check ticket via api instead of verify_vnc_ticket

since we do not want to depend on libpve-accesscontrol,
we check the ticket via the api on http://localhost:85

this means we have to pass the path and permission via the commandline

diff --git a/debian/control b/debian/control
index 79b3ec929c59c0b7dd6c2b3e18c3257412fd86a4..c9215880e7f7591b9cb7a30d72016e74aa3afb4e 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -7,8 +7,8 @@ Standards-Version: 3.8.3
 
 Package: pve-xtermjs
 Architecture: any
-Depends: libpve-access-control (>= 5.0-7),
-         libpve-common-perl (>= 5.0-23),
+Depends: libpve-common-perl (>= 5.0-23),
+         libwww-perl,
          ${misc:Depends}
 Description: HTML/JS Shell client
  This is an xterm.js client for PVE Host, Container and Qemu Serial Terminal

diff --git a/src/PVE/CLI/termproxy.pm b/src/PVE/CLI/termproxy.pm
index c45eb509fe7a9bb23cc2186cd921a5c540e55b99..3932f55e945859f4dda4d04ae41458fc371c08c0 100644 (file)
--- a/src/PVE/CLI/termproxy.pm
+++ b/src/PVE/CLI/termproxy.pm
@@ -6,21 +6,39 @@ use warnings;
 use PVE::RPCEnvironment;
 use PVE::CLIHandler;
 use PVE::JSONSchema qw(get_standard_option);
-use PVE::AccessControl;
 use PVE::PTY;
+use LWP::UserAgent;
 use IO::Select;
 use IO::Socket::IP;
 
 use base qw(PVE::CLIHandler);
 
 use constant MAX_QUEUE_LEN => 16*1024;
+use constant DEFAULT_PATH => '/';
+use constant DEFAULT_PERM => 'Sys.Console';
 
 sub setup_environment {
     PVE::RPCEnvironment->setup_default_cli_env();
 }
 
+sub verify_ticket {
+    my ($ticket, $user, $path, $perm) = @_;
+
+    my $ua = LWP::UserAgent->new();
+
+    my $res = $ua->post ('http://localhost:85/api2/json/access/ticket', Content => {
+                        username => $user,
+                        password => $ticket,
+                        path => $path,
+                        privs => $perm, });
+
+    if (!$res->is_success) {
+       die "Authentication failed: '$res->status_line'\n";
+    }
+}
+
 sub listen_and_authenticate {
-    my ($port, $timeout) = @_;
+    my ($port, $timeout, $path, $perm) = @_;
 
     my $params = {
        Listen => 1,
@@ -42,13 +60,11 @@ sub listen_and_authenticate {
 
     my $queue;
     my $n = sysread($client, $queue, 4096);
-    if ($n && $queue =~ s/^([^:]+):([^:]+):(.+)\n//) {
+    if ($n && $queue =~ s/^([^:]+):(.+)\n//) {
        my $user = $1;
-       my $path = $2;
-       my $ticket = $3;
+       my $ticket = $2;
 
-       die "authentication failed\n"
-           if !PVE::AccessControl::verify_vnc_ticket($ticket, $user, $path);
+       verify_ticket($ticket, $user, $path, $perm);
 
        die "aknowledge failed\n"
            if !syswrite($client, "OK");
@@ -194,6 +210,16 @@ __PACKAGE__->register_method ({
                type => 'integer',
                description => "The port to listen on."
            },
+           path => {
+               type => 'string',
+               description => "The Authentication path. (default: '".DEFAULT_PATH."')",
+               default => DEFAULT_PATH,
+           },
+           perm => {
+               type => 'string',
+               description => "The Authentication Permission. (default: '".DEFAULT_PERM."')",
+               default => DEFAULT_PERM,
+           },
            'extra-args' => get_standard_option('extra-args'),
        },
     },
@@ -208,7 +234,9 @@ __PACKAGE__->register_method ({
            die "No command given\n";
        }
 
-       my ($queue, $handle) = listen_and_authenticate($param->{port}, 10);
+       my $path = $param->{path} // DEFAULT_PATH;
+       my $perm = $param->{perm} // DEFAULT_PERM;
+       my ($queue, $handle) = listen_and_authenticate($param->{port}, 10, $path, $perm);
 
        run_pty($cmd, $handle, $queue);
 

diff --git a/src/www/main.js b/src/www/main.js
index a489937354f81af503fdc635278a1aee01ef2322..62ec1c1846dc2cccd39ae3cbe5f7345ac74e58ed 100644 (file)
--- a/src/www/main.js
+++ b/src/www/main.js
@@ -13,7 +13,6 @@ var term,
     socketURL,
     socket,
     ticket,
-    path,
     resize,
     ping,
     state = states.start;
@@ -89,18 +88,12 @@ function createTerminal() {
     switch (type) {
        case 'kvm':
            url += '/qemu/' + vmid;
-           path = '/vms/' + vmid;
            break;
        case 'lxc':
            url += '/lxc/' + vmid;
-           path = '/vms/' + vmid;
-           break;
-       case 'shell': 
-           path = '/nodes/' + nodename;
            break;
        case 'upgrade':
            params.upgrade = 1;
-           path = '/nodes/' + nodename;
            break;
     }
     API2Request({
@@ -161,7 +154,7 @@ function runTerminal() {
        }, 250);
     });
 
-    socket.send(PVE.UserName + ':' + path + ':' + ticket + "\n");
+    socket.send(PVE.UserName + ':' + ticket + "\n");
 
     setTimeout(function() {term.fit();}, 250);
 }