X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=e3c5fa9ed84ead591333a989c599ac8624346863;hp=768703124594957b6d240fd2e5cb4429dd6b5171;hb=dc7573bf85d074c091e9cc193d0e1ff6cb776585;hpb=7b395f990d138c831589b202df6e61ee0999aab3

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 7687031..e3c5fa9 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1,9 +1,11 @@
 package PVE::AccessControl;
 
 use strict;
+use warnings;
 use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
+use Net::SSLeay;
 use MIME::Base64;
 use Digest::SHA;
 use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print);
@@ -213,6 +215,123 @@ sub verify_vnc_ticket {
     return undef;
 }
 
+sub assemble_spice_ticket {
+    my ($username, $vmid, $node) = @_;
+
+    my $rsa_priv = get_privkey();
+
+    my $timestamp = sprintf("%08x", time());
+
+    my $randomstr = "PVESPICE:$timestamp:$vmid:$node:" . rand(10);
+
+    # this should be uses as one-time password
+    # max length is 60 chars (spice limit)
+    # we pass this to qemu set_pasword and limit lifetime there
+    # keep this secret
+    my $ticket = Digest::SHA::sha1_hex($rsa_priv->sign($randomstr));
+
+    # Note: spice proxy connects with HTTP, so $proxyticket is exposed to public
+    # we use a signature/timestamp to make sure nobody can fake such ticket
+    # an attacker can use this $proxyticket, but he will fail because $ticket is
+    # private.
+    # The proxy need to be able to extract/verify the ticket
+    # Note: data needs to be lower case only, because virt-viewer needs that
+    # Note: RSA signature are too long (>=256 charaters) and makes problems with remote-viewer
+
+    my $secret = &$get_csrfr_secret();
+    my $plain = "pvespiceproxy:$timestamp:$vmid:" . lc($node);
+
+    # produces 40 characters
+    my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret()));
+
+    #my $sig =  unpack("H*", $rsa_priv->sign($plain)); # this produce too long strings (512)
+
+    my $proxyticket = $plain . "::" . $sig;
+
+    return ($ticket, $proxyticket);
+}
+
+sub verify_spice_connect_url {
+    my ($connect_str) = @_;
+
+    # Note: we pass the spice ticket as 'host', so the
+    # spice viewer connects with "$ticket:$port"
+
+    return undef if !$connect_str;
+
+    if ($connect_str =~m/^pvespiceproxy:([a-z0-9]{8}):(\d+):(\S+)::([a-z0-9]{40}):(\d+)$/) {
+	my ($timestamp, $vmid, $node, $hexsig, $port) = ($1, $2, $3, $4, $5, $6);
+	my $ttime = hex($timestamp);
+	my $age = time() - $ttime;
+
+	# use very limited lifetime - is this enough?
+	return undef if !(($age > -20) && ($age < 40));
+
+	my $plain = "pvespiceproxy:$timestamp:$vmid:$node";
+	my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret()));
+
+	if ($sig eq $hexsig) {
+	    return ($vmid, $node, $port);
+	} 
+    }
+
+    return undef;
+}
+
+sub read_x509_subject_spice {
+    my ($filename) = @_;
+
+    # read x509 subject
+    my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+    Net::SSLeay::BIO_free($bio);
+    my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
+    my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
+    Net::SSLeay::X509_free($x509);
+  
+    # remote-viewer wants comma as seperator (not '/')
+    $subject =~ s!^/!!;
+    $subject =~ s!/(\w+=)!,$1!g;
+
+    return $subject;
+}
+
+# helper to generate SPICE remote-viewer configuration
+sub remote_viewer_config {
+    my ($authuser, $vmid, $node, $proxy, $title, $port) = @_;
+
+    if (!$proxy) {
+	my $host = `hostname -f` || PVE::INotify::nodename();
+	chomp $host;
+	$proxy = $host;
+    }
+
+    my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node);
+
+    my $filename = "/etc/pve/local/pve-ssl.pem";
+    my $subject = read_x509_subject_spice($filename);
+
+    my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
+    $cacert =~ s/\n/\\n/g;
+    
+    my $config = {
+    'secure-attention' => "Ctrl+Alt+Ins",
+    'toggle-fullscreen' => "Shift+F11",
+    'release-cursor' => "Ctrl+Alt+R",
+	type => 'spice',
+	title => $title,
+	host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject'
+	proxy => "http://$proxy:3128",
+	'tls-port' => $port,
+	'host-subject' => $subject,
+	ca => $cacert,
+	password => $ticket,
+	'delete-this-file' => 1,
+    };
+
+    return ($ticket, $proxyticket, $config);
+}
+
 sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;
 
@@ -242,6 +361,7 @@ sub check_user_enabled {
 }
 
 # password should be utf8 encoded
+# Note: some pluging delay/sleep if auth fails
 sub authenticate_user {
     my ($username, $password) = @_;
 
@@ -253,32 +373,19 @@ sub authenticate_user {
 
     my $usercfg = cfs_read_file('user.cfg');
 
-    eval { check_user_enabled($usercfg, $username); };
-    if (my $err = $@) {
-	sleep(2);
-	die $err;
-    }
+    check_user_enabled($usercfg, $username);
 
     my $ctime = time();
     my $expire = $usercfg->{users}->{$username}->{expire};
 
-    if ($expire && ($expire < $ctime)) {
-	sleep(2);
-	die "account expired\n"
-    }
+    die "account expired\n" if $expire && ($expire < $ctime);
 
     my $domain_cfg = cfs_read_file('domains.cfg');
 
-    eval {
-	my $cfg = $domain_cfg->{ids}->{$realm};
-	die "auth domain '$realm' does not exists\n" if !$cfg;
-	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
-	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
-    };
-    if (my $err = $@) {
-	sleep(2); # timeout after failed auth
-	die $err;
-    }
+    my $cfg = $domain_cfg->{ids}->{$realm};
+    die "auth domain '$realm' does not exists\n" if !$cfg;
+    my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+    $plugin->authenticate_user($cfg, $realm, $ruid, $password);
 
     return $username;
 }
@@ -491,7 +598,7 @@ sub normalize_path {
 
     $path = "/$path" if $path !~ m|^/|;
 
-    return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|;
+    return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|;
 
     return $path;
 } 
@@ -959,4 +1066,36 @@ sub check_permissions {
     return 1;
 }
 
+sub add_vm_to_pool {
+    my ($vmid, $pool) = @_;
+
+    my $addVMtoPoolFn = sub {
+	my $usercfg = cfs_read_file("user.cfg");
+	if (my $data = $usercfg->{pools}->{$pool}) {
+	    $data->{vms}->{$vmid} = 1;
+	    $usercfg->{vms}->{$vmid} = $pool;
+	    cfs_write_file("user.cfg", $usercfg);
+	}
+    };
+
+    lock_user_config($addVMtoPoolFn, "can't add VM $vmid to pool '$pool'");
+}
+
+sub remove_vm_from_pool {
+    my ($vmid) = @_;
+    
+    my $delVMfromPoolFn = sub {
+	my $usercfg = cfs_read_file("user.cfg");
+	if (my $pool = $usercfg->{vms}->{$vmid}) {
+	    if (my $data = $usercfg->{pools}->{$pool}) {
+		delete $data->{vms}->{$vmid};
+		delete $usercfg->{vms}->{$vmid};
+		cfs_write_file("user.cfg", $usercfg);
+	    }
+	}
+    };
+
+    lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
+}
+
 1;