]>
Commit | Line | Data |
---|---|---|
758c7b6b DM |
1 | package PMG::Utils; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
758c7b6b | 5 | use DBI; |
b8ea5d5d | 6 | use Net::Cmd; |
758c7b6b | 7 | use Net::SMTP; |
26357b0a | 8 | use IO::File; |
cad3d400 | 9 | use File::stat; |
d17c5265 DM |
10 | use POSIX qw(strftime); |
11 | use File::stat; | |
ff1c5a81 | 12 | use File::Basename; |
758c7b6b DM |
13 | use MIME::Words; |
14 | use MIME::Parser; | |
8210c7fa | 15 | use Time::HiRes qw (gettimeofday); |
2f7031b7 | 16 | use Time::Local; |
26357b0a | 17 | use Xdgmime; |
d0d91cda | 18 | use Data::Dumper; |
62ebb4bc | 19 | use Digest::SHA; |
f609bf7f | 20 | use Net::IP; |
9f67f5b3 | 21 | use Socket; |
dff363d9 DM |
22 | use RRDs; |
23 | use Filesys::Df; | |
8208c076 | 24 | use Encode; |
9a56f771 | 25 | use HTML::Entities; |
758c7b6b | 26 | |
dff363d9 | 27 | use PVE::ProcFSTools; |
f609bf7f | 28 | use PVE::Network; |
5953119e | 29 | use PVE::Tools; |
758c7b6b | 30 | use PVE::SafeSyslog; |
f609bf7f | 31 | use PVE::ProcFSTools; |
d0d91cda | 32 | use PMG::AtomicFile; |
8210c7fa | 33 | use PMG::MailQueue; |
c4df1b85 | 34 | use PMG::SMTPPrinter; |
758c7b6b | 35 | |
62ebb4bc DM |
36 | my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/; |
37 | ||
38 | PVE::JSONSchema::register_format('pmg-realm', \&verify_realm); | |
39 | sub verify_realm { | |
40 | my ($realm, $noerr) = @_; | |
41 | ||
42 | if ($realm !~ m/^${realm_regex}$/) { | |
43 | return undef if $noerr; | |
44 | die "value does not look like a valid realm\n"; | |
45 | } | |
46 | return $realm; | |
47 | } | |
48 | ||
49 | PVE::JSONSchema::register_standard_option('realm', { | |
50 | description => "Authentication domain ID", | |
51 | type => 'string', format => 'pmg-realm', | |
52 | maxLength => 32, | |
53 | }); | |
54 | ||
55 | PVE::JSONSchema::register_format('pmg-userid', \&verify_username); | |
56 | sub verify_username { | |
57 | my ($username, $noerr) = @_; | |
58 | ||
59 | $username = '' if !$username; | |
60 | my $len = length($username); | |
61 | if ($len < 3) { | |
62 | die "user name '$username' is too short\n" if !$noerr; | |
63 | return undef; | |
64 | } | |
65 | if ($len > 64) { | |
66 | die "user name '$username' is too long ($len > 64)\n" if !$noerr; | |
67 | return undef; | |
68 | } | |
69 | ||
70 | # we only allow a limited set of characters | |
71 | # colon is not allowed, because we store usernames in | |
72 | # colon separated lists)! | |
73 | # slash is not allowed because it is used as pve API delimiter | |
74 | # also see "man useradd" | |
75 | if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) { | |
76 | return wantarray ? ($username, $1, $2) : $username; | |
77 | } | |
78 | ||
79 | die "value '$username' does not look like a valid user name\n" if !$noerr; | |
80 | ||
81 | return undef; | |
82 | } | |
83 | ||
84 | PVE::JSONSchema::register_standard_option('userid', { | |
85 | description => "User ID", | |
86 | type => 'string', format => 'pmg-userid', | |
6b0180c3 | 87 | minLength => 4, |
62ebb4bc | 88 | maxLength => 64, |
6b0180c3 | 89 | }); |
62ebb4bc DM |
90 | |
91 | PVE::JSONSchema::register_standard_option('username', { | |
92 | description => "Username (without realm)", | |
93 | type => 'string', | |
94 | pattern => '[^\s:\/\@]{3,60}', | |
6b0180c3 | 95 | minLength => 4, |
62ebb4bc DM |
96 | maxLength => 64, |
97 | }); | |
98 | ||
758c7b6b DM |
99 | sub lastid { |
100 | my ($dbh, $seq) = @_; | |
101 | ||
102 | return $dbh->last_insert_id( | |
103 | undef, undef, undef, undef, { sequence => $seq}); | |
104 | } | |
105 | ||
ab466078 DM |
106 | # quote all regex operators |
107 | sub quote_regex { | |
108 | my $val = shift; | |
109 | ||
110 | $val =~ s/([\(\)\[\]\/\}\+\*\?\.\|\^\$\\])/\\$1/g; | |
111 | ||
112 | return $val; | |
113 | } | |
114 | ||
cad3d400 DM |
115 | sub file_older_than { |
116 | my ($filename, $lasttime) = @_; | |
117 | ||
118 | my $st = stat($filename); | |
119 | ||
120 | return 0 if !defined($st); | |
121 | ||
122 | return ($lasttime >= $st->ctime); | |
123 | } | |
124 | ||
758c7b6b DM |
125 | sub extract_filename { |
126 | my ($head) = @_; | |
127 | ||
128 | if (my $value = $head->recommended_filename()) { | |
8210c7fa | 129 | chomp $value; |
758c7b6b DM |
130 | if (my $decvalue = MIME::Words::decode_mimewords($value)) { |
131 | $decvalue =~ s/\0/ /g; | |
5953119e | 132 | $decvalue = PVE::Tools::trim($decvalue); |
758c7b6b DM |
133 | return $decvalue; |
134 | } | |
135 | } | |
136 | ||
137 | return undef; | |
138 | } | |
139 | ||
140 | sub remove_marks { | |
141 | my ($entity, $add_id, $id) = @_; | |
142 | ||
143 | $id //= 1; | |
144 | ||
145 | foreach my $tag (grep {/^x-proxmox-tmp/i} $entity->head->tags) { | |
146 | $entity->head->delete ($tag); | |
147 | } | |
148 | ||
149 | $entity->head->replace('X-Proxmox-tmp-AID', $id) if $add_id; | |
150 | ||
151 | foreach my $part ($entity->parts) { | |
152 | $id = remove_marks($part, $add_id, $id + 1); | |
153 | } | |
154 | ||
155 | return $id; | |
156 | } | |
157 | ||
158 | sub subst_values { | |
159 | my ($body, $dh) = @_; | |
160 | ||
161 | return if !$body; | |
162 | ||
163 | foreach my $k (keys %$dh) { | |
164 | my $v = $dh->{$k}; | |
bd98f5a1 DM |
165 | if (defined($v)) { |
166 | $body =~ s/__\Q${k}\E__/$v/gs; | |
758c7b6b DM |
167 | } |
168 | } | |
169 | ||
170 | return $body; | |
171 | } | |
172 | ||
173 | sub reinject_mail { | |
174 | my ($entity, $sender, $targets, $xforward, $me, $nodsn) = @_; | |
175 | ||
176 | my $smtp; | |
177 | my $resid; | |
178 | my $rescode; | |
179 | my $resmess; | |
180 | ||
181 | eval { | |
182 | my $smtp = Net::SMTP->new('127.0.0.1', Port => 10025, Hello => $me) || | |
183 | die "unable to connect to localhost at port 10025"; | |
184 | ||
185 | if (defined($xforward)) { | |
186 | my $xfwd; | |
8210c7fa | 187 | |
758c7b6b DM |
188 | foreach my $attr (keys %{$xforward}) { |
189 | $xfwd .= " $attr=$xforward->{$attr}"; | |
190 | } | |
191 | ||
192 | if ($xfwd && $smtp->command("XFORWARD", $xfwd)->response() != CMD_OK) { | |
193 | syslog('err', "xforward error - got: %s %s", $smtp->code, scalar($smtp->message)); | |
194 | } | |
195 | } | |
196 | ||
197 | if (!$smtp->mail($sender)) { | |
198 | syslog('err', "smtp error - got: %s %s", $smtp->code, scalar ($smtp->message)); | |
199 | die "smtp from: ERROR"; | |
200 | } | |
201 | ||
202 | my $dsnopts = $nodsn ? {Notify => ['NEVER']} : {}; | |
203 | ||
204 | if (!$smtp->to (@$targets, $dsnopts)) { | |
205 | syslog ('err', "smtp error - got: %s %s", $smtp->code, scalar($smtp->message)); | |
206 | die "smtp to: ERROR"; | |
207 | } | |
208 | ||
209 | # Output the head: | |
210 | #$entity->sync_headers (); | |
211 | $smtp->data(); | |
212 | ||
213 | my $out = PMG::SMTPPrinter->new($smtp); | |
214 | $entity->print($out); | |
8210c7fa DM |
215 | |
216 | # make sure we always have a newline at the end of the mail | |
758c7b6b DM |
217 | # else dataend() fails |
218 | $smtp->datasend("\n"); | |
219 | ||
220 | if ($smtp->dataend()) { | |
221 | my @msgs = $smtp->message; | |
8210c7fa DM |
222 | $resmess = $msgs[$#msgs]; |
223 | ($resid) = $resmess =~ m/Ok: queued as ([0-9A-Z]+)/; | |
758c7b6b DM |
224 | $rescode = $smtp->code; |
225 | if (!$resid) { | |
226 | die sprintf("unexpected SMTP result - got: %s %s : WARNING", $smtp->code, $resmess); | |
8210c7fa | 227 | } |
758c7b6b DM |
228 | } else { |
229 | my @msgs = $smtp->message; | |
8210c7fa | 230 | $resmess = $msgs[$#msgs]; |
758c7b6b DM |
231 | $rescode = $smtp->code; |
232 | die sprintf("sending data failed - got: %s %s : ERROR", $smtp->code, $resmess); | |
233 | } | |
234 | }; | |
235 | my $err = $@; | |
8210c7fa | 236 | |
758c7b6b | 237 | $smtp->quit if $smtp; |
8210c7fa | 238 | |
758c7b6b DM |
239 | if ($err) { |
240 | syslog ('err', $err); | |
241 | } | |
242 | ||
243 | return wantarray ? ($resid, $rescode, $resmess) : $resid; | |
244 | } | |
245 | ||
8210c7fa DM |
246 | sub analyze_virus_clam { |
247 | my ($queue, $dname, $pmg_cfg) = @_; | |
248 | ||
249 | my $timeout = 60*5; | |
250 | my $vinfo; | |
251 | ||
252 | my $clamdscan_opts = "--stdout"; | |
253 | ||
254 | my ($csec, $usec) = gettimeofday(); | |
255 | ||
256 | my $previous_alarm; | |
257 | ||
258 | eval { | |
259 | ||
260 | $previous_alarm = alarm($timeout); | |
261 | ||
262 | $SIG{ALRM} = sub { | |
263 | die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " . | |
264 | "virus analyze (clamav) failed: ERROR"; | |
265 | }; | |
266 | ||
267 | open(CMD, "/usr/bin/clamdscan $clamdscan_opts '$dname'|") || | |
268 | die "$queue->{logid}: can't exec clamdscan: $! : ERROR"; | |
269 | ||
270 | my $ifiles; | |
8210c7fa | 271 | |
54eaf7df DM |
272 | my $response = ''; |
273 | while (defined(my $line = <CMD>)) { | |
274 | if ($line =~ m/^$dname.*:\s+([^ :]*)\s+FOUND$/) { | |
8210c7fa DM |
275 | # we just use the first detected virus name |
276 | $vinfo = $1 if !$vinfo; | |
54eaf7df | 277 | } elsif ($line =~ m/^Infected files:\s(\d*)$/i) { |
8210c7fa DM |
278 | $ifiles = $1; |
279 | } | |
280 | ||
54eaf7df | 281 | $response .= $line; |
8210c7fa DM |
282 | } |
283 | ||
284 | close(CMD); | |
285 | ||
286 | alarm(0); # avoid race conditions | |
287 | ||
288 | if (!defined($ifiles)) { | |
289 | die "$queue->{logid}: got undefined output from " . | |
54eaf7df | 290 | "virus detector: $response : ERROR"; |
8210c7fa DM |
291 | } |
292 | ||
293 | if ($vinfo) { | |
54eaf7df | 294 | syslog('info', "$queue->{logid}: virus detected: $vinfo (clamav)"); |
8210c7fa DM |
295 | } |
296 | }; | |
297 | my $err = $@; | |
298 | ||
299 | alarm($previous_alarm); | |
300 | ||
301 | my ($csec_end, $usec_end) = gettimeofday(); | |
302 | $queue->{ptime_clam} = | |
303 | int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000); | |
304 | ||
305 | if ($err) { | |
306 | syslog ('err', $err); | |
307 | $vinfo = undef; | |
308 | $queue->{errors} = 1; | |
309 | } | |
310 | ||
311 | $queue->{vinfo_clam} = $vinfo; | |
312 | ||
313 | return $vinfo ? "$vinfo (clamav)" : undef; | |
314 | } | |
315 | ||
316 | sub analyze_virus { | |
317 | my ($queue, $filename, $pmg_cfg, $testmode) = @_; | |
318 | ||
319 | # TODO: support other virus scanners? | |
320 | ||
321 | # always scan with clamav | |
322 | return analyze_virus_clam($queue, $filename, $pmg_cfg); | |
323 | } | |
324 | ||
26357b0a DM |
325 | sub magic_mime_type_for_file { |
326 | my ($filename) = @_; | |
dff363d9 | 327 | |
26357b0a DM |
328 | # we do not use get_mime_type_for_file, because that considers |
329 | # filename extensions - we only want magic type detection | |
330 | ||
331 | my $bufsize = Xdgmime::xdg_mime_get_max_buffer_extents(); | |
332 | die "got strange value for max_buffer_extents" if $bufsize > 4096*10; | |
333 | ||
334 | my $ct = "application/octet-stream"; | |
335 | ||
dff363d9 | 336 | my $fh = IO::File->new("<$filename") || |
26357b0a DM |
337 | die "unable to open file '$filename' - $!"; |
338 | ||
339 | my ($buf, $len); | |
340 | if (($len = $fh->read($buf, $bufsize)) > 0) { | |
341 | $ct = xdg_mime_get_mime_type_for_data($buf, $len); | |
342 | } | |
343 | $fh->close(); | |
dff363d9 | 344 | |
26357b0a | 345 | die "unable to read file '$filename' - $!" if ($len < 0); |
dff363d9 | 346 | |
26357b0a DM |
347 | return $ct; |
348 | } | |
758c7b6b | 349 | |
1d4193a1 DM |
350 | sub add_ct_marks { |
351 | my ($entity) = @_; | |
352 | ||
353 | if (my $path = $entity->{PMX_decoded_path}) { | |
354 | ||
355 | # set a reasonable default if magic does not give a result | |
356 | $entity->{PMX_magic_ct} = $entity->head->mime_attr('content-type'); | |
357 | ||
358 | if (my $ct = magic_mime_type_for_file($path)) { | |
359 | if ($ct ne 'application/octet-stream' || !$entity->{PMX_magic_ct}) { | |
360 | $entity->{PMX_magic_ct} = $ct; | |
361 | } | |
362 | } | |
363 | ||
364 | my $filename = $entity->head->recommended_filename; | |
365 | $filename = basename($path) if !defined($filename) || $filename eq ''; | |
366 | ||
367 | if (my $ct = xdg_mime_get_mime_type_from_file_name($filename)) { | |
368 | $entity->{PMX_glob_ct} = $ct; | |
369 | } | |
370 | } | |
371 | ||
372 | foreach my $part ($entity->parts) { | |
373 | add_ct_marks ($part); | |
374 | } | |
375 | } | |
376 | ||
f609bf7f DM |
377 | # x509 certificate utils |
378 | ||
896ef634 DM |
379 | # only write output if something fails |
380 | sub run_silent_cmd { | |
381 | my ($cmd) = @_; | |
382 | ||
383 | my $outbuf = ''; | |
384 | ||
385 | my $record_output = sub { | |
386 | $outbuf .= shift; | |
387 | $outbuf .= "\n"; | |
388 | }; | |
389 | ||
390 | eval { | |
391 | PVE::Tools::run_command($cmd, outfunc => $record_output, | |
392 | errfunc => $record_output); | |
393 | }; | |
394 | my $err = $@; | |
395 | ||
396 | if ($err) { | |
397 | print STDERR $outbuf; | |
398 | die $err; | |
399 | } | |
400 | } | |
401 | ||
3278b571 | 402 | my $proxmox_tls_cert_fn = "/etc/pmg/pmg-tls.pem"; |
f609bf7f DM |
403 | |
404 | sub gen_proxmox_tls_cert { | |
bc44eb02 | 405 | my ($force) = @_; |
f609bf7f | 406 | |
bc44eb02 DM |
407 | my $resolv = PVE::INotify::read_file('resolvconf'); |
408 | my $domain = $resolv->{search}; | |
409 | ||
410 | my $company = $domain; # what else ? | |
411 | my $cn = "*.$domain"; | |
412 | ||
413 | return if !$force && -f $proxmox_tls_cert_fn; | |
f609bf7f DM |
414 | |
415 | my $sslconf = <<__EOD__; | |
416 | RANDFILE = /root/.rnd | |
417 | extensions = v3_req | |
418 | ||
419 | [ req ] | |
420 | default_bits = 4096 | |
421 | distinguished_name = req_distinguished_name | |
422 | req_extensions = v3_req | |
423 | prompt = no | |
424 | string_mask = nombstr | |
425 | ||
426 | [ req_distinguished_name ] | |
427 | organizationalUnitName = Proxmox Mail Gateway | |
428 | organizationName = $company | |
429 | commonName = $cn | |
430 | ||
431 | [ v3_req ] | |
432 | basicConstraints = CA:FALSE | |
433 | nsCertType = server | |
434 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |
435 | __EOD__ | |
436 | ||
3278b571 | 437 | my $cfgfn = "/tmp/pmgtlsconf-$$.tmp"; |
f609bf7f DM |
438 | my $fh = IO::File->new ($cfgfn, "w"); |
439 | print $fh $sslconf; | |
440 | close ($fh); | |
441 | ||
442 | eval { | |
896ef634 DM |
443 | my $cmd = ['openssl', 'req', '-batch', '-x509', '-new', '-sha256', |
444 | '-config', $cfgfn, '-days', 3650, '-nodes', | |
445 | '-out', $proxmox_tls_cert_fn, | |
446 | '-keyout', $proxmox_tls_cert_fn]; | |
447 | run_silent_cmd($cmd); | |
f609bf7f DM |
448 | }; |
449 | ||
450 | if (my $err = $@) { | |
451 | unlink $proxmox_tls_cert_fn; | |
452 | unlink $cfgfn; | |
453 | die "unable to generate proxmox certificate request:\n$err"; | |
454 | } | |
455 | ||
456 | unlink $cfgfn; | |
457 | } | |
458 | ||
459 | sub find_local_network_for_ip { | |
460 | my ($ip) = @_; | |
461 | ||
462 | my $testip = Net::IP->new($ip); | |
463 | ||
464 | my $isv6 = $testip->version == 6; | |
465 | my $routes = $isv6 ? | |
466 | PVE::ProcFSTools::read_proc_net_ipv6_route() : | |
467 | PVE::ProcFSTools::read_proc_net_route(); | |
468 | ||
469 | foreach my $entry (@$routes) { | |
470 | my $mask; | |
471 | if ($isv6) { | |
472 | $mask = $entry->{prefix}; | |
473 | next if !$mask; # skip the default route... | |
474 | } else { | |
475 | $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}}; | |
476 | next if !defined($mask); | |
477 | } | |
478 | my $cidr = "$entry->{dest}/$mask"; | |
479 | my $testnet = Net::IP->new($cidr); | |
480 | my $overlap = $testnet->overlaps($testip); | |
481 | if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP || | |
482 | $overlap == $Net::IP::IP_IDENTICAL) | |
483 | { | |
484 | return $cidr; | |
485 | } | |
486 | } | |
487 | ||
488 | die "unable to detect local network for ip '$ip'\n"; | |
489 | } | |
d0d91cda | 490 | |
ef07e4d0 DM |
491 | my $service_aliases = { |
492 | 'postfix' => 'postfix@-', | |
493 | 'postgres' => 'postgresql@9.6-main', | |
494 | }; | |
495 | ||
496 | sub lookup_real_service_name { | |
497 | my $alias = shift; | |
498 | ||
499 | return $service_aliases->{$alias} // $alias; | |
500 | } | |
501 | ||
230b4e03 DM |
502 | sub get_full_service_state { |
503 | my ($service) = @_; | |
504 | ||
505 | my $res; | |
506 | ||
507 | my $parser = sub { | |
508 | my $line = shift; | |
509 | if ($line =~ m/^([^=\s]+)=(.*)$/) { | |
510 | $res->{$1} = $2; | |
511 | } | |
512 | }; | |
513 | ||
ef07e4d0 | 514 | $service = $service_aliases->{$service} // $service; |
230b4e03 DM |
515 | PVE::Tools::run_command(['systemctl', 'show', $service], outfunc => $parser); |
516 | ||
517 | return $res; | |
518 | } | |
519 | ||
cfdf6608 DM |
520 | sub service_wait_stopped { |
521 | my ($timeout, $service_list) = @_; | |
522 | ||
523 | my $starttime = time(); | |
524 | ||
525 | foreach my $service (@$service_list) { | |
526 | PVE::Tools::run_command(['systemctl', 'stop', $service]); | |
527 | } | |
528 | ||
529 | while (1) { | |
530 | my $wait = 0; | |
531 | ||
532 | foreach my $service (@$service_list) { | |
533 | my $ss = get_full_service_state($service); | |
534 | my $state = $ss->{ActiveState} // 'unknown'; | |
535 | ||
536 | if ($state ne 'inactive') { | |
537 | if ((time() - $starttime) > $timeout) { | |
538 | syslog('err', "unable to stop services (got timeout)"); | |
539 | $wait = 0; | |
540 | last; | |
541 | } | |
542 | $wait = 1; | |
543 | } | |
544 | } | |
545 | ||
546 | last if !$wait; | |
547 | ||
548 | sleep(1); | |
549 | } | |
550 | } | |
551 | ||
3f85510e DM |
552 | sub service_cmd { |
553 | my ($service, $cmd) = @_; | |
554 | ||
555 | die "unknown service command '$cmd'\n" | |
556 | if $cmd !~ m/^(start|stop|restart|reload)$/; | |
557 | ||
558 | if ($service eq 'pmgdaemon' || $service eq 'pmgproxy') { | |
559 | if ($cmd eq 'restart') { | |
560 | # OK | |
561 | } else { | |
562 | die "invalid service cmd '$service $cmd': ERROR"; | |
563 | } | |
564 | } | |
565 | ||
ef07e4d0 | 566 | $service = $service_aliases->{$service} // $service; |
3f85510e DM |
567 | PVE::Tools::run_command(['systemctl', $cmd, $service]); |
568 | }; | |
569 | ||
9f67f5b3 DM |
570 | # this is also used to get the IP of the local node |
571 | sub lookup_node_ip { | |
572 | my ($nodename, $noerr) = @_; | |
573 | ||
574 | my ($family, $packed_ip); | |
575 | ||
576 | eval { | |
577 | my @res = PVE::Tools::getaddrinfo_all($nodename); | |
578 | $family = $res[0]->{family}; | |
579 | $packed_ip = (PVE::Tools::unpack_sockaddr_in46($res[0]->{addr}))[2]; | |
580 | }; | |
581 | ||
582 | if ($@) { | |
583 | die "hostname lookup failed:\n$@" if !$noerr; | |
584 | return undef; | |
585 | } | |
586 | ||
587 | my $ip = Socket::inet_ntop($family, $packed_ip); | |
588 | if ($ip =~ m/^127\.|^::1$/) { | |
589 | die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr; | |
590 | return undef; | |
591 | } | |
592 | ||
593 | return wantarray ? ($ip, $family) : $ip; | |
594 | } | |
595 | ||
630d1ae3 DM |
596 | sub run_postmap { |
597 | my ($filename) = @_; | |
598 | ||
599 | # make sure the file exists (else postmap fails) | |
600 | IO::File->new($filename, 'a', 0644); | |
601 | ||
78982d93 DM |
602 | my $age_src = -M $filename // 0; |
603 | my $age_dst = -M "$filename.db" // 10000000000; | |
604 | ||
605 | # if not changed, do nothing | |
606 | return if $age_src > $age_dst; | |
607 | ||
630d1ae3 DM |
608 | eval { |
609 | PVE::Tools::run_command( | |
610 | ['/usr/sbin/postmap', $filename], | |
611 | errmsg => "unable to update postfix table $filename"); | |
612 | }; | |
613 | my $err = $@; | |
614 | ||
615 | warn $err if $err; | |
616 | } | |
617 | ||
d17c5265 DM |
618 | sub clamav_dbstat { |
619 | ||
620 | my $res = []; | |
621 | ||
622 | my $read_cvd_info = sub { | |
623 | my ($dbname, $dbfile) = @_; | |
624 | ||
625 | my $header; | |
626 | my $fh = IO::File->new("<$dbfile"); | |
627 | if (!$fh) { | |
628 | warn "cant open ClamAV Database $dbname ($dbfile) - $!\n"; | |
629 | return; | |
630 | } | |
631 | $fh->read($header, 512); | |
632 | $fh->close(); | |
633 | ||
634 | ## ClamAV-VDB:16 Mar 2016 23-17 +0000:57:4218790:60:06386f34a16ebeea2733ab037f0536be: | |
635 | if ($header =~ m/^(ClamAV-VDB):([^:]+):(\d+):(\d+):/) { | |
636 | my ($ftype, $btime, $version, $nsigs) = ($1, $2, $3, $4); | |
637 | push @$res, { | |
638 | name => $dbname, | |
639 | type => $ftype, | |
640 | build_time => $btime, | |
641 | version => $version, | |
642 | nsigs => $nsigs, | |
643 | }; | |
644 | } else { | |
645 | warn "unable to parse ClamAV Database $dbname ($dbfile)\n"; | |
646 | } | |
647 | }; | |
648 | ||
649 | # main database | |
650 | my $filename = "/var/lib/clamav/main.inc/main.info"; | |
651 | $filename = "/var/lib/clamav/main.cvd" if ! -f $filename; | |
652 | ||
653 | $read_cvd_info->('main', $filename) if -f $filename; | |
654 | ||
655 | # daily database | |
656 | $filename = "/var/lib/clamav/daily.inc/daily.info"; | |
657 | $filename = "/var/lib/clamav/daily.cvd" if ! -f $filename; | |
658 | $filename = "/var/lib/clamav/daily.cld" if ! -f $filename; | |
659 | ||
660 | $read_cvd_info->('daily', $filename) if -f $filename; | |
661 | ||
662 | $filename = "/var/lib/clamav/bytecode.cvd"; | |
663 | $read_cvd_info->('bytecode', $filename) if -f $filename; | |
664 | ||
9860e592 DM |
665 | $filename = "/var/lib/clamav/safebrowsing.cvd"; |
666 | $read_cvd_info->('safebrowsing', $filename) if -f $filename; | |
667 | ||
dabcd20e DM |
668 | my $ss_dbs_fn = "/var/lib/clamav-unofficial-sigs/configs/ss-include-dbs.txt"; |
669 | my $ss_dbs_files = {}; | |
670 | if (my $ssfh = IO::File->new("<${ss_dbs_fn}")) { | |
671 | while (defined(my $line = <$ssfh>)) { | |
672 | chomp $line; | |
673 | $ss_dbs_files->{$line} = 1; | |
674 | } | |
675 | } | |
d17c5265 DM |
676 | my $last = 0; |
677 | my $nsigs = 0; | |
678 | foreach $filename (</var/lib/clamav/*>) { | |
dabcd20e DM |
679 | my $fn = basename($filename); |
680 | next if !$ss_dbs_files->{$fn}; | |
681 | ||
d17c5265 DM |
682 | my $fh = IO::File->new("<$filename"); |
683 | next if !defined($fh); | |
684 | my $st = stat($fh); | |
685 | next if !$st; | |
686 | my $mtime = $st->mtime(); | |
687 | $last = $mtime if $mtime > $last; | |
688 | while (defined(my $line = <$fh>)) { $nsigs++; } | |
689 | } | |
690 | ||
691 | if ($nsigs > 0) { | |
692 | push @$res, { | |
9860e592 | 693 | name => 'sanesecurity', |
d17c5265 | 694 | type => 'unofficial', |
2d011fef | 695 | build_time => strftime("%d %b %Y %H-%M %z", localtime($last)), |
d17c5265 DM |
696 | nsigs => $nsigs, |
697 | }; | |
698 | } | |
699 | ||
700 | return $res; | |
701 | } | |
702 | ||
dff363d9 DM |
703 | # RRD related code |
704 | my $rrd_dir = "/var/lib/rrdcached/db"; | |
705 | my $rrdcached_socket = "/var/run/rrdcached.sock"; | |
706 | ||
707 | my $rrd_def_node = [ | |
708 | "DS:loadavg:GAUGE:120:0:U", | |
709 | "DS:maxcpu:GAUGE:120:0:U", | |
710 | "DS:cpu:GAUGE:120:0:U", | |
711 | "DS:iowait:GAUGE:120:0:U", | |
712 | "DS:memtotal:GAUGE:120:0:U", | |
713 | "DS:memused:GAUGE:120:0:U", | |
714 | "DS:swaptotal:GAUGE:120:0:U", | |
715 | "DS:swapused:GAUGE:120:0:U", | |
716 | "DS:roottotal:GAUGE:120:0:U", | |
717 | "DS:rootused:GAUGE:120:0:U", | |
718 | "DS:netin:DERIVE:120:0:U", | |
719 | "DS:netout:DERIVE:120:0:U", | |
720 | ||
721 | "RRA:AVERAGE:0.5:1:70", # 1 min avg - one hour | |
722 | "RRA:AVERAGE:0.5:30:70", # 30 min avg - one day | |
723 | "RRA:AVERAGE:0.5:180:70", # 3 hour avg - one week | |
724 | "RRA:AVERAGE:0.5:720:70", # 12 hour avg - one month | |
725 | "RRA:AVERAGE:0.5:10080:70", # 7 day avg - ony year | |
726 | ||
727 | "RRA:MAX:0.5:1:70", # 1 min max - one hour | |
728 | "RRA:MAX:0.5:30:70", # 30 min max - one day | |
729 | "RRA:MAX:0.5:180:70", # 3 hour max - one week | |
730 | "RRA:MAX:0.5:720:70", # 12 hour max - one month | |
731 | "RRA:MAX:0.5:10080:70", # 7 day max - ony year | |
732 | ]; | |
733 | ||
734 | sub cond_create_rrd_file { | |
735 | my ($filename, $rrddef) = @_; | |
736 | ||
737 | return if -f $filename; | |
738 | ||
739 | my @args = ($filename); | |
740 | ||
741 | push @args, "--daemon" => "unix:${rrdcached_socket}" | |
742 | if -S $rrdcached_socket; | |
743 | ||
744 | push @args, '--step', 60; | |
745 | ||
746 | push @args, @$rrddef; | |
747 | ||
748 | # print "TEST: " . join(' ', @args) . "\n"; | |
749 | ||
750 | RRDs::create(@args); | |
751 | my $err = RRDs::error; | |
752 | die "RRD error: $err\n" if $err; | |
753 | } | |
754 | ||
755 | sub update_node_status_rrd { | |
756 | ||
757 | my $filename = "$rrd_dir/pmg-node-v1.rrd"; | |
758 | cond_create_rrd_file($filename, $rrd_def_node); | |
759 | ||
760 | my ($avg1, $avg5, $avg15) = PVE::ProcFSTools::read_loadavg(); | |
761 | ||
762 | my $stat = PVE::ProcFSTools::read_proc_stat(); | |
763 | ||
764 | my $netdev = PVE::ProcFSTools::read_proc_net_dev(); | |
765 | ||
766 | my ($uptime) = PVE::ProcFSTools::read_proc_uptime(); | |
767 | ||
768 | my $cpuinfo = PVE::ProcFSTools::read_cpuinfo(); | |
769 | ||
770 | my $maxcpu = $cpuinfo->{cpus}; | |
771 | ||
772 | # traffic from/to physical interface cards | |
773 | my $netin = 0; | |
774 | my $netout = 0; | |
775 | foreach my $dev (keys %$netdev) { | |
776 | next if $dev !~ m/^eth\d+$/; | |
777 | $netin += $netdev->{$dev}->{receive}; | |
778 | $netout += $netdev->{$dev}->{transmit}; | |
779 | } | |
780 | ||
781 | my $meminfo = PVE::ProcFSTools::read_meminfo(); | |
782 | ||
783 | my $dinfo = df('/', 1); # output is bytes | |
784 | ||
785 | my $ctime = time(); | |
786 | ||
787 | # everything not free is considered to be used | |
788 | my $dused = $dinfo->{blocks} - $dinfo->{bfree}; | |
789 | ||
790 | my $data = "$ctime:$avg1:$maxcpu:$stat->{cpu}:$stat->{wait}:" . | |
791 | "$meminfo->{memtotal}:$meminfo->{memused}:" . | |
792 | "$meminfo->{swaptotal}:$meminfo->{swapused}:" . | |
793 | "$dinfo->{blocks}:$dused:$netin:$netout"; | |
794 | ||
795 | ||
796 | my @args = ($filename); | |
797 | ||
798 | push @args, "--daemon" => "unix:${rrdcached_socket}" | |
799 | if -S $rrdcached_socket; | |
800 | ||
801 | push @args, $data; | |
802 | ||
803 | # print "TEST: " . join(' ', @args) . "\n"; | |
804 | ||
805 | RRDs::update(@args); | |
806 | my $err = RRDs::error; | |
807 | die "RRD error: $err\n" if $err; | |
808 | } | |
809 | ||
065b2986 DM |
810 | sub create_rrd_data { |
811 | my ($rrdname, $timeframe, $cf) = @_; | |
812 | ||
813 | my $rrd = "${rrd_dir}/$rrdname"; | |
814 | ||
815 | my $setup = { | |
816 | hour => [ 60, 70 ], | |
817 | day => [ 60*30, 70 ], | |
818 | week => [ 60*180, 70 ], | |
819 | month => [ 60*720, 70 ], | |
820 | year => [ 60*10080, 70 ], | |
821 | }; | |
822 | ||
823 | my ($reso, $count) = @{$setup->{$timeframe}}; | |
824 | my $ctime = $reso*int(time()/$reso); | |
825 | my $req_start = $ctime - $reso*$count; | |
826 | ||
827 | $cf = "AVERAGE" if !$cf; | |
828 | ||
829 | my @args = ( | |
830 | "-s" => $req_start, | |
831 | "-e" => $ctime - 1, | |
832 | "-r" => $reso, | |
833 | ); | |
834 | ||
835 | push @args, "--daemon" => "unix:${rrdcached_socket}" | |
836 | if -S $rrdcached_socket; | |
837 | ||
838 | my ($start, $step, $names, $data) = RRDs::fetch($rrd, $cf, @args); | |
839 | ||
840 | my $err = RRDs::error; | |
841 | die "RRD error: $err\n" if $err; | |
842 | ||
843 | die "got wrong time resolution ($step != $reso)\n" | |
844 | if $step != $reso; | |
845 | ||
846 | my $res = []; | |
847 | my $fields = scalar(@$names); | |
848 | for my $line (@$data) { | |
849 | my $entry = { 'time' => $start }; | |
850 | $start += $step; | |
851 | for (my $i = 0; $i < $fields; $i++) { | |
852 | my $name = $names->[$i]; | |
853 | if (defined(my $val = $line->[$i])) { | |
854 | $entry->{$name} = $val; | |
855 | } else { | |
856 | # leave empty fields undefined | |
857 | # maybe make this configurable? | |
858 | } | |
859 | } | |
860 | push @$res, $entry; | |
861 | } | |
862 | ||
863 | return $res; | |
864 | } | |
865 | ||
8da6f9ec DM |
866 | sub decode_to_html { |
867 | my ($charset, $data) = @_; | |
868 | ||
869 | my $res = $data; | |
870 | ||
871 | eval { $res = encode_entities(decode($charset, $data)); }; | |
872 | ||
873 | return $res; | |
874 | } | |
875 | ||
46f9e9af DM |
876 | sub decode_rfc1522 { |
877 | my ($enc) = @_; | |
878 | ||
879 | my $res = ''; | |
880 | ||
881 | return '' if !$enc; | |
882 | ||
883 | eval { | |
884 | foreach my $r (MIME::Words::decode_mimewords($enc)) { | |
885 | my ($d, $cs) = @$r; | |
886 | if ($d) { | |
887 | if ($cs) { | |
888 | $res .= decode($cs, $d); | |
889 | } else { | |
890 | $res .= $d; | |
891 | } | |
892 | } | |
893 | } | |
894 | }; | |
895 | ||
896 | $res = $enc if $@; | |
897 | ||
898 | return $res; | |
899 | } | |
900 | ||
9a56f771 DM |
901 | sub rfc1522_to_html { |
902 | my ($enc) = @_; | |
903 | ||
904 | my $res = ''; | |
905 | ||
906 | return '' if !$enc; | |
907 | ||
908 | eval { | |
909 | foreach my $r (MIME::Words::decode_mimewords($enc)) { | |
910 | my ($d, $cs) = @$r; | |
911 | if ($d) { | |
912 | if ($cs) { | |
913 | $res .= encode_entities(decode($cs, $d)); | |
914 | } else { | |
915 | $res .= encode_entities($d); | |
916 | } | |
917 | } | |
918 | } | |
919 | }; | |
920 | ||
921 | $res = $enc if $@; | |
922 | ||
923 | return $res; | |
924 | } | |
925 | ||
9d26ab13 DM |
926 | # RFC 2047 B-ENCODING http://rfc.net/rfc2047.html |
927 | # (Q-Encoding is complex and error prone) | |
928 | sub bencode_header { | |
929 | my $txt = shift; | |
930 | ||
931 | my $CRLF = "\015\012"; | |
932 | ||
933 | # Nonprintables (controls + x7F + 8bit): | |
934 | my $NONPRINT = "\\x00-\\x1F\\x7F-\\xFF"; | |
935 | ||
936 | # always use utf-8 (work with japanese character sets) | |
937 | $txt = encode("UTF-8", $txt); | |
938 | ||
939 | return $txt if $txt !~ /[$NONPRINT]/o; | |
940 | ||
941 | my $res = ''; | |
942 | ||
943 | while ($txt =~ s/^(.{1,42})//sm) { | |
944 | my $t = MIME::Words::encode_mimeword ($1, 'B', 'UTF-8'); | |
945 | $res .= $res ? "\015\012\t$t" : $t; | |
946 | } | |
947 | ||
948 | return $res; | |
949 | } | |
950 | ||
7d89adf4 DM |
951 | sub load_sa_descriptions { |
952 | ||
953 | my @dirs = ('/usr/share/spamassassin', | |
954 | '/usr/share/spamassassin-extra'); | |
955 | ||
956 | my $res = {}; | |
957 | ||
958 | my $parse_sa_file = sub { | |
959 | my ($file) = @_; | |
960 | ||
961 | open(my $fh,'<', $file); | |
962 | return if !defined($fh); | |
963 | ||
964 | while (defined(my $line = <$fh>)) { | |
965 | if ($line =~ m/^describe\s+(\S+)\s+(.*)\s*$/) { | |
966 | my ($name, $desc) = ($1, $2); | |
967 | next if $res->{$name}; | |
968 | $res->{$name}->{desc} = $desc; | |
969 | if ($desc =~ m|[\(\s](http:\/\/\S+\.[^\s\.\)]+\.[^\s\.\)]+)|i) { | |
970 | $res->{$name}->{url} = $1; | |
971 | } | |
972 | } | |
973 | } | |
974 | close($fh); | |
975 | }; | |
976 | ||
977 | foreach my $dir (@dirs) { | |
978 | foreach my $file (<$dir/*.cf>) { | |
979 | $parse_sa_file->($file); | |
980 | } | |
981 | } | |
982 | ||
983 | return $res; | |
984 | } | |
985 | ||
8162c745 DM |
986 | sub format_uptime { |
987 | my ($uptime) = @_; | |
988 | ||
989 | my $days = int($uptime/86400); | |
990 | $uptime -= $days*86400; | |
991 | ||
992 | my $hours = int($uptime/3600); | |
993 | $uptime -= $hours*3600; | |
994 | ||
995 | my $mins = $uptime/60; | |
996 | ||
997 | if ($days) { | |
998 | my $ds = $days > 1 ? 'days' : 'day'; | |
999 | return sprintf "%d $ds %02d:%02d", $days, $hours, $mins; | |
1000 | } else { | |
1001 | return sprintf "%02d:%02d", $hours, $mins; | |
1002 | } | |
1003 | } | |
1004 | ||
3dfe317a DM |
1005 | sub finalize_report { |
1006 | my ($tt, $template, $data, $mailfrom, $receiver, $debug) = @_; | |
1007 | ||
1008 | my $html = ''; | |
1009 | ||
1010 | $tt->process($template, $data, \$html) || | |
1011 | die $tt->error() . "\n"; | |
1012 | ||
1013 | my $title; | |
1014 | if ($html =~ m|^\s*<title>(.*)</title>|m) { | |
1015 | $title = $1; | |
1016 | } else { | |
1017 | die "unable to extract template title\n"; | |
1018 | } | |
1019 | ||
1020 | my $top = MIME::Entity->build( | |
1021 | Type => "multipart/related", | |
1022 | To => $data->{pmail}, | |
1023 | From => $mailfrom, | |
1024 | Subject => bencode_header(decode_entities($title))); | |
1025 | ||
1026 | $top->attach( | |
1027 | Data => $html, | |
1028 | Type => "text/html", | |
1029 | Encoding => $debug ? 'binary' : 'quoted-printable'); | |
1030 | ||
1031 | if ($debug) { | |
1032 | $top->print(); | |
1033 | return; | |
1034 | } | |
1035 | # we use an empty envelope sender (we dont want to receive NDRs) | |
1036 | PMG::Utils::reinject_mail ($top, '', [$receiver], undef, $data->{fqdn}); | |
1037 | } | |
1038 | ||
2f7031b7 DM |
1039 | sub lookup_timespan { |
1040 | my ($timespan) = @_; | |
1041 | ||
1042 | my (undef, undef, undef, $mday, $mon, $year) = localtime(time()); | |
1043 | my $daystart = timelocal(0, 0, 0, $mday, $mon, $year); | |
1044 | ||
1045 | my $start; | |
1046 | my $end; | |
1047 | ||
1048 | if ($timespan eq 'today') { | |
1049 | $start = $daystart; | |
1050 | $end = $start + 86400; | |
1051 | } elsif ($timespan eq 'yesterday') { | |
1052 | $end = $daystart; | |
1053 | $start = $end - 86400; | |
1054 | } elsif ($timespan eq 'week') { | |
1055 | $end = $daystart; | |
1056 | $start = $end - 7*86400; | |
1057 | } else { | |
1058 | die "internal error"; | |
1059 | } | |
1060 | ||
1061 | return ($start, $end); | |
1062 | } | |
1063 | ||
758c7b6b | 1064 | 1; |