

1 /*
2 * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3 * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
4 * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org>
5 * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
6 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
7 *
8 * Permission to use, copy, modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
11 *
12 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 */
21 #include <sys/socket.h>
22 #include <sys/types.h>
23 #include <sys/queue.h>
24 #include <sys/uio.h>
25 #include <sys/wait.h>
27 #include <arpa/inet.h>
28 #include <netinet/in.h>
30 #include <errno.h>
31 #include <event.h>
32 #include <fcntl.h>
33 #include <pwd.h>
34 #include <signal.h>
35 #include <stdint.h>
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <string.h>
39 #include <syslog.h>
40 #include <unistd.h>
41 #include <imsg.h>
43 #include "client.h"
44 #include "control.h"
45 #include "kamid.h"
46 #include "listener.h"
47 #include "log.h"
48 #include "sandbox.h"
49 #include "table.h"
50 #include "utils.h"
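/* The three processes kamid is made of; start_child() re-execs the last two. */
enum kd_process {
	PROC_MAIN,
	PROC_LISTENER,
	PROC_CLIENTCONN,
};

/* argv[0] of this invocation, re-used by start_child() to re-exec ourselves. */
const char	*saved_argv0;
/* -d (stay in foreground, log to stderr) and -n (only check the config). */
static int	 debug, nflag;
/* -v, forwarded to the children. */
int		 verbose;

__dead void	usage(void);

void		main_sig_handler(int, short, void *);
void		main_dispatch_listener(int, short, void *);
int		main_reload(void);
int		main_imsg_send_config(struct kd_conf *);
__dead void	main_shutdown(void);

static pid_t	start_child(enum kd_process, int, int, int);

/* Running configuration, replaced through main_reload()/merge_config(). */
struct kd_conf		*main_conf;
/* imsg channel to the listener process; NULL until main() sets it up. */
static struct imsgev	*iev_listener;
/* Path given with -f, defaults to KD_CONF_FILE. */
const char		*conffile;
pid_t			 listener_pid;
uint32_t		 cmd_opts;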
/*
 * Print the command line synopsis to stderr and exit with status 1.
 * Reached on an unknown option or a stray argument.
 */
__dead void
usage(void)
{
	const char *prog = getprogname();

	fprintf(stderr, "usage: %s [-dnv] [-f file] [-s socket]\n", prog);
	exit(1);
}
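/*
 * Entry point of the privileged parent process.
 *
 * Parses the command line, loads the configuration, goes into the
 * background unless -d was given, forks the listener child and then
 * runs the libevent loop until a signal handler or a dead listener
 * pipe stops it.  When started with -Tc or -Tl (which is how
 * start_child() re-execs us) the invocation becomes the clientconn or
 * listener process instead.
 *
 * Exits 1 on a usage error or a configuration that does not parse and
 * 0 after a successful -n check; otherwise it only ends through
 * main_shutdown().
 */
int
main(int argc, char **argv)
{
	struct event ev_sigint, ev_sigterm, ev_sighup;
	int ch;
	int listener_flag = 0, client_flag = 0;
	int pipe_main2listener[2];
	int control_fd;
	const char *csock;

	conffile = KD_CONF_FILE;
	csock = KD_SOCKET;

	log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
	log_setverbose(1);

	saved_argv0 = argv[0];
	if (saved_argv0 == NULL)
		saved_argv0 = "kamid";

	/* -s takes the control socket path as argument, hence "s:". */
	while ((ch = getopt(argc, argv, "D:df:ns:T:v")) != -1) {
		switch (ch) {
		case 'D':
			if (cmdline_symset(optarg) == -1)
				log_warnx("could not parse macro definition %s",
				    optarg);
			break;
		case 'd':
			debug = 1;
			break;
		case 'f':
			conffile = optarg;
			break;
		case 'n':
			nflag = 1;
			break;
		case 's':
			csock = optarg;
			break;
		case 'T':
			switch (*optarg) {
			case 'c':
				client_flag = 1;
				break;
			case 'l':
				listener_flag = 1;
				break;
			default:
				fatalx("invalid process spec %c", *optarg);
			}
			break;
		case 'v':
			verbose = 1;
			break;
		default:
			usage();
		}
	}

	argc -= optind;
	argv += optind;
	if (argc > 0 || (listener_flag && client_flag))
		usage();

	/*
	 * -T turns this invocation into one of the children.  Both entry
	 * points are expected not to return (they run their own event
	 * loop and exit) -- the privileged setup below must never run in
	 * a child; confirm against client.c/listener.c.
	 */
	if (client_flag)
		client(debug, verbose);
	else if (listener_flag)
		listener(debug, verbose);

	if ((main_conf = parse_config(conffile)) == NULL)
		exit(1);

	if (nflag) {
		fprintf(stderr, "configuration OK\n");
		exit(0);
	}

	/* Check for root privileges. */
	if (geteuid())
		fatalx("need root privileges");

	/* Check for assigned daemon user. */
	if (getpwnam(KD_USER) == NULL)
		fatalx("unknown user %s", KD_USER);

	log_init(debug, LOG_DAEMON);
	log_setverbose(verbose);

	/* A failed daemon(3) would leave us attached to the terminal. */
	if (!debug && daemon(1, 0) == -1)
		fatal("daemon");

	log_info("startup");

	/* [1] goes to the listener child, [0] stays here as iev_listener. */
	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK,
	    PF_UNSPEC, pipe_main2listener) == -1)
		fatal("main2listener socketpair");

	/* Start children. */
	listener_pid = start_child(PROC_LISTENER, pipe_main2listener[1],
	    debug, verbose);

	log_procinit("main");

	event_init();

	/* Setup signal handler */
	signal_set(&ev_sigint, SIGINT, main_sig_handler, NULL);
	signal_set(&ev_sigterm, SIGTERM, main_sig_handler, NULL);
	signal_set(&ev_sighup, SIGHUP, main_sig_handler, NULL);

	signal_add(&ev_sigint, NULL);
	signal_add(&ev_sigterm, NULL);
	signal_add(&ev_sighup, NULL);

	signal(SIGCHLD, SIG_IGN);
	signal(SIGPIPE, SIG_IGN);

	if ((iev_listener = malloc(sizeof(*iev_listener))) == NULL)
		fatal(NULL);
	imsg_init(&iev_listener->ibuf, pipe_main2listener[0]);
	iev_listener->handler = main_dispatch_listener;

	/* Setup event handlers for pipes to listener. */
	iev_listener->events = EV_READ;
	event_set(&iev_listener->ev, iev_listener->ibuf.fd,
	    iev_listener->events, iev_listener->handler, iev_listener);
	event_add(&iev_listener->ev, NULL);

	if ((control_fd = control_init(csock)) == -1)
		fatalx("control socket setup failed");

	/*
	 * The listener cannot serve anything without the control socket
	 * and the configuration, so failing to queue them is fatal here
	 * rather than a silent startup into a non-working state.
	 */
	if (main_imsg_compose_listener(IMSG_CONTROLFD, control_fd, 0,
	    NULL, 0) == -1)
		fatalx("cannot pass control socket to listener");
	if (main_imsg_send_config(main_conf) == -1)
		fatalx("cannot send configuration to listener");

	sandbox_main();

	event_dispatch();

	main_shutdown();
	return 0;
}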
/*
 * libevent signal callback for SIGINT, SIGTERM and SIGHUP.
 *
 * libevent delivers the signal from its event loop, not from signal
 * context, so real work is allowed here: INT and TERM tear the daemon
 * down, HUP reloads the configuration.  Any other signal cannot happen
 * with the registrations done in main() and is treated as a bug.
 */
void
main_sig_handler(int sig, short event, void *arg)
{
	if (sig == SIGTERM || sig == SIGINT) {
		main_shutdown();
		return;
	}

	if (sig == SIGHUP) {
		if (main_reload() == -1)
			log_warnx("configuration reload failed");
		else
			log_debug("configuration reloaded");
		return;
	}

	fatalx("unexpected signal %d", sig);
}
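/*
 * Find the listener configuration whose id matches `id' (the listen_id
 * a child puts into its requests), or NULL if no configured listener
 * has that id.  Walks main_conf->listen_head, so main_conf must be
 * loaded.
 */
static struct kd_listen_conf *
listen_conf_by_id(uint32_t id)
{
	struct kd_listen_conf *listen;

	STAILQ_FOREACH(listen, &main_conf->listen_head, entry) {
		if (listen->id == id)
			return listen;
	}

	return NULL;
}

/* Auth table of listener `id'; NULL if the id is unknown or unset. */
static inline struct table *
auth_table_by_id(uint32_t id)
{
	struct kd_listen_conf *listen = listen_conf_by_id(id);

	return listen != NULL ? listen->auth_table : NULL;
}

/* Virtual-user table of listener `id'; NULL if the id is unknown or unset. */
static inline struct table *
virtual_table_by_id(uint32_t id)
{
	struct kd_listen_conf *listen = listen_conf_by_id(id);

	return listen != NULL ? listen->virtual_table : NULL;
}

/* Userdata table of listener `id'; NULL if the id is unknown or unset. */
static inline struct table *
userdata_table_by_id(uint32_t id)
{
	struct kd_listen_conf *listen = listen_conf_by_id(id);

	return listen != NULL ? listen->userdata_table : NULL;
}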
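/*
 * Handle an IMSG_AUTH_TLS request from the listener: a client presented
 * a TLS certificate whose hash is in the message and the listener asks
 * which local user, and which home directory, it maps to.
 *
 * Resolution is driven by the tables of the listener the request came
 * in on:
 *   1. auth table      hash -> username            (required)
 *   2. virtual table   username -> local user      (optional remap)
 *   3. userdata table  username -> home directory  (optional); without
 *      one the home is taken from getpwnam(3) of the local user.
 *
 * On success a clientconn child is forked with one end of a socketpair
 * and the listener receives the other end in IMSG_AUTH, followed by the
 * home directory in IMSG_AUTH_DIR.  On any lookup failure the listener
 * receives an IMSG_AUTH carrying fd -1 and no payload, i.e. a denial.
 *
 * A malformed request (wrong size, unterminated hash, unknown listener
 * id) can only originate from the listener process itself, so it is
 * treated as a fatal protocol violation rather than a client error.
 */
static inline void
do_auth_tls(struct imsg *imsg)
{
	char *username = NULL, *user = NULL, *home = NULL, *local_user;
	struct passwd *pw;
	struct table *auth, *virt, *userdata;
	struct kd_auth_req kauth;
	int p[2], free_home = 1;

	if (sizeof(kauth) != IMSG_DATA_SIZE(*imsg))
		fatalx("wrong size for IMSG_AUTH_TLS: "
		    "got %zu; want %zu", (size_t)IMSG_DATA_SIZE(*imsg),
		    sizeof(kauth));
	memcpy(&kauth, imsg->data, sizeof(kauth));

	/*
	 * kauth.hash is used as a C string below (logging, table lookup),
	 * so reject it unless a NUL terminator lies inside the array.
	 */
	if (memchr(kauth.hash, '\0', sizeof(kauth.hash)) == NULL)
		fatalx("non NUL-terminated hash received");

	log_debug("tls id=%u hash=%s", kauth.listen_id, kauth.hash);

	if ((auth = auth_table_by_id(kauth.listen_id)) == NULL)
		fatalx("request for invalid listener id %u", kauth.listen_id);

	virt = virtual_table_by_id(kauth.listen_id);
	userdata = userdata_table_by_id(kauth.listen_id);

	if (table_lookup(auth, kauth.hash, &username) == -1) {
		log_warnx("login failed for hash %s", kauth.hash);
		goto err;
	}

	if (virt != NULL && table_lookup(virt, username, &user) == -1) {
		log_warnx("virtual lookup failed for user %s", username);
		goto err;
	}

	/* the local user */
	local_user = user != NULL ? user : username;

	if (user != NULL)
		log_debug("virtual user %s matched local user %s",
		    username, user);
	else
		log_debug("matched local user %s", username);

	if (userdata != NULL) {
		if (table_lookup(userdata, username, &home) == -1) {
			log_warnx("userdata lookup failed for user %s",
			    username);
			goto err;
		}
	} else {
		if ((pw = getpwnam(local_user)) == NULL) {
			log_warnx("getpwnam(%s) failed", local_user);
			goto err;
		}
		/* pw_dir lives in getpwnam's static storage: not ours to free. */
		free_home = 0;
		home = pw->pw_dir;
	}

	if (user != NULL)
		log_debug("matched home %s for virtual user %s",
		    home, username);
	else
		log_debug("matched home %s for local user %s",
		    home, username);

	if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
	    PF_UNSPEC, p) == -1)
		fatal("socketpair");

	/* The parent side of start_child() closes p[1] for us. */
	start_child(PROC_CLIENTCONN, p[1], debug, verbose);

	/*
	 * p[0] is handed to the listener; the imsg layer closes it once
	 * the message is written (verify against imsg_compose_event()).
	 * datalen is a uint16_t -- assumes user names and home paths stay
	 * far below 64 KiB, which the tables presumably guarantee.
	 */
	main_imsg_compose_listener(IMSG_AUTH, p[0], imsg->hdr.peerid,
	    local_user, strlen(local_user)+1);
	main_imsg_compose_listener(IMSG_AUTH_DIR, -1, imsg->hdr.peerid,
	    home, strlen(home)+1);

	free(username);
	free(user);
	if (free_home)
		free(home);
	return;

err:
	free(username);
	free(user);
	if (free_home)
		free(home);
	/* fd -1 and no payload tells the listener the login was refused. */
	main_imsg_compose_listener(IMSG_AUTH, -1, imsg->hdr.peerid,
	    NULL, 0);
}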
/*
 * libevent callback for the imsg pipe to the listener process.
 *
 * Reads what is available, flushes pending writes, then hands every
 * complete message to its handler -- only IMSG_AUTH_TLS is understood
 * here, anything else is logged and dropped.  Once the peer has closed
 * the pipe the event is removed and the loop is told to exit, which
 * lets main() fall through to main_shutdown().
 */
void
main_dispatch_listener(int fd, short event, void *d)
{
	struct imsgev *iev = d;
	struct imsgbuf *ibuf = &iev->ibuf;
	struct imsg imsg;
	ssize_t n;
	int shut = 0;

	if (event & EV_READ) {
		n = imsg_read(ibuf);
		if (n == -1 && errno != EAGAIN)
			fatal("imsg_read error");
		if (n == 0) /* Connection closed. */
			shut = 1;
	}
	if (event & EV_WRITE) {
		n = msgbuf_write(&ibuf->w);
		if (n == -1 && errno != EAGAIN)
			fatal("msgbuf_write");
		if (n == 0) /* Connection closed. */
			shut = 1;
	}

	while ((n = imsg_get(ibuf, &imsg)) != 0) {
		if (n == -1)
			fatal("imsg_get");

		if (imsg.hdr.type == IMSG_AUTH_TLS)
			do_auth_tls(&imsg);
		else
			log_debug("%s: error handling imsg %d", __func__,
			    imsg.hdr.type);

		imsg_free(&imsg);
	}

	if (shut) {
		/* This pipe is dead. Remove its event handler. */
		event_del(&iev->ev);
		event_loopexit(NULL);
	} else
		imsg_event_add(iev);
}
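/*
 * Re-read conffile and push the new configuration to the listener.
 *
 * Returns 0 on success.  Returns -1 when the file does not parse or the
 * listener could not be sent the new config; in that case the running
 * configuration stays in place and the freshly parsed one is released
 * instead of being leaked.  Note that a send failure part-way through
 * leaves the listener with an incomplete IMSG_RECONF_* sequence.
 */
int
main_reload(void)
{
	struct kd_conf *xconf;

	if ((xconf = parse_config(conffile)) == NULL)
		return -1;

	if (main_imsg_send_config(xconf) == -1) {
		config_clear(xconf);
		return -1;
	}

	/* merge_config() takes ownership of xconf. */
	merge_config(main_conf, xconf);

	return 0;
}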
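/*
 * Create, bind and start listening on the IPv4 TCP socket for listener
 * `l', bound to INADDR_ANY on l->port.
 *
 * NOTE(review): l->iface only appears in the error messages; the bind
 * itself ignores it and always exposes the port on every interface.
 * If the configuration is meant to pin a listener to one address this
 * is where it would have to be honoured -- confirm against parse.y.
 * Only AF_INET is set up, so there is no IPv6 listener.
 *
 * SO_REUSEADDR/SO_REUSEPORT let a reload bind a new socket for a port
 * the listener still holds open.  Every failure is fatal.  The returned
 * descriptor belongs to the caller, who passes it on to the listener.
 */
static inline int
make_socket_for(struct kd_listen_conf *l)
{
	enum { LISTEN_BACKLOG = 16 };
	struct sockaddr_in addr4;
	int fd, v;

	memset(&addr4, 0, sizeof(addr4));
	addr4.sin_family = AF_INET;
	addr4.sin_port = htons(l->port);
	addr4.sin_addr.s_addr = INADDR_ANY;

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		fatal("socket");

	v = 1;
	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &v, sizeof(v)) == -1)
		fatal("setsockopt(SO_REUSEADDR)");

	v = 1;
	if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &v, sizeof(v)) == -1)
		fatal("setsockopt(SO_REUSEPORT)");

	/* bind(2) takes a socklen_t, not a size_t. */
	if (bind(fd, (struct sockaddr *)&addr4, (socklen_t)sizeof(addr4)) == -1)
		fatal("bind(%s, %d)", l->iface, l->port);

	if (listen(fd, LISTEN_BACKLOG) == -1)
		fatal("listen(%s, %d)", l->iface, l->port);

	return fd;
}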
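/*
 * Queue one IMSG_RECONF_* message for the listener with peerid 0.
 * Returns what main_imsg_compose_listener() returns (-1 on failure).
 * Replaces the former SEND() macro, which hid a `return -1' inside it.
 */
static int
send_reconf(int type, int fd, const void *data, uint16_t len)
{
	return main_imsg_compose_listener(type, fd, 0, data, len);
}

/*
 * Send the whole configuration `xconf' to the listener as a sequence of
 * IMSG_RECONF_* messages terminated by IMSG_RECONF_END.
 *
 * For every listener a bound, listening socket is created here, in the
 * privileged process, and travels along with its IMSG_RECONF_LISTEN.
 * The PKI certificate and private key bytes are shipped verbatim: the
 * listener terminates TLS and therefore has to hold the key material.
 * NOTE(review): the imsg payload length is a uint16_t, so a cert/key
 * blob or a struct larger than ~64 KiB cannot be sent this way --
 * confirm how parse.y bounds certlen/keylen.
 *
 * Returns 0 on success, -1 as soon as a message cannot be queued; the
 * listener is then left with a partial update (no IMSG_RECONF_END).
 */
int
main_imsg_send_config(struct kd_conf *xconf)
{
	struct kd_pki_conf *pki;
	struct kd_listen_conf *listen;
	int fd;

	/* Send fixed part of config to children. */
	if (send_reconf(IMSG_RECONF_CONF, -1, xconf, sizeof(*xconf)) == -1)
		return -1;

	STAILQ_FOREACH(pki, &xconf->pki_head, entry) {
		log_debug("sending pki %s", pki->name);
		if (send_reconf(IMSG_RECONF_PKI, -1, pki->name,
		    sizeof(pki->name)) == -1)
			return -1;
		if (send_reconf(IMSG_RECONF_PKI_CERT, -1, pki->cert,
		    pki->certlen) == -1)
			return -1;
		if (send_reconf(IMSG_RECONF_PKI_KEY, -1, pki->key,
		    pki->keylen) == -1)
			return -1;
	}

	STAILQ_FOREACH(listen, &xconf->listen_head, entry) {
		log_debug("sending listen on port %d", listen->port);
		fd = make_socket_for(listen);
		if (send_reconf(IMSG_RECONF_LISTEN, fd, listen,
		    sizeof(*listen)) == -1) {
			/*
			 * The message was never queued, so the fd was not
			 * attached to an imsg buffer and is still ours.
			 */
			close(fd);
			return -1;
		}
	}

	if (send_reconf(IMSG_RECONF_END, -1, NULL, 0) == -1)
		return -1;
	return 0;
}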
/*
 * Fold the freshly parsed `xconf' into the running `conf'.
 *
 * Still a stub: nothing is merged yet, xconf is simply released.
 * Ownership of xconf passes to this function either way.
 */
void
merge_config(struct kd_conf *conf, struct kd_conf *xconf)
{
	(void)conf;	/* nothing merged yet */
	free(xconf);
}
/*
 * Allocate a zeroed struct kd_conf.  Dies if the allocation fails.
 * The caller owns the result; see config_clear().
 */
struct kd_conf *
config_new_empty(void)
{
	struct kd_conf *xconf = calloc(1, sizeof(*xconf));

	if (xconf == NULL)
		fatal(NULL);

	/* set default values */

	return xconf;
}
/*
 * Release `conf': merge an empty configuration into it, then free the
 * struct itself.  With merge_config() still a stub this only frees the
 * two structs; once merging is implemented it will tear the entries
 * down the same way a reload does.
 */
void
config_clear(struct kd_conf *conf)
{
	/* Merge current config with an empty one. */
	merge_config(conf, config_new_empty());
	free(conf);
}
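/*
 * Tear the daemon down: release the configuration, close the pipe to
 * the listener so it sees EOF, wait for the children, free the listener
 * imsg state and exit 0.
 *
 * NOTE(review): main() sets SIGCHLD to SIG_IGN; POSIX allows the kernel
 * to reap children automatically in that case, so wait(2) may fail with
 * ECHILD right away and the "terminated; signal" warnings below would
 * never be produced -- confirm whether that is intended.
 */
__dead void
main_shutdown(void)
{
	pid_t pid;
	int status;

	config_clear(main_conf);

	/* Close the pipe so the listener notices we are going away. */
	if (iev_listener != NULL) {
		msgbuf_clear(&iev_listener->ibuf.w);
		close(iev_listener->ibuf.fd);
	}

	log_debug("waiting for children to terminate");
	do {
		pid = wait(&status);
		if (pid == -1) {
			if (errno != EINTR && errno != ECHILD)
				fatal("wait");
		} else if (WIFSIGNALED(status))
			log_warnx("%s terminated; signal %d",
			    (pid == listener_pid) ? "listener" : "clientconn",
			    WTERMSIG(status));
	} while (pid != -1 || errno == EINTR);

	free(iev_listener);

	log_info("terminating");
	exit(0);
}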
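/*
 * Fork and re-exec ourselves as child process `p' (listener or
 * clientconn) with `fd' installed as descriptor 3 -- the imsg channel
 * back to the parent -- and -d/-v forwarded as given.
 *
 * In the parent the original `fd' is closed (the child owns it now)
 * and the child's pid is returned.  The child never returns: it execs
 * saved_argv0 with -Tl/-Tc, or dies trying.
 *
 * NOTE(review): the re-exec uses execvp(3) on argv[0] as it was given
 * on the command line, so a kamid started without a path component is
 * looked up again through PATH.  Starting it by absolute path removes
 * that dependency on the environment.
 */
static pid_t
start_child(enum kd_process p, int fd, int debug, int verbose)
{
	const char *argv[5];	/* argv0, -Tx, [-d], [-v], NULL */
	int argc = 0;
	pid_t pid;

	switch (pid = fork()) {
	case -1:
		fatal("cannot fork");
		/* NOTREACHED */
	case 0:
		break;
	default:
		close(fd);
		return pid;
	}

	/*
	 * The child expects the imsg socket on fd 3.  dup2() produces a
	 * descriptor without FD_CLOEXEC; when fd already is 3 the flag
	 * (set by SOCK_CLOEXEC at socketpair time) must be cleared by
	 * hand, or execvp() would close the channel.  fcntl(2) takes the
	 * descriptor first -- the old call passed F_SETFD as the fd.
	 */
	if (fd != 3) {
		if (dup2(fd, 3) == -1)
			fatal("cannot setup imsg fd");
	} else if (fcntl(fd, F_SETFD, 0) == -1)
		fatal("cannot setup imsg fd");

	argv[argc++] = saved_argv0;
	switch (p) {
	case PROC_MAIN:
		fatalx("Can not start main process");
		/* NOTREACHED */
	case PROC_LISTENER:
		argv[argc++] = "-Tl";
		break;
	case PROC_CLIENTCONN:
		argv[argc++] = "-Tc";
		break;
	}
	if (debug)
		argv[argc++] = "-d";
	if (verbose)
		argv[argc++] = "-v";
	argv[argc++] = NULL;

	execvp(saved_argv0, (char *const *)argv);
	fatal("execvp");
}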
/*
 * Queue message `type' with payload `data'/`datalen' (and `fd', or -1
 * for none) for the listener process, tagged with `peerid'.
 * Returns the result of imsg_compose_event(), or -1 when the listener
 * channel has not been set up yet.
 */
int
main_imsg_compose_listener(int type, int fd, uint32_t peerid,
    const void *data, uint16_t datalen)
{
	if (iev_listener == NULL)
		return -1;

	return imsg_compose_event(iev_listener, type, peerid, 0, fd,
	    data, datalen);
}