X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=a745651f762cd21b52776ac2eedbe357daf4c165;hp=f0c37c7651a6eda6d51ced1bda18022d9ff63068;hb=cee5583b3dfff0b68dbb42a93ec90f4d4f1bd7b3;hpb=3f62bdbea65c55ad6465a512b624ecea2dddee9e diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index f0c37c7..a745651 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -1,9 +1,11 @@ package PVE::AccessControl; use strict; +use warnings; use Encode; use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; +use Net::SSLeay; use MIME::Base64; use Digest::SHA; use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print); @@ -237,7 +239,7 @@ sub assemble_spice_ticket { # Note: RSA signature are too long (>=256 charaters) and makes problems with remote-viewer my $secret = &$get_csrfr_secret(); - my $plain = "pvespiceproxy:$timestamp:$vmid:$node"; + my $plain = "pvespiceproxy:$timestamp:$vmid:" . lc($node); # produces 40 characters my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret())); @@ -276,6 +278,57 @@ sub verify_spice_connect_url { return undef; } +sub read_x509_subject_spice { + my ($filename) = @_; + + # read x509 subject + my $bio = Net::SSLeay::BIO_new_file($filename, 'r'); + my $x509 = Net::SSLeay::PEM_read_bio_X509($bio); + Net::SSLeay::BIO_free($bio); + my $nameobj = Net::SSLeay::X509_get_subject_name($x509); + my $subject = Net::SSLeay::X509_NAME_oneline($nameobj); + Net::SSLeay::X509_free($x509); + + # remote-viewer wants comma as seperator (not '/') + $subject =~ s!^/!!; + $subject =~ s!/(\w+=)!,$1!g; + + return $subject; +} + +# helper to generate SPICE remote-viewer configuration +sub remote_viewer_config { + my ($authuser, $vmid, $node, $proxy, $title, $port) = @_; + + if (!$proxy) { + my $host = `hostname -f` || PVE::INotify::nodename(); + chomp $host; + $proxy = $host; + } + + my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node); + + my $filename = "/etc/pve/local/pve-ssl.pem"; + my $subject = read_x509_subject_spice($filename); + + my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192); + $cacert =~ s/\n/\\n/g; + + my $config = { + type => 'spice', + title => $title, + host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject' + proxy => "http://$proxy:3128", + 'tls-port' => $port, + 'host-subject' => $subject, + ca => $cacert, + password => $ticket, + 'delete-this-file' => 1, + }; + + return ($ticket, $proxyticket, $config); +} + sub check_user_exist { my ($usercfg, $username, $noerr) = @_; @@ -305,6 +358,7 @@ sub check_user_enabled { } # password should be utf8 encoded +# Note: some pluging delay/sleep if auth fails sub authenticate_user { my ($username, $password) = @_; @@ -316,32 +370,19 @@ sub authenticate_user { my $usercfg = cfs_read_file('user.cfg'); - eval { check_user_enabled($usercfg, $username); }; - if (my $err = $@) { - sleep(2); - die $err; - } + check_user_enabled($usercfg, $username); my $ctime = time(); my $expire = $usercfg->{users}->{$username}->{expire}; - if ($expire && ($expire < $ctime)) { - sleep(2); - die "account expired\n" - } + die "account expired\n" if $expire && ($expire < $ctime); my $domain_cfg = cfs_read_file('domains.cfg'); - eval { - my $cfg = $domain_cfg->{ids}->{$realm}; - die "auth domain '$realm' does not exists\n" if !$cfg; - my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); - $plugin->authenticate_user($cfg, $realm, $ruid, $password); - }; - if (my $err = $@) { - sleep(2); # timeout after failed auth - die $err; - } + my $cfg = $domain_cfg->{ids}->{$realm}; + die "auth domain '$realm' does not exists\n" if !$cfg; + my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); + $plugin->authenticate_user($cfg, $realm, $ruid, $password); return $username; } @@ -554,7 +595,7 @@ sub normalize_path { $path = "/$path" if $path !~ m|^/|; - return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|; + return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|; return $path; }