]>
Commit | Line | Data |
---|---|---|
21ace8d3 DM |
1 | package PVE::API2::Subscription; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use Digest::MD5 qw(md5_hex md5_base64); | |
6 | use MIME::Base64; | |
718427da | 7 | use Net::SSL; |
21ace8d3 DM |
8 | use HTTP::Request; |
9 | use LWP::UserAgent; | |
10 | use JSON; | |
11 | ||
12 | use PVE::Tools; | |
8f9217dc | 13 | use PVE::ProcFSTools; |
21ace8d3 DM |
14 | use PVE::Exception qw(raise_param_exc); |
15 | use PVE::INotify; | |
16 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
17 | use PVE::AccessControl; | |
18 | use PVE::Storage; | |
19 | use PVE::JSONSchema qw(get_standard_option); | |
20 | ||
21 | use PVE::SafeSyslog; | |
22 | ||
23 | use PVE::API2Tools; | |
24 | use PVE::RESTHandler; | |
25 | ||
26 | use base qw(PVE::RESTHandler); | |
27 | ||
5f7b7950 | 28 | PVE::INotify::register_file('subscription', "/etc/subscription", |
21ace8d3 DM |
29 | \&read_etc_pve_subscription, |
30 | \&write_etc_pve_subscription); | |
31 | ||
32 | # How long the local key is valid for in between remote checks | |
33 | my $localkeydays = 15; | |
34 | # How many days to allow after local key expiry before blocking | |
35 | # access if connection cannot be made | |
36 | my $allowcheckfaildays = 5; | |
37 | ||
38 | my $shared_key_data = "kjfdlskfhiuewhfk947368"; | |
21ace8d3 | 39 | |
21ace8d3 | 40 | sub get_sockets { |
8f9217dc DM |
41 | my $info = PVE::ProcFSTools::read_cpuinfo(); |
42 | return $info->{sockets}; | |
21ace8d3 DM |
43 | } |
44 | ||
45 | sub parse_key { | |
46 | my ($key) = @_; | |
47 | ||
48 | if ($key =~ m/^pve([124])([cbsp])-[0-9a-f]{10}$/) { | |
16b69b6c | 49 | return wantarray ? ($1, $2) : $1; # number of sockets, level |
21ace8d3 DM |
50 | } |
51 | return undef; | |
52 | } | |
53 | ||
bbb35128 DM |
54 | my $saved_fields = { |
55 | key => 1, | |
56 | checktime => 1, | |
57 | status => 1, | |
00a93a4b | 58 | message => 0, |
bbb35128 DM |
59 | validdirectory => 1, |
60 | productname => 1, | |
61 | regdate => 1, | |
62 | nextduedate => 1, | |
63 | }; | |
64 | ||
21ace8d3 DM |
65 | sub check_fields { |
66 | my ($info, $server_id, $req_sockets) = @_; | |
67 | ||
68 | foreach my $f (qw(status checktime key)) { | |
69 | if (!$info->{$f}) { | |
70 | die "Missing field '$f'\n"; | |
71 | } | |
72 | } | |
73 | ||
74 | my $sockets = parse_key($info->{key}); | |
75 | if (!$sockets) { | |
76 | die "Wrong subscription key format\n"; | |
77 | } | |
78 | if ($sockets < $req_sockets) { | |
79 | die "wrong number of sockets ($sockets < $req_sockets)\n"; | |
80 | } | |
81 | ||
82 | if ($info->{checktime} > time()) { | |
83 | die "Last check time in future.\n"; | |
84 | } | |
85 | ||
86 | return undef if $info->{status} ne 'Active'; | |
87 | ||
bbb35128 | 88 | foreach my $f (keys %$saved_fields) { |
00a93a4b | 89 | next if !$saved_fields->{$f}; |
21ace8d3 DM |
90 | if (!$info->{$f}) { |
91 | die "Missing field '$f'\n"; | |
92 | } | |
93 | } | |
94 | ||
95 | my $found; | |
7a95afb9 DM |
96 | foreach my $hwid (split(/,/, $info->{validdirectory})) { |
97 | if ($hwid eq $server_id) { | |
21ace8d3 DM |
98 | $found = 1; |
99 | last; | |
100 | } | |
101 | } | |
102 | die "Server ID does not match\n" if !$found; | |
103 | ||
104 | return undef; | |
105 | } | |
106 | ||
107 | sub read_etc_pve_subscription { | |
108 | my ($filename, $fh) = @_; | |
109 | ||
110 | my $info = { status => 'Invalid' }; | |
111 | ||
112 | my $key = <$fh>; # first line is the key | |
113 | chomp $key; | |
16b69b6c DM |
114 | my ($sockets, $level) = parse_key($key); |
115 | die "Wrong subscription key format\n" if !$sockets; | |
21ace8d3 DM |
116 | |
117 | my $csum = <$fh>; # second line is a checksum | |
118 | ||
119 | $info->{key} = $key; | |
120 | ||
121 | my $data = ''; | |
122 | while (defined(my $line = <$fh>)) { | |
123 | $data .= $line; | |
124 | } | |
125 | ||
126 | if ($csum && $data) { | |
127 | ||
128 | chomp $csum; | |
129 | ||
130 | my $localinfo = {}; | |
131 | ||
132 | eval { | |
133 | my $json_text = decode_base64($data); | |
134 | $localinfo = decode_json($json_text); | |
135 | my $newcsum = md5_base64($localinfo->{checktime} . $data . $shared_key_data); | |
136 | die "checksum failure\n" if $csum ne $newcsum; | |
137 | ||
138 | my $req_sockets = get_sockets(); | |
2ba6d822 | 139 | my $server_id = PVE::API2Tools::get_hwaddress(); |
21ace8d3 DM |
140 | |
141 | check_fields($localinfo, $server_id, $req_sockets); | |
142 | ||
143 | my $age = time() - $localinfo->{checktime}; | |
144 | ||
145 | my $maxage = ($localkeydays + $allowcheckfaildays)*60*60*24; | |
146 | if ($localinfo->{status} eq 'Active' && $age > $maxage) { | |
147 | $localinfo->{status} = 'Invalid'; | |
148 | $localinfo->{message} = "subscription info too old"; | |
149 | } | |
150 | }; | |
151 | if (my $err = $@) { | |
152 | warn $err; | |
153 | } else { | |
154 | $info = $localinfo; | |
155 | } | |
156 | } | |
157 | ||
16b69b6c DM |
158 | if ($info->{status} eq 'Active') { |
159 | $info->{level} = $level; | |
160 | } | |
161 | ||
21ace8d3 DM |
162 | return $info; |
163 | } | |
164 | ||
7b02d9ec DM |
165 | sub write_apt_auth { |
166 | my $key = shift; | |
167 | ||
2ba6d822 DM |
168 | my $server_id = PVE::API2Tools::get_hwaddress(); |
169 | my $auth = { 'enterprise.proxmox.com' => { login => $key, password => $server_id } }; | |
7b02d9ec DM |
170 | PVE::INotify::update_file('apt-auth', $auth); |
171 | ||
172 | } | |
173 | ||
21ace8d3 DM |
174 | sub write_etc_pve_subscription { |
175 | my ($filename, $fh, $info) = @_; | |
176 | ||
177 | if ($info->{status} eq 'New') { | |
178 | PVE::Tools::safe_print($filename, $fh, "$info->{key}\n"); | |
179 | return; | |
180 | } | |
181 | ||
182 | my $json = encode_json($info); | |
183 | my $data = encode_base64($json); | |
184 | my $csum = md5_base64($info->{checktime} . $data . $shared_key_data); | |
185 | ||
186 | my $raw = "$info->{key}\n$csum\n$data"; | |
187 | ||
188 | PVE::Tools::safe_print($filename, $fh, $raw); | |
7b02d9ec DM |
189 | |
190 | write_apt_auth($info->{key}); | |
21ace8d3 DM |
191 | } |
192 | ||
193 | sub check_subscription { | |
194 | my ($key) = @_; | |
195 | ||
00a93a4b | 196 | my $whmcsurl = "https://shop.maurer-it.com"; |
21ace8d3 DM |
197 | |
198 | my $uri = "$whmcsurl/modules/servers/licensing/verify.php"; | |
199 | ||
2ba6d822 | 200 | my $server_id = PVE::API2Tools::get_hwaddress(); |
21ace8d3 DM |
201 | |
202 | my $req_sockets = get_sockets(); | |
203 | ||
204 | my $check_token = time() . md5_hex(rand(8999999999) + 1000000000) . $key; | |
205 | ||
5f7b7950 DM |
206 | my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg'); |
207 | my $proxy = $dccfg->{http_proxy}; | |
208 | ||
21ace8d3 DM |
209 | my $params = { |
210 | licensekey => $key, | |
7a95afb9 DM |
211 | dir => $server_id, |
212 | domain => 'www.proxmox.com', | |
21ace8d3 DM |
213 | ip => 'localhost', |
214 | check_token => $check_token, | |
215 | }; | |
216 | ||
217 | my $req = HTTP::Request->new('POST' => $uri); | |
218 | $req->header('Content-Type' => 'application/x-www-form-urlencoded'); | |
219 | # We use a temporary URI object to format | |
220 | # the application/x-www-form-urlencoded content. | |
221 | my $url = URI->new('http:'); | |
222 | $url->query_form(%$params); | |
223 | my $content = $url->query; | |
224 | $req->header('Content-Length' => length($content)); | |
225 | $req->content($content); | |
226 | ||
00a93a4b | 227 | my $ua = LWP::UserAgent->new(protocols_allowed => ['https'], timeout => 30); |
446b9669 DM |
228 | $ua->ssl_opts(verify_hostname => 0); # don't care |
229 | ||
230 | # HACK: LWP does not use proxy 'CONNECT' for https | |
231 | local $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL"; | |
232 | local ($ENV{HTTPS_PROXY}, $ENV{HTTPS_PROXY_USERNAME}, $ENV{HTTPS_PROXY_PASSWORD}); | |
5f7b7950 DM |
233 | |
234 | if ($proxy) { | |
718427da DM |
235 | # some proxies reject connection if UserAgent header is not set |
236 | Net::SSL::send_useragent_to_proxy(1); | |
446b9669 DM |
237 | ($ENV{HTTPS_PROXY}, $ENV{HTTPS_PROXY_USERNAME}, $ENV{HTTPS_PROXY_PASSWORD}) = |
238 | PVE::API2Tools::parse_http_proxy($proxy); | |
239 | $ua->proxy(['http'], $proxy); | |
5f7b7950 DM |
240 | } else { |
241 | $ua->env_proxy; | |
242 | } | |
243 | ||
21ace8d3 DM |
244 | my $response = $ua->request($req); |
245 | my $code = $response->code; | |
246 | ||
247 | if ($code != 200) { | |
248 | my $msg = $response->message || 'unknown'; | |
249 | die "Invalid response from server: $code $msg\n"; | |
250 | } | |
251 | ||
252 | my $raw = $response->decoded_content; | |
253 | ||
254 | my $subinfo = {}; | |
255 | while ($raw =~ m/<(.*?)>([^<]+)<\/\1>/g) { | |
256 | my ($k, $v) = ($1, $2); | |
00a93a4b | 257 | next if !($k eq 'md5hash' || defined($saved_fields->{$k})); |
21ace8d3 DM |
258 | $subinfo->{$k} = $v; |
259 | } | |
260 | $subinfo->{checktime} = time(); | |
261 | $subinfo->{key} = $key; | |
262 | ||
00a93a4b DM |
263 | if ($subinfo->{message}) { |
264 | $subinfo->{message} =~ s/^Directory Invalid$/Invalid Server ID/; | |
265 | } | |
266 | ||
21ace8d3 | 267 | my $emd5sum = md5_hex($shared_key_data . $check_token); |
8ae35312 DM |
268 | if ($subinfo->{status} && $subinfo->{status} eq 'Active') { |
269 | if (!$subinfo->{md5hash} || ($subinfo->{md5hash} ne $emd5sum)) { | |
270 | die "MD5 Checksum Verification Failed\n"; | |
271 | } | |
21ace8d3 DM |
272 | } |
273 | ||
bbb35128 DM |
274 | delete $subinfo->{md5hash}; |
275 | ||
21ace8d3 DM |
276 | check_fields($subinfo, $server_id, $req_sockets); |
277 | ||
278 | return $subinfo; | |
279 | } | |
280 | ||
281 | __PACKAGE__->register_method ({ | |
282 | name => 'get', | |
283 | path => '', | |
284 | method => 'GET', | |
285 | description => "Read subscription info.", | |
286 | proxyto => 'node', | |
e721a829 | 287 | permissions => { user => 'all' }, |
21ace8d3 DM |
288 | parameters => { |
289 | additionalProperties => 0, | |
290 | properties => { | |
291 | node => get_standard_option('pve-node'), | |
292 | }, | |
293 | }, | |
294 | returns => { type => 'object'}, | |
295 | code => sub { | |
296 | my ($param) = @_; | |
297 | ||
2ba6d822 | 298 | my $server_id = PVE::API2Tools::get_hwaddress(); |
00a93a4b | 299 | |
21ace8d3 DM |
300 | my $info = PVE::INotify::read_file('subscription'); |
301 | if (!$info) { | |
302 | return { | |
303 | status => "NotFound", | |
304 | message => "There is no subscription key", | |
00a93a4b | 305 | serverid => $server_id, |
21ace8d3 DM |
306 | } |
307 | } | |
00a93a4b DM |
308 | |
309 | $info->{serverid} = $server_id; | |
310 | $info->{sockets} = get_sockets(); | |
311 | ||
21ace8d3 DM |
312 | return $info |
313 | }}); | |
314 | ||
315 | __PACKAGE__->register_method ({ | |
316 | name => 'update', | |
317 | path => '', | |
318 | method => 'POST', | |
319 | description => "Update subscription info.", | |
320 | proxyto => 'node', | |
321 | protected => 1, | |
322 | parameters => { | |
323 | additionalProperties => 0, | |
324 | properties => { | |
325 | node => get_standard_option('pve-node'), | |
326 | force => { | |
327 | description => "Always connect to server, even if we have up to date info inside local cache.", | |
328 | type => 'boolean', | |
329 | optional => 1, | |
330 | default => 0 | |
331 | } | |
332 | }, | |
333 | }, | |
334 | returns => { type => 'null'}, | |
335 | code => sub { | |
336 | my ($param) = @_; | |
337 | ||
338 | my $info = PVE::INotify::read_file('subscription'); | |
339 | return undef if !$info; | |
340 | ||
7b02d9ec DM |
341 | write_apt_auth($info->{key}) if $info->{key}; |
342 | ||
21ace8d3 DM |
343 | if (!$param->{force} && $info->{status} eq 'Active') { |
344 | my $age = time() - $info->{checktime}; | |
345 | return undef if $age < $localkeydays*60*60*24; | |
346 | } | |
347 | ||
348 | my $key = $info->{key}; | |
349 | ||
350 | $info = check_subscription($key); | |
351 | ||
352 | PVE::INotify::write_file('subscription', $info); | |
353 | ||
354 | return undef; | |
355 | }}); | |
356 | ||
357 | __PACKAGE__->register_method ({ | |
358 | name => 'set', | |
359 | path => '', | |
360 | method => 'PUT', | |
361 | description => "Set subscription key.", | |
362 | proxyto => 'node', | |
363 | protected => 1, | |
364 | parameters => { | |
365 | additionalProperties => 0, | |
366 | properties => { | |
367 | node => get_standard_option('pve-node'), | |
368 | key => { | |
369 | description => "Proxmox VE subscription key", | |
370 | type => 'string', | |
371 | }, | |
372 | }, | |
373 | }, | |
374 | returns => { type => 'null'}, | |
375 | code => sub { | |
376 | my ($param) = @_; | |
377 | ||
378 | my $info = { | |
379 | status => 'New', | |
380 | key => $param->{key}, | |
381 | checktime => time(), | |
382 | }; | |
383 | ||
384 | my $req_sockets = get_sockets(); | |
2ba6d822 | 385 | my $server_id = PVE::API2Tools::get_hwaddress(); |
21ace8d3 DM |
386 | |
387 | check_fields($info, $server_id, $req_sockets); | |
388 | ||
389 | PVE::INotify::write_file('subscription', $info); | |
390 | ||
391 | $info = check_subscription($param->{key}); | |
392 | ||
393 | PVE::INotify::write_file('subscription', $info); | |
394 | ||
395 | return undef; | |
396 | }}); | |
397 | ||
398 | 1; |