[pmg-api.git] / PMG / Ticket.pm

package PMG::Ticket;

use strict;
use warnings;
use Net::SSLeay;
use Digest::SHA;

use PVE::Ticket;

use Crypt::OpenSSL::RSA;

my $min_ticket_lifetime = -60*5; # allow 5 minutes time drift
my $max_ticket_lifetime = 60*60*2; # 2 hours

# fixme
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);

## fixme:
my $csrf_prevention_secret;
my $get_csrfr_secret = sub {
    if (!$csrf_prevention_secret) {
	#my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
	my $input = "ABCD"; # fixme
	$csrf_prevention_secret = Digest::SHA::sha1_base64($input);
    }
    return $csrf_prevention_secret;
};


sub verify_csrf_prevention_token {
    my ($username, $token, $noerr) = @_;

    my $secret =  &$get_csrfr_secret();

    return PVE::Ticket::verify_csrf_prevention_token(
	$secret, $username, $token, $min_ticket_lifetime, 
	$max_ticket_lifetime, $noerr);
}

sub assemble_csrf_prevention_token {
    my ($username) = @_;

    my $secret =  &$get_csrfr_secret();

    return PVE::Ticket::assemble_csrf_prevention_token ($secret, $username);
}

sub assemble_ticket {
    my ($username) = @_;

    return PVE::Ticket::assemble_rsa_ticket($rsa, 'PMG', $username);
}

sub verify_ticket {
    my ($ticket, $noerr) = @_;

    return PVE::Ticket::verify_rsa_ticket(
	$rsa, 'PMG', $ticket, undef,
	$min_ticket_lifetime, $max_ticket_lifetime, $noerr);
}

# VNC tickets
# - they do not contain the username in plain text
# - they are restricted to a specific resource path (example: '/vms/100')
sub assemble_vnc_ticket {
    my ($username, $path) = @_;

    my $secret_data = "$username:$path";

    return PVE::Ticket::assemble_rsa_ticket(
	$rsa, 'PMGVNC', undef, $secret_data);
}

sub verify_vnc_ticket {
    my ($ticket, $username, $path, $noerr) = @_;

    my $secret_data = "$username:$path";

    return PVE::Ticket::verify_rsa_ticket(
	$rsa, 'PMGVNC', $ticket, $secret_data, -20, 40, $noerr);
}

1;
Commit	Line	Data
1360e6f0 DM	1	package PMG::Ticket;
	2
	3	use strict;
	4	use warnings;
	5	use Net::SSLeay;
	6	use Digest::SHA;
	7
	8	use PVE::Ticket;
	9
	10	use Crypt::OpenSSL::RSA;
	11
	12	my $min_ticket_lifetime = -60*5; # allow 5 minutes time drift
	13	my $max_ticket_lifetime = 60602; # 2 hours
	14
	15	# fixme
	16	my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
	17
	18	## fixme:
	19	my $csrf_prevention_secret;
	20	my $get_csrfr_secret = sub {
	21	if (!$csrf_prevention_secret) {
	22	#my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
	23	my $input = "ABCD"; # fixme
	24	$csrf_prevention_secret = Digest::SHA::sha1_base64($input);
	25	}
	26	return $csrf_prevention_secret;
	27	};
	28
	29
	30	sub verify_csrf_prevention_token {
	31	my ($username, $token, $noerr) = @_;
	32
	33	my $secret = &$get_csrfr_secret();
	34
	35	return PVE::Ticket::verify_csrf_prevention_token(
	36	$secret, $username, $token, $min_ticket_lifetime,
	37	$max_ticket_lifetime, $noerr);
	38	}
	39
	40	sub assemble_csrf_prevention_token {
	41	my ($username) = @_;
	42
	43	my $secret = &$get_csrfr_secret();
	44
	45	return PVE::Ticket::assemble_csrf_prevention_token ($secret, $username);
	46	}
	47
	48	sub assemble_ticket {
	49	my ($username) = @_;
	50
	51	return PVE::Ticket::assemble_rsa_ticket($rsa, 'PMG', $username);
	52	}
	53
	54	sub verify_ticket {
	55	my ($ticket, $noerr) = @_;
	56
	57	return PVE::Ticket::verify_rsa_ticket(
	58	$rsa, 'PMG', $ticket, undef,
	59	$min_ticket_lifetime, $max_ticket_lifetime, $noerr);
	60	}
	61
	62	# VNC tickets
	63	# - they do not contain the username in plain text
	64	# - they are restricted to a specific resource path (example: '/vms/100')
65	sub assemble_vnc_ticket {
66	my ($username, $path) = @_;
67
68	my $secret_data = "$username:$path";
69
70	return PVE::Ticket::assemble_rsa_ticket(
71	$rsa, 'PMGVNC', undef, $secret_data);
72	}
73
74	sub verify_vnc_ticket {
75	my ($ticket, $username, $path, $noerr) = @_;
76
77	my $secret_data = "$username:$path";
78
79	return PVE::Ticket::verify_rsa_ticket(
80	$rsa, 'PMGVNC', $ticket, $secret_data, -20, 40, $noerr);
81	}
82
83	1;