[pdm-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 11 09:29:10 CET 2025
our termproxy will issue a call to this endpoint on pvedaemon to verify the VNC
ticket passed by a client. with PDM, the shell client is actually using a PVE
token to authenticate, and the VNC ticket is owned by this token as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
v1: replaces modifying the existing ticket call, since that is not really an
option for PBS/PDM
src/PVE/API2/AccessControl.pm | 60 +++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 457a0a6..23d03cd 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -322,6 +322,66 @@ __PACKAGE__->register_method({
},
});
+__PACKAGE__->register_method({
+ name => 'verify_vnc_ticket',
+ path => 'vncticket',
+ method => 'POST',
+ permissions => {
+ description => "You need to pass valid credientials.",
+ user => 'world',
+ },
+ protected => 1, # else we can't access authkey files
+ description => "verify VNC authentication ticket.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ authid => {
+ description => "UserId or token",
+ type => 'string',
+ maxLength => 64,
+ },
+ vncticket => {
+ description => "The VNC ticket.",
+ type => 'string',
+ },
+ path => {
+ description => "Verify ticket, and check if user have access 'privs' on 'path'",
+ type => 'string',
+ maxLength => 64,
+ },
+ privs => {
+ description => "Verify ticket, and check if user have access 'privs' on 'path'",
+ type => 'string',
+ format => 'pve-priv-list',
+ maxLength => 64,
+ },
+ },
+ },
+ returns => { type => "null" },
+ code => sub {
+ my ($param) = @_;
+
+ my $auth_id = $param->{authid};
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $res = eval {
+ my $normpath = PVE::AccessControl::normalize_path($param->{path});
+ PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $auth_id, $normpath);
+ };
+ if (my $err = $@) {
+ my $clientip = $rpcenv->get_client_ip() || '';
+ syslog('err', "authentication failure; rhost=$clientip user=$auth_id msg=$err");
+ # do not return any info to prevent user enumeration attacks
+ die PVE::Exception->new("authentication failure\n", code => 401);
+ }
+
+ PVE::Cluster::log_msg('info', 'root at pam', "successful auth for user '$auth_id'");
+
+ return undef;
+ },
+});
+
__PACKAGE__->register_method({
name => 'change_password',
path => 'password',
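Review bot: The `privs` parameter is required by the schema and both `path` and `privs` are described as "check if user have access 'privs' on 'path'", yet the `code` sub never reads `$param->{privs}` — it only calls `PVE::AccessControl::verify_vnc_ticket()` against `$normpath`, so a caller's privileges on that path are never checked here. Either perform the check inside the `eval` after the ticket is verified, e.g. `$rpcenv->check($auth_id, $normpath, [ split(/\s*,\s*/, $param->{privs}) ]);` (mirroring the existing ticket endpoint, which is outside this hunk), or drop `privs` and reword the two copy-pasted descriptions so the endpoint does not promise a check it does not make; failing closed is important since this endpoint is reachable with `user => 'world'`. `$res` is assigned from the `eval` but never used, so `my $res = eval { ... };` can be a plain `eval { ... };`. Minor: "credientials" in the `permissions` description is a typo, and the literal `'root at pam'` in the `log_msg` call looks like a mailing-list rewrite of `root@pam` rather than the actual source text.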
--
2.47.3