WWWWWW

Current Directory: /usr/local/cpanel/scripts
Viewing File: /usr/local/cpanel/scripts/fix-cpanel-perl
#!/usr/bin/perl

#                                      Copyright 2025 WebPros International, LLC
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited.

package scripts::fixcpanelperl;

use strict;
use warnings;

### Do not add any extra use/require statements here without talking to BC.
###
### This code is used by the installer for fresh install
###     its main goal is to bootstrap & repair cPanel Perl
###
### Thus no dependencies should be added to this special script.
### Because this script uses only system perl code,
###     the rest of the cPanel code base gets to have nice things!
###     and rely on cPanel Perl stack.

use IPC::Open3 ();
use POSIX      ();

use constant COLOR_RED    => 31;
use constant COLOR_GREEN  => 32;
use constant COLOR_YELLOW => 33;
use constant COLOR_GRAY   => 37;

use constant UPDATE_SOURCE_DEFAULT => 'httpupdate.cpanel.net';
use constant PKG_VERSION_SOURCE    => '11.130';
use constant PKG_DOWNLOADS_DIR     => '/usr/local/cpanel/tmp/rpm_downloads';

=pod

=head1 NAME

scripts::fixcpanelperl

=head1 SYNOPSIS

    # restore cpanel-perl package when missing
    /scripts/fix-cpanel-perl

=head1 DESCRIPTION

This script is used during fresh installation to bootstrap cPanel Perl and install a few
core dependencies packages to run the installation process using cPanel Perl version as early
as possible.

The script can also be used to recover from a catastrophic loss or coruption of the cpanel-perl
packages blocking check_cpanel_pkgs or upcp to recover the system.

This script is automatically invoked if needed when check_cpanel_pkgs cannot run.

=head1 NOTE

The list of Perl packages install by this script should be short.

This script should only use default perl packages install with the system,
no Cpanel packages can be use as part of this script.

=cut

my %shared_install_env = (
    LANG        => 'C',
    LANGUAGE    => 'C',
    LC_ALL      => 'C',
    LC_MESSAGES => 'C',
    LC_CTYPE    => 'C',
);

our %DISTRO_SETUP = (
    'centos' => {
        name        => 'centos',
        install_env => {
            %shared_install_env,
        },
        install_cmd => [ '/bin/rpm', '-Uvh', '--force', '--nodeps' ],
        template    => {
            base_url  => 'http://%httpupdate%/RPM/%cpanel_major%/%distro_name%/%distro_major%/x86_64',
            file_name => '%package%-%version%~el%distro_major%.%arch%.rpm'
        },
        package_sha512 => 'rpm.sha512',    # could use later once pushed to prod sha512
    },
    'ubuntu' => {
        name        => 'ubuntu',
        install_env => {
            %shared_install_env,
            DEBIAN_FRONTEND => q[noninteractive],
            DEBIAN_PRIORITY => q[critical],
        },
        install_cmd => [ '/bin/dpkg', '-i', '--force-confnew' ],
        template    => {
            base_url      => 'http://%httpupdate%/ubuntu/pool',
            base_file_uri => '%package%',
            file_name     => '%package%_%version%~u%distro_major%_%arch%.deb',
        },
        package_sha512 => 'sha512',
    },
);

our $CPANEL_CONFIG_FILE        = '/var/cpanel/cpanel.config';
our $SIG_VALIDATION_CPCONF_KEY = 'signature_validation';

sub colorize_bold {
    my ( $color, $msg ) = @_;

    return $msg
      if !defined $color || -e '/var/cpanel/disable_cpanel_terminal_colors';
    $msg ||= '';

    return chr(27) . '[1;' . $color . 'm' . $msg . chr(27) . '[0;m';
}

sub DEBUG($) { return _MSG( 'DEBUG', "  " . shift ) }

sub ERROR($) {
    return _MSG(
        colorize_bold( COLOR_RED,  'ERROR' ),
        colorize_bold( COLOR_GRAY, shift )
    );
}

sub WARN($) {
    return _MSG(
        colorize_bold( COLOR_YELLOW, 'WARN' ),
        colorize_bold( COLOR_YELLOW, shift )
    );
}

sub OK($) {
    return _MSG(
        colorize_bold( COLOR_GREEN, 'OK' ),
        colorize_bold( COLOR_GRAY,  shift )
    );
}
sub INFO($) { return _MSG( 'INFO', shift ) }

sub FATAL($) {
    _MSG(
        colorize_bold( COLOR_RED, 'FATAL' ),
        colorize_bold( COLOR_RED, shift )
    );
    die "\n";
}

# Cached and used all over the place.
our ( $wget_bin, $wget_args, $GPG_BIN );
our ( $DISTRO_TYPE, $DISTRO_MAJOR );
our $_distro_instance;
my %sha;

exit script(@ARGV) unless caller();

# return the instance of the current distro
sub current_distro {
    return $_distro_instance if $_distro_instance;

    $DISTRO_TYPE or FATAL("DISTRO_TYPE is not set");
    $_distro_instance = $DISTRO_SETUP{$DISTRO_TYPE}
      or FATAL("Unknown distro type $DISTRO_TYPE. Cannot bootstrap cpanel-perl");

    return $_distro_instance;
}

# init all our global for the scripts
sub _init {
    ( $wget_bin, $wget_args ) = get_download_tool_binary();
    $GPG_BIN = gpg_bin();
    ( $DISTRO_TYPE, $DISTRO_MAJOR ) = os_info();

    # order matters
    current_distro() or FATAL("Cannot guess current distro");

    return;
}

sub script {
    my (@args) = @_;

    return 0 if cpanel_perl_is_stable();

    loop_protection();
    ERROR("Core cpanel-perl modules have been found to be corrupt. Attempting to correct this.") unless $ENV{CPANEL_BASE_INSTALL};

    # init globals first, or things will break in a hard to debug way since output is stifled on install
    _init();
    fetch_and_install_gpg_keys()
      unless $ENV{CPANEL_BASE_INSTALL_GPG_KEYS_IMPORTED};

    download_pkg_sha512();

    chdir(PKG_DOWNLOADS_DIR)
      or FATAL( "Fail to chdir to " . PKG_DOWNLOADS_DIR );

    my $core_perl_pid;
    if ( $core_perl_pid = fork() ) {

        # handle just after...
    }
    elsif ( defined $core_perl_pid ) {
        wget_and_validate_file( core_perl_pkg() );
        install_packages( core_perl_pkg() ) and exit 1;
        exit(0);
    }
    else {
        die "The system failed to fork because of an error: $!";
    }

    # download package while doing the first transaction
    my $pkgs = pkgs_to_download();
    foreach my $package_name ( sort keys %$pkgs ) {
        wget_and_validate_file( $package_name, $pkgs->{$package_name} );
    }

    {
        waitpid( $core_perl_pid, 0 );
        FATAL "Core perl package transaction failed" unless $? == 0;
    }

    install_packages(%$pkgs);

    FATAL "package transaction failed" unless $? == 0;

    OK("cpanel-perl is now restored, checking all cpanel packages.");

    my @to_cleanup = (
        current_distro()->{package_sha512},
        current_distro()->{package_sha512} . '.asc',
        @{ get_packages_filename( core_perl_pkg() ) },
        @{ get_packages_filename(%$pkgs) },
    );
    cleanup_files(@to_cleanup);

    # updatenow.static will do the needful during an install.
    return 0 if $ENV{CPANEL_BASE_INSTALL};

    # This should be changed to check_cpanel_pkgs at some point
    if ( !-x '/usr/local/cpanel/3rdparty/bin/perl' ) {
        FATAL "/usr/local/cpanel/3rdparty/bin/perl is missing";
    }

    if ( !-e '/usr/local/cpanel/scripts/check_cpanel_pkgs' ) {
        FATAL "Unable to run scripts/check_cpanel_pkgs. You will need to run updatenow.static and then re-run /usr/local/cpanel/scripts/check_cpanel_pkgs --fix";
    }

    setup_env_for_distro();
    exec(qw{/usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/scripts/check_cpanel_pkgs --fix --long-list --no-digest})
      or FATAL "Failed to exec /usr/local/cpanel/scripts/check_cpanel_pkgs --fix";

    return 255;
}

sub loop_protection {

    $ENV{CPANEL_FIX_PERL} = 0 unless defined $ENV{CPANEL_FIX_PERL};
    ++$ENV{CPANEL_FIX_PERL};

    if ( $ENV{CPANEL_FIX_PERL} > 3 ) {
        cpanel_perl_is_stable(1);
        FATAL "$0 was run mulitple times without fixing your system. Aborting. (loop detection)";
        return 1;
    }
    elsif ( $ENV{CPANEL_FIX_PERL} > 1 ) {
        WARN( "Running $0 an extra time " . $ENV{CPANEL_FIX_PERL} );
    }

    return;
}

sub render_filename {
    my ( $package, $version_arch ) = @_;

    my $filename = current_distro()->{template}->{file_name}
      or FATAL("Undefined file_name");

    # 3.75-1.cp108.noarch
    my ( $v, $arch ) = ( $version_arch =~ m{^(.+)\.([^\.]+)$} );

    FATAL("Cannot parse version / arch from $package $version_arch")
      unless defined $v && defined $arch;

    if ( current_distro()->{name} eq 'ubuntu' ) {
        $arch = ( $arch =~ m/86/ ) ? 'amd64' : 'all';
    }

    return tt(
        $filename,
        { package => $package, version => $v, arch => $arch }
    );
}

sub render_fileuri {
    my ( $package, $version_arch ) = @_;

    my $filename = render_filename( $package, $version_arch );
    my $uri      = '';                                           # not for all distro
    if ( my $base_file_uri = current_distro()->{template}->{base_file_uri} ) {
        $uri = tt(
            $base_file_uri,
            { package => $package, version_arch => $version_arch }
        );
    }

    $uri .= '/' if defined $uri && length $uri;
    $uri .= $filename;

    return $uri;
}

sub get_packages_filename {
    my @files;
    while ( scalar @_ ) {
        my $package      = shift @_;
        my $version_arch = shift @_;

        push @files, render_filename( $package, $version_arch );
    }

    return \@files;
}

sub install_packages {
    my (@packages) = @_;

    return unless scalar @packages;

    my $files = get_packages_filename(@packages);

    my @cmd = ( @{ current_distro()->{install_cmd} }, @$files );

    DEBUG( "Installing packages: " . join( ' ', @cmd ) );

    local %ENV = %ENV;
    setup_env_for_distro();

    return system(@cmd);
}

sub setup_env_for_distro {

    # setup some special environment variables for running the install command
    my $env = current_distro()->{install_env};

    return unless defined $env && ref $env;

    foreach my $k ( keys %$env ) {
        $ENV{$k} = $env->{$k};
    }

    return;
}

sub cleanup_files {
    my (@files) = @_;

    foreach my $f (@files) {
        unlink( PKG_DOWNLOADS_DIR . '/' . $f );
    }

    return;
}

sub os_info {
    my ( $distro_type, $distro_major );

    # DO NOT use Cpanel-OS symlink here. It can be inaccurate if the server has been elevated.
    if ( open( my $fh, "<", "/etc/os-release" ) ) {    # All distros we support have this file.
        my $line;                                      # buffer
        while ( $line = <$fh> ) {

            if ( index( $line, "ID=" ) == 0 ) {
                $distro_type = _clean_value( $line => length("ID=") );
            }
            elsif ( index( $line, "VERSION_ID=" ) == 0 ) {
                $distro_major = _clean_value( $line => length("VERSION_ID=") );
                $distro_major =~ s/\..+//;    # Strip off .04 from 20.04
            }

            last if $distro_type && $distro_major;
        }
    }
    else {
        die("Unable to find /etc/os-release for system info");
    }

    $distro_type = 'centos' if $distro_type =~ m/cloud|red|alma|rhel|rocky/i;
    ($distro_major) = $distro_major =~ m/^\s*0*\s*(\d+)/
      if $distro_type eq 'centos';    # Strip off the minor version for centos RPMs. Alma linux is a special snowflake!

    return ( $distro_type, $distro_major );
}

sub _clean_value {
    my ( $str, $strip ) = @_;
    die "Internal _clean_value() called without a value (did you make changes to this code recently?)\n"
      if !defined $str;

    chomp $str;
    $str = substr( $str, $strip );

    if ( substr( $str, 0, 1 ) eq '"' ) {
        $str = substr( $str, 1, length($str) );
        $str = substr( $str, 0, length($str) - 1 );
    }

    return $str;
}

sub cpanel_perl_is_stable {
    my ($debug) = @_;

    my $perl_bin = '/usr/local/cpanel/3rdparty/bin/perl';
    my $command  = $perl_bin;

    $command .= " -M$_" foreach minimum_cpanel_perl_modules();

    my $got = `$command -E'sub foo (\$bar) { ... }; print q{ok}' 2>&1`;    ## no critic qw(Cpanel::ProhibitQxAndBackticks)
    print "command failed:\n\n$command -E'sub foo (\$bar) { ... }; print q{ok}' 2>&1\n\nerror message: $got\n" if $debug;
    return 0 unless !$? && $got && $got eq 'ok';

    if ( my $v = _perl_version() ) {
        my $out = `$perl_bin -E 'say \$]'`;
        return unless $out =~ m{^\Q$v\E};
    }

    return 1;
}

sub _perl_major {
    my ($perl_pkg) = core_perl_pkg();
    return $1 if $perl_pkg =~ m{-(\d+)$};
    return;
}

sub _perl_version {
    my $major = _perl_major() or return;
    if ( $major =~ m{^(\d)(\d+)$} ) {
        my ( $rev, $version ) = ( $1, $2 );
        return sprintf( '%d.%03d', $rev, $version );
    }
    return;
}

sub download_pkg_sha512 {

    # Setup the directory as best we can.
    unlink PKG_DOWNLOADS_DIR;    # Just in case it's a file (that'd be weird)
    system( '/bin/mkdir', '-p', PKG_DOWNLOADS_DIR )
      unless -d PKG_DOWNLOADS_DIR;
    -d PKG_DOWNLOADS_DIR
      or FATAL( "Can't make directory " . PKG_DOWNLOADS_DIR );

    my $package_sha512 = current_distro()->{package_sha512}
      or FATAL("no package_sha512 filename set");

    my $sha_file = sprintf( "%s/%s",     PKG_DOWNLOADS_DIR, $package_sha512 );
    my $sig_file = sprintf( "%s/%s.asc", PKG_DOWNLOADS_DIR, $package_sha512 );

    #
    my $sha_url = sprintf( "%s/%s",     url_base(), $package_sha512 );
    my $sig_url = sprintf( "%s/%s.asc", url_base(), $package_sha512 );

    download_file( $sig_url, $sig_file );
    download_file( $sha_url, $sha_file );
    verify_file_signature( $sha_file, $sig_file, $sha_url );

    open( my $fh, '<', $sha_file ) or FATAL("Can't read $sha_file");
    while ( my $line = <$fh> ) {
        chomp $line;
        my ( $sha, $file ) = split( qr{\s+}, $line );

        $sha{$file} = $sha;
    }
    close $fh;

    return;
}

my $url_base;    #cached;

sub url_base {
    return $url_base if defined $url_base;

    return $url_base = tt( current_distro()->{template}->{base_url} );
}

sub tt {
    my ( $str, $extra ) = @_;

    return unless defined $str;

    my $httpupdate   = get_update_source();
    my $cpanel_major = PKG_VERSION_SOURCE;

    $extra = {} unless defined $extra;

    my $tt = {
        httpupdate   => $httpupdate,
        cpanel_major => $cpanel_major,
        distro_name  => $DISTRO_TYPE,
        distro_major => $DISTRO_MAJOR,
        ref $extra ? %$extra : (),
    };

    my $s = sub {
        my $k = shift or FATAL("Undefined key");
        my $v = $tt->{$k};
        FATAL("Unexpected template variables '$k' in base URL ")
          unless defined $v;
        return $v;
    };

    $str =~ s{\%([a-z_]+)\%}{$s->($1)}eg;

    return $str;
}

sub get_download_tool_binary {

    for my $bin (qw(/bin/wget /usr/bin/wget /usr/local/bin/wget)) {

        # check if the binary exists
        next unless -e $bin && -x _ && -s _;

        # use it
        if ( `$bin --version 2>/dev/null` =~ m/GNU\s+Wget\s+[0-9]+\.[0-9]+/ims ) {    ## no critic qw(ProhibitQxAndBackticks)
            return (
                $bin,
                ' -nv --no-dns-cache --tries=20 --timeout=60 --dns-timeout=60 --read-timeout=30 --waitretry=1 --retry-connrefused -O'
            );
        }
    }

    # If $wget_bin is not set, then wget is not installed and
    # We do not have a fallback for Cpanel::SecureDownload::fetch_url()
    FATAL("Can't bootstrap cpanel-perl without a working file download method. Try installing the wget package manually.");

    return;
}

sub gpg_bin {

    for my $bin (qw(/bin/gpg /usr/bin/gpg /usr/local/bin/gpg)) {
        next unless -e $bin && -x _ && -s _;
        return $bin;
    }

    FATAL "Can't bootstrap cpanel-perl without gpg. Try installing the gnupg2 package manually.";
    return;
}

sub _MSG {
    my $level = shift;
    my $msg   = shift || '';
    chomp $msg;

    my $message_caller_depth = 1;

    my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) = localtime;
    my ( $package, $filename, $line ) = caller($message_caller_depth);
    my $stamp_msg = sprintf(
        "%04d-%02d-%02d %02d:%02d:%02d %4s (%5s): %s\n",
        $year + 1900, $mon + 1, $mday,  $hour, $min,
        $sec,         $line,    $level, $msg
    );

    print $stamp_msg;
    return;
}

{

    my $update_source;

    sub get_update_source {

        return $update_source if defined $update_source;

        my $source_file = '/etc/cpsources.conf';

        # pull in from cpsources.conf if it's set.
        if ( open( my $fh, "<", $source_file ) ) {
            while (<$fh>) {
                next if $_ !~ m/^\s*HTTPUPDATE\s*=\s*(\S+)/;
                $update_source = "$1";
                last;
            }
        }

        $update_source = UPDATE_SOURCE_DEFAULT unless $update_source;

        INFO("Downloading bootstrap packages from $update_source");

        return $update_source;
    }

}

sub wget_and_validate_file {
    my ( $package_name, $version_arch ) = @_;

    my $uri = render_fileuri( $package_name, $version_arch );
    my $filename;
    if ( index( $uri, '/' ) == -1 ) {
        $filename = $uri;
    }
    else {
        ($filename) = ( $uri =~ m{/([^/]+)$} );
    }

    FATAL("Cannot guess filename for path $uri") unless length $filename;

    my $url = url_base() . '/' . $uri;

    my $expected_sha = $sha{$uri};
    FATAL("No sha defined for file $uri") unless defined $expected_sha;

    my $pkg_file_path = download_file( $url, PKG_DOWNLOADS_DIR . '/' . $filename );

    my $result = `/usr/bin/sha512sum $pkg_file_path 2>&1`;    ## no critic qw(Cpanel::ProhibitQxAndBackticks)
    my ($sha) = $result =~ m/^([a-fA-F0-9]+)/;

    if ( $expected_sha ne $sha ) {
        FATAL("Couldn't verify the expected sha ($sha{$filename}) for $filename. Got $sha");
    }

    return;
}

## used by unit tests - this should be the only 'require' statement
##
sub _require_securedownload {
    require Cpanel::SecureDownload;
    return;
}

#
# Cpanel::SecureDownload is the preferred method as it will
# attempt Cpanel::HTTP::Client, curl, then wget.  And it will
# attempt to use Mozilla::CA if available.
# However, depending on the broken state if perl, it might
# not work.  In that case we can go back to directly invoking
# wget via backticks as before.
#
sub attempt_secure_download_file {
    my ( $url, $dest_file ) = @_;

    # Add this so that Cpanel::SecureDownload will pick up the
    # latest version of Mozilla::CA if we have it installed
    local @INC = (
        '/usr/local/cpanel',
        '/usr/local/cpanel/3rdparty/perl/542/cpanel-lib', @INC
    );

    my ( $success, $msg );
    eval {
        _require_securedownload();

        my %options = (
            'output-file'       => $dest_file,
            'not-verbose'       => 1,
            'tries'             => 20,
            'retry-delay'       => 1,
            'timeout'           => 60,
            'dns-timeout'       => 60,
            'read-timeout'      => 30,
            'no-dns-cache'      => 1,
            'retry-connrefused' => 1,
        );

        ( $success, $msg ) = Cpanel::SecureDownload::fetch_url( $url, %options );
    };

    if ( !$@ && $success && -e $dest_file && !-z $dest_file ) {
        return 1;
    }

    # Warn if an exception had been thrown, that means there was trouble loading
    # Cpanel::SecureDownload.  However, we do not need to warn on errors returned
    # from fetch_url as it already warns when each method fails
    if ($@) {
        WARN "Could not invoke Cpanel::SecureDownload::fetch_url: $@";
    }

    return;
}

sub minimum_cpanel_perl_modules {
    return qw{
      AnyEvent
      B::COW
      CDB_File
      Call::Context
      Class::XSAccessor
      Compress::Raw::Lzma
      File::Path::Tiny
      File::Slurper
      Guard
      IO::Pty
      IO::SigGuard
      IO::Socket::SSL
      JSON
      JSON::XS
      Module::Runtime
      Net::Curl
      Net::Curl::Promiser
      Net::SSLeay
      PerlIO::utf8_strict
      Proc::FastSpawn
      Promise::ES6
      Promise::XS
      Sereal::Decoder
      Sereal::Encoder
      Simple::Accessor
      Sub::Uplevel
      Test::Exception
      Try::Tiny
      Types::Serialiser
      URI
      X::Tiny
      YAML::Syck
      cPanel::APIClient
      common::sense
    };
}

sub core_perl_pkg {
    return ( 'cpanel-perl-542' => '5.42.0-2.cp130.x86_64' );
}

sub pkgs_to_download {
    my %packages = qw{
      cpanel-3rdparty-bin                 130.1-2.cp130.noarch
      cpanel-perl-542-anyevent            7.17-1.cp130.noarch
      cpanel-perl-542-b-cow               0.007-1.cp130.x86_64
      cpanel-perl-542-call-context        0.05-1.cp130.noarch
      cpanel-perl-542-cdb.file            0.99-1.cp130.x86_64
      cpanel-perl-542-class-xsaccessor    1.19-1.cp130.x86_64
      cpanel-perl-542-common-sense        3.75-1.cp130.noarch
      cpanel-perl-542-compress-raw-lzma   2.213-1.cp130.x86_64
      cpanel-perl-542-cpanel-apiclient    0.10-1.cp130.noarch
      cpanel-perl-542-file-path-tiny      1.0-1.cp130.noarch
      cpanel-perl-542-file-slurper        0.014-1.cp130.noarch
      cpanel-perl-542-guard               1.023-1.cp130.x86_64
      cpanel-perl-542-io-sigguard         0.15-1.cp130.noarch
      cpanel-perl-542-io-socket-ssl       2.089-1.cp130.noarch
      cpanel-perl-542-io-tty              1.20-1.cp130.x86_64
      cpanel-perl-542-json                4.10-1.cp130.noarch
      cpanel-perl-542-json-xs             4.04-1.cp130.x86_64
      cpanel-perl-542-mime-base32         1.303-1.cp130.noarch
      cpanel-perl-542-module-runtime      0.018-1.cp130.noarch
      cpanel-perl-542-net-curl            0.57-1.cp130.x86_64
      cpanel-perl-542-net-curl-promiser   0.20-1.cp130.noarch
      cpanel-perl-542-net-ssleay          1.94-1.cp130.x86_64
      cpanel-perl-542-perlio-utf8.strict  0.010-1.cp130.x86_64
      cpanel-perl-542-proc-fastspawn      1.2-1.cp130.x86_64
      cpanel-perl-542-promise-es6         0.28-1.cp130.noarch
      cpanel-perl-542-promise-xs          0.20-1.cp130.x86_64
      cpanel-perl-542-sereal-decoder      5.004-1.cp130.x86_64
      cpanel-perl-542-sereal-encoder      5.004-1.cp130.x86_64
      cpanel-perl-542-simple-accessor     1.13-1.cp130.noarch
      cpanel-perl-542-sub-uplevel         0.2800-1.cp130.noarch
      cpanel-perl-542-test-exception      0.43-1.cp130.noarch
      cpanel-perl-542-try-tiny            0.32-1.cp130.noarch
      cpanel-perl-542-types-serialiser    1.01-1.cp130.noarch
      cpanel-perl-542-uri                 5.32-1.cp130.noarch
      cpanel-perl-542-x-tiny              0.22-1.cp130.noarch
      cpanel-perl-542-yaml-syck           1.36-1.cp130.x86_64
    };

    return \%packages;
}

sub download_file {
    my ( $url, $dest_file ) = @_;

    DEBUG "Retrieving $url";

    # Don't call attempt_secure_download_file on new installs, as Cpanel::SecureDownload will
    # not be present on the system at the point where fix-cpanel-perl is called.
    if ( !$ENV{'CPANEL_BASE_INSTALL'}
        && attempt_secure_download_file( $url, $dest_file ) ) {
        return $dest_file;
    }

    my $output = `$wget_bin $wget_args '$dest_file' $url 2>&1`;    ## no critic qw(Cpanel::ProhibitQxAndBackticks)

    if ( !-e $dest_file || -z $dest_file ) {
        unlink $dest_file;
        FATAL "The system could not fetch $url to file $dest_file: $output";
    }

    return $dest_file;
}

sub signature_validation_enabled {

    my $config = read_config();

    return 1 unless defined $config->{$SIG_VALIDATION_CPCONF_KEY};
    return 0
      if $config->{$SIG_VALIDATION_CPCONF_KEY} eq '0'
      || lc( $config->{$SIG_VALIDATION_CPCONF_KEY} ) eq 'off';

    return 1;
}

sub verify_file_signature {
    my ( $file, $sig, $url ) = @_;

    if ( !signature_validation_enabled() ) {
        INFO "Skipping signature validation [currently disabled in cpanel.config]";
        return;
    }

    INFO "FILE - $file";
    INFO "SIG  - $sig";
    INFO "URL  - $url";

    my @gpg_args = (
        '--logger-fd', '1',           '--status-fd', '1',
        '--homedir',   gpg_homedir(), '--verify',    $sig,
        $file,
    );

    # Verify the validity of the GPG signature.
    # Information on these return values can be found in 'doc/DETAILS' in the GnuPG source.

    my ( %notes, $curnote );
    my ( $gpg_out, $success, $status );
    my $gpg_pid = IPC::Open3::open3( undef, $gpg_out, undef, $GPG_BIN, @gpg_args );

    while ( my $line = readline($gpg_out) ) {
        if ( $line =~ /^\[GNUPG:\] VALIDSIG ([A-F0-9]+) (\d+-\d+-\d+) (\d+) ([A-F0-9]+) ([A-F0-9]+) ([A-F0-9]+) ([A-F0-9]+) ([A-F0-9]+) ([A-F0-9]+) ([A-F0-9]+)$/ ) {
            $status  = "Valid signature for $file";
            $success = 1;
        }
        elsif ( $line =~ /^\[GNUPG:\] NOTATION_NAME (.+)$/ ) {
            $curnote = $1;
            $notes{$curnote} = '';
        }
        elsif ( $line =~ /^\[GNUPG:\] NOTATION_DATA (.+)$/ ) {
            $notes{$curnote} .= $1;
        }
        elsif ( $line =~ /^\[GNUPG:\] BADSIG ([A-F0-9]+) (.+)$/ ) {
            $status = "Invalid signature for $file.";
        }
        elsif ( $line =~ /^\[GNUPG:\] NO_PUBKEY ([A-F0-9]+)$/ ) {
            $status = "Could not find public key in keychain.";
        }
        elsif ( $line =~ /^\[GNUPG:\] NODATA ([A-F0-9]+)$/ ) {
            $status = "Could not find a GnuPG signature in the signature file.";
        }
    }

    waitpid( $gpg_pid, 0 );

    $status ||= "Unknown error from gpg.";
    $status .= " ($file)";

    if ($success) {
        INFO $status;
    }
    else {
        FATAL $status;
    }

    # At this point, the signature should be valid.
    # We now need to check to see if the filename signature notation is correct.
    my ($url_path) = $url =~ m{^https?://[-.a-zA-Z0-9]+(/.+)};
    $url_path or FATAL("Can't parse $url");

    if ( defined( $notes{'filename@gpg.notations.cpanel.net'} ) ) {
        my $file_note = $notes{'filename@gpg.notations.cpanel.net'};
        if ( $file_note ne $url_path ) {
            FATAL "Filename notation ($file_note) does not match URL ($url_path).";
        }
    }
    else {
        FATAL "Signature does not contain a filename notation.";
    }

    return;
}

sub fetch_and_install_gpg_keys {

    my $pub_keys = public_keys();
    _create_gpg_homedir();

    INFO("fetch and install gpg keys");

    FATAL("gpg bin unset") unless defined $GPG_BIN;

    foreach my $key ( @{ keys_to_download() } ) {
        INFO("Downloading GPG public key, $pub_keys->{$key}");
        my $target   = secure_downloads() . $pub_keys->{$key};
        my $dest     = gpg_homedir() . "/" . $pub_keys->{$key};
        my $wget_out = download_file( $target, $dest, 1, 1 );
        if ( !-e $dest ) {
            WARN("Could not download GPG public key at $target : $wget_out");
            return;
        }
        my $gpg_cmd = $GPG_BIN . " -q --homedir " . gpg_homedir() . " --import " . $dest;
        DEBUG($gpg_cmd);
        my $out = `$gpg_cmd`;    ## no critic qw(ProhibitQxAndBackticks)
        ERROR($out) if $? && length $out;
    }
    return;
}

sub _create_gpg_homedir {
    mkdir( gpg_homedir(), 0700 ) if !-e gpg_homedir();
    return;
}

our $CACHE_CONFIG;

sub read_config {
    my $file = $CPANEL_CONFIG_FILE;

    return $CACHE_CONFIG if $CACHE_CONFIG;

    my $config = {};

    open( my $fh, "<", $file ) or return $config;
    while ( my $line = readline $fh ) {
        chomp $line;
        if ( $line =~ m/^\s*([^=]+?)\s*$/ ) {
            my $key = $1 or next;    # Skip loading the key if it's undef or 0
            $config->{$key} = undef;
        }
        elsif ( $line =~ m/^\s*([^=]+?)\s*=\s*(.*?)\s*$/ ) {
            my $key = $1 or next;    # Skip loading the key if it's undef or 0
            $config->{$key} = $2;
        }
    }

    $CACHE_CONFIG = $config;

    return $config;
}

sub keys_to_download {

    my $config   = read_config();
    my $keyrings = gpg_keyrings();

    my $use_key = 'release';    # default key

    if ( defined $config->{'signature_validation'}
        && $config->{'signature_validation'} =~ /^Release and (?:Development|Test) Keyrings$/ ) {
        $use_key = 'development';
    }

    my $mirror = get_update_source();
    if ( $mirror =~ /^(?:.*\.dev|qa-build|next)\.cpanel\.net$/ ) {
        if ( !defined $config->{'signature_validation'} ) {
            $use_key = 'development';
        }
        elsif ( $use_key ne 'development' ) {
            WARN("Using cPanel GPG '$use_key' key for mirror $mirror (consider using 'development')");
        }
    }

    FATAL("Unknown key for $use_key") unless defined $keyrings->{$use_key};
    WARN("Using cPanel GPG key '$use_key'") if $use_key ne 'release';

    return $keyrings->{$use_key};
}

# The installer may set $ENV{'CPANEL_BASE_INSTALL_GPG_KEYS_IMPORTED'}
# to true in which case the keys will be in /var/cpanel/.gpgtmpdir
sub gpg_homedir {
    return '/var/cpanel/.gpgtmpdir';
}

sub public_keys {
    return {
        'release'     => 'cPanelPublicKey.asc',
        'development' => 'cPanelDevelopmentKey.asc',
    };
}

sub secure_downloads {
    return 'https://securedownloads.cpanel.net/';
}

sub gpg_keyrings {
    return {
        'release'     => ['release'],
        'development' => [ 'release', 'development' ],

    };
}

1;
F1l3 Manager
