choria-mcorpc-support 2.23.0 → 2.23.1

data/lib/mcollective/util/choria.rb

@@ -86,14 +86,6 @@ module MCollective
         end
       end
 
-      # Which port to provide stats over HTTP on
-      #
-      # @return [Integer,nil]
-      # @raise [StandardError] when not numeric
-      def stats_port
-        Integer(get_option("choria.stats_port", "")) if has_option?("choria.stats_port")
-      end
-
       # Determines if there are any federations configured
       #
       # @return [Boolean]
@@ -888,15 +880,6 @@ module MCollective
         File.exist?(csr_path)
       end
 
-      # The formatted string representation of the CSR fingerprint
-      #
-      # @return [String]
-      def csr_fingerprint
-        require "puppet"
-        csr = OpenSSL::X509::Request.new(File.read(csr_path))
-        Puppet::SSL::Digest.new(nil, csr.to_der)
-      end
-
       # Searches the PATH for an executable command
       #
       # @param command [String] a command to search for
@@ -927,146 +910,6 @@ module MCollective
         which("facter")
       end
 
-      # Creates any missing SSL directories
-      #
-      # This prepares a Puppet like SSL tree in case Puppet
-      # has not been initialized yet
-      #
-      # @return [void]
-      def make_ssl_dirs
-        return if file_security?
-
-        FileUtils.mkdir_p(ssl_dir, :mode => 0o0771)
-
-        ["certificate_requests", "certs", "public_keys"].each do |dir|
-          FileUtils.mkdir_p(File.join(ssl_dir, dir), :mode => 0o0755)
-        end
-
-        ["private_keys", "private"].each do |dir|
-          FileUtils.mkdir_p(File.join(ssl_dir, dir), :mode => 0o0750)
-        end
-      end
-
-      # Creates a RSA key of a certain strenth
-      #
-      # @return [OpenSSL::PKey::RSA]
-      def create_rsa_key(bits)
-        OpenSSL::PKey::RSA.new(bits)
-      end
-
-      # Writes a new 4096 bit key in the puppet default locatioj
-      #
-      # @return [OpenSSL::PKey::RSA]
-      # @raise [StandardError] when the key already exist
-      def write_key
-        raise("Refusing to overwrite existing key in %s" % client_private_key) if has_client_private_key?
-
-        key = create_rsa_key(4096)
-        File.open(client_private_key, "w", 0o0640) {|f| f.write(key.to_pem)}
-
-        key
-      end
-
-      # Creates a basic CSR
-      #
-      # @return [OpenSSL::X509::Request] signed CSR
-      def create_csr(comonname, orgunit, key)
-        csr = OpenSSL::X509::Request.new
-        csr.version = 0
-        csr.public_key = key.public_key
-        csr.subject = OpenSSL::X509::Name.new(
-          [
-            ["CN", comonname, OpenSSL::ASN1::UTF8STRING],
-            ["OU", orgunit, OpenSSL::ASN1::UTF8STRING]
-          ]
-        )
-        csr.sign(key, OpenSSL::Digest.new("SHA1"))
-
-        csr
-      end
-
-      # Creates a new CSR signed by the given key
-      #
-      # @param key [OpenSSL::PKey::RSA]
-      # @return [String] PEM encoded CSR
-      def write_csr(key)
-        raise("Refusing to overwrite existing CSR in %s" % csr_path) if has_csr?
-
-        csr = create_csr(certname, "mcollective", key)
-
-        File.open(csr_path, "w", 0o0644) {|f| f.write(csr.to_pem)}
-
-        csr.to_pem
-      end
-
-      # Fetch and save the CA from Puppet
-      #
-      # @return [Boolean]
-      def fetch_ca
-        return true if has_ca?
-
-        server = puppetca_server
-
-        req = http_get("/puppet-ca/v1/certificate/ca?environment=production", "Accept" => "text/plain")
-        resp, _ = https(server).request(req)
-
-        if resp.code == "200"
-          File.open(ca_path, "w", 0o0644) {|f| f.write(resp.body)}
-        else
-          raise(UserError, "Failed to fetch CA from %s:%s: %s: %s" % [server[:target], server[:port], resp.code, resp.message])
-        end
-
-        has_ca?
-      end
-
-      # Requests a certificate from the Puppet CA
-      #
-      # This will attempt to create a new key, write a CSR and
-      # then sends it to the CA for signing
-      #
-      # @return [Boolean]
-      # @raise [UserError] when requesting the cert fails
-      def request_cert
-        key = write_key
-        csr = write_csr(key)
-
-        server = puppetca_server
-
-        req = Net::HTTP::Put.new("/puppet-ca/v1/certificate_request/%s?environment=production" % certname, "Content-Type" => "text/plain")
-        req.body = csr
-        resp, _ = https(server).request(req)
-
-        if resp.code == "200"
-          true
-        else
-          raise(UserError, "Failed to request certificate from %s:%s: %s: %s: %s" % [server[:target], server[:port], resp.code, resp.message, resp.body])
-        end
-      end
-
-      # Attempts to fetch a cert from the CA
-      #
-      # @return [Boolean]
-      def attempt_fetch_cert
-        return true if has_client_public_cert?
-
-        req = http_get("/puppet-ca/v1/certificate/%s?environment=production" % certname, "Accept" => "text/plain")
-        resp, _ = https(puppetca_server).request(req)
-
-        if resp.code == "200"
-          File.open(client_public_cert, "w", 0o0644) {|f| f.write(resp.body)}
-          true
-        else
-          false
-        end
-      end
-
-      # Determines if a CSR has been sent but not yet retrieved
-      #
-      # @return [Boolean]
-      def waiting_for_cert?
-        !has_client_public_cert? && has_client_private_key?
-      end
-
       # Gets a config option
       #
       # @param opt [String] config option to look up

data/lib/mcollective/util/tasks_support.rb

@@ -250,8 +250,9 @@ module MCollective
       # @param environment [Hash] environment to run with
       # @param stdin [String] stdin to send to the command
       # @param spooldir [String] path to the spool for this specific request
+      # @param run_as [String] name of the user who will run the command
       # @return [Integer] the pid that was spawned
-      def spawn_command(command, environment, stdin, spooldir)
+      def spawn_command(command, environment, stdin, spooldir, run_as)
         wrapper_input = File.join(spooldir, "wrapper_stdin")
         wrapper_stdout = File.join(spooldir, "wrapper_stdout")
         wrapper_stderr = File.join(spooldir, "wrapper_stderr")
@@ -269,7 +270,24 @@ module MCollective
           options[:in] = wrapper_input
         end
 
-        pid = Process.spawn(environment, command, options)
+        if run_as
+          raise("System does not allow forking.  run_as not usable.") unless Process.respond_to?(:fork)
+
+          require "etc"
+
+          u = Etc.getpwnam(run_as)
+
+          FileUtils.chown_R(u.uid, u.gid, spooldir)
+
+          pid = Process.fork
+          if pid.nil?
+            Process.gid = Process.egid = u.gid
+            Process.uid = Process.euid = u.uid
+            Process.exec(environment, command, options)
+          end
+        else
+          pid = Process.spawn(environment, command, options)
+        end
 
         sleep 0.1 until File.exist?(wrapper_stdout)
 
@@ -353,7 +371,7 @@ module MCollective
           meta.print(data.to_json)
         end
 
-        pid = spawn_command(wrapper_path, task_environment(task, requestid, callerid), wrapper_input.to_json, spool)
+        pid = spawn_command(wrapper_path, task_environment(task, requestid, callerid), wrapper_input.to_json, spool, task["run_as"])
 
         Log.info("Spawned task %s in spool %s with pid %s" % [task["task"], spool, pid])
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: choria-mcorpc-support
 version: !ruby/object:Gem::Version
-  version: 2.23.0
+  version: 2.23.1
 platform: ruby
 authors:
 - R.I.Pienaar
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-29 00:00:00.000000000 Z
+date: 2021-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: systemu
@@ -79,7 +79,6 @@ files:
 - lib/mcollective/application.rb
 - lib/mcollective/application/choria.rb
 - lib/mcollective/application/completion.rb
-- lib/mcollective/application/describe_filter.rb
 - lib/mcollective/application/facts.rb
 - lib/mcollective/application/federation.rb
 - lib/mcollective/application/find.rb
@@ -145,9 +144,6 @@ files:
 - lib/mcollective/logger/console_logger.rb
 - lib/mcollective/logger/file_logger.rb
 - lib/mcollective/logger/syslog_logger.rb
-- lib/mcollective/matcher.rb
-- lib/mcollective/matcher/parser.rb
-- lib/mcollective/matcher/scanner.rb
 - lib/mcollective/message.rb
 - lib/mcollective/monkey_patches.rb
 - lib/mcollective/optionparser.rb

data/lib/mcollective/application/describe_filter.rb

@@ -1,87 +0,0 @@
-module MCollective
-  class Application::Describe_filter < Application # rubocop:disable Style/ClassAndModuleChildren
-    exclude_argument_sections "common", "rpc"
-
-    description "Display human readable interpretation of filters"
-
-    usage "mco describe_filter -S <filter> -F <filter> -C <filter>"
-
-    def describe_s_filter(stack)
-      indent = "  "
-      old_indent = "  "
-      puts "-S Query expands to the following instructions:"
-      puts
-      stack.each do |token|
-        case token.keys[0]
-        when "statement"
-          if token.values[0] =~ /(<=|>=|=|=~|=)/
-            op = $1
-            k, v = token.values[0].split(op)
-            puts indent + get_fact_string(k, v, op)
-          else
-            puts indent + get_class_string(token.values[0])
-          end
-        when "fstatement"
-          v = token.values[0]
-          result_string = indent + "Execute the Data Query '#{v['name']}'"
-          result_string += " with parameters (#{v['params']})" if v["params"]
-          result_string += ". "
-          result_string += "Check if the query's '#{v['value']}' value #{v['operator']} '#{v['r_compare']}'  "
-          puts result_string
-        when "("
-          puts "#{indent}("
-          old_indent = indent
-          indent *= 2
-        when ")"
-          indent = old_indent
-          puts "#{indent})"
-        else
-          puts indent + token.keys[0].upcase
-        end
-      end
-    end
-
-    def describe_f_filter(facts)
-      puts "-F filter expands to the following fact comparisons:"
-      puts
-      facts.each do |f|
-        puts "  #{get_fact_string(f[:fact], f[:value], f[:operator])}"
-      end
-    end
-
-    def describe_c_filter(classes)
-      puts "-C filter expands to the following class checks:"
-      puts
-      classes.each do |c|
-        puts "  #{get_class_string(c)}"
-      end
-    end
-
-    def main
-      unless @options[:filter]["fact"].empty?
-        describe_f_filter(@options[:filter]["fact"])
-        puts
-      end
-
-      unless @options[:filter]["cf_class"].empty?
-        describe_c_filter(@options[:filter]["cf_class"])
-        puts
-      end
-
-      unless @options[:filter]["compound"].empty?
-        describe_s_filter(@options[:filter]["compound"][0])
-        puts
-      end
-    end
-
-    private
-
-    def get_fact_string(fact, value, oper)
-      "Check if fact '#{fact}' #{oper} '#{value}'"
-    end
-
-    def get_class_string(classname)
-      "Check if class '#{classname}' is present on the host"
-    end
-  end
-end

data/lib/mcollective/matcher.rb

@@ -1,220 +0,0 @@
-module MCollective
-  # A parser and scanner that creates a stack machine for a simple
-  # fact and class matching language used on the CLI to facilitate
-  # a rich discovery language
-  #
-  # Language EBNF
-  #
-  # compound = ["("] expression [")"] {["("] expression [")"]}
-  # expression = [!|not]statement ["and"|"or"] [!|not] statement
-  # char = A-Z | a-z | < | > | => | =< | _ | - |* | / { A-Z | a-z | < | > | => | =< | _ | - | * | / | }
-  # int = 0|1|2|3|4|5|6|7|8|9{|0|1|2|3|4|5|6|7|8|9|0}
-  module Matcher
-    require "mcollective/matcher/parser"
-    require "mcollective/matcher/scanner"
-
-    # Helper creates a hash from a function call string
-    def self.create_function_hash(function_call)
-      func_hash = {}
-      f = ""
-      func_parts = function_call.split(/(!=|>=|<=|<|>|=)/)
-      func_hash["r_compare"] = func_parts.pop
-      func_hash["operator"] = func_parts.pop
-      func = func_parts.join
-
-      # Deal with dots in function parameters and functions without dot values
-      if func =~ /^.+\(.*\)$/
-        f = func
-      else
-        func_parts = func.split(".")
-        func_hash["value"] = func_parts.pop
-        f = func_parts.join(".")
-      end
-
-      # Deal with regular expression matches
-      if func_hash["r_compare"] =~ /^\/.*\/$/
-        func_hash["operator"] = "=~" if func_hash["operator"] == "="
-        func_hash["operator"] = "!=~" if func_hash["operator"] == "!="
-        func_hash["r_compare"] = Regexp.new(func_hash["r_compare"].gsub(/^\/|\/$/, ""))
-      # Convert = operators to == so they can be propperly evaluated
-      elsif func_hash["operator"] == "="
-        func_hash["operator"] = "=="
-      end
-
-      # Grab function name and parameters from left compare string
-      func_hash["name"], func_hash["params"] = f.split("(")
-      if func_hash["params"] == ")"
-        func_hash["params"] = nil
-      else
-
-        # Walk the function parameters from the front and from the
-        # back removing the first and last instances of single of
-        # double qoutes. We do this to handle the case where params
-        # contain escaped qoutes.
-        func_hash["params"] = func_hash["params"].gsub(")", "")
-        func_quotes = func_hash["params"].split(/('|")/)
-
-        func_quotes.each_with_index do |item, i|
-          if item =~ /'|"/
-            func_quotes.delete_at(i)
-            break
-          end
-        end
-
-        func_quotes.reverse.each_with_index do |item, i|
-          if item =~ /'|"/
-            func_quotes.delete_at(func_quotes.size - i - 1)
-            break
-          end
-        end
-
-        func_hash["params"] = func_quotes.join
-      end
-
-      func_hash
-    end
-
-    # Returns the result of an executed function
-    def self.execute_function(function_hash)
-      # In the case where a data plugin isn't present there are two ways we can handle
-      # the raised exception. The function result can either be false or the entire
-      # expression can fail.
-      #
-      # In the case where we return the result as false it opens us op to unexpected
-      # negation behavior.
-      #
-      #   !foo('bar').name = bar
-      #
-      # In this case the user would expect discovery to match on all machines where
-      # the name value of the foo function does not equal bar. If a non existent function
-      # returns false then it is posible to match machines where the name value of the
-      # foo function is bar.
-      #
-      # Instead we raise a DDLValidationError to prevent this unexpected behavior from
-      # happening.
-
-      result = Data.send(function_hash["name"], function_hash["params"])
-
-      if function_hash["value"]
-        begin
-          eval_result = result.send(function_hash["value"])
-        rescue
-          # If data field has not been set we set the comparison result to nil
-          eval_result = nil
-        end
-        eval_result
-      else
-        result
-      end
-    rescue NoMethodError
-      Log.debug("cannot execute discovery function '#{function_hash['name']}'. data plugin not found")
-      raise DDLValidationError
-    end
-
-    # Evaluates a compound statement
-    def self.eval_compound_statement(expression)
-      case expression.values.first
-      when /^\//
-        Util.has_cf_class?(expression.values.first)
-      when />=|<=|=|<|>/
-        optype = expression.values.first.match(/>=|<=|=|<|>/)
-        name, value = expression.values.first.split(optype[0])
-        if value.split("")[0] == "/"
-          optype = "=~"
-        else
-          optype[0] == "=" ? optype = "==" : optype = optype[0]
-        end
-
-        Util.has_fact?(name, value, optype).to_s
-      else
-        Util.has_cf_class?(expression.values.first)
-      end
-    end
-
-    # Returns the result of an evaluated compound statement that
-    # includes a function
-    def self.eval_compound_fstatement(function_hash) # rubocop:disable Metrics/MethodLength
-      l_compare = execute_function(function_hash)
-      r_compare = function_hash["r_compare"]
-      operator = function_hash["operator"]
-
-      # Break out early and return false if the function returns nil
-      return false if l_compare.nil?
-
-      # Prevent unwanted discovery by limiting comparison operators
-      # on Strings and Booleans
-      if (l_compare.is_a?(String) || l_compare.is_a?(TrueClass) || l_compare.is_a?(FalseClass)) && function_hash["operator"].match(/<|>/)
-        Log.debug("Cannot do > and < comparison on Booleans and Strings '#{l_compare} #{function_hash['operator']} #{function_hash['r_compare']}'")
-        return false
-      end
-
-      # Prevent backticks in function parameters
-      if function_hash["params"] =~ /`/
-        Log.debug("Cannot use backticks in function parameters")
-        return false
-      end
-
-      # Do a regex comparison if right compare string is a regex
-      if operator =~ /(=~|!=~)/
-        # Fail if left compare value isn't a string
-        if l_compare.is_a?(String)
-          result = l_compare.match(r_compare)
-          # Flip return value for != operator
-          if function_hash["operator"] == "!=~"
-            !result
-          else
-            !!result
-          end
-        else
-          Log.debug("Cannot do a regex check on a non string value.")
-          false
-        end
-        # Otherwise do a normal comparison while taking the type into account
-      else
-        if l_compare.is_a? String
-          r_compare = r_compare.to_s
-        elsif r_compare.is_a? String
-          case l_compare
-          when Numeric
-            r_compare = r_compare.strip
-            begin
-              r_compare = Integer(r_compare)
-            rescue ArgumentError # rubocop:disable Metrics/BlockNesting
-              begin
-                r_compare = Float(r_compare)
-              rescue ArgumentError # rubocop:disable Metrics/BlockNesting
-                raise(ArgumentError, "invalid numeric value: #{r_compare}")
-              end
-            end
-          when TrueClass, FalseClass
-            r_compare = r_compare.strip
-            if r_compare == true.to_s # rubocop:disable Metrics/BlockNesting
-              r_compare = true
-            elsif r_compare == false.to_s # rubocop:disable Metrics/BlockNesting
-              r_compare = false
-            else
-              raise(ArgumentError, "invalid boolean value: #{r_compare}")
-            end
-          end
-        end
-        operator = operator.strip
-        if operator =~ /(?:(!=|<=|>=|<|>)|==?)/
-          operator = $1 ? $1.to_sym : :==
-        else
-          raise(ArgumentError, "invalid operator: #{operator}")
-        end
-        l_compare.send(operator, r_compare)
-
-      end
-    end
-
-    # Creates a callstack to be evaluated from a compound evaluation string
-    def self.create_compound_callstack(call_string)
-      callstack = Matcher::Parser.new(call_string).execution_stack
-      callstack.each_with_index do |statement, i|
-        callstack[i]["fstatement"] = create_function_hash(statement.values.first) if statement.keys.first == "fstatement"
-      end
-      callstack
-    end
-  end
-end