package PVE::APIServer::AnyEvent;
+# Note 1: interactions with Crypt::OpenSSL::RSA
+#
+# Some handlers (auth_handler) use Crypt::OpenSSL::RSA, which seems to
+# set the openssl error variable. We need to clear that here, else
+# AnyEvent::TLS aborts the connection.
+# Net::SSLeay::ERR_clear_error();
+
use strict;
use warnings;
use Time::HiRes qw(usleep ualarm gettimeofday tv_interval);
use Fcntl;
use IO::File;
use File::stat qw();
+use File::Find;
use MIME::Base64;
use Digest::MD5;
use Digest::SHA;
use AnyEvent::HTTP;
use Fcntl ();
use Compress::Zlib;
+use Encode;
use PVE::SafeSyslog;
use PVE::INotify;
use PVE::Tools;
my $limit_max_headers = 30;
my $limit_max_header_size = 8*1024;
-my $limit_max_post = 16*1024;
+my $limit_max_post = 64*1024;
my $known_methods = {
GET => 1,
my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-';
my $code = $loginfo->{code} || 500;
my $requestline = $loginfo->{requestline} || '-';
- my $timestr = strftime("%d/%b/%Y:%H:%M:%S %z", localtime());
+ my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime());
my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n";
sub finish_response {
my ($self, $reqstate) = @_;
- my $hdl = $reqstate->{hdl};
-
cleanup_reqstate($reqstate);
+ my $hdl = $reqstate->{hdl};
+ return if !$hdl; # already disconnected
+
if (!$self->{end_loop} && $reqstate->{keep_alive} > 0) {
# print "KEEPALIVE $reqstate->{keep_alive}\n" if $self->{debug};
$hdl->on_read(sub {
$res .= $content if $content;
$self->log_request($reqstate, $reqstate->{request});
-
+
if ($delay && $delay > 0) {
my $w; $w = AnyEvent->timer(after => $delay, cb => sub {
undef $w; # delete reference
css => { ct => 'text/css' },
html => { ct => 'text/html' },
js => { ct => 'application/javascript' },
+ json => { ct => 'application/json' },
png => { ct => 'image/png' , nocomp => 1 },
ico => { ct => 'image/x-icon', nocomp => 1},
gif => { ct => 'image/gif', nocomp => 1},
+ svg => { ct => 'image/svg+xml' },
jar => { ct => 'application/java-archive', nocomp => 1},
woff => { ct => 'application/font-woff', nocomp => 1},
woff2 => { ct => 'application/font-woff2', nocomp => 1},
ttf => { ct => 'application/font-snft', nocomp => 1},
pdf => { ct => 'application/pdf', nocomp => 1},
epub => { ct => 'application/epub+zip', nocomp => 1},
+ mp3 => { ct => 'audio/mpeg', nocomp => 1},
+ oga => { ct => 'audio/ogg', nocomp => 1},
};
sub send_file_start {
die "$!\n";
my $stat = File::stat::stat($fh) ||
die "$!\n";
-
+
my $mtime = $stat->mtime;
if (my $ifmod = $r->header('if-modified-since')) {
}
tcp_connect $remhost, $remport, sub {
- my ($fh) = @_
+ my ($fh) = @_
or die "connect to '$remhost:$remport' failed: $!";
-
+
print "$$: CONNECTed to '$remhost:$remport'\n" if $self->{debug};
$reqstate->{proxyhdl} = AnyEvent::Handle->new(
my $proxyhdlreader = sub {
my ($hdl) = @_;
-
+
my $len = length($hdl->{rbuf});
my $data = substr($hdl->{rbuf}, 0, $len, '');
if ($payload_len <= 125) {
$string .= pack 'C', $payload_len;
} elsif ($payload_len <= 0xffff) {
- $string .= pack 'C', 126;
+ $string .= pack 'C', 126;
$string .= pack 'n', $payload_len;
} else {
- $string .= pack 'C', 127;
+ $string .= pack 'C', 127;
$string .= pack 'Q>', $payload_len;
}
$string .= $payload;
$offset += 8;
}
- die "received too large websocket frame (len = $payload_len)\n"
+ die "received too large websocket frame (len = $payload_len)\n"
if ($payload_len > $max_payload_size) || ($payload_len < 0);
return if $len < ($offset + 4 + $payload_len);
my $data = substr($hdl->{rbuf}, 0, $len, ''); # now consume data
-
+
my @mask = (unpack('C', substr($data, $offset+0, 1)),
unpack('C', substr($data, $offset+1, 1)),
unpack('C', substr($data, $offset+2, 1)),
}
# return arrays as \0 separated strings (like CGI.pm)
+# assume data is UTF8 encoded
sub decode_urlencoded {
my ($data) = @_;
$v =~s/\+/ /g;
$v =~ s/%([0-9a-fA-F][0-9a-fA-F])/chr(hex($1))/eg;
+ $v = Encode::decode('utf8', $v);
+
if (defined(my $old = $res->{$k})) {
$res->{$k} = "$old\0$v";
} else {
$res->{$k} = $v;
- }
+ }
}
return $res;
}
$params->{$k} = $query_params->{$k};
}
- return PVE::Tools::decode_utf8_parameters($params);
+ return $params;
}
sub handle_api2_request {
my $formatter = PVE::APIServer::Formatter::get_formatter($format, $method, $rel_uri);
if (!defined($formatter)) {
- $self->error($reqstate, HTTP_NOT_IMPLEMENTED, "no such uri $rel_uri, $format");
+ $self->error($reqstate, HTTP_NOT_IMPLEMENTED, "no formatter for uri $rel_uri, $format");
return;
}
#print Dumper($upload_state) if $upload_state;
- my $rpcenv = $self->{rpcenv};
-
my $params;
if ($upload_state) {
my $clientip = $reqstate->{peer_host};
- $rpcenv->init_request();
+ my $res = $self->rest_handler($clientip, $method, $rel_uri, $auth, $params, $format);
- my $res = $self->rest_handler($clientip, $method, $rel_uri, $auth, $params);
+ # HACK: see Note 1
+ Net::SSLeay::ERR_clear_error();
AnyEvent->now_update(); # in case somebody called sleep()
- $rpcenv->set_user(undef); # clear after request
-
my $upgrade = $r->header('upgrade');
$upgrade = lc($upgrade) if $upgrade;
$delay = 0 if $delay < 0;
}
- my $csrfgen_func = $self->can('generate_csrf_prevention_token');
- my ($raw, $ct, $nocomp) = &$formatter($res, $res->{data}, $params, $path, $auth, $csrfgen_func);
+ if (defined(my $filename = $res->{download})) {
+ my $fh = IO::File->new($filename) ||
+ die "unable to open file '$filename' - $!\n";
+ send_file_start($self, $reqstate, $filename);
+ return;
+ }
+
+ my ($raw, $ct, $nocomp) = $formatter->($res, $res->{data}, $params, $path,
+ $auth, $self->{formatter_config});
my $resp;
if (ref($raw) && (ref($raw) eq 'HTTP::Response')) {
die "Port $spiceport is not allowed" if ($spiceport < 61000 || $spiceport > 61099);
- my $rpcenv = $self->{rpcenv};
- $rpcenv->init_request();
-
my $clientip = $reqstate->{peer_host};
my $r = $reqstate->{request};
my $remport = $remip ? 3128 : $spiceport;
tcp_connect $remhost, $remport, sub {
- my ($fh) = @_
+ my ($fh) = @_
or die "connect to '$remhost:$remport' failed: $!";
print "$$: CONNECTed to '$remhost:$remport'\n" if $self->{debug};
$reqstate->{proxyhdl}->push_write($header);
$reqstate->{proxyhdl}->push_read(line => sub {
my ($hdl, $line) = @_;
-
+
if ($line =~ m!^$proto 200 OK$!) {
&$startproxy();
} else {
eval {
my $r = $reqstate->{request};
-
+
# disable timeout on handle (we already have all data we need)
# we re-enable timeout in response()
$reqstate->{hdl}->timeout(0);
if (ref($handler) eq 'CODE') {
my $params = decode_urlencoded($r->url->query());
my ($resp, $userid) = &$handler($self, $reqstate->{request}, $params);
+ # HACK: see Note 1
+ Net::SSLeay::ERR_clear_error();
$self->response($reqstate, $resp);
} elsif (ref($handler) eq 'HASH') {
if (my $filename = $handler->{file}) {
}
}
- die "no such file '$path'";
+ die "no such file '$path'\n";
};
if (my $err = $@) {
$self->error($reqstate, 501, $err);
}
} else {
my $len = length($hdl->{rbuf});
- substr($hdl->{rbuf}, 0, $len - $rstate->{maxheader}, '')
+ substr($hdl->{rbuf}, 0, $len - $rstate->{maxheader}, '')
if $len > $rstate->{maxheader}; # skip garbage
}
} elsif ($rstate->{phase} == 1) { # inside file - dump until end marker
if ($hdl->{rbuf} =~ s/^(.*?)\015?\012(--\Q$boundary\E(--)? \015?\012(.*))$/$2/xs) {
my ($rest, $eof) = ($1, $3);
my $len = length($rest);
- die "write to temporary file failed - $!"
+ die "write to temporary file failed - $!"
if syswrite($rstate->{outfh}, $rest) != $len;
$rstate->{ctx}->add($rest);
$rstate->{params}->{filename} = $rstate->{filename};
my $wlen = $len - $rstate->{boundlen};
if ($wlen > 0) {
my $data = substr($hdl->{rbuf}, 0, $wlen, '');
- die "write to temporary file failed - $!"
+ die "write to temporary file failed - $!"
if syswrite($rstate->{outfh}, $data) != $wlen;
$rstate->{bytes} += $wlen;
$rstate->{ctx}->add($data);
$rstate->{phase} = -1; # skip
}
}
- } else { # skip
+ } else { # skip
my $len = length($hdl->{rbuf});
substr($hdl->{rbuf}, 0, $len, ''); # empty rbuf
}
$rstate->{read} += ($startlen - length($hdl->{rbuf}));
if (!$rstate->{done} && ($rstate->{read} + length($hdl->{rbuf})) >= $rstate->{size}) {
- $rstate->{done} = 1; # make sure we dont get called twice
+ $rstate->{done} = 1; # make sure we dont get called twice
if ($rstate->{phase} < 0 || !$rstate->{md5sum}) {
- die "upload failed\n";
+ die "upload failed\n";
} else {
my $elapsed = tv_interval($rstate->{starttime});
my $rate = int($rstate->{bytes}/($elapsed*1024*1024));
- syslog('info', "multipart upload complete " .
- "(size: %d time: %ds rate: %.2fMiB/s md5sum: $rstate->{md5sum})",
+ syslog('info', "multipart upload complete " .
+ "(size: %d time: %ds rate: %.2fMiB/s md5sum: $rstate->{md5sum})",
$rstate->{bytes}, $elapsed, $rate);
$self->handle_api2_request($reqstate, $auth, $method, $path, $rstate);
}
my ($ctype) = @_;
my ($ct, @params) = split(/\s*[;,]\s*/o, $ctype);
-
+
foreach my $v (@params) {
if ($v =~ m/^\s*boundary\s*=\s*(\S+?)\s*$/o) {
return wantarray ? ($ct, $1) : $ct;
}
}
-
+
return wantarray ? ($ct) : $ct;
}
$filename =~ s/^"(.*)"$/$1/;
}
}
-
+
return wantarray ? ($disp, $name, $filename) : $disp;
}
sub get_upload_filename {
# choose unpredictable tmpfile name
-
+
$tmpfile_seq_no++;
return "/var/tmp/pveupload-" . Digest::MD5::md5_hex($tmpfile_seq_no . time() . $$);
}
return;
}
- my $rpcenv = $self->{rpcenv};
- # set environment variables
- $rpcenv->set_user(undef);
- $rpcenv->set_language('C');
- $rpcenv->set_client_ip($reqstate->{peer_host});
-
eval {
- $auth = $self->auth_handler($method, $rel_uri, $ticket, $token);
+ $auth = $self->auth_handler($method, $rel_uri, $ticket, $token,
+ $reqstate->{peer_host});
};
if (my $err = $@) {
+ # HACK: see Note 1
+ Net::SSLeay::ERR_clear_error();
# always delay unauthorized calls by 3 seconds
my $delay = 3;
if (my $formatter = PVE::APIServer::Formatter::get_login_formatter($format)) {
- my ($raw, $ct, $nocomp) = &$formatter($path, $auth);
+ my ($raw, $ct, $nocomp) =
+ $formatter->($path, $auth, $self->{formatter_config});
my $resp;
if (ref($raw) && (ref($raw) eq 'HTTP::Response')) {
$resp = $raw;
$resp->header("Content-Type" => $ct);
$resp->content($raw);
}
- $self->response($reqstate, $resp, undef, $nocomp, 3);
+ $self->response($reqstate, $resp, undef, $nocomp, $delay);
} else {
my $resp = HTTP::Response->new(HTTP_UNAUTHORIZED, $err);
$self->response($reqstate, $resp, undef, 0, $delay);
my ($ct, $boundary) = parse_content_type($ctype) if $ctype;
if ($auth->{isUpload} && !$self->{trusted_env}) {
- die "upload 'Content-Type '$ctype' not implemented\n"
+ die "upload 'Content-Type '$ctype' not implemented\n"
if !($boundary && $ct && ($ct eq 'multipart/form-data'));
die "upload without content length header not supported" if !$len;
sub check_host_access {
my ($self, $clientip) = @_;
-
+
my $cip = Net::IP->new($clientip);
my $match_allow = 0;
my $class = ref($this) || $this;
- foreach my $req (qw(base_handler_class socket lockfh lockfile)) {
+ foreach my $req (qw(socket lockfh lockfile)) {
die "misssing required argument '$req'" if !defined($args{$req});
}
$self->{cookie_name} //= 'PVEAuthCookie';
$self->{base_uri} //= "/api2";
+ $self->{dirs} //= {};
+ $self->{title} //= 'API Inspector';
+
+ # formatter_config: we pass some configuration values to the Formatter
+ $self->{formatter_config} = {};
+ foreach my $p (qw(cookie_name base_uri title)) {
+ $self->{formatter_config}->{$p} = $self->{$p};
+ }
+ $self->{formatter_config}->{csrfgen_func} =
+ $self->can('generate_csrf_prevention_token');
+
+ # add default dirs which includes jquery and bootstrap
+ my $base = '/usr/share/libpve-http-server-perl';
+ add_dirs($self->{dirs}, '/css/' => "$base/css/");
+ add_dirs($self->{dirs}, '/js/' => "$base/js/");
+ add_dirs($self->{dirs}, '/fonts/' => "$base/fonts/");
# init inotify
PVE::INotify::inotify_init();
if ($self->{ssl}) {
$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
- # TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on
- # server and client availability from SSL_CTX_set1_curves.
- # that way other curves like 25519 can be used.
- # openssl 1.0.1 can only support 1 curve at a time.
- my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
- my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
- Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
- Net::SSLeay::EC_KEY_free($ecdh);
}
if ($self->{spiceproxy}) {
return $self;
}
+# static helper to add directory including all subdirs
+# This can be used to setup $self->{dirs}
+sub add_dirs {
+ my ($result_hash, $alias, $subdir) = @_;
+
+ $result_hash->{$alias} = $subdir;
+
+ my $wanted = sub {
+ my $dir = $File::Find::dir;
+ if ($dir =~m!^$subdir(.*)$!) {
+ my $name = "$alias$1/";
+ $result_hash->{$name} = "$dir/";
+ }
+ };
+
+ find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
+}
+
# abstract functions - subclass should overwrite/implement them
sub verify_spice_connect_url {
}
sub auth_handler {
- my ($self, $method, $rel_uri, $ticket, $token) = @_;
+ my ($self, $method, $rel_uri, $ticket, $token, $peer_host) = @_;
die "implement me";
# userid => $username,
# age => $age,
# isUpload => $isUpload,
- # cookie_name => $self->{cookie_name},
#};
}
sub rest_handler {
- my ($self, $clientip, $method, $rel_uri, $auth, $params) = @_;
+ my ($self, $clientip, $method, $rel_uri, $auth, $params, $format) = @_;
+
+ # please do not raise exceptions here (always return a result).
return {
status => HTTP_NOT_IMPLEMENTED,
message => "Method '$method $rel_uri' not implemented",
};
+
+ # this should return the following properties, which
+ # are then passed to the Formatter
+
+ # status: HTTP status code
+ # message: Error message
+ # errors: more detailed error hash (per parameter)
+ # info: reference to JSON schema definition - useful to format output
+ # data: result data
+
+ # total: additional info passed to output
+ # changes: additional info passed to output
+
+ # if you want to proxy the request to another node return this
+ # { proxy => $remip, proxynode => $node, proxy_params => $params };
+
+ # to pass the request to the local priviledged daemon use:
+ # { proxy => 'localhost' , proxy_params => $params };
+
+ # to download aspecific file use:
+ # { download => "/path/to/file" };
}
sub check_cert_fingerprint {