instead of directly forwarding to a running termproxy instance, PDM needs to authenticate the incoming connection, create a new VNC ticket (and spawn a termproxy instance) on the remote side, and forward the incoming connection to the remote.
Signed-off-by: Fabian Grünbichler <[email protected]> --- Notes: some of this code should live in a lower level helper for re-use by the PBS remote.. server/src/api/pve/node.rs | 178 ++++++++++++++++++++++++++++++++++++- 1 file changed, 175 insertions(+), 3 deletions(-) diff --git a/server/src/api/pve/node.rs b/server/src/api/pve/node.rs index a1a784e..1937c2a 100644 --- a/server/src/api/pve/node.rs +++ b/server/src/api/pve/node.rs @@ -1,12 +1,25 @@ use anyhow::{bail, format_err, Error}; +use futures::{FutureExt, TryFutureExt}; +use http::{ + header::{SEC_WEBSOCKET_KEY, SEC_WEBSOCKET_VERSION, UPGRADE}, + request::Parts, + Method, Request, StatusCode, +}; +use hyper::upgrade::Upgraded; +use hyper_util::rt::TokioIo; use serde_json::{json, Value}; use proxmox_auth_api::{ ticket::{Empty, Ticket}, Keyring, }; -use proxmox_router::{list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap}; -use proxmox_schema::api; +use proxmox_client::ApiPathBuilder; +use proxmox_http::{websocket::WebSocket, Body}; +use proxmox_router::{ + list_subdirs_api_method, ApiHandler, ApiMethod, ApiResponseFuture, Permission, Router, + RpcEnvironment, SubdirMap, +}; +use proxmox_schema::{api, IntegerSchema, ObjectSchema, StringSchema}; use proxmox_sortable_macro::sortable; use pdm_api_types::{ @@ -14,7 +27,7 @@ use pdm_api_types::{ }; use pve_api_types::StorageContent; -use crate::api::pve::storage; +use crate::api::{nodes::vncwebsocket::required_string_param, pve::storage}; pub const ROUTER: Router = Router::new() .get(&list_subdirs_api_method!(SUBDIRS)) @@ -26,6 +39,10 @@ const SUBDIRS: SubdirMap = &sorted!([ ("rrddata", &super::rrddata::NODE_RRD_ROUTER), ("network", &Router::new().get(&API_METHOD_GET_NETWORK)), ("termproxy", &Router::new().post(&API_METHOD_SHELL_TICKET)), + ( + "vncwebsocket", + &Router::new().upgrade(&API_METHOD_SHELL_WEBSOCKET) + ), ("storage", &STORAGE_ROUTER), ("status", &Router::new().get(&API_METHOD_GET_STATUS)), ]); @@ -206,3 +223,158 @@ async fn shell_ticket( "port": 0, })) } + +#[sortable] +pub const API_METHOD_SHELL_WEBSOCKET: ApiMethod = ApiMethod::new( + &ApiHandler::AsyncHttp(&upgrade_to_websocket), + &ObjectSchema::new( + "Upgraded to websocket", + &sorted!([ + ("remote", false, &REMOTE_ID_SCHEMA), + ("node", false, &NODE_SCHEMA), + ( + "vncticket", + false, + &StringSchema::new("Terminal ticket").schema() + ), + ("port", false, &IntegerSchema::new("Terminal port").schema()), + ]), + ), +) +.access( + Some("The user needs Sys.Console on /resource/{remote}/node/{node}."), + &Permission::Privilege( + &["resource", "{remote}", "node", "{node}"], + PRIV_SYS_CONSOLE, + false, + ), +); + +fn upgrade_to_websocket( + parts: Parts, + req_body: hyper::body::Incoming, + param: Value, + _info: &ApiMethod, + rpcenv: Box<dyn RpcEnvironment>, +) -> ApiResponseFuture { + async move { + // intentionally user only for now + let auth_id: Authid = rpcenv + .get_auth_id() + .ok_or_else(|| format_err!("no authid available"))? + .parse()?; + + if auth_id.is_token() { + bail!("API tokens cannot access this API endpoint"); + } + + let userid = auth_id.user(); + let ticket = required_string_param(¶m, "vncticket")?; + + let public_auth_keyring = + Keyring::with_public_key(crate::auth::key::public_auth_key().clone()); + + let remote = required_string_param(¶m, "remote")?.to_owned(); + let node = required_string_param(¶m, "node")?.to_owned(); + let ticket_path = encode_term_ticket_path(&remote, &node); + + Ticket::<Empty>::parse(ticket)?.verify( + &public_auth_keyring, + crate::auth::TERM_PREFIX, + Some(&format!("{}{}", userid, ticket_path)), + )?; + + let (mut ws, response) = WebSocket::new(parts.headers.clone())?; + + proxmox_rest_server::spawn_internal_task(async move { + let incoming_ws: Upgraded = + match hyper::upgrade::on(Request::from_parts(parts, req_body)) + .map_err(Error::from) + .await + { + Ok(upgraded) => upgraded, + _ => bail!("error"), + }; + + let (remotes, _) = pdm_config::remotes::config()?; + let pve = super::connect_to_remote(&remotes, &remote)?; + let pve_term_ticket = pve + .node_shell_termproxy( + &node, + pve_api_types::NodeShellTermproxy { + cmd: None, + cmd_opts: None, + }, + ) + .await?; + + let remote = super::get_remote(&remotes, &remote)?; + let raw_client = crate::connection::make_raw_client(remote)?; + + let ws_key = proxmox_sys::linux::random_data(16)?; + let ws_key = proxmox_base64::encode(&ws_key); + + let api_url = raw_client.api_url().clone().into_parts(); + + let mut builder = http::uri::Builder::new(); + if let Some(scheme) = api_url.scheme { + builder = builder.scheme(scheme); + } + if let Some(authority) = api_url.authority { + builder = builder.authority(authority) + } + let api_path = ApiPathBuilder::new(format!("/api2/json/nodes/{node}/vncwebsocket")) + .arg("vncticket", pve_term_ticket.ticket.clone()) + .arg("port", pve_term_ticket.port) + .build(); + let uri = builder + .path_and_query(api_path) + .build() + .map_err(|err| format_err!("failed to build Uri - {err}"))?; + + let auth = raw_client.login_auth()?; + let req = Request::builder() + .method(Method::GET) + .uri(uri) + .header(UPGRADE, "websocket") + .header(SEC_WEBSOCKET_VERSION, "13") + .header(SEC_WEBSOCKET_KEY, ws_key); + + let req = auth.set_auth_headers(req).body(Body::empty())?; + + let res = raw_client.http_client().request(req).await?; + if res.status() != StatusCode::SWITCHING_PROTOCOLS { + bail!("server didn't upgrade: {}", res.status()); + } + + let pve_ws = hyper::upgrade::on(res) + .await + .map_err(|err| format_err!("failed to upgrade - {}", err))?; + + let username = if let proxmox_client::AuthenticationKind::Token(ref token) = *auth { + token.userid.clone() + } else { + bail!("shell not supported with ticket-based authentication") + }; + + let preamble = format!("{username}:{ticket}\n", ticket = pve_term_ticket.ticket); + ws.mask = Some([0, 0, 0, 0]); + + if let Err(err) = ws + .proxy_connection( + TokioIo::new(incoming_ws), + TokioIo::new(pve_ws), + preamble.as_bytes(), + ) + .await + { + log::warn!("error while copying between websockets: {err:?}"); + } + + Ok(()) + }); + + Ok(response) + } + .boxed() +} -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
