From: Clinton Ebadi Date: Thu, 29 Dec 2011 20:06:50 +0000 (-0500) Subject: Firewall Regen Support X-Git-Tag: release_20120902~5 X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/73b9542320e82ad398689b66bc1938c78cc53be0 Firewall Regen Support * Clean up code slightly (still ugly, I'm no good with SML) * Accept `MsgFirewallRegen' to regenerate firewall on slave * Not tested much, should also generate the firewall elsewhere and copy to `/etc' --- diff --git a/configDefault/firewall.cfg b/configDefault/firewall.cfg index f07ecad..b2d5179 100644 --- a/configDefault/firewall.cfg +++ b/configDefault/firewall.cfg @@ -5,4 +5,6 @@ val firewallRules = "/home/clinton/misc/hcoop/firewall/user.rules" val firewallDir = "/home/clinton/misc/hcoop/firewall/output" val firewallNodes = ["bog"] +val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish firewall" + end diff --git a/configDefault/firewall.csg b/configDefault/firewall.csg index 95bb6bd..af23b1c 100644 --- a/configDefault/firewall.csg +++ b/configDefault/firewall.csg @@ -4,4 +4,6 @@ signature FIREWALL_CONFIG = sig val firewallNodes : string list (* Nodes to firewall *) val firewallDir : string (* Output directory for ferm config *) val firewallRules : string (* Rules file *) + + val reload : string (* Command to reload configuration *) end diff --git a/scripts/domtool-publish b/scripts/domtool-publish index f11bc4c..7518281 100755 --- a/scripts/domtool-publish +++ b/scripts/domtool-publish @@ -78,7 +78,10 @@ case $1 in /bin/cp /var/domtool/waklog.conf /etc/apache2/ /etc/init.d/apache2 reload ;; + firewall) + /etc/init.d/ferm reload + ;; *) - echo "Usage: domtool-publish [apache|bind|courier|exim|mailman|smtplog STRING|users]" + echo "Usage: domtool-publish [apache|bind|courier|exim|mailman|smtplog STRING|users|firewall]" ;; esac diff --git a/src/main.sml b/src/main.sml index 2800cbd..a673fde 100644 --- a/src/main.sml +++ b/src/main.sml 
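Review bot: The new `firewall)` branch in scripts/domtool-publish runs `/etc/init.d/ferm reload` with no check that the include files domtool just wrote into `firewallDir` are well-formed, so a malformed user rule reaches the privileged reload step before anything detects it; since the script is invoked through `/usr/bin/sudo` (per the `reload` value added to firewall.cfg in this commit), this branch is where unprivileged domtool output becomes root-applied firewall policy. A syntax check of the generated configuration before the reload, exiting non-zero on failure, would let the slave's `publishConfig` result carry the failure instead of leaving the outcome to ferm's own error handling. The commit message already notes that generation should move elsewhere and copy into `/etc`; until then the sudoers entry for `domtool-publish firewall` is the only thing bounding what this branch applies.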
@@ -1745,6 +1745,16 @@ fun slave () = ("Requested mysql-fixperms, but execution failed!", SOME "Script execution failed.")) (fn () => ())) + | MsgFirewallRegen => + doIt (fn () => if Acl.query {user = user, class = "priv", value = "all"} andalso List.exists (fn x => x = host) Config.Firewall.firewallNodes then + if (Firewall.generateFirewallConfig (Firewall.parseRules ()) andalso Firewall.publishConfig ()) + then + ("Firewall rules regenerated.", NONE) + else + ("Rules regeneration failed!", SOME "Script execution failed.") + else + ("Not authorized to regenerate firewall.", SOME ("Unauthorized user " ^ user ^ "attempted to regenerated firewall"))) + (fn () => ()) | _ => (OpenSSL.close bio; loop ()) diff --git a/src/msg.sml b/src/msg.sml index a745f5c..ab79885 100644 --- a/src/msg.sml +++ b/src/msg.sml @@ -238,6 +238,7 @@ fun send (bio, m) = OpenSSL.writeString (bio, s)) | MsgReUsers => OpenSSL.writeInt (bio, 41) | MsgVmailChanged => OpenSSL.writeInt (bio, 42) + | MsgFirewallRegen => OpenSSL.writeInt (bio, 43) fun checkIt v = case v of @@ -352,6 +353,7 @@ fun recv bio = | 40 => Option.map MsgDescription (OpenSSL.readString bio) | 41 => SOME MsgReUsers | 42 => SOME MsgVmailChanged + | 43 => SOME MsgFirewallRegen | _ => NONE) end diff --git a/src/msgTypes.sml b/src/msgTypes.sml index 45646a6..a0b7593 100644 --- a/src/msgTypes.sml +++ b/src/msgTypes.sml @@ -128,5 +128,7 @@ datatype msg = (* Rerun all callbacks for cases where the set of users has changed *) | MsgVmailChanged (* Server tells slave that vmail user information has changed *) + | MsgFirewallRegen + (* Regenerate firewall on user machines *) end diff --git a/src/plugins/firewall.sig b/src/plugins/firewall.sig index 94a838a..0bb8611 100644 --- a/src/plugins/firewall.sig +++ b/src/plugins/firewall.sig 
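Review bot: The message logged on the unauthorized path is malformed: `"Unauthorized user " ^ user ^ "attempted to regenerated firewall"` lacks a space before "attempted" and has a verb-form typo, and should read `" attempted to regenerate firewall"`. The single `andalso` condition also folds two different situations into one result: a user holding `priv all` on a host that is not in `Config.Firewall.firewallNodes` is reported and logged as an unauthorized access attempt, which pollutes any alerting keyed on that log line; splitting the check so the node-membership failure returns its own message, e.g. `("This host is not a firewall node.", NONE)`, keeps the audit log meaningful. The enclosing `slave` function and `doIt` begin outside the hunk, so whether `doIt` catches exceptions raised from `Firewall.generateFirewallConfig` (such as a failed `TextIO.openOut`) cannot be confirmed here.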
@@ -1,5 +1,6 @@ (* HCoop Domtool (http://hcoop.sourceforge.net/) * Copyright (c) 2006-2007, Adam Chlipala + * Copyright (c) 2011, Clinton Ebadi * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -16,13 +17,19 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. *) -(* Firewall rule querying *) +(* Firewall rule querying/generation *) signature FIREWALL = sig + type firewall_rules = { server_rules : (string list DataStructures.StringMap.map), + client_rules : (string list DataStructures.StringMap.map)} + val query : string -> string list (* List a user's local firewall rules. *) - val generateFirewallConfig : unit -> unit + val parseRules : unit -> firewall_rules + val generateFirewallConfig : firewall_rules -> bool + + val publishConfig : unit -> bool end diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml index 65c9db1..70c45b5 100644 --- a/src/plugins/firewall.sml +++ b/src/plugins/firewall.sml @@ -23,6 +23,9 @@ structure Firewall :> FIREWALL = struct +type firewall_rules = { server_rules : (string list DataStructures.StringMap.map), + client_rules : (string list DataStructures.StringMap.map)} + structure StringMap = DataStructures.StringMap fun parseRules _ = @@ -84,11 +87,10 @@ fun query uname = end -fun generateFirewallConfig _ = +fun generateFirewallConfig {server_rules, client_rules} = (* rule generation must happen on the node (not really, but I'd rather avoid codifying that uids must be consistent between hosts) *) let - val {server_rules, client_rules} = parseRules () val users_tcp_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_out.conf") val users_tcp_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_in.conf") val users_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users.conf") 
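Review bot: The three entries added to signature FIREWALL carry no contract comment while `query` keeps its `(* List a user's local firewall rules. *)` line, and the `bool` results are exactly what a maintainer needs explained. Suggested: `val parseRules : unit -> firewall_rules (* Read the configured rules file into string-keyed server/client rule maps *)`, `val generateFirewallConfig : firewall_rules -> bool (* Write ferm include files into Config.Firewall.firewallDir; true on success *)`, `val publishConfig : unit -> bool (* Run Config.Firewall.reload; true if the command succeeded *)`. The body of `parseRules` is not in this hunk, so the first comment should be checked against firewall.sml before landing.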
@@ -121,7 +123,11 @@ fun generateFirewallConfig _ = TextIO.closeOut users_conf; TextIO.closeOut users_tcp_out_conf; - TextIO.closeOut users_tcp_in_conf + TextIO.closeOut users_tcp_in_conf; + + true end - + +fun publishConfig _ = + Slave.shell [Config.Firewall.reload] end
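Review bot: `generateFirewallConfig` now ends with an unconditional `true`, so the `bool` it advertises never reports failure: an `IO.Io` raised by `TextIO.openOut` or by the writes propagates as an exception and leaves the three output streams open instead of yielding `false`, and the caller's "Rules regeneration failed!" branch can only be reached through `publishConfig`. Wrapping the write sequence in a `handle IO.Io _ => ...` that closes the streams and returns `false` would make the result meaningful. `publishConfig` is declared `fun publishConfig _ =`; for a `unit -> bool` the idiomatic form is `fun publishConfig () = Slave.shell [Config.Firewall.reload]`, and the signature's `bool` assumes `Slave.shell` returns the command's success, which cannot be verified from this hunk. The function's body begins outside the hunk.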