[pmg-api.git] / PMG / Cluster.pm

package PMG::Cluster;

use strict;
use warnings;

use Socket;
use PVE::Tools;
use PVE::INotify;

# this is also used to get the IP of the local node
sub remote_node_ip {
    my ($nodename, $noerr) = @_;

    # todo: implement cluster node list

    # fallback: try to get IP by other means
    my ($family, $packed_ip);

    eval {
	my @res = PVE::Tools::getaddrinfo_all($nodename);
	$family = $res[0]->{family};
	$packed_ip = (PVE::Tools::unpack_sockaddr_in46($res[0]->{addr}))[2];
    };

    if ($@) {
	die "hostname lookup failed:\n$@" if !$noerr;
	return undef;
    }

    my $ip = Socket::inet_ntop($family, $packed_ip);
    if ($ip =~ m/^127\.|^::1$/) {
	die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
	return undef;
    }

    return wantarray ? ($ip, $family) : $ip;
}

# X509 Certificate cache helper

my $cert_cache_nodes = {};
my $cert_cache_timestamp = time();
my $cert_cache_fingerprints = {};

sub update_cert_cache {
    my ($update_node, $clear) = @_;

    syslog('info', "Clearing outdated entries from certificate cache")
	if $clear;

    $cert_cache_timestamp = time() if !defined($update_node);

    my $node_list = defined($update_node) ?
	[ $update_node ] : [ keys %$cert_cache_nodes ];

    my $clear_node = sub {
	my ($node) = @_;
	if (my $old_fp = $cert_cache_nodes->{$node}) {
	    # distrust old fingerprint
	    delete $cert_cache_fingerprints->{$old_fp};
	    # ensure reload on next proxied request
	    delete $cert_cache_nodes->{$node};
	}
    };

    my $nodename = PVE::INotify::nodename();

    foreach my $node (@$node_list) {

	if ($node ne $nodename) {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $cert_path = "/etc/proxmox/pmg-api.pem";

	my $cert;
	eval {
	    my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
	    $cert = Net::SSLeay::PEM_read_bio_X509($bio);
	    Net::SSLeay::BIO_free($bio);
	};
	my $err = $@;
	if ($err || !defined($cert)) {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $fp;
	eval {
	    $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
	};
	$err = $@;
	if ($err || !defined($fp) || $fp eq '') {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $old_fp = $cert_cache_nodes->{$node};
	$cert_cache_fingerprints->{$fp} = 1;
	$cert_cache_nodes->{$node} = $fp;

	if (defined($old_fp) && $fp ne $old_fp) {
	    delete $cert_cache_fingerprints->{$old_fp};
	}
    }
}

# load and cache cert fingerprint once
sub initialize_cert_cache {
    my ($node) = @_;

    update_cert_cache($node)
	if defined($node) && !defined($cert_cache_nodes->{$node});
}

sub check_cert_fingerprint {
    my ($cert) = @_;

    # clear cache every 30 minutes at least
    update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;

    # get fingerprint of server certificate
    my $fp;
    eval {
	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
    };
    return 0 if $@ || !defined($fp) || $fp eq ''; # error

    my $check = sub {
	for my $expected (keys %$cert_cache_fingerprints) {
	    return 1 if $fp eq $expected;
	}
	return 0;
    };

    return 1 if &$check();

    # clear cache and retry at most once every minute
    if (time() - $cert_cache_timestamp >= 60) {
	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
	update_cert_cache();
	return &$check();
    }

    return 0;
}

1;
Commit	Line	Data
0854fb22 DM	1	package PMG::Cluster;
	2
	3	use strict;
	4	use warnings;
	5
	6	use Socket;
	7	use PVE::Tools;
	8	use PVE::INotify;
	9
	10	# this is also used to get the IP of the local node
	11	sub remote_node_ip {
	12	my ($nodename, $noerr) = @_;
	13
	14	# todo: implement cluster node list
	15
	16	# fallback: try to get IP by other means
	17	my ($family, $packed_ip);
	18
	19	eval {
	20	my @res = PVE::Tools::getaddrinfo_all($nodename);
	21	$family = $res[0]->{family};
	22	$packed_ip = (PVE::Tools::unpack_sockaddr_in46($res[0]->{addr}))[2];
	23	};
	24
	25	if ($@) {
	26	die "hostname lookup failed:\n$@" if !$noerr;
	27	return undef;
	28	}
	29
	30	my $ip = Socket::inet_ntop($family, $packed_ip);
	31	if ($ip =~ m/^127\.\|^::1$/) {
	32	die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr;
	33	return undef;
	34	}
	35
	36	return wantarray ? ($ip, $family) : $ip;
	37	}
	38
	39	# X509 Certificate cache helper
	40
	41	my $cert_cache_nodes = {};
	42	my $cert_cache_timestamp = time();
	43	my $cert_cache_fingerprints = {};
	44
	45	sub update_cert_cache {
	46	my ($update_node, $clear) = @_;
	47
	48	syslog('info', "Clearing outdated entries from certificate cache")
	49	if $clear;
	50
	51	$cert_cache_timestamp = time() if !defined($update_node);
	52
	53	my $node_list = defined($update_node) ?
	54	[ $update_node ] : [ keys %$cert_cache_nodes ];
	55
	56	my $clear_node = sub {
	57	my ($node) = @_;
	58	if (my $old_fp = $cert_cache_nodes->{$node}) {
	59	# distrust old fingerprint
	60	delete $cert_cache_fingerprints->{$old_fp};
	61	# ensure reload on next proxied request
	62	delete $cert_cache_nodes->{$node};
	63	}
	64	};
65
66	my $nodename = PVE::INotify::nodename();
67
68	foreach my $node (@$node_list) {
69
70	if ($node ne $nodename) {
71	&$clear_node($node) if $clear;
72	next;
73	}
74
75	my $cert_path = "/etc/proxmox/pmg-api.pem";
76
77	my $cert;
78	eval {
79	my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
80	$cert = Net::SSLeay::PEM_read_bio_X509($bio);
81	Net::SSLeay::BIO_free($bio);
82	};
83	my $err = $@;
84	if ($err \|\| !defined($cert)) {
85	&$clear_node($node) if $clear;
86	next;
87	}
88
89	my $fp;
90	eval {
91	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
92	};
93	$err = $@;
94	if ($err \|\| !defined($fp) \|\| $fp eq '') {
95	&$clear_node($node) if $clear;
96	next;
97	}
98
99	my $old_fp = $cert_cache_nodes->{$node};
100	$cert_cache_fingerprints->{$fp} = 1;
101	$cert_cache_nodes->{$node} = $fp;
102
103	if (defined($old_fp) && $fp ne $old_fp) {
104	delete $cert_cache_fingerprints->{$old_fp};
105	}
106	}
107	}
108
109	# load and cache cert fingerprint once
110	sub initialize_cert_cache {
111	my ($node) = @_;
112
113	update_cert_cache($node)
114	if defined($node) && !defined($cert_cache_nodes->{$node});
115	}
116
117	sub check_cert_fingerprint {
118	my ($cert) = @_;
119
120	# clear cache every 30 minutes at least
121	update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
122
123	# get fingerprint of server certificate
124	my $fp;
125	eval {
126	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
127	};
128	return 0 if $@ \|\| !defined($fp) \|\| $fp eq ''; # error
129
130	my $check = sub {
131	for my $expected (keys %$cert_cache_fingerprints) {
132	return 1 if $fp eq $expected;
133	}
134	return 0;
135	};
136
137	return 1 if &$check();
138
139	# clear cache and retry at most once every minute
140	if (time() - $cert_cache_timestamp >= 60) {
141	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
142	update_cert_cache();
143	return &$check();
144	}
145
146	return 0;
147	}
148
149	1;