[pmg-api.git] / PMG / Cluster.pm

package PMG::Cluster;

use strict;
use warnings;
use Data::Dumper;
use Socket;

use PVE::Tools;
use PVE::INotify;

use PMG::ClusterConfig;

sub remote_node_ip {
    my ($nodename, $noerr) = @_;

    my $cinfo = PVE::INotify::read_file("cluster.conf");

    foreach my $entry (values %{$cinfo->{ids}}) {
	if ($entry->{name} eq $nodename) {
	    my $ip = $entry->{ip};
	    return $ip if !wantarray;
	    my $family = PVE::Tools::get_host_address_family($ip);
	    return ($ip, $family);
	}
    }

    # fallback: try to get IP by other means
    return PMG::Utils::lookup_node_ip($nodename, $noerr);
}

sub get_master_node {
    my ($cinfo) = @_;

    $cinfo = PVE::INotify::read_file("cluster.conf");

    return $cinfo->{master}->{name} if defined($cinfo->{master});

    return 'localhost';
}

# X509 Certificate cache helper

my $cert_cache_nodes = {};
my $cert_cache_timestamp = time();
my $cert_cache_fingerprints = {};

sub update_cert_cache {
    my ($update_node, $clear) = @_;

    syslog('info', "Clearing outdated entries from certificate cache")
	if $clear;

    $cert_cache_timestamp = time() if !defined($update_node);

    my $node_list = defined($update_node) ?
	[ $update_node ] : [ keys %$cert_cache_nodes ];

    my $clear_node = sub {
	my ($node) = @_;
	if (my $old_fp = $cert_cache_nodes->{$node}) {
	    # distrust old fingerprint
	    delete $cert_cache_fingerprints->{$old_fp};
	    # ensure reload on next proxied request
	    delete $cert_cache_nodes->{$node};
	}
    };

    my $nodename = PVE::INotify::nodename();

    foreach my $node (@$node_list) {

	if ($node ne $nodename) {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $cert_path = "/etc/pmg/pmg-api.pem";

	my $cert;
	eval {
	    my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
	    $cert = Net::SSLeay::PEM_read_bio_X509($bio);
	    Net::SSLeay::BIO_free($bio);
	};
	my $err = $@;
	if ($err || !defined($cert)) {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $fp;
	eval {
	    $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
	};
	$err = $@;
	if ($err || !defined($fp) || $fp eq '') {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $old_fp = $cert_cache_nodes->{$node};
	$cert_cache_fingerprints->{$fp} = 1;
	$cert_cache_nodes->{$node} = $fp;

	if (defined($old_fp) && $fp ne $old_fp) {
	    delete $cert_cache_fingerprints->{$old_fp};
	}
    }
}

# load and cache cert fingerprint once
sub initialize_cert_cache {
    my ($node) = @_;

    update_cert_cache($node)
	if defined($node) && !defined($cert_cache_nodes->{$node});
}

sub check_cert_fingerprint {
    my ($cert) = @_;

    # clear cache every 30 minutes at least
    update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;

    # get fingerprint of server certificate
    my $fp;
    eval {
	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
    };
    return 0 if $@ || !defined($fp) || $fp eq ''; # error

    my $check = sub {
	for my $expected (keys %$cert_cache_fingerprints) {
	    return 1 if $fp eq $expected;
	}
	return 0;
    };

    return 1 if &$check();

    # clear cache and retry at most once every minute
    if (time() - $cert_cache_timestamp >= 60) {
	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
	update_cert_cache();
	return &$check();
    }

    return 0;
}

1;
Commit	Line	Data
0854fb22 DM	1	package PMG::Cluster;
	2
	3	use strict;
	4	use warnings;
45e68618	5	use Data::Dumper;
0854fb22	6	use Socket;
45e68618	7
0854fb22 DM	8	use PVE::Tools;
	9	use PVE::INotify;
	10
9f67f5b3	11	use PMG::ClusterConfig;
0854fb22	12
8737f93a DM	13	sub remote_node_ip {
	14	my ($nodename, $noerr) = @_;
	15
	16	my $cinfo = PVE::INotify::read_file("cluster.conf");
	17
45e68618	18	foreach my $entry (values %{$cinfo->{ids}}) {
8737f93a DM	19	if ($entry->{name} eq $nodename) {
	20	my $ip = $entry->{ip};
	21	return $ip if !wantarray;
	22	my $family = PVE::Tools::get_host_address_family($ip);
	23	return ($ip, $family);
	24	}
	25	}
	26
	27	# fallback: try to get IP by other means
9f67f5b3	28	return PMG::Utils::lookup_node_ip($nodename, $noerr);
8737f93a DM	29	}
8737f93a DM	30
d2e43f9e DM	31	sub get_master_node {
	32	my ($cinfo) = @_;
	33
9f67f5b3	34	$cinfo = PVE::INotify::read_file("cluster.conf");
d2e43f9e DM	35
	36	return $cinfo->{master}->{name} if defined($cinfo->{master});
	37
	38	return 'localhost';
	39	}
	40
0854fb22 DM	41	# X509 Certificate cache helper
	42
	43	my $cert_cache_nodes = {};
	44	my $cert_cache_timestamp = time();
	45	my $cert_cache_fingerprints = {};
	46
	47	sub update_cert_cache {
	48	my ($update_node, $clear) = @_;
	49
	50	syslog('info', "Clearing outdated entries from certificate cache")
	51	if $clear;
	52
	53	$cert_cache_timestamp = time() if !defined($update_node);
	54
	55	my $node_list = defined($update_node) ?
	56	[ $update_node ] : [ keys %$cert_cache_nodes ];
	57
	58	my $clear_node = sub {
	59	my ($node) = @_;
	60	if (my $old_fp = $cert_cache_nodes->{$node}) {
	61	# distrust old fingerprint
	62	delete $cert_cache_fingerprints->{$old_fp};
	63	# ensure reload on next proxied request
	64	delete $cert_cache_nodes->{$node};
	65	}
	66	};
	67
	68	my $nodename = PVE::INotify::nodename();
	69
	70	foreach my $node (@$node_list) {
	71
	72	if ($node ne $nodename) {
	73	&$clear_node($node) if $clear;
	74	next;
	75	}
	76
3278b571	77	my $cert_path = "/etc/pmg/pmg-api.pem";
0854fb22 DM	78
	79	my $cert;
	80	eval {
	81	my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
	82	$cert = Net::SSLeay::PEM_read_bio_X509($bio);
	83	Net::SSLeay::BIO_free($bio);
	84	};
	85	my $err = $@;
	86	if ($err \|\| !defined($cert)) {
	87	&$clear_node($node) if $clear;
	88	next;
	89	}
	90
	91	my $fp;
	92	eval {
	93	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
	94	};
	95	$err = $@;
	96	if ($err \|\| !defined($fp) \|\| $fp eq '') {
	97	&$clear_node($node) if $clear;
	98	next;
	99	}
	100
	101	my $old_fp = $cert_cache_nodes->{$node};
	102	$cert_cache_fingerprints->{$fp} = 1;
	103	$cert_cache_nodes->{$node} = $fp;
	104
	105	if (defined($old_fp) && $fp ne $old_fp) {
	106	delete $cert_cache_fingerprints->{$old_fp};
	107	}
	108	}
	109	}
	110
	111	# load and cache cert fingerprint once
	112	sub initialize_cert_cache {
	113	my ($node) = @_;
	114
	115	update_cert_cache($node)
	116	if defined($node) && !defined($cert_cache_nodes->{$node});
	117	}
	118
	119	sub check_cert_fingerprint {
	120	my ($cert) = @_;
	121
	122	# clear cache every 30 minutes at least
	123	update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
	124
	125	# get fingerprint of server certificate
	126	my $fp;
	127	eval {
	128	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
	129	};
	130	return 0 if $@ \|\| !defined($fp) \|\| $fp eq ''; # error
	131
	132	my $check = sub {
	133	for my $expected (keys %$cert_cache_fingerprints) {
	134	return 1 if $fp eq $expected;
	135	}
	136	return 0;
	137	};
	138
	139	return 1 if &$check();
	140
	141	# clear cache and retry at most once every minute
142	if (time() - $cert_cache_timestamp >= 60) {
143	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
144	update_cert_cache();
145	return &$check();
146	}
147
148	return 0;
149	}
150
151	1;