]> git.proxmox.com Git - pve-apiclient.git/blob - PVE/APIClient/LWP.pm
projects / pve-apiclient.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
login TFA exception: also print username and use raise
[pve-apiclient.git] / PVE / APIClient / LWP.pm
1 package PVE::APIClient::LWP;
2
3 use strict;
4 use warnings;
5 use URI;
6 use IO::Socket::SSL; # important for SSL_verify_callback
7 use LWP::UserAgent;
8 use URI::Escape;
9 use Net::SSLeay;
10 use JSON;
11 use Data::Dumper; # fixme: remove
12 use HTTP::Request::Common;
13 use Carp;
14 use PVE::APIClient::Exception qw(raise);
15
16 my $extract_data = sub {
17 my ($res) = @_;
18
19 croak "undefined result" if !defined($res);
20 croak "undefined result data" if !exists($res->{data});
21
22 return $res->{data};
23 };
24
25 sub get_raw {
26 my ($self, $path, $param) = @_;
27
28 return $self->call('GET', $path, $param);
29 }
30
31 sub get {
32 my ($self, $path, $param) = @_;
33
34 return $extract_data->($self->call('GET', $path, $param));
35 }
36
37 sub post_raw {
38 my ($self, $path, $param) = @_;
39
40 return $self->call('POST', $path, $param);
41 }
42
43 sub post {
44 my ($self, $path, $param) = @_;
45
46 return $extract_data->($self->call('POST', $path, $param));
47 }
48
49 sub put_raw {
50 my ($self, $path, $param) = @_;
51
52 return $self->call('PUT', $path, $param);
53 }
54
55 sub put {
56 my ($self, $path, $param) = @_;
57
58 return $extract_data->($self->call('PUT', $path, $param));
59 }
60
61 sub delete_raw {
62 my ($self, $path, $param) = @_;
63
64 return $self->call('DELETE', $path, $param);
65 }
66
67 sub delete {
68 my ($self, $path, $param) = @_;
69
70 return $extract_data->($self->call('DELETE', $path, $param));
71 }
72
73 sub update_csrftoken {
74 my ($self, $csrftoken) = @_;
75
76 $self->{csrftoken} = $csrftoken;
77
78 my $agent = $self->{useragent};
79
80 $agent->default_header('CSRFPreventionToken', $self->{csrftoken});
81 }
82
83 sub update_ticket {
84 my ($self, $ticket) = @_;
85
86 my $agent = $self->{useragent};
87
88 $self->{ticket} = $ticket;
89
90 my $encticket = uri_escape($ticket);
91 my $cookie = "$self->{cookie_name}=$encticket; path=/; secure;";
92 $agent->default_header('Cookie', $cookie);
93 }
94
95 sub login {
96 my ($self) = @_;
97
98 my $uri = URI->new();
99 $uri->scheme($self->{protocol});
100 $uri->host($self->{host});
101 $uri->port($self->{port});
102 $uri->path('/api2/json/access/ticket');
103
104 my $ua = $self->{useragent};
105 my $username = $self->{username} // 'unknown',
106
107 delete $self->{last_unknown_fingerprint};
108
109 my $exec_login = sub {
110 return $ua->post($uri, {
111 username => $username,
112 password => $self->{password} || ''});
113 };
114
115 my $response = $exec_login->();
116
117 if (!$response->is_success) {
118 if (my $fp = delete($self->{last_unknown_fingerprint})) {
119 if ($self->manual_verify_fingerprint($fp)) {
120 $response = $exec_login->(); # try again
121 }
122 }
123 }
124
125 if (!$response->is_success) {
126 raise($response->status_line ."\n", code => $response->code)
127 }
128
129 my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
130
131 my $data = $extract_data->($res);
132
133 # TODO: make it possible to use tfa
134 if ($data->{ticket} =~ m/^PVE:tfa!/) {
135 raise("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
136 }
137
138 $self->update_ticket($data->{ticket});
139 $self->update_csrftoken($data->{CSRFPreventionToken});
140
141 return $data;
142 }
143
144 sub manual_verify_fingerprint {
145 my ($self, $fingerprint) = @_;
146
147 if (!$self->{manual_verification}) {
148 raise("fingerprint '$fingerprint' not verified, abort!\n");
149 }
150
151 print "The authenticity of host '$self->{host}' can't be established.\n" .
152 "X509 SHA256 key fingerprint is $fingerprint.\n" .
153 "Are you sure you want to continue connecting (yes/no)? ";
154
155 my $answer = <STDIN>;
156
157 my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0;
158
159 $self->{cached_fingerprints}->{$fingerprint} = $valid;
160
161 raise("Fingerprint not verified, abort!\n") if !$valid;
162
163 if (my $cb = $self->{register_fingerprint_cb}) {
164 $cb->($fingerprint) if $valid;
165 }
166
167 return $valid;
168 }
169
170 sub call {
171 my ($self, $method, $path, $param) = @_;
172
173 delete $self->{last_unknown_fingerprint};
174
175 my $ticket = $self->{ticket};
176
177 my $ua = $self->{useragent};
178
179 # fixme: check ticket lifetime?
180
181 if (!$ticket && $self->{username} && $self->{password}) {
182 $self->login();
183 }
184
185 my $uri = URI->new();
186 $uri->scheme($self->{protocol});
187 $uri->host($self->{host});
188 $uri->port($self->{port});
189
190 $path =~ s!^/+!!;
191
192 if ($path !~ m!^api2/!) {
193 $uri->path("api2/json/$path");
194 } else {
195 $uri->path($path);
196 }
197
198 #print "CALL $method : " . $uri->as_string() . "\n";
199
200 my $exec_method = sub {
201
202 my $response;
203 if ($method eq 'GET') {
204 $uri->query_form($param);
205 $response = $ua->request(HTTP::Request::Common::GET($uri));
206 } elsif ($method eq 'POST') {
207 $response = $ua->request(HTTP::Request::Common::POST($uri, Content => $param));
208 } elsif ($method eq 'PUT') {
209 # We use another temporary URI object to format
210 # the application/x-www-form-urlencoded content.
211
212 my $tmpurl = URI->new('http:');
213 $tmpurl->query_form(%$param);
214 my $content = $tmpurl->query;
215
216 $response = $ua->request(HTTP::Request::Common::PUT($uri, 'Content-Type' => 'application/x-www-form-urlencoded', Content => $content));
217
218 } elsif ($method eq 'DELETE') {
219 $response = $ua->request(HTTP::Request::Common::DELETE($uri));
220 } else {
221 raise("method $method not implemented\n");
222 }
223 return $response;
224 };
225
226 my $response = $exec_method->();
227
228 if (my $fp = delete($self->{last_unknown_fingerprint})) {
229 if ($self->manual_verify_fingerprint($fp)) {
230 $response = $exec_method->(); # try again
231 }
232 }
233
234 #print "RESP: " . Dumper($response) . "\n";
235
236 my $ct = $response->header('Content-Type') || '';
237
238 if ($response->is_success) {
239
240 raise("got unexpected content type", code => $response->code)
241 if $ct !~ m|application/json|;
242
243 return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
244
245 } else {
246
247 my $msg = $response->message;
248 my $errors = eval {
249 return if $ct !~ m|application/json|;
250 my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
251 return $res->{errors};
252 };
253
254 raise("$msg\n", code => $response->code, errors => $errors);
255 }
256 }
257
258 my $verify_cert_callback = sub {
259 my ($self, $cert) = @_;
260
261 # check server certificate against cache of pinned FPs
262 # get fingerprint of server certificate
263 my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
264 return 0 if !defined($fp) || $fp eq ''; # error
265
266 my $valid = $self->{cached_fingerprints}->{$fp};
267 return $valid if defined($valid); # return cached result
268
269 if (my $cb = $self->{verify_fingerprint_cb}) {
270 $valid = $cb->($cert);
271 $self->{cached_fingerprints}->{$fp} = $valid;
272 return $valid;
273 }
274
275 $self->{last_unknown_fingerprint} = $fp;
276
277 return 0;
278 };
279
280 sub new {
281 my ($class, %param) = @_;
282
283 my $ssl_default_opts = { verify_hostname => 0 };
284 my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;
285
286 my $self = {
287 username => $param{username},
288 password => $param{password},
289 host => $param{host} || 'localhost',
290 port => $param{port},
291 protocol => $param{protocol},
292 cookie_name => $param{cookie_name} // 'PVEAuthCookie',
293 manual_verification => $param{manual_verification},
294 cached_fingerprints => $param{cached_fingerprints} || {},
295 verify_fingerprint_cb => $param{verify_fingerprint_cb},
296 register_fingerprint_cb => $param{register_fingerprint_cb},
297 ssl_opts => $ssl_opts,
298 timeout => $param{timeout} || 60,
299 };
300 bless $self;
301
302 if (!$ssl_opts->{SSL_verify_callback}) {
303 $ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;
304 $ssl_opts->{'SSL_verify_callback'} = sub {
305 my (undef, undef, undef, undef, $cert, $depth) = @_;
306
307 # we don't care about intermediate or root certificates
308 return 1 if $depth != 0;
309
310 return $verify_cert_callback->($self, $cert);
311 }
312 }
313
314 if (!$self->{port}) {
315 $self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
316 }
317 if (!$self->{protocol}) {
318 $self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
319 }
320
321 $self->{useragent} = LWP::UserAgent->new(
322 protocols_allowed => [ 'http', 'https'],
323 ssl_opts => $ssl_opts,
324 timeout => $self->{timeout},
325 keep_alive => $param{keep_alive} // 50,
326 );
327
328 $self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
329
330 $self->update_ticket($param{ticket}) if $param{ticket};
331 $self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
332
333
334 return $self;
335 }
336
337 1;
perl API client library