(* HCoop Domtool (http://hcoop.sourceforge.net/)
- * Copyright (c) 2006, Adam Chlipala
+ * Copyright (c) 2006-2007, Adam Chlipala
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
end
end
-val notTmp = CharVector.all (fn ch => Char.isAlphaNum ch orelse ch = #"." orelse ch = #"_" orelse ch = #"-")
+fun notTmp s =
+ String.sub (s, 0) <> #"."
+ andalso CharVector.all (fn ch => Char.isAlphaNum ch orelse ch = #"." orelse ch = #"_" orelse ch = #"-") s
fun checkDir dname =
let
val self =
"localhost:" ^ Int.toString Config.slavePort
+fun context x =
+ (OpenSSL.context false x)
+ handle e as OpenSSL.OpenSSL s =>
+ (print "Couldn't find your certificate.\nYou probably haven't been given any Domtool privileges.\n";
+ print ("Additional information: " ^ s ^ "\n");
+ raise e)
+
+fun setupUser () =
+ let
+ val user =
+ case Posix.ProcEnv.getenv "DOMTOOL_USER" of
+ NONE =>
+ let
+ val uid = Posix.ProcEnv.getuid ()
+ in
+ Posix.SysDB.Passwd.name (Posix.SysDB.getpwuid uid)
+ end
+ | SOME user => user
+ in
+ Acl.read Config.aclFile;
+ Domain.setUser user;
+ user
+ end
+
fun requestContext f =
let
- val uid = Posix.ProcEnv.getuid ()
- val user = Posix.SysDB.Passwd.name (Posix.SysDB.getpwuid uid)
-
- val () = Acl.read Config.aclFile
- val () = Domain.setUser user
+ val user = setupUser ()
val () = f ()
- val context = OpenSSL.context (Config.certDir ^ "/" ^ user ^ ".pem",
- Config.keyDir ^ "/" ^ user ^ "/key.pem",
- Config.trustStore)
+ val context = context (Config.certDir ^ "/" ^ user ^ ".pem",
+ Config.keyDir ^ "/" ^ user ^ "/key.pem",
+ Config.trustStore)
in
(user, context)
end
fun requestDir dname =
let
+ val _ = if Posix.FileSys.access (dname, []) then
+ ()
+ else
+ (print ("Can't access " ^ dname ^ ".\n");
+ print "Did you mean to run domtool on a specific file, instead of asking for all\n";
+ print "files in your ~/domtool directory?\n";
+ OS.Process.exit OS.Process.failure)
+
val _ = ErrorMsg.reset ()
val (user, bio) = requestBio (fn () => checkDir dname)
OpenSSL.close bio
end
+fun requestRegenTc () =
+ let
+ val (_, bio) = requestBio (fn () => ())
+ in
+ Msg.send (bio, MsgRegenerateTc);
+ case Msg.recv bio of
+ NONE => print "Server closed connection unexpectedly.\n"
+ | SOME m =>
+ case m of
+ MsgOk => print "All configuration validated.\n"
+ | MsgError s => print ("Configuration validation failed: " ^ s ^ "\n")
+ | _ => print "Unexpected server reply.\n";
+ OpenSSL.close bio
+ end
+
fun requestRmdom dom =
let
val (_, bio) = requestBio (fn () => ())
before OpenSSL.close bio
end
+fun requestTrustedPath {node, uname} =
+ let
+ val (user, context) = requestContext (fn () => ())
+ val bio = OpenSSL.connect (context, if node = Config.masterNode then
+ dispatcher
+ else
+ Domain.nodeIp node ^ ":" ^ Int.toString Config.slavePort)
+
+ val _ = Msg.send (bio, MsgQuery (QTrustedPath uname))
+
+ fun loop () =
+ case Msg.recv bio of
+ NONE => (print "Server closed connection unexpectedly.\n";
+ OS.Process.failure)
+ | SOME m =>
+ case m of
+ MsgYes => (print "User has trusted path restriction.\n";
+ OS.Process.success)
+ | MsgNo => (print "User does not have trusted path restriction.\n";
+ OS.Process.failure)
+ | MsgError s => (print ("Trusted path query failed: " ^ s ^ "\n");
+ OS.Process.failure)
+ | _ => (print "Unexpected server reply.\n";
+ OS.Process.failure)
+ in
+ loop ()
+ before OpenSSL.close bio
+ end
+
+fun requestSocketPerm {node, uname} =
+ let
+ val (user, context) = requestContext (fn () => ())
+ val bio = OpenSSL.connect (context, if node = Config.masterNode then
+ dispatcher
+ else
+ Domain.nodeIp node ^ ":" ^ Int.toString Config.slavePort)
+
+ val _ = Msg.send (bio, MsgQuery (QSocket uname))
+
+ fun loop () =
+ case Msg.recv bio of
+ NONE => (print "Server closed connection unexpectedly.\n";
+ OS.Process.failure)
+ | SOME m =>
+ case m of
+ MsgSocket p => (case p of
+ Any => print "Any\n"
+ | Client => print "Client\n"
+ | Server => print "Server\n"
+ | Nada => print "Nada\n";
+ OS.Process.success)
+ | MsgError s => (print ("Socket permission query failed: " ^ s ^ "\n");
+ OS.Process.failure)
+ | _ => (print "Unexpected server reply.\n";
+ OS.Process.failure)
+ in
+ loop ()
+ before OpenSSL.close bio
+ end
+
+fun requestFirewall {node, uname} =
+ let
+ val (user, context) = requestContext (fn () => ())
+ val bio = OpenSSL.connect (context, if node = Config.masterNode then
+ dispatcher
+ else
+ Domain.nodeIp node ^ ":" ^ Int.toString Config.slavePort)
+
+ val _ = Msg.send (bio, MsgQuery (QFirewall uname))
+
+ fun loop () =
+ case Msg.recv bio of
+ NONE => (print "Server closed connection unexpectedly.\n";
+ OS.Process.failure)
+ | SOME m =>
+ case m of
+ MsgFirewall ls => (app (fn s => (print s; print "\n")) ls;
+ OS.Process.success)
+ | MsgError s => (print ("Firewall query failed: " ^ s ^ "\n");
+ OS.Process.failure)
+ | _ => (print "Unexpected server reply.\n";
+ OS.Process.failure)
+ in
+ loop ()
+ before OpenSSL.close bio
+ end
+
fun regenerate context =
let
+ val _ = ErrorMsg.reset ()
+
val b = basis ()
val () = Tycheck.disallowExterns ()
val () = Domain.resetGlobal ()
+ val ok = ref true
+
fun contactNode (node, ip) =
if node = Config.defaultNode then
Domain.resetLocal ()
| _ => print ("Slave " ^ node
^ " returned unexpected command\n");
OpenSSL.close bio
- end
+ end
+ handle OpenSSL.OpenSSL s => print ("OpenSSL error: " ^ s ^ "\n")
fun doUser user =
let
val _ = ErrorMsg.reset ()
val dname = Config.domtoolDir user
+ in
+ if Posix.FileSys.access (dname, []) then
+ let
+ val dir = Posix.FileSys.opendir dname
+
+ fun loop files =
+ case Posix.FileSys.readdir dir of
+ NONE => (Posix.FileSys.closedir dir;
+ files)
+ | SOME fname =>
+ if notTmp fname then
+ loop (OS.Path.joinDirFile {dir = dname,
+ file = fname}
+ :: files)
+ else
+ loop files
- val dir = Posix.FileSys.opendir dname
-
- fun loop files =
- case Posix.FileSys.readdir dir of
- NONE => (Posix.FileSys.closedir dir;
- files)
- | SOME fname =>
- if notTmp fname then
- loop (OS.Path.joinDirFile {dir = dname,
- file = fname}
- :: files)
+ val files = loop []
+ val (_, files) = Order.order (SOME b) files
+ in
+ if !ErrorMsg.anyErrors then
+ (ErrorMsg.reset ();
+ print ("User " ^ user ^ "'s configuration has errors!\n"))
else
- loop files
-
- val files = loop []
- val (_, files) = Order.order (SOME b) files
- in
- if !ErrorMsg.anyErrors then
- print ("User " ^ user ^ "'s configuration has errors!\n")
+ app eval' files
+ end
else
- app eval' files
+ ()
end
- handle IO.Io _ => ()
- | OS.SysErr (s, _) => print ("System error processing user " ^ user ^ ": " ^ s ^ "\n")
- | ErrorMsg.Error => print ("User " ^ user ^ " had a compilation error.\n")
+ handle IO.Io _ => ()
+ | OS.SysErr (s, _) => (print ("System error processing user " ^ user ^ ": " ^ s ^ "\n");
+ ok := false)
+ | ErrorMsg.Error => (ErrorMsg.reset ();
+ print ("User " ^ user ^ " had a compilation error.\n");
+ ok := false)
+ | _ => (print "Unknown exception during regeneration!\n";
+ ok := false)
in
app contactNode Config.nodeIps;
Env.pre ();
app doUser (Acl.users ());
- Env.post ()
+ Env.post ();
+ !ok
+ end
+
+fun regenerateTc context =
+ let
+ val _ = ErrorMsg.reset ()
+
+ val b = basis ()
+ val () = Tycheck.disallowExterns ()
+
+ val () = Domain.resetGlobal ()
+
+ val ok = ref true
+
+ fun doUser user =
+ let
+ val _ = Domain.setUser user
+ val _ = ErrorMsg.reset ()
+
+ val dname = Config.domtoolDir user
+ in
+ if Posix.FileSys.access (dname, []) then
+ let
+ val dir = Posix.FileSys.opendir dname
+
+ fun loop files =
+ case Posix.FileSys.readdir dir of
+ NONE => (Posix.FileSys.closedir dir;
+ files)
+ | SOME fname =>
+ if notTmp fname then
+ loop (OS.Path.joinDirFile {dir = dname,
+ file = fname}
+ :: files)
+ else
+ loop files
+
+ val files = loop []
+ val (_, files) = Order.order (SOME b) files
+ in
+ if !ErrorMsg.anyErrors then
+ (ErrorMsg.reset ();
+ print ("User " ^ user ^ "'s configuration has errors!\n");
+ ok := false)
+ else
+ app (ignore o check) files
+ end
+ else
+ ()
+ end
+ handle IO.Io _ => ()
+ | OS.SysErr (s, _) => print ("System error processing user " ^ user ^ ": " ^ s ^ "\n")
+ | ErrorMsg.Error => (ErrorMsg.reset ();
+ print ("User " ^ user ^ " had a compilation error.\n"))
+ | _ => print "Unknown exception during -tc regeneration!\n"
+ in
+ app doUser (Acl.users ());
+ !ok
end
fun rmuser user =
QApt pkg => if Apt.installed pkg then MsgYes else MsgNo
| QCron user => if Cron.allowed user then MsgYes else MsgNo
| QFtp user => if Ftp.allowed user then MsgYes else MsgNo
+ | QTrustedPath user => if TrustedPath.query user then MsgYes else MsgNo
+ | QSocket user => MsgSocket (SocketPerm.query user)
+ | QFirewall user => MsgFirewall (Firewall.query user)
fun describeQuery q =
case q of
QApt pkg => "Requested installation status of package " ^ pkg
| QCron user => "Asked about cron permissions for user " ^ user
| QFtp user => "Asked about FTP permissions for user " ^ user
+ | QTrustedPath user => "Asked about trusted path settings for user " ^ user
+ | QSocket user => "Asked about socket permissions for user " ^ user
+ | QFirewall user => "Asked about firewall rules for user " ^ user
fun service () =
let
val () = Acl.read Config.aclFile
- val context = OpenSSL.context (Config.serverCert,
- Config.serverKey,
- Config.trustStore)
+ val context = context (Config.serverCert,
+ Config.serverKey,
+ Config.trustStore)
val _ = Domain.set_context context
val sock = OpenSSL.listen (context, Config.dispatcherPort)
(print msgLocal;
print "\n";
Msg.send (bio, MsgOk)))
- handle OpenSSL.OpenSSL _ =>
- print "OpenSSL error\n"
+ handle e as (OpenSSL.OpenSSL s) =>
+ (print ("OpenSSL error: " ^ s ^ "\n");
+ app (fn x => print (x ^ "\n")) (SMLofNJ.exnHistory e);
+ Msg.send (bio, MsgError ("OpenSSL error: " ^ s))
+ handle OpenSSL.OpenSSL _ => ())
| OS.SysErr (s, _) =>
(print "System error: ";
print s;
doIt (fn () =>
if Acl.query {user = user, class = "priv", value = "regen"}
orelse Acl.query {user = user, class = "priv", value = "all"} then
- (regenerate context;
- ("Regenerated all configuration.",
- NONE))
+ (if regenerate context then
+ ("Regenerated all configuration.",
+ NONE)
+ else
+ ("Error regenerating configuration!",
+ SOME "Error regenerating configuration! Consult /var/log/domtool.log."))
else
("Unauthorized user asked to regenerate!",
SOME "Not authorized to regenerate"))
(fn () => ())
+ | MsgRegenerateTc =>
+ doIt (fn () =>
+ if Acl.query {user = user, class = "priv", value = "regen"}
+ orelse Acl.query {user = user, class = "priv", value = "all"} then
+ (if regenerateTc context then
+ ("Checked all configuration.",
+ NONE)
+ else
+ ("Found a compilation error!",
+ SOME "Found a compilation error! Consult /var/log/domtool.log."))
+ else
+ ("Unauthorized user asked to regenerate -tc!",
+ SOME "Not authorized to regenerate -tc"))
+ (fn () => ())
+
| MsgRmuser user' =>
doIt (fn () =>
if Acl.query {user = user, class = "priv", value = "all"} then
in
cmdLoop ()
end
- handle OpenSSL.OpenSSL s =>
+ handle e as (OpenSSL.OpenSSL s) =>
(print ("OpenSSL error: " ^ s ^ "\n");
+ app (fn x => print (x ^ "\n")) (SMLofNJ.exnHistory e);
OpenSSL.close bio
handle OpenSSL.OpenSSL _ => ();
loop ())
OpenSSL.close bio
handle OpenSSL.OpenSSL _ => ();
loop ())
+ | IO.Io {name, function, cause} =>
+ (print ("IO error: " ^ function ^ " for " ^ name ^ "\n");
+ app (fn x => print (x ^ "\n")) (SMLofNJ.exnHistory cause);
+ OpenSSL.close bio
+ handle OpenSSL.OpenSSL _ => ();
+ loop ())
+ | e =>
+ (print "Unknown exception in main loop!\n";
+ app (fn x => print (x ^ "\n")) (SMLofNJ.exnHistory e);
+ OpenSSL.close bio
+ handle OpenSSL.OpenSSL _ => ();
+ loop ())
in
print ("Domtool dispatcher starting up at " ^ now () ^ "\n");
print "Listening for connections....\n";
let
val host = Slave.hostname ()
- val context = OpenSSL.context (Config.certDir ^ "/" ^ host ^ ".pem",
- Config.keyDir ^ "/" ^ host ^ "/key.pem",
- Config.trustStore)
+ val context = context (Config.certDir ^ "/" ^ host ^ ".pem",
+ Config.keyDir ^ "/" ^ host ^ "/key.pem",
+ Config.trustStore)
val sock = OpenSSL.listen (context, Config.slavePort)
OpenSSL.close bio
handle OpenSSL.OpenSSL _ => ();
loop ())
- | OS.SysErr (s, _) =>
- (print ("System error: "^ s ^ "\n");
+ | e as OS.SysErr (s, _) =>
+ (app (fn s => print (s ^ "\n")) (SMLofNJ.exnHistory e);
+ print ("System error: "^ s ^ "\n");
OpenSSL.close bio
handle OpenSSL.OpenSSL _ => ();
loop ())