# vim: set filetype=perl ts=4 sw=4 sts=4 et: package OVH::Bastion; use common::sense; use Config; use Fcntl 'SEEK_CUR'; use IO::Handle; use IO::Select; use IPC::Open3; use JSON; use POSIX ":sys_wait_h"; use Symbol 'gensym'; # Get signal names, i.e. signal 9 is SIGKILL, etc. my %signum2string; @signum2string{split ' ', $Config{sig_num}} = map { "SIG$_" } split ' ', $Config{sig_name}; sub sysret2human { my $sysret = shift; if ($sysret == -1) { return R('OK', msg => "error: failed to execute ($!)"); } elsif ($sysret & 127) { my $signal = $sysret & 127; my $coredump = $sysret & 128; return R( 'OK', value => { coredump => $coredump ? \1 : \0, signal => $signum2string{$signal} || $signal, status => undef, }, msg => sprintf("signal %d (%s)%s", $signal, $signum2string{$signal}, $coredump ? ' and coredump' : '') ); } else { return R('OK', value => {coredump => \0, signal => undef, status => $sysret >> 8}, msg => sprintf("status %d", $sysret >> 8)); } } ## no critic(ControlStructures::ProhibitDeepNests) sub execute { my %params = @_; my $cmd = $params{'cmd'}; # command to execute, must be an array ref (with possible parameters) my $expects_stdin = $params{'expects_stdin'}; # the command called expects stdin, pipe caller stdin to it my $noisy_stdout = $params{'noisy_stdout'}; # capture stdout but print it too my $noisy_stderr = $params{'noisy_stderr'}; # capture stderr but print it too my $is_helper = $params{'is_helper'}; # hide JSON returns from stdout even if noisy_stdout my $is_binary = $params{'is_binary'}; # used for e.g. scp, don't bother mimicking readline(), we lose debug and stdout/stderr are NOT returned to caller my $stdin_str = $params{'stdin_str'}; # string to push to the STDIN of the command my $must_succeed = $params{'must_succeed'}; # if the executed command returns a non-zero exit value, turn OK_NON_ZERO_EXIT to ERR_NON_ZERO_EXIT my $max_stdout_bytes = $params{'max_stdout_bytes'}; # if the amount of stored stdout bytes exceeds this, halt the command and return to caller my $system = $params{'system'}; # if set to 1, will use system() instead of open3(), needed for some plugins $noisy_stderr = $noisy_stdout = 1 if ($ENV{'PLUGIN_DEBUG'} or $is_binary); my $readsize = $is_binary ? 16384 : 1; # XXX needs to be enhanced to be > 1 even for non-binary my $fnret; =cut only to debug slow calls if (not $is_binary) { require Carp; open(SLOW, '>>', '/dev/shm/slowexecute'); print SLOW Carp::longmess(join('^',@$cmd))."\n\n"; close(SLOW); } =cut require Scalar::Util; foreach (@$cmd) { if (Scalar::Util::tainted($_) && /(.+)/) { # to be able to warn under -T; untaint it. we're going to crash right after anyway. require Carp; warn(Carp::longmess("would exec <" . join('^', @$cmd) . "> but param '$1' is tainted!")); } } if ($system) { my $child_exit_status = system(@$cmd); $fnret = sysret2human($child_exit_status); return R( $child_exit_status == 0 ? 'OK' : ($must_succeed ? 'ERR_NON_ZERO_EXIT' : 'OK_NON_ZERO_EXIT'), value => { sysret => $child_exit_status + 0, status => $fnret->value->{'status'}, coredump => $fnret->value->{'coredump'}, signal => $fnret->value->{'signal'}, }, msg => "Command exited with " . sysret2human($child_exit_status)->msg, ); } my ($child_stdin, $child_stdout, $child_stderr); $child_stderr = gensym; osh_debug("about to run_cmd ['" . join("','", @$cmd) . "']"); my $pid; eval { $pid = open3($child_stdin, $child_stdout, $child_stderr, @$cmd); }; if ($@) { chomp $@; return R('ERR_EXEC_FAILED', msg => "Couldn't exec requested command ($@)"); } osh_debug("waiting for child PID $pid to complete..."); my %output = (); my %lineBuffer; my $currentActive = undef; my $currently_in_json_block = 0; my %bytesnb; # maximum number of code_info() to call, to avoid flooding the logs my $infoLimit = 5; # always monitor our child stdout and stderr my $select = IO::Select->new($child_stdout, $child_stderr); binmode $child_stdin; binmode $child_stdout; binmode $child_stderr; # if some fd are closed, binmode may fail eval { binmode STDIN; }; eval { binmode STDOUT; }; eval { binmode STDERR; }; if ($stdin_str) { # we have some stdin data to push, do it now syswrite $child_stdin, $stdin_str; close($child_stdin); } elsif ($expects_stdin) { # ... and also monitor our own stdin only if we expect it (we'll pipe it to our child's stdin) $select->add(\*STDIN); } # then, while we still have fh to monitor while ($select->count() > 1 || ($select->count() == 1 && !$select->exists(\*STDIN))) { # block only for 50ms, before checking if child is dead my @ready = $select->can_read(0.05); # yep, we have something to read on at least one fh if (@ready) { # guarantee we're still reading this fh while it has something to say $currentActive = $ready[0]; my $subSelect = IO::Select->new($currentActive); # can_read(0) because we don't need a timeout: we KNOW there's something to read on this fh while ($subSelect->can_read(0)) { my $buffer; my $nbread = sysread $currentActive, $buffer, $readsize; # if size 0, it means it's an EOF, if undef, it's an error if (not $nbread) { # error, we'll log to syslog and close. as this might be user-induced, use info instead of warn if (not defined $nbread) { # awwww, not cool at all info_syslog("execute(): error while sysreading($!), closing fh!"); } # we got an EOF on this fh, remove it from the monitor list $select->remove($currentActive); # if this is an EOF on our own STDIN, we need to close our child's STDIN if ($currentActive->fileno == STDIN->fileno) { close(STDIN); # we got eof on it, so close it close($child_stdin); # and close our child stdin } else { ; # eof on our child's stdout or stderr, nothing to do } last; } # we got data, is this our child's stderr ? if ($currentActive->fileno == $child_stderr->fileno) { $bytesnb{'stderr'} += $nbread; # syswrite on our own STDERR what we received if ($noisy_stderr) { my $offset = 0; while ($offset < $nbread) { my $written = syswrite STDERR, $buffer, $readsize, $offset; if (not defined $written) { # is the fd still open? (maybe we got a SIGPIPE or a SIGHUP) # don't use tell() here, we use syseek() for unbuffered i/o, # note that if we're at the position "0", it's still true (see doc). my $previousError = $!; if (!sysseek(STDERR, 0, SEEK_CUR)) { info_syslog("execute(): error while syswriting($previousError/$!) on stderr, the filehandle is closed, will no longer attempt to write to it") if $infoLimit-- > 0; $noisy_stderr = 0; } else { # oww, abort writing for this cycle. as this might be user-induced, use info instead of warn info_syslog("execute(): error while syswriting($previousError) on stderr, aborting this cycle") if $infoLimit-- > 0; } last; } $offset += $written; } } # mimic line-based reading (for debug, and also data will be returned to caller) if (not $is_binary) { # if this is a newline, push it to our output array if ($buffer eq $/) { osh_debug("stderr($pid): " . $lineBuffer{'stderr'}) unless $noisy_stderr; # avoid double print push @{$output{'stderr'}}, $lineBuffer{'stderr'}; $lineBuffer{'stderr'} = ''; } # or push it to our temp line buffer else { $lineBuffer{'stderr'} .= $buffer; } } } # we got data, is this our child's stdout ? elsif ($currentActive->fileno == $child_stdout->fileno) { $bytesnb{'stdout'} += $nbread; # syswrite on our own STDOUT what we received if ($noisy_stdout and not $is_helper) { # the "if is_helper" case is handled below per-line my $offset = 0; while ($offset < $nbread) { my $written = syswrite STDOUT, $buffer, $readsize, $offset; if (not defined $written) { # is the fd still open? (maybe we got a SIGPIPE or a SIGHUP) # don't use tell() here, we use syseek() for unbuffered i/o, # note that if we're at the position "0", it's still true (see doc). my $previousError = $!; if (!sysseek(STDOUT, 0, SEEK_CUR)) { info_syslog("execute(): error while syswriting($previousError/$!) on stdout, the filehandle is closed, will no longer attempt to write to it") if $infoLimit-- > 0; $noisy_stdout = 0; } else { # oww, abort writing for this cycle. as this might be user-induced, use info instead of warn. info_syslog("execute(): error while syswriting($previousError) on stdout, aborting this cycle") if $infoLimit-- > 0; } last; } $offset += $written; } } # mimic line-based reading (for debug, and also data will be returned to caller) if (not $is_binary) { if ($buffer eq $/) { osh_debug("stdout($pid): " . $lineBuffer{'stdout'}) unless $noisy_stdout; # avoid double print push @{$output{'stdout'}}, $lineBuffer{'stdout'}; if ($noisy_stdout and $is_helper) { # in that case, we didn't noisy print each char, we wait for $/ # then print it IF this is not the result_from_helper (json) if ($lineBuffer{'stdout'} eq 'JSON_START') { $currently_in_json_block = 1; } if (not $currently_in_json_block) { print $lineBuffer{'stdout'} . $/; } if ($currently_in_json_block and $lineBuffer{'stdout'} eq 'JSON_END') { $currently_in_json_block = 0; } } $lineBuffer{'stdout'} = ''; } else { $lineBuffer{'stdout'} .= $buffer; } } if ($max_stdout_bytes && $bytesnb{'stdout'} >= $max_stdout_bytes) { # caller got enough data, close all our child channels $select->remove($child_stdout); $select->remove($child_stderr); close($child_stdin); close($child_stdout); close($child_stderr); # and also our own STDIN if we're listening for it if ($select->exists(\*STDIN)) { $select->remove(\*STDIN); close(STDIN); } # don't forget to push any pending data to our output buffer push @{$output{'stdout'}}, $lineBuffer{'stdout'}; } } # we got data, is this our stdin ? elsif ($currentActive->fileno == STDIN->fileno) { $bytesnb{'stdin'} += $nbread; # we just write the data to our child's own stdin syswrite $child_stdin, $buffer; } # wow, we got data from an unknown fh ... it's not possible else { # ... but just in case: require Data::Dumper; osh_warn("unknown fh: " . Data::Dumper::Dumper($currentActive) . " with char <$buffer>"); osh_warn(Data::Dumper::Dumper($child_stdout)); osh_warn(Data::Dumper::Dumper($child_stderr)); osh_warn(Data::Dumper::Dumper(\*STDIN)); } } # /guarantee } } # here, all fd went EOF (except maybe STDIN but we don't care) # so we need to waitpid # (might be blocking, but we have nothing to read/write anyway) osh_debug("all fds are EOF, waiting for pid $pid indefinitely"); waitpid($pid, 0); my $child_exit_status = $?; $fnret = sysret2human($child_exit_status); osh_debug("cmd returned with " . $fnret->msg); return R( $fnret->value->{'status'} == 0 ? 'OK' : ($must_succeed ? 'ERR_NON_ZERO_EXIT' : 'OK_NON_ZERO_EXIT'), value => { sysret => $child_exit_status >> 8, sysret_raw => $child_exit_status, stdout => $output{stdout}, stderr => $output{stderr}, bytesnb => \%bytesnb, status => $fnret->value->{'status'}, coredump => $fnret->value->{'coredump'}, signal => $fnret->value->{'signal'}, }, msg => "Command exited with " . sysret2human($child_exit_status)->msg, ); } # This is a simplified version of execute(), only supporting to launch a command, # closing STDIN immediately, and merging STDERR/STDOUT into a global output that can # then be returned to the caller. It removes a lot of complicated locking problems # execute() has to work with at the expense of efficiency. # Most notably, execute() reads STDOUT and STDERR one byte at a time in some cases, # while execute_simple() uses a buffer of 16K instead, which is several orders of # magnitude faster for commands outputting large amounts of data (several megabytes) for example. sub execute_simple { my %params = @_; my $cmd = $params{'cmd'}; # command to execute, must be an array ref (with possible parameters) my $must_succeed = $params{'must_succeed'}; # if the executed command returns a non-zero exit value, turn OK_NON_ZERO_EXIT to ERR_NON_ZERO_EXIT my $fnret; require Scalar::Util; foreach (@$cmd) { if (Scalar::Util::tainted($_) && /(.+)/) { # to be able to warn under -T; untaint it. we're going to crash right after anyway. require Carp; warn(Carp::longmess("would exec <" . join('^', @$cmd) . "> but param '$1' is tainted!")); } } my $child_in; my $child_out = gensym; osh_debug("about to run_cmd_simple ['" . join("','", @$cmd) . "']"); my $pid; eval { $pid = open3($child_in, $child_out, undef, @$cmd); }; if ($@) { chomp $@; return R('ERR_EXEC_FAILED', msg => "Couldn't exec requested command ($@)"); } close($child_in); osh_debug("waiting for child PID $pid to complete..."); my $output; while (1) { my $buffer; my $nbread = read $child_out, $buffer, 16384; if (not defined $nbread) { # oww, abort reading warn("execute_simple(): error while reading from command ($!), aborting"); last; } last if ($nbread == 0); # EOF $output .= $buffer; } close($child_out); osh_debug("all fds are EOF, waiting for pid $pid indefinitely"); waitpid($pid, 0); my $child_exit_status = $?; $fnret = sysret2human($child_exit_status); osh_debug("cmd returned with " . $fnret->msg); return R( $fnret->value->{'status'} == 0 ? 'OK' : ($must_succeed ? 'ERR_NON_ZERO_EXIT' : 'OK_NON_ZERO_EXIT'), value => { sysret => $child_exit_status >> 8, sysret_raw => $child_exit_status, output => $output, status => $fnret->value->{'status'}, coredump => $fnret->value->{'coredump'}, signal => $fnret->value->{'signal'}, }, msg => "Command exited with " . sysret2human($child_exit_status)->msg, ); } sub result_from_helper { my $input = shift; if (ref $input ne 'ARRAY') { $input = [$input]; } my $state = 1; my @json; foreach my $line (@$input) { chomp; if ($state == 1) { if ($line eq 'JSON_START') { # will now capture data @json = (); $state = 2; } } elsif ($state == 2) { if ($line eq 'JSON_END') { # done capturing data, might still see a new JSON_START however $state = 1; } else { # capturing data push @json, $line; } } } if (not @json) { return R('ERR_HELPER_RETURN_EMPTY', msg => "The helper didn't return any data, maybe it crashed, please report to your sysadmin!"); } my $json_decoded; eval { $json_decoded = decode_json(join("\n", @json)); }; if ($@) { return R('ERR_HELPER_RETURN_INVALID', msg => $@); } return R('OK', value => $json_decoded); } sub helper_decapsulate { my $value = shift; return R($value->{'error_code'}, value => $value->{'value'}, msg => $value->{'error_message'}); } sub helper { my %params = @_; my @command = @{$params{'cmd'} || []}; my $expects_stdin = $params{'expects_stdin'}; my $stdin_str = $params{'stdin_str'}; my $fnret = OVH::Bastion::execute(cmd => \@command, noisy_stdout => 1, noisy_stderr => 1, is_helper => 1, expects_stdin => $expects_stdin, stdin_str => $stdin_str); $fnret or return R('ERR_HELPER_FAILED', "something went wrong in helper script (" . $fnret->msg . ")"); $fnret = OVH::Bastion::result_from_helper($fnret->value->{'stdout'}); $fnret or return $fnret; return OVH::Bastion::helper_decapsulate($fnret->value); } 1;