From 414c08fbf5a494d318bc99c99b6dab9f34b477f0 Mon Sep 17 00:00:00 2001 From: Arthur Lu Date: Wed, 17 May 2023 21:30:36 +0000 Subject: [PATCH] fix authentication checks for routes involving specific instances --- main.js | 65 +++++++++++++++++++++++++++++++++------------------------ pve.js | 2 +- 2 files changed, 39 insertions(+), 28 deletions(-) diff --git a/main.js b/main.js index d81289a..699e46c 100644 --- a/main.js +++ b/main.js @@ -95,8 +95,9 @@ app.get("/api/user/nodes", async (req, res) => { }) app.post("/api/instance/disk/detach", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } if (req.body.disk.includes("unused")) { res.status(500).send({ error: `Requested disk ${req.body.disk} cannot be unused. Use /disk/delete to permanently delete unused disks.` }); @@ -105,25 +106,27 @@ app.post("/api/instance/disk/detach", async (req, res) => { } let action = JSON.stringify({ delete: req.body.disk }); let method = req.body.type === "qemu" ? "POST" : "PUT"; - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/disk/attach", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } let action = {}; action[req.body.disk] = req.body.data; action = JSON.stringify(action); let method = req.body.type === "qemu" ? "POST" : "PUT"; - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/disk/resize", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // check disk existence let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk @@ -144,13 +147,14 @@ app.post("/api/instance/disk/resize", async (req, res) => { } // action approved, commit to action let action = JSON.stringify({ disk: req.body.disk, size: `+${req.body.size}G` }); - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/resize`, "PUT", req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/resize`, "PUT", req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/disk/move", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // check disk existence let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk @@ -185,13 +189,14 @@ app.post("/api/instance/disk/move", async (req, res) => { } action = JSON.stringify(action); let route = req.body.type === "qemu" ? "move_disk" : "move_volume"; - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/${route}`, "POST", req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/${route}`, "POST", req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/disk/delete", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // only ide or unused are allowed to be deleted if (!req.body.disk.includes("unused") && !req.body.disk.includes("ide")) { // must be ide or unused @@ -202,13 +207,14 @@ app.post("/api/instance/disk/delete", async (req, res) => { let action = JSON.stringify({ delete: req.body.disk }); let method = req.body.type === "qemu" ? "POST" : "PUT"; // commit action - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/disk/create", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // setup request let request = {}; @@ -234,13 +240,14 @@ app.post("/api/instance/disk/create", async (req, res) => { action = JSON.stringify(action); let method = req.body.type === "qemu" ? "POST" : "PUT"; // commit action - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/network", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // get current config let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken); @@ -260,13 +267,14 @@ app.post("/api/instance/network", async (req, res) => { action[`net${req.body.netid}`] = currentNetworkConfig.replace(`rate=${currentNetworkRate}`, `rate=${req.body.rate}`); action = JSON.stringify(action); let method = req.body.type === "qemu" ? "POST" : "PUT"; - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); app.post("/api/instance/resources", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // get current config let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken); @@ -283,7 +291,7 @@ app.post("/api/instance/resources", async (req, res) => { // commit action let action = JSON.stringify({ cores: req.body.cores, memory: req.body.memory }); let method = req.body.type === "qemu" ? "POST" : "PUT"; - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken); + let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken); await handleResponse(req.body.node, result, res); }); @@ -301,11 +309,13 @@ app.post("/api/instance", async (req, res) => { let vmid = Number.parseInt(req.body.vmid); let vmid_min = user.instances.vmid.min; let vmid_max = user.instances.vmid.max; + // check vmid is within allowed range if (vmid < vmid_min || vmid > vmid_max) { res.status(500).send({ error: `Requested vmid ${vmid} is out of allowed range [${vmid_min},${vmid_max}]` }); res.end(); return; } + // check node is within allowed list if (!user.nodes.includes(req.body.node)) { res.status(500).send({ error: `Requested node ${req.body.node} is not in allowed nodes [${user.nodes}]` }); res.end(); @@ -346,11 +356,12 @@ app.post("/api/instance", async (req, res) => { }); app.delete("/api/instance", async (req, res) => { - // check auth - let auth = await checkAuth(req.cookies, res); + // check auth for specific instance + let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; + let auth = await checkAuth(req.cookies, res, vmpath); if (!auth) { return; } // commit action - let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`, "DELETE", req.cookies, null, pveAPIToken); + let result = await requestPVE(vmpath, "DELETE", req.cookies, null, pveAPIToken); await handleResponse(req.body.node, result, res); }); diff --git a/pve.js b/pve.js index 572d6f4..f31d877 100644 --- a/pve.js +++ b/pve.js @@ -12,7 +12,7 @@ export async function checkAuth(cookies, res, vmpath = null) { auth = result.status === 200; } if (!auth) { - res.status(401).send({ auth: auth }); + res.status(401).send({ auth: auth, path: vmpath ? `${vmpath}/config` : "/version" }); res.end(); } return auth;