From 3ffb722d3c52477f8936427a5ad88bc2aa490093 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Thu, 27 Jun 2013 07:55:11 +0200
Subject: [PATCH] reuse host based access control code for spiceproxy

---
 PVE/APIDaemon.pm      | 35 +++++++++++++++++++++++++++++++
 bin/init.d/pveproxy   | 17 ---------------
 bin/init.d/spiceproxy | 17 ---------------
 bin/pveproxy          | 48 ++++++++-----------------------------------
 bin/spiceproxy        | 15 ++++++++++++++
 5 files changed, 59 insertions(+), 73 deletions(-)

diff --git a/PVE/APIDaemon.pm b/PVE/APIDaemon.pm
index 8435004a..8ed6568a 100755
--- a/PVE/APIDaemon.pm
+++ b/PVE/APIDaemon.pm
@@ -5,6 +5,7 @@ use warnings;
 use POSIX ":sys_wait_h";
 use Socket qw(IPPROTO_TCP TCP_NODELAY SOMAXCONN);
 use IO::Socket::INET;
+use Net::IP;
 
 use PVE::SafeSyslog;
 use PVE::HTTPServer;
@@ -191,4 +192,38 @@ sub start_server {
     }
 }
 
+sub read_proxy_config {
+
+    my $conffile = "/etc/default/pveproxy";
+
+    # Note: evaluate with bash 
+    my $shcmd = ". $conffile;\n";
+    $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
+    $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
+    $shcmd .= 'echo \"POLICY:\$POLICY\";';
+
+    my $data = `bash -c "$shcmd"`;
+
+    my $res = {};
+
+    while ($data =~ s/^(.*)\n//) {
+	my ($key, $value) = split(/:/, $1, 2);
+	if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
+	    my $ips = [];
+	    foreach my $ip (split(/,/, $value)) {
+		$ip = "0/0" if $ip eq 'all';
+		push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
+	    }
+	    $res->{$key} = $ips;
+	} elsif ($key eq 'POLICY') {
+	    die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
+	    $res->{$key} = $value;
+	} else {
+	    # silently skip everythin else?
+	}
+    }
+
+    return $res;
+}
+
 1;
diff --git a/bin/init.d/pveproxy b/bin/init.d/pveproxy
index 3565027c..c4954551 100755
--- a/bin/init.d/pveproxy
+++ b/bin/init.d/pveproxy
@@ -31,25 +31,8 @@ DAEMON_OPTS=""
 
 # Include defaults if available
 if [ -f /etc/default/$NAME ] ; then
-    ALLOW_FROM=""
-    DENY_FROM=""
-    POLICY=""
-
     . /etc/default/$NAME
-
-    if [ -n "$ALLOW_FROM" ] ; then
-	DAEMON_OPTS="${DAEMON_OPTS} --allow-from ${ALLOW_FROM}"
-    fi
-
-    if [ -n "$DENY_FROM" ] ; then
-	DAEMON_OPTS="${DAEMON_OPTS} --deny-from ${DENY_FROM}"
-    fi
-
-    if [ -n "$POLICY" ] ; then
-	DAEMON_OPTS="${DAEMON_OPTS} --policy $POLICY"
-    fi
 fi
-
  
 case "$1" in
 	start)
diff --git a/bin/init.d/spiceproxy b/bin/init.d/spiceproxy
index 160311a2..0747cdd3 100755
--- a/bin/init.d/spiceproxy
+++ b/bin/init.d/spiceproxy
@@ -31,25 +31,8 @@ DAEMON_OPTS=""
 
 # Include defaults if available
 if [ -f /etc/default/$NAME ] ; then
-    ALLOW_FROM=""
-    DENY_FROM=""
-    POLICY=""
-
     . /etc/default/$NAME
-
-    if [ -n "$ALLOW_FROM" ] ; then
-	DAEMON_OPTS="${DAEMON_OPTS} --allow-from ${ALLOW_FROM}"
-    fi
-
-    if [ -n "$DENY_FROM" ] ; then
-	DAEMON_OPTS="${DAEMON_OPTS} --deny-from ${DENY_FROM}"
-    fi
-
-    if [ -n "$POLICY" ] ; then
-	DAEMON_OPTS="${DAEMON_OPTS} --policy $POLICY"
-    fi
 fi
-
  
 case "$1" in
 	start)
diff --git a/bin/pveproxy b/bin/pveproxy
index 8238721d..a03c70e9 100755
--- a/bin/pveproxy
+++ b/bin/pveproxy
@@ -18,47 +18,16 @@ use URI;
 use URI::QueryParam;
 use File::Find;
 use Data::Dumper;
-use Net::IP;
 
 my $pidfile = "/var/run/pveproxy/pveproxy.pid";
 my $lockfile = "/var/lock/pveproxy.lck";
 
 my $opt_debug;
-my $opt_allow_from;
-my $opt_deny_from;
-my $opt_policy;
 
 initlog ('pveproxy');
 
-if (!GetOptions ('allow-from=s@' => \$opt_allow_from, 
-		 'deny-from=s@' => \$opt_deny_from,
-		 'policy=s' => \$opt_policy,
-		 'debug' => \$opt_debug)) {
-    die "usage: $0 [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]\n";
-}
-
-$opt_deny_from  = [ split(/,/, join(',', @$opt_deny_from)) ] if $opt_deny_from;
-$opt_allow_from  = [ split(/,/, join(',', @$opt_allow_from)) ] if $opt_allow_from;
-
-die "unknown policy '$opt_policy'\n" if $opt_policy && $opt_policy !~ m/^(allow|deny)$/;
-
-if ($opt_deny_from) {
-    my $ips = [];
-    foreach my $ip (@$opt_deny_from) {
-	$ip = "0/0" if $ip eq 'all';
-	push @$ips,  Net::IP->new($ip) || die Net::IP::Error() . "\n";
-    }
-
-    $opt_deny_from = $ips;
-}
-
-if ($opt_allow_from) {
-    my $ips = [];
-    foreach my $ip (@$opt_allow_from) {
-	$ip = "0/0" if $ip eq 'all';
-	push @$ips,  Net::IP->new($ip) || die Net::IP::Error() . "\n";
-    }
-    $opt_allow_from = $ips;
+if (!GetOptions ('debug' => \$opt_debug)) {
+    die "usage: $0 [--debug]\n";
 }
 
 $SIG{'__WARN__'} = sub {
@@ -81,6 +50,8 @@ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
 # just to be sure
 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
 
+my $proxyconf = PVE::APIDaemon::read_proxy_config();
+
 sub add_dirs {
     my ($result_hash, $alias, $subdir) = @_;
 
@@ -114,9 +85,9 @@ eval {
 	max_conn => 500,
 	max_requests => 1000,
 	debug => $opt_debug,
-	allow_from => $opt_allow_from,
-	deny_from => $opt_deny_from,
-	policy => $opt_policy,
+	allow_from => $proxyconf->{ALLOW_FROM},
+	deny_from => $proxyconf->{DENY_FROM},
+	policy => $proxyconf->{POLICY},
 	trusted_env => 0, # not trusted, anyone can connect
 	logfile => '/var/log/pveproxy/access.log',
 	lockfile => $lockfile,
@@ -286,7 +257,7 @@ pveproxy - the PVE API proxy server
 
 =head1 SYNOPSIS
 
-pveproxy [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]
+pveproxy [--debug]
 
 =head1 DESCRIPTION
 
@@ -297,8 +268,7 @@ as service using:
 
 =head1 Host based access control
 
-Options '--allow-from', '--deny-from' and '--policy' can be used to set up
-apache2 like access control. If started as service, those values are read 
+It is possible to configure apache2 like access control lists. Values are read 
 from file /etc/default/pveproxy. For example:
 
  ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
diff --git a/bin/spiceproxy b/bin/spiceproxy
index 4fec09b7..70af73b2 100755
--- a/bin/spiceproxy
+++ b/bin/spiceproxy
@@ -44,6 +44,9 @@ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
 # just to be sure
 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
 
+# we use same ALLOW/DENY/POLICY as pveproxy
+my $proxyconf = PVE::APIDaemon::read_proxy_config();
+
 my $cpid;
 my $daemon;
 eval {
@@ -56,6 +59,9 @@ eval {
 	debug => $opt_debug,
 	spiceproxy => 1,
 	logfile => '/var/log/pveproxy/access.log',
+	allow_from => $proxyconf->{ALLOW_FROM},
+	deny_from => $proxyconf->{DENY_FROM},
+	policy => $proxyconf->{POLICY},
     );
 };
 
@@ -129,6 +135,15 @@ spiceproxy [--debug]
 
 SPICE proxy server for Proxmox VE. Listens on port 3128.
 
+=head1 Host based access control
+
+It is possible to configure apache2 like access control lists. Values are read 
+from file /etc/default/pveproxy (see 'pveproxy' for details).
+
+=head1 FILES
+
+ /etc/default/pveproxy
+
 =head1 COPYRIGHT AND DISCLAIMER
 
  Copyright (C) 2007-2013 Proxmox Server Solutions GmbH
-- 
2.39.5