p4login #4 

#!/bin/bash
#------------------------------------------------------------------------------
# Copyright (c) Perforce Software, Inc., 2007-2015. All rights reserved
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1  Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2.  Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PERFORCE
# SOFTWARE, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
# ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
# TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGE.
#------------------------------------------------------------------------------
set -u

# p4login generates a login ticket for the SDP super user.  It is called
# from cron scripts, and so does not normally generate output to stdout or
# stderr.
#
# Normally output (stdout and stderr) is logged in $LOGS/p4login.log,
# unless unless SDP_INSTANCE isn't defined, in which case it bails
# immediately.
#
# An exit code of 0 indicates a valid login ticket exists, while a
# non-zero exit code indicates a failure to login.

export SDP_INSTANCE=${SDP_INSTANCE:-Undefined}
declare DateFormat='%a %Y-%m-%d %H:%M:%S %Z'

function bail () { echo -e "\nError: ${1:-Unknown Error}"; exit ${2:-1}; }

[[ $SDP_INSTANCE == Undefined ]] && bail "Error: SDP_INSTANCE not defined."

declare TicketExpiration=$($P4BIN -ztag -F %TicketExpiration% -p $P4PORT -u $P4USER login -s 2>/dev/null)
declare Log=$LOGS/p4login.log
echo "$(date +'%a %Y-%m-%d %H:%M:%S %Z'): Checking login status." > $Log

if [[ $TicketExpiration =~ [0-9]+ ]]; then
   # A 'long-term' ticket is one that expires more than a month (31 days + 1 second) from now.
   if [[ $TicketExpiration -ge 2678401 ]]; then
      echo "$(date +'%a %Y-%m-%d %H:%M:%S %Z'): Verified: User $P4USER logged into $P4PORT with a long-term ticket.  Login not required." >> $Log
      exit 0
   else
      echo "$(date +'%a %Y-%m-%d %H:%M:%S %Z'): Warning: User $P4USER logged into $P4PORT with a short-term ticket.  Attempting to extend." >> $Log
      echo Running: $P4BIN -p $P4PORT -u $P4USER -s login -a >> /p4/${SDP_INSTANCE}/logs/p4login.log 2>&1
      $P4BIN -p $P4PORT -u $P4USER -s login -a < /p4/common/bin/adminpass >> /p4/${SDP_INSTANCE}/logs/p4login.log 2>&1
      exit $?
   fi
else
   echo "$(date +'%a %Y-%m-%d %H:%M:%S %Z'): Warning: User $P4USER is not logged into $P4PORT.  Attempting to login." >> $Log
   echo Running: $P4BIN -p $P4PORT -u $P4USER -s login -a >> /p4/${SDP_INSTANCE}/logs/p4login.log 2>&1
   $P4BIN -p $P4PORT -u $P4USER -s login -a < /p4/common/bin/adminpass >> /p4/${SDP_INSTANCE}/logs/p4login.log 2>&1
   exit $?
fi
# Change User Description Committed
#32 31979 C. Thomas Tyler Doc updates related to using encoded password files.
#31 31916 C. Thomas Tyler Tweaks to p4login:

Fixes issue with attempted login with '-a' of service user.

Adapted to support 'operator' type automation users.

Added optional 'userType' parameter to login_user(), to
eliminate an unnecessary 'p4' call to determine the user type.

#review-31917
#30 31733 C. Thomas Tyler Prototype change to use encrypted password file.

Partial fix to: SDP-641

Documentation still needed; the changes is for testing.

#review-31734 @daniel_ferrara
#29 31411 C. Thomas Tyler Changed behavior of '-service' option to that, if used on a commit
server, will login to all active edge servers.

Revised p4login logging write to a single $LOGS/p4login.log file all
day, with the log being rotated daily.  This reduces the number of
p4login.* log files.

First pass at modernizing script internals.

#review-31412
#28 31167 C. Thomas Tyler Fixed p4login bug for case-insensitive servers checking for SERVERID using
case case-sensitive check.

Fixes SDP-1189 (Bug): p4login is wrongly sensitive to case of ServerID on case-insensitive server.
#27 30979 C. Thomas Tyler Eliminated buildup of temp dirs, e.g.
/tmp/tmp.XXXXXXXXXX.

Added remove_jd_tables() function and calls to it to prevent buildup of new
cruft.

Modified remove_old_logs() to cleanup cruft created previously.

#review-30980 @robert_cowham
#26 30270 Robert Cowham Fix shellcheck warnings and use of copy_jd_table
#25 30267 Robert Cowham Copy files to be dumped via p4d -jd to tmp dir first
to avoid locks on P4ROOT (or offline_db)

SDP-1087
#24 29410 C. Thomas Tyler Fixed bug where p4login substitunes only first comma (',') instead
of all commas in SDP_AUTOMATION_USERS.
#23 29408 C. Thomas Tyler Fixed bug with regex that needed to be tightened in p4login.
#22 27722 C. Thomas Tyler Refinements to @27712:
* Resolved one out-of-date file (verify_sdp.sh).
* Added missing adoc file for which HTML file had a change (WorkflowEnforcementTriggers.adoc).
* Updated revdate/revnumber in *.adoc files.
* Additional content updates in Server/Unix/p4/common/etc/cron.d/ReadMe.md.
* Bumped version numbers on scripts with Version= def'n.
* Generated HTML, PDF, and doc/gen files:
  - Most HTML and all PDF are generated using Makefiles that call an AsciiDoc utility.
  - HTML for Perl scripts is generated with pod2html.
  - doc/gen/*.man.txt files are generated with .../tools/gen_script_man_pages.sh.

#review-27712
#21 26855 C. Thomas Tyler Fixed minor bug in p4login where 'p4 login -a' could be attempted for a service
user if it has only a short-term ticket. This is deemed minor since a service
user with a short-term ticket is misconfiguration anyway (already with a warning
message).
#20 26637 Robert Cowham Include script help within doc
Requires a couple of tags in the scripts themselves.
#19 25798 C. Thomas Tyler Enhanced p4login to perform 'p4 trust' checks/fixes if required.

p4login is now shellcheck v0.6.0 compliant.
#18 25769 C. Thomas Tyler Fixed bug where P4PORT value might be 'Unset'.

This could be observed due to a misconfiguration where the
P4MASTER_ID value set in the instance vars file,
/p4/common/config/p4_N.vars, was incorrect (i.e. didn't match
the actual ServerID of the master/commit server). Or if a
replica was only partially defined without P4TARGET being
defined.  These misconfigurations are outside the realm of
this script to address, but they exposed a bad assumption in
the script.  That has been corrected.

Also:
* Added logic to ensure 'p4d -cshow' is not attempted unless
$P4ROOT/db.config exists, for error-free operation on proxy and
replica servers that have no p4d.
* Several unrelated minor tweaks were made to help with shellcheck
compliance.
#17 24357 C. Thomas Tyler Added SDP_ADMIN_PASSWORD_FILE variable in p4_vars.template, and also added a
default value in backup_functions.sh.  Also added comments in p4_vars
explaining the 'set +u' bit.

Adding SDP_ADMIN_PASSWORD_FILE is an enabling change for an upcoming change
to mkrep.sh.

Updated p4login and p4login-super.sh to reference this variable.

Normalized p4login-super.sh to accept SDP instance parameter, which (as
with other scripts) is optional of SDP_INSTANCE is already defined, else
required.  Also chmod +x p4login-super.sh.

#review @robert_cowham
#16 23203 C. Thomas Tyler p4login v4.1.0:
* Added '-d' flag to enable debug mode, and dbg() function.
* Added dbg() calls.
* Improved info in error output.
#15 23041 C. Thomas Tyler Minor changes to p4login:
* Corrected login count in p4login script.
* Referenced P4CCFG and P4CBIN vars; removed hard-coding.
* Allow SDP_ENV to be overriden (coding standard for future use).
#14 20855 C. Thomas Tyler Fixed quoting bug in p4login.
#13 20774 C. Thomas Tyler p4login: Minor fix to use $P4BIN rather than raw 'p4'.
 This impacted
only 'p4 set P4TICKETS' output, but is otherwise a non-functional
change.
#12 20749 C. Thomas Tyler Approved and committed, but I believe that the shared data setting is always set to false on the master and we should look at fixing that in another change.

Enhanced p4login again.

Improvements:
Default behavior with no arguments gives the desired results.
For example, if run on a master, we login on the super user P4USER to
P4PORT.  If run on a replica/edge and auth.id is set, we login P4USER
to the P4TARGET port of the replica.

All other login functionality, such as logging in the replication
service user on a replica, logging in supplemental automation users,
is now accessed via new flags.

A usage message is now available via '-h' and '-man' options.  The
new synopsys is:
p4login [<instance>] [-p <port> | -service] [-automation] [-all]

The <instance> parameter is the only non-flag positional parameter,
and can be ommitted if SDP_INSTANCE is already defined (as is typical
when called by scripts).

With this change, several other scripts calling either the 'p4login'
script or 'p4 login' commands were normalized to call p4login as
appropriate given the new usage.

Reviewer Note:  Review p4login first, then other files.  Most changes
are in p4login.

In other scripts callling p4login, calls similar to:
$P4BIN -u $P4USER -p $P4PORT login < /path/to/pwd
are replaced with: $P4CBIN/p4login

In other scritps calling p4login, calls similar to:
$P4BIN -p $P4MASTERPORT login < /path/to/pwd
are replaced with: $P4CBIN/p4login -p $P4MASTERPORT

Note that, if auth.id is set, calling 'p4login' actually has the
same behavior as 'p4login -p $P4MASTERPORT', since p4login
called on a replica with auth.id set will just login to the master
port anyway.

Depending on intent, sometimes $P4BIN/p4login -service
is used.

== Misc Cleanup ==

In doing the cleanup:
* Fixed a hard-coding-to-instance-1 bug in broker_rotate.sh.
* Fixed an inconsistency in recreate_db_sync_replica.sh, where
it did just a regular login rather than a login -a as done in other
places for (for compatibility with some multi-interface NIC card
configs).

== p4login Call Normalization ==
Code cleanup was done to normalize calls to p4login, such that:
1) the call starts with $P4CBIN/p4login (not the hard-coded path),
and 2) logic to redirect sdtout/stderr to /dev/null was removed,
since it's not necessary with p4login.  (And if p4login ever
does generate any unwanted output, we only fix it in one place).

== Tweak to instance_vars.template ==
This change includes a tweak to set P4MASTERPORT dynamically
on a replica to ensure the value precisely matches P4TARGET
for the given replica.  This will reduce a source of problems
when SSL is used, as it is particularly sensitive to the precise
P4PORT values used, and will also help for environments which
have not yet set auth.id.  If the port cannot be determined
dynamically, we fall back to the old logic using the assigned
value.

== Tweak to SDP_ALWAYS_LOGIN behavior ==
This used to default to 1, now it defaults to 0.  At this
point we should no longer need to force logins, and in fact
doing so can get into a 'p4 login' hang situation with
auth.id set.  Best to avoid unnecessary logins if we
already have a valid ticket.  (I think the need to force a
login may have gone away with p4d patches).

== Obsolete Script ==
With this change, svclogin.sh is now obsolete.  All it was doing
was a few redundant 'p4 login' commands followed by a call to
p4login anyway.

== Testing ==
Our test suite doesn't fully cover this change, so additional
manual testing was done in the Battle School lab environment.
#11 20635 C. Thomas Tyler p4login changes:
* Fixed bug in attempted login count.
* Added '-s' flag to login only P4USER to P4PORT.  This is
  to make p4login more useful for cases where extraneous logins
  it now does (e.g. automation users) isn't desired.
* Enahnced in-code docs.
#10 20170 Russell C. Jackson (Rusty) Moved password and users into the config directory to allow for instance specific
users and passwords. Ran into a case where two different teams were sharing the same
server hardware and needed this type of differentiation. Surprised that we haven't hit
this sooner.

Also defaulted mkdirs to use the numeric ports since this is the most common
installation.
#9 20028 C. Thomas Tyler p4login v3.1.4:
* Avoids logging replication service user into local replica host,
as doing so breaks the login to the master.
* Does needed login of service user to P4AUTH server if P4AUTH is set.
* Clarity enhancements to log messages.
#8 19965 C. Thomas Tyler The Ultimate Perforce Login Script.

Enhanced p4login v3.1.0:
* If on a replica/edge server, logs in replication service users.
* Uses 'p4 login -a' for non-service type accounts, and 'p4 login 'for
  service type accounts.
* Accounts for auth.id, and behaves appropriately whether auth.id is set
  or not, e.g. doing an extra 'p4 login' as needed if auth.id isn't set.
* Logs in external automaiton users,  e.g. trigger or broker filter script
  users, if defined by the SDP_AUTOMATION_USERS setting in
  /p4/common/config/p4_<instance>.vars.
* Fixed bug where it broke if p4_vars wasn't sourced.  It now sources p4_vars.
* Logs whether actual 'p4 login' commands were needed and the number of logins
  done, along with other cosmetic logging enhancements.
* Added Version identifier.
#7 18209 Russell C. Jackson (Rusty) Added missing auto source of p4_vars to eliminate the need to use p4master_run.
Missed in early changes to support that behavior.
#6 16029 C. Thomas Tyler Routine merge to dev from main using:
p4 merge -b perforce_software-sdp-dev
#5 15605 C. Thomas Tyler Per review, Rusty noted a preference for the current behvaior, i.e.
always
doing a login if p4login is called.

This version introduces SDP_ALWAYS_LOGIN, which defaults to 1 (enabled),
which preserves the traditional 'always login each time the script is
run' behavior, while allowing the new 'login only if a ticket is not
available' behavior.  (An advantage of the traditional behavior is that
it fixes the case where a human admin does a 'p4 login' but forgets the
'-a' on a server a network card configuration setup such that 'p4 login -a'
is required).

Customers desiring the 'login only if required' can set SDP_ALWAYS_LOGIN=0
in p4_vars.

Also includes style improvements.

#review-15606
#4 15559 C. Thomas Tyler Enhancements to p4login:
* Enhanced handling for the cose where p4login is run with no environment defined.
* Now checks login status first, and only does a login if ticket expires in less than a month.
* Enhanced  auditability.
* Added comments.

#review-15560
#3 13906 C. Thomas Tyler Normalized P4INSTANCE to SDP_INSTANCE to get Unix/Windows
implementations in sync.

Reasons:
1. Things that interact with SDP in both Unix and Windows
environments shoudn't have to account for this obscure
SDP difference between Unix and Windows.  (I came across
this doing CBD work).

2. The Windows and Unix scripts have different variable
names for defining the same concept, the SDP instance.
Unix uses P4INSTANCE, while Windows uses SDP_INSTANCE.

3. This instance tag, a data set identifier, is an SDP concept.
I prefer the SDP_INSTANCE name over P4INSTANCE, so I prpose
to normalize to SDP_INSTANCE.

4. The P4INSTANCE name makes it look like a setting that might be
recognized by the p4d itself, which it is not.  (There are other
such things such as P4SERVER that could perhaps be renamed as
a separate task; but I'm not sure we want to totally disallow
the P4 prefix for variable names. It looks too right to be wrong
in same cases, like P4BIN and P4DBIN.  That's a discussion for
another day, outside the scope of this task).

Meanwhile:
* Fixed a bug in the Windows 2013.3 upgrade script that
was referencing undefined P4INSTANCE, as the Windows
environment defined only SDP_INSTANCE.

* Had P4INSTANCE been removed completely, this change would
likely cause trouble for users doing updates for existing
SDP installations.  So, though it involves slight technical debt,
I opted to keep a redundant definition of P4INSTANCE
in p4_vars.template, with comments indicating SDP_INSTANCE should be
used in favor of P4INSTANCE, with a warning that P4INSTANCE
may go away in a future release.  This should avoid unnecessary
upgrade pain.

* In mkdirs.sh, the varialbe name was INSTANCE rather than
SDP_INSTANCE.  I changed that as well.  That required manual
change rather than sub/replace to avoid corrupting other similar
varialbe names (e.g.  MASTERINSTANCE).

This is a trivial change technically (a substitute/replace, plus
tweaks in p4_vars.template), but impacts many files.
#2 12169 Russell C. Jackson (Rusty) Updated copyright date to 2015

 Updated shell scripts to require an instance parameter to eliminate the need
 for calling p4master_run.    Python and Perl still need it since you have to set the
environment for them to run in.

 Incorporated comments from reviewers. Left the . instead of source as that seems
more common in the field and has the same functionality.
#1 10638 C. Thomas Tyler Populate perforce_software-sdp-dev.
//guest/perforce_software/sdp/main/Server/Unix/p4/common/bin/p4login
#1 10148 C. Thomas Tyler Promoted the Perforce Server Deployment Package to The Workshop.