[pve-http-server.git] / src / PVE / APIServer / Utils.pm

package PVE::APIServer::Utils;

use strict;
use warnings;

use Net::IP;

# all settings are used for pveproxy and pmgproxy
# the ALLOW/DENY/POLICY is also used by spiceproxy
sub read_proxy_config {
    my ($proxy_name) = @_;

    my $conffile = "/etc/default/$proxy_name";

    # Note: evaluate with bash
    my $shcmd = ". $conffile;\n";
    $shcmd .= 'echo \"LISTEN_IP:\$LISTEN_IP\";';
    $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
    $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
    $shcmd .= 'echo \"POLICY:\$POLICY\";';
    $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
    $shcmd .= 'echo \"CIPHERSUITES:\$CIPHERSUITES\";';
    $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
    $shcmd .= 'echo \"TLS_KEY_FILE:\$TLS_KEY_FILE\";';
    $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
    $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
    $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
    $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';

    my $data = -f $conffile ? `bash -c "$shcmd"` : '';

    my $res = {};

    my $boolean_options = [
	'HONOR_CIPHER_ORDER',
	'COMPRESSION',
	'DISABLE_TLS_1_2',
	'DISABLE_TLS_1_3',
    ];

    while ($data =~ s/^(.*)\n//) {
	my ($key, $value) = split(/:/, $1, 2);
	next if !defined($value) || $value eq '';
	if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
	    my $ips = [];
	    foreach my $ip (split(/,/, $value)) {
		if ($ip eq 'all') {
		    push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
		    push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
		    next;
		}
		push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
	    }
	    $res->{$key} = $ips;
	} elsif ($key eq 'LISTEN_IP') {
	    $res->{$key} = $value;
	} elsif ($key eq 'POLICY') {
	    die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
	    $res->{$key} = $value;
	} elsif ($key eq 'CIPHERS') {
	    $res->{$key} = $value;
	} elsif ($key eq 'CIPHERSUITES') {
	    $res->{$key} = $value;
	} elsif ($key eq 'DHPARAMS') {
	    $res->{$key} = $value;
	} elsif ($key eq 'TLS_KEY_FILE') {
	    $res->{$key} = $value;
	} elsif (grep { $key eq $_ } @$boolean_options) {
	    die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
	    $res->{$key} = $value;
	} else {
	    # silently skip everythin else?
	}
    }

    return $res;
}

sub normalize_v4_in_v6 {
    my ($ip_text) = @_;

    my $ip = Net::IP->new($ip_text) || die Net::IP::Error() . "\n";
    my $v4_mapped_v6_prefix = Net::IP->new('::ffff:0:0/96');
    if ($v4_mapped_v6_prefix->overlaps($ip)) {
	return Net::IP::ip_get_embedded_ipv4($ip_text);
    }
    return $ip_text;
}

1;
Commit	Line	Data
c610c859 SI	1	package PVE::APIServer::Utils;
	2
	3	use strict;
	4	use warnings;
	5
	6	use Net::IP;
	7
7266fc2d SI	8	# all settings are used for pveproxy and pmgproxy
7266fc2d SI	9	# the ALLOW/DENY/POLICY is also used by spiceproxy
c610c859 SI	10	sub read_proxy_config {
	11	my ($proxy_name) = @_;
	12
	13	my $conffile = "/etc/default/$proxy_name";
	14
	15	# Note: evaluate with bash
	16	my $shcmd = ". $conffile;\n";
9afe1e89	17	$shcmd .= 'echo \"LISTEN_IP:\$LISTEN_IP\";';
c610c859 SI	18	$shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
	19	$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
	20	$shcmd .= 'echo \"POLICY:\$POLICY\";';
	21	$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
95fde1f7	22	$shcmd .= 'echo \"CIPHERSUITES:\$CIPHERSUITES\";';
c610c859	23	$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
d93700f1	24	$shcmd .= 'echo \"TLS_KEY_FILE:\$TLS_KEY_FILE\";';
c610c859 SI	25	$shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
c610c859 SI	26	$shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
e9022485 FG	27	$shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
e9022485 FG	28	$shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
c610c859 SI	29
	30	my $data = -f $conffile ? `bash -c "$shcmd"` : '';
	31
	32	my $res = {};
	33
e9022485 FG	34	my $boolean_options = [
	35	'HONOR_CIPHER_ORDER',
	36	'COMPRESSION',
	37	'DISABLE_TLS_1_2',
	38	'DISABLE_TLS_1_3',
	39	];
	40
c610c859 SI	41	while ($data =~ s/^(.*)\n//) {
	42	my ($key, $value) = split(/:/, $1, 2);
	43	next if !defined($value) \|\| $value eq '';
	44	if ($key eq 'ALLOW_FROM' \|\| $key eq 'DENY_FROM') {
	45	my $ips = [];
	46	foreach my $ip (split(/,/, $value)) {
9494318e SI	47	if ($ip eq 'all') {
	48	push @$ips, Net::IP->new('0/0') \|\| die Net::IP::Error() . "\n";
	49	push @$ips, Net::IP->new('::/0') \|\| die Net::IP::Error() . "\n";
	50	next;
	51	}
c6de5b3f	52	push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) \|\| die Net::IP::Error() . "\n";
c610c859 SI	53	}
c610c859 SI	54	$res->{$key} = $ips;
9afe1e89 OB	55	} elsif ($key eq 'LISTEN_IP') {
9afe1e89 OB	56	$res->{$key} = $value;
c610c859 SI	57	} elsif ($key eq 'POLICY') {
	58	die "unknown policy '$value'\n" if $value !~ m/^(allow\|deny)$/;
	59	$res->{$key} = $value;
	60	} elsif ($key eq 'CIPHERS') {
	61	$res->{$key} = $value;
95fde1f7 FG	62	} elsif ($key eq 'CIPHERSUITES') {
95fde1f7 FG	63	$res->{$key} = $value;
c610c859 SI	64	} elsif ($key eq 'DHPARAMS') {
c610c859 SI	65	$res->{$key} = $value;
d93700f1 FG	66	} elsif ($key eq 'TLS_KEY_FILE') {
d93700f1 FG	67	$res->{$key} = $value;
e9022485	68	} elsif (grep { $key eq $_ } @$boolean_options) {
c610c859 SI	69	die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0\|1)$/;
	70	$res->{$key} = $value;
	71	} else {
	72	# silently skip everythin else?
	73	}
	74	}
	75
	76	return $res;
	77	}
	78
c6de5b3f SI	79	sub normalize_v4_in_v6 {
	80	my ($ip_text) = @_;
	81
	82	my $ip = Net::IP->new($ip_text) \|\| die Net::IP::Error() . "\n";
	83	my $v4_mapped_v6_prefix = Net::IP->new('::ffff:0:0/96');
	84	if ($v4_mapped_v6_prefix->overlaps($ip)) {
	85	return Net::IP::ip_get_embedded_ipv4($ip_text);
	86	}
	87	return $ip_text;
	88	}
	89
c610c859	90	1;