--- /dev/null
+use std::cmp::min;
+use std::collections::HashMap;
+use std::ffi::OsString;
+use std::io::{ErrorKind, Write};
+use std::os::unix::io::{AsRawFd, FromRawFd};
+use std::os::unix::process::CommandExt;
+use std::process::Command;
+use std::time::{Duration, Instant};
+
+use anyhow::{bail, format_err, Result};
+use clap::Arg;
+use mio::net::{TcpListener, TcpStream};
+use mio::unix::SourceFd;
+use mio::{Events, Interest, Poll, Token};
+
+use proxmox_io::ByteBuffer;
+use proxmox_lang::error::io_err_other;
+use proxmox_sys::linux::pty::{make_controlling_terminal, PTY};
+
+const MSG_TYPE_DATA: u8 = 0;
+const MSG_TYPE_RESIZE: u8 = 1;
+//const MSG_TYPE_PING: u8 = 2;
+
+fn remove_number(buf: &mut ByteBuffer) -> Option<usize> {
+ loop {
+ if let Some(pos) = &buf.iter().position(|&x| x == b':') {
+ let data = buf.remove_data(*pos);
+ buf.consume(1); // the ':'
+ let len = match std::str::from_utf8(&data) {
+ Ok(lenstring) => match lenstring.parse() {
+ Ok(len) => len,
+ Err(err) => {
+ eprintln!("error parsing number: '{}'", err);
+ break;
+ }
+ },
+ Err(err) => {
+ eprintln!("error parsing number: '{}'", err);
+ break;
+ }
+ };
+ return Some(len);
+ } else if buf.len() > 20 {
+ buf.consume(20);
+ } else {
+ break;
+ }
+ }
+ None
+}
+
+fn process_queue(buf: &mut ByteBuffer, pty: &mut PTY) -> Option<usize> {
+ if buf.is_empty() {
+ return None;
+ }
+
+ loop {
+ if buf.len() < 2 {
+ break;
+ }
+
+ let msgtype = buf[0] - b'0';
+
+ if msgtype == MSG_TYPE_DATA {
+ buf.consume(2);
+ if let Some(len) = remove_number(buf) {
+ return Some(len);
+ }
+ } else if msgtype == MSG_TYPE_RESIZE {
+ buf.consume(2);
+ if let Some(cols) = remove_number(buf) {
+ if let Some(rows) = remove_number(buf) {
+ pty.set_size(cols as u16, rows as u16).ok()?;
+ }
+ }
+ // ignore incomplete messages
+ } else {
+ buf.consume(1);
+ // ignore invalid or ping (msgtype 2)
+ }
+ }
+
+ None
+}
+
+type TicketResult = Result<(Box<[u8]>, Box<[u8]>)>;
+
+/// Reads from the stream and returns the first line and the rest
+fn read_ticket_line(
+ stream: &mut TcpStream,
+ buf: &mut ByteBuffer,
+ timeout: Duration,
+) -> TicketResult {
+ let mut poll = Poll::new()?;
+ poll.registry()
+ .register(stream, Token(0), Interest::READABLE)?;
+ let mut events = Events::with_capacity(1);
+
+ let now = Instant::now();
+ let mut elapsed = Duration::new(0, 0);
+
+ loop {
+ poll.poll(&mut events, Some(timeout - elapsed))?;
+ if !events.is_empty() {
+ match buf.read_from(stream) {
+ Ok(n) => {
+ if n == 0 {
+ bail!("connection closed before authentication");
+ }
+ }
+ Err(err) if err.kind() == ErrorKind::WouldBlock => {}
+ Err(err) => return Err(err.into()),
+ }
+
+ if buf[..].contains(&b'\n') {
+ break;
+ }
+
+ if buf.is_full() {
+ bail!("authentication data is incomplete: {:?}", &buf[..]);
+ }
+ }
+
+ elapsed = now.elapsed();
+ if elapsed > timeout {
+ bail!("timed out");
+ }
+ }
+
+ let newline_idx = &buf[..].iter().position(|&x| x == b'\n').unwrap();
+
+ let line = buf.remove_data(*newline_idx);
+ buf.consume(1); // discard newline
+
+ match line.iter().position(|&b| b == b':') {
+ Some(pos) => {
+ let (username, ticket) = line.split_at(pos);
+ Ok((username.into(), ticket[1..].into()))
+ }
+ None => bail!("authentication data is invalid"),
+ }
+}
+
+fn authenticate(
+ username: &[u8],
+ ticket: &[u8],
+ path: &str,
+ perm: Option<&str>,
+ authport: u16,
+ port: Option<u16>,
+) -> Result<()> {
+ let mut post_fields: Vec<(&str, &str)> = Vec::with_capacity(5);
+ post_fields.push(("username", std::str::from_utf8(username)?));
+ post_fields.push(("password", std::str::from_utf8(ticket)?));
+ post_fields.push(("path", path));
+ if let Some(perm) = perm {
+ post_fields.push(("privs", perm));
+ }
+ let port_str;
+ if let Some(port) = port {
+ port_str = port.to_string();
+ post_fields.push(("port", &port_str));
+ }
+
+ let url = format!("http://localhost:{}/api2/json/access/ticket", authport);
+
+ match ureq::post(&url).send_form(&post_fields[..]) {
+ Ok(res) if res.status() == 200 => Ok(()),
+ Ok(res) | Err(ureq::Error::Status(_, res)) => {
+ let code = res.status();
+ bail!("invalid authentication - {} {}", code, res.status_text())
+ }
+ Err(err) => bail!("authentication request failed - {}", err),
+ }
+}
+
+fn listen_and_accept(
+ hostname: &str,
+ port: u64,
+ port_as_fd: bool,
+ timeout: Duration,
+) -> Result<(TcpStream, u16)> {
+ let listener = if port_as_fd {
+ unsafe { std::net::TcpListener::from_raw_fd(port as i32) }
+ } else {
+ std::net::TcpListener::bind((hostname, port as u16))?
+ };
+ let port = listener.local_addr()?.port();
+ let mut listener = TcpListener::from_std(listener);
+ let mut poll = Poll::new()?;
+
+ poll.registry()
+ .register(&mut listener, Token(0), Interest::READABLE)?;
+
+ let mut events = Events::with_capacity(1);
+
+ let now = Instant::now();
+ let mut elapsed = Duration::new(0, 0);
+
+ loop {
+ poll.poll(&mut events, Some(timeout - elapsed))?;
+ if !events.is_empty() {
+ let (stream, client) = listener.accept()?;
+ println!("client connection: {:?}", client);
+ return Ok((stream, port));
+ }
+
+ elapsed = now.elapsed();
+ if elapsed > timeout {
+ bail!("timed out");
+ }
+ }
+}
+
+fn run_pty<'a>(mut full_cmd: impl Iterator<Item = &'a OsString>) -> Result<PTY> {
+ let cmd_exe = full_cmd.next().unwrap();
+ let params = full_cmd; // rest
+
+ let (mut pty, secondary_name) = PTY::new().map_err(io_err_other)?;
+
+ let mut filtered_env: HashMap<OsString, OsString> = std::env::vars_os()
+ .filter(|&(ref k, _)| {
+ k == "PATH"
+ || k == "USER"
+ || k == "HOME"
+ || k == "LANG"
+ || k == "LANGUAGE"
+ || k.to_string_lossy().starts_with("LC_")
+ })
+ .collect();
+ filtered_env.insert("TERM".into(), "xterm-256color".into());
+
+ let mut command = Command::new(cmd_exe);
+
+ command.args(params).env_clear().envs(&filtered_env);
+
+ unsafe {
+ command.pre_exec(move || {
+ make_controlling_terminal(&secondary_name).map_err(io_err_other)?;
+ Ok(())
+ });
+ }
+
+ command.spawn()?;
+
+ pty.set_size(80, 20)?;
+ Ok(pty)
+}
+
+const TCP: Token = Token(0);
+const PTY: Token = Token(1);
+
+fn do_main() -> Result<()> {
+ let matches = clap::builder::Command::new("termproxy")
+ .trailing_var_arg(true)
+ .arg(
+ Arg::new("port")
+ .num_args(1)
+ .required(true)
+ .value_parser(clap::value_parser!(u64)),
+ )
+ .arg(Arg::new("authport").num_args(1).long("authport"))
+ .arg(Arg::new("use-port-as-fd").long("port-as-fd"))
+ .arg(Arg::new("path").num_args(1).long("path").required(true))
+ .arg(Arg::new("perm").num_args(1).long("perm"))
+ .arg(
+ Arg::new("cmd")
+ .value_parser(clap::value_parser!(OsString))
+ .num_args(1..)
+ .required(true),
+ )
+ .get_matches();
+
+ let port: u64 = *matches.get_one("port").unwrap();
+ let path = matches.get_one::<String>("path").unwrap();
+ let perm = matches.get_one::<String>("perm").map(|x| x.as_str());
+ let full_cmd: clap::parser::ValuesRef<OsString> = matches.get_many("cmd").unwrap();
+ let authport: u16 = *matches.get_one("authport").unwrap_or(&85);
+ let use_port_as_fd = matches.contains_id("use-port-as-fd");
+
+ if use_port_as_fd && port > u16::MAX as u64 {
+ return Err(format_err!("port too big"));
+ } else if port > i32::MAX as u64 {
+ return Err(format_err!("Invalid FD number"));
+ }
+
+ let (mut tcp_handle, port) =
+ listen_and_accept("localhost", port, use_port_as_fd, Duration::new(10, 0))
+ .map_err(|err| format_err!("failed waiting for client: {}", err))?;
+
+ let mut pty_buf = ByteBuffer::new();
+ let mut tcp_buf = ByteBuffer::new();
+
+ let (username, ticket) = read_ticket_line(&mut tcp_handle, &mut pty_buf, Duration::new(10, 0))
+ .map_err(|err| format_err!("failed reading ticket: {}", err))?;
+ let port = if use_port_as_fd { Some(port) } else { None };
+ authenticate(&username, &ticket, &path, perm.as_deref(), authport, port)?;
+ tcp_handle.write_all(b"OK").expect("error writing response");
+
+ let mut poll = Poll::new()?;
+ let mut events = Events::with_capacity(128);
+
+ let mut pty = run_pty(full_cmd)?;
+
+ poll.registry().register(
+ &mut tcp_handle,
+ TCP,
+ Interest::READABLE | Interest::WRITABLE,
+ )?;
+ poll.registry().register(
+ &mut SourceFd(&pty.as_raw_fd()),
+ PTY,
+ Interest::READABLE | Interest::WRITABLE,
+ )?;
+
+ let mut tcp_writable = true;
+ let mut pty_writable = true;
+ let mut tcp_readable = true;
+ let mut pty_readable = true;
+ let mut remaining = 0;
+ let mut finished = false;
+
+ while !finished {
+ if tcp_readable && !pty_buf.is_full() || pty_readable && !tcp_buf.is_full() {
+ poll.poll(&mut events, Some(Duration::new(0, 0)))?;
+ } else {
+ poll.poll(&mut events, None)?;
+ }
+
+ for event in &events {
+ let writable = event.is_writable();
+ let readable = event.is_readable();
+ if event.is_read_closed() {
+ finished = true;
+ }
+ match event.token() {
+ TCP => {
+ if readable {
+ tcp_readable = true;
+ }
+ if writable {
+ tcp_writable = true;
+ }
+ }
+ PTY => {
+ if readable {
+ pty_readable = true;
+ }
+ if writable {
+ pty_writable = true;
+ }
+ }
+ _ => unreachable!(),
+ }
+ }
+
+ while tcp_readable && !pty_buf.is_full() {
+ let bytes = match pty_buf.read_from(&mut tcp_handle) {
+ Ok(bytes) => bytes,
+ Err(err) if err.kind() == ErrorKind::WouldBlock => {
+ tcp_readable = false;
+ break;
+ }
+ Err(err) => {
+ if !finished {
+ return Err(format_err!("error reading from tcp: {}", err));
+ }
+ break;
+ }
+ };
+ if bytes == 0 {
+ finished = true;
+ break;
+ }
+ }
+
+ while pty_readable && !tcp_buf.is_full() {
+ let bytes = match tcp_buf.read_from(&mut pty) {
+ Ok(bytes) => bytes,
+ Err(err) if err.kind() == ErrorKind::WouldBlock => {
+ pty_readable = false;
+ break;
+ }
+ Err(err) => {
+ if !finished {
+ return Err(format_err!("error reading from pty: {}", err));
+ }
+ break;
+ }
+ };
+ if bytes == 0 {
+ finished = true;
+ break;
+ }
+ }
+
+ while !tcp_buf.is_empty() && tcp_writable {
+ let bytes = match tcp_handle.write(&tcp_buf[..]) {
+ Ok(bytes) => bytes,
+ Err(err) if err.kind() == ErrorKind::WouldBlock => {
+ tcp_writable = false;
+ break;
+ }
+ Err(err) => {
+ if !finished {
+ return Err(format_err!("error writing to tcp : {}", err));
+ }
+ break;
+ }
+ };
+ tcp_buf.consume(bytes);
+ }
+
+ while !pty_buf.is_empty() && pty_writable {
+ if remaining == 0 {
+ remaining = match process_queue(&mut pty_buf, &mut pty) {
+ Some(val) => val,
+ None => break,
+ };
+ }
+ let len = min(remaining, pty_buf.len());
+ let bytes = match pty.write(&pty_buf[..len]) {
+ Ok(bytes) => bytes,
+ Err(err) if err.kind() == ErrorKind::WouldBlock => {
+ pty_writable = false;
+ break;
+ }
+ Err(err) => {
+ if !finished {
+ return Err(format_err!("error writing to pty : {}", err));
+ }
+ break;
+ }
+ };
+ remaining -= bytes;
+ pty_buf.consume(bytes);
+ }
+ }
+
+ Ok(())
+}
+
+fn main() {
+ std::process::exit(match do_main() {
+ Ok(_) => 0,
+ Err(err) => {
+ eprintln!("{}", err);
+ 1
+ }
+ });
+}