c2b94534 | 1 | use std::io::Write; |
db0cb9ce | 2 | use std::task::{Context, Poll}; |
d59dbeca | 3 | use std::sync::{Arc, Mutex}; |
597641fd | 4 | |
cf9271e2 | 5 | use chrono::Utc; |
7a57cb77 | 6 | use failure::*; |
82ab7230 | 7 | use futures::*; |
8 | use http::Uri; |
9 | use http::header::HeaderValue; | |
10 | use http::{Request, Response}; | |
11 | use hyper::Body; | |
1434f4f8 | 12 | use hyper::client::{Client, HttpConnector}; |
d59dbeca | 13 | use openssl::{ssl::{SslConnector, SslMethod}, x509::X509StoreContextRef}; |
ba3a60b2 | 14 | use serde_json::{json, Value}; |
8a1028e0 | 15 | use percent_encoding::percent_encode; |
7a57cb77 | 16 | use xdg::BaseDirectories; |
1fdb4c6f | 17 | |
18 | use proxmox::{ |
19 | sys::linux::tty, | |
20 | tools::{ | |
21 | fs::{file_get_json, replace_file, CreateOptions}, | |
22 | } | |
23 | }; |
24 | ||
7a57cb77 | 25 | use super::pipe_to_stream::PipeToSendStream; |
1434f4f8 | 26 | use crate::tools::async_io::EitherStream; |
501f4fa2 | 27 | use crate::tools::{self, BroadcastFuture, DEFAULT_ENCODE_SET}; |
986bef16 | 28 | |
/// Authentication data obtained from a successful login.
///
/// `ticket` and `token` are credentials: `ticket` is sent back to the
/// server as the `PBSAuthCookie` cookie, `token` as the
/// `CSRFPreventionToken` header (see `HttpClient::request`).
#[derive(Clone)]
pub struct AuthInfo {
    /// user name as returned by the server's login response
    pub username: String,
    /// bearer ticket (cookie value, percent-encoded when sent)
    pub ticket: String,
    /// CSRF prevention token accompanying the ticket
    pub token: String,
}
56458d97 | 35 | |
/// Builder-style options for `HttpClient::new`.
///
/// All setters consume and return `self`, so they chain:
/// `HttpClientOptions::new().interactive(true).verify_cert(false)`.
pub struct HttpClientOptions {
    /// XDG prefix under which the ticket and fingerprint caches live;
    /// both caches stay disabled while this is `None`
    prefix: Option<String>,
    /// password to log in with; when absent a cached ticket or an
    /// interactive prompt is used instead
    password: Option<String>,
    /// expected server certificate fingerprint; a fingerprint given here
    /// is never written to the fingerprint cache
    fingerprint: Option<String>,
    /// allow prompting on the terminal (password, certificate trust)
    interactive: bool,
    /// read/write login tickets from/to the runtime-dir ticket cache
    ticket_cache: bool,
    /// read/write accepted certificate fingerprints from/to the config-dir cache
    fingerprint_cache: bool,
    /// verify the server certificate (default `true`)
    verify_cert: bool,
}

impl HttpClientOptions {

    /// Options with everything off except certificate verification.
    pub fn new() -> Self {
        HttpClientOptions {
            prefix: None,
            password: None,
            fingerprint: None,
            interactive: false,
            ticket_cache: false,
            fingerprint_cache: false,
            verify_cert: true,
        }
    }

    /// Set the XDG prefix used for the caches.
    pub fn prefix(self, prefix: Option<String>) -> Self {
        Self { prefix, ..self }
    }

    /// Set the login password.
    pub fn password(self, password: Option<String>) -> Self {
        Self { password, ..self }
    }

    /// Set the expected server certificate fingerprint.
    pub fn fingerprint(self, fingerprint: Option<String>) -> Self {
        Self { fingerprint, ..self }
    }

    /// Allow or forbid terminal prompts.
    pub fn interactive(self, interactive: bool) -> Self {
        Self { interactive, ..self }
    }

    /// Enable or disable the ticket cache.
    pub fn ticket_cache(self, ticket_cache: bool) -> Self {
        Self { ticket_cache, ..self }
    }

    /// Enable or disable the fingerprint cache.
    pub fn fingerprint_cache(self, fingerprint_cache: bool) -> Self {
        Self { fingerprint_cache, ..self }
    }

    /// Enable or disable server certificate verification.
    pub fn verify_cert(self, verify_cert: bool) -> Self {
        Self { verify_cert, ..self }
    }
}
95 | ||
/// HTTP(S) API client
pub struct HttpClient {
    /// hyper client wired to the TLS-aware connector built in `new()`
    client: Client<HttpsConnector>,
    /// host name or address of the API server (port 8007 is appended by the request builders)
    server: String,
    /// fingerprint of the peer certificate accepted by pin match or interactive
    /// confirmation; `None` until such a handshake happened (see `fingerprint()`)
    fingerprint: Arc<Mutex<Option<String>>>,
    /// deferred login; `login()` listens on it, presumably so that concurrent
    /// callers share one login request - confirm against BroadcastFuture
    auth: BroadcastFuture<AuthInfo>,
    /// options the client was created with (kept, currently unused after construction)
    _options: HttpClientOptions,
}
104 | ||
/// Delete stored ticket data (logout)
///
/// Removes the `username` entry for `server` from the ticket cache in the
/// XDG runtime directory and rewrites the file with mode 0600. A missing
/// cache file is treated as an empty object.
pub fn delete_ticket_info(prefix: &str, server: &str, username: &str) -> Result<(), Error> {
    let base = BaseDirectories::with_prefix(prefix)?;

    // usually /run/user/<uid>/...
    let path = base.place_runtime_file("tickets")?;

    // tickets are credentials - owner read/write only
    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);

    let mut data = file_get_json(&path, Some(json!({})))?;

    // note: indexing a mutable Value inserts `null` for an unknown server
    match data[server].as_object_mut() {
        Some(users) => { users.remove(username); }
        None => {}
    }

    let contents = data.to_string();
    replace_file(path, contents.as_bytes(), CreateOptions::new().perm(mode))?;

    Ok(())
}
125 | ||
/// Remember `fingerprint` as the accepted certificate fingerprint of `server`.
///
/// The cache is a text file with one `<server> <fingerprint>` pair per line.
/// Any previous line for `server` is dropped; lines that do not consist of
/// exactly two whitespace-separated items are dropped as well. The file is
/// written with `CreateOptions::new()` defaults (no explicit mode) - it holds
/// trust anchors, not secrets, but whoever can write it can pin a different
/// certificate.
fn store_fingerprint(prefix: &str, server: &str, fingerprint: &str) -> Result<(), Error> {
    let base = BaseDirectories::with_prefix(prefix)?;

    // usually ~/.config/<prefix>/fingerprints
    let path = base.place_config_file("fingerprints")?;

    let raw = match std::fs::read_to_string(&path) {
        Ok(contents) => contents,
        // a missing cache simply means "nothing stored yet"
        Err(ref err) if err.kind() == std::io::ErrorKind::NotFound => String::new(),
        Err(err) => bail!("unable to read fingerprints from {:?} - {}", path, err),
    };

    let mut result = String::new();

    for line in raw.split('\n') {
        let mut items = line.split_whitespace();
        let keep = match (items.next(), items.next(), items.next()) {
            // well-formed entry for another server: carry it over unchanged
            (Some(host), Some(_), None) => host != server,
            // entry for this server (replaced below) or malformed line
            _ => false,
        };
        if keep {
            result.push_str(line);
            result.push('\n');
        }
    }

    result.push_str(server);
    result.push(' ');
    result.push_str(fingerprint);
    result.push('\n');

    replace_file(path, result.as_bytes(), CreateOptions::new())?;

    Ok(())
}
167 | ||
/// Look up the cached certificate fingerprint for `server`.
///
/// Reads `~/.config/<prefix>/fingerprints` (one `<server> <fingerprint>`
/// pair per line) and returns the fingerprint of the first matching line.
/// Every failure (no XDG dirs, unreadable file, no entry) yields `None`.
fn load_fingerprint(prefix: &str, server: &str) -> Option<String> {
    let base = BaseDirectories::with_prefix(prefix).ok()?;

    // usually ~/.config/<prefix>/fingerprints
    let path = base.place_config_file("fingerprints").ok()?;

    let raw = std::fs::read_to_string(&path).ok()?;

    raw.split('\n').find_map(|line| {
        let mut items = line.split_whitespace();
        match (items.next(), items.next(), items.next()) {
            // exactly two items and the first one names our server
            (Some(host), Some(fp), None) if host == server => Some(fp.to_owned()),
            _ => None,
        }
    })
}
188 | ||
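/// Store a fresh login ticket for `username` at `server` in the ticket cache.
///
/// While rewriting the cache, every entry (for any server and user) whose
/// `timestamp` is older than the ticket lifetime is dropped. The file lives
/// in the XDG runtime directory and is written with mode 0600 because the
/// tickets are bearer credentials.
fn store_ticket_info(prefix: &str, server: &str, username: &str, ticket: &str, token: &str) -> Result<(), Error> {

    let base = BaseDirectories::with_prefix(prefix)?;

    // usually /run/user/<uid>/...
    let path = base.place_runtime_file("tickets")?;

    let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);

    let mut data = file_get_json(&path, Some(json!({})))?;

    let now = Utc::now().timestamp();

    data[server][username] = json!({ "timestamp": now, "ticket": ticket, "token": token});

    let mut new_data = json!({});

    // keep a safety margin so a cached ticket is not used right at its expiry
    let ticket_lifetime = tools::ticket::TICKET_LIFETIME - 60;

    let empty = serde_json::map::Map::new();
    for (server, info) in data.as_object().unwrap_or(&empty) {
        for (user, uinfo) in info.as_object().unwrap_or(&empty) {
            if let Some(timestamp) = uinfo["timestamp"].as_i64() {
                let age = now - timestamp;
                if age < ticket_lifetime {
                    // key by the entry's own user (not the `username` being
                    // stored), otherwise other users' tickets are collapsed
                    // into - and overwritten under - the current user's key
                    new_data[server][user] = uinfo.clone();
                }
            }
        }
    }

    replace_file(path, new_data.to_string().as_bytes(), CreateOptions::new().perm(mode))?;

    Ok(())
}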
224 | ||
/// Fetch the cached `(ticket, token)` pair for `username` at `server`.
///
/// Returns `None` when the cache cannot be read, has no such entry, the
/// entry lacks a usable `timestamp`/`ticket`/`token`, or the entry is
/// older than the ticket lifetime (minus a 60 second margin).
fn load_ticket_info(prefix: &str, server: &str, username: &str) -> Option<(String, String)> {
    let base = BaseDirectories::with_prefix(prefix).ok()?;

    // usually /run/user/<uid>/...
    let path = base.place_runtime_file("tickets").ok()?;
    let data = file_get_json(&path, None).ok()?;

    let uinfo = data[server][username].as_object()?;
    let timestamp = uinfo["timestamp"].as_i64()?;

    let ticket_lifetime = tools::ticket::TICKET_LIFETIME - 60;
    let age = Utc::now().timestamp() - timestamp;
    if age >= ticket_lifetime {
        // stale entry - caller has to log in again
        return None;
    }

    let ticket = uinfo["ticket"].as_str()?.to_owned();
    let token = uinfo["token"].as_str()?.to_owned();
    Some((ticket, token))
}
245 | ||
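impl HttpClient {

    /// Create a client for `server`, logging in as `username`.
    ///
    /// Sets up the TLS connector (certificate verification, fingerprint
    /// pinning, optional interactive trust prompt), picks the password
    /// (explicit option, cached ticket, or terminal prompt) and prepares
    /// the login request. The login itself runs lazily on first use, see
    /// [`HttpClient::login`].
    ///
    /// # Errors
    ///
    /// Fails when the OpenSSL connector cannot be built, or when no
    /// password source is available (no `password` option, no valid cached
    /// ticket, and no interactive TTY).
    pub fn new(server: &str, username: &str, mut options: HttpClientOptions) -> Result<Self, Error> {

        let verified_fingerprint = Arc::new(Mutex::new(None));

        let mut fingerprint = options.fingerprint.take();

        if fingerprint.is_some() {
            // do not store fingerprints passed via options in cache
            options.fingerprint_cache = false;
        } else if options.fingerprint_cache {
            if let Some(prefix) = options.prefix.as_deref() {
                fingerprint = load_fingerprint(prefix, server);
            }
        }

        // an OpenSSL error stack here is an environment problem, not a bug
        // in the caller - report it instead of panicking
        let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?;

        if options.verify_cert {
            let server = server.to_string();
            let verified_fingerprint = verified_fingerprint.clone();
            let interactive = options.interactive;
            let fingerprint_cache = options.fingerprint_cache;
            let prefix = options.prefix.clone();
            ssl_connector_builder.set_verify_callback(openssl::ssl::SslVerifyMode::PEER, move |valid, ctx| {
                let (valid, fingerprint) = Self::verify_callback(valid, ctx, fingerprint.clone(), interactive);
                if valid {
                    // `fingerprint` is only `Some` when the certificate was
                    // accepted by pin match or interactive confirmation, never
                    // when it validated against the trust store
                    if let Some(fingerprint) = fingerprint {
                        if fingerprint_cache {
                            if let Some(prefix) = prefix.as_deref() {
                                if let Err(err) = store_fingerprint(prefix, &server, &fingerprint) {
                                    eprintln!("{}", err);
                                }
                            }
                        }
                        *verified_fingerprint.lock().unwrap() = Some(fingerprint);
                    }
                }
                valid
            });
        } else {
            // neither the certificate chain nor the host name is checked in
            // this mode - the connection can be intercepted, so it must stay
            // an explicit opt-in via `verify_cert(false)`
            ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE);
        }

        let mut httpc = hyper::client::HttpConnector::new();
        httpc.set_nodelay(true); // important for h2 download performance!
        httpc.set_recv_buffer_size(Some(1024*1024)); //important for h2 download performance!
        httpc.enforce_http(false); // we want https...

        let https = HttpsConnector::with_connector(httpc, ssl_connector_builder.build());

        let client = Client::builder()
            //.http2_initial_stream_window_size( (1 << 31) - 2)
            //.http2_initial_connection_window_size( (1 << 31) - 2)
            .build::<_, Body>(https);

        let use_ticket_cache = options.ticket_cache && options.prefix.is_some();

        // password precedence: explicit option, then cached ticket, then prompt
        let password = match options.password.take() {
            Some(password) => password,
            None => {
                let cached = match options.prefix.as_deref() {
                    Some(prefix) if use_ticket_cache => load_ticket_info(prefix, server, username),
                    _ => None,
                };
                match cached {
                    // a still valid ticket can be used in place of the password
                    Some((ticket, _token)) => ticket,
                    None => Self::get_password(username, options.interactive)?,
                }
            }
        };

        let login_future = Self::credentials(
            client.clone(),
            server.to_owned(),
            username.to_owned(),
            password,
        ).map_ok({
            let server = server.to_string();
            let prefix = options.prefix.clone();

            move |auth| {
                if use_ticket_cache {
                    if let Some(prefix) = prefix.as_deref() {
                        // best effort: a failing cache write must not fail the login
                        let _ = store_ticket_info(prefix, &server, &auth.username, &auth.ticket, &auth.token);
                    }
                }

                auth
            }
        });

        Ok(Self {
            client,
            server: String::from(server),
            fingerprint: verified_fingerprint,
            auth: BroadcastFuture::new(Box::new(login_future)),
            _options: options,
        })
    }

    /// Login
    ///
    /// Login is done on demand, so this is only required if you need
    /// access to authentication data in 'AuthInfo'.
    pub async fn login(&self) -> Result<AuthInfo, Error> {
        self.auth.listen().await
    }

    /// Returns the SHA-256 fingerprint (`aa:bb:...` form) of the server
    /// certificate that the verify callback accepted by fingerprint match
    /// or interactive confirmation.
    ///
    /// This is `None` until such a handshake has happened; it stays `None`
    /// when the certificate validated against the trust store (no
    /// fingerprint is recorded then) and when `verify_cert` is disabled.
    pub fn fingerprint(&self) -> Option<String> {
        self.fingerprint.lock().unwrap().clone()
    }

    /// Ask the user for the password on the terminal.
    ///
    /// Only possible when `interactive` is set and stdin is a TTY;
    /// otherwise this fails with "no password input mechanism available".
    fn get_password(username: &str, interactive: bool) -> Result<String, Error> {
        // If we're on a TTY, query the user for a password
        if interactive && tty::stdin_isatty() {
            let msg = format!("Password for \"{}\": ", username);
            return Ok(String::from_utf8(tty::read_password(&msg)?)?);
        }

        bail!("no password input mechanism available");
    }

    /// OpenSSL verify callback with fingerprint pinning and trust-on-first-use.
    ///
    /// Returns `(accept, fingerprint)`. `fingerprint` is `Some` only when the
    /// certificate was accepted by this function itself (pin match or user
    /// confirmation); a certificate OpenSSL already considers valid is
    /// passed through with `(true, None)`.
    ///
    /// Only the leaf certificate (error depth 0) can be rescued this way; an
    /// invalid intermediate is always rejected. `expected_fingerprint` must
    /// be in the same colon-separated hex form this function computes; it is
    /// compared case-insensitively.
    fn verify_callback(
        valid: bool,
        ctx: &mut X509StoreContextRef,
        expected_fingerprint: Option<String>,
        interactive: bool,
    ) -> (bool, Option<String>) {
        if valid { return (true, None); }

        let cert = match ctx.current_cert() {
            Some(cert) => cert,
            None => return (false, None),
        };

        // only the server certificate itself may be overridden
        let depth = ctx.error_depth();
        if depth != 0 { return (false, None); }

        let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
            Ok(fp) => fp,
            Err(_) => return (false, None), // should not happen
        };
        let fp_string = proxmox::tools::digest_to_hex(&fp);
        // "aabb..." -> "aa:bb:..."
        let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
            .collect::<Vec<&str>>().join(":");

        if let Some(expected_fingerprint) = expected_fingerprint {
            // a pinned fingerprint decides on its own - no prompt in this case
            if expected_fingerprint.to_lowercase() == fp_string {
                return (true, Some(fp_string));
            } else {
                return (false, None);
            }
        }

        // If we're on a TTY, query the user
        if interactive && tty::stdin_isatty() {
            println!("fingerprint: {}", fp_string);
            loop {
                print!("Want to trust? (y/n): ");
                let _ = std::io::stdout().flush();
                let mut buf = [0u8; 1];
                use std::io::Read;
                match std::io::stdin().read_exact(&mut buf) {
                    Ok(()) => {
                        if buf[0] == b'y' || buf[0] == b'Y' {
                            return (true, Some(fp_string));
                        } else if buf[0] == b'n' || buf[0] == b'N' {
                            return (false, None);
                        }
                        // any other byte: ask again
                    }
                    Err(_) => {
                        return (false, None);
                    }
                }
            }
        }
        (false, None)
    }

    /// Build the `Cookie` header value carrying the percent-encoded ticket.
    fn auth_cookie(ticket: &str) -> Result<HeaderValue, Error> {
        let enc_ticket = format!("PBSAuthCookie={}", percent_encode(ticket.as_bytes(), DEFAULT_ENCODE_SET));
        Ok(HeaderValue::from_str(&enc_ticket)?)
    }

    /// Send an authenticated request and decode the JSON response.
    ///
    /// Adds the ticket cookie and the CSRF token header (both obtained via
    /// [`HttpClient::login`]) to `req` before sending it.
    pub async fn request(&self, mut req: Request<Body>) -> Result<Value, Error> {

        let client = self.client.clone();

        let auth = self.login().await?;

        // the token comes from the server; reject a malformed one instead of panicking
        req.headers_mut().insert("Cookie", Self::auth_cookie(&auth.ticket)?);
        req.headers_mut().insert("CSRFPreventionToken", HeaderValue::from_str(&auth.token)?);

        Self::api_request(client, req).await
    }

    /// Authenticated GET; `data` is encoded into the query string.
    pub async fn get(
        &self,
        path: &str,
        data: Option<Value>,
    ) -> Result<Value, Error> {
        let req = Self::request_builder(&self.server, "GET", path, data)?;
        self.request(req).await
    }

    /// Authenticated DELETE; `data` is encoded into the query string.
    pub async fn delete(
        &mut self,
        path: &str,
        data: Option<Value>,
    ) -> Result<Value, Error> {
        let req = Self::request_builder(&self.server, "DELETE", path, data)?;
        self.request(req).await
    }

    /// Authenticated POST; `data` is sent as JSON body.
    pub async fn post(
        &mut self,
        path: &str,
        data: Option<Value>,
    ) -> Result<Value, Error> {
        let req = Self::request_builder(&self.server, "POST", path, data)?;
        self.request(req).await
    }

    /// Authenticated GET that streams the raw response body into `output`.
    ///
    /// Unlike [`HttpClient::request`] only the ticket cookie is sent (no
    /// CSRF token). A non-success status is turned into an error carrying
    /// the response text.
    pub async fn download(
        &mut self,
        path: &str,
        output: &mut (dyn Write + Send),
    ) -> Result<(), Error> {
        let mut req = Self::request_builder(&self.server, "GET", path, None)?;

        let client = self.client.clone();

        let auth = self.login().await?;

        req.headers_mut().insert("Cookie", Self::auth_cookie(&auth.ticket)?);

        let resp = client.request(req).await?;
        let status = resp.status();
        if !status.is_success() {
            // api_response fails for every non-success status; the bail!
            // below only guards against that contract changing
            Self::api_response(resp).await?;
            bail!("unknown error");
        }

        resp.into_body()
            .map_err(Error::from)
            .try_fold(output, move |acc, chunk| async move {
                acc.write_all(&chunk)?;
                Ok::<_, Error>(acc)
            })
            .await?;

        Ok(())
    }

    /// Authenticated POST with a caller-provided body and content type.
    ///
    /// `data` is encoded into the query string because the body is taken
    /// by the upload payload.
    pub async fn upload(
        &mut self,
        content_type: &str,
        body: Body,
        path: &str,
        data: Option<Value>,
    ) -> Result<Value, Error> {

        let path = path.trim_matches('/');
        let mut url = format!("https://{}:8007/{}", &self.server, path);

        if let Some(data) = data {
            let query = tools::json_object_to_query(data)?;
            url.push('?');
            url.push_str(&query);
        }

        let url: Uri = url.parse()?;

        let req = Request::builder()
            .method("POST")
            .uri(url)
            .header("User-Agent", "proxmox-backup-client/1.0")
            .header("Content-Type", content_type)
            .body(body)?;

        self.request(req).await
    }

    /// Upgrade `req` to an HTTP/2 connection speaking `protocol_name`.
    ///
    /// Sends the ticket cookie plus an `UPGRADE` header, expects
    /// `101 Switching Protocols`, then performs the h2 client handshake on
    /// the upgraded stream. The connection driver is spawned as a tokio
    /// task; the returned `AbortHandle` cancels it.
    pub async fn start_h2_connection(
        &self,
        mut req: Request<Body>,
        protocol_name: String,
    ) -> Result<(H2Client, futures::future::AbortHandle), Error> {

        let auth = self.login().await?;
        let client = self.client.clone();

        req.headers_mut().insert("Cookie", Self::auth_cookie(&auth.ticket)?);
        req.headers_mut().insert("UPGRADE", HeaderValue::from_str(&protocol_name)?);

        let resp = client.request(req).await?;
        let status = resp.status();

        if status != http::StatusCode::SWITCHING_PROTOCOLS {
            Self::api_response(resp).await?;
            bail!("unknown error");
        }

        let upgraded = resp
            .into_body()
            .on_upgrade()
            .await?;

        let max_window_size = (1 << 31) - 2;

        let (h2, connection) = h2::client::Builder::new()
            .initial_connection_window_size(max_window_size)
            .initial_window_size(max_window_size)
            .max_frame_size(4*1024*1024)
            .handshake(upgraded)
            .await?;

        // a broken connection driver panics inside the spawned task, which
        // tokio reports; the request side sees the failure via its futures
        let connection = connection
            .map_err(|_| panic!("HTTP/2.0 connection failed"));

        let (connection, abort) = futures::future::abortable(connection);
        // A cancellable future returns an Option which is None when cancelled and
        // Some when it finished instead, since we don't care about the return type we
        // need to map it away:
        let connection = connection.map(|_| ());

        // Spawn a new task to drive the connection state
        tokio::spawn(connection);

        // Wait until the `SendRequest` handle has available capacity.
        let c = h2.ready().await?;
        Ok((H2Client::new(c), abort))
    }

    /// Perform the login request and extract the credentials.
    async fn credentials(
        client: Client<HttpsConnector>,
        server: String,
        username: String,
        password: String,
    ) -> Result<AuthInfo, Error> {
        let data = json!({ "username": username, "password": password });
        let req = Self::request_builder(&server, "POST", "/api2/json/access/ticket", Some(data))?;
        let cred = Self::api_request(client, req).await?;

        // the response is server-controlled: a missing or non-string field
        // is an error, not a panic
        let field = |name: &str| -> Result<String, Error> {
            cred["data"][name]
                .as_str()
                .map(str::to_owned)
                .ok_or_else(|| format_err!("login response lacks string field '{}'", name))
        };

        Ok(AuthInfo {
            username: field("username")?,
            ticket: field("ticket")?,
            token: field("CSRFPreventionToken")?,
        })
    }

    /// Read the whole response body and decode it as JSON.
    ///
    /// A non-success status becomes `HTTP Error <status>: <body>`; an
    /// empty successful body yields `Value::Null`.
    async fn api_response(response: Response<Body>) -> Result<Value, Error> {
        let status = response.status();
        let data = hyper::body::to_bytes(response.into_body()).await?;

        // body is server-controlled; invalid UTF-8 is an error, not a panic
        let text = String::from_utf8(data.to_vec())?;
        if !status.is_success() {
            bail!("HTTP Error {}: {}", status, text);
        }
        if text.is_empty() {
            Ok(Value::Null)
        } else {
            let value: Value = serde_json::from_str(&text)?;
            Ok(value)
        }
    }

    /// Send `req` with `client` and decode the response via `api_response`.
    async fn api_request(
        client: Client<HttpsConnector>,
        req: Request<Body>
    ) -> Result<Value, Error> {

        client.request(req)
            .map_err(Error::from)
            .and_then(Self::api_response)
            .await
    }

    // Read-only access to server property
    pub fn server(&self) -> &str {
        &self.server
    }

    /// Build a request against `https://<server>:8007/<path>`.
    ///
    /// For `POST`, `data` is sent as a JSON body; for every other method it
    /// is encoded into the query string. Without `data` an empty body is
    /// sent. Leading and trailing slashes of `path` are stripped.
    pub fn request_builder(server: &str, method: &str, path: &str, data: Option<Value>) -> Result<Request<Body>, Error> {
        let path = path.trim_matches('/');
        let base = format!("https://{}:8007/{}", server, path);

        let (url, content_type, body) = match data {
            Some(data) if method == "POST" => (
                base,
                "application/json",
                Body::from(data.to_string()),
            ),
            Some(data) => {
                let query = tools::json_object_to_query(data)?;
                (
                    format!("{}?{}", base, query),
                    "application/x-www-form-urlencoded",
                    Body::empty(),
                )
            }
            None => (base, "application/x-www-form-urlencoded", Body::empty()),
        };

        let url: Uri = url.parse()?;
        let request = Request::builder()
            .method(method)
            .uri(url)
            .header("User-Agent", "proxmox-backup-client/1.0")
            .header(hyper::header::CONTENT_TYPE, content_type)
            .body(body)?;

        Ok(request)
    }
}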
b57cb264 | 664 | |
/// Client side of an upgraded HTTP/2 connection (see
/// `HttpClient::start_h2_connection`).
///
/// Cloning is cheap: the wrapped `SendRequest` handle is itself clonable
/// and is cloned before every request.
#[derive(Clone)]
pub struct H2Client {
    /// h2 request handle; request bodies are sent as `bytes::Bytes`
    h2: h2::client::SendRequest<bytes::Bytes>,
}
670 | ||
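impl H2Client {

    /// Wrap an established h2 `SendRequest` handle.
    pub fn new(h2: h2::client::SendRequest<bytes::Bytes>) -> Self {
        Self { h2 }
    }

    /// GET `path`; `param` is encoded into the query string.
    pub async fn get(
        &self,
        path: &str,
        param: Option<Value>
    ) -> Result<Value, Error> {
        let req = Self::request_builder("localhost", "GET", path, param, None)?;
        self.request(req).await
    }

    /// PUT `path`; `param` is encoded into the query string.
    pub async fn put(
        &self,
        path: &str,
        param: Option<Value>
    ) -> Result<Value, Error> {
        let req = Self::request_builder("localhost", "PUT", path, param, None)?;
        self.request(req).await
    }

    /// POST `path`; `param` is encoded into the query string.
    pub async fn post(
        &self,
        path: &str,
        param: Option<Value>
    ) -> Result<Value, Error> {
        let req = Self::request_builder("localhost", "POST", path, param, None)?;
        self.request(req).await
    }

    /// GET `path` and stream the raw body into `output`, returning it.
    ///
    /// A non-success status is turned into an error carrying the response
    /// text (via `h2api_response`).
    pub async fn download<W: Write + Send>(
        &self,
        path: &str,
        param: Option<Value>,
        mut output: W,
    ) -> Result<W, Error> {
        let request = Self::request_builder("localhost", "GET", path, param, None)?;

        let response_future = self.send_request(request, None).await?;

        let resp = response_future.await?;

        let status = resp.status();
        if !status.is_success() {
            // h2api_response fails for every non-success status; the bail!
            // below only guards against that contract changing
            H2Client::h2api_response(resp).await?;
            bail!("HTTP Error {}", status);
        }

        let mut body = resp.into_body();
        while let Some(chunk) = body.data().await {
            let chunk = chunk?;
            // hand the consumed bytes back to the h2 flow-control window
            body.flow_control().release_capacity(chunk.len())?;
            output.write_all(&chunk)?;
        }

        Ok(output)
    }

    /// Send `data` as request body (`method` is POST or PUT) and decode the
    /// JSON response; `param` goes into the query string.
    pub async fn upload(
        &self,
        method: &str, // POST or PUT
        path: &str,
        param: Option<Value>,
        content_type: &str,
        data: Vec<u8>,
    ) -> Result<Value, Error> {
        let request = Self::request_builder("localhost", method, path, param, Some(content_type))?;

        self.request_with(request, Some(bytes::Bytes::from(data))).await
    }

    /// Send `request` with an optional body and decode the JSON response.
    async fn request_with(
        &self,
        request: Request<()>,
        data: Option<bytes::Bytes>,
    ) -> Result<Value, Error> {
        let response = self.send_request(request, data).await?;
        response
            .map_err(Error::from)
            .and_then(Self::h2api_response)
            .await
    }

    /// Send a body-less `request` and decode the JSON response.
    async fn request(
        &self,
        request: Request<()>,
    ) -> Result<Value, Error> {
        self.request_with(request, None).await
    }

    /// Send `request`, streaming `data` as body when given, and resolve to
    /// the h2 response future once the request has been submitted.
    ///
    /// Without `data` the request is sent with `end_of_stream = true`.
    pub fn send_request(
        &self,
        request: Request<()>,
        data: Option<bytes::Bytes>,
    ) -> impl Future<Output = Result<h2::client::ResponseFuture, Error>> {

        self.h2.clone()
            .ready()
            .map_err(Error::from)
            .and_then(move |mut send_request| async move {
                match data {
                    Some(data) => {
                        // send_request fails e.g. when the stream limit is
                        // reached; propagate instead of panicking
                        let (response, stream) = send_request.send_request(request, false)?;
                        PipeToSendStream::new(data, stream).await?;
                        Ok(response)
                    }
                    None => {
                        let (response, _stream) = send_request.send_request(request, true)?;
                        Ok(response)
                    }
                }
            })
    }

    /// Read the whole h2 response body and decode it as JSON.
    ///
    /// A non-success status becomes `HTTP Error <status>: <body>`, an empty
    /// successful body yields `Value::Null`, and otherwise the `data`
    /// property of the JSON object is returned (its absence is an error).
    pub async fn h2api_response(
        response: Response<h2::RecvStream>,
    ) -> Result<Value, Error> {
        let status = response.status();

        let (_head, mut body) = response.into_parts();

        let mut data = Vec::new();
        while let Some(chunk) = body.data().await {
            let chunk = chunk?;
            // Whenever data is received, the caller is responsible for
            // releasing capacity back to the server once it has freed
            // the data from memory.
            // Let the server send more data.
            body.flow_control().release_capacity(chunk.len())?;
            data.extend(chunk);
        }

        // body is server-controlled; invalid UTF-8 is an error, not a panic
        let text = String::from_utf8(data)?;
        if !status.is_success() {
            bail!("HTTP Error {}: {}", status, text);
        }
        if text.is_empty() {
            return Ok(Value::Null);
        }

        let mut value: Value = serde_json::from_str(&text)?;
        match value.as_object_mut().and_then(|map| map.remove("data")) {
            Some(data) => Ok(data),
            None => bail!("got result without data property"),
        }
    }

    // Note: We always encode parameters with the url
    /// Build a body-less request against `https://<server>:8007/<path>`.
    ///
    /// `param` is always encoded into the query string; queries longer than
    /// 4096 bytes are rejected. `content_type` defaults to
    /// `application/x-www-form-urlencoded`.
    pub fn request_builder(
        server: &str,
        method: &str,
        path: &str,
        param: Option<Value>,
        content_type: Option<&str>,
    ) -> Result<Request<()>, Error> {
        let path = path.trim_matches('/');

        let content_type = content_type.unwrap_or("application/x-www-form-urlencoded");

        let url = match param {
            Some(param) => {
                let query = tools::json_object_to_query(param)?;
                // We detected problem with hyper around 6000 characters - so we try to keep on the safe side
                if query.len() > 4096 { bail!("h2 query data too large ({} bytes) - please encode data inside body", query.len()); }
                format!("https://{}:8007/{}?{}", server, path, query)
            }
            None => format!("https://{}:8007/{}", server, path),
        };
        let url: Uri = url.parse()?;

        let request = Request::builder()
            .method(method)
            .uri(url)
            .header("User-Agent", "proxmox-backup-client/1.0")
            .header(hyper::header::CONTENT_TYPE, content_type)
            .body(())?;

        Ok(request)
    }
}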
1434f4f8 | 862 | |
/// hyper connector that wraps plain TCP connections in TLS for `https` URIs.
///
/// Cloned for every `call`, hence the `Arc` around the (immutable) TLS
/// settings.
#[derive(Clone)]
pub struct HttpsConnector {
    /// underlying TCP connector (with `enforce_http` switched off)
    http: HttpConnector,
    /// TLS settings built in `HttpClient::new` (verify mode/callback)
    ssl_connector: std::sync::Arc<SslConnector>,
}
868 | ||
impl HttpsConnector {
    /// Combine a TCP connector with the TLS settings it should use.
    ///
    /// `enforce_http` is switched off on the inner connector so that
    /// `https://` destinations are accepted by it.
    pub fn with_connector(mut http: HttpConnector, ssl_connector: SslConnector) -> Self {
        http.enforce_http(false);
        let ssl_connector = Arc::new(ssl_connector);
        HttpsConnector { http, ssl_connector }
    }
}
879 | ||
/// Connection produced by `HttpsConnector`: `Left` is a plain TCP stream
/// (non-https URI), `Right` the TLS-wrapped stream.
type MaybeTlsStream = EitherStream<
    tokio::net::TcpStream,
    tokio_openssl::SslStream<tokio::net::TcpStream>,
>;
884 | ||
impl hyper::service::Service<Uri> for HttpsConnector {
    type Response = MaybeTlsStream;
    type Error = Error;
    type Future = std::pin::Pin<Box<
        dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static
    >>;

    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
        // This connector is always ready, but others might not be.
        Poll::Ready(Ok(()))
    }

    /// Open a TCP connection to `dst` and, for the `https` scheme, wrap it
    /// in TLS using the host name from the URI (SNI / hostname check).
    fn call(&mut self, dst: Uri) -> Self::Future {
        let mut connector = self.clone();
        async move {
            let scheme = dst
                .scheme()
                .ok_or_else(|| format_err!("missing URL scheme"))?;
            let use_tls = scheme == "https";
            let host = match dst.host() {
                Some(host) => host.to_string(),
                None => bail!("missing hostname in destination url?"),
            };

            // the TLS configuration result is only inspected once it is needed
            let config = connector.ssl_connector.configure();
            match connector.http.call(dst).await? {
                tcp if use_tls => {
                    let tls = tokio_openssl::connect(config?, &host, tcp).await?;
                    Ok(MaybeTlsStream::Right(tls))
                }
                tcp => Ok(MaybeTlsStream::Left(tcp)),
            }
        }.boxed()
    }
}