X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=f03f6b5bba4e67fbb6f2a90d9210d62e344f37be;hp=768703124594957b6d240fd2e5cb4429dd6b5171;hb=e4f8fc2e7e5f31691629a5361000636f8a2b2398;hpb=7b395f990d138c831589b202df6e61ee0999aab3

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 7687031..f03f6b5 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1,6 +1,7 @@
 package PVE::AccessControl;
 
 use strict;
+use warnings;
 use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
@@ -213,6 +214,69 @@ sub verify_vnc_ticket {
     return undef;
 }
 
+sub assemble_spice_ticket {
+    my ($username, $vmid, $node) = @_;
+
+    my $rsa_priv = get_privkey();
+
+    my $timestamp = sprintf("%08x", time());
+
+    my $randomstr = "PVESPICE:$timestamp:$vmid:$node:" . rand(10);
+
+    # this should be uses as one-time password
+    # max length is 60 chars (spice limit)
+    # we pass this to qemu set_pasword and limit lifetime there
+    # keep this secret
+    my $ticket = Digest::SHA::sha1_hex($rsa_priv->sign($randomstr));
+
+    # Note: spice proxy connects with HTTP, so $proxyticket is exposed to public
+    # we use a signature/timestamp to make sure nobody can fake such ticket
+    # an attacker can use this $proxyticket, but he will fail because $ticket is
+    # private.
+    # The proxy need to be able to extract/verify the ticket
+    # Note: data needs to be lower case only, because virt-viewer needs that
+    # Note: RSA signature are too long (>=256 charaters) and makes problems with remote-viewer
+
+    my $secret = &$get_csrfr_secret();
+    my $plain = "pvespiceproxy:$timestamp:$vmid:" . lc($node);
+
+    # produces 40 characters
+    my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret()));
+
+    #my $sig =  unpack("H*", $rsa_priv->sign($plain)); # this produce too long strings (512)
+
+    my $proxyticket = $plain . "::" . $sig;
+
+    return ($ticket, $proxyticket);
+}
+
+sub verify_spice_connect_url {
+    my ($connect_str) = @_;
+
+    # Note: we pass the spice ticket as 'host', so the
+    # spice viewer connects with "$ticket:$port"
+
+    return undef if !$connect_str;
+
+    if ($connect_str =~m/^pvespiceproxy:([a-z0-9]{8}):(\d+):(\S+)::([a-z0-9]{40}):(\d+)$/) {
+	my ($timestamp, $vmid, $node, $hexsig, $port) = ($1, $2, $3, $4, $5, $6);
+	my $ttime = hex($timestamp);
+	my $age = time() - $ttime;
+
+	# use very limited lifetime - is this enough?
+	return undef if !(($age > -20) && ($age < 40));
+
+	my $plain = "pvespiceproxy:$timestamp:$vmid:$node";
+	my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret()));
+
+	if ($sig eq $hexsig) {
+	    return ($vmid, $node, $port);
+	} 
+    }
+
+    return undef;
+}
+
 sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;
 
@@ -242,6 +306,7 @@ sub check_user_enabled {
 }
 
 # password should be utf8 encoded
+# Note: some pluging delay/sleep if auth fails
 sub authenticate_user {
     my ($username, $password) = @_;
 
@@ -253,32 +318,19 @@ sub authenticate_user {
 
     my $usercfg = cfs_read_file('user.cfg');
 
-    eval { check_user_enabled($usercfg, $username); };
-    if (my $err = $@) {
-	sleep(2);
-	die $err;
-    }
+    check_user_enabled($usercfg, $username);
 
     my $ctime = time();
     my $expire = $usercfg->{users}->{$username}->{expire};
 
-    if ($expire && ($expire < $ctime)) {
-	sleep(2);
-	die "account expired\n"
-    }
+    die "account expired\n" if $expire && ($expire < $ctime);
 
     my $domain_cfg = cfs_read_file('domains.cfg');
 
-    eval {
-	my $cfg = $domain_cfg->{ids}->{$realm};
-	die "auth domain '$realm' does not exists\n" if !$cfg;
-	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
-	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
-    };
-    if (my $err = $@) {
-	sleep(2); # timeout after failed auth
-	die $err;
-    }
+    my $cfg = $domain_cfg->{ids}->{$realm};
+    die "auth domain '$realm' does not exists\n" if !$cfg;
+    my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+    $plugin->authenticate_user($cfg, $realm, $ruid, $password);
 
     return $username;
 }
@@ -491,7 +543,7 @@ sub normalize_path {
 
     $path = "/$path" if $path !~ m|^/|;
 
-    return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|;
+    return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|;
 
     return $path;
 } 
@@ -959,4 +1011,36 @@ sub check_permissions {
     return 1;
 }
 
+sub add_vm_to_pool {
+    my ($vmid, $pool) = @_;
+
+    my $addVMtoPoolFn = sub {
+	my $usercfg = cfs_read_file("user.cfg");
+	if (my $data = $usercfg->{pools}->{$pool}) {
+	    $data->{vms}->{$vmid} = 1;
+	    $usercfg->{vms}->{$vmid} = $pool;
+	    cfs_write_file("user.cfg", $usercfg);
+	}
+    };
+
+    lock_user_config($addVMtoPoolFn, "can't add VM $vmid to pool '$pool'");
+}
+
+sub remove_vm_from_pool {
+    my ($vmid) = @_;
+    
+    my $delVMfromPoolFn = sub {
+	my $usercfg = cfs_read_file("user.cfg");
+	if (my $pool = $usercfg->{vms}->{$vmid}) {
+	    if (my $data = $usercfg->{pools}->{$pool}) {
+		delete $data->{vms}->{$vmid};
+		delete $usercfg->{vms}->{$vmid};
+		cfs_write_file("user.cfg", $usercfg);
+	    }
+	}
+    };
+
+    lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
+}
+
 1;