implement helper to generate SPICE remote-viewer configuration

Moved read_x509_subject_spice() from PVE::QemuServer.
Depend on libnet-ssleay-perl.

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index f03f6b5bba4e67fbb6f2a90d9210d62e344f37be..a745651f762cd21b52776ac2eedbe357daf4c165 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -5,6 +5,7 @@ use warnings;
 use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
+use Net::SSLeay;
 use MIME::Base64;
 use Digest::SHA;
 use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print);
@@ -277,6 +278,57 @@ sub verify_spice_connect_url {
     return undef;
 }
 
+sub read_x509_subject_spice {
+    my ($filename) = @_;
+
+    # read x509 subject
+    my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+    Net::SSLeay::BIO_free($bio);
+    my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
+    my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
+    Net::SSLeay::X509_free($x509);
+  
+    # remote-viewer wants comma as seperator (not '/')
+    $subject =~ s!^/!!;
+    $subject =~ s!/(\w+=)!,$1!g;
+
+    return $subject;
+}
+
+# helper to generate SPICE remote-viewer configuration
+sub remote_viewer_config {
+    my ($authuser, $vmid, $node, $proxy, $title, $port) = @_;
+
+    if (!$proxy) {
+       my $host = `hostname -f` || PVE::INotify::nodename();
+       chomp $host;
+       $proxy = $host;
+    }
+
+    my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node);
+
+    my $filename = "/etc/pve/local/pve-ssl.pem";
+    my $subject = read_x509_subject_spice($filename);
+
+    my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
+    $cacert =~ s/\n/\\n/g;
+
+    my $config = {
+       type => 'spice',
+       title => $title,
+       host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject'
+       proxy => "http://$proxy:3128",
+       'tls-port' => $port,
+       'host-subject' => $subject,
+       ca => $cacert,
+       password => $ticket,
+       'delete-this-file' => 1,
+    };
+
+    return ($ticket, $proxyticket, $config);
+}
+
 sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;
 

diff --git a/control.in b/control.in
index a441ee026ce67e76f48cae0a36bdca2f9e8f1c2f..7cf9e9b283ca8caa7dc9c58055e7ed3f8a538402 100644 (file)
--- a/control.in
+++ b/control.in
@@ -3,7 +3,7 @@ Version: @@VERSION@@-@@PKGRELEASE@@
 Section: perl
 Priority: optional
 Architecture: @@ARCH@@
-Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl
+Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl
 Maintainer: Proxmox Support Team <support@proxmox.com>
 Description: Proxmox VE access control library
  This package contains the role based user management and access