File: //proc/self/root/usr/sbin/cl-link-to-cln
#!/usr/libexec/platform-python
import sys
import os
import stat
import optparse
import json
import time
from pyexpat import ExpatError
sys.path.append("/usr/share/rhn/")
from up2date_client import rhnserver
from up2date_client import up2dateAuth
from up2date_client import up2dateErrors
from up2date_client import rhnreg
def print_error_and_exit(error):
print(json.dumps({'result': error,
'timestamp': time.time()}))
sys.exit(-1)
def _read_token_file(path):
"""Read the linking token from a root-owned, mode-0600 regular file without
following symlinks, so the secret is never placed on the command line.
Opens with O_NOFOLLOW|O_CLOEXEC|O_NONBLOCK and validates the OPENED
descriptor with fstat (no lstat-then-open TOCTOU): the path must be a
regular file owned by root (or the current effective user) and not
accessible by group/other. O_NONBLOCK keeps a planted FIFO/device from
blocking the open forever (the open returns immediately and fstat then
rejects the non-regular file); it has no effect on a regular-file read.
Mirrors the O_NOFOLLOW credential-handling pattern used elsewhere in the
tree (e.g. up2date_client/up2dateLog.py)."""
try:
fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC | os.O_NONBLOCK)
except OSError as e:
print_error_and_exit("Unable to read --linking-token-file %s: %s" % (path, e))
try:
st = os.fstat(fd)
if not stat.S_ISREG(st.st_mode):
print_error_and_exit("--linking-token-file %s must be a regular file" % path)
if st.st_uid not in (0, os.geteuid()):
print_error_and_exit("--linking-token-file %s must be owned by root" % path)
if st.st_mode & 0o077:
print_error_and_exit("--linking-token-file %s must not be accessible by "
"group or others (chmod 600)" % path)
chunks = []
while True:
chunk = os.read(fd, 65536)
if not chunk:
break
chunks.append(chunk)
finally:
os.close(fd)
return b"".join(chunks).decode("utf-8").strip()
def _resolve_token(options):
"""Return the linking token from whichever channel was requested. The
secure channels (--linking-token-file, --linking-token-stdin) keep the
secret off argv; the legacy value-bearing --linking-token still works but
warns, because it exposes the token via /proc/<pid>/cmdline and process
listings (CWE-214). The caller guarantees at most one channel was given.
The deprecation warning is emitted only when stderr is a TTY (an
interactive operator). When stderr is redirected/piped -- e.g. an
automation wrapper that captures the stream and folds it into the parsed
stdout on error paths -- the warning is suppressed so it cannot corrupt the
JSON result the caller reads."""
if options.token_file:
return _read_token_file(options.token_file)
if options.token_stdin:
return sys.stdin.read().strip()
if sys.stderr.isatty():
sys.stderr.write(
"cl-link-to-cln: warning: --linking-token exposes the token via "
"/proc/<pid>/cmdline and process listings; use --linking-token-file "
"or --linking-token-stdin instead.\n")
return options.token
def main():
parser = optparse.OptionParser()
parser.add_option('-t', '--linking-token', dest='token',
help='Token to link the server. DEPRECATED: the token is '
'visible in /proc/<pid>/cmdline and process listings '
'while this runs; prefer --linking-token-file or '
'--linking-token-stdin.')
parser.add_option('--linking-token-file', dest='token_file', metavar='PATH',
help='Read the linking token from a root-owned, mode-0600 '
'file instead of the command line (not exposed on argv).')
parser.add_option('--linking-token-stdin', dest='token_stdin',
action='store_true', default=False,
help='Read the linking token from standard input instead of '
'the command line (not exposed on argv).')
parser.add_option('-s', '--linking-status', dest='status', action='store_true', help='Show if status linked or not')
options, args = parser.parse_args()
n_token_sources = sum(1 for src in (options.token, options.token_file,
options.token_stdin) if src)
if n_token_sources and options.status:
print_error_and_exit("Invalid usage, --linking-status and a linking token could not "
"be specified simultaneously")
if n_token_sources > 1:
print_error_and_exit("Invalid usage, specify only one of --linking-token, "
"--linking-token-file or --linking-token-stdin")
if not n_token_sources and not options.status:
print_error_and_exit("Invalid usage, a linking token (--linking-token-file, "
"--linking-token-stdin or --linking-token) or "
"--linking-status must be specified")
system_id_xml = up2dateAuth.getSystemId()
if not system_id_xml:
print_error_and_exit('Unable to read system id, please ensure your server is registered in CLN')
if n_token_sources:
token = _resolve_token(options)
if not token:
print_error_and_exit("Invalid usage, the linking token is empty")
link_server(system_id_xml, token)
print(json.dumps({'result': 'success', 'timestamp': time.time()}))
elif options.status:
linked_info = get_linked_info(system_id_xml)
print(json.dumps({'result': 'success', 'timestamp': time.time(),
'linked': linked_info['linked'],
'linkable': linked_info['linkable']}))
else:
print_error_and_exit('Invalid usage, only supported options are: '
'--linking-status or a linking token')
def link_server(system_id, token):
s = rhnserver.RhnServer()
try:
s.up2date.link_server(system_id, token)
except ExpatError as e:
# CLN returns empty response when success
if 'no element found' not in e.message:
raise
rhnreg.getAndWriteJWTTokenToFile(system_id)
def get_linked_info(system_id):
s = rhnserver.RhnServer()
return {'linked': s.up2date.is_server_linked(system_id),
'linkable': s.up2date.is_server_linkable(system_id)}
if __name__ == "__main__":
try:
main()
except up2dateErrors.UnknownMethodException as e:
print_error_and_exit('CLN does not support method for linking server. %s \n'
'Contact CloudLinux support in case you need help: '
'https://cloudlinux.zendesk.com/' % str(e))
except up2dateErrors.RhnServerException as e:
print_error_and_exit('Server exception, reason: %s \n'
'Contact CloudLinux support in case you need help: '
'https://cloudlinux.zendesk.com/' % str(e))
except Exception as e:
print_error_and_exit('Failed with common exception: %s \n'
'Contact CloudLinux support in case you need help: '
'https://cloudlinux.zendesk.com/' % str(e))