X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=a745651f762cd21b52776ac2eedbe357daf4c165;hb=cee5583b3dfff0b68dbb42a93ec90f4d4f1bd7b3;hp=f03f6b5bba4e67fbb6f2a90d9210d62e344f37be;hpb=e4f8fc2e7e5f31691629a5361000636f8a2b2398;p=pve-access-control.git

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index f03f6b5..a745651 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -5,6 +5,7 @@ use warnings;
 use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
+use Net::SSLeay;
 use MIME::Base64;
 use Digest::SHA;
 use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print);
@@ -277,6 +278,57 @@ sub verify_spice_connect_url {
     return undef;
 }
 
+sub read_x509_subject_spice {
+    my ($filename) = @_;
+
+    # read x509 subject
+    my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+    Net::SSLeay::BIO_free($bio);
+    my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
+    my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
+    Net::SSLeay::X509_free($x509);
+  
+    # remote-viewer wants comma as seperator (not '/')
+    $subject =~ s!^/!!;
+    $subject =~ s!/(\w+=)!,$1!g;
+
+    return $subject;
+}
+
+# helper to generate SPICE remote-viewer configuration
+sub remote_viewer_config {
+    my ($authuser, $vmid, $node, $proxy, $title, $port) = @_;
+
+    if (!$proxy) {
+	my $host = `hostname -f` || PVE::INotify::nodename();
+	chomp $host;
+	$proxy = $host;
+    }
+
+    my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node);
+
+    my $filename = "/etc/pve/local/pve-ssl.pem";
+    my $subject = read_x509_subject_spice($filename);
+
+    my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
+    $cacert =~ s/\n/\\n/g;
+
+    my $config = {
+	type => 'spice',
+	title => $title,
+	host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject'
+	proxy => "http://$proxy:3128",
+	'tls-port' => $port,
+	'host-subject' => $subject,
+	ca => $cacert,
+	password => $ticket,
+	'delete-this-file' => 1,
+    };
+
+    return ($ticket, $proxyticket, $config);
+}
+
 sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;