Merge pull request #238 from MalloZup/hawk-invoke-sle15

Hawk invoke sle15

Makefile

@@ -54,12 +54,8 @@ all: scripts/hawk.$(INIT_STYLE) scripts/hawk.service scripts/hawk-backend.servic
 tools/hawk_chkpwd: tools/hawk_chkpwd.c tools/common.h
 	gcc -fpie -pie $(CFLAGS) -o $@ $< -lpam
 
-# TODO(must): This is inching towards becoming annoying: want better build infrastructure/deps
-tools/hawk_invoke: tools/hawk_invoke.c tools/common.h
-	gcc -fpie -pie $(CFLAGS) -o $@ $<
-
-tools: tools/hawk_chkpwd tools/hawk_invoke
 
+tools: tools/hawk_chkpwd
 
 base/install:
 	./scripts/create-directory-layout.sh "$(DESTDIR)" "$(WWW_BASE)" "$(WWW_LOG)" "$(WWW_TMP)"
@@ -78,18 +74,13 @@ tools/install:
 	-chown root.haclient $(DESTDIR)/usr/sbin/hawk_chkpwd || true
 	-chmod u+s $(DESTDIR)/usr/sbin/hawk_chkpwd
 
-	install -D -m 4750 tools/hawk_invoke $(DESTDIR)/usr/sbin/hawk_invoke
-	-chown root.haclient $(DESTDIR)/usr/sbin/hawk_invoke || true
-	-chmod u+s $(DESTDIR)/usr/sbin/hawk_invoke
-
 # TODO(should): Verify this is really clean (it won't get rid of .mo files,
 # for example
 clean:
 	rm -rf hawk/tmp/*
 	rm -rf hawk/log/*
 	rm -f scripts/hawk.{suse,redhat,service}
 	rm -f tools/hawk_chkpwd
-	rm -f tools/hawk_invoke
 	rm -f tools/common.h
 
 # Note: chown & chmod here are only necessary if *not* doing an RPM build

hawk/app/lib/hb_report.rb

@@ -98,8 +98,7 @@ def generate(from_time, to_time, all_nodes = true)
       args.push("-Q") # Requires a version of crm report which supports this
       args.push("-S") unless all_nodes
       args.push(@path)
-
-      out, err, status = Util.run_as("root", "crm", "report", *args)
+      out, err, status = Util.capture3('crm', "report", *args)
       f = File.new(@outfile, "w")
       f.write(out)
       f.close

hawk/app/lib/invoker.rb

@@ -27,7 +27,7 @@ def initialize
   # cleaned up further)
   # Returns [out, err, exitstatus]
   def run(*cmd)
-    out, err, status = Util.run_as(current_user, *cmd)
+    out, err, status = Util.capture3(*cmd)
     [out, fudge_error(status.exitstatus, err), status.exitstatus]
   end
 
@@ -78,7 +78,7 @@ def crm_configure_load_update(cmd)
   # Invoke cibadmin with command line arguments.  Returns stdout as string,
   # Raises NotFoundError, SecurityError or RuntimeError on failure.
   def cibadmin(*cmd)
-    out, err, status = run_as current_user, 'cibadmin', *cmd
+    out, err, status = Util.capture3('cibadmin', *cmd)
     case status.exitstatus
     when 0
       return out
@@ -110,7 +110,7 @@ def cibadmin_modify(xml)
 
   # Used by the simulator
   def crm_simulate(*cmd)
-    run_as current_user, 'crm_simulate', *cmd
+    Util.capture3('crm_simulate', *cmd)
   end
 
   private
@@ -136,7 +136,8 @@ def invoke_crm(input, *cmd)
       end
     end
     cmd << { stdin_data: input }
-    out, err, status = run_as current_user, 'crm', *cmd
+
+    out, err, status = Util.capture3('crm', *cmd)
     [out, fudge_error(status.exitstatus, err), status.exitstatus]
   end
 

hawk/app/lib/util.rb

@@ -110,23 +110,6 @@ def ensure_home_for(user)
   end
   module_function :ensure_home_for
 
-  # Like capture3, but via /usr/sbin/hawk_invoke
-  def run_as(user, *cmd)
-    Rails.logger.debug "Executing `#{cmd.join(' ').inspect}` through `run_as`"
-    old_home = ensure_home_for(user)
-    # RORSCAN_INL: multi-arg invocation safe from shell injection.
-    ret = capture3('/usr/sbin/hawk_invoke', user, *cmd)
-    # Having invoked a command, reset $HOME to what it was before,
-    # else it sticks, and other (non-invoker) crm invoctiaons, e.g.
-    # has_feature() run the shell as hacluster, which in turn causes
-    # $HOME/.cache and $HOME/.config to revert to 600 with uid hacluster,
-    # which means the *next* call after that will die with permission
-    # problems, and you will spend an entire day debugging it.
-    ENV['HOME'] = old_home
-    ret
-  end
-  module_function :run_as
-
   def diff(a, b)
     # call diff on a and b
     # returns [data, ok?]

hawk/app/models/api/v1/cib.rb

@@ -18,7 +18,7 @@ def get_cib(user)
           Rails.logger.error "Unable to execute #{cmd}"
           return
         end
-        out, err, status = Util.run_as(user, File.basename(cmd), '-Ql')
+        out, err, status = Util.capture3(File.basename(cmd), '-Ql')
         case status.exitstatus
         when 0
           @xml = REXML::Document.new(out)

hawk/app/models/cib.rb

@@ -511,7 +511,7 @@ def initialize(id, user, use_file = false, stonithwarning = false)
         init_offline_cluster id, user, use_file
         return
       end
-      out, err, status = Util.run_as(user, 'cibadmin', '-Ql')
+      out, err, status = Util.capture3('cibadmin', '-Ql')
       case status.exitstatus
       when 0
         @xml = REXML::Document.new(out)

hawk/app/models/cluster.rb

@@ -102,8 +102,7 @@ def cluster_copy(clusters)
       fname = "#{Rails.root}/tmp/dashboard.js"
       File.open(fname, "w") { |f| f.write(JSON.pretty_generate(clusters)) }
       File.chmod(0660, fname)
-      out, err, rc = Util.run_as("root", "crm", "cluster", "copy", fname)
-      out, err, rc = Util.run_as("root", "crm", "cluster", "run", "chown hacluster:haclient #{fname}") if rc == 0
+      out, err, rc = Util.capture3("crm", "cluster", "copy", fname)
       Rails.logger.debug "Copy: #{out} #{err} #{rc}"
       # always succeed here: we don't really care that much if the copy succeeded or not
       true

hawk/app/models/report.rb

@@ -145,7 +145,7 @@ def graph(hb_report, path, format = :svg)
     tmpfile = Tempfile.new("hawk_dot")
     tmpfile.close
     File.chmod(0666, tmpfile.path)
-    _out, err, status = Util.run_as('hacluster', 'crm_simulate', '-x', tpath.to_s, format == :xml ? "-G" : "-D", tmpfile.path.to_s)
+    _out, err, status = Util.capture3('crm_simulate', '-x', tpath.to_s, format == :xml ? "-G" : "-D", tmpfile.path.to_s)
     rc = status.exitstatus
 
     ret = [false, err]