X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=e3c5fa9ed84ead591333a989c599ac8624346863;hp=bb109e38a660af2bb088861f275ccca25fd481bf;hb=dc7573bf85d074c091e9cc193d0e1ff6cb776585;hpb=7c410d63017604c5889ceb1ee00f7993b3b7c130 diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index bb109e3..e3c5fa9 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -5,6 +5,7 @@ use warnings; use Encode; use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; +use Net::SSLeay; use MIME::Base64; use Digest::SHA; use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print); @@ -238,7 +239,7 @@ sub assemble_spice_ticket { # Note: RSA signature are too long (>=256 charaters) and makes problems with remote-viewer my $secret = &$get_csrfr_secret(); - my $plain = "pvespiceproxy:$timestamp:$vmid:$node"; + my $plain = "pvespiceproxy:$timestamp:$vmid:" . lc($node); # produces 40 characters my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret())); @@ -277,6 +278,60 @@ sub verify_spice_connect_url { return undef; } +sub read_x509_subject_spice { + my ($filename) = @_; + + # read x509 subject + my $bio = Net::SSLeay::BIO_new_file($filename, 'r'); + my $x509 = Net::SSLeay::PEM_read_bio_X509($bio); + Net::SSLeay::BIO_free($bio); + my $nameobj = Net::SSLeay::X509_get_subject_name($x509); + my $subject = Net::SSLeay::X509_NAME_oneline($nameobj); + Net::SSLeay::X509_free($x509); + + # remote-viewer wants comma as seperator (not '/') + $subject =~ s!^/!!; + $subject =~ s!/(\w+=)!,$1!g; + + return $subject; +} + +# helper to generate SPICE remote-viewer configuration +sub remote_viewer_config { + my ($authuser, $vmid, $node, $proxy, $title, $port) = @_; + + if (!$proxy) { + my $host = `hostname -f` || PVE::INotify::nodename(); + chomp $host; + $proxy = $host; + } + + my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node); + + my $filename = "/etc/pve/local/pve-ssl.pem"; + my $subject = read_x509_subject_spice($filename); + + my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192); + $cacert =~ s/\n/\\n/g; + + my $config = { + 'secure-attention' => "Ctrl+Alt+Ins", + 'toggle-fullscreen' => "Shift+F11", + 'release-cursor' => "Ctrl+Alt+R", + type => 'spice', + title => $title, + host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject' + proxy => "http://$proxy:3128", + 'tls-port' => $port, + 'host-subject' => $subject, + ca => $cacert, + password => $ticket, + 'delete-this-file' => 1, + }; + + return ($ticket, $proxyticket, $config); +} + sub check_user_exist { my ($usercfg, $username, $noerr) = @_; @@ -306,6 +361,7 @@ sub check_user_enabled { } # password should be utf8 encoded +# Note: some pluging delay/sleep if auth fails sub authenticate_user { my ($username, $password) = @_; @@ -317,32 +373,19 @@ sub authenticate_user { my $usercfg = cfs_read_file('user.cfg'); - eval { check_user_enabled($usercfg, $username); }; - if (my $err = $@) { - sleep(2); - die $err; - } + check_user_enabled($usercfg, $username); my $ctime = time(); my $expire = $usercfg->{users}->{$username}->{expire}; - if ($expire && ($expire < $ctime)) { - sleep(2); - die "account expired\n" - } + die "account expired\n" if $expire && ($expire < $ctime); my $domain_cfg = cfs_read_file('domains.cfg'); - eval { - my $cfg = $domain_cfg->{ids}->{$realm}; - die "auth domain '$realm' does not exists\n" if !$cfg; - my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); - $plugin->authenticate_user($cfg, $realm, $ruid, $password); - }; - if (my $err = $@) { - sleep(2); # timeout after failed auth - die $err; - } + my $cfg = $domain_cfg->{ids}->{$realm}; + die "auth domain '$realm' does not exists\n" if !$cfg; + my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); + $plugin->authenticate_user($cfg, $realm, $ruid, $password); return $username; } @@ -555,7 +598,7 @@ sub normalize_path { $path = "/$path" if $path !~ m|^/|; - return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|; + return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|; return $path; }