[pve-devel] [PATCH xtermjs] check ticket via api instead of verify_vnc_ticket
Dominik Csapak
d.csapak at proxmox.com
Thu Dec 7 10:52:34 CET 2017
Since we do not want to depend on libpve-access-control,
we check the ticket via the API on http://localhost:85.
This means we have to pass the path and permission via the command line.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
debian/control | 2 +-
src/PVE/CLI/termproxy.pm | 44 ++++++++++++++++++++++++++++++++++++--------
src/www/main.js | 9 +--------
3 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/debian/control b/debian/control
index 79b3ec9..419f7e2 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Standards-Version: 3.8.3
Package: pve-xtermjs
Architecture: any
-Depends: libpve-access-control (>= 5.0-7),
+Depends: liblwp-protocol-https-perl,
libpve-common-perl (>= 5.0-23),
${misc:Depends}
Description: HTML/JS Shell client
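Review bot: The new dependency liblwp-protocol-https-perl adds HTTPS support for LWP, but the only request introduced in src/PVE/CLI/termproxy.pm goes to plain `http://localhost:85`, so nothing in this patch exercises TLS. If no HTTPS endpoint is intended, the dependency can be narrowed to `libwww-perl`, which is the package that actually provides `LWP::UserAgent` (liblwp-protocol-https-perl only works because it pulls libwww-perl in transitively). If a later switch to https is planned, saying so in the commit message would make the choice deliberate rather than accidental.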
diff --git a/src/PVE/CLI/termproxy.pm b/src/PVE/CLI/termproxy.pm
index c45eb50..3932f55 100644
--- a/src/PVE/CLI/termproxy.pm
+++ b/src/PVE/CLI/termproxy.pm
@@ -6,21 +6,39 @@ use warnings;
use PVE::RPCEnvironment;
use PVE::CLIHandler;
use PVE::JSONSchema qw(get_standard_option);
-use PVE::AccessControl;
use PVE::PTY;
+use LWP::UserAgent;
use IO::Select;
use IO::Socket::IP;
use base qw(PVE::CLIHandler);
use constant MAX_QUEUE_LEN => 16*1024;
+use constant DEFAULT_PATH => '/';
+use constant DEFAULT_PERM => 'Sys.Console';
sub setup_environment {
PVE::RPCEnvironment->setup_default_cli_env();
}
+sub verify_ticket {
+ my ($ticket, $user, $path, $perm) = @_;
+
+ my $ua = LWP::UserAgent->new();
+
+ my $res = $ua->post ('http://localhost:85/api2/json/access/ticket', Content => {
+ username => $user,
+ password => $ticket,
+ path => $path,
+ privs => $perm, });
+
+ if (!$res->is_success) {
+ die "Authentication failed: '$res->status_line'\n";
+ }
+}
+
sub listen_and_authenticate {
- my ($port, $timeout) = @_;
+ my ($port, $timeout, $path, $perm) = @_;
my $params = {
Listen => 1,
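Review bot: The failure message in verify_ticket never shows the HTTP status: inside a double-quoted string `$res->status_line` interpolates `$res` (stringified as `HTTP::Response=HASH(0x…)`) followed by the literal text `->status_line`, because Perl only expands `->[...]` and `->{...}` after a scalar in a string. Concatenate instead: `die "Authentication failed: '" . $res->status_line . "'\n";`. The user agent is also created without a timeout, so a stalled API endpoint keeps the client waiting for LWP's default of 180 seconds, far longer than the 10-second authentication window passed to listen_and_authenticate further down in this patch; `my $ua = LWP::UserAgent->new(timeout => 10);` would bound it to the same budget. listen_and_authenticate's body continues outside the hunk.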
@@ -42,13 +60,11 @@ sub listen_and_authenticate {
my $queue;
my $n = sysread($client, $queue, 4096);
- if ($n && $queue =~ s/^([^:]+):([^:]+):(.+)\n//) {
+ if ($n && $queue =~ s/^([^:]+):(.+)\n//) {
my $user = $1;
- my $path = $2;
- my $ticket = $3;
+ my $ticket = $2;
- die "authentication failed\n"
- if !PVE::AccessControl::verify_vnc_ticket($ticket, $user, $path);
+ verify_ticket($ticket, $user, $path, $perm);
die "aknowledge failed\n"
if !syswrite($client, "OK");
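Review bot: The new pattern `^([^:]+):(.+)\n` changes the wire protocol, so a client still sending the old `user:path:ticket` line has `path:ticket` captured as the ticket and is rejected by verify_ticket; main.js is updated in the same patch, but the requirement that client and termproxy be upgraded together deserves a comment above the regex, e.g. `# client sends "<user>:<ticket>\n"; path and privs come from the command line`. Since `(.+)` is greedy the ticket may itself contain colons, which is presumably why only the user part is restricted to `[^:]+`; stating that in the same comment would stop a future "tightening" of the capture. listen_and_authenticate starts and ends outside the hunk.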
@@ -194,6 +210,16 @@ __PACKAGE__->register_method ({
type => 'integer',
description => "The port to listen on."
},
+ path => {
+ type => 'string',
+ description => "The Authentication path. (default: '".DEFAULT_PATH."')",
+ default => DEFAULT_PATH,
+ },
+ perm => {
+ type => 'string',
+ description => "The Authentication Permission. (default: '".DEFAULT_PERM."')",
+ default => DEFAULT_PERM,
+ },
'extra-args' => get_standard_option('extra-args'),
},
},
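Review bot: The new `path` and `perm` properties carry a `default` but no `optional => 1`; if PVE::JSONSchema treats a property without `optional` as required, as the other PVE CLI schemas do, invocations that omit them are rejected during validation and the `// DEFAULT_PATH` / `// DEFAULT_PERM` fallbacks added in the next hunk never apply. Add `optional => 1,` to both properties if they are meant to be omittable, which the defaults and the fallbacks suggest. Either way it would be good to settle on one mechanism — schema `default` or the `//` in the handler — rather than carrying both. The register_method call starts and ends outside the hunk.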
@@ -208,7 +234,9 @@ __PACKAGE__->register_method ({
die "No command given\n";
}
- my ($queue, $handle) = listen_and_authenticate($param->{port}, 10);
+ my $path = $param->{path} // DEFAULT_PATH;
+ my $perm = $param->{perm} // DEFAULT_PERM;
+ my ($queue, $handle) = listen_and_authenticate($param->{port}, 10, $path, $perm);
run_pty($cmd, $handle, $queue);
diff --git a/src/www/main.js b/src/www/main.js
index a489937..62ec1c1 100644
--- a/src/www/main.js
+++ b/src/www/main.js
@@ -13,7 +13,6 @@ var term,
socketURL,
socket,
ticket,
- path,
resize,
ping,
state = states.start;
@@ -89,18 +88,12 @@ function createTerminal() {
switch (type) {
case 'kvm':
url += '/qemu/' + vmid;
- path = '/vms/' + vmid;
break;
case 'lxc':
url += '/lxc/' + vmid;
- path = '/vms/' + vmid;
- break;
- case 'shell':
- path = '/nodes/' + nodename;
break;
case 'upgrade':
params.upgrade = 1;
- path = '/nodes/' + nodename;
break;
}
API2Request({
@@ -161,7 +154,7 @@ function runTerminal() {
}, 250);
});
- socket.send(PVE.UserName + ':' + path + ':' + ticket + "\n");
+ socket.send(PVE.UserName + ':' + ticket + "\n");
setTimeout(function() {term.fit();}, 250);
}
--
2.11.0