12 use Crypt
::OpenSSL
::RSA
;
16 my $min_ticket_lifetime = -60*5; # allow 5 minutes time drift
17 my $max_ticket_lifetime = 60*60*2; # 2 hours
19 my $basedir = "/etc/pmg";
21 my $pmg_api_cert_fn = "$basedir/pmg-api.pem";
23 # this is just a secret accessable by all API servers
24 # and is used for CSRF prevention
25 my $pmg_csrf_key_fn = "$basedir/pmg-csrf.key";
27 my $authprivkeyfn = "$basedir/pmg-authkey.key";
28 my $authpubkeyfn = "$basedir/pmg-authkey.pub";
30 sub generate_api_cert
{
33 my $nodename = PVE
::INotify
::nodename
();
35 if (-f
$pmg_api_cert_fn) {
36 return $pmg_api_cert_fn if !$force;
37 unlink $pmg_api_cert_fn;
40 my $gid = getgrnam('www-data') ||
41 die "user www-data not in group file\n";
43 my $tmp_fn = "$pmg_api_cert_fn.tmp$$";
45 my $cmd = ['openssl', 'req', '-batch', '-x509', '-newkey', 'rsa:4096',
46 '-nodes', '-keyout', $tmp_fn, '-out', $tmp_fn,
47 '-subj', "/CN=$nodename/",
51 PMG
::Utils
::run_silent_cmd
($cmd);
52 chown(0, $gid, $tmp_fn) || die "chown failed - $!\n";
53 chmod(0640, $tmp_fn) || die "chmod failed - $!\n";
54 rename($tmp_fn, $pmg_api_cert_fn) || die "rename failed - $!\n";
58 die "unable to generate pmg api cert '$pmg_api_cert_fn':\n$err";
61 return $pmg_api_cert_fn;
64 sub generate_csrf_key
{
66 return if -f
$pmg_csrf_key_fn;
68 my $gid = getgrnam('www-data') ||
69 die "user www-data not in group file\n";
71 my $tmp_fn = "$pmg_csrf_key_fn.tmp$$";
72 my $cmd = ['openssl', 'genrsa', '-out', $tmp_fn, '2048'];
75 PMG
::Utils
::run_silent_cmd
($cmd);
76 chown(0, $gid, $tmp_fn) || die "chown failed - $!\n";
77 chmod(0640, $tmp_fn) || die "chmod failed - $!\n";
78 rename($tmp_fn, $pmg_csrf_key_fn) || die "rename failed - $!\n";
82 die "unable to generate pmg csrf key '$pmg_csrf_key_fn':\n$@";
85 return $pmg_csrf_key_fn;
88 sub generate_auth_key
{
90 return if -f
"$authprivkeyfn";
93 my $cmd = ['openssl', 'genrsa', '-out', $authprivkeyfn, '2048'];
94 PMG
::Utils
::run_silent_cmd
($cmd);
96 $cmd = ['openssl', 'rsa', '-in', $authprivkeyfn, '-pubout',
97 '-out', $authpubkeyfn];
98 PMG
::Utils
::run_silent_cmd
($cmd);
101 die "unable to generate pmg auth key:\n$@" if $@;
104 my $pve_auth_priv_key;
107 return $pve_auth_priv_key if $pve_auth_priv_key;
109 my $input = PVE
::Tools
::file_get_contents
($authprivkeyfn);
111 $pve_auth_priv_key = Crypt
::OpenSSL
::RSA-
>new_private_key($input);
113 return $pve_auth_priv_key;
116 my $pve_auth_pub_key;
119 return $pve_auth_pub_key if $pve_auth_pub_key;
121 my $input = PVE
::Tools
::file_get_contents
($authpubkeyfn);
123 $pve_auth_pub_key = Crypt
::OpenSSL
::RSA-
>new_public_key($input);
125 return $pve_auth_pub_key;
128 my $csrf_prevention_secret;
129 my $get_csrfr_secret = sub {
130 if (!$csrf_prevention_secret) {
131 my $input = PVE
::Tools
::file_get_contents
($pmg_csrf_key_fn);
132 $csrf_prevention_secret = Digest
::SHA
::sha1_base64
($input);
133 print "SECRET:$csrf_prevention_secret\n";
135 return $csrf_prevention_secret;
139 sub verify_csrf_prevention_token
{
140 my ($username, $token, $noerr) = @_;
142 my $secret = &$get_csrfr_secret();
144 return PVE
::Ticket
::verify_csrf_prevention_token
(
145 $secret, $username, $token, $min_ticket_lifetime,
146 $max_ticket_lifetime, $noerr);
149 sub assemble_csrf_prevention_token
{
152 my $secret = &$get_csrfr_secret();
154 return PVE
::Ticket
::assemble_csrf_prevention_token
($secret, $username);
157 sub assemble_ticket
{
160 my $rsa_priv = get_privkey
();
162 return PVE
::Ticket
::assemble_rsa_ticket
($rsa_priv, 'PMG', $username);
166 my ($ticket, $noerr) = @_;
168 my $rsa_pub = get_pubkey
();
170 return PVE
::Ticket
::verify_rsa_ticket
(
171 $rsa_pub, 'PMG', $ticket, undef,
172 $min_ticket_lifetime, $max_ticket_lifetime, $noerr);
176 # - they do not contain the username in plain text
177 # - they are restricted to a specific resource path (example: '/vms/100')
178 sub assemble_vnc_ticket
{
179 my ($username, $path) = @_;
181 my $rsa_priv = get_privkey
();
183 my $secret_data = "$username:$path";
185 return PVE
::Ticket
::assemble_rsa_ticket
(
186 $rsa_priv, 'PMGVNC', undef, $secret_data);
189 sub verify_vnc_ticket
{
190 my ($ticket, $username, $path, $noerr) = @_;
192 my $rsa_pub = get_pubkey
();
194 my $secret_data = "$username:$path";
196 return PVE
::Ticket
::verify_rsa_ticket
(
197 $rsa_pub, 'PMGVNC', $ticket, $secret_data, -20, 40, $noerr);