package PMG::Ticket;

# Ticket handling for PMG: CSRF prevention tokens, RSA-signed session
# tickets ('PMG') and short-lived VNC tickets ('PMGVNC'). All of the
# cryptographic work is delegated to PVE::Ticket; this module only holds
# the key material, the secret and the lifetime windows used with it.

use strict;
use warnings;
use Net::SSLeay;    # not referenced in this file; presumably needed by PVE::Ticket/Crypt::OpenSSL::RSA — confirm
use Digest::SHA;    # sha1_base64, used to derive the CSRF secret

use PVE::Ticket;

use Crypt::OpenSSL::RSA;

# Validity window for session tickets and CSRF tokens, passed through to
# PVE::Ticket. The negative minimum tolerates clocks on the client side
# running up to five minutes ahead; the maximum bounds how long a ticket
# stays acceptable after it was issued.
my $min_ticket_lifetime = -(5 * 60);     # 5 minutes of clock drift
my $max_ticket_lifetime = 2 * 60 * 60;   # 2 hours

# fixme: the signing key is generated afresh every time this module is
# loaded, so tickets signed before a restart can no longer be verified.
# NOTE(review): if several processes load this module independently they
# would each hold a different key — confirm; a persistent per-installation
# key read from disk is presumably the intended replacement.
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);

## fixme: the CSRF secret is still derived from a hard-coded input (see
## below), so it is identical on every installation; it needs to come from
## a per-installation key file before this is used in earnest.
my $csrf_prevention_secret;

# Lazily derive and memoize the CSRF prevention secret. Returns the
# base64-encoded SHA-1 of the key input; every later call within this
# process returns the same value.
my $get_csrfr_secret = sub {
    return $csrf_prevention_secret if $csrf_prevention_secret;

    #my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
    my $input = "ABCD"; # fixme: placeholder key input, not a real secret
    $csrf_prevention_secret = Digest::SHA::sha1_base64($input);

    return $csrf_prevention_secret;
};


# Verify the CSRF prevention token $token for $username against the
# module-wide secret, using the session ticket lifetime window. $noerr is
# passed straight through to PVE::Ticket (presumably it selects a false
# return instead of die on failure — see PVE::Ticket for the contract).
sub verify_csrf_prevention_token {
    my ($username, $token, $noerr) = @_;

    return PVE::Ticket::verify_csrf_prevention_token(
        $get_csrfr_secret->(), $username, $token,
        $min_ticket_lifetime, $max_ticket_lifetime, $noerr);
}

# Build a CSRF prevention token for $username with the module-wide secret.
# The token format is defined by PVE::Ticket::assemble_csrf_prevention_token.
sub assemble_csrf_prevention_token {
    my ($username) = @_;

    return PVE::Ticket::assemble_csrf_prevention_token(
        $get_csrfr_secret->(), $username);
}

# Issue an RSA-signed session ticket of type 'PMG' for $username, signed
# with this module's key. No extra data is bound into the ticket.
sub assemble_ticket {
    my ($username) = @_;

    my $ticket = PVE::Ticket::assemble_rsa_ticket($rsa, 'PMG', $username);
    return $ticket;
}

# Verify a 'PMG' session ticket with this module's key and the session
# lifetime window. Returns whatever PVE::Ticket::verify_rsa_ticket returns
# (presumably the username); $noerr is passed through unchanged.
sub verify_ticket {
    my ($ticket, $noerr) = @_;

    my $secret_data = undef;    # session tickets carry no bound data

    return PVE::Ticket::verify_rsa_ticket(
        $rsa, 'PMG', $ticket, $secret_data,
        $min_ticket_lifetime, $max_ticket_lifetime, $noerr);
}

# VNC tickets
# - they do not contain the username in plain text
# - they are restricted to a specific resource path (example: '/vms/100')
# Issue a 'PMGVNC' ticket for $username restricted to $path. The username
# is not placed in the ticket itself; "$username:$path" is bound into the
# signature as secret data, so verification must supply the same pair.
# NOTE(review): the ':' separator is not escaped, so this assumes neither
# the username nor the path contains ':' — confirm against the callers.
sub assemble_vnc_ticket {
    my ($username, $path) = @_;

    my $secret_data = join(':', $username, $path);

    return PVE::Ticket::assemble_rsa_ticket(
        $rsa, 'PMGVNC', undef, $secret_data);
}

# Verify a 'PMGVNC' ticket against the expected $username and $path; the
# pair must match what assemble_vnc_ticket bound into the ticket. $noerr is
# passed through to PVE::Ticket unchanged.
sub verify_vnc_ticket {
    my ($ticket, $username, $path, $noerr) = @_;

    # VNC tickets use a much tighter window than session tickets: by
    # analogy with the module-wide window, 20 seconds of clock drift and
    # 40 seconds of validity.
    my $vnc_min_lifetime = -20;
    my $vnc_max_lifetime = 40;

    my $secret_data = join(':', $username, $path);

    return PVE::Ticket::verify_rsa_ticket(
        $rsa, 'PMGVNC', $ticket, $secret_data,
        $vnc_min_lifetime, $vnc_max_lifetime, $noerr);
}

1;    # a module must end with a true value