fix authentication checks for routes involving specific instances
This commit is contained in:
parent
8c71ceafcf
commit
b12d84d4be
65
main.js
65
main.js
@ -95,8 +95,9 @@ app.get("/api/user/nodes", async (req, res) => {
|
|||||||
})
|
})
|
||||||
|
|
||||||
app.post("/api/instance/disk/detach", async (req, res) => {
|
app.post("/api/instance/disk/detach", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
if (req.body.disk.includes("unused")) {
|
if (req.body.disk.includes("unused")) {
|
||||||
res.status(500).send({ error: `Requested disk ${req.body.disk} cannot be unused. Use /disk/delete to permanently delete unused disks.` });
|
res.status(500).send({ error: `Requested disk ${req.body.disk} cannot be unused. Use /disk/delete to permanently delete unused disks.` });
|
||||||
@ -105,25 +106,27 @@ app.post("/api/instance/disk/detach", async (req, res) => {
|
|||||||
}
|
}
|
||||||
let action = JSON.stringify({ delete: req.body.disk });
|
let action = JSON.stringify({ delete: req.body.disk });
|
||||||
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/disk/attach", async (req, res) => {
|
app.post("/api/instance/disk/attach", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
let action = {};
|
let action = {};
|
||||||
action[req.body.disk] = req.body.data;
|
action[req.body.disk] = req.body.data;
|
||||||
action = JSON.stringify(action);
|
action = JSON.stringify(action);
|
||||||
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/disk/resize", async (req, res) => {
|
app.post("/api/instance/disk/resize", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// check disk existence
|
// check disk existence
|
||||||
let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
|
let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
|
||||||
@ -144,13 +147,14 @@ app.post("/api/instance/disk/resize", async (req, res) => {
|
|||||||
}
|
}
|
||||||
// action approved, commit to action
|
// action approved, commit to action
|
||||||
let action = JSON.stringify({ disk: req.body.disk, size: `+${req.body.size}G` });
|
let action = JSON.stringify({ disk: req.body.disk, size: `+${req.body.size}G` });
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/resize`, "PUT", req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/resize`, "PUT", req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/disk/move", async (req, res) => {
|
app.post("/api/instance/disk/move", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// check disk existence
|
// check disk existence
|
||||||
let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
|
let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
|
||||||
@ -185,13 +189,14 @@ app.post("/api/instance/disk/move", async (req, res) => {
|
|||||||
}
|
}
|
||||||
action = JSON.stringify(action);
|
action = JSON.stringify(action);
|
||||||
let route = req.body.type === "qemu" ? "move_disk" : "move_volume";
|
let route = req.body.type === "qemu" ? "move_disk" : "move_volume";
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/${route}`, "POST", req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/${route}`, "POST", req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/disk/delete", async (req, res) => {
|
app.post("/api/instance/disk/delete", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// only ide or unused are allowed to be deleted
|
// only ide or unused are allowed to be deleted
|
||||||
if (!req.body.disk.includes("unused") && !req.body.disk.includes("ide")) { // must be ide or unused
|
if (!req.body.disk.includes("unused") && !req.body.disk.includes("ide")) { // must be ide or unused
|
||||||
@ -202,13 +207,14 @@ app.post("/api/instance/disk/delete", async (req, res) => {
|
|||||||
let action = JSON.stringify({ delete: req.body.disk });
|
let action = JSON.stringify({ delete: req.body.disk });
|
||||||
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
||||||
// commit action
|
// commit action
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/disk/create", async (req, res) => {
|
app.post("/api/instance/disk/create", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// setup request
|
// setup request
|
||||||
let request = {};
|
let request = {};
|
||||||
@ -234,13 +240,14 @@ app.post("/api/instance/disk/create", async (req, res) => {
|
|||||||
action = JSON.stringify(action);
|
action = JSON.stringify(action);
|
||||||
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
||||||
// commit action
|
// commit action
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/network", async (req, res) => {
|
app.post("/api/instance/network", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// get current config
|
// get current config
|
||||||
let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
|
let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
|
||||||
@ -260,13 +267,14 @@ app.post("/api/instance/network", async (req, res) => {
|
|||||||
action[`net${req.body.netid}`] = currentNetworkConfig.replace(`rate=${currentNetworkRate}`, `rate=${req.body.rate}`);
|
action[`net${req.body.netid}`] = currentNetworkConfig.replace(`rate=${currentNetworkRate}`, `rate=${req.body.rate}`);
|
||||||
action = JSON.stringify(action);
|
action = JSON.stringify(action);
|
||||||
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
app.post("/api/instance/resources", async (req, res) => {
|
app.post("/api/instance/resources", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// get current config
|
// get current config
|
||||||
let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
|
let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
|
||||||
@ -283,7 +291,7 @@ app.post("/api/instance/resources", async (req, res) => {
|
|||||||
// commit action
|
// commit action
|
||||||
let action = JSON.stringify({ cores: req.body.cores, memory: req.body.memory });
|
let action = JSON.stringify({ cores: req.body.cores, memory: req.body.memory });
|
||||||
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
let method = req.body.type === "qemu" ? "POST" : "PUT";
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
|
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -301,11 +309,13 @@ app.post("/api/instance", async (req, res) => {
|
|||||||
let vmid = Number.parseInt(req.body.vmid);
|
let vmid = Number.parseInt(req.body.vmid);
|
||||||
let vmid_min = user.instances.vmid.min;
|
let vmid_min = user.instances.vmid.min;
|
||||||
let vmid_max = user.instances.vmid.max;
|
let vmid_max = user.instances.vmid.max;
|
||||||
|
// check vmid is within allowed range
|
||||||
if (vmid < vmid_min || vmid > vmid_max) {
|
if (vmid < vmid_min || vmid > vmid_max) {
|
||||||
res.status(500).send({ error: `Requested vmid ${vmid} is out of allowed range [${vmid_min},${vmid_max}]` });
|
res.status(500).send({ error: `Requested vmid ${vmid} is out of allowed range [${vmid_min},${vmid_max}]` });
|
||||||
res.end();
|
res.end();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
// check node is within allowed list
|
||||||
if (!user.nodes.includes(req.body.node)) {
|
if (!user.nodes.includes(req.body.node)) {
|
||||||
res.status(500).send({ error: `Requested node ${req.body.node} is not in allowed nodes [${user.nodes}]` });
|
res.status(500).send({ error: `Requested node ${req.body.node} is not in allowed nodes [${user.nodes}]` });
|
||||||
res.end();
|
res.end();
|
||||||
@ -346,11 +356,12 @@ app.post("/api/instance", async (req, res) => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
app.delete("/api/instance", async (req, res) => {
|
app.delete("/api/instance", async (req, res) => {
|
||||||
// check auth
|
// check auth for specific instance
|
||||||
let auth = await checkAuth(req.cookies, res);
|
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
|
||||||
|
let auth = await checkAuth(req.cookies, res, vmpath);
|
||||||
if (!auth) { return; }
|
if (!auth) { return; }
|
||||||
// commit action
|
// commit action
|
||||||
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`, "DELETE", req.cookies, null, pveAPIToken);
|
let result = await requestPVE(vmpath, "DELETE", req.cookies, null, pveAPIToken);
|
||||||
await handleResponse(req.body.node, result, res);
|
await handleResponse(req.body.node, result, res);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
2
pve.js
2
pve.js
@ -12,7 +12,7 @@ export async function checkAuth(cookies, res, vmpath = null) {
|
|||||||
auth = result.status === 200;
|
auth = result.status === 200;
|
||||||
}
|
}
|
||||||
if (!auth) {
|
if (!auth) {
|
||||||
res.status(401).send({ auth: auth });
|
res.status(401).send({ auth: auth, path: vmpath ? `${vmpath}/config` : "/version" });
|
||||||
res.end();
|
res.end();
|
||||||
}
|
}
|
||||||
return auth;
|
return auth;
|
||||||
|
Loading…
Reference in New Issue
Block a user