[pve-apiclient.git] / PVE / APIClient / LWP.pm

package PVE::APIClient::LWP;

use strict;
use warnings;

use Carp;
use HTTP::Request::Common;
use IO::Socket::SSL; # important for SSL_verify_callback
use JSON;
use LWP::UserAgent;
use Net::SSLeay;
use URI::Escape;
use URI;

use PVE::APIClient::Exception qw(raise);

my $extract_data = sub {
    my ($res) = @_;

    croak "undefined result" if !defined($res);
    croak "undefined result data" if !exists($res->{data});

    return $res->{data};
};

sub get_raw {
    my ($self, $path, $param) = @_;

    return $self->call('GET', $path, $param);
}

sub get {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('GET', $path, $param));
}

sub post_raw {
    my ($self, $path, $param) = @_;

    return $self->call('POST', $path, $param);
}

sub post {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('POST', $path, $param));
}

sub put_raw {
    my ($self, $path, $param) = @_;

    return $self->call('PUT', $path, $param);
}

sub put {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('PUT', $path, $param));
}

sub delete_raw {
    my ($self, $path, $param) = @_;

    return $self->call('DELETE', $path, $param);
}

sub delete {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('DELETE', $path, $param));
}

sub update_csrftoken {
    my ($self, $csrftoken) = @_;

    $self->{csrftoken} = $csrftoken;

    my $agent = $self->{useragent};

    $agent->default_header('CSRFPreventionToken', $self->{csrftoken});
}

sub update_ticket {
    my ($self, $ticket) = @_;

    my $agent = $self->{useragent};

    $self->{ticket} = $ticket;

    my $encticket = uri_escape($ticket);
    my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
    $agent->default_header('Cookie', $cookie);
}

sub two_factor_auth_login {
    my ($self, $type, $challenge) = @_;

    if ($type eq 'PVE:tfa') {
	raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
	print "\nEnter OTP code for user $self->{username}: ";
	my $tfa_response = <STDIN>;
	chomp $tfa_response;
	return $self->post('/api2/json/access/tfa', {response => $tfa_response});
    } elsif ($type eq 'PVE:u2f') {
	# TODO: implement u2f-enabled join
	raise("U2F-enabled login is currently not implemented.");
    } else {
	raise("Authentication type '$type' not recognized, aborting!");
    }
}

sub login {
    my ($self) = @_;

    my $uri = URI->new();
    $uri->scheme($self->{protocol});
    $uri->host($self->{host});
    $uri->port($self->{port});
    $uri->path('/api2/json/access/ticket');

    my $ua = $self->{useragent};
    my $username = $self->{username} // 'unknown',

    delete $self->{fingerprint}->{last_unknown};

    my $exec_login = sub {
	return $ua->post($uri, {
	    username => $username,
	    password => $self->{password} || ''});
    };

    my $response = $exec_login->();

    if (!$response->is_success) {
	if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
	    if ($self->manual_verify_fingerprint($fp)) {
		$response = $exec_login->(); # try again
	    }
	}
    }

    if (!$response->is_success) {
	raise($response->status_line ."\n", code => $response->code)
    }

    my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});

    my $data = $extract_data->($res);
    $self->update_ticket($data->{ticket});
    $self->update_csrftoken($data->{CSRFPreventionToken});

    # handle two-factor login
    my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
    if ($data->{ticket} =~ m/$tfa_ticket_re/) {
	my ($type, $challenge) = ($1, $2);
	$data = $self->two_factor_auth_login($type, $challenge);
	$self->update_ticket($data->{ticket});
    }

    return $data;
}

sub manual_verify_fingerprint {
    my ($self, $fingerprint) = @_;

    if (!$self->{manual_verification}) {
	raise("fingerprint '$fingerprint' not verified, abort!\n");
    }

    print "The authenticity of host '$self->{host}' can't be established.\n" .
	"X509 SHA256 key fingerprint is $fingerprint.\n" .
	"Are you sure you want to continue connecting (yes/no)? ";

    my $answer = <STDIN>;

    my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0;

    $self->{fingerprint}->{cache}->{$fingerprint} = $valid;

    raise("Fingerprint not verified, abort!\n") if !$valid;

    if (my $cb = $self->{register_fingerprint_cb}) {
	$cb->($fingerprint) if $valid;
    }

    return $valid;
}

sub call {
    my ($self, $method, $path, $param) = @_;

    delete $self->{fingerprint}->{last_unknown};

    my $ticket = $self->{ticket};
    my $apitoken = $self->{apitoken};

    my $ua = $self->{useragent};

    # fixme: check ticket lifetime?

    if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
	$self->login();
    }

    my $uri = URI->new();
    $uri->scheme($self->{protocol});
    $uri->host($self->{host});
    $uri->port($self->{port});

    $path =~ s!^/+!!;

    if ($path !~ m!^api2/!) {
	$uri->path("api2/json/$path");
    } else {
	$uri->path($path);
    }

    #print "CALL $method : " .  $uri->as_string() . "\n";

    my $exec_method = sub {

	my $response;
	if ($method eq 'GET') {
	    $uri->query_form($param);
	    $response = $ua->request(HTTP::Request::Common::GET($uri));
	} elsif ($method eq 'POST') {
	    $response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
	} elsif ($method eq 'PUT') {
	    # We use another temporary URI object to format
	    # the application/x-www-form-urlencoded content.

	    my $tmpurl = URI->new('http:');
	    $tmpurl->query_form(%$param);
	    my $content = $tmpurl->query;

	    $response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));

	} elsif ($method eq 'DELETE') {
	    $response = $ua->request(HTTP::Request::Common::DELETE($uri));
	} else {
	    raise("method $method not implemented\n");
	}
	return $response;
    };

    my $response = $exec_method->();

    if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
	if ($self->manual_verify_fingerprint($fp)) {
	    $response = $exec_method->(); # try again
	}
    }

    my $ct = $response->header('Content-Type') || '';

    if ($response->is_success) {

	raise("got unexpected content type", code => $response->code)
	    if $ct !~ m|application/json|;

	return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});

    } else {

	my $msg = $response->message;
	my $errors = eval {
	    return if $ct !~ m|application/json|;
	    my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
	    return $res->{errors};
	};

	raise("$msg\n", code => $response->code, errors => $errors);
    }
}

my sub verify_cert_callback {
    my ($fingerprint, $cert, $verify_cb) = @_;

    # check server certificate against cache of pinned FPs
    # get fingerprint of server certificate
    my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
    return 0 if !defined($fp) || $fp eq ''; # error

    my $valid = $fingerprint->{cache}->{$fp};
    return $valid if defined($valid); # return cached result

    if ($verify_cb) {
	$valid = $verify_cb->($cert);
	$fingerprint->{cache}->{$fp} = $valid;
	return $valid;
    }

    $fingerprint->{last_unknown} = $fp;

    return 0;
};

sub new {
    my ($class, %param) = @_;

    my $ssl_default_opts = { verify_hostname => 0 };
    my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;

    my $self = {
	username => $param{username},
	password => $param{password},
	host => $param{host} || 'localhost',
	port => $param{port},
	protocol => $param{protocol},
	cookie_name => $param{cookie_name} // 'PVEAuthCookie',
	manual_verification => $param{manual_verification},
	fingerprint => {
	    cache => $param{cached_fingerprints} || {},
	    last_unknown => undef,
	},
	register_fingerprint_cb => $param{register_fingerprint_cb},
	timeout => $param{timeout} || 60,
    };
    bless $self, $class;

    if (!$ssl_opts->{SSL_verify_callback}) {
	$ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;

	my $fingerprint = $self->{fingerprint}; # avoid passing $self, that's a RC cycle!
	my $verify_fingerprint_cb = $param{verify_fingerprint_cb};
	$ssl_opts->{'SSL_verify_callback'} = sub {
	    my (undef, undef, undef, undef, $cert, $depth) = @_;

	    # we don't care about intermediate or root certificates
	    return 1 if $depth != 0;

	    return verify_cert_callback($fingerprint, $cert, $verify_fingerprint_cb);
	}
    }

    if (!$self->{port}) {
	$self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
    }
    if (!$self->{protocol}) {
	$self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
    }

    $self->{useragent} = LWP::UserAgent->new(
	protocols_allowed => [ 'http', 'https'],
	ssl_opts => $ssl_opts,
	timeout => $self->{timeout},
	keep_alive => $param{keep_alive} // 50,
	);

    $self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip

    if ($param{apitoken} && $param{password}) {
	warn "password will be ignored in favor of API token\n";
	delete $self->{password};
    }
    if ($param{ticket}) {
	if ($param{apitoken}) {
	    warn "ticket will be ignored in favor of API token\n";
	} else {
	    $self->update_ticket($param{ticket});
	}
    }
    $self->update_csrftoken($param{csrftoken}) if $param{csrftoken};

    if ($param{apitoken}) {
	my $agent = $self->{useragent};

	$self->{apitoken} = $param{apitoken};

	$agent->default_header('Authorization', $param{apitoken});
    }

    return $self;
}

1;
Commit	Line	Data
9ae947dd DM	1	package PVE::APIClient::LWP;
	2
	3	use strict;
	4	use warnings;
44f9aae4 TL	5
	6	use Carp;
	7	use HTTP::Request::Common;
9ae947dd	8	use IO::Socket::SSL; # important for SSL_verify_callback
44f9aae4	9	use JSON;
9ae947dd	10	use LWP::UserAgent;
9ae947dd	11	use Net::SSLeay;
44f9aae4 TL	12	use URI::Escape;
	13	use URI;
	14
097484f4	15	use PVE::APIClient::Exception qw(raise);
9ae947dd DM	16
	17	my $extract_data = sub {
	18	my ($res) = @_;
	19
	20	croak "undefined result" if !defined($res);
	21	croak "undefined result data" if !exists($res->{data});
	22
	23	return $res->{data};
	24	};
	25
	26	sub get_raw {
	27	my ($self, $path, $param) = @_;
	28
	29	return $self->call('GET', $path, $param);
	30	}
	31
	32	sub get {
	33	my ($self, $path, $param) = @_;
	34
	35	return $extract_data->($self->call('GET', $path, $param));
	36	}
	37
	38	sub post_raw {
	39	my ($self, $path, $param) = @_;
	40
	41	return $self->call('POST', $path, $param);
	42	}
	43
	44	sub post {
	45	my ($self, $path, $param) = @_;
	46
	47	return $extract_data->($self->call('POST', $path, $param));
	48	}
	49
	50	sub put_raw {
	51	my ($self, $path, $param) = @_;
	52
	53	return $self->call('PUT', $path, $param);
	54	}
	55
	56	sub put {
	57	my ($self, $path, $param) = @_;
	58
	59	return $extract_data->($self->call('PUT', $path, $param));
	60	}
	61
	62	sub delete_raw {
	63	my ($self, $path, $param) = @_;
	64
	65	return $self->call('DELETE', $path, $param);
	66	}
	67
	68	sub delete {
	69	my ($self, $path, $param) = @_;
	70
	71	return $extract_data->($self->call('DELETE', $path, $param));
	72	}
	73
	74	sub update_csrftoken {
	75	my ($self, $csrftoken) = @_;
	76
	77	$self->{csrftoken} = $csrftoken;
	78
	79	my $agent = $self->{useragent};
80
81	$agent->default_header('CSRFPreventionToken', $self->{csrftoken});
82	}
83
84	sub update_ticket {
85	my ($self, $ticket) = @_;
86
87	my $agent = $self->{useragent};
88
89	$self->{ticket} = $ticket;
90
91	my $encticket = uri_escape($ticket);
444d6419	92	my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
9ae947dd DM	93	$agent->default_header('Cookie', $cookie);
	94	}
	95
f1956672 OB	96	sub two_factor_auth_login {
	97	my ($self, $type, $challenge) = @_;
	98
	99	if ($type eq 'PVE:tfa') {
	100	raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
	101	print "\nEnter OTP code for user $self->{username}: ";
	102	my $tfa_response = <STDIN>;
	103	chomp $tfa_response;
	104	return $self->post('/api2/json/access/tfa', {response => $tfa_response});
	105	} elsif ($type eq 'PVE:u2f') {
	106	# TODO: implement u2f-enabled join
	107	raise("U2F-enabled login is currently not implemented.");
	108	} else {
	109	raise("Authentication type '$type' not recognized, aborting!");
	110	}
	111	}
	112
9ae947dd DM	113	sub login {
	114	my ($self) = @_;
	115
	116	my $uri = URI->new();
	117	$uri->scheme($self->{protocol});
	118	$uri->host($self->{host});
	119	$uri->port($self->{port});
	120	$uri->path('/api2/json/access/ticket');
	121
	122	my $ua = $self->{useragent};
8bc98506	123	my $username = $self->{username} // 'unknown',
9ae947dd	124
588a2ba6	125	delete $self->{fingerprint}->{last_unknown};
9ae947dd DM	126
	127	my $exec_login = sub {
	128	return $ua->post($uri, {
8bc98506	129	username => $username,
9ae947dd DM	130	password => $self->{password} \|\| ''});
	131	};
	132
	133	my $response = $exec_login->();
	134
	135	if (!$response->is_success) {
588a2ba6	136	if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
9ae947dd DM	137	if ($self->manual_verify_fingerprint($fp)) {
	138	$response = $exec_login->(); # try again
	139	}
	140	}
	141	}
	142
	143	if (!$response->is_success) {
097484f4	144	raise($response->status_line ."\n", code => $response->code)
9ae947dd DM	145	}
	146
	147	my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
	148
	149	my $data = $extract_data->($res);
9ae947dd DM	150	$self->update_ticket($data->{ticket});
	151	$self->update_csrftoken($data->{CSRFPreventionToken});
	152
f1956672 OB	153	# handle two-factor login
	154	my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
	155	if ($data->{ticket} =~ m/$tfa_ticket_re/) {
	156	my ($type, $challenge) = ($1, $2);
	157	$data = $self->two_factor_auth_login($type, $challenge);
	158	$self->update_ticket($data->{ticket});
	159	}
	160
9ae947dd DM	161	return $data;
	162	}
	163
	164	sub manual_verify_fingerprint {
	165	my ($self, $fingerprint) = @_;
	166
	167	if (!$self->{manual_verification}) {
8153e671	168	raise("fingerprint '$fingerprint' not verified, abort!\n");
9ae947dd DM	169	}
	170
	171	print "The authenticity of host '$self->{host}' can't be established.\n" .
	172	"X509 SHA256 key fingerprint is $fingerprint.\n" .
	173	"Are you sure you want to continue connecting (yes/no)? ";
	174
ff8ba9c9	175	my $answer = <STDIN>;
9ae947dd DM	176
	177	my $valid = ($answer =~ m/^\syes\s$/i) ? 1 : 0;
	178
588a2ba6	179	$self->{fingerprint}->{cache}->{$fingerprint} = $valid;
9ae947dd	180
8153e671 TL	181	raise("Fingerprint not verified, abort!\n") if !$valid;
8153e671 TL	182
9ae947dd DM	183	if (my $cb = $self->{register_fingerprint_cb}) {
	184	$cb->($fingerprint) if $valid;
	185	}
	186
	187	return $valid;
	188	}
	189
	190	sub call {
	191	my ($self, $method, $path, $param) = @_;
	192
588a2ba6	193	delete $self->{fingerprint}->{last_unknown};
9ae947dd DM	194
9ae947dd DM	195	my $ticket = $self->{ticket};
7b6f8f1d	196	my $apitoken = $self->{apitoken};
9ae947dd DM	197
	198	my $ua = $self->{useragent};
	199
	200	# fixme: check ticket lifetime?
	201
7b6f8f1d	202	if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
9ae947dd DM	203	$self->login();
	204	}
	205
	206	my $uri = URI->new();
	207	$uri->scheme($self->{protocol});
	208	$uri->host($self->{host});
	209	$uri->port($self->{port});
	210
	211	$path =~ s!^/+!!;
	212
	213	if ($path !~ m!^api2/!) {
	214	$uri->path("api2/json/$path");
	215	} else {
	216	$uri->path($path);
	217	}
	218
	219	#print "CALL $method : " . $uri->as_string() . "\n";
	220
	221	my $exec_method = sub {
	222
	223	my $response;
	224	if ($method eq 'GET') {
	225	$uri->query_form($param);
	226	$response = $ua->request(HTTP::Request::Common::GET($uri));
	227	} elsif ($method eq 'POST') {
	228	$response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
	229	} elsif ($method eq 'PUT') {
	230	# We use another temporary URI object to format
	231	# the application/x-www-form-urlencoded content.
	232
	233	my $tmpurl = URI->new('http:');
	234	$tmpurl->query_form(%$param);
	235	my $content = $tmpurl->query;
	236
	237	$response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));
	238
	239	} elsif ($method eq 'DELETE') {
	240	$response = $ua->request(HTTP::Request::Common::DELETE($uri));
	241	} else {
097484f4	242	raise("method $method not implemented\n");
9ae947dd DM	243	}
	244	return $response;
	245	};
	246
	247	my $response = $exec_method->();
	248
588a2ba6	249	if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
9ae947dd DM	250	if ($self->manual_verify_fingerprint($fp)) {
	251	$response = $exec_method->(); # try again
	252	}
	253	}
	254
9ae947dd DM	255	my $ct = $response->header('Content-Type') \|\| '';
	256
	257	if ($response->is_success) {
	258
097484f4 TL	259	raise("got unexpected content type", code => $response->code)
097484f4 TL	260	if $ct !~ m\|application/json\|;
9ae947dd DM	261
	262	return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
	263
	264	} else {
	265
097484f4 TL	266	my $msg = $response->message;
097484f4 TL	267	my $errors = eval {
9ae947dd DM	268	return if $ct !~ m\|application/json\|;
9ae947dd DM	269	my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
097484f4	270	return $res->{errors};
9ae947dd	271	};
9ae947dd	272
097484f4	273	raise("$msg\n", code => $response->code, errors => $errors);
9ae947dd DM	274	}
	275	}
	276
588a2ba6 TL	277	my sub verify_cert_callback {
588a2ba6 TL	278	my ($fingerprint, $cert, $verify_cb) = @_;
9ae947dd DM	279
	280	# check server certificate against cache of pinned FPs
	281	# get fingerprint of server certificate
1d40f3c3	282	my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
38eb3479	283	return 0 if !defined($fp) \|\| $fp eq ''; # error
9ae947dd	284
588a2ba6	285	my $valid = $fingerprint->{cache}->{$fp};
9ae947dd DM	286	return $valid if defined($valid); # return cached result
9ae947dd DM	287
588a2ba6 TL	288	if ($verify_cb) {
	289	$valid = $verify_cb->($cert);
	290	$fingerprint->{cache}->{$fp} = $valid;
9ae947dd DM	291	return $valid;
	292	}
	293
588a2ba6	294	$fingerprint->{last_unknown} = $fp;
9ae947dd DM	295
	296	return 0;
	297	};
	298
	299	sub new {
	300	my ($class, %param) = @_;
	301
	302	my $ssl_default_opts = { verify_hostname => 0 };
	303	my $ssl_opts = $param{ssl_opts} \|\| $ssl_default_opts;
	304
	305	my $self = {
	306	username => $param{username},
	307	password => $param{password},
	308	host => $param{host} \|\| 'localhost',
	309	port => $param{port},
	310	protocol => $param{protocol},
444d6419	311	cookie_name => $param{cookie_name} // 'PVEAuthCookie',
9ae947dd	312	manual_verification => $param{manual_verification},
588a2ba6 TL	313	fingerprint => {
	314	cache => $param{cached_fingerprints} \|\| {},
	315	last_unknown => undef,
	316	},
9ae947dd	317	register_fingerprint_cb => $param{register_fingerprint_cb},
9ae947dd DM	318	timeout => $param{timeout} \|\| 60,
9ae947dd DM	319	};
38fbee3c	320	bless $self, $class;
9ae947dd DM	321
	322	if (!$ssl_opts->{SSL_verify_callback}) {
	323	$ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;
588a2ba6 TL	324
	325	my $fingerprint = $self->{fingerprint}; # avoid passing $self, that's a RC cycle!
	326	my $verify_fingerprint_cb = $param{verify_fingerprint_cb};
9ae947dd DM	327	$ssl_opts->{'SSL_verify_callback'} = sub {
	328	my (undef, undef, undef, undef, $cert, $depth) = @_;
	329
	330	# we don't care about intermediate or root certificates
	331	return 1 if $depth != 0;
	332
588a2ba6	333	return verify_cert_callback($fingerprint, $cert, $verify_fingerprint_cb);
9ae947dd DM	334	}
	335	}
	336
	337	if (!$self->{port}) {
	338	$self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
	339	}
	340	if (!$self->{protocol}) {
	341	$self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
	342	}
	343
	344	$self->{useragent} = LWP::UserAgent->new(
	345	protocols_allowed => [ 'http', 'https'],
	346	ssl_opts => $ssl_opts,
	347	timeout => $self->{timeout},
	348	keep_alive => $param{keep_alive} // 50,
	349	);
	350
	351	$self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
	352
7b6f8f1d FG	353	if ($param{apitoken} && $param{password}) {
	354	warn "password will be ignored in favor of API token\n";
	355	delete $self->{password};
	356	}
	357	if ($param{ticket}) {
	358	if ($param{apitoken}) {
	359	warn "ticket will be ignored in favor of API token\n";
	360	} else {
	361	$self->update_ticket($param{ticket});
	362	}
	363	}
9ae947dd DM	364	$self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
9ae947dd DM	365
7b6f8f1d FG	366	if ($param{apitoken}) {
	367	my $agent = $self->{useragent};
	368
	369	$self->{apitoken} = $param{apitoken};
	370
	371	$agent->default_header('Authorization', $param{apitoken});
	372	}
9ae947dd DM	373
	374	return $self;
	375	}
	376
	377	1;