fix authentication checks for routes involving specific instances

This commit is contained in:
Arthur Lu 2023-05-17 21:30:36 +00:00
parent 8c71ceafcf
commit b12d84d4be
2 changed files with 39 additions and 28 deletions

65
main.js
View File

@ -95,8 +95,9 @@ app.get("/api/user/nodes", async (req, res) => {
})
app.post("/api/instance/disk/detach", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
if (req.body.disk.includes("unused")) {
res.status(500).send({ error: `Requested disk ${req.body.disk} cannot be unused. Use /disk/delete to permanently delete unused disks.` });
@ -105,25 +106,27 @@ app.post("/api/instance/disk/detach", async (req, res) => {
}
let action = JSON.stringify({ delete: req.body.disk });
let method = req.body.type === "qemu" ? "POST" : "PUT";
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/disk/attach", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
let action = {};
action[req.body.disk] = req.body.data;
action = JSON.stringify(action);
let method = req.body.type === "qemu" ? "POST" : "PUT";
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/disk/resize", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// check disk existence
let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
@ -144,13 +147,14 @@ app.post("/api/instance/disk/resize", async (req, res) => {
}
// action approved, commit to action
let action = JSON.stringify({ disk: req.body.disk, size: `+${req.body.size}G` });
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/resize`, "PUT", req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/resize`, "PUT", req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/disk/move", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// check disk existence
let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, req.body.disk); // get target disk
@ -185,13 +189,14 @@ app.post("/api/instance/disk/move", async (req, res) => {
}
action = JSON.stringify(action);
let route = req.body.type === "qemu" ? "move_disk" : "move_volume";
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/${route}`, "POST", req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/${route}`, "POST", req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/disk/delete", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// only ide or unused are allowed to be deleted
if (!req.body.disk.includes("unused") && !req.body.disk.includes("ide")) { // must be ide or unused
@ -202,13 +207,14 @@ app.post("/api/instance/disk/delete", async (req, res) => {
let action = JSON.stringify({ delete: req.body.disk });
let method = req.body.type === "qemu" ? "POST" : "PUT";
// commit action
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/disk/create", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// setup request
let request = {};
@ -234,13 +240,14 @@ app.post("/api/instance/disk/create", async (req, res) => {
action = JSON.stringify(action);
let method = req.body.type === "qemu" ? "POST" : "PUT";
// commit action
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/network", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// get current config
let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
@ -260,13 +267,14 @@ app.post("/api/instance/network", async (req, res) => {
action[`net${req.body.netid}`] = currentNetworkConfig.replace(`rate=${currentNetworkRate}`, `rate=${req.body.rate}`);
action = JSON.stringify(action);
let method = req.body.type === "qemu" ? "POST" : "PUT";
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
app.post("/api/instance/resources", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// get current config
let currentConfig = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, "GET", null, null, pveAPIToken);
@ -283,7 +291,7 @@ app.post("/api/instance/resources", async (req, res) => {
// commit action
let action = JSON.stringify({ cores: req.body.cores, memory: req.body.memory });
let method = req.body.type === "qemu" ? "POST" : "PUT";
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}/config`, method, req.cookies, action, pveAPIToken);
let result = await requestPVE(`${vmpath}/config`, method, req.cookies, action, pveAPIToken);
await handleResponse(req.body.node, result, res);
});
@ -301,11 +309,13 @@ app.post("/api/instance", async (req, res) => {
let vmid = Number.parseInt(req.body.vmid);
let vmid_min = user.instances.vmid.min;
let vmid_max = user.instances.vmid.max;
// check vmid is within allowed range
if (vmid < vmid_min || vmid > vmid_max) {
res.status(500).send({ error: `Requested vmid ${vmid} is out of allowed range [${vmid_min},${vmid_max}]` });
res.end();
return;
}
// check node is within allowed list
if (!user.nodes.includes(req.body.node)) {
res.status(500).send({ error: `Requested node ${req.body.node} is not in allowed nodes [${user.nodes}]` });
res.end();
@ -346,11 +356,12 @@ app.post("/api/instance", async (req, res) => {
});
app.delete("/api/instance", async (req, res) => {
// check auth
let auth = await checkAuth(req.cookies, res);
// check auth for specific instance
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let auth = await checkAuth(req.cookies, res, vmpath);
if (!auth) { return; }
// commit action
let result = await requestPVE(`/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`, "DELETE", req.cookies, null, pveAPIToken);
let result = await requestPVE(vmpath, "DELETE", req.cookies, null, pveAPIToken);
await handleResponse(req.body.node, result, res);
});

2
pve.js
View File

@ -12,7 +12,7 @@ export async function checkAuth(cookies, res, vmpath = null) {
auth = result.status === 200;
}
if (!auth) {
res.status(401).send({ auth: auth });
res.status(401).send({ auth: auth, path: vmpath ? `${vmpath}/config` : "/version" });
res.end();
}
return auth;