src/PMG/HTTPServer.pm

   1 package PMG::HTTPServer;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::SafeSyslog;
   7 use PVE::INotify;
   8 use PVE::Tools;
   9 use PVE::APIServer::AnyEvent;
  10 use PVE::Exception qw(raise_param_exc);
  11 use PMG::RESTEnvironment;
  12
  13 use PMG::Ticket;
  14 use PMG::Cluster;
  15 use PMG::API2;
  16
  17 use Data::Dumper;
  18
  19 use base('PVE::APIServer::AnyEvent');
  20
  21 use HTTP::Status qw(:constants);
  22
  23
  24 sub new {
  25     my ($this, %args) = @_;
  26
  27     my $class = ref($this) || $this;
  28
  29     my $self = $class->SUPER::new(%args);
  30
  31     $self->{rpcenv} = PMG::RESTEnvironment->init(
  32         $self->{trusted_env} ? 'priv' : 'pub', atfork =>  sub { $self->atfork_handler() });
  33
  34     return $self;
  35 }
  36
  37
  38 sub generate_csrf_prevention_token {
  39     my ($username) = @_;
  40
  41     return PMG::Ticket::assemble_csrf_prevention_token ($username);
  42 }
  43
  44 sub auth_handler {
  45     my ($self, $method, $rel_uri, $ticket, $token, $api_token, $peer_host) = @_;
  46
  47     my $rpcenv = $self->{rpcenv};
  48
  49     # set environment variables
  50     $rpcenv->set_user(undef);
  51     $rpcenv->set_role(undef);
  52     $rpcenv->set_language('C');
  53     $rpcenv->set_client_ip($peer_host);
  54
  55     $rpcenv->init_request();
  56
  57     my $require_auth = 1;
  58
  59     # explicitly allow some calls without auth
  60     if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
  61         ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
  62         $require_auth = 0;
  63     }
  64
  65     my ($username, $age);
  66
  67     if ($require_auth) {
  68
  69         die "API tokens not implemented\n" if $api_token;
  70
  71         die "No ticket\n" if !$ticket;
  72
  73         if ($ticket =~ m/^PMGQUAR:/) {
  74             ($username, $age) = PMG::Ticket::verify_quarantine_ticket($ticket);
  75             $rpcenv->set_user($username);
  76             $rpcenv->set_role('quser');
  77         } else {
  78             ($username, $age) = PMG::Ticket::verify_ticket($ticket);
  79             my $role = PMG::AccessControl::check_user_enabled($self->{usercfg}, $username);
  80             $rpcenv->set_user($username);
  81             $rpcenv->set_role($role);
  82         }
  83
  84         $rpcenv->set_ticket($ticket);
  85
  86         my $euid = $>;
  87         PMG::Ticket::verify_csrf_prevention_token($username, $token)
  88             if ($euid != 0) && ($method ne 'GET');
  89     }
  90
  91     return {
  92         ticket => $ticket,
  93         token => $token,
  94         userid => $username,
  95         age => $age,
  96         isUpload => 0,
  97     };
  98 }
  99
 100 sub rest_handler {
 101     my ($self, $clientip, $method, $rel_uri, $auth, $params, $format) = @_;
 102
 103     my $rpcenv = $self->{rpcenv};
 104     $rpcenv->set_format($format);
 105
 106     my $resp = {
 107         status => HTTP_NOT_IMPLEMENTED,
 108         message => "Method '$method $rel_uri' not implemented",
 109     };
 110
 111     my ($handler, $info);
 112
 113     eval {
 114         my $uri_param = {};
 115         ($handler, $info) = PMG::API2->find_handler($method, $rel_uri, $uri_param);
 116         return if !$handler || !$info;
 117
 118         foreach my $p (keys %{$params}) {
 119             if (defined($uri_param->{$p})) {
 120                 raise_param_exc({$p =>  "duplicate parameter (already defined in URI)"});
 121             }
 122             $uri_param->{$p} = $params->{$p};
 123         }
 124
 125         # check access permissions
 126         $rpcenv->check_api2_permissions($info->{permissions}, $uri_param);
 127
 128         if (my $pn = $info->{proxyto}) {
 129
 130             my $node;
 131             if ($pn eq 'master') {
 132                 $node = PMG::Cluster::get_master_node();
 133             } else {
 134                 $node = $uri_param->{$pn};
 135                 raise_param_exc({$pn =>  "proxy parameter '$pn' does not exists"}) if !$node;
 136             }
 137
 138             if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
 139                 die "unable to proxy file uploads" if $auth->{isUpload};
 140                 my $remip = $self->remote_node_ip($node);
 141                 $resp = { proxy => $remip, proxynode => $node, proxy_params => $params };
 142                 return;
 143             }
 144         }
 145
 146         my $euid = $>;
 147         if ($info->{protected} && ($euid != 0)) {
 148             $resp = { proxy => 'localhost' , proxy_params => $params };
 149             return;
 150         }
 151
 152         if (my $pn = $info->{proxyto}) {
 153             if ($pn eq 'master') {
 154                 $rpcenv->check_node_is_master();
 155             }
 156         }
 157
 158
 159         my $result = $handler->handle($info, $uri_param);
 160
 161         $resp = {
 162             info => $info, # useful to format output
 163             status => HTTP_OK,
 164         };
 165
 166         if ($info->{download}) {
 167             my $type =  $info->{returns}->{type};
 168             if ($type eq 'string' || $type eq 'object') {
 169                 $resp->{download} = $result;
 170             } else {
 171                 die "API calls which trigger downloads need to have return type 'string' or 'object' - internal error"
 172             }
 173
 174         } else {
 175             $resp->{data} = $result;
 176         }
 177
 178         if (my $count = $rpcenv->get_result_attrib('total')) {
 179             $resp->{total} = $count;
 180         }
 181
 182         if (my $diff = $rpcenv->get_result_attrib('changes')) {
 183             $resp->{changes} = $diff;
 184         }
 185     };
 186     my $err = $@;
 187
 188     $rpcenv->set_user(undef); # clear after request
 189     $rpcenv->set_role(undef); # clear after request
 190     $rpcenv->set_format(undef); # clear after request
 191
 192     if ($err) {
 193         $resp = { info => $info };
 194         if (ref($err) eq "PVE::Exception") {
 195             $resp->{status} = $err->{code} || HTTP_INTERNAL_SERVER_ERROR;
 196             $resp->{errors} = $err->{errors} if $err->{errors};
 197             $resp->{message} = $err->{msg};
 198         } else {
 199             $resp->{status} =  HTTP_INTERNAL_SERVER_ERROR;
 200             $resp->{message} = $err;
 201         }
 202     }
 203
 204     return $resp;
 205 }
 206
 207 sub check_cert_fingerprint {
 208     my ($self, $cert) = @_;
 209
 210     return PMG::Cluster::check_cert_fingerprint($cert);
 211 }
 212
 213 sub initialize_cert_cache {
 214     my ($self, $node) = @_;
 215
 216     PMG::Cluster::initialize_cert_cache($node);
 217 }
 218
 219 sub remote_node_ip {
 220     my ($self, $node) = @_;
 221
 222     my $remip = PMG::Cluster::remote_node_ip($node);
 223
 224     die "unable to get remote IP address for node '$node'\n" if !$remip;
 225
 226     return $remip;
 227 }
 228
 229 1;