From cee5583b3dfff0b68dbb42a93ec90f4d4f1bd7b3 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Tue, 10 Dec 2013 10:38:42 +0100
Subject: [PATCH] implement helper to generate SPICE remote-viewer
 configuration

Moved read_x509_subject_spice() from PVE::QemuServer.
Depend on libnet-ssleay-perl.
---
 PVE/AccessControl.pm | 52 ++++++++++++++++++++++++++++++++++++++++++++
 control.in           |  2 +-
 2 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index f03f6b5..a745651 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -5,6 +5,7 @@ use warnings;
 use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
+use Net::SSLeay;
 use MIME::Base64;
 use Digest::SHA;
 use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print);
@@ -277,6 +278,57 @@ sub verify_spice_connect_url {
     return undef;
 }
 
+sub read_x509_subject_spice {
+    my ($filename) = @_;
+
+    # read x509 subject
+    my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+    Net::SSLeay::BIO_free($bio);
+    my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
+    my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
+    Net::SSLeay::X509_free($x509);
+  
+    # remote-viewer wants comma as seperator (not '/')
+    $subject =~ s!^/!!;
+    $subject =~ s!/(\w+=)!,$1!g;
+
+    return $subject;
+}
+
+# helper to generate SPICE remote-viewer configuration
+sub remote_viewer_config {
+    my ($authuser, $vmid, $node, $proxy, $title, $port) = @_;
+
+    if (!$proxy) {
+	my $host = `hostname -f` || PVE::INotify::nodename();
+	chomp $host;
+	$proxy = $host;
+    }
+
+    my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node);
+
+    my $filename = "/etc/pve/local/pve-ssl.pem";
+    my $subject = read_x509_subject_spice($filename);
+
+    my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
+    $cacert =~ s/\n/\\n/g;
+
+    my $config = {
+	type => 'spice',
+	title => $title,
+	host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject'
+	proxy => "http://$proxy:3128",
+	'tls-port' => $port,
+	'host-subject' => $subject,
+	ca => $cacert,
+	password => $ticket,
+	'delete-this-file' => 1,
+    };
+
+    return ($ticket, $proxyticket, $config);
+}
+
 sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;
 
diff --git a/control.in b/control.in
index a441ee0..7cf9e9b 100644
--- a/control.in
+++ b/control.in
@@ -3,7 +3,7 @@ Version: @@VERSION@@-@@PKGRELEASE@@
 Section: perl
 Priority: optional
 Architecture: @@ARCH@@
-Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl
+Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl
 Maintainer: Proxmox Support Team <support@proxmox.com>
 Description: Proxmox VE access control library
  This package contains the role based user management and access
-- 
2.39.2