[pve-devel] [PATCH v2 manager 01/10] takeover CertCache from pve-cluster
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Nov 11 11:28:33 CET 2019
same code, same semantics, different file/module
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
PVE/Makefile | 1 +
PVE/CertCache.pm | 92 +++++++++++++++++++++++++++++++++++++++++++++++
PVE/HTTPServer.pm | 5 +--
3 files changed, 96 insertions(+), 2 deletions(-)
create mode 100644 PVE/CertCache.pm
diff --git a/PVE/Makefile b/PVE/Makefile
index ad21d383..3a422bda 100644
--- a/PVE/Makefile
+++ b/PVE/Makefile
@@ -4,6 +4,7 @@ SUBDIRS=API2 Status CLI Service Ceph
PERLSOURCE = \
CertHelpers.pm \
+ CertCache.pm \
API2.pm \
API2Tools.pm \
HTTPServer.pm \
diff --git a/PVE/CertCache.pm b/PVE/CertCache.pm
new file mode 100644
index 00000000..4eadab29
--- /dev/null
+++ b/PVE/CertCache.pm
@@ -0,0 +1,92 @@
+package PVE::CertCache;
+
+use strict;
+use warnings;
+
+use Net::SSLeay;
+
+use PVE::Cluster;
+use PVE::SafeSyslog;
+
+# X509 Certificate cache helper
+
+my $cert_cache_nodes = {};
+my $cert_cache_timestamp = time();
+my $cert_cache_fingerprints = {};
+
+sub update_cert_cache {
+ my ($update_node, $clear) = @_;
+
+ syslog('info', "Clearing outdated entries from certificate cache")
+ if $clear;
+
+ $cert_cache_timestamp = time() if !defined($update_node);
+
+ my $node_list = defined($update_node) ?
+ [ $update_node ] : [ keys %$cert_cache_nodes ];
+
+ foreach my $node (@$node_list) {
+ my $clear_old = sub {
+ if (my $old_fp = $cert_cache_nodes->{$node}) {
+ # distrust old fingerprint
+ delete $cert_cache_fingerprints->{$old_fp};
+ # ensure reload on next proxied request
+ delete $cert_cache_nodes->{$node};
+ }
+ };
+
+ my $fp = eval { PVE::Cluster::get_node_fingerprint($node) };
+ if (my $err = $@) {
+ warn "$err\n";
+ &$clear_old() if $clear;
+ next;
+ }
+
+ my $old_fp = $cert_cache_nodes->{$node};
+ $cert_cache_fingerprints->{$fp} = 1;
+ $cert_cache_nodes->{$node} = $fp;
+
+ if (defined($old_fp) && $fp ne $old_fp) {
+ delete $cert_cache_fingerprints->{$old_fp};
+ }
+ }
+}
+
+# load and cache cert fingerprint once
+sub initialize_cert_cache {
+ my ($node) = @_;
+
+ update_cert_cache($node)
+ if defined($node) && !defined($cert_cache_nodes->{$node});
+}
+
+sub check_cert_fingerprint {
+ my ($cert) = @_;
+
+ # clear cache every 30 minutes at least
+ update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
+
+ # get fingerprint of server certificate
+ my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
+ return 0 if !defined($fp) || $fp eq ''; # error
+
+ my $check = sub {
+ for my $expected (keys %$cert_cache_fingerprints) {
+ return 1 if $fp eq $expected;
+ }
+ return 0;
+ };
+
+ return 1 if &$check();
+
+ # clear cache and retry at most once every minute
+ if (time() - $cert_cache_timestamp >= 60) {
+ syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
+ update_cert_cache();
+ return &$check();
+ }
+
+ return 0;
+}
+
+1;
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index ce895725..e9572c71 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -11,6 +11,7 @@ use PVE::Exception qw(raise_param_exc raise);
use PVE::RPCEnvironment;
use PVE::AccessControl;
+use PVE::CertCache;
use PVE::Cluster;
use PVE::API2Tools;
@@ -199,13 +200,13 @@ sub rest_handler {
sub check_cert_fingerprint {
my ($self, $cert) = @_;
- return PVE::Cluster::check_cert_fingerprint($cert);
+ return PVE::CertCache::check_cert_fingerprint($cert);
}
sub initialize_cert_cache {
my ($self, $node) = @_;
- PVE::Cluster::initialize_cert_cache($node);
+ PVE::CertCache::initialize_cert_cache($node);
}
sub remote_node_ip {
--
2.20.1
More information about the pve-devel
mailing list