In the ticket and CSRF prevention token verification methods we used
a raise_perm exception to tell our caller about a failure of such a
verification. raise_perm uses HTTP_FORBIDDEN (403) as code.
Earlier, all such exceptions or dies were caught when the anyevent
http server called the auth_handler method and transformed to
HTTP_UNAUTHORIZED (401).
With commit d8327719e353198a1dffad88c246fee065054a6b from
pve-http-server we gained the ability to tell a client about a server
internal 5XX error, so that clients do not get wrongly logged out if
we have an internal error.
This also resulted in the effect that the exceptions of the
verify_rsa_ticket and verify_csrf_prevention_token sub methods were
passed to the client.
If an old, now invalid, ticket was sent to the server a client got
403 (FORBIDDEN) instead of the 401 (UNAUTHORIZED) - which he was used
to, and thus meant that he did some wrongdoing, instead of knowing
that he just needs to login.
As we are not yet logged in here, and thus cannot possibly know if
the call is forbidden or not, HTTP_FORBIDDEN seems the wrong code.
Change it to HTTP_UNAUTHORIZED, which restores it to the code we told
API clients since ever and is the correct one here.
Also RFC 2068 section 10.4.4 [1] defines that for the aforementioned
verify methods FORBIDDEN was not really correct:
> 403 Forbidden
>
> The server understood the request, but is refusing to fulfill it.
> Authorization will not help and the request SHOULD NOT be
> repeated. [...]
With an invalid ticket or CSRF prevention token we have an
authorization problem for the current call, not a permission problem
(we may have, but we can't tell yet).
[1] https://tools.ietf.org/html/rfc2068#section-10.4.4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Converting from 0.5 GB to MB resulted in 0 MB.
With this patch it correctly returns 512.
Also add tests and catch more errors.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
* Cancel on Ctrl+C (die())
* Finish on Ctrl+D (eof/eot) without appending a newline
* Also finish on \n to be sure.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Most of the time a port was requested for a specified IP family (v4, v6)
only. Thus also ensure that the port from the respective family got
ready, else we may return on a false positive.
As we had no user setting the $timeout param we can add the $family
param as second one, it'll get used more often, so no need to put it
at the back.
As we do nothing if not defined this does not change the behavior of
our users yet.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The hash slice did not work as intended here, it only returned the keys
from the last element defined in the slice, thus not all workers got
a TERM.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reverts a hunk of 0da5a3e43b which removed checking &
untainting of pids from the PVE_DAEMON_WORKER_PIDS env var.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Else this option is not really useful. First, sending a SIGTERM lets
the children exit, not quite what "leave_children_open_on_reload"
promises.
The problem this causes is that we may get a time window where no
worker is active and thus, for example, our API daemon would not
accept connections during a restart (or better said, reload).
So, don't request termination of any child worker, if this option is
set, but rather just restart (re-exec) ourselves, start up a new set of
workers and only then request the termination of the old ones,
allowing a fully seamless reload.
This is only done on `$daemon-exe restart` and thus on
`systemctl reload $daemon`, systemctl restart or any other stop start
cycles always exit all other workers first.
This expects that the worker can do a graceful termination on
SIGTERM, which is already the case for anything using our AnyEvent
based class (which is base of our HTTPServer module).
Graceful termination here means the following: the worker accepts
no new work and exits immediately after the current queued work is
done.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
When we do not instantly get the lock we print a respective message
to stderr. This also shows up in the task logs, and if it's the last
message before a 'Task OK' the UI gets confused and shows the task as
erroneous.
Keep the message as it's good feedback for the user to see why an op
seems to do nothing, so simply add a trailing newline.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Encode the result or the error in JSON. This way complex objects or
exceptions may be passed to the parent in a generic way.
This allows removing the second pipe 'pipe_err'.
Also allow returning undef without any warnings to our caller.
This avoids a "use of uninitialized variable ..." warning.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
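The single-pipe JSON hand-off described in this commit, as an added example that is not part of the commit or of pve-common; run_in_child and the sample payloads are my own:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;
use POSIX ();

# Run $code in a forked child and hand its return value, or the exception
# it died with, back to the parent as JSON over one pipe. Hypothetical
# helper named run_in_child here; not the pve-common routine.
sub run_in_child {
    my ($code) = @_;
    pipe(my $reader, my $writer) or die "pipe failed: $!\n";
    my $pid = fork();
    die "fork failed: $!\n" if !defined $pid;

    if ($pid == 0) {    # child: sends either {result => ...} or {error => ...}
        close $reader;
        my $msg = eval { +{ result => scalar($code->()) } };
        $msg = { error => "$@" } if $@;
        print {$writer} JSON::PP->new->encode($msg);
        close $writer;
        POSIX::_exit(0);    # do not run the parent's END blocks a second time
    }

    close $writer;
    my $raw = do { local $/; <$reader> };    # slurp until the child closes
    close $reader;
    waitpid($pid, 0);
    die "child $pid sent no data\n" if !defined $raw || $raw eq '';
    my $msg = JSON::PP->new->decode($raw);
    die $msg->{error} if defined $msg->{error};    # re-raise in the parent
    return $msg->{result};    # JSON null decodes to undef, no warning
}

# constructed sample payloads
my $data = run_in_child(sub { return { pid => $$, list => [ 1, 2, 3 ] } });
print "structured result @{$data->{list}} from child $data->{pid}\n";

my $nothing = run_in_child(sub { return undef });
print "undef result arrived without a warning\n" if !defined $nothing;

my $ok = eval { run_in_child(sub { die "worker failed on purpose\n" }); 1 };
print "child exception propagated: $@" if !$ok;
```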
This makes our man pages follow the GNU long option recommendations
where non-single character options are prefixed with a double hyphen
(https://www.gnu.org/software/libc/manual/html_node/Argument-Syntax.html)
The benefit for PVE is that our documentation looks more similar to what
a user with previous Linux knowledge is used to.
Our bash autocompletion helper only completes options using double hyphens too.
We often need to convert between file sizes, for formatting output,
but also code-internally. Some methods expect kilobytes, some gigabytes
and sometimes we need bytes.
While conversion from smaller to bigger units can be simply done with
a left-shift, the opposite conversion may need more attention -
depending on the used context.
If we allocate disks this is quite critical. For example, if we need
to allocate a disk with size 1023 bytes using the
PVE::Storage::vdisk_alloc method (which expects kilobytes) a
right shift by 10 (<=> division by 1024) would result in "0", which
obviously fails.
Thus we round up the converted value if a remainder was lost on the
transformation in this new method. This behaviour is opt-out, to be
on the safe side.
The method can be used in a clear way, as it gives information about
the source and target unit size, unlike "$var *= 1024", which doesn't
give direct information at all, if not commented or derived
somewhere from its context.
For example:
> my $size = convert_unit($value, 'gb' => 'kb');
is more clear than:
> my $size = $value*1024*1024;
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
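An added illustration of the unit conversion and round-up described in this commit and of the 0.5 GB to MB fix further above; this convert_unit and its %unit_size table are my own, not the pve-common implementation:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(ceil floor);

# Size of each unit in bytes (my own table, assumed for this example).
my %unit_size = (
    b  => 1,
    kb => 1024,
    mb => 1024 * 1024,
    gb => 1024 * 1024 * 1024,
    tb => 1024 * 1024 * 1024 * 1024,
);

# Convert $value from unit $from to unit $to. Going to a bigger unit can
# lose a remainder, so the result is rounded up unless $no_round_up is
# set: 1023 bytes become 1 KB, not 0, which a disk allocation would
# reject. Multiplication and division are used instead of shifts so that
# a fractional input such as 0.5 GB is not truncated to 0 first.
sub convert_unit {
    my ($value, $from, $to, $no_round_up) = @_;
    die "value '" . ($value // 'undef') . "' is not a non-negative number\n"
        if !defined($value) || $value !~ /^\d+(?:\.\d+)?$/;
    my $from_size = $unit_size{ lc $from } // die "unknown unit '$from'\n";
    my $to_size   = $unit_size{ lc $to }   // die "unknown unit '$to'\n";

    my $exact = $value * $from_size / $to_size;
    return $no_round_up ? floor($exact) : ceil($exact);
}

# constructed sample conversions, the last one with round-up disabled
for my $case ([1023, 'b', 'kb'], [0.5, 'gb', 'mb'], [1, 'gb', 'kb'],
              [1023, 'b', 'kb', 1]) {
    my ($value, $from, $to, $no_round_up) = @$case;
    printf "%s %s -> %s %s%s\n", $value, uc $from,
        convert_unit(@$case), uc $to, $no_round_up ? ' (no round up)' : '';
}

# a malformed value is reported instead of silently becoming 0
eval { convert_unit('1,5', 'gb', 'mb') };
print "rejected: $@" if $@;
```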
Perl's 'local' must either be used in front of each $SIG{...}
assignment or they must be put in a list, else it affects only the
first variable and the rest are *not* in local context.
This may cause weird behaviour where daemons seemingly do not get
terminating signals delivered correctly and thus may not shut down
gracefully anymore.
As we only send SIGINT to processes if a manual stop action gets
triggered just catch this one here.
As this is a general method which allows passing an arbitrary code
payload we cannot sanely handle all signals here, so remove trapping
all others besides SIGINT; if those need to be trapped that should be
done by the caller on a case by case basis.
Fixes: #1495
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
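The 'local' pitfall from this commit as an added example (my own code, not pve-common's): the chained assignment localizes only the first %SIG entry, the hash-slice form localizes all of them, and run_trapping_int is a hypothetical helper mirroring the "trap SIGINT only" decision above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my @signals = qw(INT TERM HUP);

# Names of the signals that still have a code-ref handler installed.
sub installed_handlers {
    return join ',', grep { ref($SIG{$_}) eq 'CODE' } @signals;
}

# Wrong: 'local' binds only to $SIG{INT}. TERM and HUP are assigned
# globally and keep the handler after the block is left.
sub after_chained_assignment {
    {
        local $SIG{INT} = $SIG{TERM} = $SIG{HUP} = sub { die "got SIG$_[0]\n" };
    }
    return installed_handlers();
}

# Right: localize all entries at once via a hash slice (or write 'local'
# in front of each single assignment). Everything is restored on exit.
sub after_slice_assignment {
    {
        local @SIG{@signals} = (sub { die "got SIG$_[0]\n" }) x @signals;
    }
    return installed_handlers();
}

# Mirrors what the commit describes: only SIGINT is trapped, as that is
# the one signal sent on a manual stop; anything else is up to the caller.
sub run_trapping_int {
    my ($code) = @_;
    local $SIG{INT} = sub { die "interrupted\n" };
    return $code->();
}

printf "leaked after chained assignment: [%s]\n", after_chained_assignment();
$SIG{$_} = 'DEFAULT' for @signals;    # clean up the leaked handlers
printf "leaked after slice assignment:   [%s]\n", after_slice_assignment();
printf "trapping only INT, result: %s\n", run_trapping_int(sub { 'work done' });
```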
25d9bda941 broke this check,
but it is a better idea to check against the actual type
rather than the rendered type text anyway.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Don't die because the tasklist could not be broadcasted, just log the
error.
Else we may hinder all tasks from running with a quite confusing error (i.e.
"ipcc_send_rec: file to big").
This may happen if there are a lot of currently running tasks at once.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we return early from this function if the $rest_env singleton doesn't
evaluate to true yet, so this check is useless here.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>