/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 1999-2002 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include "med_local.h"
#include <sdssc.h>

#include <grp.h>
#include <pwd.h>
#include <signal.h>
#include <syslog.h>
#include <netdir.h>
#include <netdb.h>
#include <sys/resource.h>
#include <sys/priocntl.h>
#include <sys/rtpriocntl.h>
#include <sys/utsname.h>

extern	void	nc_perror(const char *msg);

/* daemon name */
static char	*medname = MED_SERVNAME;

/*
 * reset and exit daemon
 */
void
med_exit(
	int	eval
)
{
	med_err_t	status = med_null_err;

	if (med_db_finit(&status))
		medde_perror(&status, "med_db_finit");

	/* log exit */
	med_eprintf("exiting with %d\n", eval);

	/* exit with value */
	exit(eval);
}

/*
 * signal catchers
 */
static void
med_catcher(
	int	sig
)
{
	char	buf[128];
	char	*msg;

	/* log signal */
	if ((msg = strsignal(sig)) == NULL) {
		(void) sprintf(buf, "unknown signal %d", sig);
		msg = buf;
	}
	med_eprintf("%s\n", msg);

	/* let default handler do it's thing */
	(void) sigset(sig, SIG_DFL);
	if (kill(getpid(), sig) != 0) {
		med_perror("kill(getpid())");
		med_exit(-sig);
	}
}

/*
 * initialize daemon
 */
static int
med_setup(
	med_err_t	*medep
)
{
	/* catch common signals */
	if ((sigset(SIGHUP, med_catcher) == SIG_ERR) ||
	    (sigset(SIGINT, med_catcher) == SIG_ERR) ||
	    (sigset(SIGABRT, med_catcher) == SIG_ERR) ||
	    (sigset(SIGBUS, med_catcher) == SIG_ERR) ||
	    (sigset(SIGSEGV, med_catcher) == SIG_ERR) ||
	    (sigset(SIGPIPE, med_catcher) == SIG_ERR) ||
	    (sigset(SIGTERM, med_catcher) == SIG_ERR)) {
		return (med_error(medep, errno, "sigset"));
	}

	/* ignore SIGALRM (used in med_cv_timedwait) */
	if (sigset(SIGALRM, SIG_IGN) == SIG_ERR) {
		return (med_error(medep, errno, "sigset"));
	}

	/* return success */
	return (0);
}

/*
 * (re)initalize daemon
 */
static int
med_init_daemon(
	med_err_t	*medep
)
{
	static int	already = 0;

	/* setup */
	if (! already) {
		if (med_setup(medep) != 0)
			return (-1);
		openlog(medname, LOG_CONS, LOG_DAEMON);
		already = 1;
	}

	/* return success */
	return (0);
}

/*
 * get my nodename
 */
char *
mynode(void)
{
	static struct utsname	myuname;
	static int		done = 0;

	if (! done) {
		if (uname(&myuname) == -1) {
			med_perror("uname");
			assert(0);
		}
		done = 1;
	}
	return (myuname.nodename);
}

/*
 * check for trusted host and user
 */
static int
check_host(
	struct svc_req		*rqstp		/* RPC stuff */
)
{
	struct authsys_parms	*sys_credp;
	SVCXPRT			*transp = rqstp->rq_xprt;
	struct netconfig	*nconfp = NULL;
	struct nd_hostservlist	*hservlistp = NULL;
	int			i;
	int			rval = -1;
	char			*inplace = NULL;

	/* check for root */
	/*LINTED*/
	sys_credp = (struct authsys_parms *)rqstp->rq_clntcred;
	assert(sys_credp != NULL);
	if (sys_credp->aup_uid != 0)
		goto out;

	/* get hostnames */
	if (transp->xp_netid == NULL) {
		med_eprintf("transp->xp_netid == NULL\n");
		goto out;
	}
	if ((nconfp = getnetconfigent(transp->xp_netid)) == NULL) {
#ifdef	DEBUG
		nc_perror("getnetconfigent(transp->xp_netid)");
#endif
		goto out;
	}
	if ((__netdir_getbyaddr_nosrv(nconfp, &hservlistp, &transp->xp_rtaddr)
	    != 0) || (hservlistp == NULL)) {
#ifdef	DEBUG
		netdir_perror("netdir_getbyaddr(transp->xp_rtaddr)");
#endif
		goto out;
	}

	/* check hostnames */
	for (i = 0; (i < hservlistp->h_cnt); ++i) {
		struct nd_hostserv	*hservp = &hservlistp->h_hostservs[i];
		char			*hostname = hservp->h_host;

		inplace = strdup(hostname);
		sdssc_cm_nm2nid(inplace);
		if (strcmp(inplace, hostname)) {

			/*
			 * If the names are now different it indicates
			 * that hostname was converted to a nodeid. This
			 * will only occur if hostname is part of the same
			 * cluster that the current node is in.
			 * If the machine is not running in a cluster than
			 * sdssc_cm_nm2nid is a noop which leaves inplace
			 * alone.
			 */
			rval = 0;
			goto out;
		}

		/* localhost is OK */
		if (strcmp(hostname, mynode()) == 0) {
			rval = 0;
			goto out;
		}

		if (strcmp(hostname, "localhost") == 0) {
			rval = 0;
			goto out;
		}

		/* check for remote root access */
		if (ruserok(hostname, 1, "root", "root") == 0) {
			rval = 0;
			goto out;
		}
	}

	/* cleanup, return success */
out:
	if (inplace)
		free(inplace);
	if (hservlistp != NULL)
		netdir_free(hservlistp, ND_HOSTSERVLIST);
	if (nconfp != NULL)
		Free(nconfp);
	return (rval);
}

/*
 * check for user in local group 14
 */
static int
check_gid14(
	uid_t		uid
)
{
	struct passwd	*pwp;
	struct group	*grp;
	char		**namep;

	/* get user info, check default GID */
	if ((pwp = getpwuid(uid)) == NULL)
		return (-1);
	if (pwp->pw_gid == MED_GID)
		return (0);

	/* check in group */
	if ((grp = getgrgid(MED_GID)) == NULL)
		return (-1);
	for (namep = grp->gr_mem; ((*namep != NULL) && (**namep != '\0'));
	    ++namep) {
		if (strcmp(*namep, pwp->pw_name) == 0)
			return (0);
	}
	return (-1);
}

/*
 * check AUTH_SYS
 */
static int
check_sys(
	struct svc_req		*rqstp,		/* RPC stuff */
	int			amode,		/* R_OK | W_OK */
	med_err_t		*medep		/* returned status */
)
{
#ifdef	_REENTRANT
	static mutex_t		mx = DEFAULTMUTEX;
#endif	/* _REENTRANT */
	struct authsys_parms	*sys_credp;

	/* for read, anything is OK */
	if (! (amode & W_OK))
		return (0);

#ifdef	_REENTRANT
	/* single thread (not really needed if daemon stays single threaded) */
	mutex_lock(&mx);
#endif	/* _REENTRANT */

	/* check for remote root or METAMED_GID */
	/*LINTED*/
	sys_credp = (struct authsys_parms *)rqstp->rq_clntcred;
	if ((check_gid14(sys_credp->aup_uid) == 0) ||
	    (check_host(rqstp) == 0)) {
#ifdef	_REENTRANT
		mutex_unlock(&mx);
#endif	/* _REENTRANT */
		return (0);
	}

	/* return failure */
#ifdef	_REENTRANT
	mutex_unlock(&mx);
#endif	/* _REENTRANT */
	return (med_error(medep, EACCES, medname));
}

/*
 * setup RPC service
 *
 * if can't authenticate return < 0
 * if any other error return > 0
 */
int
med_init(
	struct svc_req	*rqstp,		/* RPC stuff */
	int		amode,		/* R_OK | W_OK */
	med_err_t	*medep		/* returned status */
)
{
	SVCXPRT		*transp = rqstp->rq_xprt;

	/*
	 * initialize
	 */
	(void) memset(medep, 0, sizeof (*medep));

	if (sdssc_bind_library() == SDSSC_ERROR) {
		(void) med_error(medep, EACCES,
		    "can't bind to cluster library");
		return (1);
	}

	/*
	 * check credentials
	 */
	switch (rqstp->rq_cred.oa_flavor) {

	/* UNIX flavor */
	case AUTH_SYS:
	{
		if (check_sys(rqstp, amode, medep) != 0)
			return (1);	/* error */
		break;
	}

	/* can't authenticate anything else */
	default:
		svcerr_weakauth(transp);
		return (-1);		/* weak authentication */

	}

	/*
	 * (re)initialize
	 */
	if (med_init_daemon(medep) != 0)
		return (1);		/* error */

	/* return success */
	return (0);
}