From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-datacenter-manager 3/4] api: pve: add vncwebsocket endpoint
Date: Wed, 5 Nov 2025 15:13:12 +0100 [thread overview]
Message-ID: <20251105141335.1230493-11-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20251105141335.1230493-1-f.gruenbichler@proxmox.com>
instead of directly forwarding to a running termproxy instance, PDM needs to
authenticate the incoming connection, create a new VNC ticket (and spawn a
termproxy instance) on the remote side, and forward the incoming connection to
the remote.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
some of this code should live in a lower level helper for re-use by the PBS remote..
server/src/api/pve/node.rs | 178 ++++++++++++++++++++++++++++++++++++-
1 file changed, 175 insertions(+), 3 deletions(-)
diff --git a/server/src/api/pve/node.rs b/server/src/api/pve/node.rs
index a1a784e..1937c2a 100644
--- a/server/src/api/pve/node.rs
+++ b/server/src/api/pve/node.rs
@@ -1,12 +1,25 @@
use anyhow::{bail, format_err, Error};
+use futures::{FutureExt, TryFutureExt};
+use http::{
+ header::{SEC_WEBSOCKET_KEY, SEC_WEBSOCKET_VERSION, UPGRADE},
+ request::Parts,
+ Method, Request, StatusCode,
+};
+use hyper::upgrade::Upgraded;
+use hyper_util::rt::TokioIo;
use serde_json::{json, Value};
use proxmox_auth_api::{
ticket::{Empty, Ticket},
Keyring,
};
-use proxmox_router::{list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap};
-use proxmox_schema::api;
+use proxmox_client::ApiPathBuilder;
+use proxmox_http::{websocket::WebSocket, Body};
+use proxmox_router::{
+ list_subdirs_api_method, ApiHandler, ApiMethod, ApiResponseFuture, Permission, Router,
+ RpcEnvironment, SubdirMap,
+};
+use proxmox_schema::{api, IntegerSchema, ObjectSchema, StringSchema};
use proxmox_sortable_macro::sortable;
use pdm_api_types::{
@@ -14,7 +27,7 @@ use pdm_api_types::{
};
use pve_api_types::StorageContent;
-use crate::api::pve::storage;
+use crate::api::{nodes::vncwebsocket::required_string_param, pve::storage};
pub const ROUTER: Router = Router::new()
.get(&list_subdirs_api_method!(SUBDIRS))
@@ -26,6 +39,10 @@ const SUBDIRS: SubdirMap = &sorted!([
("rrddata", &super::rrddata::NODE_RRD_ROUTER),
("network", &Router::new().get(&API_METHOD_GET_NETWORK)),
("termproxy", &Router::new().post(&API_METHOD_SHELL_TICKET)),
+ (
+ "vncwebsocket",
+ &Router::new().upgrade(&API_METHOD_SHELL_WEBSOCKET)
+ ),
("storage", &STORAGE_ROUTER),
("status", &Router::new().get(&API_METHOD_GET_STATUS)),
]);
@@ -206,3 +223,158 @@ async fn shell_ticket(
"port": 0,
}))
}
+
+#[sortable]
+pub const API_METHOD_SHELL_WEBSOCKET: ApiMethod = ApiMethod::new(
+ &ApiHandler::AsyncHttp(&upgrade_to_websocket),
+ &ObjectSchema::new(
+ "Upgraded to websocket",
+ &sorted!([
+ ("remote", false, &REMOTE_ID_SCHEMA),
+ ("node", false, &NODE_SCHEMA),
+ (
+ "vncticket",
+ false,
+ &StringSchema::new("Terminal ticket").schema()
+ ),
+ ("port", false, &IntegerSchema::new("Terminal port").schema()),
+ ]),
+ ),
+)
+.access(
+ Some("The user needs Sys.Console on /resource/{remote}/node/{node}."),
+ &Permission::Privilege(
+ &["resource", "{remote}", "node", "{node}"],
+ PRIV_SYS_CONSOLE,
+ false,
+ ),
+);
+
+fn upgrade_to_websocket(
+ parts: Parts,
+ req_body: hyper::body::Incoming,
+ param: Value,
+ _info: &ApiMethod,
+ rpcenv: Box<dyn RpcEnvironment>,
+) -> ApiResponseFuture {
+ async move {
+ // intentionally user only for now
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if auth_id.is_token() {
+ bail!("API tokens cannot access this API endpoint");
+ }
+
+ let userid = auth_id.user();
+ let ticket = required_string_param(¶m, "vncticket")?;
+
+ let public_auth_keyring =
+ Keyring::with_public_key(crate::auth::key::public_auth_key().clone());
+
+ let remote = required_string_param(¶m, "remote")?.to_owned();
+ let node = required_string_param(¶m, "node")?.to_owned();
+ let ticket_path = encode_term_ticket_path(&remote, &node);
+
+ Ticket::<Empty>::parse(ticket)?.verify(
+ &public_auth_keyring,
+ crate::auth::TERM_PREFIX,
+ Some(&format!("{}{}", userid, ticket_path)),
+ )?;
+
+ let (mut ws, response) = WebSocket::new(parts.headers.clone())?;
+
+ proxmox_rest_server::spawn_internal_task(async move {
+ let incoming_ws: Upgraded =
+ match hyper::upgrade::on(Request::from_parts(parts, req_body))
+ .map_err(Error::from)
+ .await
+ {
+ Ok(upgraded) => upgraded,
+ _ => bail!("error"),
+ };
+
+ let (remotes, _) = pdm_config::remotes::config()?;
+ let pve = super::connect_to_remote(&remotes, &remote)?;
+ let pve_term_ticket = pve
+ .node_shell_termproxy(
+ &node,
+ pve_api_types::NodeShellTermproxy {
+ cmd: None,
+ cmd_opts: None,
+ },
+ )
+ .await?;
+
+ let remote = super::get_remote(&remotes, &remote)?;
+ let raw_client = crate::connection::make_raw_client(remote)?;
+
+ let ws_key = proxmox_sys::linux::random_data(16)?;
+ let ws_key = proxmox_base64::encode(&ws_key);
+
+ let api_url = raw_client.api_url().clone().into_parts();
+
+ let mut builder = http::uri::Builder::new();
+ if let Some(scheme) = api_url.scheme {
+ builder = builder.scheme(scheme);
+ }
+ if let Some(authority) = api_url.authority {
+ builder = builder.authority(authority)
+ }
+ let api_path = ApiPathBuilder::new(format!("/api2/json/nodes/{node}/vncwebsocket"))
+ .arg("vncticket", pve_term_ticket.ticket.clone())
+ .arg("port", pve_term_ticket.port)
+ .build();
+ let uri = builder
+ .path_and_query(api_path)
+ .build()
+ .map_err(|err| format_err!("failed to build Uri - {err}"))?;
+
+ let auth = raw_client.login_auth()?;
+ let req = Request::builder()
+ .method(Method::GET)
+ .uri(uri)
+ .header(UPGRADE, "websocket")
+ .header(SEC_WEBSOCKET_VERSION, "13")
+ .header(SEC_WEBSOCKET_KEY, ws_key);
+
+ let req = auth.set_auth_headers(req).body(Body::empty())?;
+
+ let res = raw_client.http_client().request(req).await?;
+ if res.status() != StatusCode::SWITCHING_PROTOCOLS {
+ bail!("server didn't upgrade: {}", res.status());
+ }
+
+ let pve_ws = hyper::upgrade::on(res)
+ .await
+ .map_err(|err| format_err!("failed to upgrade - {}", err))?;
+
+ let username = if let proxmox_client::AuthenticationKind::Token(ref token) = *auth {
+ token.userid.clone()
+ } else {
+ bail!("shell not supported with ticket-based authentication")
+ };
+
+ let preamble = format!("{username}:{ticket}\n", ticket = pve_term_ticket.ticket);
+ ws.mask = Some([0, 0, 0, 0]);
+
+ if let Err(err) = ws
+ .proxy_connection(
+ TokioIo::new(incoming_ws),
+ TokioIo::new(pve_ws),
+ preamble.as_bytes(),
+ )
+ .await
+ {
+ log::warn!("error while copying between websockets: {err:?}");
+ }
+
+ Ok(())
+ });
+
+ Ok(response)
+ }
+ .boxed()
+}
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-05 14:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-05 14:13 [pve-devel] [RFC access-control/manager/proxmox{, -yew-comp, -datacenter-manager}/xtermjs 00/11] add remote node shell Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH pve-xtermjs 1/1] xtermjs: add support for remote node shells via PDM Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH manager 1/2] api: termproxy/vncwebsocket: allow tokens Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH manager 2/2] api: termproxy: add description to return schema Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 1/2] pve-api-types: add termproxy call and types Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 2/2] http: websocket: add proxy helper Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-yew-comp 1/1] xtermjs: add remote support Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 1/4] connection: add access to "raw" client Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 2/4] api: pve: add termproxy endpoint Fabian Grünbichler
2025-11-05 14:13 ` Fabian Grünbichler [this message]
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 4/4] ui: pve: node: add shell tab Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251105141335.1230493-11-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.