pacemaker  1.1.24-3850484742
Scalable High-Availability cluster resource manager
cib_secrets.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 SUSE, Attachmate
3  * Author: Dejan Muhamedagic <dejan@suse.de>
4  *
5  * This source code is licensed under the GNU Lesser General Public License
6  * version 2.1 or later (LGPLv2.1+) WITHOUT ANY WARRANTY.
7  */
8 
9 #include <crm_internal.h>
10 
11 #include <unistd.h>
12 #include <stdlib.h>
13 #include <stdio.h>
14 #include <string.h>
15 #include <ctype.h>
16 #include <errno.h>
17 #include <sys/types.h>
18 #include <sys/stat.h>
19 #include <time.h>
20 
21 #include <glib.h>
22 
23 #include <crm/common/util.h>
24 #include <crm/common/cib_secrets.h>
25 
26 static int do_replace_secret_params(const char *rsc_id, GHashTable *params, gboolean from_legacy_dir);
27 static int is_magic_value(char *p);
28 static int check_md5_hash(char *hash, char *value);
29 static void add_secret_params(gpointer key, gpointer value, gpointer user_data);
30 static char *read_local_file(char *local_file);
31 
32 #define MAX_VALUE_LEN 255
33 #define MAGIC "lrm://"
34 
35 static int
36 is_magic_value(char *p)
37 {
38  return !strcmp(p, MAGIC);
39 }
40 
41 static int
42 check_md5_hash(char *hash, char *value)
43 {
44  int rc = FALSE;
45  char *hash2 = NULL;
46 
47  hash2 = crm_md5sum(value);
48  crm_debug("hash: %s, calculated hash: %s", hash, hash2);
49  if (safe_str_eq(hash, hash2)) {
50  rc = TRUE;
51  }
52 
53  free(hash2);
54  return rc;
55 }
56 
57 static char *
58 read_local_file(char *local_file)
59 {
60  FILE *fp = fopen(local_file, "r");
61  char buf[MAX_VALUE_LEN+1];
62  char *p;
63 
64  if (!fp) {
65  if (errno != ENOENT) {
66  crm_perror(LOG_ERR, "cannot open %s" , local_file);
67  }
68  return NULL;
69  }
70 
71  if (!fgets(buf, MAX_VALUE_LEN, fp)) {
72  crm_perror(LOG_ERR, "cannot read %s", local_file);
73  fclose(fp);
74  return NULL;
75  }
76  fclose(fp);
77 
78  /* strip white space */
79  for (p = buf+strlen(buf)-1; p >= buf && isspace(*p); p--)
80  ;
81  *(p+1) = '\0';
82  return strdup(buf);
83 }
84 
85 /*
86  * returns 0 on success or no replacements necessary
87  * returns -1 if replacement failed for whatever reasone
88  */
89 
90 int
91 replace_secret_params(const char *rsc_id, GHashTable *params)
92 {
93  if (do_replace_secret_params(rsc_id, params, FALSE) < 0
94  && do_replace_secret_params(rsc_id, params, TRUE) < 0) {
95  return -1;
96  }
97 
98  return 0;
99 }
100 
101 static int
102 do_replace_secret_params(const char *rsc_id, GHashTable *params,
103  gboolean from_legacy_dir)
104 {
105  char local_file[FILENAME_MAX+1], *start_pname;
106  char hash_file[FILENAME_MAX+1], *hash;
107  GList *secret_params = NULL, *l;
108  char *key, *pvalue, *secret_value;
109  int rc = 0;
110  const char *dir_prefix = NULL;
111 
112  if (params == NULL) {
113  return 0;
114  }
115 
116  if (from_legacy_dir) {
117  dir_prefix = LRM_LEGACY_CIBSECRETS_DIR;
118 
119  } else {
120  dir_prefix = LRM_CIBSECRETS_DIR;
121  }
122 
123  /* secret_params could be cached with the resource;
124  * there are also parameters sent with operations
125  * which cannot be cached
126  */
127  g_hash_table_foreach(params, add_secret_params, &secret_params);
128  if (!secret_params) { /* none found? */
129  return 0;
130  }
131 
132  crm_debug("replace secret parameters for resource %s", rsc_id);
133 
134  if (snprintf(local_file, FILENAME_MAX,
135  "%s/%s/", dir_prefix, rsc_id) > FILENAME_MAX) {
136  crm_err("filename size exceeded for resource %s", rsc_id);
137  return -1;
138  }
139  start_pname = local_file + strlen(local_file);
140 
141  for (l = g_list_first(secret_params); l; l = g_list_next(l)) {
142  key = (char *)(l->data);
143  pvalue = g_hash_table_lookup(params, key);
144  if (!pvalue) { /* this cannot really happen */
145  crm_err("odd, no parameter %s for rsc %s found now", key, rsc_id);
146  continue;
147  }
148 
149  if ((strlen(key) + strlen(local_file)) >= FILENAME_MAX-2) {
150  crm_err("%d: parameter name %s too big", key);
151  rc = -1;
152  continue;
153  }
154 
155  strcpy(start_pname, key);
156  secret_value = read_local_file(local_file);
157  if (!secret_value) {
158  if (from_legacy_dir == FALSE) {
159  crm_debug("secret for rsc %s parameter %s not found in %s. "
160  "will try "LRM_LEGACY_CIBSECRETS_DIR, rsc_id, key, dir_prefix);
161 
162  } else {
163  crm_err("secret for rsc %s parameter %s not found in %s",
164  rsc_id, key, dir_prefix);
165  }
166  rc = -1;
167  continue;
168  }
169 
170  strcpy(hash_file, local_file);
171  if (strlen(hash_file) + 5 > FILENAME_MAX) {
172  crm_err("cannot build such a long name "
173  "for the sign file: %s.sign", hash_file);
174  free(secret_value);
175  rc = -1;
176  continue;
177 
178  } else {
179  strcat(hash_file, ".sign");
180  hash = read_local_file(hash_file);
181  if (hash == NULL) {
182  crm_err("md5 sum for rsc %s parameter %s "
183  "cannot be read from %s", rsc_id, key, hash_file);
184  free(secret_value);
185  rc = -1;
186  continue;
187 
188  } else if (!check_md5_hash(hash, secret_value)) {
189  crm_err("md5 sum for rsc %s parameter %s "
190  "does not match", rsc_id, key);
191  free(secret_value);
192  free(hash);
193  rc = -1;
194  continue;
195  }
196  free(hash);
197  }
198  g_hash_table_replace(params, strdup(key), secret_value);
199  }
200  g_list_free(secret_params);
201  return rc;
202 }
203 
204 static void
205 add_secret_params(gpointer key, gpointer value, gpointer user_data)
206 {
207  GList **lp = (GList **)user_data;
208 
209  if (is_magic_value((char *)value)) {
210  *lp = g_list_append(*lp, (char *)key);
211  }
212 }
#define MAGIC
Definition: cib_secrets.c:33
int replace_secret_params(const char *rsc_id, GHashTable *params)
Definition: cib_secrets.c:91
#define crm_debug(fmt, args...)
Definition: logging.h:279
Utility functions.
#define crm_perror(level, fmt, args...)
Log a system error message.
Definition: logging.h:252
#define crm_err(fmt, args...)
Definition: logging.h:274
#define MAX_VALUE_LEN
Definition: cib_secrets.c:32
char * crm_md5sum(const char *buffer)
Definition: utils.c:1313
#define safe_str_eq(a, b)
Definition: util.h:74