PVE/APIClient/LWP.pm

   1 package PVE::APIClient::LWP;
   2
   3 use strict;
   4 use warnings;
   5
   6 use Carp;
   7 use HTTP::Request::Common;
   8 use IO::Socket::SSL; # important for SSL_verify_callback
   9 use JSON;
  10 use LWP::UserAgent;
  11 use Net::SSLeay;
  12 use URI::Escape;
  13 use URI;
  14
  15 use PVE::APIClient::Exception qw(raise);
  16
  17 my $extract_data = sub {
  18     my ($res) = @_;
  19
  20     croak "undefined result" if !defined($res);
  21     croak "undefined result data" if !exists($res->{data});
  22
  23     return $res->{data};
  24 };
  25
  26 sub get_raw {
  27     my ($self, $path, $param) = @_;
  28
  29     return $self->call('GET', $path, $param);
  30 }
  31
  32 sub get {
  33     my ($self, $path, $param) = @_;
  34
  35     return $extract_data->($self->call('GET', $path, $param));
  36 }
  37
  38 sub post_raw {
  39     my ($self, $path, $param) = @_;
  40
  41     return $self->call('POST', $path, $param);
  42 }
  43
  44 sub post {
  45     my ($self, $path, $param) = @_;
  46
  47     return $extract_data->($self->call('POST', $path, $param));
  48 }
  49
  50 sub put_raw {
  51     my ($self, $path, $param) = @_;
  52
  53     return $self->call('PUT', $path, $param);
  54 }
  55
  56 sub put {
  57     my ($self, $path, $param) = @_;
  58
  59     return $extract_data->($self->call('PUT', $path, $param));
  60 }
  61
  62 sub delete_raw {
  63     my ($self, $path, $param) = @_;
  64
  65     return $self->call('DELETE', $path, $param);
  66 }
  67
  68 sub delete {
  69     my ($self, $path, $param) = @_;
  70
  71     return $extract_data->($self->call('DELETE', $path, $param));
  72 }
  73
  74 sub update_csrftoken {
  75     my ($self, $csrftoken) = @_;
  76
  77     $self->{csrftoken} = $csrftoken;
  78
  79     my $agent = $self->{useragent};
  80
  81     $agent->default_header('CSRFPreventionToken', $self->{csrftoken});
  82 }
  83
  84 sub update_ticket {
  85     my ($self, $ticket) = @_;
  86
  87     my $agent = $self->{useragent};
  88
  89     $self->{ticket} = $ticket;
  90
  91     my $encticket = uri_escape($ticket);
  92     my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
  93     $agent->default_header('Cookie', $cookie);
  94 }
  95
  96 sub two_factor_auth_login {
  97     my ($self, $type, $challenge) = @_;
  98
  99     if ($type eq 'PVE:tfa') {
 100         raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
 101         print "\nEnter OTP code for user $self->{username}: ";
 102         my $tfa_response = <STDIN>;
 103         chomp $tfa_response;
 104         return $self->post('/api2/json/access/tfa', {response => $tfa_response});
 105     } elsif ($type eq 'PVE:u2f') {
 106         # TODO: implement u2f-enabled join
 107         raise("U2F-enabled login is currently not implemented.");
 108     } else {
 109         raise("Authentication type '$type' not recognized, aborting!");
 110     }
 111 }
 112
 113 sub login {
 114     my ($self) = @_;
 115
 116     my $uri = URI->new();
 117     $uri->scheme($self->{protocol});
 118     $uri->host($self->{host});
 119     $uri->port($self->{port});
 120     $uri->path('/api2/json/access/ticket');
 121
 122     my $ua = $self->{useragent};
 123     my $username = $self->{username} // 'unknown',
 124
 125     delete $self->{fingerprint}->{last_unknown};
 126
 127     my $exec_login = sub {
 128         return $ua->post($uri, {
 129             username => $username,
 130             password => $self->{password} || ''});
 131     };
 132
 133     my $response = $exec_login->();
 134
 135     if (!$response->is_success) {
 136         if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
 137             if ($self->manual_verify_fingerprint($fp)) {
 138                 $response = $exec_login->(); # try again
 139             }
 140         }
 141     }
 142
 143     if (!$response->is_success) {
 144         raise($response->status_line ."\n", code => $response->code)
 145     }
 146
 147     my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 148
 149     my $data = $extract_data->($res);
 150     $self->update_ticket($data->{ticket});
 151     $self->update_csrftoken($data->{CSRFPreventionToken});
 152
 153     # handle two-factor login
 154     my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
 155     if ($data->{ticket} =~ m/$tfa_ticket_re/) {
 156         my ($type, $challenge) = ($1, $2);
 157         $data = $self->two_factor_auth_login($type, $challenge);
 158         $self->update_ticket($data->{ticket});
 159     }
 160
 161     return $data;
 162 }
 163
 164 sub manual_verify_fingerprint {
 165     my ($self, $fingerprint) = @_;
 166
 167     if (!$self->{manual_verification}) {
 168         raise("fingerprint '$fingerprint' not verified, abort!\n");
 169     }
 170
 171     print "The authenticity of host '$self->{host}' can't be established.\n" .
 172         "X509 SHA256 key fingerprint is $fingerprint.\n" .
 173         "Are you sure you want to continue connecting (yes/no)? ";
 174
 175     my $answer = <STDIN>;
 176
 177     my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0;
 178
 179     $self->{fingerprint}->{cache}->{$fingerprint} = $valid;
 180
 181     raise("Fingerprint not verified, abort!\n") if !$valid;
 182
 183     if (my $cb = $self->{register_fingerprint_cb}) {
 184         $cb->($fingerprint) if $valid;
 185     }
 186
 187     return $valid;
 188 }
 189
 190 sub call {
 191     my ($self, $method, $path, $param) = @_;
 192
 193     delete $self->{fingerprint}->{last_unknown};
 194
 195     my $ticket = $self->{ticket};
 196     my $apitoken = $self->{apitoken};
 197
 198     my $ua = $self->{useragent};
 199
 200     # fixme: check ticket lifetime?
 201
 202     if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
 203         $self->login();
 204     }
 205
 206     my $uri = URI->new();
 207     $uri->scheme($self->{protocol});
 208     $uri->host($self->{host});
 209     $uri->port($self->{port});
 210
 211     $path =~ s!^/+!!;
 212
 213     if ($path !~ m!^api2/!) {
 214         $uri->path("api2/json/$path");
 215     } else {
 216         $uri->path($path);
 217     }
 218
 219     #print "CALL $method : " .  $uri->as_string() . "\n";
 220
 221     my $exec_method = sub {
 222
 223         my $response;
 224         if ($method eq 'GET') {
 225             $uri->query_form($param);
 226             $response = $ua->request(HTTP::Request::Common::GET($uri));
 227         } elsif ($method eq 'POST') {
 228             $response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
 229         } elsif ($method eq 'PUT') {
 230             # We use another temporary URI object to format
 231             # the application/x-www-form-urlencoded content.
 232
 233             my $tmpurl = URI->new('http:');
 234             $tmpurl->query_form(%$param);
 235             my $content = $tmpurl->query;
 236
 237             $response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));
 238
 239         } elsif ($method eq 'DELETE') {
 240             $response = $ua->request(HTTP::Request::Common::DELETE($uri));
 241         } else {
 242             raise("method $method not implemented\n");
 243         }
 244         return $response;
 245     };
 246
 247     my $response = $exec_method->();
 248
 249     if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
 250         if ($self->manual_verify_fingerprint($fp)) {
 251             $response = $exec_method->(); # try again
 252         }
 253     }
 254
 255     my $ct = $response->header('Content-Type') || '';
 256
 257     if ($response->is_success) {
 258
 259         raise("got unexpected content type", code => $response->code)
 260             if $ct !~ m|application/json|;
 261
 262         return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 263
 264     } else {
 265
 266         my $msg = $response->message;
 267         my $errors = eval {
 268             return if $ct !~ m|application/json|;
 269             my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 270             return $res->{errors};
 271         };
 272
 273         raise("$msg\n", code => $response->code, errors => $errors);
 274     }
 275 }
 276
 277 my sub verify_cert_callback {
 278     my ($fingerprint, $cert, $verify_cb) = @_;
 279
 280     # check server certificate against cache of pinned FPs
 281     # get fingerprint of server certificate
 282     my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
 283     return 0 if !defined($fp) || $fp eq ''; # error
 284
 285     my $valid = $fingerprint->{cache}->{$fp};
 286     return $valid if defined($valid); # return cached result
 287
 288     if ($verify_cb) {
 289         $valid = $verify_cb->($cert);
 290         $fingerprint->{cache}->{$fp} = $valid;
 291         return $valid;
 292     }
 293
 294     $fingerprint->{last_unknown} = $fp;
 295
 296     return 0;
 297 };
 298
 299 sub new {
 300     my ($class, %param) = @_;
 301
 302     my $ssl_default_opts = { verify_hostname => 0 };
 303     my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;
 304
 305     my $self = {
 306         username => $param{username},
 307         password => $param{password},
 308         host => $param{host} || 'localhost',
 309         port => $param{port},
 310         protocol => $param{protocol},
 311         cookie_name => $param{cookie_name} // 'PVEAuthCookie',
 312         manual_verification => $param{manual_verification},
 313         fingerprint => {
 314             cache => $param{cached_fingerprints} || {},
 315             last_unknown => undef,
 316         },
 317         register_fingerprint_cb => $param{register_fingerprint_cb},
 318         timeout => $param{timeout} || 60,
 319     };
 320     bless $self;
 321
 322     if (!$ssl_opts->{SSL_verify_callback}) {
 323         $ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;
 324
 325         my $fingerprint = $self->{fingerprint}; # avoid passing $self, that's a RC cycle!
 326         my $verify_fingerprint_cb = $param{verify_fingerprint_cb};
 327         $ssl_opts->{'SSL_verify_callback'} = sub {
 328             my (undef, undef, undef, undef, $cert, $depth) = @_;
 329
 330             # we don't care about intermediate or root certificates
 331             return 1 if $depth != 0;
 332
 333             return verify_cert_callback($fingerprint, $cert, $verify_fingerprint_cb);
 334         }
 335     }
 336
 337     if (!$self->{port}) {
 338         $self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
 339     }
 340     if (!$self->{protocol}) {
 341         $self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
 342     }
 343
 344     $self->{useragent} = LWP::UserAgent->new(
 345         protocols_allowed => [ 'http', 'https'],
 346         ssl_opts => $ssl_opts,
 347         timeout => $self->{timeout},
 348         keep_alive => $param{keep_alive} // 50,
 349         );
 350
 351     $self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
 352
 353     if ($param{apitoken} && $param{password}) {
 354         warn "password will be ignored in favor of API token\n";
 355         delete $self->{password};
 356     }
 357     if ($param{ticket}) {
 358         if ($param{apitoken}) {
 359             warn "ticket will be ignored in favor of API token\n";
 360         } else {
 361             $self->update_ticket($param{ticket});
 362         }
 363     }
 364     $self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
 365
 366     if ($param{apitoken}) {
 367         my $agent = $self->{useragent};
 368
 369         $self->{apitoken} = $param{apitoken};
 370
 371         $agent->default_header('Authorization', $param{apitoken});
 372     }
 373
 374     return $self;
 375 }
 376
 377 1;