From fa9c19dbf8cc37e3d81b8bb223a81e08ef4bc151 Mon Sep 17 00:00:00 2001
From: Sven Nierlein
Date: Sat, 12 Jun 2021 14:32:57 +0200
Subject: [PATCH] POC vault macros and broker

this PR implements dynamic macro expansion from neb modules in order to implement password vault broker neb modules. From naemons point of view, we simply define a new macro prefix $VAULT...$ and add broker callbacks to fill the value. In order to make password vault work, we need enter a master password before naemon starts, thats why closing stdin moved to after the neb module initialization. So the neb module may implement reading something from stdin.

Advantage of this vault macros would be:
- dynamic 3rd party macro expansion is not limited to passwords
- password storage can be implemented in any way you like, ex. simply encrypted file or advanced remote vaults
- vault macros are not limited to numbers like $VAULT1$ but can be anything ex.: $VAULTSNMPCOMMUNITY$
- some context might be interesting during macro expansion, something like hostname, etc... thats why the macros *mac struct is passed to the broker which might contain host/service/contact pointer.

Things to be done:
- master password is lost during reloads and stdin is closed at that point, so need to find a way to save the master password over reloads.
- systemd integration needs to be tested (can stdin be used here)

Signed-off-by: Sven Nierlein
---
 src/naemon/broker.c | 24 ++++++++++++++++++++++++
 src/naemon/broker.h | 4 +++-
 src/naemon/macros.c | 5 +++++
 src/naemon/naemon.c | 15 +++++++++++++++
 src/naemon/nebcallbacks.h | 1 +
 src/naemon/nebstructs.h | 8 ++++++++
 src/naemon/utils.c | 11 -----------
 7 files changed, 56 insertions(+), 12 deletions(-)
diff --git a/src/naemon/broker.c b/src/naemon/broker.c
index 81db929ab..e24afaa47 100644
--- a/src/naemon/broker.c
+++ b/src/naemon/broker.c
@@ -919,3 +919,27 @@ void broker_statechange_data(int type, int flags, int attr, int statechange_type
 return;
 }
+
+/* get vault macro from broker */
+int broker_vault_macro(char *macro_name, char **output, int *free_macro, nagios_macros *mac)
+{
+ nebstruct_vault_macro_data ds;
+
+ if (!(event_broker_options & BROKER_VAULT_MACROS))
+ return OK;
+
+ /* fill struct with relevant data */
+ ds.macro_name = macro_name;
+ ds.value = NULL;
+ ds.mac = mac;
+
+ /* make callbacks */
+ neb_make_callbacks(NEBCALLBACK_VAULT_MACRO_DATA, (void *)&ds);
+
+ if(ds.value != NULL) {
+ *free_macro = TRUE;
+ *output = ds.value;
+ }
+
+ return OK;
+}
diff --git a/src/naemon/broker.h b/src/naemon/broker.h
index 94b05fcaa..9ebe6b590 100644
--- a/src/naemon/broker.h
+++ b/src/naemon/broker.h
@@ -10,6 +10,7 @@
 #include "objects_contact.h"
 #include "objects_service.h"
 #include "nebmods.h"
+#include "macros.h"
 
 /*************** EVENT BROKER OPTIONS *****************/
 
@@ -27,7 +28,7 @@
 #define BROKER_COMMENT_DATA 256 /* DONE */
 #define BROKER_DOWNTIME_DATA 512 /* DONE */
 #define BROKER_SYSTEM_COMMANDS 1024 /* DONE */
-#define BROKER_OCP_DATA_UNUSED 2048 /* reusable */
+#define BROKER_VAULT_MACROS 2048 /* DONE */
 #define BROKER_STATUS_DATA 4096 /* DONE */
 #define BROKER_ADAPTIVE_DATA 8192 /* DONE */
 #define BROKER_EXTERNALCOMMAND_DATA 16384 /* DONE */
@@ -191,6 +192,7 @@ void broker_aggregated_status_data(int, int, int);
 void broker_retention_data(int, int, int);
 void broker_acknowledgement_data(int, int, int, int, void *, char *, char *, int, int, int);
 void broker_statechange_data(int, int, int, int, void *, int, int, int, int);
+int broker_vault_macro(char *, char **, int *, nagios_macros *);
 
 NAGIOS_END_DECL
 #endif
diff --git a/src/naemon/macros.c b/src/naemon/macros.c
index 8546354a5..664223048 100644
--- a/src/naemon/macros.c
+++ b/src/naemon/macros.c
@@ -7,6 +7,7 @@
 #include "logging.h"
 #include "globals.h"
 #include "nm_alloc.h"
+#include "broker.h"
 #include 
 #include 
 
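Review bot: broker_vault_macro returns OK without touching `*output` both when BROKER_VAULT_MACROS is off and when no module fills `ds.value`, and the caller in macros.c (the @@ -2144 hunk, which returns this result directly) therefore treats an unresolved `$VAULT…$` as a successfully expanded macro rather than an unknown one; what grab_macro_value_r's callers substitute for an untouched `*output` is outside the hunk, but the likely outcome is a check command executed with an empty secret instead of a logged error. Returning failure when nothing was supplied, `return ds.value != NULL ? OK : ERROR;`, lets the existing unknown-macro handling report it, and since bit 2048 was previously unused, existing configs with an explicit `event_broker_options` mask will hit exactly that path. The struct states no ownership rule, yet `*free_macro = TRUE` hands `ds.value` to the core to free, so the module must allocate it with the allocator the core's free matches, and if several modules answer, each later one overwrites (and leaks) the previous value; a comment on the `ds.value = NULL;` line, e.g. `/* module must malloc() value; the core takes ownership and frees it */`, would pin this down. `macro_name` is never written through, so `const char *macro_name` here and in the broker.h prototype would document that, and `if(ds.value` lacks the space the other `if` in this function uses.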
@@ -2144,6 +2145,10 @@ static int grab_macro_value_r(nagios_macros *mac, char *macro_buffer, char **out
 return OK;
 }
 
+ if (strstr(macro_buffer, "VAULT") == macro_buffer) {
+ return(broker_vault_macro(macro_buffer, output, free_macro, mac));
+ }
+
 /* most frequently used "x" macro gets a shortcut */
 if (mac->host_ptr && !strcmp(macro_buffer, "HOSTADDRESS")) {
 if (mac->host_ptr->address)
diff --git a/src/naemon/naemon.c b/src/naemon/naemon.c
index 4aa05b7e6..86d26ee26 100644
--- a/src/naemon/naemon.c
+++ b/src/naemon/naemon.c
@@ -27,6 +27,7 @@
 #include 
 #include 
+#include 
 
 static int test_path_access(const char *program, int mode)
 {
@@ -579,6 +580,20 @@ int main(int argc, char **argv)
 }
 timing_point("Loaded modules\n");
 
+ /* close stdin after the neb modules loaded so they can still ask for passwords */
+ if (daemon_mode == TRUE && sigrestart == FALSE) {
+ /* close existing stdin, stdout, stderr */
+ close(0);
+ close(1);
+ close(2);
+
+ /* THIS HAS TO BE DONE TO AVOID PROBLEMS WITH STDERR BEING REDIRECTED TO SERVICE MESSAGE PIPE! */
+ /* re-open stdin, stdout, stderr with known values */
+ open("/dev/null", O_RDONLY);
+ open("/dev/null", O_WRONLY);
+ open("/dev/null", O_WRONLY);
+ }
+
 timing_point("Making first callback\n");
 broker_program_state(NEBTYPE_PROCESS_PRELAUNCH, NEBFLAG_NONE, NEBATTR_NONE);
 timing_point("Made first callback\n");
diff --git a/src/naemon/nebcallbacks.h b/src/naemon/nebcallbacks.h
index 2b79c5b55..8ed700c5e 100644
--- a/src/naemon/nebcallbacks.h
+++ b/src/naemon/nebcallbacks.h
@@ -36,6 +36,7 @@ enum NEBCallbackType {
 NEBCALLBACK_STATE_CHANGE_DATA,
 NEBCALLBACK_CONTACT_STATUS_DATA,
 NEBCALLBACK_ADAPTIVE_CONTACT_DATA,
+ NEBCALLBACK_VAULT_MACRO_DATA,
 NEBCALLBACK_TYPE__COUNT
 };
 
diff --git a/src/naemon/nebstructs.h b/src/naemon/nebstructs.h
index 86e3ac087..68f701e07 100644
--- a/src/naemon/nebstructs.h
+++ b/src/naemon/nebstructs.h
@@ -6,6 +6,7 @@
 #endif
 
 #include "common.h"
+#include "macros.h"
 
 NAGIOS_BEGIN_DECL
 
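Review bot: `strstr(macro_buffer, "VAULT") == macro_buffer` is a prefix test written as a substring search; `strncmp(macro_buffer, "VAULT", 5) == 0` says what is meant and stops after the prefix. More important than the form is that the test claims every macro name beginning with VAULT for the broker before any other lookup runs, so no built-in or future macro may start with those five letters and a typo such as `$VAULTS…$` never reaches the unknown-macro path; that reservation deserves a comment on the new `if`, e.g. `/* $VAULT...$ names are reserved for broker modules and are resolved before every other lookup */`. grab_macro_value_r starts and ends outside this hunk.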
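Review bot: The three `open()` calls in the moved block are unchecked and assume descriptors 0, 1 and 2 are the lowest free ones in that order; if any of them fails, the next lands on the wrong descriptor, the intended one stays closed, and the next socket or pipe naemon opens can become fd 1 or 2 so that a stray write to stderr ends up on it. The block had the same shape in daemon_init(), but it now runs after module initialisation, where modules have already been able to open and close descriptors, so the ordering assumption is weaker than before; `dup2()` onto the fixed descriptors does not depend on which ones are currently free. The `daemon_mode == TRUE && sigrestart == FALSE` guard should be compared with the condition under which main() called daemon_init(), which is outside the hunk; if they differ, the descriptors are now closed on a different set of startups. main() continues outside the hunk.
```c
	/* close stdin after the neb modules loaded so they can still ask for passwords */
	if (daemon_mode == TRUE && sigrestart == FALSE) {
		/* re-point stdin, stdout, stderr at /dev/null without depending on
		 * which descriptors happen to be the lowest free ones; if /dev/null
		 * cannot be opened the descriptors are left as they are */
		int nullfd = open("/dev/null", O_RDWR);
		if (nullfd >= 0) {
			dup2(nullfd, STDIN_FILENO);
			dup2(nullfd, STDOUT_FILENO);
			dup2(nullfd, STDERR_FILENO);
			if (nullfd > STDERR_FILENO)
				close(nullfd);
		}
	}
	/* … unchanged: timing_point("Making first callback\n") and the PRELAUNCH callback … */
```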
@@ -490,5 +491,12 @@ typedef struct nebstruct_statechange_struct {
 void *object_ptr;
 } nebstruct_statechange_data;
 
+/* vault macro retrieve structure */
+typedef struct nebstruct_vault_macro_struct {
+ char *macro_name;
+ char *value;
+ nagios_macros *mac;
+} nebstruct_vault_macro_data;
+
 NAGIOS_END_DECL
 #endif
diff --git a/src/naemon/utils.c b/src/naemon/utils.c
index b36393f85..4db5aa17d 100644
--- a/src/naemon/utils.c
+++ b/src/naemon/utils.c
@@ -637,17 +637,6 @@ int daemon_init(void)
 val |= FD_CLOEXEC;
 fcntl(lockfile, F_SETFD, val);
 
- /* close existing stdin, stdout, stderr */
- close(0);
- close(1);
- close(2);
-
- /* THIS HAS TO BE DONE TO AVOID PROBLEMS WITH STDERR BEING REDIRECTED TO SERVICE MESSAGE PIPE! */
- /* re-open stdin, stdout, stderr with known values */
- open("/dev/null", O_RDONLY);
- open("/dev/null", O_WRONLY);
- open("/dev/null", O_WRONLY);
-
 broker_program_state(NEBTYPE_PROCESS_DAEMONIZE, NEBFLAG_NONE, NEBATTR_NONE);
 
 return OK;
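Review bot: The new struct does not say who owns `value` or whether `macro_name` may be modified, and given that broker.c sets `*free_macro = TRUE` when `value` is non-NULL, a module that returns a string literal or a pointer into its own buffer will cause the core to free memory it does not own. A comment on the field, e.g. `/* set by the module: heap-allocated copy of the secret; the core takes ownership and frees it, NULL means "not handled" */`, plus `const char *macro_name`, would make the contract explicit. Because `value` carries a secret and nothing in the patch wipes it before release, the comment should also say that modules must not rely on the core clearing it. If, as with the other nebstruct_* types in this header, module code expects the common type/flags/attr/timestamp header fields at the start of every callback structure, this one lacks them; the neighbouring struct is only partly visible in the hunk, so that is worth checking.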