[pmg-devel] [PATCH pmg-api - stable-5] improve CSRF compat with newer PMG

[Stoiko Ivanov]

This patch follows (rather copies) 00c8c8fe0d3eefcca015f39c3e4967c70543e36e
from pve-access-control for its stable-5 branch.

Tested by creating a PMG-cluster with a PMG 5.2 as master, and a PMG 6.0 BETA
as node, connecting to the PMG 6.0 and adding a Who object (which gets
proxied to the master-node).
Without the patch (and libpve-common-perl 5.0-52) -> 401 - invalid csrf token
With the patch (and libpve-common-perl 5.0-54) -> 200 - invalid csrf token

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
Thanks @Thomas for the hint - should have done this initially myself!

 PMG/Ticket.pm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/PMG/Ticket.pm b/PMG/Ticket.pm
index c9cf096..344a984 100644
--- a/PMG/Ticket.pm
+++ b/PMG/Ticket.pm
@@ -132,6 +132,8 @@ PVE::INotify::register_file('auth_pub_key', $authpubkeyfn,
 			    $read_rsa_pub_key, undef, undef,
 			    noclone => 1);
 
+my $csrf_prevention_secret_pmg6;
+
 my $read_csrf_secret = sub {
    my ($filename, $fh) = @_;
 
@@ -139,6 +141,8 @@ my $read_csrf_secret = sub {
 
    my $input = <$fh>;
 
+   $csrf_prevention_secret_pmg6 = Digest::SHA::hmac_sha256_base64($input);
+
    return Digest::SHA::sha1_base64($input);
 };
 
@@ -151,6 +155,14 @@ sub verify_csrf_prevention_token {
 
     my $secret = PVE::INotify::read_file('csrf_secret');
 
+    if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+	my $sig = $2;
+	if (length($sig) > 27) {
+	    # the pmg6 secret got populated by read_file above
+	    $secret = $csrf_prevention_secret_pmg6;
+	}
+    }
+
     return PVE::Ticket::verify_csrf_prevention_token(
 	$secret, $username, $token, $min_ticket_lifetime,
 	$max_ticket_lifetime, $noerr);
-- 
2.20.1