1 package PVE
::APIClient
::LWP
;
6 use IO
::Socket
::SSL
; # important for SSL_verify_callback
11 use Data
::Dumper
; # fixme: remove
12 use HTTP
::Request
::Common
;
14 use PVE
::APIClient
::Exception
qw(raise);
16 my $extract_data = sub {
19 croak
"undefined result" if !defined($res);
20 croak
"undefined result data" if !exists($res->{data
});
26 my ($self, $path, $param) = @_;
28 return $self->call('GET', $path, $param);
32 my ($self, $path, $param) = @_;
34 return $extract_data->($self->call('GET', $path, $param));
38 my ($self, $path, $param) = @_;
40 return $self->call('POST', $path, $param);
44 my ($self, $path, $param) = @_;
46 return $extract_data->($self->call('POST', $path, $param));
50 my ($self, $path, $param) = @_;
52 return $self->call('PUT', $path, $param);
56 my ($self, $path, $param) = @_;
58 return $extract_data->($self->call('PUT', $path, $param));
62 my ($self, $path, $param) = @_;
64 return $self->call('DELETE', $path, $param);
68 my ($self, $path, $param) = @_;
70 return $extract_data->($self->call('DELETE', $path, $param));
73 sub update_csrftoken
{
74 my ($self, $csrftoken) = @_;
76 $self->{csrftoken
} = $csrftoken;
78 my $agent = $self->{useragent
};
80 $agent->default_header('CSRFPreventionToken', $self->{csrftoken
});
84 my ($self, $ticket) = @_;
86 my $agent = $self->{useragent
};
88 $self->{ticket
} = $ticket;
90 my $encticket = uri_escape
($ticket);
91 my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
92 $agent->default_header('Cookie', $cookie);
99 $uri->scheme($self->{protocol
});
100 $uri->host($self->{host
});
101 $uri->port($self->{port
});
102 $uri->path('/api2/json/access/ticket');
104 my $ua = $self->{useragent
};
105 my $username = $self->{username
} // 'unknown',
107 delete $self->{last_unknown_fingerprint
};
109 my $exec_login = sub {
110 return $ua->post($uri, {
111 username
=> $username,
112 password
=> $self->{password
} || ''});
115 my $response = $exec_login->();
117 if (!$response->is_success) {
118 if (my $fp = delete($self->{last_unknown_fingerprint
})) {
119 if ($self->manual_verify_fingerprint($fp)) {
120 $response = $exec_login->(); # try again
125 if (!$response->is_success) {
126 raise
($response->status_line ."\n", code
=> $response->code)
129 my $res = from_json
($response->decoded_content, {utf8
=> 1, allow_nonref
=> 1});
131 my $data = $extract_data->($res);
133 # TODO: make it possible to use tfa
134 if ($data->{ticket
} =~ m/^PVE:tfa!/) {
135 raise
("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
138 $self->update_ticket($data->{ticket
});
139 $self->update_csrftoken($data->{CSRFPreventionToken
});
144 sub manual_verify_fingerprint
{
145 my ($self, $fingerprint) = @_;
147 if (!$self->{manual_verification
}) {
148 raise
("fingerprint '$fingerprint' not verified, abort!\n");
151 print "The authenticity of host '$self->{host}' can't be established.\n" .
152 "X509 SHA256 key fingerprint is $fingerprint.\n" .
153 "Are you sure you want to continue connecting (yes/no)? ";
155 my $answer = <STDIN
>;
157 my $valid = ($answer =~ m/^\s*yes\s*$/i) ?
1 : 0;
159 $self->{cached_fingerprints
}->{$fingerprint} = $valid;
161 raise
("Fingerprint not verified, abort!\n") if !$valid;
163 if (my $cb = $self->{register_fingerprint_cb
}) {
164 $cb->($fingerprint) if $valid;
171 my ($self, $method, $path, $param) = @_;
173 delete $self->{last_unknown_fingerprint
};
175 my $ticket = $self->{ticket
};
177 my $ua = $self->{useragent
};
179 # fixme: check ticket lifetime?
181 if (!$ticket && $self->{username
} && $self->{password
}) {
185 my $uri = URI-
>new();
186 $uri->scheme($self->{protocol
});
187 $uri->host($self->{host
});
188 $uri->port($self->{port
});
192 if ($path !~ m!^api2/!) {
193 $uri->path("api2/json/$path");
198 #print "CALL $method : " . $uri->as_string() . "\n";
200 my $exec_method = sub {
203 if ($method eq 'GET') {
204 $uri->query_form($param);
205 $response = $ua->request(HTTP
::Request
::Common
::GET
($uri));
206 } elsif ($method eq 'POST') {
207 $response = $ua->request(HTTP
::Request
::Common
::POST
($uri, Content
=> $param));
208 } elsif ($method eq 'PUT') {
209 # We use another temporary URI object to format
210 # the application/x-www-form-urlencoded content.
212 my $tmpurl = URI-
>new('http:');
213 $tmpurl->query_form(%$param);
214 my $content = $tmpurl->query;
216 $response = $ua->request(HTTP
::Request
::Common
::PUT
($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content
=> $content));
218 } elsif ($method eq 'DELETE') {
219 $response = $ua->request(HTTP
::Request
::Common
::DELETE
($uri));
221 raise
("method $method not implemented\n");
226 my $response = $exec_method->();
228 if (my $fp = delete($self->{last_unknown_fingerprint
})) {
229 if ($self->manual_verify_fingerprint($fp)) {
230 $response = $exec_method->(); # try again
234 #print "RESP: " . Dumper($response) . "\n";
236 my $ct = $response->header('Content-Type') || '';
238 if ($response->is_success) {
240 raise
("got unexpected content type", code
=> $response->code)
241 if $ct !~ m
|application
/json
|;
243 return from_json
($response->decoded_content, {utf8
=> 1, allow_nonref
=> 1});
247 my $msg = $response->message;
249 return if $ct !~ m
|application
/json
|;
250 my $res = from_json
($response->decoded_content, {utf8
=> 1, allow_nonref
=> 1});
251 return $res->{errors
};
254 raise
("$msg\n", code
=> $response->code, errors
=> $errors);
258 my $verify_cert_callback = sub {
259 my ($self, $cert) = @_;
261 # check server certificate against cache of pinned FPs
262 # get fingerprint of server certificate
263 my $fp = Net
::SSLeay
::X509_get_fingerprint
($cert, 'sha256');
264 return 0 if !defined($fp) || $fp eq ''; # error
266 my $valid = $self->{cached_fingerprints
}->{$fp};
267 return $valid if defined($valid); # return cached result
269 if (my $cb = $self->{verify_fingerprint_cb
}) {
270 $valid = $cb->($cert);
271 $self->{cached_fingerprints
}->{$fp} = $valid;
275 $self->{last_unknown_fingerprint
} = $fp;
281 my ($class, %param) = @_;
283 my $ssl_default_opts = { verify_hostname
=> 0 };
284 my $ssl_opts = $param{ssl_opts
} || $ssl_default_opts;
287 username
=> $param{username
},
288 password
=> $param{password
},
289 host
=> $param{host
} || 'localhost',
290 port
=> $param{port
},
291 protocol
=> $param{protocol
},
292 cookie_name
=> $param{cookie_name
} // 'PVEAuthCookie',
293 manual_verification
=> $param{manual_verification
},
294 cached_fingerprints
=> $param{cached_fingerprints
} || {},
295 verify_fingerprint_cb
=> $param{verify_fingerprint_cb
},
296 register_fingerprint_cb
=> $param{register_fingerprint_cb
},
297 ssl_opts
=> $ssl_opts,
298 timeout
=> $param{timeout
} || 60,
302 if (!$ssl_opts->{SSL_verify_callback
}) {
303 $ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER
;
304 $ssl_opts->{'SSL_verify_callback'} = sub {
305 my (undef, undef, undef, undef, $cert, $depth) = @_;
307 # we don't care about intermediate or root certificates
308 return 1 if $depth != 0;
310 return $verify_cert_callback->($self, $cert);
314 if (!$self->{port
}) {
315 $self->{port
} = $self->{host
} eq 'localhost' ?
85 : 8006;
317 if (!$self->{protocol
}) {
318 $self->{protocol
} = $self->{host
} eq 'localhost' ?
'http' : 'https';
321 $self->{useragent
} = LWP
::UserAgent-
>new(
322 protocols_allowed
=> [ 'http', 'https'],
323 ssl_opts
=> $ssl_opts,
324 timeout
=> $self->{timeout
},
325 keep_alive
=> $param{keep_alive
} // 50,
328 $self->{useragent
}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
330 $self->update_ticket($param{ticket
}) if $param{ticket
};
331 $self->update_csrftoken($param{csrftoken
}) if $param{csrftoken
};