[pmg-api.git] / PMG / Cluster.pm

package PMG::Cluster;

use strict;
use warnings;

use Socket;
use PVE::Tools;
use PVE::INotify;

use PMG::ClusterConfig;

sub remote_node_ip {
    my ($nodename, $noerr) = @_;

    my $cinfo = PVE::INotify::read_file("cluster.conf");

    foreach my $entry (@{$cinfo->{ids}}) {
	if ($entry->{name} eq $nodename) {
	    my $ip = $entry->{ip};
	    return $ip if !wantarray;
	    my $family = PVE::Tools::get_host_address_family($ip);
	    return ($ip, $family);
	}
    }

    # fallback: try to get IP by other means
    return PMG::Utils::lookup_node_ip($nodename, $noerr);
}

sub get_master_node {
    my ($cinfo) = @_;

    $cinfo = PVE::INotify::read_file("cluster.conf");

    return $cinfo->{master}->{name} if defined($cinfo->{master});

    return 'localhost';
}

# X509 Certificate cache helper

my $cert_cache_nodes = {};
my $cert_cache_timestamp = time();
my $cert_cache_fingerprints = {};

sub update_cert_cache {
    my ($update_node, $clear) = @_;

    syslog('info', "Clearing outdated entries from certificate cache")
	if $clear;

    $cert_cache_timestamp = time() if !defined($update_node);

    my $node_list = defined($update_node) ?
	[ $update_node ] : [ keys %$cert_cache_nodes ];

    my $clear_node = sub {
	my ($node) = @_;
	if (my $old_fp = $cert_cache_nodes->{$node}) {
	    # distrust old fingerprint
	    delete $cert_cache_fingerprints->{$old_fp};
	    # ensure reload on next proxied request
	    delete $cert_cache_nodes->{$node};
	}
    };

    my $nodename = PVE::INotify::nodename();

    foreach my $node (@$node_list) {

	if ($node ne $nodename) {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $cert_path = "/etc/proxmox/pmg-api.pem";

	my $cert;
	eval {
	    my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
	    $cert = Net::SSLeay::PEM_read_bio_X509($bio);
	    Net::SSLeay::BIO_free($bio);
	};
	my $err = $@;
	if ($err || !defined($cert)) {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $fp;
	eval {
	    $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
	};
	$err = $@;
	if ($err || !defined($fp) || $fp eq '') {
	    &$clear_node($node) if $clear;
	    next;
	}

	my $old_fp = $cert_cache_nodes->{$node};
	$cert_cache_fingerprints->{$fp} = 1;
	$cert_cache_nodes->{$node} = $fp;

	if (defined($old_fp) && $fp ne $old_fp) {
	    delete $cert_cache_fingerprints->{$old_fp};
	}
    }
}

# load and cache cert fingerprint once
sub initialize_cert_cache {
    my ($node) = @_;

    update_cert_cache($node)
	if defined($node) && !defined($cert_cache_nodes->{$node});
}

sub check_cert_fingerprint {
    my ($cert) = @_;

    # clear cache every 30 minutes at least
    update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;

    # get fingerprint of server certificate
    my $fp;
    eval {
	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
    };
    return 0 if $@ || !defined($fp) || $fp eq ''; # error

    my $check = sub {
	for my $expected (keys %$cert_cache_fingerprints) {
	    return 1 if $fp eq $expected;
	}
	return 0;
    };

    return 1 if &$check();

    # clear cache and retry at most once every minute
    if (time() - $cert_cache_timestamp >= 60) {
	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
	update_cert_cache();
	return &$check();
    }

    return 0;
}

1;
Commit	Line	Data
0854fb22 DM	1	package PMG::Cluster;
	2
	3	use strict;
	4	use warnings;
	5
	6	use Socket;
	7	use PVE::Tools;
	8	use PVE::INotify;
	9
9f67f5b3	10	use PMG::ClusterConfig;
0854fb22	11
8737f93a DM	12	sub remote_node_ip {
	13	my ($nodename, $noerr) = @_;
	14
	15	my $cinfo = PVE::INotify::read_file("cluster.conf");
	16
9f67f5b3	17	foreach my $entry (@{$cinfo->{ids}}) {
8737f93a DM	18	if ($entry->{name} eq $nodename) {
	19	my $ip = $entry->{ip};
	20	return $ip if !wantarray;
	21	my $family = PVE::Tools::get_host_address_family($ip);
	22	return ($ip, $family);
	23	}
	24	}
	25
	26	# fallback: try to get IP by other means
9f67f5b3	27	return PMG::Utils::lookup_node_ip($nodename, $noerr);
8737f93a DM	28	}
8737f93a DM	29
d2e43f9e DM	30	sub get_master_node {
	31	my ($cinfo) = @_;
	32
9f67f5b3	33	$cinfo = PVE::INotify::read_file("cluster.conf");
d2e43f9e DM	34
	35	return $cinfo->{master}->{name} if defined($cinfo->{master});
	36
	37	return 'localhost';
	38	}
	39
0854fb22 DM	40	# X509 Certificate cache helper
	41
	42	my $cert_cache_nodes = {};
	43	my $cert_cache_timestamp = time();
	44	my $cert_cache_fingerprints = {};
	45
	46	sub update_cert_cache {
	47	my ($update_node, $clear) = @_;
	48
	49	syslog('info', "Clearing outdated entries from certificate cache")
	50	if $clear;
	51
	52	$cert_cache_timestamp = time() if !defined($update_node);
	53
	54	my $node_list = defined($update_node) ?
	55	[ $update_node ] : [ keys %$cert_cache_nodes ];
	56
	57	my $clear_node = sub {
	58	my ($node) = @_;
	59	if (my $old_fp = $cert_cache_nodes->{$node}) {
	60	# distrust old fingerprint
	61	delete $cert_cache_fingerprints->{$old_fp};
	62	# ensure reload on next proxied request
	63	delete $cert_cache_nodes->{$node};
	64	}
	65	};
	66
	67	my $nodename = PVE::INotify::nodename();
	68
	69	foreach my $node (@$node_list) {
	70
	71	if ($node ne $nodename) {
	72	&$clear_node($node) if $clear;
	73	next;
	74	}
	75
	76	my $cert_path = "/etc/proxmox/pmg-api.pem";
	77
	78	my $cert;
	79	eval {
	80	my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r');
	81	$cert = Net::SSLeay::PEM_read_bio_X509($bio);
	82	Net::SSLeay::BIO_free($bio);
	83	};
	84	my $err = $@;
	85	if ($err \|\| !defined($cert)) {
	86	&$clear_node($node) if $clear;
	87	next;
	88	}
	89
	90	my $fp;
	91	eval {
	92	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
	93	};
	94	$err = $@;
	95	if ($err \|\| !defined($fp) \|\| $fp eq '') {
	96	&$clear_node($node) if $clear;
	97	next;
	98	}
	99
	100	my $old_fp = $cert_cache_nodes->{$node};
	101	$cert_cache_fingerprints->{$fp} = 1;
	102	$cert_cache_nodes->{$node} = $fp;
	103
104	if (defined($old_fp) && $fp ne $old_fp) {
105	delete $cert_cache_fingerprints->{$old_fp};
106	}
107	}
108	}
109
110	# load and cache cert fingerprint once
111	sub initialize_cert_cache {
112	my ($node) = @_;
113
114	update_cert_cache($node)
115	if defined($node) && !defined($cert_cache_nodes->{$node});
116	}
117
118	sub check_cert_fingerprint {
119	my ($cert) = @_;
120
121	# clear cache every 30 minutes at least
122	update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
123
124	# get fingerprint of server certificate
125	my $fp;
126	eval {
127	$fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
128	};
129	return 0 if $@ \|\| !defined($fp) \|\| $fp eq ''; # error
130
131	my $check = sub {
132	for my $expected (keys %$cert_cache_fingerprints) {
133	return 1 if $fp eq $expected;
134	}
135	return 0;
136	};
137
138	return 1 if &$check();
139
140	# clear cache and retry at most once every minute
141	if (time() - $cert_cache_timestamp >= 60) {
142	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
143	update_cert_cache();
144	return &$check();
145	}
146
147	return 0;
148	}
149
150	1;