reuse host based access control code for spiceproxy

diff --git a/PVE/APIDaemon.pm b/PVE/APIDaemon.pm
index 8435004a2f5f60219f61bf195450b9fd360bdacb..8ed6568a309ad2bcd4fd428cf41a069121b57391 100755 (executable)
--- a/PVE/APIDaemon.pm
+++ b/PVE/APIDaemon.pm
@@ -5,6 +5,7 @@ use warnings;
 use POSIX ":sys_wait_h";
 use Socket qw(IPPROTO_TCP TCP_NODELAY SOMAXCONN);
 use IO::Socket::INET;
+use Net::IP;
 
 use PVE::SafeSyslog;
 use PVE::HTTPServer;
@@ -191,4 +192,38 @@ sub start_server {
     }
 }
 
+sub read_proxy_config {
+
+    my $conffile = "/etc/default/pveproxy";
+
+    # Note: evaluate with bash 
+    my $shcmd = ". $conffile;\n";
+    $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
+    $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
+    $shcmd .= 'echo \"POLICY:\$POLICY\";';
+
+    my $data = `bash -c "$shcmd"`;
+
+    my $res = {};
+
+    while ($data =~ s/^(.*)\n//) {
+       my ($key, $value) = split(/:/, $1, 2);
+       if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
+           my $ips = [];
+           foreach my $ip (split(/,/, $value)) {
+               $ip = "0/0" if $ip eq 'all';
+               push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
+           }
+           $res->{$key} = $ips;
+       } elsif ($key eq 'POLICY') {
+           die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
+           $res->{$key} = $value;
+       } else {
+           # silently skip everythin else?
+       }
+    }
+
+    return $res;
+}
+
 1;

diff --git a/bin/init.d/pveproxy b/bin/init.d/pveproxy
index 3565027cb5d523fa25058f4f52ac204639e70b67..c4954551154c862c643883f1f5f28939cc4b121d 100755 (executable)
--- a/bin/init.d/pveproxy
+++ b/bin/init.d/pveproxy
@@ -31,25 +31,8 @@ DAEMON_OPTS=""
 
 # Include defaults if available
 if [ -f /etc/default/$NAME ] ; then
-    ALLOW_FROM=""
-    DENY_FROM=""
-    POLICY=""
-
     . /etc/default/$NAME
-
-    if [ -n "$ALLOW_FROM" ] ; then
-       DAEMON_OPTS="${DAEMON_OPTS} --allow-from ${ALLOW_FROM}"
-    fi
-
-    if [ -n "$DENY_FROM" ] ; then
-       DAEMON_OPTS="${DAEMON_OPTS} --deny-from ${DENY_FROM}"
-    fi
-
-    if [ -n "$POLICY" ] ; then
-       DAEMON_OPTS="${DAEMON_OPTS} --policy $POLICY"
-    fi
 fi
-
  
 case "$1" in
        start)

diff --git a/bin/init.d/spiceproxy b/bin/init.d/spiceproxy
index 160311a2bcf610c424c02883a5fa88cdcefff519..0747cdd3fa12aa6df003d1dcc6014c89784b06bd 100755 (executable)
--- a/bin/init.d/spiceproxy
+++ b/bin/init.d/spiceproxy
@@ -31,25 +31,8 @@ DAEMON_OPTS=""
 
 # Include defaults if available
 if [ -f /etc/default/$NAME ] ; then
-    ALLOW_FROM=""
-    DENY_FROM=""
-    POLICY=""
-
     . /etc/default/$NAME
-
-    if [ -n "$ALLOW_FROM" ] ; then
-       DAEMON_OPTS="${DAEMON_OPTS} --allow-from ${ALLOW_FROM}"
-    fi
-
-    if [ -n "$DENY_FROM" ] ; then
-       DAEMON_OPTS="${DAEMON_OPTS} --deny-from ${DENY_FROM}"
-    fi
-
-    if [ -n "$POLICY" ] ; then
-       DAEMON_OPTS="${DAEMON_OPTS} --policy $POLICY"
-    fi
 fi
-
  
 case "$1" in
        start)

diff --git a/bin/pveproxy b/bin/pveproxy
index 8238721dade8eceefbe3c8269db71b510ced72dc..a03c70e912c7d023995182dc6f2cdf0925d4f7cc 100755 (executable)
--- a/bin/pveproxy
+++ b/bin/pveproxy
@@ -18,47 +18,16 @@ use URI;
 use URI::QueryParam;
 use File::Find;
 use Data::Dumper;
-use Net::IP;
 
 my $pidfile = "/var/run/pveproxy/pveproxy.pid";
 my $lockfile = "/var/lock/pveproxy.lck";
 
 my $opt_debug;
-my $opt_allow_from;
-my $opt_deny_from;
-my $opt_policy;
 
 initlog ('pveproxy');
 
-if (!GetOptions ('allow-from=s@' => \$opt_allow_from, 
-                'deny-from=s@' => \$opt_deny_from,
-                'policy=s' => \$opt_policy,
-                'debug' => \$opt_debug)) {
-    die "usage: $0 [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]\n";
-}
-
-$opt_deny_from  = [ split(/,/, join(',', @$opt_deny_from)) ] if $opt_deny_from;
-$opt_allow_from  = [ split(/,/, join(',', @$opt_allow_from)) ] if $opt_allow_from;
-
-die "unknown policy '$opt_policy'\n" if $opt_policy && $opt_policy !~ m/^(allow|deny)$/;
-
-if ($opt_deny_from) {
-    my $ips = [];
-    foreach my $ip (@$opt_deny_from) {
-       $ip = "0/0" if $ip eq 'all';
-       push @$ips,  Net::IP->new($ip) || die Net::IP::Error() . "\n";
-    }
-
-    $opt_deny_from = $ips;
-}
-
-if ($opt_allow_from) {
-    my $ips = [];
-    foreach my $ip (@$opt_allow_from) {
-       $ip = "0/0" if $ip eq 'all';
-       push @$ips,  Net::IP->new($ip) || die Net::IP::Error() . "\n";
-    }
-    $opt_allow_from = $ips;
+if (!GetOptions ('debug' => \$opt_debug)) {
+    die "usage: $0 [--debug]\n";
 }
 
 $SIG{'__WARN__'} = sub {
@@ -81,6 +50,8 @@ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
 # just to be sure
 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
 
+my $proxyconf = PVE::APIDaemon::read_proxy_config();
+
 sub add_dirs {
     my ($result_hash, $alias, $subdir) = @_;
 
@@ -114,9 +85,9 @@ eval {
        max_conn => 500,
        max_requests => 1000,
        debug => $opt_debug,
-       allow_from => $opt_allow_from,
-       deny_from => $opt_deny_from,
-       policy => $opt_policy,
+       allow_from => $proxyconf->{ALLOW_FROM},
+       deny_from => $proxyconf->{DENY_FROM},
+       policy => $proxyconf->{POLICY},
        trusted_env => 0, # not trusted, anyone can connect
        logfile => '/var/log/pveproxy/access.log',
        lockfile => $lockfile,
@@ -286,7 +257,7 @@ pveproxy - the PVE API proxy server
 
 =head1 SYNOPSIS
 
-pveproxy [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]
+pveproxy [--debug]
 
 =head1 DESCRIPTION
 
@@ -297,8 +268,7 @@ as service using:
 
 =head1 Host based access control
 
-Options '--allow-from', '--deny-from' and '--policy' can be used to set up
-apache2 like access control. If started as service, those values are read 
+It is possible to configure apache2 like access control lists. Values are read 
 from file /etc/default/pveproxy. For example:
 
  ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"

diff --git a/bin/spiceproxy b/bin/spiceproxy
index 4fec09b7ed8802eae9f94eb84bee68dcc00bed15..70af73b2beaaaaa2bf0bab6c6043ee3820d57694 100755 (executable)
--- a/bin/spiceproxy
+++ b/bin/spiceproxy
@@ -44,6 +44,9 @@ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
 # just to be sure
 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
 
+# we use same ALLOW/DENY/POLICY as pveproxy
+my $proxyconf = PVE::APIDaemon::read_proxy_config();
+
 my $cpid;
 my $daemon;
 eval {
@@ -56,6 +59,9 @@ eval {
        debug => $opt_debug,
        spiceproxy => 1,
        logfile => '/var/log/pveproxy/access.log',
+       allow_from => $proxyconf->{ALLOW_FROM},
+       deny_from => $proxyconf->{DENY_FROM},
+       policy => $proxyconf->{POLICY},
     );
 };
 
@@ -129,6 +135,15 @@ spiceproxy [--debug]
 
 SPICE proxy server for Proxmox VE. Listens on port 3128.
 
+=head1 Host based access control
+
+It is possible to configure apache2 like access control lists. Values are read 
+from file /etc/default/pveproxy (see 'pveproxy' for details).
+
+=head1 FILES
+
+ /etc/default/pveproxy
+
 =head1 COPYRIGHT AND DISCLAIMER
 
  Copyright (C) 2007-2013 Proxmox Server Solutions GmbH