From dc3dc1df05103a27466ce90b6222b36f83b57d2d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Mon, 11 Nov 2019 11:28:00 +0100
Subject: [PATCH] move CertCache to pve-manager
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Fabian GrÃ¼nbichler <f.gruenbichler@proxmox.com>
---
 data/PVE/Cluster/CertCache.pm | 92 -----------------------------------
 data/PVE/Cluster/Makefile     |  2 +-
 2 files changed, 1 insertion(+), 93 deletions(-)
 delete mode 100644 data/PVE/Cluster/CertCache.pm

diff --git a/data/PVE/Cluster/CertCache.pm b/data/PVE/Cluster/CertCache.pm
deleted file mode 100644
index 98d0ed3..0000000
--- a/data/PVE/Cluster/CertCache.pm
+++ /dev/null
@@ -1,92 +0,0 @@
-package PVE::Cluster::CertCache;
-
-use strict;
-use warnings;
-
-use Net::SSLeay;
-
-use PVE::Cluster;
-use PVE::SafeSyslog;
-
-# X509 Certificate cache helper
-
-my $cert_cache_nodes = {};
-my $cert_cache_timestamp = time();
-my $cert_cache_fingerprints = {};
-
-sub update_cert_cache {
-    my ($update_node, $clear) = @_;
-
-    syslog('info', "Clearing outdated entries from certificate cache")
-	if $clear;
-
-    $cert_cache_timestamp = time() if !defined($update_node);
-
-    my $node_list = defined($update_node) ?
-	[ $update_node ] : [ keys %$cert_cache_nodes ];
-
-    foreach my $node (@$node_list) {
-	my $clear_old = sub {
-	    if (my $old_fp = $cert_cache_nodes->{$node}) {
-		# distrust old fingerprint
-		delete $cert_cache_fingerprints->{$old_fp};
-		# ensure reload on next proxied request
-		delete $cert_cache_nodes->{$node};
-	    }
-	};
-
-	my $fp = eval { PVE::Cluster::get_node_fingerprint($node) };
-	if (my $err = $@) {
-	    warn "$err\n";
-	    &$clear_old() if $clear;
-	    next;
-	}
-
-	my $old_fp = $cert_cache_nodes->{$node};
-	$cert_cache_fingerprints->{$fp} = 1;
-	$cert_cache_nodes->{$node} = $fp;
-
-	if (defined($old_fp) && $fp ne $old_fp) {
-	    delete $cert_cache_fingerprints->{$old_fp};
-	}
-    }
-}
-
-# load and cache cert fingerprint once
-sub initialize_cert_cache {
-    my ($node) = @_;
-
-    update_cert_cache($node)
-	if defined($node) && !defined($cert_cache_nodes->{$node});
-}
-
-sub check_cert_fingerprint {
-    my ($cert) = @_;
-
-    # clear cache every 30 minutes at least
-    update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
-
-    # get fingerprint of server certificate
-    my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
-    return 0 if !defined($fp) || $fp eq ''; # error
-
-    my $check = sub {
-	for my $expected (keys %$cert_cache_fingerprints) {
-	    return 1 if $fp eq $expected;
-	}
-	return 0;
-    };
-
-    return 1 if &$check();
-
-    # clear cache and retry at most once every minute
-    if (time() - $cert_cache_timestamp >= 60) {
-	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
-	update_cert_cache();
-	return &$check();
-    }
-
-    return 0;
-}
-
-1;
diff --git a/data/PVE/Cluster/Makefile b/data/PVE/Cluster/Makefile
index ec267a6..0b25cfc 100644
--- a/data/PVE/Cluster/Makefile
+++ b/data/PVE/Cluster/Makefile
@@ -1,6 +1,6 @@
 PVEDIR=${DESTDIR}/usr/share/perl5/PVE
 
-SOURCES=IPCConst.pm Setup.pm CertCache.pm
+SOURCES=IPCConst.pm Setup.pm
 
 .PHONY: install
 install: ${SOURCES}
-- 
2.39.2