src/PMG/Ticket.pm

   1 package PMG::Ticket;
   2
   3 use strict;
   4 use warnings;
   5 use Net::SSLeay;
   6 use Digest::SHA;
   7
   8 use PVE::SafeSyslog;
   9 use PVE::Tools;
  10 use PVE::Ticket;
  11 use PVE::INotify;
  12
  13 use Crypt::OpenSSL::RSA;
  14
  15 use PMG::Utils;
  16 use PMG::Config;
  17
  18 my $min_ticket_lifetime = -60*5; # allow 5 minutes time drift
  19 my $max_ticket_lifetime = 60*60*2; # 2 hours
  20
  21 my $basedir = "/etc/pmg";
  22
  23 my $pmg_api_cert_fn = "$basedir/pmg-api.pem";
  24
  25 # this is just a secret accessible by all API servers
  26 # and is used for CSRF prevention
  27 my $pmg_csrf_key_fn = "$basedir/pmg-csrf.key";
  28
  29 my $authprivkeyfn = "$basedir/pmg-authkey.key";
  30 my $authpubkeyfn = "$basedir/pmg-authkey.pub";
  31
  32 sub generate_api_cert {
  33     my ($force) = @_;
  34
  35     my $nodename = PVE::INotify::nodename();
  36
  37     if (-f $pmg_api_cert_fn) {
  38         return $pmg_api_cert_fn if !$force;
  39         unlink $pmg_api_cert_fn;
  40     }
  41
  42     my $gid = getgrnam('www-data') ||
  43         die "user www-data not in group file\n";
  44
  45     my $tmp_fn = "$pmg_api_cert_fn.tmp$$";
  46
  47     my $cmd = ['openssl', 'req', '-batch', '-x509', '-newkey', 'rsa:4096',
  48                '-nodes', '-keyout', $tmp_fn, '-out', $tmp_fn,
  49                '-subj', "/CN=$nodename/",
  50                '-days', '3650'];
  51
  52     eval {
  53         PMG::Utils::run_silent_cmd($cmd);
  54         chown(0, $gid, $tmp_fn) || die "chown failed - $!\n";
  55         chmod(0640, $tmp_fn) || die "chmod failed - $!\n";
  56         rename($tmp_fn, $pmg_api_cert_fn) || die "rename failed - $!\n";
  57     };
  58     if (my $err = $@) {
  59         unlink $tmp_fn;
  60         die "unable to generate pmg api cert '$pmg_api_cert_fn':\n$err";
  61     }
  62
  63     return $pmg_api_cert_fn;
  64 }
  65
  66 sub generate_csrf_key {
  67
  68     return if -f $pmg_csrf_key_fn;
  69
  70     my $gid = getgrnam('www-data') ||
  71         die "user www-data not in group file\n";
  72
  73     my $tmp_fn = "$pmg_csrf_key_fn.tmp$$";
  74     my $cmd = ['openssl', 'genrsa', '-out', $tmp_fn, '2048'];
  75
  76     eval {
  77         PMG::Utils::run_silent_cmd($cmd);
  78         chown(0, $gid, $tmp_fn) || die "chown failed - $!\n";
  79         chmod(0640, $tmp_fn) || die "chmod failed - $!\n";
  80         rename($tmp_fn, $pmg_csrf_key_fn) || die "rename failed - $!\n";
  81     };
  82     if (my $err = $@) {
  83         unlink $tmp_fn;
  84         die "unable to generate pmg csrf key '$pmg_csrf_key_fn':\n$@";
  85     }
  86
  87     return $pmg_csrf_key_fn;
  88 }
  89
  90 sub generate_auth_key {
  91
  92     return if -f "$authprivkeyfn";
  93
  94     eval {
  95         my $cmd = ['openssl', 'genrsa', '-out', $authprivkeyfn, '2048'];
  96         PMG::Utils::run_silent_cmd($cmd);
  97
  98         $cmd = ['openssl', 'rsa', '-in', $authprivkeyfn, '-pubout',
  99                 '-out', $authpubkeyfn];
 100         PMG::Utils::run_silent_cmd($cmd);
 101     };
 102
 103     die "unable to generate pmg auth key:\n$@" if $@;
 104 }
 105
 106 my $read_rsa_priv_key = sub {
 107    my ($filename, $fh) = @_;
 108
 109    my $input = do { local $/ = undef; <$fh> };
 110
 111    return Crypt::OpenSSL::RSA->new_private_key($input);
 112
 113 };
 114
 115 PVE::INotify::register_file('auth_priv_key', $authprivkeyfn,
 116                             $read_rsa_priv_key, undef, undef,
 117                             noclone => 1);
 118
 119 my $read_rsa_pub_key = sub {
 120    my ($filename, $fh) = @_;
 121
 122    my $input = do { local $/ = undef; <$fh> };
 123
 124    return Crypt::OpenSSL::RSA->new_public_key($input);
 125 };
 126
 127 PVE::INotify::register_file('auth_pub_key', $authpubkeyfn,
 128                             $read_rsa_pub_key, undef, undef,
 129                             noclone => 1);
 130
 131 my $read_csrf_secret = sub {
 132    my ($filename, $fh) = @_;
 133
 134    my $input = do { local $/ = undef; <$fh> };
 135
 136    return Digest::SHA::hmac_sha256_base64($input);
 137 };
 138
 139 PVE::INotify::register_file('csrf_secret', $pmg_csrf_key_fn,
 140                             $read_csrf_secret, undef, undef,
 141                             noclone => 1);
 142
 143 sub verify_csrf_prevention_token {
 144     my ($username, $token, $noerr) = @_;
 145
 146     my $secret = PVE::INotify::read_file('csrf_secret');
 147
 148     return PVE::Ticket::verify_csrf_prevention_token(
 149         $secret, $username, $token, $min_ticket_lifetime,
 150         $max_ticket_lifetime, $noerr);
 151 }
 152
 153 sub assemble_csrf_prevention_token {
 154     my ($username) = @_;
 155
 156     my $secret = PVE::INotify::read_file('csrf_secret');
 157
 158     return PVE::Ticket::assemble_csrf_prevention_token ($secret, $username);
 159 }
 160
 161 sub assemble_ticket : prototype($;$) {
 162     my ($data, $aad) = @_;
 163
 164     my $rsa_priv = PVE::INotify::read_file('auth_priv_key');
 165
 166     return PVE::Ticket::assemble_rsa_ticket($rsa_priv, 'PMG', $data, $aad);
 167 }
 168
 169 # Returns (username, age, tfa-challenge) or just the username in scalar context.
 170 # Note that in scalar context, tfa tickets return `undef`.
 171 sub verify_ticket : prototype($$$) {
 172     my ($ticket, $aad, $noerr) = @_;
 173
 174     my $rsa_pub = PVE::INotify::read_file('auth_pub_key');
 175
 176     my $tfa_challenge;
 177     my ($data, $age) = PVE::Ticket::verify_rsa_ticket(
 178         $rsa_pub, 'PMG', $ticket, $aad,
 179         $min_ticket_lifetime, $max_ticket_lifetime, $noerr);
 180
 181     if ($noerr && !$data) {
 182         # if $noerr was set $data can be undef:
 183         return wantarray ? (undef, undef, undef) : undef;
 184     }
 185
 186
 187     if ($data =~ /^!tfa!(.*)$/) {
 188         return (undef, $age, $1) if wantarray;
 189         return undef if $noerr;
 190         die "second factor required\n";
 191     }
 192     return wantarray ? ($data, $age, undef) : $data;
 193 }
 194
 195 # VNC tickets
 196 # - they do not contain the username in plain text
 197 # - they are restricted to a specific resource path (example: '/vms/100')
 198 sub assemble_vnc_ticket {
 199     my ($username, $path) = @_;
 200
 201     my $rsa_priv = PVE::INotify::read_file('auth_priv_key');
 202
 203     my $secret_data = "$username:$path";
 204
 205     return PVE::Ticket::assemble_rsa_ticket(
 206         $rsa_priv, 'PMGVNC', undef, $secret_data);
 207 }
 208
 209 sub verify_vnc_ticket {
 210     my ($ticket, $username, $path, $noerr) = @_;
 211
 212     my $rsa_pub = PVE::INotify::read_file('auth_pub_key');
 213
 214     my $secret_data = "$username:$path";
 215
 216     return PVE::Ticket::verify_rsa_ticket(
 217         $rsa_pub, 'PMGVNC', $ticket, $secret_data, -20, 40, $noerr);
 218 }
 219
 220 # Note: we only encode $pmail into the ticket,
 221 # and add '@quarantine' in verify_quarantine_ticket()
 222 sub assemble_quarantine_ticket {
 223     my ($pmail) = @_;
 224
 225     my $rsa_priv = PVE::INotify::read_file('auth_priv_key');
 226
 227     return PVE::Ticket::assemble_rsa_ticket($rsa_priv, 'PMGQUAR', $pmail);
 228 }
 229
 230 my $quarantine_lifetime;
 231
 232 my $get_quarantine_lifetime = sub {
 233
 234     return $quarantine_lifetime if defined($quarantine_lifetime);
 235
 236     my $cfg = PMG::Config->new();
 237
 238     $quarantine_lifetime = $cfg->get('spamquar', 'lifetime');
 239
 240     return $quarantine_lifetime;
 241 };
 242
 243 sub verify_quarantine_ticket {
 244     my ($ticket, $noerr) = @_;
 245
 246     my $rsa_pub = PVE::INotify::read_file('auth_pub_key');
 247
 248     my $lifetime = $get_quarantine_lifetime->();
 249
 250     my ($username, $age) = PVE::Ticket::verify_rsa_ticket(
 251         $rsa_pub, 'PMGQUAR', $ticket, undef, -20, $lifetime*86400, $noerr);
 252
 253     $username = "$username\@quarantine" if defined($username);
 254
 255     return wantarray ? ($username, $age) : $username;
 256 }
 257
 258 1;