstrapping to policy server: %s", bootstrap_arg);
if (config->agent_specific.agent.bootstrap_trust_server)
{
EvalContextClassPutHard(ctx, "trust_server", "source=agent");
Log(LOG_LEVEL_NOTICE,
"Bootstrap mode: implicitly trusting server, "
"use --trust-server=no if server trust is already established");
}
}
WriteAmPolicyHubFile(am_policy_server);
WritePolicyServerFile(GetWorkDir(), bootstrap_arg);
SetPolicyServer(ctx, bootstrap_arg);
/* FIXME: Why it is called here? Can't we move both invocations to before if? */
UpdateLastPolicyUpdateTime(ctx);
}
else
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
if (existing_policy_server)
{
Log(LOG_LEVEL_VERBOSE, "This agent is bootstrapped to: %s",
existing_policy_server);
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
UpdateLastPolicyUpdateTime(ctx);
}
else
{
Log(LOG_LEVEL_VERBOSE, "This agent is not bootstrapped -"
" can't find policy_server.dat in: %s", GetWorkDir());
return;
}
if (GetAmPolicyHub())
{
MarkAsPolicyServer(ctx);
/* Should this go in MarkAsPolicyServer() ? */
CheckAndSetHAState(GetWorkDir(), ctx);
}
}
}
GenericAgentConfig *CheckOpts(EvalContext *ctx, int argc, char **argv)
{
extern char *optarg;
int optindex = 0;
int c;
GenericAgentConfig *config = GenericAgentConfigNewDefault(AGENT_TYPE_COMMON);
while ((c = getopt_long(argc, argv, "dvnIf:D:N:VSrxMb:i:p:s:cg:hW:lC::", OPTIONS, &optindex)) != EOF)
{
switch ((char) c)
{
case 'l':
LEGACY_OUTPUT = true;
break;
case 'c':
config->check_runnable = true;
break;
case 'f':
if (optarg && (strlen(optarg) < 5))
{
Log(LOG_LEVEL_ERR, " -f used but argument '%s' incorrect", optarg);
exit(EXIT_FAILURE);
}
GenericAgentConfigSetInputFile(config, GetWorkDir(), optarg);
MINUSF = true;
break;
case 'd':
LogSetGlobalLevel(LOG_LEVEL_DEBUG);
break;
case 'b':
if (optarg)
{
Rlist *bundlesequence = RlistFromSplitString(optarg, ',');
GenericAgentConfigSetBundleSequence(config, bundlesequence);
RlistDestroy(bundlesequence);
}
break;
case 'p':
if (strcmp("none", optarg) == 0)
{
config->agent_specific.common.policy_output_format = GENERIC_AGENT_CONFIG_COMMON_POLICY_OUTPUT_FORMAT_NONE;
}
else if (strcmp("cf", optarg) == 0)
{
config->agent_specific.common.policy_output_format = GENERIC_AGENT_CONFIG_COMMON_POLICY_OUTPUT_FORMAT_CF;
}
else if (strcmp("json", optarg) == 0)
{
config->agent_specific.common.policy_output_format = GENERIC_AGENT_CONFIG_COMMON_POLICY_OUTPUT_FORMAT_JSON;
}
else
{
Log(LOG_LEVEL_ERR, "Invalid policy output format: '%s'. Possible values are 'none', 'cf', 'json'", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if (strcmp("none", optarg) == 0)
{
break;
}
else if (strcmp("json", optarg) == 0)
{
JsonElement *json_syntax = SyntaxToJson();
Writer *out = FileWriter(stdout);
JsonWrite(out, json_syntax, 0);
FileWriterDetach(out);
JsonDestroy(json_syntax);
exit(EXIT_SUCCESS);
}
else
{
Log(LOG_LEVEL_ERR, "Invalid syntax description output format: '%s'. Possible values are 'none', 'json'", optarg);
exit(EXIT_FAILURE);
}
break;
case 'K':
IGNORELOCK = true;
break;
case 'D':
config->heap_soft = StringSetFromString(optarg, ',');
break;
case 'N':
config->heap_negated = StringSetFromString(optarg, ',');
break;
case 'I':
LogSetGlobalLevel(LOG_LEVEL_INFO);
break;
case 'v':
LogSetGlobalLevel(LOG_LEVEL_VERBOSE);
break;
case 'n':
DONTDO = true;
IGNORELOCK = true;
LOOKUP = true;
EvalContextHeapAddHard(ctx, "opt_dry_run");
break;
case 'V':
{
Writer *w = FileWriter(stdout);
GenericAgentWriteVersion(w);
FileWriterDetach(w);
}
exit(0);
case 'h':
{
Writer *w = FileWriter(stdout);
GenericAgentWriteHelp(w, "cf-promises", OPTIONS, HINTS, true);
FileWriterDetach(w);
}
exit(0);
case 'M':
{
Writer *out = FileWriter(stdout);
ManPageWrite(out, "cf-promises", time(NULL),
CF_PROMISES_SHORT_DESCRIPTION,
CF_PROMISES_MANPAGE_LONG_DESCRIPTION,
OPTIONS, HINTS,
true);
FileWriterDetach(out);
exit(EXIT_SUCCESS);
}
case 'r':
SHOWREPORTS = true;
break;
case 'W':
if (!GenericAgentConfigParseWarningOptions(config, optarg))
{
Log(LOG_LEVEL_ERR, "Error parsing warning option");
exit(EXIT_FAILURE);
}
break;
case 'x':
Log(LOG_LEVEL_ERR, "Self-diagnostic functionality is retired.");
exit(0);
case 'C':
if (!GenericAgentConfigParseColor(config, optarg))
{
exit(EXIT_FAILURE);
}
break;
default:
{
Writer *w = FileWriter(stdout);
GenericAgentWriteHelp(w, "cf-promises", OPTIONS, HINTS, true);
FileWriterDetach(w);
}
exit(1);
}
}
if (!GenericAgentConfigParseArguments(config, argc - optind, argv + optind))
{
Log(LOG_LEVEL_ERR, "Too many arguments");
exit(EXIT_FAILURE);
}
return config;
}
void GenericAgentDiscoverContext(EvalContext *ctx, GenericAgentConfig *config)
{
GenericAgentSetDefaultDigest(&CF_DEFAULT_DIGEST, &CF_DEFAULT_DIGEST_LEN);
GenericAgentInitialize(ctx, config);
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
SanitizeEnvironment();
THIS_AGENT_TYPE = config->agent_type;
EvalContextClassPutHard(ctx, CF_AGENTTYPES[config->agent_type], "cfe_internal,source=agent");
DetectEnvironment(ctx);
EvalContextHeapPersistentLoadAll(ctx);
LoadSystemConstants(ctx);
if (config->agent_type == AGENT_TYPE_AGENT && config->agent_specific.agent.bootstrap_policy_server)
{
if (!RemoveAllExistingPolicyInInputs(GetInputDir()))
{
Log(LOG_LEVEL_ERR, "Error removing existing input files prior to bootstrap");
exit(EXIT_FAILURE);
}
if (!WriteBuiltinFailsafePolicy(GetInputDir()))
{
Log(LOG_LEVEL_ERR, "Error writing builtin failsafe to inputs prior to bootstrap");
exit(EXIT_FAILURE);
}
bool am_policy_server = false;
{
const char *canonified_bootstrap_policy_server = CanonifyName(config->agent_specific.agent.bootstrap_policy_server);
am_policy_server = NULL != EvalContextClassGet(ctx, NULL, canonified_bootstrap_policy_server);
{
char policy_server_ipv4_class[CF_BUFSIZE];
snprintf(policy_server_ipv4_class, CF_MAXVARSIZE, "ipv4_%s", canonified_bootstrap_policy_server);
am_policy_server |= NULL != EvalContextClassGet(ctx, NULL, policy_server_ipv4_class);
}
if (am_policy_server)
{
Log(LOG_LEVEL_INFO, "Assuming role as policy server, with policy distribution point at %s", GetMasterDir());
EvalContextClassPutHard(ctx, "am_policy_hub", "source=bootstrap");
if (!MasterfileExists(GetMasterDir()))
{
Log(LOG_LEVEL_ERR, "In order to bootstrap as a policy server, the file '%s/promises.cf' must exist.", GetMasterDir());
exit(EXIT_FAILURE);
}
}
else
{
Log(LOG_LEVEL_INFO, "Not assuming role as policy server");
}
WriteAmPolicyHubFile(CFWORKDIR, am_policy_server);
}
WritePolicyServerFile(GetWorkDir(), config->agent_specific.agent.bootstrap_policy_server);
SetPolicyServer(ctx, config->agent_specific.agent.bootstrap_policy_server);
/* FIXME: Why it is called here? Can't we move both invocations to before if? */
UpdateLastPolicyUpdateTime(ctx);
Log(LOG_LEVEL_INFO, "Bootstrapping to '%s'", POLICY_SERVER);
}
else
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
if (existing_policy_server)
{
Log(LOG_LEVEL_VERBOSE, "This agent is bootstrapped to '%s'", existing_policy_server);
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
UpdateLastPolicyUpdateTime(ctx);
}
else
{
Log(LOG_LEVEL_VERBOSE, "This agent is not bootstrapped");
return;
}
if (GetAmPolicyHub(GetWorkDir()))
{
EvalContextClassPutHard(ctx, "am_policy_hub", "source=bootstrap,deprecated,alias=policy_server");
Log(LOG_LEVEL_VERBOSE, "Additional class defined: am_policy_hub");
EvalContextClassPutHard(ctx, "policy_server", "inventory,attribute_name=CFEngine roles,source=bootstrap");
Log(LOG_LEVEL_VERBOSE, "Additional class defined: policy_server");
}
}
}
static bool ScheduleRun(EvalContext *ctx, Policy **policy, GenericAgentConfig *config,
ExecdConfig **execd_config, ExecConfig **exec_config)
{
Log(LOG_LEVEL_VERBOSE, "Sleeping for pulse time %d seconds...", CFPULSETIME);
sleep(CFPULSETIME); /* 1 Minute resolution is enough */
/*
* FIXME: this logic duplicates the one from cf-serverd.c. Unify ASAP.
*/
if (CheckNewPromises(config) == RELOAD_FULL)
{
/* Full reload */
Log(LOG_LEVEL_INFO, "Re-reading promise file '%s'", config->input_file);
EvalContextClear(ctx);
strcpy(VDOMAIN, "undefined.domain");
PolicyDestroy(*policy);
*policy = NULL;
{
char *existing_policy_server = ReadPolicyServerFile(GetWorkDir());
SetPolicyServer(ctx, existing_policy_server);
free(existing_policy_server);
}
UpdateLastPolicyUpdateTime(ctx);
DetectEnvironment(ctx);
EvalContextClassPutHard(ctx, CF_AGENTTYPES[AGENT_TYPE_EXECUTOR], "cfe_internal,source=agent");
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
GenericAgentConfigSetBundleSequence(config, NULL);
*policy = LoadPolicy(ctx, config);
ExecConfigDestroy(*exec_config);
ExecdConfigDestroy(*execd_config);
*exec_config = ExecConfigNew(!ONCE, ctx, *policy);
*execd_config = ExecdConfigNew(ctx, *policy);
SetFacility((*execd_config)->log_facility);
}
else
{
/* Environment reload */
EvalContextClear(ctx);
DetectEnvironment(ctx);
time_t t = SetReferenceTime();
UpdateTimeClasses(ctx, t);
}
{
StringSetIterator it = StringSetIteratorInit((*execd_config)->schedule);
const char *time_context = NULL;
while ((time_context = StringSetIteratorNext(&it)))
{
if (IsDefinedClass(ctx, time_context))
{
Log(LOG_LEVEL_VERBOSE, "Waking up the agent at %s ~ %s", ctime(&CFSTARTTIME), time_context);
return true;
}
}
}
Log(LOG_LEVEL_VERBOSE, "Nothing to do at %s", ctime(&CFSTARTTIME));
return false;
}
void GenericAgentInitialize(EvalContext *ctx, GenericAgentConfig *config)
{
int force = false;
struct stat statbuf, sb;
char vbuff[CF_BUFSIZE];
char ebuff[CF_EXPANDSIZE];
SHORT_CFENGINEPORT = htons((unsigned short) 5308);
snprintf(STR_CFENGINEPORT, 15, "5308");
EvalContextHeapAddHard(ctx, "any");
strcpy(VPREFIX, GetConsolePrefix());
/* Define trusted directories */
{
const char *workdir = GetWorkDir();
if (!workdir)
{
FatalError(ctx, "Error determining working directory");
}
strcpy(CFWORKDIR, workdir);
MapName(CFWORKDIR);
}
/* On windows, use 'binary mode' as default for files */
#ifdef __MINGW32__
_fmode = _O_BINARY;
#endif
OpenLog(LOG_USER);
SetSyslogFacility(LOG_USER);
if (!LOOKUP) /* cf-know should not do this in lookup mode */
{
Log(LOG_LEVEL_VERBOSE, "Work directory is %s", CFWORKDIR);
snprintf(vbuff, CF_BUFSIZE, "%s%cinputs%cupdate.conf", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%cbin%ccf-agent -D from_cfexecd", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs%cspooled_reports", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%clastseen%cintermittencies", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%creports%cvarious", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(vbuff, force);
snprintf(vbuff, CF_BUFSIZE, "%s%cinputs", CFWORKDIR, FILE_SEPARATOR);
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/inputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
snprintf(vbuff, CF_BUFSIZE, "%s%coutputs", CFWORKDIR, FILE_SEPARATOR);
if (stat(vbuff, &sb) == -1)
{
FatalError(ctx, " No access to WORKSPACE/outputs dir");
}
else
{
chmod(vbuff, sb.st_mode | 0700);
}
sprintf(ebuff, "%s%cstate%ccf_procs", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
MakeParentDirectory(ebuff, force);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
sprintf(ebuff, "%s%cstate%ccf_rootprocs", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
sprintf(ebuff, "%s%cstate%ccf_otherprocs", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
if (stat(ebuff, &statbuf) == -1)
{
CreateEmptyFile(ebuff);
}
}
OpenNetwork();
CryptoInitialize();
if (!LOOKUP)
{
CheckWorkingDirectories(ctx);
}
const char *bootstrapped_policy_server = ReadPolicyServerFile(CFWORKDIR);
/* Initialize keys and networking. cf-key, doesn't need keys. In fact it
must function properly even without them, so that it generates them! */
if (config->agent_type != AGENT_TYPE_KEYGEN)
{
LoadSecretKeys(bootstrapped_policy_server);
cfnet_init();
}
if (!MINUSF)
{
GenericAgentConfigSetInputFile(config, GetWorkDir(), "promises.cf");
}
DetermineCfenginePort();
VIFELAPSED = 1;
VEXPIREAFTER = 1;
setlinebuf(stdout);
if (config->agent_specific.agent.bootstrap_policy_server)
{
snprintf(vbuff, CF_BUFSIZE, "%s%cinputs%cfailsafe.cf", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR);
#ifndef HAVE_ENTERPRISE
if (stat(vbuff, &statbuf) == -1)
{
GenericAgentConfigSetInputFile(config, GetWorkDir(), "failsafe.cf");
}
else
#endif
{
GenericAgentConfigSetInputFile(config, GetWorkDir(), vbuff);
}
}
}
bool GenericAgentArePromisesValid(const GenericAgentConfig *config)
{
char cmd[CF_BUFSIZE];
const char* const workdir = GetWorkDir();
Log(LOG_LEVEL_VERBOSE, "Verifying the syntax of the inputs...");
{
char cfpromises[CF_MAXVARSIZE];
snprintf(cfpromises, sizeof(cfpromises), "%s%cbin%ccf-promises%s",
workdir, FILE_SEPARATOR, FILE_SEPARATOR, EXEC_SUFFIX);
struct stat sb;
if (stat(cfpromises, &sb) == -1)
{
Log(LOG_LEVEL_ERR,
"cf-promises%s needs to be installed in %s%cbin for pre-validation of full configuration",
EXEC_SUFFIX, workdir, FILE_SEPARATOR);
return false;
}
if (config->bundlesequence)
{
snprintf(cmd, sizeof(cmd), "\"%s\" \"", cfpromises);
}
else
{
snprintf(cmd, sizeof(cmd), "\"%s\" -c \"", cfpromises);
}
}
strlcat(cmd, config->input_file, CF_BUFSIZE);
strlcat(cmd, "\"", CF_BUFSIZE);
if (config->bundlesequence)
{
strlcat(cmd, " -b \"", CF_BUFSIZE);
for (const Rlist *rp = config->bundlesequence; rp; rp = rp->next)
{
const char *bundle_ref = RlistScalarValue(rp);
strlcat(cmd, bundle_ref, CF_BUFSIZE);
if (rp->next)
{
strlcat(cmd, ",", CF_BUFSIZE);
}
}
strlcat(cmd, "\"", CF_BUFSIZE);
}
Log(LOG_LEVEL_VERBOSE, "Checking policy with command '%s'", cmd);
if (!ShellCommandReturnsZero(cmd, true))
{
Log(LOG_LEVEL_ERR, "Policy failed validation with command '%s'", cmd);
return false;
}
return true;
}
static GenericAgentConfig *CheckOpts(int argc, char **argv)
{
extern char *optarg;
int optindex = 0;
int c;
GenericAgentConfig *config = GenericAgentConfigNewDefault(AGENT_TYPE_MONITOR);
while ((c = getopt_long(argc, argv, "dvnIf:VSxHTKMFhlC::", OPTIONS, &optindex)) != EOF)
{
switch ((char) c)
{
case 'l':
LEGACY_OUTPUT = true;
break;
case 'f':
GenericAgentConfigSetInputFile(config, GetWorkDir(), optarg);
MINUSF = true;
break;
case 'd':
LogSetGlobalLevel(LOG_LEVEL_DEBUG);
NO_FORK = true;
break;
case 'K':
IGNORELOCK = true;
break;
case 'I':
LogSetGlobalLevel(LOG_LEVEL_INFO);
break;
case 'v':
LogSetGlobalLevel(LOG_LEVEL_VERBOSE);
NO_FORK = true;
break;
case 'F':
NO_FORK = true;
break;
case 'H': /* Keep accepting this option for compatibility -- no longer used */
break;
case 'T':
MonNetworkSnifferEnable(true);
break;
case 'V':
PrintVersion();
exit(0);
case 'h':
PrintHelp("cf-monitord", OPTIONS, HINTS, true);
exit(0);
case 'M':
{
Writer *out = FileWriter(stdout);
ManPageWrite(out, "cf-monitord", time(NULL),
CF_MONITORD_SHORT_DESCRIPTION,
CF_MONITORD_MANPAGE_LONG_DESCRIPTION,
OPTIONS, HINTS,
true);
FileWriterDetach(out);
exit(EXIT_SUCCESS);
}
case 'x':
Log(LOG_LEVEL_ERR, "Self-diagnostic functionality is retired.");
exit(0);
case 'C':
if (!GenericAgentConfigParseColor(config, optarg))
{
exit(EXIT_FAILURE);
}
break;
default:
PrintHelp("cf-monitord", OPTIONS, HINTS, true);
exit(1);
}
}
if (!GenericAgentConfigParseArguments(config, argc - optind, argv + optind))
{
Log(LOG_LEVEL_ERR, "Too many arguments");
exit(EXIT_FAILURE);
}
return config;
}