340 lines
13 KiB
JavaScript
340 lines
13 KiB
JavaScript
import { createHash } from "crypto";
|
|
import path from "path";
|
|
import url from "url";
|
|
import * as fs from "fs";
|
|
import { readFileSync } from "fs";
|
|
import { exit } from "process";
|
|
|
|
/**
|
|
* Check if a user is authorized to access a specified vm, or the cluster in general.
|
|
* @param {Object} cookies user auth cookies.
|
|
* @param {Object} res ProxmoxAAS API response object, used to send auth error responses.
|
|
* @param {string} vmpath vm path to check. Optional, if null then the general /version path is used.
|
|
* @returns {boolean} true if the user is authorized to access the specific vm or cluster in general, false otheriwse.
|
|
*/
|
|
export async function checkAuth (cookies, res, vmpath = null) {
|
|
let auth = false;
|
|
|
|
const userObj = getUserObjFromUsername(cookies.username); // check if username exists and is valid
|
|
if (!userObj) {
|
|
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username was missing or invalid." });
|
|
res.end();
|
|
return false;
|
|
}
|
|
|
|
if (!cookies.PVEAuthCookie) { // check if PVE token exists
|
|
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Token was missing or invalid." });
|
|
res.end();
|
|
return false;
|
|
}
|
|
|
|
const pveTicket = cookies.PVEAuthCookie;
|
|
const result = await global.pve.requestPVE("/access/ticket", "POST", null, { username: cookies.username, password: pveTicket });
|
|
if (result.status !== 200) { // check if PVE token is valid by using /access/ticket to validate ticket with Proxmox
|
|
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username did not match token." });
|
|
res.end();
|
|
return false;
|
|
}
|
|
|
|
if ((await global.userManager.getUser(userObj, cookies)) === null) { // check if user exists in database
|
|
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in database.` });
|
|
res.end();
|
|
return false;
|
|
}
|
|
|
|
if (vmpath) { // if a path is specified, check the permissions on the path
|
|
const result = await global.pve.requestPVE(`/${vmpath}/config`, "GET", { cookies });
|
|
auth = result.status === 200;
|
|
}
|
|
else { // if no path is specified, then do a simple authentication
|
|
const result = await global.pve.requestPVE("/version", "GET", { cookies });
|
|
auth = result.status === 200;
|
|
}
|
|
|
|
if (!auth) {
|
|
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "User token did not pass authentication check." });
|
|
res.end();
|
|
}
|
|
|
|
return auth;
|
|
}
|
|
|
|
/**
|
|
* Get user resource data including used, available, and maximum resources.
|
|
* @param {Object} req ProxmoxAAS API request object.
|
|
* @param {{id: string, realm: string}} user object of user to get resource data.
|
|
* @returns {{used: Object, avail: Object, max: Object, resources: Object}} used, available, maximum, and resource metadata for the specified user.
|
|
*/
|
|
export async function getUserResources (req, user) {
|
|
const dbResources = global.config.resources;
|
|
const userResources = (await global.userManager.getUser(user, req.cookies)).resources;
|
|
|
|
// setup the user resource object with used and avail for each resource and each resource pool
|
|
// also add a total counter for each resource (only used for display, not used to check requests)
|
|
for (const resourceName of Object.keys(userResources)) {
|
|
if (dbResources[resourceName].type === "list") {
|
|
userResources[resourceName].total = [];
|
|
userResources[resourceName].global.forEach((e) => {
|
|
e.used = 0;
|
|
e.avail = e.max;
|
|
const index = userResources[resourceName].total.findIndex((availEelement) => e.match === availEelement.match);
|
|
if (index === -1) {
|
|
userResources[resourceName].total.push(structuredClone(e));
|
|
}
|
|
else {
|
|
userResources[resourceName].total[index].max += e.max;
|
|
userResources[resourceName].total[index].avail += e.avail;
|
|
}
|
|
});
|
|
for (const nodeName of Object.keys(userResources[resourceName].nodes)) {
|
|
userResources[resourceName].nodes[nodeName].forEach((e) => {
|
|
e.used = 0;
|
|
e.avail = e.max;
|
|
const index = userResources[resourceName].total.findIndex((availEelement) => e.match === availEelement.match);
|
|
if (index === -1) {
|
|
userResources[resourceName].total.push(structuredClone(e));
|
|
}
|
|
else {
|
|
userResources[resourceName].total[index].max += e.max;
|
|
userResources[resourceName].total[index].avail += e.avail;
|
|
}
|
|
});
|
|
}
|
|
}
|
|
else {
|
|
const total = {
|
|
max: 0,
|
|
used: 0,
|
|
avail: 0
|
|
};
|
|
userResources[resourceName].global.used = 0;
|
|
userResources[resourceName].global.avail = userResources[resourceName].global.max;
|
|
total.max += userResources[resourceName].global.max;
|
|
total.avail += userResources[resourceName].global.avail;
|
|
for (const nodeName of Object.keys(userResources[resourceName].nodes)) {
|
|
userResources[resourceName].nodes[nodeName].used = 0;
|
|
userResources[resourceName].nodes[nodeName].avail = userResources[resourceName].nodes[nodeName].max;
|
|
total.max += userResources[resourceName].nodes[nodeName].max;
|
|
total.avail += userResources[resourceName].nodes[nodeName].avail;
|
|
}
|
|
userResources[resourceName].total = total;
|
|
}
|
|
}
|
|
|
|
const configs = await global.pve.getUserResources(user, req.cookies);
|
|
|
|
for (const vmid in configs) {
|
|
const config = configs[vmid];
|
|
const nodeName = config.node;
|
|
// count basic numeric resources
|
|
for (const resourceName of Object.keys(config)) {
|
|
// numeric resource type
|
|
if (resourceName in dbResources && dbResources[resourceName].type === "numeric") {
|
|
const val = Number(config[resourceName]);
|
|
// if the instance's node is restricted by this resource, add it to the instance's used value
|
|
if (nodeName in userResources[resourceName].nodes) {
|
|
userResources[resourceName].nodes[nodeName].used += val;
|
|
userResources[resourceName].nodes[nodeName].avail -= val;
|
|
}
|
|
// otherwise add the resource to the global pool
|
|
else {
|
|
userResources[resourceName].global.used += val;
|
|
userResources[resourceName].global.avail -= val;
|
|
}
|
|
userResources[resourceName].total.used += val;
|
|
userResources[resourceName].total.avail -= val;
|
|
}
|
|
}
|
|
// count disk resources in volumes
|
|
for (const diskid in config.volumes) {
|
|
const disk = config.volumes[diskid];
|
|
const storage = disk.storage;
|
|
const size = disk.size;
|
|
// only process disk if its storage is in the user resources to be counted
|
|
if (storage in userResources) {
|
|
// if the instance's node is restricted by this resource, add it to the instance's used value
|
|
if (nodeName in userResources[storage].nodes) {
|
|
userResources[storage].nodes[nodeName].used += size;
|
|
userResources[storage].nodes[nodeName].avail -= size;
|
|
}
|
|
// otherwise add the resource to the global pool
|
|
else {
|
|
userResources[storage].global.used += size;
|
|
userResources[storage].global.avail -= size;
|
|
}
|
|
userResources[storage].total.used += size;
|
|
userResources[storage].total.avail -= size;
|
|
}
|
|
}
|
|
// count net resources in nets
|
|
for (const netid in config.nets) {
|
|
const net = config.nets[netid];
|
|
const rate = net.rate;
|
|
if (userResources.network) {
|
|
// if the instance's node is restricted by this resource, add it to the instance's used value
|
|
if (nodeName in userResources.network.nodes) {
|
|
userResources.network.nodes[nodeName].used += rate;
|
|
userResources.network.nodes[nodeName].avail -= rate;
|
|
}
|
|
// otherwise add the resource to the global pool
|
|
else {
|
|
userResources.network.global.used += rate;
|
|
userResources.network.global.avail -= rate;
|
|
}
|
|
userResources.network.total.used += rate;
|
|
userResources.network.total.avail -= rate;
|
|
}
|
|
}
|
|
// count pci device resources in devices
|
|
for (const deviceid in config.devices) {
|
|
const device = config.devices[deviceid];
|
|
const name = device.device_name;
|
|
// if the node has a node specific rule, add it there
|
|
if (nodeName in userResources.pci.nodes) {
|
|
const index = userResources.pci.nodes[nodeName].findIndex((availEelement) => name.includes(availEelement.match));
|
|
if (index >= 0) {
|
|
userResources.pci.nodes[nodeName][index].used++;
|
|
userResources.pci.nodes[nodeName][index].avail--;
|
|
}
|
|
}
|
|
// otherwise try to add the resource to the global pool
|
|
else {
|
|
const index = userResources.pci.global.findIndex((availEelement) => name.includes(availEelement.match));
|
|
if (index >= 0) { // device resource is in the user's global list then increment it by 1
|
|
userResources.pci.global[index].used++;
|
|
userResources.pci.global[index].avail--;
|
|
}
|
|
}
|
|
// finally, add the device to the total map
|
|
const index = userResources.pci.total.findIndex((availEelement) => name.includes(availEelement.match));
|
|
if (index >= 0) {
|
|
userResources.pci.total[index].used++;
|
|
userResources.pci.total[index].avail--;
|
|
}
|
|
}
|
|
}
|
|
|
|
return userResources;
|
|
}
|
|
|
|
/**
|
|
* Check approval for user requesting additional resources. Generally, subtracts the request from available resources and ensures request can be fulfilled by the available resources.
|
|
* @param {Object} req ProxmoxAAS API request object.
|
|
* @param {{id: string, realm: string}} user object of user requesting additional resources.
|
|
* @param {Object} request k-v pairs of resources and requested amounts
|
|
* @returns {boolean} true if the available resources can fullfill the requested resources, false otherwise.
|
|
*/
|
|
export async function approveResources (req, user, request, node) {
|
|
const dbResources = global.config.resources;
|
|
const userResources = await getUserResources(req, user);
|
|
let approved = true;
|
|
Object.keys(request).every((key) => {
|
|
// if requested resource is not specified in user resources, assume it's not allowed
|
|
if (!(key in userResources)) {
|
|
approved = false;
|
|
return false;
|
|
}
|
|
|
|
const inNode = node in userResources[key].nodes;
|
|
const resourceData = inNode ? userResources[key].nodes[node] : userResources[key].global;
|
|
|
|
// if the resource type is list, check if the requested resource exists in the list
|
|
if (dbResources[key].type === "list") {
|
|
const index = resourceData.findIndex((availElement) => request[key].includes(availElement.match));
|
|
// if no matching resource when index == -1, then remaining is -1 otherwise use the remaining value
|
|
const avail = index === -1 ? false : resourceData[index].avail > 0;
|
|
if (avail !== dbResources[key].whitelist) {
|
|
approved = false;
|
|
return false;
|
|
}
|
|
}
|
|
// if either the requested or avail resource is NaN, block
|
|
else if (isNaN(resourceData.avail) || isNaN(request[key])) {
|
|
approved = false;
|
|
return false;
|
|
}
|
|
// if the avail resources is less than the requested resources, block
|
|
else if (resourceData.avail - request[key] < 0) {
|
|
approved = false;
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
});
|
|
return approved; // if all requested resources pass, allow
|
|
}
|
|
|
|
/**
|
|
* Get the hash value of an object with data values.
|
|
* @param {Object} object to be hashed.
|
|
* @param {string} alg algorithm used to get digest.
|
|
* @param {string} format format of digest.
|
|
* @returns {string} digest of hash function.
|
|
*/
|
|
export function getObjectHash (object, alg = "sha256", format = "hex") {
|
|
const hash = createHash(alg);
|
|
hash.update(JSON.stringify(object, Object.keys(object).sort()));
|
|
return hash.digest(format);
|
|
}
|
|
|
|
/**
|
|
* Get the time remaining of scheduler timeout object.
|
|
* @param {Object} timeout object to get time reamining.
|
|
* @returns {number} milliseconds remaining until next event.
|
|
*/
|
|
export function getTimeLeft (timeout) {
|
|
return Math.ceil((timeout._idleStart + timeout._idleTimeout - (global.process.uptime() * 1000)));
|
|
}
|
|
|
|
/**
|
|
* Recursively import routes from target folder.
|
|
* @param {Object} router or app object.
|
|
* @param {string} baseroute base route of imported modules starting from the current path.
|
|
* @param {string} target folder to import modules.
|
|
* @param {string} from source folder of calling module, optional for imports from the same base directory.
|
|
*/
|
|
export function recursiveImportRoutes (router, baseroute, target, from = import.meta.url) {
|
|
const thisPath = path.dirname(url.fileURLToPath(import.meta.url));
|
|
const fromPath = path.relative(".", path.dirname(url.fileURLToPath(from)));
|
|
const targetPath = path.relative(".", `${fromPath}/${target}`);
|
|
const baseImportPath = path.relative(thisPath, targetPath);
|
|
const files = fs.readdirSync(targetPath);
|
|
files.forEach((file) => {
|
|
if (file.endsWith(".js")) {
|
|
const path = `./${baseImportPath}/${file}`;
|
|
const route = `${baseroute}/${file.replace(".js", "")}`;
|
|
import(path).then((module) => {
|
|
router.use(route, module.router);
|
|
});
|
|
console.log(`routes: loaded ${path} as ${route}`);
|
|
}
|
|
});
|
|
}
|
|
|
|
export function readJSONFile (path) {
|
|
try {
|
|
return JSON.parse(readFileSync(path));
|
|
}
|
|
catch (e) {
|
|
console.log(`error: ${path} was not found.`);
|
|
exit(1);
|
|
}
|
|
};
|
|
|
|
/**
|
|
*
|
|
* @param {*} username
|
|
* @returns {Object | null} user object containing username and realm or null if user does not exist
|
|
*/
|
|
export function getUserObjFromUsername (username) {
|
|
if (username) {
|
|
const userRealm = username.split("@").at(-1);
|
|
const userID = username.replace(`@${userRealm}`, "");
|
|
const userObj = { id: userID, realm: userRealm };
|
|
return userObj;
|
|
}
|
|
else {
|
|
return null;
|
|
}
|
|
}
|