[pve-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification

[Fabian Grünbichler]

our termproxy will issue a call to this endpoint on pvedaemon to verify the VNC
ticket passed by a client. with PDM, the shell client is actually using a PVE
token to authenticate, and the VNC ticket is owned by this token as well.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    best viewed with -w

    alternatively, we could change termproxy to do this directly in
    Rust instead of doing an API call..

 src/PVE/API2/AccessControl.pm | 40 +++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 457a0a6..a22c700 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -274,31 +274,45 @@ __PACKAGE__->register_method({
         my $username = $param->{username};
         $username .= "\@$param->{realm}" if $param->{realm};
 
-        $username = PVE::AccessControl::lookup_username($username);
+        my $token_vnc_ticket_only = PVE::AccessControl::pve_verify_tokenid($username, 1) && $param->{path} && $param->{privs};
+
+        $username = PVE::AccessControl::lookup_username($username) if !$token_vnc_ticket_only;
         my $rpcenv = PVE::RPCEnvironment::get();
 
         my $res;
         eval {
-            # test if user exists and is enabled
-            $rpcenv->check_user_enabled($username);
-
-            if ($param->{path} && $param->{privs}) {
+            # special case VNC ticket check by termproxy
+            if ($token_vnc_ticket_only) {
                 $res = verify_auth(
                     $rpcenv,
                     $username,
                     $param->{password},
-                    $param->{otp},
+                    undef,
                     $param->{path},
                     $param->{privs},
                 );
             } else {
-                $res = create_ticket_do(
-                    $rpcenv,
-                    $username,
-                    $param->{password},
-                    $param->{otp},
-                    $param->{'tfa-challenge'},
-                );
+                # test if user exists and is enabled
+                $rpcenv->check_user_enabled($username);
+
+                if ($param->{path} && $param->{privs}) {
+                    $res = verify_auth(
+                        $rpcenv,
+                        $username,
+                        $param->{password},
+                        $param->{otp},
+                        $param->{path},
+                        $param->{privs},
+                    );
+                } else {
+                    $res = create_ticket_do(
+                        $rpcenv,
+                        $username,
+                        $param->{password},
+                        $param->{otp},
+                        $param->{'tfa-challenge'},
+                    );
+                }
             }
         };
         if (my $err = $@) {
-- 
2.47.3