[pve-apiclient.git] / PVE / APIClient / LWP.pm

package PVE::APIClient::LWP;

use strict;
use warnings;

use Carp;
use HTTP::Request::Common;
use IO::Socket::SSL; # important for SSL_verify_callback
use JSON;
use LWP::UserAgent;
use Net::SSLeay;
use URI::Escape;
use URI;

use PVE::APIClient::Exception qw(raise);

my $extract_data = sub {
    my ($res) = @_;

    croak "undefined result" if !defined($res);
    croak "undefined result data" if !exists($res->{data});

    return $res->{data};
};

sub get_raw {
    my ($self, $path, $param) = @_;

    return $self->call('GET', $path, $param);
}

sub get {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('GET', $path, $param));
}

sub post_raw {
    my ($self, $path, $param) = @_;

    return $self->call('POST', $path, $param);
}

sub post {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('POST', $path, $param));
}

sub put_raw {
    my ($self, $path, $param) = @_;

    return $self->call('PUT', $path, $param);
}

sub put {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('PUT', $path, $param));
}

sub delete_raw {
    my ($self, $path, $param) = @_;

    return $self->call('DELETE', $path, $param);
}

sub delete {
    my ($self, $path, $param) = @_;

    return $extract_data->($self->call('DELETE', $path, $param));
}

sub update_csrftoken {
    my ($self, $csrftoken) = @_;

    $self->{csrftoken} = $csrftoken;

    my $agent = $self->{useragent};

    $agent->default_header('CSRFPreventionToken', $self->{csrftoken});
}

sub update_ticket {
    my ($self, $ticket) = @_;

    my $agent = $self->{useragent};

    $self->{ticket} = $ticket;

    my $encticket = uri_escape($ticket);
    my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
    $agent->default_header('Cookie', $cookie);
}

sub two_factor_auth_login {
    my ($self, $type, $challenge) = @_;

    if ($type eq 'PVE:tfa') {
	raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
	print "\nEnter OTP code for user $self->{username}: ";
	my $tfa_response = <STDIN>;
	chomp $tfa_response;
	return $self->post('/api2/json/access/tfa', {response => $tfa_response});
    } elsif ($type eq 'PVE:u2f') {
	# TODO: implement u2f-enabled join
	raise("U2F-enabled login is currently not implemented.");
    } else {
	raise("Authentication type '$type' not recognized, aborting!");
    }
}

sub login {
    my ($self) = @_;

    my $uri = URI->new();
    $uri->scheme($self->{protocol});
    $uri->host($self->{host});
    $uri->port($self->{port});
    $uri->path('/api2/json/access/ticket');

    my $ua = $self->{useragent};
    my $username = $self->{username} // 'unknown',

    delete $self->{fingerprint}->{last_unknown};

    my $exec_login = sub {
	return $ua->post($uri, {
	    username => $username,
	    password => $self->{password} || ''
	});
    };

    my $response = $exec_login->();

    if (!$response->is_success) {
	if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
	    if ($self->manual_verify_fingerprint($fp)) {
		$response = $exec_login->(); # try again
	    }
	}
    }

    if (!$response->is_success) {
	raise($response->status_line ."\n", code => $response->code)
    }

    my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});

    my $data = $extract_data->($res);
    $self->update_ticket($data->{ticket});
    $self->update_csrftoken($data->{CSRFPreventionToken});

    # handle two-factor login
    my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
    if ($data->{ticket} =~ m/$tfa_ticket_re/) {
	my ($type, $challenge) = ($1, $2);
	$data = $self->two_factor_auth_login($type, $challenge);
	$self->update_ticket($data->{ticket});
    }

    return $data;
}

sub manual_verify_fingerprint {
    my ($self, $fingerprint) = @_;

    if (!$self->{manual_verification}) {
	raise("fingerprint '$fingerprint' not verified, abort!\n");
    }

    print "The authenticity of host '$self->{host}' can't be established.\n" .
	"X509 SHA256 key fingerprint is $fingerprint.\n" .
	"Are you sure you want to continue connecting (yes/no)? ";

    my $answer = <STDIN>;

    my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0;

    $self->{fingerprint}->{cache}->{$fingerprint} = $valid;

    raise("Fingerprint not verified, abort!\n") if !$valid;

    if (my $cb = $self->{register_fingerprint_cb}) {
	$cb->($fingerprint) if $valid;
    }

    return $valid;
}

sub call {
    my ($self, $method, $path, $param) = @_;

    delete $self->{fingerprint}->{last_unknown};

    my $ticket = $self->{ticket};
    my $apitoken = $self->{apitoken};

    my $ua = $self->{useragent};

    # fixme: check ticket lifetime?

    if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
	$self->login();
    }

    my $uri = URI->new();
    $uri->scheme($self->{protocol});
    $uri->host($self->{host});
    $uri->port($self->{port});

    $path =~ s!^/+!!;

    if ($path !~ m!^api2/!) {
	$uri->path("api2/json/$path");
    } else {
	$uri->path($path);
    }

    #print "CALL $method : " .  $uri->as_string() . "\n";

    my $exec_method = sub {

	my $response;
	if ($method eq 'GET') {
	    $uri->query_form($param);
	    $response = $ua->request(HTTP::Request::Common::GET($uri));
	} elsif ($method eq 'POST') {
	    $response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
	} elsif ($method eq 'PUT') {
	    # We use another temporary URI object to format
	    # the application/x-www-form-urlencoded content.

	    my $tmpurl = URI->new('http:');
	    $tmpurl->query_form(%$param);
	    my $content = $tmpurl->query;

	    $response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));

	} elsif ($method eq 'DELETE') {
	    $response = $ua->request(HTTP::Request::Common::DELETE($uri));
	} else {
	    raise("method $method not implemented\n");
	}
	return $response;
    };

    my $response = $exec_method->();

    if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
	if ($self->manual_verify_fingerprint($fp)) {
	    $response = $exec_method->(); # try again
	}
    }

    my $ct = $response->header('Content-Type') || '';

    if ($response->is_success) {

	raise("got unexpected content type", code => $response->code)
	    if $ct !~ m|application/json|;

	return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});

    } else {

	my $msg = $response->message;
	my $errors = eval {
	    return if $ct !~ m|application/json|;
	    my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
	    return $res->{errors};
	};

	raise("$msg\n", code => $response->code, errors => $errors);
    }
}

my sub verify_cert_callback {
    my ($fingerprint, $cert, $verify_cb) = @_;

    # check server certificate against cache of pinned FPs
    # get fingerprint of server certificate
    my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
    return 0 if !defined($fp) || $fp eq ''; # error

    my $valid = $fingerprint->{cache}->{$fp};
    return $valid if defined($valid); # return cached result

    if ($verify_cb) {
	$valid = $verify_cb->($cert);
	$fingerprint->{cache}->{$fp} = $valid;
	return $valid;
    }

    $fingerprint->{last_unknown} = $fp;

    return 0;
};

sub new {
    my ($class, %param) = @_;

    my $ssl_default_opts = { verify_hostname => 0 };
    my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;

    # we can only really trust openssl result if it also verifies the hostname,
    # else it's easy to intercept (MITM using valid Lets Encrypt)
    my $trust_openssl = $ssl_opts->{verify_hostname} ? 1 : 0;

    my $self = {
	username => $param{username},
	password => $param{password},
	host => $param{host} || 'localhost',
	port => $param{port},
	protocol => $param{protocol},
	cookie_name => $param{cookie_name} // 'PVEAuthCookie',
	manual_verification => $param{manual_verification},
	fingerprint => {
	    cache => $param{cached_fingerprints} || {},
	    last_unknown => undef,
	},
	register_fingerprint_cb => $param{register_fingerprint_cb},
	timeout => $param{timeout} || 60,
    };
    bless $self, $class;

    if (!$ssl_opts->{SSL_verify_callback}) {
	$ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;

	my $fingerprints = $self->{fingerprint}; # avoid passing $self, that's a RC cycle!
	my $verify_fingerprint_cb = $param{verify_fingerprint_cb};
	$ssl_opts->{'SSL_verify_callback'} = sub {
	    my ($openssl_valid, undef, undef, undef, $cert, $depth) = @_;

	    # we don't care about intermediate or root certificates
	    return 1 if $depth != 0;

	    return 1 if $trust_openssl && $openssl_valid;

	    return verify_cert_callback($fingerprints, $cert, $verify_fingerprint_cb);
	}
    }

    if (!$self->{port}) {
	$self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
    }
    if (!$self->{protocol}) {
	$self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
    }

    $self->{useragent} = LWP::UserAgent->new(
	protocols_allowed => [ 'http', 'https'],
	ssl_opts => $ssl_opts,
	timeout => $self->{timeout},
	keep_alive => $param{keep_alive} // 50,
	);

    $self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip

    if ($param{apitoken} && $param{password}) {
	warn "password will be ignored in favor of API token\n";
	delete $self->{password};
    }
    if ($param{ticket}) {
	if ($param{apitoken}) {
	    warn "ticket will be ignored in favor of API token\n";
	} else {
	    $self->update_ticket($param{ticket});
	}
    }
    $self->update_csrftoken($param{csrftoken}) if $param{csrftoken};

    if ($param{apitoken}) {
	my $agent = $self->{useragent};

	$self->{apitoken} = $param{apitoken};

	$agent->default_header('Authorization', $param{apitoken});
    }

    return $self;
}

1;
Commit	Line	Data
9ae947dd DM	1	package PVE::APIClient::LWP;
	2
	3	use strict;
	4	use warnings;
44f9aae4 TL	5
	6	use Carp;
	7	use HTTP::Request::Common;
9ae947dd	8	use IO::Socket::SSL; # important for SSL_verify_callback
44f9aae4	9	use JSON;
9ae947dd	10	use LWP::UserAgent;
9ae947dd	11	use Net::SSLeay;
44f9aae4 TL	12	use URI::Escape;
	13	use URI;
	14
097484f4	15	use PVE::APIClient::Exception qw(raise);
9ae947dd DM	16
	17	my $extract_data = sub {
	18	my ($res) = @_;
	19
	20	croak "undefined result" if !defined($res);
	21	croak "undefined result data" if !exists($res->{data});
	22
	23	return $res->{data};
	24	};
	25
	26	sub get_raw {
	27	my ($self, $path, $param) = @_;
	28
	29	return $self->call('GET', $path, $param);
	30	}
	31
	32	sub get {
	33	my ($self, $path, $param) = @_;
	34
	35	return $extract_data->($self->call('GET', $path, $param));
	36	}
	37
	38	sub post_raw {
	39	my ($self, $path, $param) = @_;
	40
	41	return $self->call('POST', $path, $param);
	42	}
	43
	44	sub post {
	45	my ($self, $path, $param) = @_;
	46
	47	return $extract_data->($self->call('POST', $path, $param));
	48	}
	49
	50	sub put_raw {
	51	my ($self, $path, $param) = @_;
	52
	53	return $self->call('PUT', $path, $param);
	54	}
	55
	56	sub put {
	57	my ($self, $path, $param) = @_;
	58
	59	return $extract_data->($self->call('PUT', $path, $param));
	60	}
	61
	62	sub delete_raw {
	63	my ($self, $path, $param) = @_;
	64
	65	return $self->call('DELETE', $path, $param);
	66	}
	67
	68	sub delete {
	69	my ($self, $path, $param) = @_;
	70
	71	return $extract_data->($self->call('DELETE', $path, $param));
	72	}
	73
	74	sub update_csrftoken {
	75	my ($self, $csrftoken) = @_;
	76
	77	$self->{csrftoken} = $csrftoken;
	78
	79	my $agent = $self->{useragent};
80
81	$agent->default_header('CSRFPreventionToken', $self->{csrftoken});
82	}
83
84	sub update_ticket {
85	my ($self, $ticket) = @_;
86
87	my $agent = $self->{useragent};
88
89	$self->{ticket} = $ticket;
90
91	my $encticket = uri_escape($ticket);
444d6419	92	my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
9ae947dd DM	93	$agent->default_header('Cookie', $cookie);
	94	}
	95
f1956672 OB	96	sub two_factor_auth_login {
	97	my ($self, $type, $challenge) = @_;
	98
	99	if ($type eq 'PVE:tfa') {
	100	raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
	101	print "\nEnter OTP code for user $self->{username}: ";
	102	my $tfa_response = <STDIN>;
	103	chomp $tfa_response;
	104	return $self->post('/api2/json/access/tfa', {response => $tfa_response});
	105	} elsif ($type eq 'PVE:u2f') {
	106	# TODO: implement u2f-enabled join
	107	raise("U2F-enabled login is currently not implemented.");
	108	} else {
	109	raise("Authentication type '$type' not recognized, aborting!");
	110	}
	111	}
	112
9ae947dd DM	113	sub login {
	114	my ($self) = @_;
	115
	116	my $uri = URI->new();
	117	$uri->scheme($self->{protocol});
	118	$uri->host($self->{host});
	119	$uri->port($self->{port});
	120	$uri->path('/api2/json/access/ticket');
	121
	122	my $ua = $self->{useragent};
8bc98506	123	my $username = $self->{username} // 'unknown',
9ae947dd	124
588a2ba6	125	delete $self->{fingerprint}->{last_unknown};
9ae947dd DM	126
	127	my $exec_login = sub {
	128	return $ua->post($uri, {
8bc98506	129	username => $username,
e02e35fd TL	130	password => $self->{password} \|\| ''
e02e35fd TL	131	});
9ae947dd DM	132	};
	133
	134	my $response = $exec_login->();
	135
	136	if (!$response->is_success) {
588a2ba6	137	if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
9ae947dd DM	138	if ($self->manual_verify_fingerprint($fp)) {
	139	$response = $exec_login->(); # try again
	140	}
	141	}
	142	}
	143
	144	if (!$response->is_success) {
097484f4	145	raise($response->status_line ."\n", code => $response->code)
9ae947dd DM	146	}
	147
	148	my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
	149
	150	my $data = $extract_data->($res);
9ae947dd DM	151	$self->update_ticket($data->{ticket});
	152	$self->update_csrftoken($data->{CSRFPreventionToken});
	153
f1956672 OB	154	# handle two-factor login
	155	my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
	156	if ($data->{ticket} =~ m/$tfa_ticket_re/) {
	157	my ($type, $challenge) = ($1, $2);
	158	$data = $self->two_factor_auth_login($type, $challenge);
	159	$self->update_ticket($data->{ticket});
	160	}
	161
9ae947dd DM	162	return $data;
	163	}
	164
	165	sub manual_verify_fingerprint {
	166	my ($self, $fingerprint) = @_;
	167
	168	if (!$self->{manual_verification}) {
8153e671	169	raise("fingerprint '$fingerprint' not verified, abort!\n");
9ae947dd DM	170	}
	171
	172	print "The authenticity of host '$self->{host}' can't be established.\n" .
	173	"X509 SHA256 key fingerprint is $fingerprint.\n" .
	174	"Are you sure you want to continue connecting (yes/no)? ";
	175
ff8ba9c9	176	my $answer = <STDIN>;
9ae947dd DM	177
	178	my $valid = ($answer =~ m/^\syes\s$/i) ? 1 : 0;
	179
588a2ba6	180	$self->{fingerprint}->{cache}->{$fingerprint} = $valid;
9ae947dd	181
8153e671 TL	182	raise("Fingerprint not verified, abort!\n") if !$valid;
8153e671 TL	183
9ae947dd DM	184	if (my $cb = $self->{register_fingerprint_cb}) {
	185	$cb->($fingerprint) if $valid;
	186	}
	187
	188	return $valid;
	189	}
	190
	191	sub call {
	192	my ($self, $method, $path, $param) = @_;
	193
588a2ba6	194	delete $self->{fingerprint}->{last_unknown};
9ae947dd DM	195
9ae947dd DM	196	my $ticket = $self->{ticket};
7b6f8f1d	197	my $apitoken = $self->{apitoken};
9ae947dd DM	198
	199	my $ua = $self->{useragent};
	200
	201	# fixme: check ticket lifetime?
	202
7b6f8f1d	203	if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
9ae947dd DM	204	$self->login();
	205	}
	206
	207	my $uri = URI->new();
	208	$uri->scheme($self->{protocol});
	209	$uri->host($self->{host});
	210	$uri->port($self->{port});
	211
	212	$path =~ s!^/+!!;
	213
	214	if ($path !~ m!^api2/!) {
	215	$uri->path("api2/json/$path");
	216	} else {
	217	$uri->path($path);
	218	}
	219
	220	#print "CALL $method : " . $uri->as_string() . "\n";
	221
	222	my $exec_method = sub {
	223
	224	my $response;
	225	if ($method eq 'GET') {
	226	$uri->query_form($param);
	227	$response = $ua->request(HTTP::Request::Common::GET($uri));
	228	} elsif ($method eq 'POST') {
	229	$response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
	230	} elsif ($method eq 'PUT') {
	231	# We use another temporary URI object to format
	232	# the application/x-www-form-urlencoded content.
	233
	234	my $tmpurl = URI->new('http:');
	235	$tmpurl->query_form(%$param);
	236	my $content = $tmpurl->query;
	237
	238	$response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));
	239
	240	} elsif ($method eq 'DELETE') {
	241	$response = $ua->request(HTTP::Request::Common::DELETE($uri));
	242	} else {
097484f4	243	raise("method $method not implemented\n");
9ae947dd DM	244	}
	245	return $response;
	246	};
	247
	248	my $response = $exec_method->();
	249
588a2ba6	250	if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
9ae947dd DM	251	if ($self->manual_verify_fingerprint($fp)) {
	252	$response = $exec_method->(); # try again
	253	}
	254	}
	255
9ae947dd DM	256	my $ct = $response->header('Content-Type') \|\| '';
	257
	258	if ($response->is_success) {
	259
097484f4 TL	260	raise("got unexpected content type", code => $response->code)
097484f4 TL	261	if $ct !~ m\|application/json\|;
9ae947dd DM	262
	263	return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
	264
	265	} else {
	266
097484f4 TL	267	my $msg = $response->message;
097484f4 TL	268	my $errors = eval {
9ae947dd DM	269	return if $ct !~ m\|application/json\|;
9ae947dd DM	270	my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
097484f4	271	return $res->{errors};
9ae947dd	272	};
9ae947dd	273
097484f4	274	raise("$msg\n", code => $response->code, errors => $errors);
9ae947dd DM	275	}
	276	}
	277
588a2ba6 TL	278	my sub verify_cert_callback {
588a2ba6 TL	279	my ($fingerprint, $cert, $verify_cb) = @_;
9ae947dd DM	280
	281	# check server certificate against cache of pinned FPs
	282	# get fingerprint of server certificate
1d40f3c3	283	my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
38eb3479	284	return 0 if !defined($fp) \|\| $fp eq ''; # error
9ae947dd	285
588a2ba6	286	my $valid = $fingerprint->{cache}->{$fp};
9ae947dd DM	287	return $valid if defined($valid); # return cached result
9ae947dd DM	288
588a2ba6 TL	289	if ($verify_cb) {
	290	$valid = $verify_cb->($cert);
	291	$fingerprint->{cache}->{$fp} = $valid;
9ae947dd DM	292	return $valid;
	293	}
	294
588a2ba6	295	$fingerprint->{last_unknown} = $fp;
9ae947dd DM	296
	297	return 0;
	298	};
	299
	300	sub new {
	301	my ($class, %param) = @_;
	302
	303	my $ssl_default_opts = { verify_hostname => 0 };
	304	my $ssl_opts = $param{ssl_opts} \|\| $ssl_default_opts;
	305
a1298cc2 TL	306	# we can only really trust openssl result if it also verifies the hostname,
	307	# else it's easy to intercept (MITM using valid Lets Encrypt)
	308	my $trust_openssl = $ssl_opts->{verify_hostname} ? 1 : 0;
	309
9ae947dd DM	310	my $self = {
	311	username => $param{username},
	312	password => $param{password},
	313	host => $param{host} \|\| 'localhost',
	314	port => $param{port},
	315	protocol => $param{protocol},
444d6419	316	cookie_name => $param{cookie_name} // 'PVEAuthCookie',
9ae947dd	317	manual_verification => $param{manual_verification},
588a2ba6 TL	318	fingerprint => {
	319	cache => $param{cached_fingerprints} \|\| {},
	320	last_unknown => undef,
	321	},
9ae947dd	322	register_fingerprint_cb => $param{register_fingerprint_cb},
9ae947dd DM	323	timeout => $param{timeout} \|\| 60,
9ae947dd DM	324	};
38fbee3c	325	bless $self, $class;
9ae947dd DM	326
	327	if (!$ssl_opts->{SSL_verify_callback}) {
	328	$ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;
588a2ba6	329
e02e35fd	330	my $fingerprints = $self->{fingerprint}; # avoid passing $self, that's a RC cycle!
588a2ba6	331	my $verify_fingerprint_cb = $param{verify_fingerprint_cb};
9ae947dd	332	$ssl_opts->{'SSL_verify_callback'} = sub {
a1298cc2	333	my ($openssl_valid, undef, undef, undef, $cert, $depth) = @_;
9ae947dd DM	334
	335	# we don't care about intermediate or root certificates
	336	return 1 if $depth != 0;
	337
a1298cc2 TL	338	return 1 if $trust_openssl && $openssl_valid;
a1298cc2 TL	339
e02e35fd	340	return verify_cert_callback($fingerprints, $cert, $verify_fingerprint_cb);
9ae947dd DM	341	}
	342	}
	343
	344	if (!$self->{port}) {
	345	$self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
	346	}
	347	if (!$self->{protocol}) {
	348	$self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
	349	}
	350
	351	$self->{useragent} = LWP::UserAgent->new(
	352	protocols_allowed => [ 'http', 'https'],
	353	ssl_opts => $ssl_opts,
	354	timeout => $self->{timeout},
	355	keep_alive => $param{keep_alive} // 50,
	356	);
	357
	358	$self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
	359
7b6f8f1d FG	360	if ($param{apitoken} && $param{password}) {
	361	warn "password will be ignored in favor of API token\n";
	362	delete $self->{password};
	363	}
	364	if ($param{ticket}) {
	365	if ($param{apitoken}) {
	366	warn "ticket will be ignored in favor of API token\n";
	367	} else {
	368	$self->update_ticket($param{ticket});
	369	}
	370	}
9ae947dd DM	371	$self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
9ae947dd DM	372
7b6f8f1d FG	373	if ($param{apitoken}) {
	374	my $agent = $self->{useragent};
	375
	376	$self->{apitoken} = $param{apitoken};
	377
	378	$agent->default_header('Authorization', $param{apitoken});
	379	}
9ae947dd DM	380
	381	return $self;
	382	}
	383
	384	1;