X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=f41d7ffcdee6221649ea8bd595a4308761732483;hp=44299ce07c634d3f407e8f74cbde2e2bd1d87228;hb=63691fc66a15c2ab3b4c20df35354812ca46aae8;hpb=23b35225d312cb3a168bdcf2696623d2748b0a26 diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 44299ce..f41d7ff 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -1,11 +1,12 @@ package PVE::AccessControl; use strict; +use warnings; use Encode; use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; +use Net::SSLeay; use MIME::Base64; -use MIME::Base32 qw( RFC ); use Digest::SHA; use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print); use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); @@ -215,20 +216,120 @@ sub verify_vnc_ticket { } sub assemble_spice_ticket { - my ($username, $path) = @_; + my ($username, $vmid, $node) = @_; my $rsa_priv = get_privkey(); - my $timestamp = sprintf("%08X", time()); + my $timestamp = sprintf("%08x", time()); - my $plain = "PVESPICE:$timestamp"; + my $randomstr = "PVESPICE:$timestamp:$vmid:$node:" . rand(10); - $path = normalize_path($path); + # this should be uses as one-time password + # max length is 60 chars (spice limit) + # we pass this to qemu set_pasword and limit lifetime there + # keep this secret + my $ticket = Digest::SHA::sha1_hex($rsa_priv->sign($randomstr)); - my $full = "$plain:$path"; + # Note: spice proxy connects with HTTP, so $proxyticket is exposed to public + # we use a signature/timestamp to make sure nobody can fake such ticket + # an attacker can use this $proxyticket, but he will fail because $ticket is + # private. + # The proxy need to be able to extract/verify the ticket + # Note: data needs to be lower case only, because virt-viewer needs that + # Note: RSA signature are too long (>=256 charaters) and makes problems with remote-viewer - my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), ''); - return MIME::Base32::encode($ticket."::".$full); + my $secret = &$get_csrfr_secret(); + my $plain = "pvespiceproxy:$timestamp:$vmid:" . lc($node); + + # produces 40 characters + my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret())); + + #my $sig = unpack("H*", $rsa_priv->sign($plain)); # this produce too long strings (512) + + my $proxyticket = $plain . "::" . $sig; + + return ($ticket, $proxyticket); +} + +sub verify_spice_connect_url { + my ($connect_str) = @_; + + # Note: we pass the spice ticket as 'host', so the + # spice viewer connects with "$ticket:$port" + + return undef if !$connect_str; + + if ($connect_str =~m/^pvespiceproxy:([a-z0-9]{8}):(\d+):(\S+)::([a-z0-9]{40}):(\d+)$/) { + my ($timestamp, $vmid, $node, $hexsig, $port) = ($1, $2, $3, $4, $5, $6); + my $ttime = hex($timestamp); + my $age = time() - $ttime; + + # use very limited lifetime - is this enough? + return undef if !(($age > -20) && ($age < 40)); + + my $plain = "pvespiceproxy:$timestamp:$vmid:$node"; + my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret())); + + if ($sig eq $hexsig) { + return ($vmid, $node, $port); + } + } + + return undef; +} + +sub read_x509_subject_spice { + my ($filename) = @_; + + # read x509 subject + my $bio = Net::SSLeay::BIO_new_file($filename, 'r'); + my $x509 = Net::SSLeay::PEM_read_bio_X509($bio); + Net::SSLeay::BIO_free($bio); + my $nameobj = Net::SSLeay::X509_get_subject_name($x509); + my $subject = Net::SSLeay::X509_NAME_oneline($nameobj); + Net::SSLeay::X509_free($x509); + + # remote-viewer wants comma as seperator (not '/') + $subject =~ s!^/!!; + $subject =~ s!/(\w+=)!,$1!g; + + return $subject; +} + +# helper to generate SPICE remote-viewer configuration +sub remote_viewer_config { + my ($authuser, $vmid, $node, $proxy, $title, $port) = @_; + + if (!$proxy) { + my $host = `hostname -f` || PVE::INotify::nodename(); + chomp $host; + $proxy = $host; + } + + my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node); + + my $filename = "/etc/pve/local/pve-ssl.pem"; + my $subject = read_x509_subject_spice($filename); + + my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192); + $cacert =~ s/\n/\\n/g; + + my $config = { + 'secure-attention' => "Ctrl+Alt+Ins", + 'toggle-fullscreen' => "Shift+F11", + 'release-cursor' => "Ctrl+Alt+R", + type => 'spice', + title => $title, + host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject' + proxy => "http://$proxy:3128", + 'tls-port' => $port, + 'host-subject' => $subject, + ca => $cacert, + password => $ticket, + 'delete-this-file' => 1, + }; + + return ($ticket, $proxyticket, $config); } sub check_user_exist { @@ -260,6 +361,7 @@ sub check_user_enabled { } # password should be utf8 encoded +# Note: some pluging delay/sleep if auth fails sub authenticate_user { my ($username, $password) = @_; @@ -271,32 +373,19 @@ sub authenticate_user { my $usercfg = cfs_read_file('user.cfg'); - eval { check_user_enabled($usercfg, $username); }; - if (my $err = $@) { - sleep(2); - die $err; - } + check_user_enabled($usercfg, $username); my $ctime = time(); my $expire = $usercfg->{users}->{$username}->{expire}; - if ($expire && ($expire < $ctime)) { - sleep(2); - die "account expired\n" - } + die "account expired\n" if $expire && ($expire < $ctime); my $domain_cfg = cfs_read_file('domains.cfg'); - eval { - my $cfg = $domain_cfg->{ids}->{$realm}; - die "auth domain '$realm' does not exists\n" if !$cfg; - my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); - $plugin->authenticate_user($cfg, $realm, $ruid, $password); - }; - if (my $err = $@) { - sleep(2); # timeout after failed auth - die $err; - } + my $cfg = $domain_cfg->{ids}->{$realm}; + die "auth domain '$realm' does not exists\n" if !$cfg; + my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); + $plugin->authenticate_user($cfg, $realm, $ruid, $password); return $username; } @@ -509,7 +598,7 @@ sub normalize_path { $path = "/$path" if $path !~ m|^/|; - return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|; + return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|; return $path; }