From 5e91985c9029cba252330c15eb3903c8c3c0eb3b Mon Sep 17 00:00:00 2001
From: Dominik Csapak
Date: Thu, 7 Dec 2017 10:50:36 +0100
Subject: [PATCH] check ticket via api instead of verify_vnc_ticket

since we do not want to depend on libpve-accesscontrol, we check the ticket via the api on http://localhost:85 this means we have to pass the path and permission via the commandline
---
 debian/control | 4 ++--
 src/PVE/CLI/termproxy.pm | 44 ++++++++++++++++++++++++++++++++--------
 src/www/main.js | 9 +-------
 3 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/debian/control b/debian/control
index 79b3ec9..c921588 100644
--- a/debian/control
+++ b/debian/control
@@ -7,8 +7,8 @@ Standards-Version: 3.8.3
 Package: pve-xtermjs
 Architecture: any
-Depends: libpve-access-control (>= 5.0-7),
- libpve-common-perl (>= 5.0-23),
+Depends: libpve-common-perl (>= 5.0-23),
+ libwww-perl,
 ${misc:Depends}
 Description: HTML/JS Shell client
 This is an xterm.js client for PVE Host, Container and Qemu Serial Terminal
diff --git a/src/PVE/CLI/termproxy.pm b/src/PVE/CLI/termproxy.pm
index c45eb50..3932f55 100644
--- a/src/PVE/CLI/termproxy.pm
+++ b/src/PVE/CLI/termproxy.pm
@@ -6,21 +6,39 @@ use warnings;
 use PVE::RPCEnvironment;
 use PVE::CLIHandler;
 use PVE::JSONSchema qw(get_standard_option);
-use PVE::AccessControl;
 use PVE::PTY;
+use LWP::UserAgent;
 use IO::Select;
 use IO::Socket::IP;
 use base qw(PVE::CLIHandler);
 use constant MAX_QUEUE_LEN => 16*1024;
+use constant DEFAULT_PATH => '/';
+use constant DEFAULT_PERM => 'Sys.Console';
 sub setup_environment {
 PVE::RPCEnvironment->setup_default_cli_env();
 }
+sub verify_ticket {
+ my ($ticket, $user, $path, $perm) = @_;
+
+ my $ua = LWP::UserAgent->new();
+
+ my $res = $ua->post ('http://localhost:85/api2/json/access/ticket', Content => {
+ username => $user,
+ password => $ticket,
+ path => $path,
+ privs => $perm, });
+
+ if (!$res->is_success) {
+ die "Authentication failed: '$res->status_line'\n";
+ }
+}
+
 sub listen_and_authenticate {
- my ($port, $timeout) = @_;
+ my ($port, $timeout, $path, $perm) = @_;
 my $params = {
 Listen => 1,
@@ -42,13 +60,11 @@ sub listen_and_authenticate {
 my $queue;
 my $n = sysread($client, $queue, 4096);
- if ($n && $queue =~ s/^([^:]+):([^:]+):(.+)\n//) {
+ if ($n && $queue =~ s/^([^:]+):(.+)\n//) {
 my $user = $1;
- my $path = $2;
- my $ticket = $3;
+ my $ticket = $2;
- die "authentication failed\n"
- if !PVE::AccessControl::verify_vnc_ticket($ticket, $user, $path);
+ verify_ticket($ticket, $user, $path, $perm);
 die "aknowledge failed\n"
 if !syswrite($client, "OK");
@@ -194,6 +210,16 @@ __PACKAGE__->register_method ({
 type => 'integer',
 description => "The port to listen on."
 },
+ path => {
+ type => 'string',
+ description => "The Authentication path. (default: '".DEFAULT_PATH."')",
+ default => DEFAULT_PATH,
+ },
+ perm => {
+ type => 'string',
+ description => "The Authentication Permission. (default: '".DEFAULT_PERM."')",
+ default => DEFAULT_PERM,
+ },
 'extra-args' => get_standard_option('extra-args'),
 },
 },
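Review bot: The `die` in the new verify_ticket never shows the HTTP status it means to report: inside a double-quoted string Perl interpolates only `$res` (the stringified HTTP::Response object) and leaves `->status_line` as literal text, so a refused ticket produces something like `Authentication failed: 'HTTP::Response=HASH(0x...)->status_line'`. Concatenate the method call instead, `die "Authentication failed: '" . $res->status_line . "'\n";`. Separately, the LWP::UserAgent is created with its default timeout, so a stalled local API on port 85 can hold the proxy open for far longer than the 10-second listen timeout the caller passes in the hunk starting `@@ -208,7 +234,9 @@`; a short `$ua->timeout(10);` after the constructor would keep the two bounds aligned. Accepting any `is_success` response is presumably fine here because access/ticket only answers 2xx when the path/privs check passes — worth a one-line comment above the check so the next reader does not wonder why the body is ignored.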
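Review bot: The new `path` and `perm` properties in the `@@ -194,6 +210,16 @@` hunk declare a `default` but no `optional => 1`, while the caller in the `@@ -208,7 +234,9 @@` hunk falls back with `$param->{path} // DEFAULT_PATH` and `$param->{perm} // DEFAULT_PERM`. As far as I can tell PVE::JSONSchema rejects a missing property unless it is marked optional, which would make both the schema `default` and the `//` fallbacks unreachable and force every invocation of termproxy to pass `--path` and `--perm` explicitly. If the fallback is intended, add `optional => 1,` to both property definitions; if the parameters are meant to be mandatory, drop the `//` fallbacks and the `default` keys so the schema and the code tell the same story.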
@@ -208,7 +234,9 @@ __PACKAGE__->register_method ({
 die "No command given\n";
 }
- my ($queue, $handle) = listen_and_authenticate($param->{port}, 10);
+ my $path = $param->{path} // DEFAULT_PATH;
+ my $perm = $param->{perm} // DEFAULT_PERM;
+ my ($queue, $handle) = listen_and_authenticate($param->{port}, 10, $path, $perm);
 run_pty($cmd, $handle, $queue);
diff --git a/src/www/main.js b/src/www/main.js
index a489937..62ec1c1 100644
--- a/src/www/main.js
+++ b/src/www/main.js
@@ -13,7 +13,6 @@ var term,
 socketURL,
 socket,
 ticket,
- path,
 resize,
 ping,
 state = states.start;
@@ -89,18 +88,12 @@ function createTerminal() {
 switch (type) {
 case 'kvm':
 url += '/qemu/' + vmid;
- path = '/vms/' + vmid;
 break;
 case 'lxc':
 url += '/lxc/' + vmid;
- path = '/vms/' + vmid;
- break;
- case 'shell':
- path = '/nodes/' + nodename;
 break;
 case 'upgrade':
 params.upgrade = 1;
- path = '/nodes/' + nodename;
 break;
 }
 API2Request({
@@ -161,7 +154,7 @@ function runTerminal() {
 }, 250);
 });
- socket.send(PVE.UserName + ':' + path + ':' + ticket + "\n");
+ socket.send(PVE.UserName + ':' + ticket + "\n");
 setTimeout(function() {term.fit();}, 250);
 }
-- 
2.39.2