d2/d63/unix__command__config_8cc_source.html

// Copyright (C) 2015-2025 Internet Systems Consortium, Inc. ("ISC")

//

// This Source Code Form is subject to the terms of the Mozilla Public

// License, v. 2.0. If a copy of the MPL was not distributed with this

// file, You can obtain one at http://mozilla.org/MPL/2.0/.


#include <config.h>


#include <asiolink/io_asio_socket.h>

#include <cc/dhcp_config_error.h>

#include <config/command_mgr.h>

#include <config/config_log.h>

#include <config/unix_command_config.h>

#include <util/filesystem.h>

#include <limits>


using namespace isc;

using namespace isc::asiolink;

using namespace isc::config;

using namespace isc::data;

using namespace isc::dhcp;

using namespace isc::util::file;

using namespace std;


namespace isc {

namespace config {


namespace {

    // Singleton PathChecker to set and hold valid unix socket path.

    PathCheckerPtr socket_path_checker_;

};


const mode_t UnixCommandConfig::DEFAULT_SOCKET_PATH_PERMS = (S_IRWXU | S_IRGRP | S_IXGRP);


mode_t UnixCommandConfig::socket_path_perms_ = UnixCommandConfig::DEFAULT_SOCKET_PATH_PERMS;


UnixCommandConfig::UnixCommandConfig(ConstElementPtr config)

    : socket_type_("unix"), socket_name_() {

    if (config->getType() != Element::map) {

        isc_throw(DhcpConfigError, "expected map type ("

                  << config->getPosition() << ")");

    }

    // Get socket type.

    ConstElementPtr socket_type = config->get("socket-type");

    if (socket_type) {

        if (socket_type->getType() != Element::string) {

            isc_throw(DhcpConfigError,

                      "invalid type specified for parameter 'socket-type' ("

                      << socket_type->getPosition() << ")");

        }

        socket_type_ = socket_type->stringValue();

        if ((socket_type_ != "unix")) {

            isc_throw(DhcpConfigError, "unsupported 'socket-type' '"

                      << socket_type_ << "' not 'unix'");

        }

    }

    // Reject HTTP/HTTPS only socket-address.

    if (config->contains("socket-address")) {

        isc_throw(DhcpConfigError,

                  "parameter 'socket-address' is not supported by UNIX "

                  "control sockets");

    }

    // Get socket name.

    ConstElementPtr socket_name = config->get("socket-name");

    if (!socket_name) {

        isc_throw(DhcpConfigError, "Mandatory 'socket-name' parameter missing");

    }


    if (socket_name->getType() != Element::string) {

        isc_throw(DhcpConfigError,

                  "invalid type specified for parameter 'socket-name' ("

                  << socket_name->getPosition() << ")");

    }


    try {

        socket_name_ = validatePath(socket_name->stringValue());

    } catch (const std::exception& ex) {

        isc_throw(DhcpConfigError, "'socket-name' is invalid: " << ex.what());

    }


    // Get user context.

    ConstElementPtr user_context = config->get("user-context");

    if (user_context) {

        setContext(user_context);

    }

}


ElementPtr


UnixCommandConfig::toElement() const {

    ElementPtr result = Element::createMap();

    // Set user-context.

    contextToElement(result);

    // Set socket type.

    result->set("socket-type", Element::create(socket_type_));

    // Set socket name.

    result->set("socket-name", Element::create(socket_name_));

    return (result);

}


std::string


UnixCommandConfig::getSocketPath(bool reset /* = false */,

                                 const std::string explicit_path /* = "" */) {

    if (!socket_path_checker_ || reset) {

        socket_path_checker_.reset(new PathChecker(CONTROL_SOCKET_DIR,

                                                   "KEA_CONTROL_SOCKET_DIR"));

        if (!explicit_path.empty()) {

            socket_path_checker_->getPath(true, explicit_path);

        }

    }


    return (socket_path_checker_->getPath());

}


std::string


UnixCommandConfig::validatePath(const std::string socket_path) {

    if (!socket_path_checker_) {

        getSocketPath();

    }


    std::string valid_path;

    try {

        valid_path = socket_path_checker_->validatePath(socket_path);

    } catch (const SecurityWarn& ex) {

        LOG_WARN(command_logger, COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING)

                .arg(ex.what());

        // Skip checking permissions.

        return(socket_path);

    }


    auto parent_path = socket_path_checker_->getPath();

    if (!hasPermissions(parent_path, socket_path_perms_)) {

        std::ostringstream oss;

        oss << "socket path:" << parent_path

            << " does not exist or does not have permssions = "

            << std::oct << socket_path_perms_;


        if (PathChecker::shouldEnforceSecurity()) {

            isc_throw (DhcpConfigError, oss.str());

        }


        LOG_WARN(command_logger, COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING)

                .arg(oss.str());

    }


    return (valid_path);

}


mode_t


UnixCommandConfig::getSocketPathPerms() {

    return (socket_path_perms_);

}


void


UnixCommandConfig::setSocketPathPerms(mode_t perms

                                      /* = DEFAULT_SOCKET_PATH_PERMS */) {

    socket_path_perms_ = perms;

}


} // end of isc::config

} // end of isc

if
if(!(yy_init))
Definition agent_lexer.cc:1900

Element::create
static ElementPtr create(const Position &pos=ZERO_POSITION())
Definition data.cc:249

Element::map
@ map
Definition data.h:147

Element::string
@ string
Definition data.h:144

Element::createMap
static ElementPtr createMap(const Position &pos=ZERO_POSITION())
Creates an empty MapElement type ElementPtr.
Definition data.cc:304

isc::Exception::what
virtual const char * what() const
Returns a C-style character string of the cause of the exception.
Definition exceptions/exceptions.cc:32

isc::config::UnixCommandConfig::getSocketPath
static std::string getSocketPath(bool reset=false, const std::string explicit_path="")
Fetches the supported control socket path.
Definition unix_command_config.cc:101

isc::config::UnixCommandConfig::getSocketPathPerms
static mode_t getSocketPathPerms()
Fetches the required socket path permissions mask.
Definition unix_command_config.cc:149

isc::config::UnixCommandConfig::UnixCommandConfig
UnixCommandConfig(isc::data::ConstElementPtr config)
Constructor.
Definition unix_command_config.cc:37

isc::config::UnixCommandConfig::DEFAULT_SOCKET_PATH_PERMS
static const mode_t DEFAULT_SOCKET_PATH_PERMS
Defines the default permissions for unix socket parent directory.
Definition unix_command_config.h:26

isc::config::UnixCommandConfig::setSocketPathPerms
static void setSocketPathPerms(mode_t perms=DEFAULT_SOCKET_PATH_PERMS)
Sets the required socket path permissions mask.
Definition unix_command_config.cc:154

isc::config::UnixCommandConfig::toElement
virtual isc::data::ElementPtr toElement() const
Unparse a configuration object.
Definition unix_command_config.cc:89

isc::config::UnixCommandConfig::validatePath
static std::string validatePath(const std::string socket_path)
Validates a path against the supported path for unix control sockets.
Definition unix_command_config.cc:115

isc::config::UnixCommandConfig::socket_path_perms_
static mode_t socket_path_perms_
Stores the default permissions for unix socket parent directory.
Definition unix_command_config.h:29

isc::dhcp::DhcpConfigError
To be removed. Please use ConfigError instead.
Definition dhcp_config_error.h:58

isc::util::file::PathChecker
Embodies a supported path against which file paths can be validated.
Definition filesystem.h:203

isc::util::file::PathChecker::shouldEnforceSecurity
static bool shouldEnforceSecurity()
Indicates security checks should be enforced.
Definition filesystem.cc:351

isc::util::file::SecurityWarn
A generic exception that is thrown if a parameter given violates security check but enforcement is la...
Definition filesystem.h:21

command_mgr.h

config_log.h

dhcp_config_error.h

isc_throw
#define isc_throw(type, stream)
A shortcut macro to insert known values into exception arguments.
Definition exceptions/exceptions.h:210

filesystem.h

io_asio_socket.h

LOG_WARN
#define LOG_WARN(LOGGER, MESSAGE)
Macro to conveniently test warn output and log it.
Definition macros.h:26

isc::asiolink
Definition addr_utilities.cc:170

isc::config
Definition command_interpreter.cc:23

isc::config::COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING
const isc::log::MessageID COMMAND_UNIX_SOCKET_PATH_SECURITY_WARNING
Definition config_messages.h:36

isc::config::COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING
const isc::log::MessageID COMMAND_UNIX_SOCKET_PERMISSIONS_SECURITY_WARNING
Definition config_messages.h:37

isc::config::command_logger
isc::log::Logger command_logger("commands")
Command processing Logger.
Definition config_log.h:21

isc::data
Definition base_stamped_element.cc:12

isc::data::ConstElementPtr
boost::shared_ptr< const Element > ConstElementPtr
Definition data.h:29

isc::data::ElementPtr
boost::shared_ptr< Element > ElementPtr
Definition data.h:28

isc::dhcp
Definition dhcp4/client_handler.cc:20

isc::util::file
Definition filesystem.cc:29

isc::util::file::PathCheckerPtr
boost::shared_ptr< PathChecker > PathCheckerPtr
Defines a pointer to a PathChecker.
Definition filesystem.h:323

isc::util::file::hasPermissions
bool hasPermissions(const std::string path, const mode_t &permissions)
Check if there if file or directory has the given permissions.
Definition filesystem.cc:66

isc
Defines the logger used by the top-level component of kea-lfc.
Definition agent_parser.cc:148

isc::data::UserContext::contextToElement
void contextToElement(data::ElementPtr map) const
Merge unparse a user_context object.
Definition user_context.cc:15

isc::data::UserContext::setContext
void setContext(const data::ConstElementPtr &ctx)
Sets user context.
Definition user_context.h:30

unix_command_config.h