PMG/HTTPServer.pm

   1 package PMG::HTTPServer;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::SafeSyslog;
   7 use PVE::INotify;
   8 use PVE::Tools;
   9 use PVE::APIServer::AnyEvent;
  10 use PVE::Exception qw(raise_param_exc);
  11 use PVE::RESTEnvironment;
  12
  13 use PMG::Ticket;
  14 use PMG::Cluster;
  15 use PMG::API2;
  16
  17 use Data::Dumper;
  18
  19 use base('PVE::APIServer::AnyEvent');
  20
  21 use HTTP::Status qw(:constants);
  22
  23
  24 sub new {
  25     my ($this, %args) = @_;
  26
  27     my $class = ref($this) || $this;
  28
  29     my $self = $class->SUPER::new(%args);
  30
  31     $self->{rpcenv} = PVE::RESTEnvironment->init(
  32         $self->{trusted_env} ? 'priv' : 'pub', atfork =>  sub { $self->atfork_handler() });
  33
  34     return $self;
  35 }
  36
  37
  38 sub generate_csrf_prevention_token {
  39     my ($username) = @_;
  40
  41     return PMG::Ticket::assemble_csrf_prevention_token ($username);
  42 }
  43
  44 sub auth_handler {
  45     my ($self, $method, $rel_uri, $ticket, $token, $peer_host) = @_;
  46
  47     my $rpcenv = $self->{rpcenv};
  48
  49     # set environment variables
  50     $rpcenv->set_user(undef);
  51     $rpcenv->set_language('C');
  52     $rpcenv->set_client_ip($peer_host);
  53
  54     $rpcenv->init_request();
  55
  56     my $require_auth = 1;
  57
  58     # explicitly allow some calls without auth
  59     if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
  60         ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
  61         $require_auth = 0;
  62     }
  63
  64     my ($username, $age);
  65
  66     if ($require_auth) {
  67
  68         die "No ticket\n" if !$ticket;
  69
  70         ($username, $age) = PMG::Ticket::verify_ticket($ticket);
  71
  72         $rpcenv->set_user($username);
  73
  74         my $euid = $>;
  75         PMG::Ticket::verify_csrf_prevention_token($username, $token)
  76             if ($euid != 0) && ($method ne 'GET');
  77     }
  78
  79     return {
  80         ticket => $ticket,
  81         token => $token,
  82         userid => $username,
  83         age => $age,
  84         isUpload => 0,
  85     };
  86 }
  87
  88 sub rest_handler {
  89     my ($self, $clientip, $method, $rel_uri, $auth, $params) = @_;
  90
  91     my $rpcenv = $self->{rpcenv};
  92
  93     my $resp = {
  94         status => HTTP_NOT_IMPLEMENTED,
  95         message => "Method '$method $rel_uri' not implemented",
  96     };
  97
  98     my ($handler, $info);
  99
 100     eval {
 101         my $uri_param = {};
 102         ($handler, $info) = PMG::API2->find_handler($method, $rel_uri, $uri_param);
 103         return if !$handler || !$info;
 104
 105         foreach my $p (keys %{$params}) {
 106             if (defined($uri_param->{$p})) {
 107                 raise_param_exc({$p =>  "duplicate parameter (already defined in URI)"});
 108             }
 109             $uri_param->{$p} = $params->{$p};
 110         }
 111
 112         # check access permissions
 113         $rpcenv->check_api2_permissions($info->{permissions}, $auth->{userid}, $uri_param);
 114
 115         if ($info->{proxyto}) {
 116             my $pn = $info->{proxyto};
 117
 118             my $node;
 119             if ($pn eq 'master') {
 120                 $node = PMG::Cluster::get_master_node();
 121             } else {
 122                 $node = $uri_param->{$pn};
 123                 raise_param_exc({$pn =>  "proxy parameter '$pn' does not exists"}) if !$node;
 124             }
 125
 126             if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
 127                 die "unable to proxy file uploads" if $auth->{isUpload};
 128                 my $remip = $self->remote_node_ip($node);
 129                 $resp = { proxy => $remip, proxynode => $node, proxy_params => $params };
 130                 return;
 131             }
 132         }
 133
 134         my $euid = $>;
 135         if ($info->{protected} && ($euid != 0)) {
 136             $resp = { proxy => 'localhost' , proxy_params => $params };
 137             return;
 138         }
 139
 140         $resp = {
 141             data => $handler->handle($info, $uri_param),
 142             info => $info, # useful to format output
 143             status => HTTP_OK,
 144         };
 145
 146         if (my $count = $rpcenv->get_result_attrib('total')) {
 147             $resp->{total} = $count;
 148         }
 149
 150         if (my $diff = $rpcenv->get_result_attrib('changes')) {
 151             $resp->{changes} = $diff;
 152         }
 153     };
 154     my $err = $@;
 155
 156     $rpcenv->set_user(undef); # clear after request
 157
 158     if ($err) {
 159         $resp = { info => $info };
 160         if (ref($err) eq "PVE::Exception") {
 161             $resp->{status} = $err->{code} || HTTP_INTERNAL_SERVER_ERROR;
 162             $resp->{errors} = $err->{errors} if $err->{errors};
 163             $resp->{message} = $err->{msg};
 164         } else {
 165             $resp->{status} =  HTTP_INTERNAL_SERVER_ERROR;
 166             $resp->{message} = $err;
 167         }
 168     }
 169
 170     return $resp;
 171 }
 172
 173 sub check_cert_fingerprint {
 174     my ($self, $cert) = @_;
 175
 176     return PMG::Cluster::check_cert_fingerprint($cert);
 177 }
 178
 179 sub initialize_cert_cache {
 180     my ($self, $node) = @_;
 181
 182     PMG::Cluster::initialize_cert_cache($node);
 183 }
 184
 185 sub remote_node_ip {
 186     my ($self, $node) = @_;
 187
 188     my $remip = PMG::Cluster::remote_node_ip($node);
 189
 190     die "unable to get remote IP address for node '$node'\n" if !$remip;
 191
 192     return $remip;
 193 }
 194
 195 1;