use strict;
use warnings;
-use URI;
+
+use Carp;
+use HTTP::Request::Common;
use IO::Socket::SSL; # important for SSL_verify_callback
+use JSON;
use LWP::UserAgent;
-use URI::Escape;
use Net::SSLeay;
-use JSON;
-use Data::Dumper; # fixme: remove
-use HTTP::Request::Common;
-use Carp;
+use URI::Escape;
+use URI;
+
+use PVE::APIClient::Exception qw(raise);
my $extract_data = sub {
my ($res) = @_;
$agent->default_header('Cookie', $cookie);
}
+sub two_factor_auth_login {
+ my ($self, $type, $challenge) = @_;
+
+ if ($type eq 'PVE:tfa') {
+ raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
+ print "\nEnter OTP code for user $self->{username}: ";
+ my $tfa_response = <STDIN>;
+ chomp $tfa_response;
+ return $self->post('/api2/json/access/tfa', {response => $tfa_response});
+ } elsif ($type eq 'PVE:u2f') {
+ # TODO: implement u2f-enabled join
+ raise("U2F-enabled login is currently not implemented.");
+ } else {
+ raise("Authentication type '$type' not recognized, aborting!");
+ }
+}
+
sub login {
my ($self) = @_;
$uri->path('/api2/json/access/ticket');
my $ua = $self->{useragent};
+ my $username = $self->{username} // 'unknown',
- delete $self->{last_unknown_fingerprint};
+ delete $self->{fingerprint}->{last_unknown};
my $exec_login = sub {
return $ua->post($uri, {
- username => $self->{username} || 'unknown',
- password => $self->{password} || ''});
+ username => $username,
+ password => $self->{password} || ''
+ });
};
my $response = $exec_login->();
if (!$response->is_success) {
- if (my $fp = delete($self->{last_unknown_fingerprint})) {
+ if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
if ($self->manual_verify_fingerprint($fp)) {
$response = $exec_login->(); # try again
}
}
if (!$response->is_success) {
- die $response->status_line . "\n";
+ raise($response->status_line ."\n", code => $response->code)
}
my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
my $data = $extract_data->($res);
-
$self->update_ticket($data->{ticket});
$self->update_csrftoken($data->{CSRFPreventionToken});
+ # handle two-factor login
+ my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
+ if ($data->{ticket} =~ m/$tfa_ticket_re/) {
+ my ($type, $challenge) = ($1, $2);
+ $data = $self->two_factor_auth_login($type, $challenge);
+ $self->update_ticket($data->{ticket});
+ }
+
return $data;
}
my ($self, $fingerprint) = @_;
if (!$self->{manual_verification}) {
- warn "fingerprint: $fingerprint\n";
- return 0;
+ raise("fingerprint '$fingerprint' not verified, abort!\n");
}
print "The authenticity of host '$self->{host}' can't be established.\n" .
"X509 SHA256 key fingerprint is $fingerprint.\n" .
"Are you sure you want to continue connecting (yes/no)? ";
- my $answer = <>;
+ my $answer = <STDIN>;
my $valid = ($answer =~ m/^\s*yes\s*$/i) ? 1 : 0;
- $self->{cached_fingerprints}->{$fingerprint} = $valid;
+ $self->{fingerprint}->{cache}->{$fingerprint} = $valid;
+
+ raise("Fingerprint not verified, abort!\n") if !$valid;
if (my $cb = $self->{register_fingerprint_cb}) {
$cb->($fingerprint) if $valid;
sub call {
my ($self, $method, $path, $param) = @_;
- delete $self->{last_unknown_fingerprint};
+ delete $self->{fingerprint}->{last_unknown};
my $ticket = $self->{ticket};
+ my $apitoken = $self->{apitoken};
my $ua = $self->{useragent};
# fixme: check ticket lifetime?
- if (!$ticket && $self->{username} && $self->{password}) {
+ if (!$ticket && !$apitoken && $self->{username} && $self->{password}) {
$self->login();
}
} elsif ($method eq 'DELETE') {
$response = $ua->request(HTTP::Request::Common::DELETE($uri));
} else {
- die "method $method not implemented\n";
+ raise("method $method not implemented\n");
}
return $response;
};
my $response = $exec_method->();
- if (my $fp = delete($self->{last_unknown_fingerprint})) {
+ if (my $fp = delete($self->{fingerprint}->{last_unknown})) {
if ($self->manual_verify_fingerprint($fp)) {
$response = $exec_method->(); # try again
}
}
- #print "RESP: " . Dumper($response) . "\n";
-
my $ct = $response->header('Content-Type') || '';
if ($response->is_success) {
- die "got unexpected content type" if $ct !~ m|application/json|;
+ raise("got unexpected content type", code => $response->code)
+ if $ct !~ m|application/json|;
return from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
} else {
- my $msg = $response->status_line . "\n";
- eval {
+ my $msg = $response->message;
+ my $errors = eval {
return if $ct !~ m|application/json|;
my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
- if (my $errors = $res->{errors}) {
- foreach my $key (keys %$errors) {
- my $m = $errors->{$key};
- chomp($m);
- $m =~s/\n/ -- /g;
- $msg .= " $key: $m\n";
- }
- }
+ return $res->{errors};
};
- die $msg;
+ raise("$msg\n", code => $response->code, errors => $errors);
}
}
-my $verify_cert_callback = sub {
- my ($self, $cert) = @_;
+my sub verify_cert_callback {
+ my ($fingerprint, $cert, $verify_cb) = @_;
# check server certificate against cache of pinned FPs
# get fingerprint of server certificate
my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
return 0 if !defined($fp) || $fp eq ''; # error
- my $valid = $self->{cached_fingerprints}->{$fp};
+ my $valid = $fingerprint->{cache}->{$fp};
return $valid if defined($valid); # return cached result
- if (my $cb = $self->{verify_fingerprint_cb}) {
- $valid = $cb->($cert);
- $self->{cached_fingerprints}->{$fp} = $valid;
+ if ($verify_cb) {
+ $valid = $verify_cb->($cert);
+ $fingerprint->{cache}->{$fp} = $valid;
return $valid;
}
- $self->{last_unknown_fingerprint} = $fp;
+ $fingerprint->{last_unknown} = $fp;
return 0;
};
sub new {
my ($class, %param) = @_;
- my $ssl_default_opts = { verify_hostname => 0 };
- my $ssl_opts = $param{ssl_opts} || $ssl_default_opts;
+ my $ssl_opts = $param{ssl_opts} || {};
+
+ if (!defined($ssl_opts->{verify_hostname})) {
+ if (scalar(keys $param{cached_fingerprints}->%*) > 0) {
+ # purely trust the configured fingerprints, by default
+ $ssl_opts->{verify_hostname} = 0;
+ } else {
+ # no fingerprints passed, enforce hostname verification, by default
+ $ssl_opts->{verify_hostname} = 1;
+ }
+ }
+ # we can only really trust openssl result if it also verifies the hostname,
+ # else it's easy to intercept (MITM using valid Lets Encrypt)
+ my $trust_openssl = $ssl_opts->{verify_hostname} ? 1 : 0;
my $self = {
username => $param{username},
protocol => $param{protocol},
cookie_name => $param{cookie_name} // 'PVEAuthCookie',
manual_verification => $param{manual_verification},
- cached_fingerprints => $param{cached_fingerprints} || {},
- verify_fingerprint_cb => $param{verify_fingerprint_cb},
+ fingerprint => {
+ cache => $param{cached_fingerprints} || {},
+ last_unknown => undef,
+ },
register_fingerprint_cb => $param{register_fingerprint_cb},
- ssl_opts => $ssl_opts,
timeout => $param{timeout} || 60,
};
- bless $self;
+ bless $self, $class;
if (!$ssl_opts->{SSL_verify_callback}) {
$ssl_opts->{'SSL_verify_mode'} = SSL_VERIFY_PEER;
+
+ my $fingerprints = $self->{fingerprint}; # avoid passing $self, that's a RC cycle!
+ my $verify_fingerprint_cb = $param{verify_fingerprint_cb};
$ssl_opts->{'SSL_verify_callback'} = sub {
- my (undef, undef, undef, undef, $cert, $depth) = @_;
+ my ($openssl_valid, undef, undef, undef, $cert, $depth) = @_;
# we don't care about intermediate or root certificates
return 1 if $depth != 0;
- return $verify_cert_callback->($self, $cert);
+ return 1 if $trust_openssl && $openssl_valid;
+
+ return verify_cert_callback($fingerprints, $cert, $verify_fingerprint_cb);
}
}
$self->{port} = $self->{host} eq 'localhost' ? 85 : 8006;
}
if (!$self->{protocol}) {
- $self->{protocol} = $self->{host} eq 'localhost' ? 'http' : 'https';
+ # cope that PBS and PVE can be installed on the same host, and one may thus use
+ # 'localhost' then - so only default to http for privileged ports, in that case,
+ # as the HTTP daemons normally run with those (e.g., 85 or 87)
+ $self->{protocol} = $self->{host} eq 'localhost' && $self->{port} < 1024
+ ? 'http'
+ : 'https'
+ ;
}
$self->{useragent} = LWP::UserAgent->new(
$self->{useragent}->default_header('Accept-Encoding' => 'gzip'); # allow gzip
- $self->update_ticket($param{ticket}) if $param{ticket};
+ if ($param{apitoken} && $param{password}) {
+ warn "password will be ignored in favor of API token\n";
+ delete $self->{password};
+ }
+ if ($param{ticket}) {
+ if ($param{apitoken}) {
+ warn "ticket will be ignored in favor of API token\n";
+ } else {
+ $self->update_ticket($param{ticket});
+ }
+ }
$self->update_csrftoken($param{csrftoken}) if $param{csrftoken};
+ if ($param{apitoken}) {
+ my $agent = $self->{useragent};
+
+ $self->{apitoken} = $param{apitoken};
+
+ $agent->default_header('Authorization', $param{apitoken});
+ }
return $self;
}