publicWagsHome
/
KasmVNC
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vncserver: don't require group memebership for cert readability check

Browse Source
release/1.0.0
Dmitry Maksyoma 3 years ago committed by Matthew McClaskey
parent bef16c5b34
commit 34ca7595e8
2 changed files with 98 additions and 50 deletions
Show Stats Download Patch File Download Diff File

59
spec/vncserver_spec.py
Unescape Escape View File

@ -0,0 +1,59 @@
import os
import stat
import tempfile
from mamba import description, context, fcontext, it, fit, before, after
from expects import expect, equal, contain, match
from helper.spec_helper import start_xvnc, kill_xvnc, run_cmd, clean_env, \
add_kasmvnc_user_docker, clean_kasm_users, start_xvnc_pexpect, \
write_config, config_filename
def run_vncserver():
return start_xvnc(f'-config {config_filename}')
def temp_file_name():
return f'/tmp/vncserver.{next(tempfile._get_candidate_names())}'
with description('vncserver') as self:
with before.each:
clean_env()
with after.each:
kill_xvnc()
with context("SSL certs"):
with before.each:
add_kasmvnc_user_docker()
with it("complains if SSL certs don't exist"):
non_existent_file_name = temp_file_name()
write_config(f'''
network:
ssl:
pem_certificate: {non_existent_file_name}
''')
completed_process = run_vncserver()
expect(completed_process.returncode).to(equal(1))
expect(completed_process.stderr).to(
match(r'certificate file doesn\'t exist'))
with it("complains if SSL cert not available"):
cert_file_name = temp_file_name()
with open(cert_file_name, 'w') as f:
f.write('test')
os.chmod(cert_file_name, stat.S_IXUSR)
write_config(f'''
network:
ssl:
pem_certificate: {cert_file_name}
''')
completed_process = run_vncserver()
expect(completed_process.returncode).to(equal(1))
expect(completed_process.stderr).to(
match(r'certificate isn\'t readable'))
expect(completed_process.stderr).to(
match(r'addgroup \$USER'))

85
unix/vncserver
Unescape Escape View File

@ -534,77 +534,66 @@ sub CheckRequiredDependenciesArePresent
sub CheckSslCertReadable { sub CheckSslCertReadable {
return if IsDryRun(); return if IsDryRun();
CheckUserHasAccessToSslCertOnDebian(); RequireSslCertsToBeReadable();
CheckUserHasAccessToSslCertOnCentOS();
} }
sub IsDebian { sub IsDebian {
return -f "/etc/debian_version"; return -f "/etc/debian_version";
} }
sub CheckUserHasAccessToSslCertOnDebian {
if (!IsDebian()) {
return;
}
if (DoesCertKeyRequireSslCertGroup()) {
RequireUserToHaveSslCertGroup();
} else {
RequireSslCertsToBeReadable();
}
}
sub RequireSslCertsToBeReadable { sub RequireSslCertsToBeReadable {
my $certFilename = DerivedValue("network.ssl.pem_certificate"); my $certFilename = DerivedValue("network.ssl.pem_certificate");
my $certKeyFilename = DerivedValue("network.ssl.pem_key"); my $certKeyFilename = DerivedValue("network.ssl.pem_key");
my @unreadableCertFiles = map { -r $_ ? () : $_ } @certs = ($certFilename, $certKeyFilename);
uniq($certFilename, $certKeyFilename); @certs = grep defined, @certs;
@certs = uniq @certs;
my @unreadableCertFiles = map { -r $_ ? () : $_ } @certs;
return if (scalar @unreadableCertFiles == 0); return if (scalar @unreadableCertFiles == 0);
$unreadableCertFiles = join "\n", @unreadableCertFiles; foreach my $unreadableCert (@unreadableCertFiles) {
$logger->warn(<<TEXT); GuideUserToMakeCertFileReadable($unreadableCert);
Please ensure SSL certificate files are readable by you: }
$unreadableCertFiles
TEXT
exit 1; exit 1;
} }
sub DoesCertKeyRequireSslCertGroup { sub FileGroupName {
my $certKeyFilename = ConfigValue("network.ssl.pem_key"); my $file = shift;
$certKeyFilename =~ m!^/etc/ssl/private!; my $grpId = (stat($file))[5];
}
sub DoesCertKeyRequireKasmvncCertGroup { getgrgid($grpId);
my $certKeyFilename = ConfigValue("network.ssl.pem_key");
$certKeyFilename =~ m!^/etc/pki/tls/private!;
} }
sub RequireUserToHaveSslCertGroup { sub AddUserToGroupCmd {
my $certGroup = 'ssl-cert'; my $certGroup = shift;
if (system("groups | grep -qw $certGroup") != 0) {
$logger->warn(<<EOF);
Can't access TLS certificate.
Please add your user to $certGroup via 'addgroup \$USER $certGroup'
EOF
exit(1);
}
}
sub IsRpmSystem { if (IsRpmSystem()) {
system("command -v rpm >/dev/null 2>&1") == 0; "usermod -a -G $certGroup \$USER"
} else {
"addgroup \$USER $certGroup"
}
} }
sub CheckUserHasAccessToSslCertOnCentOS { sub GuideUserToMakeCertFileReadable {
if (!IsRpmSystem()) { my $certFile = shift;
if (! -f $certFile) {
$logger->warn("$certFile: certificate file doesn't exist or isn't a file");
return; return;
} }
if (DoesCertKeyRequireKasmvncCertGroup()) { my $certGroup = FileGroupName $certFile;
RequireUserToHaveKasmvncCertGroup(); my $addUserToGroupCmd = AddUserToGroupCmd $certGroup;
} else {
RequireSslCertsToBeReadable(); $logger->warn(<<EOF);
$certFile: certificate isn't readable.
Make the certificate readable by adding your user to group "$certGroup":
'$addUserToGroupCmd'
EOF
} }
sub IsRpmSystem {
system("command -v rpm >/dev/null 2>&1") == 0;
} }
sub RequireUserToHaveKasmvncCertGroup { sub RequireUserToHaveKasmvncCertGroup {
@ -843,12 +832,12 @@ sub ConfigureDeToRun {
} }
sub AskUserToChooseDeOrManualXstartup { sub AskUserToChooseDeOrManualXstartup {
return if IsDryRun();
if (PromptingDisabled()) { if (PromptingDisabled()) {
WarnIfShouldPromptForDe(); WarnIfShouldPromptForDe();
return; return;
} }
return if IsDryRun();
return unless shouldPromptUserToSelectDe(); return unless shouldPromptUserToSelectDe();
ForgetSelectedDe(); ForgetSelectedDe();

Write Preview
Loading…
Cancel
Save