src/PMG/HTTPServer.pm

   1 package PMG::HTTPServer;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::SafeSyslog;
   7 use PVE::INotify;
   8 use PVE::Tools;
   9 use PVE::APIServer::AnyEvent;
  10 use PVE::Exception qw(raise_param_exc);
  11 use PMG::RESTEnvironment;
  12
  13 use PMG::Ticket;
  14 use PMG::Cluster;
  15 use PMG::API2;
  16
  17 use Data::Dumper;
  18
  19 use base('PVE::APIServer::AnyEvent');
  20
  21 use HTTP::Status qw(:constants);
  22
  23
  24 sub new {
  25     my ($this, %args) = @_;
  26
  27     my $class = ref($this) || $this;
  28
  29     my $self = $class->SUPER::new(%args);
  30
  31     $self->{rpcenv} = PMG::RESTEnvironment->init(
  32         $self->{trusted_env} ? 'priv' : 'pub', atfork =>  sub { $self->atfork_handler() });
  33
  34     return $self;
  35 }
  36
  37
  38 sub generate_csrf_prevention_token {
  39     my ($username) = @_;
  40
  41     return PMG::Ticket::assemble_csrf_prevention_token ($username);
  42 }
  43
  44 sub auth_handler {
  45     my ($self, $method, $rel_uri, $ticket, $token, $api_token, $peer_host) = @_;
  46
  47     my $rpcenv = $self->{rpcenv};
  48
  49     # set environment variables
  50     $rpcenv->set_user(undef);
  51     $rpcenv->set_role(undef);
  52     $rpcenv->set_language('C');
  53     $rpcenv->set_client_ip($peer_host);
  54
  55     $rpcenv->init_request();
  56
  57     my $require_auth = 1;
  58
  59     # explicitly allow some calls without auth
  60     if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
  61         ($rel_uri eq '/quarantine/sendlink' && ($method eq 'GET' || $method eq 'POST')) ||
  62         ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
  63         $require_auth = 0;
  64     }
  65
  66     my ($username, $age);
  67
  68     if ($require_auth) {
  69
  70         die "API tokens not implemented\n" if $api_token;
  71
  72         die "No ticket\n" if !$ticket;
  73
  74         if ($ticket =~ m/^PMGQUAR:/) {
  75             ($username, $age) = PMG::Ticket::verify_quarantine_ticket($ticket);
  76             $rpcenv->set_user($username);
  77             $rpcenv->set_role('quser');
  78         } else {
  79             ($username, $age, my $tfa) = PMG::Ticket::verify_ticket($ticket, undef, 0);
  80             # TFA tickets don't return a username, and return a tfa challenge, either is enough to
  81             # fail here:
  82             die "No ticket\n" if !$username || $tfa;
  83             my $role = PMG::AccessControl::check_user_enabled($self->{usercfg}, $username);
  84             $rpcenv->set_user($username);
  85             $rpcenv->set_role($role);
  86         }
  87
  88         $rpcenv->set_ticket($ticket);
  89
  90         my $euid = $>;
  91         PMG::Ticket::verify_csrf_prevention_token($username, $token)
  92             if ($euid != 0) && ($method ne 'GET');
  93     }
  94
  95     return {
  96         ticket => $ticket,
  97         token => $token,
  98         userid => $username,
  99         age => $age,
 100         isUpload => 0,
 101     };
 102 }
 103
 104 sub rest_handler {
 105     my ($self, $clientip, $method, $rel_uri, $auth, $params, $format) = @_;
 106
 107     my $rpcenv = $self->{rpcenv};
 108     $rpcenv->set_format($format);
 109
 110     my $resp = {
 111         status => HTTP_NOT_IMPLEMENTED,
 112         message => "Method '$method $rel_uri' not implemented",
 113     };
 114
 115     my ($handler, $info);
 116
 117     eval {
 118         my $uri_param = {};
 119         ($handler, $info) = PMG::API2->find_handler($method, $rel_uri, $uri_param);
 120         return if !$handler || !$info;
 121
 122         foreach my $p (keys %{$params}) {
 123             if (defined($uri_param->{$p})) {
 124                 raise_param_exc({$p =>  "duplicate parameter (already defined in URI)"});
 125             }
 126             $uri_param->{$p} = $params->{$p};
 127         }
 128
 129         # check access permissions
 130         $rpcenv->check_api2_permissions($info->{permissions}, $uri_param);
 131
 132         if (my $pn = $info->{proxyto}) {
 133
 134             my $node;
 135             if ($pn eq 'master') {
 136                 $node = PMG::Cluster::get_master_node();
 137             } else {
 138                 $node = $uri_param->{$pn};
 139                 raise_param_exc({$pn =>  "proxy parameter '$pn' does not exists"}) if !$node;
 140             }
 141
 142             if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
 143                 die "unable to proxy file uploads" if $auth->{isUpload};
 144                 my $remip = $self->remote_node_ip($node);
 145                 $resp = { proxy => $remip, proxynode => $node, proxy_params => $params };
 146                 return;
 147             }
 148         }
 149
 150         my $euid = $>;
 151         if ($info->{protected} && ($euid != 0)) {
 152             $resp = { proxy => 'localhost' , proxy_params => $params };
 153             return;
 154         }
 155
 156         if (my $pn = $info->{proxyto}) {
 157             if ($pn eq 'master') {
 158                 $rpcenv->check_node_is_master();
 159             }
 160         }
 161
 162
 163         my $result = $handler->handle($info, $uri_param);
 164
 165         $resp = {
 166             info => $info, # useful to format output
 167             status => HTTP_OK,
 168         };
 169
 170         if ($info->{download}) {
 171             my $type =  $info->{returns}->{type};
 172             if ($type eq 'string' || $type eq 'object') {
 173                 $resp->{download} = $result;
 174             } else {
 175                 die "API calls which trigger downloads need to have return type 'string' or 'object' - internal error"
 176             }
 177
 178         } else {
 179             $resp->{data} = $result;
 180         }
 181
 182         if (my $count = $rpcenv->get_result_attrib('total')) {
 183             $resp->{total} = $count;
 184         }
 185
 186         if (my $diff = $rpcenv->get_result_attrib('changes')) {
 187             $resp->{changes} = $diff;
 188         }
 189     };
 190     my $err = $@;
 191
 192     $rpcenv->set_user(undef); # clear after request
 193     $rpcenv->set_role(undef); # clear after request
 194     $rpcenv->set_format(undef); # clear after request
 195
 196     if ($err) {
 197         $resp = { info => $info };
 198         if (ref($err) eq "PVE::Exception") {
 199             $resp->{status} = $err->{code} || HTTP_INTERNAL_SERVER_ERROR;
 200             $resp->{errors} = $err->{errors} if $err->{errors};
 201             $resp->{message} = $err->{msg};
 202         } else {
 203             $resp->{status} =  HTTP_INTERNAL_SERVER_ERROR;
 204             $resp->{message} = $err;
 205         }
 206     }
 207
 208     return $resp;
 209 }
 210
 211 sub check_cert_fingerprint {
 212     my ($self, $cert) = @_;
 213
 214     return PMG::Cluster::check_cert_fingerprint($cert);
 215 }
 216
 217 sub initialize_cert_cache {
 218     my ($self, $node) = @_;
 219
 220     PMG::Cluster::initialize_cert_cache($node);
 221 }
 222
 223 sub remote_node_ip {
 224     my ($self, $node) = @_;
 225
 226     my $remip = PMG::Cluster::remote_node_ip($node);
 227
 228     die "unable to get remote IP address for node '$node'\n" if !$remip;
 229
 230     return $remip;
 231 }
 232
 233 1;