From 3fb99a5e8c229885602198bea4dce26bcf0fcc4f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 10 Jun 2020 17:12:02 +0200
Subject: [serversetup-bwlp-ipxe] Start refactoring ipxe script generator

This is WIP. Mostly restored all the old functionality.
Boot entries are fetched when selected, not embedded in the main script,
so password protection is a bit stronger.
Hopefully allows for other script generators in the future.
---
 .../inc/scriptbuilderipxe.inc.php                  | 522 +++++++++++++++++++++
 1 file changed, 522 insertions(+)
 create mode 100644 modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php

(limited to 'modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php')

diff --git a/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php b/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php
new file mode 100644
index 00000000..23c4bd70
--- /dev/null
+++ b/modules-available/serversetup-bwlp-ipxe/inc/scriptbuilderipxe.inc.php
@@ -0,0 +1,522 @@
+<?php
+
+class ScriptBuilderIpxe extends ScriptBuilderBase
+{
+
+	private function getUrlBase()
+	{
+		if (isset($_SERVER['REQUEST_URI'])) {
+			$url = parse_url($_SERVER['REQUEST_URI']);
+			if (isset($_SERVER['SCRIPT_URI']) && preg_match('#^(\w+://[^/]+)#', $_SERVER['SCRIPT_URI'], $out)) {
+				$urlbase = $out[1];
+			} elseif (isset($_SERVER['REQUEST_SCHEME']) && isset($_SERVER['SERVER_NAME'])) {
+				$urlbase = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['SERVER_NAME'];
+			} elseif (isset($_SERVER['REQUEST_SCHEME']) && isset($_SERVER['SERVER_ADDR'])) {
+				$urlbase = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['SERVER_ADDR'];
+			} else {
+				$urlbase = 'http://' . $this->serverIp;
+			}
+			return $urlbase . $url['path'];
+		}
+		// Static fallback
+		return 'http://' . $this->serverIp . '/boot/ipxe';
+
+	}
+
+	private function getUrlFull(&$hasExt, $key = null, $value = null)
+	{
+		$url = parse_url($_SERVER['REQUEST_URI']);
+		$urlbase = $this->getUrlBase();
+		if (empty($url['query'])) {
+			$fromQuery = [];
+		} else {
+			parse_str($url['query'], $fromQuery);
+			foreach ($fromQuery as &$v) {
+				$v = urlencode($v);
+			}
+			unset($v);
+		}
+		unset($fromQuery['menuid'], $fromQuery['entryid'], $fromQuery['special']);
+		if ($key !== null) {
+			$fromQuery[$key] = $value;
+		}
+		$hasExt = isset($fromQuery['slx-extensions']);
+		$required = [
+			'uuid' => '${uuid}',
+			'mac' => '${mac}',
+			'manuf' => '${manufacturer:uristring}',
+			'product' => '${product:uristring}',
+			'platform' => '${platform:uristring}',
+		];
+		$fullQuery = '?';
+		foreach ($required + $fromQuery as $k => $v) { // Loop instead of http_build_query since we don't want escaping for the varnames!
+			$fullQuery .= $k . '=' . $v . '&';
+		}
+		return $urlbase . $fullQuery;
+	}
+
+	/**
+	 * Redirect to same URL, but add our extended params
+	 */
+	private function redirect($key = null, $value = null)
+	{
+		// Redirect to self with added parameters
+		$urlfull = $this->getUrlFull($hasExt, $key, $value);
+		if ($hasExt) {
+			$output = "#!ipxe\nset self {$urlfull} ||\n";
+		} else {
+			$output = <<<HERE
+#!ipxe
+set slxtest:string something ||
+iseq \${slxtest:md5} \${} && set slxext 0 || set slxext 1 ||
+clear slxtest ||
+set self {$urlfull}slx-extensions=\${slxext} ||
+
+HERE;
+		}
+		$output .= <<<HERE
+:retry
+echo Chaining to \${self}
+chain -ar \${self} ||
+echo Chaining to self failed with \${errno}, retrying in a bit...
+sleep 5
+goto retry
+
+HERE;
+		return $output;
+	}
+
+	public function fallback()
+	{
+		// Check if required arguments are given; if not, spit out according script and chain to self
+		$uuid = Request::any('uuid', false, 'string');
+		error_log("Got UUID='$uuid' PLATF='" . $this->platform . "'");
+		if ($uuid === false || $this->platform === '') {
+			// REQUIRED so we can hide incompatible entries
+			return $this->redirect();
+		}
+
+		$menu = IPxeMenu::forClient($this->clientIp, $uuid);
+		$out = $this->menuCheckAutostart($menu);
+		if (!empty($out))
+			return "#!ipxe\nimgfree ||\n" . $out;
+
+		return "#!ipxe\nimgfree ||\n" . $this->menuToScript($menu);
+	}
+
+	public function getMenu($menuId)
+	{
+		$menu = IPxeMenu::get($menuId, true);
+		$base = $this->getUrlFull($he);
+		return "#!ipxe\nset self {$base} ||\n" . $this->menuToScript($menu);
+	}
+
+
+	/**
+	 * @param IPxeMenu $menu
+	 */
+	public function menuToScript($menu)
+	{
+		if ($this->hasExtension) {
+			$slxConsoleUpdate = '--update';
+			$slxPasswordOnly = '--nouser';
+		} else {
+			$slxConsoleUpdate = '';
+			$slxPasswordOnly = '';
+		}
+
+		$serverIp = $this->serverIp;
+		$output = <<<HERE
+:start
+
+imgstat bg-menu || imgfetch --name bg-menu /tftp/pxe-menu.png ||
+console --left 55 --top 88 --right 63 --bottom 64 --keep --picture bg-menu ||
+
+colour --rgb 0xffffff 7
+colour --rgb 0xcccccc 5
+colour --rgb 0x000000 0
+colour --rgb 0xdddddd 6
+cpair --foreground 0 --background 4 1
+cpair --foreground 0 --background 5 2
+cpair --foreground 7 --background 9 0
+
+:slx_menu
+
+console --left 55 --top 88 --right 63 --bottom 64 $slxConsoleUpdate --keep --picture bg-menu ||
+
+menu -- {$menu->title} || prompt Error creating menu ||
+
+HERE;
+		foreach ($menu->items as $item) {
+			$output .= $this->getMenuItemScript($menu->defaultEntryId, $item);
+		}
+		if ($menu->defaultEntryId === null) {
+			$default = "poweroff || exit 1 ||";
+		} else {
+			$default = "chain -a \${self}&entryid={$menu->defaultEntryId} ||";
+		}
+		$output .= "choose";
+		if ($menu->timeoutMs > 0) {
+			$output .= " --timeout {$menu->timeoutMs}";
+		}
+		$output .= " selection || goto default || goto fail\n";
+		$output .= <<<HERE
+console --left 60 --top 130 --right 67 --bottom 86 $slxConsoleUpdate ||
+chain -a \${self}&entryid=\${selection} ||
+goto fail || goto start
+goto \${target} ||
+echo Could not find menu entry in script.
+prompt Press any key to continue.
+goto start
+:default
+$default
+:fail
+prompt Boot failed. Press any key to start.
+goto start
+
+HERE;
+
+		/*
+
+		:i5
+		chain -a /tftp/memtest.0 passes=1 onepass || goto membad
+		prompt Memory OK. Press a key.
+		goto init
+
+		:i8
+		set x:int32 0
+		:again
+		console --left 60 --top 130 --right 67 --bottom 96 --picture bg-load --keep ||
+		console --left 55 --top 88 --right 63 --bottom 64 --picture bg-menu --keep ||
+		inc x
+		iseq \${x} 20 || goto again
+		prompt DONE. Press dein Knie.
+		goto slx_menu
+
+		:membad
+		iseq \${errno} 0x1 || goto memaborted
+		params
+		param scrot \${vram}
+		imgfetch -a http://132.230.8.113/screen.php##params ||
+		prompt Memory is bad. Press a key.
+		goto init
+
+		:memaborted
+		params
+		param scrot \${vram}
+		imgfetch -a http://132.230.8.113/screen.php##params ||
+		prompt Memory test aborted. Press a key.
+		goto init
+
+		*/
+		return $output;
+	}
+
+	/**
+	 * @param $requestedDefaultId
+	 * @param MenuEntry $entry
+	 * @return string
+	 */
+	private function getMenuItemScript($requestedDefaultId, $entry)
+	{
+		if ($entry->bootEntry === null || (!empty($this->platform) && !$entry->bootEntry->supportsMode($this->platform)))
+			return '';
+		$str = 'item ';
+		if ($entry->gap) {
+			$str .= '--gap -- ';
+		} else {
+			if ($entry->hidden && $this->hasExtension) {
+				if ($entry->hotkey === false)
+					return ''; // Hidden entries without hotkey are illegal
+				$str .= '--hidden ';
+			}
+			if ($entry->hotkey !== false) {
+				$str .= '--key ' . $entry->hotkey . ' ';
+			}
+			if ($entry->menuentryid == $requestedDefaultId) {
+				$str .= '--default ';
+			}
+			$str .= "-- {$entry->menuentryid} ";
+		}
+		if (empty($entry->title)) {
+			$str .= '${}';
+		} else {
+			$str .= $entry->title;
+		}
+		return $str . " || prompt Could not create menu item for {$entry->menuentryid}\n";
+	}
+
+	public function getSpecial($special)
+	{
+		if ($special === 'localboot') {
+			// Get preferred localboot method, depending on system model
+			// Check if required arguments are given; if not, spit out according script and chain to self
+			$uuid = Request::any('uuid', false, 'string');
+			// Get platform - EFI or PCBIOS
+			$manuf = Request::any('manuf', false, 'string');
+			$product = Request::any('product', false, 'string');
+			if ($uuid === false && $manuf === false && $product === false) {
+				return $this->redirect('special', 'localboot');
+			}
+			$BOOT_METHODS = Localboot::BOOT_METHODS[$this->platform];
+			$localboot = false;
+			$model = false;
+			if ($uuid !== false && Module::get('statistics') !== false) {
+				// If we have the machine table, we rather try to look up the system model from there, using the UUID
+				$row = Database::queryFirst('SELECT systemmodel FROM machine WHERE machineuuid = :uuid', ['uuid' => $uuid]);
+				if ($row !== false && !empty($row['systemmodel'])) {
+					$model = $row['systemmodel'];
+				}
+			}
+			if ($model === false) {
+				// Otherwise use what iPXE sent us
+				$manuf = $this->modfilt($manuf);
+				$product = $this->modfilt($product);
+				if (!empty($product)) {
+					$model = $product;
+					if (!empty($manuf)) {
+						$model .= " ($manuf)";
+					}
+				}
+			}
+			// Query
+			if ($model !== false) {
+				$e = strtolower($this->platform); // We made sure $this->platform is either PCBIOS or EFI, so no injection possible
+				$row = Database::queryFirst("SELECT $e AS bootmethod FROM serversetup_localboot WHERE systemmodel = :model LIMIT 1",
+					['model' => $model]);
+				if ($row !== false) {
+					$localboot = $row['bootmethod'];
+				}
+			}
+			if ($localboot === false || !isset($BOOT_METHODS[$localboot])) {
+				$localboot = Localboot::getDefault()[$this->platform];
+				if (!isset($BOOT_METHODS[$localboot])) {
+					$localboot = array_keys($BOOT_METHODS)[0];
+				}
+			}
+			// Convert to actual ipxe code
+			if (isset($BOOT_METHODS[$localboot])) {
+				$localboot = $BOOT_METHODS[$localboot];
+			} else {
+				$localboot = 'prompt Localboot not possible';
+			}
+			$output = <<<BLA
+imgfree ||
+console ||
+$localboot || goto fail
+
+BLA;
+
+			//
+		} else {
+			$output = "prompt --timeout 5000 Unknown special command '$special' ||\nchain -ar \${self}\n";
+		}
+		return $output;
+	}
+
+	public function output($string)
+	{
+		setlocale(LC_ALL, 'de_DE.UTF-8', 'de_DE.utf-8', 'de_DE.utf8', 'de_DE', 'de', 'German', 'ge', 'en_US.UTF-8', 'en_US.utf-8');
+		if ($this->platform === 'EFI') {
+			$cs = 'ASCII';
+		} else {
+			$cs = 'IBM437';
+		}
+		Header('Content-Type: text/plain; charset=' . $cs);
+
+		echo iconv('UTF-8', $cs . '//TRANSLIT//IGNORE', $string);
+	}
+
+	public function modfilt($str)
+	{
+		if (empty($str) || preg_match('/product\s+name|be\s+filled|unknown|default\s+string|system\s+model|manufacturer/i', $str))
+			return false;
+		return trim(preg_replace('/\s+/', ' ', $str));
+	}
+
+	/**
+	 * @param IPxeMenu $menu
+	 */
+	private function menuCheckAutostart($menu)
+	{
+		// If this is a menu with a single item, treat a timeout of 0 as "boot immediately" instead of "infinite"
+		if ($menu->itemCount() === 1 && $menu->timeoutMs() === 0 && ($tmp = $menu->getDefaultEntryId()) !== null) {
+			if (empty($menu->items[0]->md5pass)) {
+				return $menu->items[0]->getBootEntryScript($this);
+			} else {
+				return $this->passwordDialog($menu->items[0]);
+			}
+		}
+		return '';
+	}
+
+	const PROP_PW_SALT = 'ipxe.salt.';
+
+	/**
+	 * @param MenuEntry $menuEntryId
+	 */
+	private function passwordDialog($entry)
+	{
+		if ($this->hasExtension) {
+			$salt = dechex(mt_rand(0x100000, 0xFFFFFF));
+			Property::addToList(self::PROP_PW_SALT . $this->clientIp, $salt, 5);
+			return <<<HERE
+set password \${} ||
+login --nouser ||
+set password \${password:md5}-{$entry->menuentryid}
+set password \${password:md5}$salt
+params
+param pwhash \${password:md5}
+chain -a \${self}&entryid={$entry->menuentryid}##params || goto fail ||
+
+HERE;
+		}
+		return <<<HERE
+set username PASSWORD ONLY ||
+login ||
+params
+param pwplain \${password}
+chain -a \${self}&entryid={$entry->menuentryid}##params || goto fail ||
+
+HERE;
+	}
+
+	public function getMenuEntry($menuEntryId)
+	{
+		$entry = MenuEntry::get($menuEntryId);
+		if ($entry === null)
+			return "#!ipxe\nprompt --timeout 10000 Invalid menu entry id: $menuEntryId\n";
+		$base = $this->getUrlBase();
+		// Make sure legacy variables are set; they might get used
+		$output = <<<HERE
+#!ipxe
+set ipappend1 ip=\${ip}:{$this->serverIp}:\${gateway}:\${netmask}
+set ipappend2 BOOTIF=01-\${mac:hexhyp}
+set serverip {$this->serverIp} ||
+iseq \${idx} \${} && set idx:string X ||
+iseq \${self} \${} && set self {$base}? ||
+
+HERE;
+		// Check for password
+		if (!empty($entry->md5pass)) { // TODO: This should be split out so we can unconditionally get entry code
+			$pwh = Request::post('pwhash', false, 'string');
+			$pwp = Request::post('pwplain', false, 'string');
+			if ($pwh === false && $pwp === false) {
+				return $output . $this->passwordDialog($entry);
+			}
+			$ok = false;
+			if ($pwh !== false) {
+				$list = Property::getList(self::PROP_PW_SALT . $this->clientIp);
+				foreach ($list as $salt) {
+					if ($pwh === md5($entry->md5pass . $salt)) {
+						$ok = true;
+						break;
+					}
+				}
+			}
+			if (!$ok && $pwp !== false && !empty($entry->plainpass)) {
+				$ok = ($pwp === $entry->plainpass);
+			}
+			if (!$ok) {
+				return $output . "prompt --timeout 10000 Wrong password ||\n";
+			}
+		}
+		// Output actual entry
+		$output .= str_replace('%fail%', 'fail', $entry->getBootEntryScript($this));
+		$output .= <<<HERE
+
+goto end
+:fail
+prompt --timeout 5000 Error launching selected boot entry ||
+:end
+
+HERE;
+		return $output;
+	}
+
+	public function execDataToScript($agnostic, $bios, $efi) : string
+	{
+		if ($agnostic !== null)
+			return $this->execDataToScriptInternal($agnostic) . "\ngoto fail\n";
+
+		if (empty($this->platform)) {
+			// output dynamic code that decides client-side
+			$biosLabel = $this->getLabel();
+			$output = 'iseq ${platform} efi || goto ' . $biosLabel . "\n";
+			// EFI
+			if ($efi !== null) {
+				$output .= $this->execDataToScriptInternal($efi) . "\n";
+			} else {
+				$output .= "echo EFI not supported\n";
+			}
+			$output .=  "goto fail\n"
+				. ':' . $biosLabel . "\n";
+			if ($bios !== null) {
+				$output .= $this->execDataToScriptInternal($bios) . "\n";
+			} else {
+				$output .= "echo BIOS not supported\n";
+			}
+			return $output . "goto fail\n";
+		}
+		// static, we know in advance
+		return $this->execDataToScriptInternal($bios ?? $efi ?? new ExecData()) . "\ngoto fail\n";
+	}
+
+	private function execDataToScriptInternal(ExecData $entry) : string
+	{
+		$entry->sanitize();
+		$script = '';
+		if ($entry->resetConsole) {
+			$script .= "console ||\n";
+		}
+		if ($entry->imageFree) {
+			$script .= "imgfree ||\n";
+		}
+		foreach ($entry->dhcpOptions as $opt) {
+			if (empty($opt['value'])) {
+				$val = '${}';
+			} else {
+				if (empty($opt['hex'])) {
+					$val = bin2hex($opt['value']);
+				} else {
+					$val = $opt['value'];
+				}
+				preg_match_all('/[0-9a-f]{2}/', $val, $out);
+				$val = implode(':', $out[0]);
+			}
+			$script .= 'set net${idx}/' . $opt['opt'] . ':hex ' . $val
+				. ' || prompt Cannot override DHCP server option ' . $opt['opt'] . ". Press any key to continue anyways.\n";
+		}
+		$initrds = [];
+		if (!empty($entry->initRd)) {
+			foreach (array_values($entry->initRd) as $i => $initrd) {
+				if (empty($initrd))
+					continue;
+				$script .= "initrd --name initrd$i $initrd || goto fail\n";
+				$initrds[] = "initrd$i";
+			}
+		}
+		$script .= "boot ";
+		if ($entry->autoUnload) {
+			$script .= "-a ";
+		}
+		if ($entry->replace) {
+			$script .= "-r ";
+		}
+		$script .= $entry->executable;
+		if (!empty($initrds)) {
+			foreach ($initrds as $initrd) {
+				$script .= " initrd=$initrd";
+			}
+		}
+		if (!empty($entry->commandLine)) {
+			$script .= ' ' . $entry->commandLine;
+		}
+		$script .= " || goto fail\n";
+		if ($entry->resetConsole) {
+			$script .= "goto start ||\n";
+		}
+		return $script;
+	}
+
+}
-- 
cgit v1.2.3-55-g7522