From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-datacenter-manager 3/4] api: pve: add vncwebsocket endpoint
Date: Wed, 5 Nov 2025 15:13:12 +0100 [thread overview]
Message-ID: <20251105141335.1230493-11-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20251105141335.1230493-1-f.gruenbichler@proxmox.com>
instead of directly forwarding to a running termproxy instance, PDM needs to
authenticate the incoming connection, create a new VNC ticket (and spawn a
termproxy instance) on the remote side, and forward the incoming connection to
the remote.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
some of this code should live in a lower level helper for re-use by the PBS remote..
server/src/api/pve/node.rs | 178 ++++++++++++++++++++++++++++++++++++-
1 file changed, 175 insertions(+), 3 deletions(-)
diff --git a/server/src/api/pve/node.rs b/server/src/api/pve/node.rs
index a1a784e..1937c2a 100644
--- a/server/src/api/pve/node.rs
+++ b/server/src/api/pve/node.rs
@@ -1,12 +1,25 @@
use anyhow::{bail, format_err, Error};
+use futures::{FutureExt, TryFutureExt};
+use http::{
+ header::{SEC_WEBSOCKET_KEY, SEC_WEBSOCKET_VERSION, UPGRADE},
+ request::Parts,
+ Method, Request, StatusCode,
+};
+use hyper::upgrade::Upgraded;
+use hyper_util::rt::TokioIo;
use serde_json::{json, Value};
use proxmox_auth_api::{
ticket::{Empty, Ticket},
Keyring,
};
-use proxmox_router::{list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap};
-use proxmox_schema::api;
+use proxmox_client::ApiPathBuilder;
+use proxmox_http::{websocket::WebSocket, Body};
+use proxmox_router::{
+ list_subdirs_api_method, ApiHandler, ApiMethod, ApiResponseFuture, Permission, Router,
+ RpcEnvironment, SubdirMap,
+};
+use proxmox_schema::{api, IntegerSchema, ObjectSchema, StringSchema};
use proxmox_sortable_macro::sortable;
use pdm_api_types::{
@@ -14,7 +27,7 @@ use pdm_api_types::{
};
use pve_api_types::StorageContent;
-use crate::api::pve::storage;
+use crate::api::{nodes::vncwebsocket::required_string_param, pve::storage};
pub const ROUTER: Router = Router::new()
.get(&list_subdirs_api_method!(SUBDIRS))
@@ -26,6 +39,10 @@ const SUBDIRS: SubdirMap = &sorted!([
("rrddata", &super::rrddata::NODE_RRD_ROUTER),
("network", &Router::new().get(&API_METHOD_GET_NETWORK)),
("termproxy", &Router::new().post(&API_METHOD_SHELL_TICKET)),
+ (
+ "vncwebsocket",
+ &Router::new().upgrade(&API_METHOD_SHELL_WEBSOCKET)
+ ),
("storage", &STORAGE_ROUTER),
("status", &Router::new().get(&API_METHOD_GET_STATUS)),
]);
@@ -206,3 +223,158 @@ async fn shell_ticket(
"port": 0,
}))
}
+
+#[sortable]
+pub const API_METHOD_SHELL_WEBSOCKET: ApiMethod = ApiMethod::new(
+ &ApiHandler::AsyncHttp(&upgrade_to_websocket),
+ &ObjectSchema::new(
+ "Upgraded to websocket",
+ &sorted!([
+ ("remote", false, &REMOTE_ID_SCHEMA),
+ ("node", false, &NODE_SCHEMA),
+ (
+ "vncticket",
+ false,
+ &StringSchema::new("Terminal ticket").schema()
+ ),
+ ("port", false, &IntegerSchema::new("Terminal port").schema()),
+ ]),
+ ),
+)
+.access(
+ Some("The user needs Sys.Console on /resource/{remote}/node/{node}."),
+ &Permission::Privilege(
+ &["resource", "{remote}", "node", "{node}"],
+ PRIV_SYS_CONSOLE,
+ false,
+ ),
+);
+
+fn upgrade_to_websocket(
+ parts: Parts,
+ req_body: hyper::body::Incoming,
+ param: Value,
+ _info: &ApiMethod,
+ rpcenv: Box<dyn RpcEnvironment>,
+) -> ApiResponseFuture {
+ async move {
+ // intentionally user only for now
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if auth_id.is_token() {
+ bail!("API tokens cannot access this API endpoint");
+ }
+
+ let userid = auth_id.user();
+ let ticket = required_string_param(¶m, "vncticket")?;
+
+ let public_auth_keyring =
+ Keyring::with_public_key(crate::auth::key::public_auth_key().clone());
+
+ let remote = required_string_param(¶m, "remote")?.to_owned();
+ let node = required_string_param(¶m, "node")?.to_owned();
+ let ticket_path = encode_term_ticket_path(&remote, &node);
+
+ Ticket::<Empty>::parse(ticket)?.verify(
+ &public_auth_keyring,
+ crate::auth::TERM_PREFIX,
+ Some(&format!("{}{}", userid, ticket_path)),
+ )?;
+
+ let (mut ws, response) = WebSocket::new(parts.headers.clone())?;
+
+ proxmox_rest_server::spawn_internal_task(async move {
+ let incoming_ws: Upgraded =
+ match hyper::upgrade::on(Request::from_parts(parts, req_body))
+ .map_err(Error::from)
+ .await
+ {
+ Ok(upgraded) => upgraded,
+ _ => bail!("error"),
+ };
+
+ let (remotes, _) = pdm_config::remotes::config()?;
+ let pve = super::connect_to_remote(&remotes, &remote)?;
+ let pve_term_ticket = pve
+ .node_shell_termproxy(
+ &node,
+ pve_api_types::NodeShellTermproxy {
+ cmd: None,
+ cmd_opts: None,
+ },
+ )
+ .await?;
+
+ let remote = super::get_remote(&remotes, &remote)?;
+ let raw_client = crate::connection::make_raw_client(remote)?;
+
+ let ws_key = proxmox_sys::linux::random_data(16)?;
+ let ws_key = proxmox_base64::encode(&ws_key);
+
+ let api_url = raw_client.api_url().clone().into_parts();
+
+ let mut builder = http::uri::Builder::new();
+ if let Some(scheme) = api_url.scheme {
+ builder = builder.scheme(scheme);
+ }
+ if let Some(authority) = api_url.authority {
+ builder = builder.authority(authority)
+ }
+ let api_path = ApiPathBuilder::new(format!("/api2/json/nodes/{node}/vncwebsocket"))
+ .arg("vncticket", pve_term_ticket.ticket.clone())
+ .arg("port", pve_term_ticket.port)
+ .build();
+ let uri = builder
+ .path_and_query(api_path)
+ .build()
+ .map_err(|err| format_err!("failed to build Uri - {err}"))?;
+
+ let auth = raw_client.login_auth()?;
+ let req = Request::builder()
+ .method(Method::GET)
+ .uri(uri)
+ .header(UPGRADE, "websocket")
+ .header(SEC_WEBSOCKET_VERSION, "13")
+ .header(SEC_WEBSOCKET_KEY, ws_key);
+
+ let req = auth.set_auth_headers(req).body(Body::empty())?;
+
+ let res = raw_client.http_client().request(req).await?;
+ if res.status() != StatusCode::SWITCHING_PROTOCOLS {
+ bail!("server didn't upgrade: {}", res.status());
+ }
+
+ let pve_ws = hyper::upgrade::on(res)
+ .await
+ .map_err(|err| format_err!("failed to upgrade - {}", err))?;
+
+ let username = if let proxmox_client::AuthenticationKind::Token(ref token) = *auth {
+ token.userid.clone()
+ } else {
+ bail!("shell not supported with ticket-based authentication")
+ };
+
+ let preamble = format!("{username}:{ticket}\n", ticket = pve_term_ticket.ticket);
+ ws.mask = Some([0, 0, 0, 0]);
+
+ if let Err(err) = ws
+ .proxy_connection(
+ TokioIo::new(incoming_ws),
+ TokioIo::new(pve_ws),
+ preamble.as_bytes(),
+ )
+ .await
+ {
+ log::warn!("error while copying between websockets: {err:?}");
+ }
+
+ Ok(())
+ });
+
+ Ok(response)
+ }
+ .boxed()
+}
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-05 14:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-05 14:13 [pve-devel] [RFC access-control/manager/proxmox{, -yew-comp, -datacenter-manager}/xtermjs 00/11] add remote node shell Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH pve-xtermjs 1/1] xtermjs: add support for remote node shells via PDM Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH manager 1/2] api: termproxy/vncwebsocket: allow tokens Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH manager 2/2] api: termproxy: add description to return schema Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 1/2] pve-api-types: add termproxy call and types Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 2/2] http: websocket: add proxy helper Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-yew-comp 1/1] xtermjs: add remote support Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 1/4] connection: add access to "raw" client Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 2/4] api: pve: add termproxy endpoint Fabian Grünbichler
2025-11-05 14:13 ` Fabian Grünbichler [this message]
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 4/4] ui: pve: node: add shell tab Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251105141335.1230493-11-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox