POC vault macros and broker

this PR implements dynamic macro expansion from neb modules in order to
implement password vault broker neb modules. From naemons point of view, we
simply define a new macro prefix $VAULT...$ and add broker callbacks to fill
the value.

In order to make password vault work, we need enter a master password before
naemon starts, thats why closing stdin moved to after the neb module
initialization. So the neb module may implement reading something from stdin.

Advantage of this vault macros would be:

  - dynamic 3rd party macro expansion is not limited to passwords
  - password storage can be implemented in any way you like, ex. simply encrypted file or advanced remote vaults
  - vault macros are not limited to numbers like $VAULT1$ but can be anything ex.: $VAULTSNMPCOMMUNITY$
  - some context might be interesting during macro expansion, something like hostname, etc...
    thats why the macros *mac struct is passed to the broker which might contain host/service/contact pointer.

Things to be done:

  - master password is lost during reloads and stdin is closed at that point,
    so need to find a way to save the master password over reloads.
  - systemd integration needs to be tested (can stdin be used here)

Signed-off-by: Sven Nierlein <[email protected]>

src/naemon/broker.c

@@ -919,3 +919,27 @@ void broker_statechange_data(int type, int flags, int attr, int statechange_type
 
 	return;
 }
+
+/* get vault macro from broker */
+int broker_vault_macro(char *macro_name, char **output, int *free_macro, nagios_macros *mac)
+{
+	nebstruct_vault_macro_data ds;
+
+	if (!(event_broker_options & BROKER_VAULT_MACROS))
+		return OK;
+
+	/* fill struct with relevant data */
+	ds.macro_name = macro_name;
+	ds.value      = NULL;
+	ds.mac        = mac;
+
+	/* make callbacks */
+	neb_make_callbacks(NEBCALLBACK_VAULT_MACRO_DATA, (void *)&ds);
+
+	if(ds.value != NULL) {
+		*free_macro = TRUE;
+		*output = ds.value;
+	}
+
+	return OK;
+}

src/naemon/broker.h

@@ -10,6 +10,7 @@
 #include "objects_contact.h"
 #include "objects_service.h"
 #include "nebmods.h"
+#include "macros.h"
 
 /*************** EVENT BROKER OPTIONS *****************/
 
@@ -27,7 +28,7 @@
 #define BROKER_COMMENT_DATA         	256	/* DONE */
 #define BROKER_DOWNTIME_DATA		512     /* DONE */
 #define BROKER_SYSTEM_COMMANDS          1024	/* DONE */
-#define BROKER_OCP_DATA_UNUSED          2048	/* reusable */
+#define BROKER_VAULT_MACROS             2048    /* DONE */
 #define BROKER_STATUS_DATA              4096    /* DONE */
 #define BROKER_ADAPTIVE_DATA            8192    /* DONE */
 #define BROKER_EXTERNALCOMMAND_DATA     16384   /* DONE */
@@ -191,6 +192,7 @@ void broker_aggregated_status_data(int, int, int);
 void broker_retention_data(int, int, int);
 void broker_acknowledgement_data(int, int, int, int, void *, char *, char *, int, int, int);
 void broker_statechange_data(int, int, int, int, void *, int, int, int, int);
+int broker_vault_macro(char *, char **, int *, nagios_macros *);
 
 NAGIOS_END_DECL
 #endif

src/naemon/macros.c

@@ -7,6 +7,7 @@
 #include "logging.h"
 #include "globals.h"
 #include "nm_alloc.h"
+#include "broker.h"
 #include <string.h>
 #include <glib.h>
 
@@ -2144,6 +2145,10 @@ static int grab_macro_value_r(nagios_macros *mac, char *macro_buffer, char **out
 		return OK;
 	}
 
+	if (strstr(macro_buffer, "VAULT") == macro_buffer) {
+		return(broker_vault_macro(macro_buffer, output, free_macro, mac));
+	}
+
 	/* most frequently used "x" macro gets a shortcut */
 	if (mac->host_ptr && !strcmp(macro_buffer, "HOSTADDRESS")) {
 		if (mac->host_ptr->address)

src/naemon/naemon.c

@@ -27,6 +27,7 @@
 
 #include <getopt.h>
 #include <string.h>
+#include <fcntl.h>
 
 static int test_path_access(const char *program, int mode)
 {
@@ -579,6 +580,20 @@ int main(int argc, char **argv)
 		}
 		timing_point("Loaded modules\n");
 
+		/* close stdin after the neb modules loaded so they can still ask for passwords */
+		if (daemon_mode == TRUE && sigrestart == FALSE) {
+			/* close existing stdin, stdout, stderr */
+			close(0);
+			close(1);
+			close(2);
+
+			/* THIS HAS TO BE DONE TO AVOID PROBLEMS WITH STDERR BEING REDIRECTED TO SERVICE MESSAGE PIPE! */
+			/* re-open stdin, stdout, stderr with known values */
+			open("/dev/null", O_RDONLY);
+			open("/dev/null", O_WRONLY);
+			open("/dev/null", O_WRONLY);
+		}
+
 		timing_point("Making first callback\n");
 		broker_program_state(NEBTYPE_PROCESS_PRELAUNCH, NEBFLAG_NONE, NEBATTR_NONE);
 		timing_point("Made first callback\n");

src/naemon/nebcallbacks.h

@@ -36,6 +36,7 @@ enum NEBCallbackType {
 	NEBCALLBACK_STATE_CHANGE_DATA,
 	NEBCALLBACK_CONTACT_STATUS_DATA,
 	NEBCALLBACK_ADAPTIVE_CONTACT_DATA,
+	NEBCALLBACK_VAULT_MACRO_DATA,
 	NEBCALLBACK_TYPE__COUNT
 };
 

src/naemon/nebstructs.h

@@ -6,6 +6,7 @@
 #endif
 
 #include "common.h"
+#include "macros.h"
 
 NAGIOS_BEGIN_DECL
 
@@ -490,5 +491,12 @@ typedef struct nebstruct_statechange_struct {
 	void            *object_ptr;
 } nebstruct_statechange_data;
 
+/* vault macro retrieve structure */
+typedef struct nebstruct_vault_macro_struct {
+	char            *macro_name;
+	char            *value;
+	nagios_macros   *mac;
+} nebstruct_vault_macro_data;
+
 NAGIOS_END_DECL
 #endif

src/naemon/utils.c

@@ -637,17 +637,6 @@ int daemon_init(void)
 	val |= FD_CLOEXEC;
 	fcntl(lockfile, F_SETFD, val);
 
-	/* close existing stdin, stdout, stderr */
-	close(0);
-	close(1);
-	close(2);
-
-	/* THIS HAS TO BE DONE TO AVOID PROBLEMS WITH STDERR BEING REDIRECTED TO SERVICE MESSAGE PIPE! */
-	/* re-open stdin, stdout, stderr with known values */
-	open("/dev/null", O_RDONLY);
-	open("/dev/null", O_WRONLY);
-	open("/dev/null", O_WRONLY);
-
 	broker_program_state(NEBTYPE_PROCESS_DAEMONIZE, NEBFLAG_NONE, NEBATTR_NONE);
 
 	return OK;