PVE/APIClient/LWP.pm

   1 package PVE::APIClient::LWP;
   2
   3 use strict;
   4 use warnings;
   5 use URI;
   6 use IO::Socket::SSL; # important for SSL_verify_callback
   7 use LWP::UserAgent;
   8 use URI::Escape;
   9 use Net::SSLeay;
  10 use JSON;
  11 use Data::Dumper; # fixme: remove
  12 use HTTP::Request::Common;
  13 use Carp;
  14 use PVE::APIClient::Exception qw(raise);
  15
  16 my $extract_data = sub {
  17     my ($res) = @_;
  18
  19     croak "undefined result" if !defined($res);
  20     croak "undefined result data" if !exists($res->{data});
  21
  22     return $res->{data};
  23 };
  24
  25 sub get_raw {
  26     my ($self, $path, $param) = @_;
  27
  28     return $self->call('GET', $path, $param);
  29 }
  30
  31 sub get {
  32     my ($self, $path, $param) = @_;
  33
  34     return $extract_data->($self->call('GET', $path, $param));
  35 }
  36
  37 sub post_raw {
  38     my ($self, $path, $param) = @_;
  39
  40     return $self->call('POST', $path, $param);
  41 }
  42
  43 sub post {
  44     my ($self, $path, $param) = @_;
  45
  46     return $extract_data->($self->call('POST', $path, $param));
  47 }
  48
  49 sub put_raw {
  50     my ($self, $path, $param) = @_;
  51
  52     return $self->call('PUT', $path, $param);
  53 }
  54
  55 sub put {
  56     my ($self, $path, $param) = @_;
  57
  58     return $extract_data->($self->call('PUT', $path, $param));
  59 }
  60
  61 sub delete_raw {
  62     my ($self, $path, $param) = @_;
  63
  64     return $self->call('DELETE', $path, $param);
  65 }
  66
  67 sub delete {
  68     my ($self, $path, $param) = @_;
  69
  70     return $extract_data->($self->call('DELETE', $path, $param));
  71 }
  72
  73 sub update_csrftoken {
  74     my ($self, $csrftoken) = @_;
  75
  76     $self->{csrftoken} = $csrftoken;
  77
  78     my $agent = $self->{useragent};
  79
  80     $agent->default_header('CSRFPreventionToken', $self->{csrftoken});
  81 }
  82
  83 sub update_ticket {
  84     my ($self, $ticket) = @_;
  85
  86     my $agent = $self->{useragent};
  87
  88     $self->{ticket} = $ticket;
  89
  90     my $encticket = uri_escape($ticket);
  91     my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
  92     $agent->default_header('Cookie', $cookie);
  93 }
  94
  95 sub login {
  96     my ($self) = @_;
  97
  98     my $uri = URI->new();
  99     $uri->scheme($self->{protocol});
 100     $uri->host($self->{host});
 101     $uri->port($self->{port});
 102     $uri->path('/api2/json/access/ticket');
 103
 104     my $ua = $self->{useragent};
 105
 106     delete $self->{last_unknown_fingerprint};
 107
 108     my $exec_login = sub {
 109         return $ua->post($uri, {
 110             username => $self->{username} || 'unknown',
 111             password => $self->{password} || ''});
 112     };
 113
 114     my $response = $exec_login->();
 115
 116     if (!$response->is_success) {
 117         if (my $fp = delete($self->{last_unknown_fingerprint})) {
 118             if ($self->manual_verify_fingerprint($fp)) {
 119                 $response = $exec_login->(); # try again
 120             }
 121         }
 122     }
 123
 124     if (!$response->is_success) {
 125         raise($response->status_line ."\n", code => $response->code)
 126     }
 127
 128     my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 129
 130     my $data = $extract_data->($res);
 131
 132     $self->update_ticket($data->{ticket});
 133     $self->update_csrftoken($data->{CSRFPreventionToken});
 134
 135     return $data;
 136 }
 137
 138 sub manual_verify_fingerprint {
 139     my ($self, $fingerprint) = @_;
 140
 141     if (!$self->{manual_verification}) {
 142         raise("fingerprint '$fingerprint' not verified, abort!\n");
 143     }
 144
 145     print "The authenticity of host '$self->{host}' can't be established.\n" .
 146         "X509 SHA256 key fingerprint is $fingerprint.\n" .
 147         "Are you sure you want to continue connecting (yes/no)? ";
 148
 149     my $answer = <>;
 150
 151     my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0;
 152
 153     $self->{cached_fingerprints}->{$fingerprint} = $valid;
 154
 155     raise("Fingerprint not verified, abort!\n") if !$valid;
 156
 157     if (my $cb = $self->{register_fingerprint_cb}) {
 158         $cb->($fingerprint) if $valid;
 159     }
 160
 161     return $valid;
 162 }
 163
 164 sub call {
 165     my ($self, $method, $path, $param) = @_;
 166
 167     delete $self->{last_unknown_fingerprint};
 168
 169     my $ticket = $self->{ticket};
 170
 171     my $ua = $self->{useragent};
 172
 173     # fixme: check ticket lifetime?
 174
 175     if (!$ticket && $self->{username} && $self->{password}) {
 176         $self->login();
 177     }
 178
 179     my $uri = URI->new();
 180     $uri->scheme($self->{protocol});
 181     $uri->host($self->{host});
 182     $uri->port($self->{port});
 183
 184     $path =~ s!^/+!!;
 185
 186     if ($path !~ m!^api2/!) {
 187         $uri->path("api2/json/$path");
 188     } else {
 189         $uri->path($path);
 190     }
 191
 192     #print "CALL $method : " .  $uri->as_string() . "\n";
 193
 194     my $exec_method = sub {
 195
 196         my $response;
 197         if ($method eq 'GET') {
 198             $uri->query_form($param);
 199             $response = $ua->request(HTTP::Request::Common::GET($uri));
 200         } elsif ($method eq 'POST') {
 201             $response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
 202         } elsif ($method eq 'PUT') {
 203             # We use another temporary URI object to format
 204             # the application/x-www-form-urlencoded content.
 205
 206             my $tmpurl = URI->new('http:');
 207             $tmpurl->query_form(%$param);
 208             my $content = $tmpurl->query;
 209
 210             $response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));
 211
 212         } elsif ($method eq 'DELETE') {
 213             $response = $ua->request(HTTP::Request::Common::DELETE($uri));
 214         } else {
 215             raise("method $method not implemented\n");
 216         }
 217         return $response;
 218     };
 219
 220     my $response = $exec_method->();
 221
 222     if (my $fp = delete($self->{last_unknown_fingerprint})) {
 223         if ($self->manual_verify_fingerprint($fp)) {
 224             $response = $exec_method->(); # try again
 225         }
 226     }
 227
 228     #print "RESP: " . Dumper($response) . "\n";
 229
 230     my $ct = $response->header('Content-Type') || '';
 231
 232     if ($response->is_success) {
 233
 234         raise("got unexpected content type", code => $response->code)
 235             if $ct !~ m|application/json|;
 236
 237         return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 238
 239     } else {
 240
 241         my $msg = $response->message;
 242         my $errors = eval {
 243             return if $ct !~ m|application/json|;
 244             my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 245             return $res->{errors};
 246         };
 247
 248         raise("$msg\n", code => $response->code, errors => $errors);
 249     }
 250 }
 251
 252 my $verify_cert_callback = sub {
 253     my ($self, $cert) = @_;
 254
 255     # check server certificate against cache of pinned FPs
 256     # get fingerprint of server certificate
 257     my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
 258     return 0 if !defined($fp) || $fp eq ''; # error
 259
 260     my $valid = $self->{cached_fingerprints}->{$fp};
 261     return $valid if defined($valid); # return cached result
 262
 263     if (my $cb = $self->{verify_fingerprint_cb}) {
 264         $valid = $cb->($cert);
 265         $self->{cached_fingerprints}->{$fp} = $valid;
 266         return $valid;
 267     }
 268
 269     $self->{last_unknown_fingerprint} = $fp;
 270
 271     return 0;
 272 };
 273
 274 sub new {
 275     my ($class, %param) = @_;
 276
 277     my $ssl_default_opts = { verify_hostname => 0 };
 278     my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;
 279
 280     my $self = {
 281         username => $param{username},
 282         password => $param{password},
 283         host => $param{host} || 'localhost',
 284         port => $param{port},
 285         protocol => $param{protocol},
 286         cookie_name => $param{cookie_name} // 'PVEAuthCookie',
 287         manual_verification => $param{manual_verification},
 288         cached_fingerprints => $param{cached_fingerprints} || {},
 289         verify_fingerprint_cb => $param{verify_fingerprint_cb},
 290         register_fingerprint_cb => $param{register_fingerprint_cb},
 291         ssl_opts => $ssl_opts,
 292         timeout => $param{timeout} || 60,
 293     };
 294     bless $self;
 295
 296     if (!$ssl_opts->{SSL_verify_callback}) {
 297         $ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;
 298         $ssl_opts->{'SSL_verify_callback'} = sub {
 299             my (undef, undef, undef, undef, $cert, $depth) = @_;
 300
 301             # we don't care about intermediate or root certificates
 302             return 1 if $depth != 0;
 303
 304             return $verify_cert_callback->($self, $cert);
 305         }
 306     }
 307
 308     if (!$self->{port}) {
 309         $self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
 310     }
 311     if (!$self->{protocol}) {
 312         $self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
 313     }
 314
 315     $self->{useragent} = LWP::UserAgent->new(
 316         protocols_allowed => [ 'http', 'https'],
 317         ssl_opts => $ssl_opts,
 318         timeout => $self->{timeout},
 319         keep_alive => $param{keep_alive} // 50,
 320         );
 321
 322     $self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
 323
 324     $self->update_ticket($param{ticket}) if $param{ticket};
 325     $self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
 326
 327
 328     return $self;
 329 }
 330
 331 1;