├── hosts.ini ├── .gitignore ├── test.yml ├── config.go ├── conf └── defaults.toml ├── config_test.go ├── ansible.cfg ├── main.go ├── README.md ├── connection_plugins └── agent.py ├── ansible ├── server_test.go ├── ldap.go └── server.go └── LICENSE /hosts.ini: -------------------------------------------------------------------------------- 1 | default ansible_ssh_host=127.0.0.1 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | /ansible-agent 3 | /ansible.toml 4 | -------------------------------------------------------------------------------- /test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: default 3 | connection: agent 4 | tasks: 5 | - name: run echo command 6 | command: echo 'hello world!' 7 | -------------------------------------------------------------------------------- /config.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "github.com/jsternberg/ansible-agent/ansible" 4 | 5 | type Config struct { 6 | SSL SSLSection 7 | Ldap ansible.LdapOptions 8 | } 9 | 10 | type SSLSection struct { 11 | Enabled bool 12 | Certificate string 13 | PrivateKey string `toml:"private_key"` 14 | ClientCA string `toml:"client_ca"` 15 | } 16 | 17 | func DefaultConfig() *Config { 18 | return &Config{} 19 | } 20 | -------------------------------------------------------------------------------- /conf/defaults.toml: -------------------------------------------------------------------------------- 1 | # Configures the daemon to use SSL. 2 | # This is recommended for all agents. 3 | [ssl] 4 | # enabled = false 5 | 6 | # The SSL certificate for the server. This will most likely be a self-signed 7 | # certificate. 
If you want the remote machine to verify the server, this file 8 | # should also be made available to the clients by a different method. 9 | # certificate = 10 | 11 | # The SSL private key for the server. Keep this secret. 12 | # private_key = 13 | 14 | # Enables password authentication with LDAP. 15 | [ldap] 16 | # enabled = false 17 | 18 | # LDAP connection url. This must be in the format `$protocol://$host[:$port]`. 19 | # The protocol can be either `ldap` or `ldaps`. If using plain text, the 20 | # default port is 389. If SSL, the default port is 636. 21 | # host = "ldap://127.0.0.1:389" 22 | 23 | # Base DN for the search tree. 24 | # base_dn = "dn=example,dn=com" 25 | 26 | # Filter to use for finding the user. This should be in printf format with 27 | # exactly one `%s`. The string inserted will already be escaped for LDAP. 28 | # user_filter = "(uid=%s)" 29 | -------------------------------------------------------------------------------- /config_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/BurntSushi/toml" 7 | "github.com/stretchr/testify/assert" 8 | ) 9 | 10 | const TestConfig = ` 11 | [ssl] 12 | enabled = true 13 | certificate = "/etc/ansible/server.cert" 14 | private_key = "/etc/ansible/server.key" 15 | 16 | [ldap] 17 | enabled = true 18 | host = "ldaps://example.com" 19 | port = 636 20 | base_dn = "dc=example,dc=com" 21 | user_filter = "(uid=%s)" 22 | ` 23 | 24 | func TestDefaultConfig(t *testing.T) { 25 | assert := assert.New(t) 26 | 27 | config := DefaultConfig() 28 | assert.False(config.SSL.Enabled) 29 | assert.False(config.Ldap.Enabled) 30 | } 31 | 32 | func TestConfigLoad(t *testing.T) { 33 | assert := assert.New(t) 34 | 35 | config := DefaultConfig() 36 | if err := toml.Unmarshal([]byte(TestConfig), config); assert.NoError(err) { 37 | assert.True(config.SSL.Enabled) 38 | assert.Equal("/etc/ansible/server.cert", config.SSL.Certificate) 39 
| assert.Equal("/etc/ansible/server.key", config.SSL.PrivateKey) 40 | 41 | assert.True(config.Ldap.Enabled) 42 | assert.Equal("ldaps://example.com", config.Ldap.Host) 43 | assert.Equal(uint16(636), config.Ldap.Port) 44 | assert.Equal("dc=example,dc=com", config.Ldap.BaseDN) 45 | assert.Equal("(uid=%s)", config.Ldap.UserFilter) 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | #~:INI 2 | # config file for ansible -- http://ansibleworks.com/ 3 | # ================================================== 4 | 5 | # nearly all parameters can be overridden in ansible-playbook 6 | # or with command line flags. ansible will read ~/.ansible.cfg, 7 | # ansible.cfg in the current working directory or 8 | # /etc/ansible/ansible.cfg, whichever it finds first 9 | 10 | [defaults] 11 | 12 | # some basic default values... 13 | hostfile = hosts.ini 14 | library = ./library:/usr/share/ansible 15 | remote_tmp = $HOME/.ansible/tmp 16 | pattern = * 17 | forks = 50 18 | poll_interval = 15 19 | sudo_user = root 20 | #ask_sudo_pass = True 21 | #ask_pass = True 22 | transport = agent 23 | remote_port = 22 24 | 25 | deprecation_warnings = False 26 | # additional paths to search for roles in, colon seperated 27 | roles_path = /etc/ansible/roles 28 | 29 | # uncomment this to disable SSH key host checking 30 | host_key_checking = False 31 | 32 | # change this for alternative sudo implementations 33 | sudo_exe = sudo 34 | # what flags to pass to sudo 35 | sudo_flags = -HE 36 | 37 | # SSH timeout 38 | timeout = 10 39 | 40 | # default user to use for playbooks if user is not specified 41 | # (/usr/bin/ansible will use current user as default) 42 | #remote_user = ubuntu 43 | #ask_pass = True 44 | 45 | # set plugin path directories here, seperate with colons 46 | connection_plugins = ./connection_plugins:/usr/share/ansible_plugins/connection_plugins 47 | 48 | 
[ssh_connection] 49 | pipelining = True 50 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/tls" 5 | "crypto/x509" 6 | "flag" 7 | "io/ioutil" 8 | "log" 9 | "net" 10 | "os" 11 | 12 | "github.com/BurntSushi/toml" 13 | "github.com/jsternberg/ansible-agent/ansible" 14 | ) 15 | 16 | var ( 17 | flConfig = flag.String("c", "", "Server configuration file") 18 | ) 19 | 20 | func realMain() int { 21 | flag.Parse() 22 | 23 | config := DefaultConfig() 24 | if *flConfig != "" { 25 | in, err := ioutil.ReadFile(*flConfig) 26 | if err != nil { 27 | log.Println(err) 28 | return 1 29 | } 30 | 31 | if err := toml.Unmarshal(in, config); err != nil { 32 | log.Println(err) 33 | return 1 34 | } 35 | } 36 | 37 | l, err := net.Listen("tcp", ":8700") 38 | if err != nil { 39 | log.Println(err) 40 | return 1 41 | } 42 | 43 | if config.SSL.Enabled { 44 | cert, err := tls.LoadX509KeyPair(config.SSL.Certificate, config.SSL.PrivateKey) 45 | if err != nil { 46 | log.Println(err) 47 | return 1 48 | } 49 | 50 | tlsConfig := tls.Config{ 51 | Certificates: []tls.Certificate{cert}, 52 | ClientCAs: x509.NewCertPool(), 53 | ClientAuth: tls.NoClientCert, 54 | } 55 | if config.SSL.ClientCA != "" { 56 | data, err := ioutil.ReadFile(config.SSL.ClientCA) 57 | if err != nil { 58 | log.Println(err) 59 | return 1 60 | } 61 | tlsConfig.ClientCAs.AppendCertsFromPEM(data) 62 | tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert 63 | } 64 | l = tls.NewListener(l, &tlsConfig) 65 | } 66 | 67 | server := ansible.NewServer() 68 | if config.Ldap.Enabled { 69 | if err := server.ConfigureLDAP(&config.Ldap); err != nil { 70 | log.Println(err) 71 | return 1 72 | } 73 | } 74 | 75 | if err := server.Serve(l); err != nil { 76 | log.Println(err) 77 | return 1 78 | } 79 | return 0 80 | } 81 | 82 | func main() { 83 | os.Exit(realMain()) 84 | } 85 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Ansible Agent 2 | ------------- 3 | **ARCHIVED:** This project is unused and may be in an incomplete state. 4 | The code is left here just in case it ends up being helpful for someone 5 | who has a similar need and wants some kind of base to write something 6 | for themselves, but this project is unmaintained and probably doesn't 7 | work properly. The remainder of this README is kept as-is for archival 8 | purposes. 9 | 10 | The Ansible Agent is a simple daemon used as a transport for Ansible. 11 | 12 | Ansible traditionally operates over the SSH daemon that is installed on 13 | all machines that are remotely configured. In general, the SSH daemon 14 | and ControlMaster are good enough for most workflows. Using the SSH 15 | daemon makes starting to use Ansible much easier. 16 | 17 | On the other hand, using SSH and ControlMaster can be unreliable 18 | transports. On certain platforms, like Ubuntu, they are unusable because the 19 | SSH daemon will randomly exit with exit status 0 and cause random tasks 20 | to fail ([example](https://github.com/ansible/ansible/issues/9174)). 21 | 22 | When you manage an entire platform with Ansible, owning and 23 | configuring the machines, then being agentless doesn't really matter. As 24 | long as the agent is easy to install, it's trivial to install one either 25 | embedded in the launched image or by just using Ansible to download a 26 | binary and start it. 27 | 28 | Installation 29 | ============ 30 | To install the daemon, copy the binary to the machine and start it. See 31 | the configuration section below for customizing the daemon. 32 | 33 | To have Ansible connect to the agent, copy the file in 34 | `connection_plugins/agent.py` to the connection plugins folder in your 35 | Ansible repository. 
Set the following setting in your `ansible.cfg` 36 | file. 37 | 38 | [defaults] 39 | transport = agent 40 | 41 | You can also configure the connection type in the playbook by doing: 42 | 43 | --- 44 | - hosts: all 45 | connection: agent 46 | tasks: 47 | - name: print a greeting message 48 | command: echo "Hello, World!" 49 | 50 | Configuration 51 | ============= 52 | The server configuration file is in toml. A sample configuration is 53 | provided in `conf/defaults.toml`. 54 | -------------------------------------------------------------------------------- /connection_plugins/agent.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Copyright 2015, Jonathan A. Sternberg 4 | # 5 | # This Source Code Form is subject to the terms of the Mozilla Public 6 | # License, v. 2.0. If a copy of the MPL was not distributed with this 7 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. 8 | 9 | import os 10 | import requests 11 | from StringIO import StringIO 12 | from ansible import errors, utils 13 | from ansible.callbacks import vvv 14 | from ansible.constants import p, get_config 15 | 16 | DEFAULT_USE_SSL = get_config(p, 'agent', 'use_ssl', None, False, boolean=True) 17 | CERTIFICATE = get_config(p, 'agent', 'certificate', None, None) 18 | 19 | class Connection(object): 20 | 21 | def __init__(self, runner, host, port, user, password, *args, **kwargs): 22 | self.runner = runner 23 | self.host = host 24 | self.port = port or 8700 25 | self.user = user 26 | self.password = password 27 | self.proto = 'http' 28 | if DEFAULT_USE_SSL: 29 | self.proto = 'https' 30 | self.has_pipelining = True 31 | 32 | def _build_url(self, url): 33 | return '{proto}://{host}:{port}{url}'.format(proto=self.proto, host=self.host, port=self.port, url=url) 34 | 35 | def connect(self): 36 | vvv("ESTABLISH CONNECTION FOR USER: %s" % self.user, host=self.host) 37 | self.session = requests.Session() 38 | self.session.auth = 
(self.user, self.password) 39 | if CERTIFICATE: 40 | self.session.cert = os.path.expanduser(CERTIFICATE) 41 | self.session.verify = False 42 | return self 43 | 44 | def exec_command(self, cmd, tmp_path, sudoable=False, in_data=None, **kwargs): 45 | vvv("EXEC %s" % cmd, host=self.host) 46 | 47 | data = {'command': cmd} 48 | executable = kwargs.get('executable') 49 | if executable is not None: 50 | data['executable'] = executable 51 | 52 | if self.runner.become and sudoable: 53 | data['become'] = 1 54 | if self.runner.become_method: 55 | data['becomeMethod'] = self.runner.become_method 56 | 57 | files = {} 58 | if in_data: 59 | files['stdin'] = StringIO(in_data) 60 | 61 | r = self.session.post(self._build_url('/exec'), data=data, files=files) 62 | if r.status_code == 200: 63 | data = r.json() 64 | return (data['status'], data['stdin'], data['stdout'], data['stderr']) 65 | 66 | return (255, '', '', r.text) 67 | 68 | def put_file(self, in_path, out_path): 69 | vvv("PUT %s TO %s" % (in_path, out_path), host=self.host) 70 | with open(in_path, 'rb') as fp: 71 | r = self.session.put(self._build_url('/upload'), data={'dest': out_path}, files={'src': fp}) 72 | 73 | if r.status_code != 200: 74 | raise errors.AnsibleError("failed to transfer file from %s" % in_path) 75 | 76 | def fetch_file(self, in_path, out_path): 77 | vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host) 78 | raise errors.AnsibleError("not unimplemented") 79 | 80 | def close(self): 81 | self.session.close() 82 | -------------------------------------------------------------------------------- /ansible/server_test.go: -------------------------------------------------------------------------------- 1 | package ansible 2 | 3 | import ( 4 | "bytes" 5 | "encoding/json" 6 | "io" 7 | "io/ioutil" 8 | "mime/multipart" 9 | "net/http" 10 | "net/http/httptest" 11 | "net/url" 12 | "os" 13 | "path/filepath" 14 | "strings" 15 | "testing" 16 | 17 | "github.com/stretchr/testify/assert" 18 | ) 19 | 20 | func 
TestServerPing(t *testing.T) { 21 | assert := assert.New(t) 22 | 23 | req, err := http.NewRequest("GET", "/ping", nil) 24 | if err != nil { 25 | t.Fatal(err) 26 | } 27 | res := httptest.NewRecorder() 28 | 29 | server := NewServer() 30 | server.ServeHTTP(res, req) 31 | 32 | if assert.Equal(200, res.Code) { 33 | var out map[string]string 34 | decoder := json.NewDecoder(res.Body) 35 | if err := decoder.Decode(&out); err != nil { 36 | t.Fatal(err) 37 | } 38 | 39 | assert.Equal(0, len(out)) 40 | } 41 | } 42 | 43 | func TestServerExec(t *testing.T) { 44 | assert := assert.New(t) 45 | 46 | form := url.Values{} 47 | form.Add("command", "echo hello world") 48 | 49 | req, err := http.NewRequest("POST", "/exec", strings.NewReader(form.Encode())) 50 | if err != nil { 51 | t.Fatal(err) 52 | } 53 | req.Header.Add("Content-Type", "application/x-www-form-urlencoded") 54 | res := httptest.NewRecorder() 55 | 56 | server := NewServer() 57 | server.ServeHTTP(res, req) 58 | 59 | if assert.Equal(200, res.Code) { 60 | var out map[string]interface{} 61 | decoder := json.NewDecoder(res.Body) 62 | if err := decoder.Decode(&out); err != nil { 63 | t.Fatal(err) 64 | } 65 | 66 | status, ok := out["status"] 67 | if assert.True(ok, "missing 'status' from json response") { 68 | assert.Equal(0, int(status.(float64))) 69 | } 70 | stdin, ok := out["stdin"] 71 | if assert.True(ok, "missing 'stdin' from json response") { 72 | assert.Equal("", stdin.(string)) 73 | } 74 | stdout, ok := out["stdout"] 75 | if assert.True(ok, "missing 'stdout' from json response") { 76 | assert.Equal("hello world\n", stdout.(string)) 77 | } 78 | stderr, ok := out["stderr"] 79 | if assert.True(ok, "missing 'stderr' from json response") { 80 | assert.Equal("", stderr.(string)) 81 | } 82 | } 83 | } 84 | 85 | func TestServerPutFile(t *testing.T) { 86 | assert := assert.New(t) 87 | 88 | tmpdir, err := ioutil.TempDir(os.TempDir(), "ansible-agent") 89 | if err != nil { 90 | t.Fatal(err) 91 | } 92 | defer os.RemoveAll(tmpdir) 93 | 
94 | var buffer bytes.Buffer 95 | bodyWriter := multipart.NewWriter(&buffer) 96 | 97 | fileWriter, err := bodyWriter.CreateFormFile("src", "test.txt") 98 | if err != nil { 99 | t.Fatal(err) 100 | } 101 | io.WriteString(fileWriter, "hello world\n") 102 | 103 | outputFile := filepath.Join(tmpdir, "test.txt") 104 | bodyWriter.WriteField("dest", outputFile) 105 | contentType := bodyWriter.FormDataContentType() 106 | bodyWriter.Close() 107 | 108 | req, err := http.NewRequest("PUT", "/upload", &buffer) 109 | if err != nil { 110 | t.Fatal(err) 111 | } 112 | req.Header.Add("Content-Type", contentType) 113 | res := httptest.NewRecorder() 114 | 115 | server := NewServer() 116 | server.ServeHTTP(res, req) 117 | 118 | if assert.Equal(200, res.Code) { 119 | content, err := ioutil.ReadFile(outputFile) 120 | if assert.NoError(err) { 121 | assert.Equal("hello world\n", string(content)) 122 | } 123 | } 124 | } 125 | -------------------------------------------------------------------------------- /ansible/ldap.go: -------------------------------------------------------------------------------- 1 | package ansible 2 | 3 | import ( 4 | "crypto/tls" 5 | "fmt" 6 | "log" 7 | "net/http" 8 | "regexp" 9 | "strconv" 10 | 11 | "github.com/go-martini/martini" 12 | "github.com/martini-contrib/auth" 13 | "github.com/mavricknz/ldap" 14 | ) 15 | 16 | var HostExpr = regexp.MustCompile(`^(ldaps?)://([\w-.]+)(:(\d+))?$`) 17 | 18 | type LdapOptions struct { 19 | Enabled bool 20 | Host string 21 | Port uint16 22 | SSL bool 23 | BaseDN string `toml:"base_dn"` 24 | UserFilter string `toml:"user_filter"` 25 | } 26 | 27 | type ldapConfig struct { 28 | Host string 29 | Port uint16 30 | SSL bool 31 | } 32 | 33 | func LdapAuthenticator(options *LdapOptions) (martini.Handler, error) { 34 | hostInfo := HostExpr.FindStringSubmatch(options.Host) 35 | 36 | config := &ldapConfig{} 37 | switch hostInfo[1] { 38 | case "ldap": 39 | config.SSL = false 40 | case "ldaps": 41 | config.SSL = true 42 | default: 43 | return 
nil, fmt.Errorf("invalid ldap protocol: %s", hostInfo[1]) 44 | } 45 | config.Host = hostInfo[2] 46 | 47 | if hostInfo[4] != "" { 48 | port, err := strconv.ParseUint(hostInfo[4], 10, 16) 49 | if err != nil { 50 | return nil, fmt.Errorf("unable to parse ldap port: %s", err) 51 | } 52 | config.Port = uint16(port) 53 | } else { 54 | if config.SSL { 55 | config.Port = 636 56 | } else { 57 | config.Port = 389 58 | } 59 | } 60 | 61 | return func(res http.ResponseWriter, req *http.Request, c martini.Context, log *log.Logger) { 62 | // HACK TODO: do not put routing logic in the auth handler 63 | // The /ping endpoint does not have auth, so explicitly exclude it here 64 | if req.URL.Path == "/ping" { 65 | return 66 | } 67 | 68 | authHandler := auth.BasicFunc(func(username, password string) bool { 69 | // create the ldap server connection 70 | var conn *ldap.LDAPConnection 71 | if config.SSL { 72 | tlsConfig := tls.Config{ 73 | ServerName: config.Host, 74 | } 75 | conn = ldap.NewLDAPSSLConnection(config.Host, config.Port, &tlsConfig) 76 | } else { 77 | conn = ldap.NewLDAPConnection(config.Host, config.Port) 78 | } 79 | 80 | // attempt to connect to the ldap server 81 | if err := conn.Connect(); err != nil { 82 | log.Printf("Unable to connect to LDAP: %s", err) 83 | return false 84 | } 85 | 86 | // perform an anonymous search for the user's dn so we can attempt to bind as them 87 | req := ldap.SearchRequest{ 88 | BaseDN: options.BaseDN, 89 | Filter: fmt.Sprintf(options.UserFilter, ldap.EscapeFilterValue(username)), 90 | Scope: ldap.ScopeWholeSubtree, 91 | } 92 | res, err := conn.Search(&req) 93 | if err != nil { 94 | log.Printf("Error performing LDAP search: %s", err) 95 | return false 96 | } 97 | 98 | // Return false if the number of entries isn't exactly 1. If multiple 99 | // results were returned, there is an ambiguity so return false instead 100 | // of proceeding. If no entries were returned, we have no idea who this 101 | // is and cannot authenticate. 
102 | if len(res.Entries) != 1 { 103 | if len(res.Entries) > 1 { 104 | log.Printf("User '%s' attempted to authenticate but multiple entries exists", username) 105 | } else { 106 | log.Printf("User '%s' attempted to authenticate but does not exist", username) 107 | } 108 | return false 109 | } 110 | 111 | dn := res.Entries[0].DN 112 | if err := conn.Bind(dn, password); err != nil { 113 | log.Printf("User '%s' attempted to authenticate but provided an invalid password", username) 114 | return false 115 | } 116 | log.Printf("Authenticated successfully as %s", username) 117 | return true 118 | }) 119 | authenticate := authHandler.(func(http.ResponseWriter, *http.Request, martini.Context)) 120 | authenticate(res, req, c) 121 | }, nil 122 | } 123 | -------------------------------------------------------------------------------- /ansible/server.go: -------------------------------------------------------------------------------- 1 | package ansible 2 | 3 | import ( 4 | "bytes" 5 | "encoding/json" 6 | "fmt" 7 | "io" 8 | "io/ioutil" 9 | "net" 10 | "net/http" 11 | "os" 12 | "os/exec" 13 | "strconv" 14 | "strings" 15 | 16 | "github.com/go-martini/martini" 17 | ) 18 | 19 | type Server struct { 20 | m *martini.Martini 21 | } 22 | 23 | func NewServer() *Server { 24 | s := &Server{} 25 | r := martini.NewRouter() 26 | r.Get("/ping", s.Ping) 27 | r.Post("/exec", s.ExecCommand) 28 | r.Put("/upload", s.PutFile) 29 | 30 | m := martini.New() 31 | m.Use(martini.Logger()) 32 | m.Use(martini.Recovery()) 33 | m.MapTo(r, (*martini.Routes)(nil)) 34 | m.Action(r.Handle) 35 | s.m = m 36 | return s 37 | } 38 | 39 | func (s *Server) ConfigureLDAP(options *LdapOptions) error { 40 | handler, err := LdapAuthenticator(options) 41 | if err != nil { 42 | return err 43 | } 44 | s.m.Use(handler) 45 | return nil 46 | } 47 | 48 | func (s *Server) Serve(l net.Listener) error { 49 | return http.Serve(l, s.m) 50 | } 51 | 52 | func (s *Server) Ping() []byte { 53 | serverInfo := map[string]string{} 54 | out, _ 
:= json.Marshal(&serverInfo) 55 | return out 56 | } 57 | 58 | func (s *Server) ExecCommand(req *http.Request) (int, interface{}) { 59 | command := req.FormValue("command") 60 | if command == "" { 61 | return http.StatusInternalServerError, "command is a required parameter\n" 62 | } 63 | 64 | executable := req.FormValue("executable") 65 | if executable == "" { 66 | executable = "/bin/sh" 67 | } 68 | 69 | become := false 70 | if arg := req.FormValue("become"); arg != "" { 71 | value, err := strconv.Atoi(arg) 72 | if err != nil { 73 | return http.StatusInternalServerError, fmt.Sprintf("error decoding 'become' value: %s", err) 74 | } 75 | 76 | if value != 0 { 77 | become = true 78 | } 79 | } 80 | 81 | becomeMethod := req.FormValue("becomeMethod") 82 | if becomeMethod == "" { 83 | becomeMethod = "sudo" 84 | } 85 | 86 | // if the /exec request contains stdin, we are likely pipelining 87 | // if some other error happens, we want to report the error and exit 88 | // read all of stdin and write to a temporary file, then pipe that file to the process 89 | // interpreters have a bad habit of executing files before they have finished transferring 90 | // and can be a vector for security vulnerabilities when a file is only half-read. 
91 | var stdin io.ReadCloser 92 | if strings.HasPrefix(req.Header.Get("Content-Type"), "multipart/form-data") { 93 | input, _, err := req.FormFile("stdin") 94 | if err != nil && err != http.ErrMissingFile { 95 | return http.StatusInternalServerError, fmt.Sprintf("%s\n", err.Error()) 96 | } 97 | 98 | tmpfile, err := ioutil.TempFile(os.TempDir(), "ansible-stdin") 99 | if err != nil { 100 | return http.StatusInternalServerError, fmt.Sprintf("%s\n", err.Error()) 101 | } 102 | defer os.Remove(tmpfile.Name()) 103 | 104 | _, err = io.Copy(tmpfile, input) 105 | tmpfile.Close() 106 | if err != nil { 107 | return http.StatusInternalServerError, fmt.Sprintf("%s\n", err.Error()) 108 | } 109 | 110 | stdin, err = os.Open(tmpfile.Name()) 111 | if err != nil { 112 | return http.StatusInternalServerError, fmt.Sprintf("%s\n", err.Error()) 113 | } 114 | defer stdin.Close() 115 | } 116 | 117 | stdout := bytes.NewBuffer(nil) 118 | stderr := bytes.NewBuffer(nil) 119 | 120 | // preallocate the command array (we have a maximum of 5 elements at the moment) 121 | cmdArgs := make([]string, 0, 5) 122 | if become { 123 | switch becomeMethod { 124 | case "sudo": 125 | cmdArgs = append(cmdArgs, "sudo", "-n") 126 | default: 127 | return http.StatusInternalServerError, fmt.Sprintf("unsupported become method '%s'", becomeMethod) 128 | } 129 | } 130 | cmdArgs = append(cmdArgs, executable, "-c", command) 131 | 132 | cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...) 
133 | cmd.Stdin = stdin 134 | cmd.Stdout = stdout 135 | cmd.Stderr = stderr 136 | err := cmd.Run() 137 | 138 | data := map[string]interface{}{} 139 | if err != nil { 140 | data["status"] = 1 141 | } else { 142 | data["status"] = 0 143 | } 144 | data["stdin"] = "" 145 | data["stdout"] = stdout.String() 146 | data["stderr"] = stderr.String() 147 | 148 | out, err := json.Marshal(&data) 149 | if err != nil { 150 | return http.StatusInternalServerError, err.Error() 151 | } 152 | return http.StatusOK, out 153 | } 154 | 155 | func (s *Server) PutFile(req *http.Request) (int, string) { 156 | dest := req.FormValue("dest") 157 | src, _, err := req.FormFile("src") 158 | if err != nil { 159 | return http.StatusInternalServerError, err.Error() 160 | } 161 | 162 | f, err := os.Create(dest) 163 | if err != nil { 164 | return http.StatusInternalServerError, err.Error() 165 | } 166 | defer f.Close() 167 | 168 | io.Copy(f, src) 169 | return http.StatusOK, "" 170 | } 171 | 172 | func (s *Server) ServeHTTP(res http.ResponseWriter, req *http.Request) { 173 | s.m.ServeHTTP(res, req) 174 | } 175 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. 
"Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. 
"Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. 
Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. 
Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. 
If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. 
Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. 
If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. 
Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. 
Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 
361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | --------------------------------------------------------------------------------