Since we do not want to depend on libpve-access-control,
we check the ticket via the API on http://localhost:85.
This means we have to pass the path and permission via the command line.
Package: pve-xtermjs
Architecture: any
Package: pve-xtermjs
Architecture: any
-Depends: libpve-access-control (>= 5.0-7),
- libpve-common-perl (>= 5.0-23),
+Depends: libpve-common-perl (>= 5.0-23),
+ libwww-perl,
${misc:Depends}
Description: HTML/JS Shell client
This is an xterm.js client for PVE Host, Container and Qemu Serial Terminal
${misc:Depends}
Description: HTML/JS Shell client
This is an xterm.js client for PVE Host, Container and Qemu Serial Terminal
use PVE::RPCEnvironment;
use PVE::CLIHandler;
use PVE::JSONSchema qw(get_standard_option);
use PVE::RPCEnvironment;
use PVE::CLIHandler;
use PVE::JSONSchema qw(get_standard_option);
use IO::Select;
use IO::Socket::IP;
use base qw(PVE::CLIHandler);
use constant MAX_QUEUE_LEN => 16*1024;
use IO::Select;
use IO::Socket::IP;
use base qw(PVE::CLIHandler);
use constant MAX_QUEUE_LEN => 16*1024;
+use constant DEFAULT_PATH => '/';
+use constant DEFAULT_PERM => 'Sys.Console';
sub setup_environment {
PVE::RPCEnvironment->setup_default_cli_env();
}
sub setup_environment {
PVE::RPCEnvironment->setup_default_cli_env();
}
+sub verify_ticket {
+ my ($ticket, $user, $path, $perm) = @_;
+
+ my $ua = LWP::UserAgent->new();
+
+ my $res = $ua->post ('http://localhost:85/api2/json/access/ticket', Content => {
+ username => $user,
+ password => $ticket,
+ path => $path,
+ privs => $perm, });
+
+ if (!$res->is_success) {
+ die "Authentication failed: '$res->status_line'\n";
+ }
+}
+
sub listen_and_authenticate {
sub listen_and_authenticate {
- my ($port, $timeout) = @_;
+ my ($port, $timeout, $path, $perm) = @_;
my $params = {
Listen => 1,
my $params = {
Listen => 1,
my $queue;
my $n = sysread($client, $queue, 4096);
my $queue;
my $n = sysread($client, $queue, 4096);
- if ($n && $queue =~ s/^([^:]+):([^:]+):(.+)\n//) {
+ if ($n && $queue =~ s/^([^:]+):(.+)\n//) {
- my $path = $2;
- my $ticket = $3;
- die "authentication failed\n"
- if !PVE::AccessControl::verify_vnc_ticket($ticket, $user, $path);
+ verify_ticket($ticket, $user, $path, $perm);
die "aknowledge failed\n"
if !syswrite($client, "OK");
die "aknowledge failed\n"
if !syswrite($client, "OK");
type => 'integer',
description => "The port to listen on."
},
type => 'integer',
description => "The port to listen on."
},
+ path => {
+ type => 'string',
+ description => "The Authentication path. (default: '".DEFAULT_PATH."')",
+ default => DEFAULT_PATH,
+ },
+ perm => {
+ type => 'string',
+ description => "The Authentication Permission. (default: '".DEFAULT_PERM."')",
+ default => DEFAULT_PERM,
+ },
'extra-args' => get_standard_option('extra-args'),
},
},
'extra-args' => get_standard_option('extra-args'),
},
},
die "No command given\n";
}
die "No command given\n";
}
- my ($queue, $handle) = listen_and_authenticate($param->{port}, 10);
+ my $path = $param->{path} // DEFAULT_PATH;
+ my $perm = $param->{perm} // DEFAULT_PERM;
+ my ($queue, $handle) = listen_and_authenticate($param->{port}, 10, $path, $perm);
run_pty($cmd, $handle, $queue);
run_pty($cmd, $handle, $queue);
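Review bot: In verify_ticket the failure message `die "Authentication failed: '$res->status_line'\n";` never calls the method, because Perl interpolates only `$res` inside a double-quoted string, so the output would be the stringified response object followed by the literal text `->status_line`. Build the message by concatenation instead: `die "Authentication failed: '" . $res->status_line . "'\n";`. The check still fails closed, since the die is reached either way, but the HTTP status is what an operator needs when diagnosing rejected tickets. No `use LWP::UserAgent;` appears among the added lines shown here; if the module is not loaded elsewhere in the file, it should be added next to the other `use` lines. The user agent is also created without an explicit `timeout`, so a stalled local API could hold the authentication step open for LWP's default of 180 seconds; passing a short `timeout => ...` to `LWP::UserAgent->new` would bound that.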
socketURL,
socket,
ticket,
socketURL,
socket,
ticket,
resize,
ping,
state = states.start;
resize,
ping,
state = states.start;
switch (type) {
case 'kvm':
url += '/qemu/' + vmid;
switch (type) {
case 'kvm':
url += '/qemu/' + vmid;
break;
case 'lxc':
url += '/lxc/' + vmid;
break;
case 'lxc':
url += '/lxc/' + vmid;
- path = '/vms/' + vmid;
- break;
- case 'shell':
- path = '/nodes/' + nodename;
break;
case 'upgrade':
params.upgrade = 1;
break;
case 'upgrade':
params.upgrade = 1;
- path = '/nodes/' + nodename;
- socket.send(PVE.UserName + ':' + path + ':' + ticket + "\n");
+ socket.send(PVE.UserName + ':' + ticket + "\n");
setTimeout(function() {term.fit();}, 250);
}
setTimeout(function() {term.fit();}, 250);
}