Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2023/01/10 07:48:41 UTC

[GitHub] [cloudstack] nvazquez opened a new pull request, #7015: Secure KVM VNC Console Access Using the CA Framework

nvazquez opened a new pull request, #7015:
URL: https://github.com/apache/cloudstack/pull/7015

   ### Description
   
   This PR allows securing the console access through CloudStack to the virtual machines running on KVM. The secure access is achieved through the certificates generated by the CA Framework in CloudStack, which provides mutual TLS connections between agents. These certificates are also used to secure the connection between the console proxies and the VNC ports for VM console access.
   
   This feature is only supported on the KVM hypervisor.
   
   Design Document: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VNC+connection+using+the+CA+framework
   
   ### Types of changes
   
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [x] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [ ] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   
   - [x] Major
   - [ ] Minor
   
   #### Bug Severity
   
   - [ ] BLOCKER
   - [ ] Critical
   - [x] Major
   - [ ] Minor
   - [ ] Trivial
   
   
   ### Screenshots (if appropriate):
   ![image](https://user-images.githubusercontent.com/5295080/209055725-73a647c6-6be8-4292-8741-8e9f24a3a74d.png)
   
   
   ### How Has This Been Tested?
   Tested on a KVM environment, enabling TLS on VNC.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
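Before the CA-framework certificates come into play, the console proxy has to complete the RFB security handshake with the VNC server on the KVM host: protocol banner, security-type list, VeNCrypt (security type 19) version agreement, then a sub-type that decides whether the TLS session that follows is anonymous (TLS*) or certificate-authenticated (X509*, the case where a CA-issued certificate can be verified). The block below is an added example, not code from this PR or from CloudStack: a Python client that drives that negotiation and refuses every downgrade, run against a constructed server stand-in over an in-memory socket pair so it works offline. The security-type and sub-type constants are those of rfbproto; the server function, the client preference order, `negotiate()` and `HandshakeError` are assumptions of the example.

```python
import socket
import struct
import threading

RFB_37 = b"RFB 003.007\n"
RFB_38 = b"RFB 003.008\n"
# RFB security types (rfbproto 7.1.2)
SEC_NONE, SEC_VNCAUTH, SEC_VENCRYPT = 1, 2, 19
# VeNCrypt sub-types (rfbproto 7.2.4): TLS* = anonymous TLS, X509* = certificate-authenticated TLS
VENCRYPT_PLAIN, VENCRYPT_TLSNONE, VENCRYPT_TLSVNC = 256, 257, 258
VENCRYPT_X509NONE, VENCRYPT_X509VNC = 260, 261
# Assumed client policy for this example: certificate sub-types first, Plain never
CLIENT_PREFERENCE = (VENCRYPT_X509VNC, VENCRYPT_X509NONE, VENCRYPT_TLSVNC, VENCRYPT_TLSNONE)


class HandshakeError(Exception):
    """Client refuses to continue: downgrade, refusal or malformed exchange."""


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise HandshakeError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def client_handshake(sock):
    """Client side up to the point where TLS would start; returns the agreed sub-type."""
    banner = _recv_exact(sock, 12)
    if banner not in (RFB_37, RFB_38):  # 3.3 negotiates security differently
        raise HandshakeError("unsupported RFB version %r" % banner)
    sock.sendall(RFB_38)
    (n_types,) = struct.unpack("!B", _recv_exact(sock, 1))
    if n_types == 0:  # server refuses and sends a reason string
        (reason_len,) = struct.unpack("!I", _recv_exact(sock, 4))
        raise HandshakeError("server refused: " + _recv_exact(sock, reason_len).decode("utf-8", "replace"))
    if SEC_VENCRYPT not in _recv_exact(sock, n_types):
        raise HandshakeError("server does not offer VeNCrypt; refusing plaintext fallback")
    sock.sendall(bytes([SEC_VENCRYPT]))
    major, minor = struct.unpack("!BB", _recv_exact(sock, 2))
    if (major, minor) < (0, 2):
        sock.sendall(bytes([0, 0]))  # 0.0 tells the server we cannot continue
        raise HandshakeError("server VeNCrypt %d.%d is too old" % (major, minor))
    sock.sendall(bytes([0, 2]))
    if _recv_exact(sock, 1) != b"\x00":
        raise HandshakeError("server rejected VeNCrypt 0.2")
    (n_sub,) = struct.unpack("!B", _recv_exact(sock, 1))
    if n_sub == 0:
        raise HandshakeError("server offered no VeNCrypt sub-types")
    offered = struct.unpack("!%dI" % n_sub, _recv_exact(sock, 4 * n_sub))
    chosen = next((s for s in CLIENT_PREFERENCE if s in offered), None)
    if chosen is None:
        raise HandshakeError("no acceptable sub-type in %r" % (offered,))
    sock.sendall(struct.pack("!I", chosen))
    if _recv_exact(sock, 1) != b"\x01":
        raise HandshakeError("server rejected sub-type %d" % chosen)
    return chosen  # on a real connection the TLS handshake starts here


def server_handshake(sock, subtypes, version=RFB_38, offer=(SEC_VENCRYPT, SEC_VNCAUTH)):
    """Constructed stand-in for the VNC server side of the exchange (not QEMU)."""
    sock.sendall(version)
    _recv_exact(sock, 12)
    sock.sendall(bytes([len(offer), *offer]))
    if _recv_exact(sock, 1) != bytes([SEC_VENCRYPT]):
        return None
    sock.sendall(bytes([0, 2]))
    if _recv_exact(sock, 2) != b"\x00\x02":
        sock.sendall(b"\x01")
        return None
    sock.sendall(b"\x00")
    sock.sendall(bytes([len(subtypes)]) + struct.pack("!%dI" % len(subtypes), *subtypes))
    (sub,) = struct.unpack("!I", _recv_exact(sock, 4))
    sock.sendall(b"\x01" if sub in subtypes else b"\x00")
    return sub if sub in subtypes else None


def negotiate(subtypes, version=RFB_38, offer=(SEC_VENCRYPT, SEC_VNCAUTH)):
    """Run both sides over an in-memory socket pair; returns the client's sub-type."""
    client_sock, server_sock = socket.socketpair()

    def run_server():
        try:
            server_handshake(server_sock, subtypes, version, offer)
        except (HandshakeError, OSError):
            pass  # the client gave up and closed its end
        finally:
            server_sock.close()

    t = threading.Thread(target=run_server)
    t.start()
    try:
        return client_handshake(client_sock)
    finally:
        client_sock.close()
        t.join()


def negotiation_fails(subtypes, version=RFB_38, offer=(SEC_VENCRYPT, SEC_VNCAUTH)):
    """True when the client refuses the server instead of connecting insecurely."""
    try:
        negotiate(subtypes, version, offer)
    except HandshakeError:
        return True
    return False
```

`negotiate((VENCRYPT_TLSNONE, VENCRYPT_X509NONE, VENCRYPT_X509VNC))` returns 261 (X509Vnc), the strongest sub-type on offer, while a server that only offers Plain, offers no sub-types, or does not offer VeNCrypt at all makes the client raise instead of silently connecting unencrypted. On a real connection the returned sub-type decides what happens next: for the X509 sub-types the client builds an `ssl.SSLContext` that trusts the CA framework's root certificate and, for mutual TLS, loads the proxy's own certificate and key with `load_cert_chain`, wraps the socket, and continues the RFB handshake inside the TLS session.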


[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364326840

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5081




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363443908

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380902969

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - 0 Bugs (rating A)
   - 0 Vulnerabilities (rating A)
   - 0 Security Hotspots (rating A)
   - 0 Code Smells (rating A)
   - 0.4% coverage on new code, 0.5% duplicated lines on new code
   
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1382899034

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387212441

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] borisstoyanov commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
borisstoyanov commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1385372291

   @blueorangutan test matrix




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1384678426

   <b>Trillian test result (tid-5852)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 44797 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5852-kvm-centos7.zip
   Smoke tests completed. 105 look OK, 2 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_upgrade_kubernetes_cluster | `Failure` | 492.14 | test_kubernetes_clusters.py
   test_08_upgrade_kubernetes_ha_cluster | `Failure` | 613.94 | test_kubernetes_clusters.py
   test_02_unsecure_vm_migration | `Error` | 218.92 | test_vm_life_cycle.py
   test_04_nonsecured_to_secured_vm_migration | `Error` | 141.96 | test_vm_life_cycle.py
   




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380580271

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - 0 Bugs (rating A)
   - 0 Vulnerabilities (rating A)
   - 0 Security Hotspots (rating A)
   - 1 Code Smell (rating A)
   - 0.4% coverage on new code, 0.5% duplicated lines on new code
   
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381790710

   <b>Trillian test result (tid-5826)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 44200 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5826-kvm-centos7.zip
   Smoke tests completed. 105 look OK, 2 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_upgrade_kubernetes_cluster | `Failure` | 512.00 | test_kubernetes_clusters.py
   test_02_unsecure_vm_migration | `Error` | 218.92 | test_vm_life_cycle.py
   test_04_nonsecured_to_secured_vm_migration | `Error` | 144.17 | test_vm_life_cycle.py
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381083169

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1385372910

   @borisstoyanov a Trillian-Jenkins matrix job (centos7 mgmt + xenserver71, rocky8 mgmt + vmware67u3, centos7 mgmt + kvmcentos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1386298966

   <b>Trillian test result (tid-5876)</b>
   Environment: xenserver-71 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 41982 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5876-xenserver-71.zip
   Smoke tests completed. 106 look OK, 1 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_cancel_host_maintenace_with_migration_jobs | `Error` | 901.58 | test_host_maintenance.py
   test_03_cancel_host_maintenace_with_migration_jobs_failure | `Error` | 0.27 | test_host_maintenance.py
   




[GitHub] [cloudstack] GutoVeronezi commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by "GutoVeronezi (via GitHub)" <gi...@apache.org>.
GutoVeronezi commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1407834091

   Just for the record, I have tested both kinds of access (encrypted and unencrypted) and they are working fine:
   
   - with:
   ![image](https://user-images.githubusercontent.com/38945620/215366932-d3d33fb6-4dd6-480c-9f00-7849fa217002.png)
   
   
   - without:
   ![image](https://user-images.githubusercontent.com/38945620/215366919-20174267-4d83-4357-a83e-33c953bccfc2.png)
   
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1371703186

   <b>Trillian test result (tid-5746)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 46302 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5746-kvm-centos7.zip
   Smoke tests completed. 105 look OK, 1 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_unsecure_vm_migration | `Error` | 218.96 | test_vm_life_cycle.py
   test_04_nonsecured_to_secured_vm_migration | `Error` | 143.03 | test_vm_life_cycle.py
   




[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055639044


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
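Review bot: the version check in handshakeProtocolVersion (`rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)`) accepts any 3.x banner, but the security negotiation that follows in handshakeSecurityTypes (server offers a list, the client answers with one byte, and the proxy forwards `{1, securityType}` to the browser) is the 3.7/3.8 form; a 3.3 server sends a single U32 security type instead and would be misparsed here. Reject minor versions below 7 explicitly, for example by decoding the 12 bytes as US_ASCII (`new String(buf)` uses the platform default charset) and matching them against `RFB 003.00[78]\n`, or add a 3.3 branch. In getVEncryptSecuritySubtype the two failure paths also throw different types (CloudRuntimeException when the server's VeNCrypt version is too old, IOException when the ack is non-zero); pick one so callers can handle handshake failures uniformly.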

Review Comment:
   I've refactored this a bit; maybe the trace logs could be removed.





[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363490173

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - 0 Bugs (rating A)
   - 0 Vulnerabilities (rating A)
   - 0 Security Hotspots (rating A)
   - 9 Code Smells (rating A)
   - 0.4% coverage on new code, 0.5% duplicated lines on new code
   
   




[GitHub] [cloudstack] slavkap commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
slavkap commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055559615


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/network/NioSocketStream.java:
##########
@@ -78,4 +78,12 @@ protected void placeUnsignedIntegerToBuffer(int bytes, int value) {
             buffer[currentPosition++] = (byte) value;
         }
     }
+
+    protected void checkItemSizeOnBuffer(int itemSize) {
+        if (itemSize > buffer.length) {
+            String msg = "Item size " + itemSize + " exceeds the buffer size " + buffer.length;
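Review bot: checkItemSizeOnBuffer only rejects an itemSize larger than buffer.length; a negative itemSize, which can arise when a length field read from an untrusted VNC server is interpreted as signed, passes this check and only surfaces later as an array-index or negative-size exception deeper in the stream code. Suggest `if (itemSize < 0 || itemSize > buffer.length)` so the bounds check fails fast with the same message.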

Review Comment:
   ```suggestion
                String msg = String.format("Item size %s exceeds the buffer size %s", itemSize, buffer.length);
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/network/NioSocketTLSInputStream.java:
##########
@@ -17,34 +17,38 @@
 package com.cloud.consoleproxy.vnc.network;
 
 import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.log4j.Logger;
 
+import java.io.IOException;
 import java.nio.ByteBuffer;
 
 public class NioSocketTLSInputStream extends NioSocketInputStream {
 
-    private final SSLEngineManager sslEngineManager;
+    private final NioSocketSSLEngineManager sslEngineManager;
 
-    public NioSocketTLSInputStream(SSLEngineManager sslEngineManager, NioSocket socket) {
+    private static final Logger s_logger = Logger.getLogger(NioSocketTLSInputStream.class);
+
+    public NioSocketTLSInputStream(NioSocketSSLEngineManager sslEngineManager, NioSocket socket) {
         super(sslEngineManager.getSession().getApplicationBufferSize(), socket);
         this.sslEngineManager = sslEngineManager;
     }
 
-    protected int readTLS(byte[] buf, int bufPtr, int len) {
-        int n = -1;
+    protected int readFromSSLEngineManager(byte[] buffer, int startPos, int length) {
         try {
-            n = sslEngineManager.read(ByteBuffer.wrap(buf, bufPtr, len), len);
-        } catch (java.io.IOException e) {
-            e.printStackTrace();
+            int readBytes = sslEngineManager.read(ByteBuffer.wrap(buffer, startPos, length));
+            if (readBytes < 0) {
+                throw new CloudRuntimeException("Invalid number of read bytes frm SSL engine manager " + readBytes);
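Review bot: readFromSSLEngineManager turns every negative return from sslEngineManager.read into a CloudRuntimeException, but -1 from a read is the conventional end-of-stream signal (the removed readTLS initialised `n = -1` for exactly that case), so an orderly close by the VNC server now surfaces as an error reading "Invalid number of read bytes frm SSL engine manager". Either return -1 so NioSocketInputStream can treat it as EOF, or make the message say that the peer closed the TLS session, and fix the "frm" typo either way. It is also worth checking what the manager returns for `length == 0`, since ByteBuffer.wrap(buffer, startPos, 0) is a legal but empty destination and a zero-length result must not be confused with a closed stream.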

Review Comment:
   ```suggestion
                   throw new CloudRuntimeException(String.format("Invalid number of read bytes from SSL engine manager %s", readBytes));
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/network/NioSocketTLSInputStream.java:
##########
@@ -17,34 +17,38 @@
 package com.cloud.consoleproxy.vnc.network;
 
 import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.log4j.Logger;
 
+import java.io.IOException;
 import java.nio.ByteBuffer;
 
 public class NioSocketTLSInputStream extends NioSocketInputStream {
 
-    private final SSLEngineManager sslEngineManager;
+    private final NioSocketSSLEngineManager sslEngineManager;
 
-    public NioSocketTLSInputStream(SSLEngineManager sslEngineManager, NioSocket socket) {
+    private static final Logger s_logger = Logger.getLogger(NioSocketTLSInputStream.class);
+
+    public NioSocketTLSInputStream(NioSocketSSLEngineManager sslEngineManager, NioSocket socket) {
         super(sslEngineManager.getSession().getApplicationBufferSize(), socket);
         this.sslEngineManager = sslEngineManager;
     }
 
-    protected int readTLS(byte[] buf, int bufPtr, int len) {
-        int n = -1;
+    protected int readFromSSLEngineManager(byte[] buffer, int startPos, int length) {
         try {
-            n = sslEngineManager.read(ByteBuffer.wrap(buf, bufPtr, len), len);
-        } catch (java.io.IOException e) {
-            e.printStackTrace();
+            int readBytes = sslEngineManager.read(ByteBuffer.wrap(buffer, startPos, length));
+            if (readBytes < 0) {
+                throw new CloudRuntimeException("Invalid number of read bytes frm SSL engine manager " + readBytes);
+            }
+            return readBytes;
+        } catch (IOException e) {
+            s_logger.error("Error reading from SSL engine manager: " + e.getMessage(), e);
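Review bot: the catch block logs the IOException at error level and the hunk is cut off right after it; whatever follows the log call, a read failure on the TLS path should propagate (wrap it in CloudRuntimeException as the negative-count branch above does) rather than return a sentinel that a caller reading in a loop could spin on. Separately, this file switches to `org.apache.log4j.Logger` while the new VncTLSSecurity in the same PR uses `com.cloud.consoleproxy.util.Logger`; the console proxy should use one logger throughout so that its log configuration also covers the TLS code path.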

Review Comment:
   ```suggestion
               s_logger.error(String.format("Error reading from SSL engine manager: %s", e.getMessage()), e);
   ```





[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364290662

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398259737

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398471435

   @DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362450195

   SonarCloud Quality Gate failed ([quality gate summary](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)).
   
   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG), rating A  
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY), rating A  
   [2 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT), rating E  
   [40 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL), rating A
   
   [0.3% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [0.4% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] DaanHoogland commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055191875


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java:
##########
@@ -137,18 +145,80 @@ public void run() {
 
     /**
      * Authenticate to VNC server when not using websockets
+     *
+     * Since we are supporting the 3.8 version of the RFB protocol, there are changes on the stages:
+     * 1. Handshake:
+     *    1.a. Protocol version
+     *    1.b. Security types
+     * 2. Security types
+     * 3. Initialisation
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#7protocol-messages
      * @throws IOException
      */
     private void authenticateToVNCServer() throws IOException {
-        if (!client.isVncOverWebSocketConnection()) {
+        if (client.isVncOverWebSocketConnection()) {
+            return;
+        }
+
+        if (client.isVncOverTunnel()) {
             String ver = client.handshake();
             session.getRemote().sendBytes(ByteBuffer.wrap(ver.getBytes(), 0, ver.length()));
 
-            byte[] b = client.authenticate(getClientHostPassword());
+            byte[] b = client.authenticateTunnel(getClientHostPassword());
             session.getRemote().sendBytes(ByteBuffer.wrap(b, 0, 4));
+        } else {
+            ByteBuffer verStr = client.handshakeProtocolVersion();
+            sendMessageToVNCClient(verStr.array(), 12);
+
+            int secType = client.handshakeSecurityType();
+            byte[] numberTypesToClient = new byte[] { 1, (byte) secType };
+            sendMessageToVNCClient(numberTypesToClient, 2);
+
+            client.processHandshakeSecurityType(secType, getClientHostPassword(),
+                    getClientHostAddress(), getClientHostPort());
+
+            byte[] securityResultToClient = new byte[] { 0, 0, 0, 0 };
+            sendMessageToVNCClient(securityResultToClient, 4);
+            client.setWaitForNoVnc(true);
+
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }

Review Comment:
   do we want this repetitive single word message in the log file? It seems that it would not be helpful during debugging by an operator. I would suggest one start message and then keeping track of time for a second message:
   ```suggestion
               s_logger.debug("Waiting for NoVnc");
               int cycles = 0;
               while (client.isWaitForNoVnc()) {
                   cycles++;
               }
               if (s_logger.isDebugEnabled()) {
                   s_logger.debug(String.format("Waited %d cycles for NoVnc", cycles));
               }
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java:
##########
@@ -137,18 +145,80 @@ public void run() {
 
     /**
      * Authenticate to VNC server when not using websockets
+     *
+     * Since we are supporting the 3.8 version of the RFB protocol, there are changes on the stages:
+     * 1. Handshake:
+     *    1.a. Protocol version
+     *    1.b. Security types
+     * 2. Security types
+     * 3. Initialisation
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#7protocol-messages
      * @throws IOException
      */
     private void authenticateToVNCServer() throws IOException {
-        if (!client.isVncOverWebSocketConnection()) {
+        if (client.isVncOverWebSocketConnection()) {
+            return;
+        }
+
+        if (client.isVncOverTunnel()) {
             String ver = client.handshake();
             session.getRemote().sendBytes(ByteBuffer.wrap(ver.getBytes(), 0, ver.length()));
 
-            byte[] b = client.authenticate(getClientHostPassword());
+            byte[] b = client.authenticateTunnel(getClientHostPassword());
             session.getRemote().sendBytes(ByteBuffer.wrap(b, 0, 4));
+        } else {
+            ByteBuffer verStr = client.handshakeProtocolVersion();
+            sendMessageToVNCClient(verStr.array(), 12);
+
+            int secType = client.handshakeSecurityType();
+            byte[] numberTypesToClient = new byte[] { 1, (byte) secType };
+            sendMessageToVNCClient(numberTypesToClient, 2);
+
+            client.processHandshakeSecurityType(secType, getClientHostPassword(),
+                    getClientHostAddress(), getClientHostPort());
+
+            byte[] securityResultToClient = new byte[] { 0, 0, 0, 0 };
+            sendMessageToVNCClient(securityResultToClient, 4);
+            client.setWaitForNoVnc(true);
+
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }
+
+            String serverName = String.format("%s %s", clientParam.getClientDisplayName(),
+                    client.isTLSConnectionEstablished() ? "(TLS backend)" : "");
+            byte[] bytesServerInit = rewriteServerNameInServerInit(client.readServerInit(), serverName);
+            s_logger.info(String.format("Server init message is %s (%s)", Arrays.toString(bytesServerInit), new String(bytesServerInit)));
+            session.getRemote().sendBytes(ByteBuffer.wrap(bytesServerInit));
+            client.setWaitForNoVnc(true);
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }

Review Comment:
   see above, but put it in another method



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
+            throws IOException {
+        // Read security result
+        int authResult = this.tunnelInputStream.readInt();
+
+        switch (authResult) {
+            case RfbConstants.VNC_AUTH_OK: {
+                // Nothing to do
+                break;
+            }
+
+            case RfbConstants.VNC_AUTH_TOO_MANY:
+                s_logger.error("Connection to VNC server failed: too many wrong attempts.");
+                throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
+
+            case RfbConstants.VNC_AUTH_FAILED:
+                s_logger.error("Connection to VNC server failed: wrong password.");
+                throw new RuntimeException("Connection to VNC server failed: wrong password.");
+
+            default:
+                s_logger.error("Connection to VNC server failed, reason code: " + authResult);
+                throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
+        }
+    }
+
     public int read(byte[] b) throws IOException {
-        return is.read(b);
+        return tunnelInputStream.read(b);
     }
 
     public void write(byte[] b) throws IOException {
         if (isVncOverWebSocketConnection()) {
             proxyMsgOverWebSocketConnection(ByteBuffer.wrap(b));
+        } else if (!isVncOverTunnel()) {
+            this.socketConnection.writeBytes(b, 0, b.length);
+        } else {
+            tunnelOutputStream.write(b);
+        }
+    }
+
+    public void writeFrame(Frame frame) {
+        byte[] data = new byte[frame.getPayloadLength()];
+        frame.getPayload().get(data);
+
+        if (securityPhaseCompleted) {
+            socketConnection.writeBytes(ByteBuffer.wrap(data), data.length);
+            socketConnection.flushWriteBuffer();
+            if (writerLeft == null) {
+                writerLeft = 3;
+                setWaitForNoVnc(false);
+            } else if (writerLeft > 0) {
+                writerLeft--;
+            }
+        } else {
+            socketConnection.writeBytes(data, 0, data.length);
+            if (flushAfterReceivingNoVNCData) {
+                socketConnection.flushWriteBuffer();
+                flushAfterReceivingNoVNCData = false;
+            }

Review Comment:
   `writeInsecureFrame()`



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
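Review bot: selectFromTheServerOfferedSecurityTypes returns the first offered type that is in VncSecurity.supportedSecurityTypes, in the server's order, so whether a session ends up on VeNCrypt or on plain VNC authentication depends on how libvirt/QEMU happens to list them rather than on proxy policy. Walk the whole list and pick the strongest supported type (VeNCrypt over VNC auth, X509 over anonymous), and when the host is expected to use TLS fail the connection instead of accepting a weaker offer; this is also the only defence against an on-path party that removes type 19 from the unencrypted list to force a downgrade. Returning from inside the for loop additionally leaves the unread tail of the list on tunnelInputStream. A second concern in this hunk: the version and security-type exchange goes through tunnelInputStream/tunnelOutputStream while getVEncryptSecuritySubtype reads and writes through socketConnection; if those are separately buffered wrappers over the same socket, bytes already buffered by one are invisible to the other and the VeNCrypt version bytes may be read from the wrong place.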

Review Comment:
   is this repetitive trace useful?



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java:
##########
@@ -137,18 +145,80 @@ public void run() {
 
     /**
      * Authenticate to VNC server when not using websockets
+     *
+     * Since we are supporting the 3.8 version of the RFB protocol, there are changes on the stages:
+     * 1. Handshake:
+     *    1.a. Protocol version
+     *    1.b. Security types
+     * 2. Security types
+     * 3. Initialisation
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#7protocol-messages
      * @throws IOException
      */
     private void authenticateToVNCServer() throws IOException {
-        if (!client.isVncOverWebSocketConnection()) {
+        if (client.isVncOverWebSocketConnection()) {
+            return;
+        }
+
+        if (client.isVncOverTunnel()) {
             String ver = client.handshake();
             session.getRemote().sendBytes(ByteBuffer.wrap(ver.getBytes(), 0, ver.length()));
 
-            byte[] b = client.authenticate(getClientHostPassword());
+            byte[] b = client.authenticateTunnel(getClientHostPassword());
             session.getRemote().sendBytes(ByteBuffer.wrap(b, 0, 4));
+        } else {
+            ByteBuffer verStr = client.handshakeProtocolVersion();
+            sendMessageToVNCClient(verStr.array(), 12);
+
+            int secType = client.handshakeSecurityType();
+            byte[] numberTypesToClient = new byte[] { 1, (byte) secType };
+            sendMessageToVNCClient(numberTypesToClient, 2);
+
+            client.processHandshakeSecurityType(secType, getClientHostPassword(),
+                    getClientHostAddress(), getClientHostPort());
+
+            byte[] securityResultToClient = new byte[] { 0, 0, 0, 0 };
+            sendMessageToVNCClient(securityResultToClient, 4);
+            client.setWaitForNoVnc(true);
+
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }
+
+            String serverName = String.format("%s %s", clientParam.getClientDisplayName(),
+                    client.isTLSConnectionEstablished() ? "(TLS backend)" : "");
+            byte[] bytesServerInit = rewriteServerNameInServerInit(client.readServerInit(), serverName);
+            s_logger.info(String.format("Server init message is %s (%s)", Arrays.toString(bytesServerInit), new String(bytesServerInit)));
+            session.getRemote().sendBytes(ByteBuffer.wrap(bytesServerInit));
+            client.setWaitForNoVnc(true);
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }
+            s_logger.info("Authenticated successfully");

Review Comment:
   can this go in a new method?



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
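Review bot: handshakeProtocolVersion echoes the server's own 12-byte version string back to it (`tunnelOutputStream.write(buf)`) after only checking that it contains RFB_PROTOCOL_VERSION_MAJOR, while returning RFB_PROTOCOL_VERSION to the browser side. Under RFB a 3.3 server that is answered with its own "RFB 003.003" string decides the security type itself and sends a single U32, not the count-plus-list exchange that handshakeSecurityTypes performs next, so echoing buf makes the rest of the handshake depend on the server's version rather than on the 3.8 flow the doc comment says this code implements. Send the proxy's own version string and reject anything below it, log the server's string at debug level, and turn the loose `contains` into a prefix check on "RFB 003.".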

Review Comment:
   this method is too big and too complicated, please dissect.



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java:
##########
@@ -71,6 +71,12 @@ public static Map<String, String> getQueryMap(String query) {
                 } else {
                     s_logger.error("decode token. tag info is not found!");
                 }
+                if (param.getClientDisplayName() != null) {
+                    s_logger.debug("decode token. displayname: " + param.getClientDisplayName());
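Review bot: the display name pulled out of the decoded token is written to the log verbatim (`s_logger.debug("decode token. displayname: " + param.getClientDisplayName())`). In CloudStack the display name is chosen by the VM owner, so the value can carry newlines or control characters and forge extra lines in the console proxy log; strip or escape non-printable characters (or log only its length alongside the VM id), and guard the call with isDebugEnabled as the review suggests.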

Review Comment:
   ```suggestion
                       if (s_logger.isDebugEnabled()) {
                           s_logger.debug(String.format("decode token. displayname: %s", param.getClientDisplayName()));
                       }
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/security/VncTLSSecurity.java:
##########
@@ -0,0 +1,116 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.consoleproxy.vnc.security;
+
+import com.cloud.consoleproxy.util.Logger;
+import com.cloud.consoleproxy.vnc.RfbConstants;
+import com.cloud.consoleproxy.vnc.network.NioSocketHandler;
+import com.cloud.consoleproxy.vnc.network.SSLEngineManager;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.utils.nio.Link;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.util.ArrayList;
+
+public class VncTLSSecurity implements VncSecurity {
+
+    private static final Logger s_logger = Logger.getLogger(VncTLSSecurity.class);
+
+    private SSLContext ctx;
+    private SSLEngine engine;
+    private SSLEngineManager manager;
+
+    private boolean anon;
+    private final String host;
+    private final int port;
+
+    public VncTLSSecurity(String host, int port) {
+        this.host = host;
+        this.port = port;
+        this.anon = false;
+    }
+
+    private void initGlobal() {
+        try {
+            ctx = Link.initClientSSLContext();
+        } catch (GeneralSecurityException | IOException e) {
+            throw new CloudRuntimeException("Unable to initialize SSL context", e);
+        }
+    }
+
+    private void setParam() {
+        engine = ctx.createSSLEngine(this.host, this.port);
+        engine.setUseClientMode(true);
+
+        String[] supported = engine.getSupportedProtocols();
+        ArrayList<String> enabled = new ArrayList<String>();
+        for (int i = 0; i < supported.length; i++)
+            if (supported[i].matches("TLS.*"))
+                enabled.add(supported[i]);
+        engine.setEnabledProtocols(enabled.toArray(new String[0]));
+
+        if (anon) {
+            supported = engine.getSupportedCipherSuites();
+            enabled = new ArrayList<String>();
+            // prefer ECDH over DHE
+            for (int i = 0; i < supported.length; i++)
+                if (supported[i].matches("TLS_ECDH_anon.*"))
+                    enabled.add(supported[i]);
+            for (int i = 0; i < supported.length; i++)
+                if (supported[i].matches("TLS_DH_anon.*"))
+                    enabled.add(supported[i]);
+            engine.setEnabledCipherSuites(enabled.toArray(new String[0]));
+        } else {
+            engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
+        }
+    }
+
+    @Override
+    public void process(NioSocketHandler socketHandler) {
+        s_logger.info("Processing VNC TLS security");
+
+        initGlobal();
+
+        if (manager == null) {
+            if (socketHandler.readUnsignedInteger(8) == 0) {
+                int result = socketHandler.readUnsignedInteger(32);
+                String reason;
+                if (result == RfbConstants.VNC_AUTH_FAILED || result == RfbConstants.VNC_AUTH_TOO_MANY) {
+                    reason = socketHandler.readString();
+                } else {
+                    reason = "Authentication failure (protocol error)";
+                }
+                throw new CloudRuntimeException(reason);
+            }
+            setParam();
+        }
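Review bot: in `setParam()`, the non-anonymous branch calls `engine.setEnabledCipherSuites(engine.getSupportedCipherSuites())`, which enables every suite the provider can negotiate rather than the JDK's default enabled set; the hunk's own `anon` branch shows that the supported list contains `TLS_ECDH_anon.*` and `TLS_DH_anon.*` suites, so this widens the negotiable set to include suites without server authentication. Keep the engine's defaults (drop the call) or filter `getSupportedCipherSuites()` against a positive allow-list. The `"TLS.*"` protocol filter likewise re-enables TLSv1 and TLSv1.1 wherever the runtime still supports them; restrict it to TLSv1.2 and TLSv1.3. The `anon` branch itself is dead code here (`anon` is set to `false` in the constructor and never changed), and since anonymous DH gives no server authentication it is safer to remove it than to leave it for a future flag. Nothing visible enables endpoint identification on the engine (`SSLParameters.setEndpointIdentificationAlgorithm`), so please confirm that the trust manager from `Link.initClientSSLContext()` binds the presented certificate to the KVM host being connected to; otherwise any certificate issued by the CA framework would be accepted for any host.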

Review Comment:
   move to a handleErrorState() type of method?



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
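Review bot: in `selectFromTheServerOfferedSecurityTypes()` the `reasonLength` read from the server goes straight into `new byte[reasonLength]`, so a hostile or broken VNC endpoint can make the proxy allocate an arbitrary (or negative) size before `readFully` runs; reject negatives and cap the length at a small maximum before allocating, and decode the reason with an explicit charset. `readByte()` also returns a signed value, so a security-type count or type above 127 becomes negative; assuming `tunnelInputStream` is a `DataInput`, read these with `readUnsignedByte()` so the loop bound and the `supportedSecurityTypes.contains(...)` lookup see the RFB value.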

Review Comment:
   separate method



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/network/SSLEngineManager.java:
##########
@@ -0,0 +1,180 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.consoleproxy.vnc.network;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLSession;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.concurrent.Executor;
+import java.util.concurrent.Executors;
+
+public class SSLEngineManager {
+
+    private SSLEngine engine = null;
+
+    private ByteBuffer myNetData;
+    private ByteBuffer peerNetData;
+
+    private Executor executor;
+    private NioSocketInputStream inputStream;
+    private NioSocketOutputStream outputStream;
+
+    public SSLEngineManager(SSLEngine sslEngine, NioSocketHandler socket) throws IOException {
+        this.inputStream = socket.getInputStream();
+        this.outputStream = socket.getOutputStream();
+        engine = sslEngine;
+
+        executor = Executors.newSingleThreadExecutor();
+
+        int pktBufSize = engine.getSession().getPacketBufferSize();
+        myNetData = ByteBuffer.allocate(pktBufSize);
+        peerNetData = ByteBuffer.allocate(pktBufSize);
+    }
+
+    public void doHandshake() throws Exception {
+
+        // Begin handshake
+        engine.beginHandshake();
+        SSLEngineResult.HandshakeStatus hs = engine.getHandshakeStatus();
+
+        // Process handshaking message
+        SSLEngineResult res = null;
+        int appBufSize = engine.getSession().getApplicationBufferSize();
+        ByteBuffer peerAppData = ByteBuffer.allocate(appBufSize);
+        ByteBuffer myAppData = ByteBuffer.allocate(appBufSize);
+        while (hs != SSLEngineResult.HandshakeStatus.FINISHED &&
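Review bot: `doHandshake()` is declared `throws Exception`, which forces callers to catch `Exception` and hides the cases they actually need to tell apart (a failed certificate check surfacing as `SSLHandshakeException` versus a dropped socket as `IOException`); narrow it to `IOException`. The single-thread `executor` created in the constructor also needs a shutdown path (a `close()` that calls `executor.shutdown()`), otherwise every VNC session leaks a non-daemon thread; if the rest of the class already does this, ignore.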

Review Comment:
   a while with double nested switch statements. Can this be restructured somehow?



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
+            throws IOException {
+        // Read security result
+        int authResult = this.tunnelInputStream.readInt();
+
+        switch (authResult) {
+            case RfbConstants.VNC_AUTH_OK: {
+                // Nothing to do
+                break;
+            }
+
+            case RfbConstants.VNC_AUTH_TOO_MANY:
+                s_logger.error("Connection to VNC server failed: too many wrong attempts.");
+                throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
+
+            case RfbConstants.VNC_AUTH_FAILED:
+                s_logger.error("Connection to VNC server failed: wrong password.");
+                throw new RuntimeException("Connection to VNC server failed: wrong password.");
+
+            default:
+                s_logger.error("Connection to VNC server failed, reason code: " + authResult);
+                throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
+        }
+    }
+
     public int read(byte[] b) throws IOException {
-        return is.read(b);
+        return tunnelInputStream.read(b);
     }
 
     public void write(byte[] b) throws IOException {
         if (isVncOverWebSocketConnection()) {
             proxyMsgOverWebSocketConnection(ByteBuffer.wrap(b));
+        } else if (!isVncOverTunnel()) {
+            this.socketConnection.writeBytes(b, 0, b.length);
+        } else {
+            tunnelOutputStream.write(b);
+        }
+    }
+
+    public void writeFrame(Frame frame) {
+        byte[] data = new byte[frame.getPayloadLength()];
+        frame.getPayload().get(data);
+
+        if (securityPhaseCompleted) {
+            socketConnection.writeBytes(ByteBuffer.wrap(data), data.length);
+            socketConnection.flushWriteBuffer();
+            if (writerLeft == null) {
+                writerLeft = 3;
+                setWaitForNoVnc(false);
+            } else if (writerLeft > 0) {
+                writerLeft--;
+            }
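Review bot: in `getVEncryptSecuritySubtype()` the `while (!socketConnection.checkIfBytesAreAvailableForReading(4))` loop spins at full CPU with only a trace log per iteration and no sleep or deadline, so a VNC server that stalls after announcing its sub-type count pins a console-proxy thread indefinitely; use a blocking read with a socket timeout or at least a bounded wait. In the same method, when none of the offered sub-types equals `V_ENCRYPT_X509_VNC`, `selectedSubtype` stays 0, is still written to the server and returned to `handshakeSecurityTypes()`, which then builds a security stack for sub-type 0; throw instead, so that a server offering only plain or anonymous VeNCrypt sub-types fails closed. Also in `writeFrame()`, `writerLeft = 3` is an unexplained magic number; name the constant and document what the three frames are.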

Review Comment:
   `writeSecureFrame()`?





[GitHub] [cloudstack] DaanHoogland commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362814284

   > SonarCloud Quality Gate failed. [Quality Gate failed](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   > 
   > [A](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [A](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [E](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [2 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [A](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [38 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   > 
   > [0.3% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   @nvazquez please go through these.




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362898535

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398260472

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055919649


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
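Review bot: `handshakeProtocolVersion()` echoes the server's 12-byte version string back unchanged (`tunnelOutputStream.write(buf)`) but returns the fixed `RfbConstants.RFB_PROTOCOL_VERSION` to the browser side, so the proxy can agree to a different 3.x minor version with the server than the one it reports to the client; write the version the proxy actually implements to the server, and compare against the exact `"RFB 003.00x\n"` form rather than `contains(RFB_PROTOCOL_VERSION_MAJOR)`, which is only a substring test. `new String(buf)` should also name `StandardCharsets.US_ASCII`, and the `clientRemote` parameter is unused in this method.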

Review Comment:
   Done, thanks





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363531608

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364060868

   @blueorangutan ui




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1382899076

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380852704

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380969060

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - Bugs: 0 (rating A)
   - Vulnerabilities: 0 (rating A)
   - Security Hotspots: 0 (rating A)
   - Code Smells: 0 (rating A)
   - Coverage on new code: 0.4%
   - Duplication on new code: 0.5%
   
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380963615

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5252




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380915587

   Thanks @GutoVeronezi, I've addressed your comments.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1386356511

   Trillian test result (tid-5879)
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 44969 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5879-kvm-centos7.zip
   Smoke tests completed. 106 look OK, 1 has errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_unsecure_vm_migration | `Error` | 219.96 | test_vm_life_cycle.py
   test_04_nonsecured_to_secured_vm_migration | `Error` | 143.94 | test_vm_life_cycle.py
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387212065

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055918022


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java:
##########
@@ -137,18 +145,80 @@ public void run() {
 
     /**
      * Authenticate to VNC server when not using websockets
+     *
+     * Since we are supporting the 3.8 version of the RFB protocol, there are changes on the stages:
+     * 1. Handshake:
+     *    1.a. Protocol version
+     *    1.b. Security types
+     * 2. Security types
+     * 3. Initialisation
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#7protocol-messages
      * @throws IOException
      */
     private void authenticateToVNCServer() throws IOException {
-        if (!client.isVncOverWebSocketConnection()) {
+        if (client.isVncOverWebSocketConnection()) {
+            return;
+        }
+
+        if (client.isVncOverTunnel()) {
             String ver = client.handshake();
             session.getRemote().sendBytes(ByteBuffer.wrap(ver.getBytes(), 0, ver.length()));
 
-            byte[] b = client.authenticate(getClientHostPassword());
+            byte[] b = client.authenticateTunnel(getClientHostPassword());
             session.getRemote().sendBytes(ByteBuffer.wrap(b, 0, 4));
+        } else {
+            ByteBuffer verStr = client.handshakeProtocolVersion();
+            sendMessageToVNCClient(verStr.array(), 12);
+
+            int secType = client.handshakeSecurityType();
+            byte[] numberTypesToClient = new byte[] { 1, (byte) secType };
+            sendMessageToVNCClient(numberTypesToClient, 2);
+
+            client.processHandshakeSecurityType(secType, getClientHostPassword(),
+                    getClientHostAddress(), getClientHostPort());
+
+            byte[] securityResultToClient = new byte[] { 0, 0, 0, 0 };
+            sendMessageToVNCClient(securityResultToClient, 4);
+            client.setWaitForNoVnc(true);
+
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }
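Review bot: the `while (client.isWaitForNoVnc()) { s_logger.debug("Waiting"); }` loop at the end of the non-tunnel branch spins without a sleep, a timeout or an interruption check, so the console proxy thread runs at full CPU, floods the debug log, and never leaves `authenticateToVNCServer()` if the flag is never cleared (for instance when the noVNC client disconnects mid-handshake). Consider blocking on a `CountDownLatch`/`Object.wait()` with a bounded timeout and closing the session when it expires. Also note that the SecurityResult `new byte[] { 0, 0, 0, 0 }` (OK) is sent to the browser client unconditionally right after `client.processHandshakeSecurityType(...)` returns; this is only safe if that method throws rather than returns on a failed VeNCrypt/TLS handshake with the hypervisor, otherwise the client is told authentication succeeded when it did not. A short comment stating that contract, or an explicit result check before sending the OK, would make the dependency visible to the next reader.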

Review Comment:
   Done, thanks





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364061217

   @nvazquez a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362405405

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363547858

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363853253

   @blueorangutan test




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362753727

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - Bugs: 0 (rating A)
   - Vulnerabilities: 0 (rating A)
   - Security Hotspots: 2 (rating E)
   - Code Smells: 38 (rating A)
   - Coverage on new code: 0.3%
   - Duplication on new code: 0.4%
   
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380915978

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1382910935

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5274




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381114396

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - Bugs: 0 (rating A)
   - Vulnerabilities: 0 (rating A)
   - Security Hotspots: 0 (rating A)
   - Code Smells: 0 (rating A)
   - Coverage on new code: 0.4%
   - Duplication on new code: 0.5%
   
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381082633

   @blueorangutan package




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381999157

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015
   
   - Bugs: 0 (rating A)
   - Vulnerabilities: 0 (rating A)
   - Security Hotspots: 0 (rating A)
   - Code Smells: 0 (rating A)
   - Coverage on new code: 0.4%
   - Duplication on new code: 0.5%
   
   




[GitHub] [cloudstack] GutoVeronezi commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
GutoVeronezi commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1365878484

   @nvazquez, I pointed out some minor improvements. I will reserve some time to make a deeper review and test the feature.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363671877

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5064




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363443411

   @DaanHoogland @weizhouapache @slavkap many thanks for your reviews, I have addressed them and also the sonarcloud reports. Can you please re-check?




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1383370523

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1383868200

   @blueorangutan test




[GitHub] [cloudstack] DaanHoogland commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398470127

   @blueorangutan test




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398192814

   @blueorangutan package




[GitHub] [cloudstack] DaanHoogland commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398354946

   @borisstoyanov, you approved based on manual testing, am I right?




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362443854

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5053




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362753112

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5057




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363443703

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362696894

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363531390

   @blueorangutan test




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363854099

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380916873

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381117529

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] slavkap commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
slavkap commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055559223


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -80,7 +78,7 @@ public void connectTo(String host, int port, String path, String session, boolea
         setTunnelSocketStreams();
     }
 
-    public void connectTo(String host, int port) throws UnknownHostException, IOException {
+    public void connectTo(String host, int port) {
         // Connect to server
         s_logger.info("Connecting to VNC server " + host + ":" + port + "...");
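
Review bot: Dropping `throws UnknownHostException, IOException` from `connectTo(String host, int port)` means a failed socket connect is no longer a checked exception for callers, and the hunk does not show how the body now handles it; either catch the exceptions inside and rethrow a `CloudRuntimeException` that carries the host and port, or keep the `throws` clause so the console proxy's caller is still forced to handle an unreachable VNC server.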

Review Comment:
   ```suggestion
           s_logger.info(String.format("Connecting to VNC server %s:%s", host, port));
   ```
   a few suggestions 



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -143,16 +141,15 @@ public String handshake() throws IOException {
 
         // Server should use RFB protocol 3.x
         if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
-            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
-            throw new RuntimeException(
-                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            String msg = "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".";
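
Review bot: The hunk ends right after `String msg = ...`, so make sure the lines that follow still log the message and throw; the removed `throw new RuntimeException(...)` must not be lost, or an unsupported protocol version would fall through into the rest of the handshake. Also, `rfbProtocol` is the raw 12 bytes read from the VNC server (see `handshakeProtocolVersion` further down), so escape non-printable characters before the value goes into the log line.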

Review Comment:
   ```suggestion
               String msg = String.format("Cannot handshake with VNC server. Unsupported protocol version: [%s]" , rfbProtocol);
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -219,23 +216,27 @@ private void doVncAuth(DataInputStream in, DataOutputStream out, String password
         // Read security result
         int authResult = in.readInt();
 
+        String msg;
         switch (authResult) {
             case RfbConstants.VNC_AUTH_OK: {
                 // Nothing to do
                 break;
             }
 
             case RfbConstants.VNC_AUTH_TOO_MANY:
-                s_logger.error("Connection to VNC server failed: too many wrong attempts.");
-                throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
+                msg = "Connection to VNC server failed: too many wrong attempts.";
+                s_logger.error(msg);
+                throw new RuntimeException(msg);
 
             case RfbConstants.VNC_AUTH_FAILED:
-                s_logger.error("Connection to VNC server failed: wrong password.");
-                throw new RuntimeException("Connection to VNC server failed: wrong password.");
+                msg = "Connection to VNC server failed: wrong password.";
+                s_logger.error(msg);
+                throw new RuntimeException(msg);
 
             default:
-                s_logger.error("Connection to VNC server failed, reason code: " + authResult);
-                throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
+                msg = "Connection to VNC server failed, reason code: " + authResult;
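
Review bot: The `VNC_AUTH_TOO_MANY`, `VNC_AUTH_FAILED` and `default` branches now each repeat the same log-then-throw pair; a small helper such as `failAuth(String msg)` doing `s_logger.error(msg); throw new RuntimeException(msg);` would remove the repetition and the `String msg;` declaration hoisted above the switch. The `VNC_AUTH_OK` case is still braced while the other cases are not; pick one style for the switch.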

Review Comment:
   ```suggestion
                   msg = String.format("Connection to VNC server failed, reason code: %s", authResult);
   ```





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1383869159

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398257924

   Packaging result: :heavy_multiplication_x: el7 :heavy_multiplication_x: el8 :heavy_multiplication_x: el9 :heavy_multiplication_x: debian :heavy_multiplication_x: suse15. SL-JID 5340




[GitHub] [cloudstack] borisstoyanov commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
borisstoyanov commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1370924477

   @blueorangutan test keepEnv




[GitHub] [cloudstack] rohityadavcloud commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1406391883

   LGTM, tested this in an old env which is upgraded to this feature. The old VM (ssvm, cpvm, VR etc) had unencrypted vnc console; on stop/start they were shown as encrypted. I also tested the provisionCertificate API and read the documentation notes and cross-checked all requirements.
   ![Screenshot 2023-01-27 at 5 21 14 PM](https://user-images.githubusercontent.com/95203/215079898-ad5174af-7b74-4401-8215-2de2d1c75275.png)




[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055658022


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
+            throws IOException {
+        // Read security result
+        int authResult = this.tunnelInputStream.readInt();
+
+        switch (authResult) {
+            case RfbConstants.VNC_AUTH_OK: {
+                // Nothing to do
+                break;
+            }
+
+            case RfbConstants.VNC_AUTH_TOO_MANY:
+                s_logger.error("Connection to VNC server failed: too many wrong attempts.");
+                throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
+
+            case RfbConstants.VNC_AUTH_FAILED:
+                s_logger.error("Connection to VNC server failed: wrong password.");
+                throw new RuntimeException("Connection to VNC server failed: wrong password.");
+
+            default:
+                s_logger.error("Connection to VNC server failed, reason code: " + authResult);
+                throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
+        }
+    }
+
     public int read(byte[] b) throws IOException {
-        return is.read(b);
+        return tunnelInputStream.read(b);
     }
 
     public void write(byte[] b) throws IOException {
         if (isVncOverWebSocketConnection()) {
             proxyMsgOverWebSocketConnection(ByteBuffer.wrap(b));
+        } else if (!isVncOverTunnel()) {
+            this.socketConnection.writeBytes(b, 0, b.length);
+        } else {
+            tunnelOutputStream.write(b);
+        }
+    }
+
+    public void writeFrame(Frame frame) {
+        byte[] data = new byte[frame.getPayloadLength()];
+        frame.getPayload().get(data);
+
+        if (securityPhaseCompleted) {
+            socketConnection.writeBytes(ByteBuffer.wrap(data), data.length);
+            socketConnection.flushWriteBuffer();
+            if (writerLeft == null) {
+                writerLeft = 3;
+                setWaitForNoVnc(false);
+            } else if (writerLeft > 0) {
+                writerLeft--;
+            }
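
Review bot: In `selectFromTheServerOfferedSecurityTypes`, if `tunnelInputStream` is a `DataInputStream` then `readByte()` is signed, so a security-type count or type value above 127 (both are U8 in RFB) becomes negative and the loop never runs; use `readUnsignedByte()`. In the same method `reasonLength` comes straight from the server and feeds `new byte[reasonLength]`, so a malformed or hostile server can force an arbitrarily large allocation; cap it before allocating. In `getVEncryptSecuritySubtype` the loop breaks as soon as `V_ENCRYPT_X509_VNC` is seen, leaving any remaining 4-byte sub-types unread on the socket, so whatever the caller reads next gets those bytes instead of the server's reply; read all `numberOfSubtypes` values before choosing, and treat `selectedSubtype == 0` as a failure rather than returning it. The `while (!socketConnection.checkIfBytesAreAvailableForReading(4))` loop also spins with no sleep or timeout.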

Review Comment:
   No, insecure or secure use the same nioSocketConnection



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
+            throws IOException {
+        // Read security result
+        int authResult = this.tunnelInputStream.readInt();
+
+        switch (authResult) {
+            case RfbConstants.VNC_AUTH_OK: {
+                // Nothing to do
+                break;
+            }
+
+            case RfbConstants.VNC_AUTH_TOO_MANY:
+                s_logger.error("Connection to VNC server failed: too many wrong attempts.");
+                throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
+
+            case RfbConstants.VNC_AUTH_FAILED:
+                s_logger.error("Connection to VNC server failed: wrong password.");
+                throw new RuntimeException("Connection to VNC server failed: wrong password.");
+
+            default:
+                s_logger.error("Connection to VNC server failed, reason code: " + authResult);
+                throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
+        }
+    }
+
     public int read(byte[] b) throws IOException {
-        return is.read(b);
+        return tunnelInputStream.read(b);
     }
 
     public void write(byte[] b) throws IOException {
         if (isVncOverWebSocketConnection()) {
             proxyMsgOverWebSocketConnection(ByteBuffer.wrap(b));
+        } else if (!isVncOverTunnel()) {
+            this.socketConnection.writeBytes(b, 0, b.length);
+        } else {
+            tunnelOutputStream.write(b);
+        }
+    }
+
+    public void writeFrame(Frame frame) {
+        byte[] data = new byte[frame.getPayloadLength()];
+        frame.getPayload().get(data);
+
+        if (securityPhaseCompleted) {
+            socketConnection.writeBytes(ByteBuffer.wrap(data), data.length);
+            socketConnection.flushWriteBuffer();
+            if (writerLeft == null) {
+                writerLeft = 3;
+                setWaitForNoVnc(false);
+            } else if (writerLeft > 0) {
+                writerLeft--;
+            }
+        } else {
+            socketConnection.writeBytes(data, 0, data.length);
+            if (flushAfterReceivingNoVNCData) {
+                socketConnection.flushWriteBuffer();
+                flushAfterReceivingNoVNCData = false;
+            }
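
Review bot: `writeFrame` branches on `securityPhaseCompleted` and mutates `writerLeft` and `flushAfterReceivingNoVNCData`, none of which is shown as `volatile` or guarded by a lock, yet `setWaitForNoVnc(false)` here pairs with the `while (client.isWaitForNoVnc())` spin in `ConsoleProxyNoVncClient`, so these flags are crossing threads; mark them `volatile` or synchronize access. The two branches also differ in flush policy (every frame after the security phase, only when `flushAfterReceivingNoVNCData` is set before it) and `writerLeft` is a boxed `Integer` that starts `null` and counts down from 3 with no comment on what those three frames are; both need a short explanation in the code.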

Review Comment:
   Same as above





[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055686997


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java:
##########
@@ -137,18 +145,80 @@ public void run() {
 
     /**
      * Authenticate to VNC server when not using websockets
+     *
+     * Since we are supporting the 3.8 version of the RFB protocol, there are changes on the stages:
+     * 1. Handshake:
+     *    1.a. Protocol version
+     *    1.b. Security types
+     * 2. Security types
+     * 3. Initialisation
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#7protocol-messages
      * @throws IOException
      */
     private void authenticateToVNCServer() throws IOException {
-        if (!client.isVncOverWebSocketConnection()) {
+        if (client.isVncOverWebSocketConnection()) {
+            return;
+        }
+
+        if (client.isVncOverTunnel()) {
             String ver = client.handshake();
             session.getRemote().sendBytes(ByteBuffer.wrap(ver.getBytes(), 0, ver.length()));
 
-            byte[] b = client.authenticate(getClientHostPassword());
+            byte[] b = client.authenticateTunnel(getClientHostPassword());
             session.getRemote().sendBytes(ByteBuffer.wrap(b, 0, 4));
+        } else {
+            ByteBuffer verStr = client.handshakeProtocolVersion();
+            sendMessageToVNCClient(verStr.array(), 12);
+
+            int secType = client.handshakeSecurityType();
+            byte[] numberTypesToClient = new byte[] { 1, (byte) secType };
+            sendMessageToVNCClient(numberTypesToClient, 2);
+
+            client.processHandshakeSecurityType(secType, getClientHostPassword(),
+                    getClientHostAddress(), getClientHostPort());
+
+            byte[] securityResultToClient = new byte[] { 0, 0, 0, 0 };
+            sendMessageToVNCClient(securityResultToClient, 4);
+            client.setWaitForNoVnc(true);
+
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }
+
+            String serverName = String.format("%s %s", clientParam.getClientDisplayName(),
+                    client.isTLSConnectionEstablished() ? "(TLS backend)" : "");
+            byte[] bytesServerInit = rewriteServerNameInServerInit(client.readServerInit(), serverName);
+            s_logger.info(String.format("Server init message is %s (%s)", Arrays.toString(bytesServerInit), new String(bytesServerInit)));
+            session.getRemote().sendBytes(ByteBuffer.wrap(bytesServerInit));
+            client.setWaitForNoVnc(true);
+            while (client.isWaitForNoVnc()) {
+                s_logger.debug("Waiting");
+            }
+            s_logger.info("Authenticated successfully");
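
Review bot: the two `while (client.isWaitForNoVnc()) { s_logger.debug("Waiting"); }` loops after the SecurityResult and ServerInit sends spin on a CPU core and never time out, so a browser client that stops responding (or never sends its ClientInit) pins this proxy thread indefinitely and floods the debug log; hand the flag over with a `CountDownLatch` or `Condition` and a bounded `await(timeout)`, and tear the session down when it expires. A short comment would also help at `{ 1, (byte) secType }` / `{ 0, 0, 0, 0 }`: the browser is offered the security type negotiated with the backend but is then told SecurityResult OK without running that security type itself, so state explicitly that the proxy completes the backend security handshake on the browser's behalf.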

Review Comment:
   Sure, thanks





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362697356

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] weizhouapache commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055409023


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
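
Review bot: `new String(buf)` in the protocol-version check decodes with the JVM's default charset; the RFB ProtocolVersion message is a fixed 12-byte ASCII string, so decode it with `StandardCharsets.US_ASCII` (and do the same where the error message quotes it), otherwise both the comparison and the logged value depend on the locale the console proxy happens to run with. The `clientRemote` parameter is unused in the visible lines of this method.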

Review Comment:
   maybe there is no difference
   ```suggestion
           if (!rfbProtocol.startsWith(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
   
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -75,6 +97,10 @@ public void connectToWebSocket(String websocketUrl, Session session) throws URIS
         webSocketReverseProxy.connect();
     }
 
+    public boolean isVncOverTunnel() {
+        return this.tunnelSocket != null;
+    }
+
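
Review bot: `isVncOverTunnel()` returns true for any non-null `tunnelSocket`, including one that has already been closed, so unless the field is nulled on disconnect, callers keep taking the tunnel branch of `write()` after the tunnel is gone. Consider `tunnelSocket != null && !tunnelSocket.isClosed()`, or reset the field when the tunnel is torn down.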

Review Comment:
   @nvazquez
   would it be good to add a method like `isVncOverNioSocket`?
   it can be used to replace `if (!isVncOverTunnel)`



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
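
Review bot: in `getVEncryptSecuritySubtype` the loop `break`s as soon as `V_ENCRYPT_X509_VNC` is found, so any sub-types the server listed after it stay unread on `socketConnection`; the next read after `writeUnsignedInteger(32, selectedSubtype)` (the VeNCrypt spec has the server answer the chosen sub-type with a one-byte status) then consumes leftover sub-type bytes and the handshake desynchronises. Read all `numberOfSubtypes` values first, then select. Two smaller points in the same hunk: when no X509 sub-type is offered, `selectedSubtype` stays 0 and is sent to the server instead of failing with a clear error, and in `selectFromTheServerOfferedSecurityTypes` the server-supplied `reasonLength` from `readInt()` sizes `new byte[reasonLength]` with no sign or upper bound, so a misbehaving server can trigger a huge allocation or a `NegativeArraySizeException`; cap it before allocating, since the reason is a short human-readable string.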

Review Comment:
   it seems this method is not used in any other class.



##########
systemvm/agent/noVNC/app/ui.js:
##########
@@ -471,22 +474,31 @@ const UI = {
         clearTimeout(UI.statusTimeout);
 
         switch (statusType) {
+            case 'encrypted':

Review Comment:
   we need to re-apply these changes when upgrading noVNC.
   not a big issue, just need to pay a bit more attention



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
+            throws IOException {
+        // Read security result
+        int authResult = this.tunnelInputStream.readInt();
+
+        switch (authResult) {
+            case RfbConstants.VNC_AUTH_OK: {
+                // Nothing to do
+                break;
+            }
+
+            case RfbConstants.VNC_AUTH_TOO_MANY:
+                s_logger.error("Connection to VNC server failed: too many wrong attempts.");
+                throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
+
+            case RfbConstants.VNC_AUTH_FAILED:
+                s_logger.error("Connection to VNC server failed: wrong password.");
+                throw new RuntimeException("Connection to VNC server failed: wrong password.");
+
+            default:
+                s_logger.error("Connection to VNC server failed, reason code: " + authResult);
+                throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
+        }
+    }
+
     public int read(byte[] b) throws IOException {
-        return is.read(b);
+        return tunnelInputStream.read(b);
     }
 
     public void write(byte[] b) throws IOException {
         if (isVncOverWebSocketConnection()) {
             proxyMsgOverWebSocketConnection(ByteBuffer.wrap(b));
+        } else if (!isVncOverTunnel()) {
+            this.socketConnection.writeBytes(b, 0, b.length);
+        } else {
+            tunnelOutputStream.write(b);
+        }
+    }
+
+    public void writeFrame(Frame frame) {
+        byte[] data = new byte[frame.getPayloadLength()];
+        frame.getPayload().get(data);
+
+        if (securityPhaseCompleted) {
+            socketConnection.writeBytes(ByteBuffer.wrap(data), data.length);
+            socketConnection.flushWriteBuffer();
+            if (writerLeft == null) {
+                writerLeft = 3;
+                setWaitForNoVnc(false);
+            } else if (writerLeft > 0) {
+                writerLeft--;
+            }
+        } else {
+            socketConnection.writeBytes(data, 0, data.length);
+            if (flushAfterReceivingNoVNCData) {
+                socketConnection.flushWriteBuffer();
+                flushAfterReceivingNoVNCData = false;
+            }
+        }
+
+        if (!securityPhaseCompleted || (writerLeft != null && writerLeft == 0)) {
+            setWaitForNoVnc(false);
+        }
+    }
+
+    /**
+     * Starts the handshake with the VNC server - ProtocolVersion
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    public ByteBuffer handshakeProtocolVersion() {
+        ByteBuffer verStr = ByteBuffer.allocate(12);
+        int majorVersion;
+        int minorVersion;
+
+        s_logger.debug("Reading RFB protocol version");
+
+        socketConnection.readBytes(verStr, 12);
+
+        if ((new String(verStr.array())).matches("RFB \\d{3}\\.\\d{3}\\n")) {
+            majorVersion = Integer.parseInt((new String(verStr.array())).substring(4,7));
+            minorVersion = Integer.parseInt((new String(verStr.array())).substring(8,11));
+        } else {
+            throw new CloudRuntimeException("Reading version failed: not an RFB server?");
+        }
+
+        s_logger.info("Server supports RFB protocol version " + majorVersion + "." + minorVersion);
+
+        verStr.clear();
+        verStr.put(String.format("RFB %03d.%03d\n", majorVersion, minorVersion).getBytes()).flip();
+
+        s_logger.info("Using RFB protocol version " + majorVersion + "." + minorVersion);
+        setWaitForNoVnc(true);
+        return verStr;
+    }
+
+    /**
+     * Once the protocol version has been decided, the server and client must agree on the type
+     * of security to be used on the connection.
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     */
+    public int handshakeSecurityType() {
+        while (isWaitForNoVnc()) {
+            s_logger.trace("Waiting for noVNC msg received");
+        }
+        s_logger.debug("Processing security types message");
+
+        int secType = RfbConstants.CONNECTION_FAILED;
+
+        List<Integer> secTypes = Arrays.asList(1, 2, 19, 261);
+
+        while (!socketConnection.checkIfBytesAreAvailableForReading(1)) {
+            s_logger.trace("Waiting for inStream to be ready");
+        }
+        int nServerSecTypes = socketConnection.readUnsignedInteger(8);
+        if (nServerSecTypes == 0) {
+            throw new CloudRuntimeException("No security types provided by the server");
+        }
+
+        Iterator<Integer> j;
+        for (int i = 0; i < nServerSecTypes; i++) {
+            int serverSecType = socketConnection.readUnsignedInteger(8);
+            s_logger.debug("Server offers security type " + serverSecType);
+
+            /*
+             * Use the first type sent by server which matches client's type.
+             * It means server's order specifies priority.
+             */
+            if (secType == RfbConstants.CONNECTION_FAILED) {
+                for (j = secTypes.iterator(); j.hasNext(); ) {
+                    int refType = (Integer) j.next();
+                    if (refType == serverSecType) {
+                        secType = refType;
+                        break;
+                    }
+                }
+            }
+        }
+        this.flushAfterReceivingNoVNCData = true;
+        setWaitForNoVnc(true);
+        return secType;
+    }
+
+    private final Object lock = new Object();
+    public void setWaitForNoVnc(boolean val) {
+        synchronized (lock) {
+            this.waitForNoVnc = val;
+        }
+    }
+
+    public boolean isWaitForNoVnc() {
+        synchronized (lock) {
+            return this.waitForNoVnc;
+        }
+    }
+
+    private boolean waitForNoVnc = false;
+
+    public void processSecurityResultMsg(int secType) {
+        s_logger.info("Processing security result message");
+        int result;
+
+        if (secType == RfbConstants.NO_AUTH) {
+            result = RfbConstants.VNC_AUTH_OK;
         } else {
-            os.write(b);
+            while (!socketConnection.checkIfBytesAreAvailableForReading(1)) {
+                s_logger.trace("Waiting for inStream");
+            }
+            result = socketConnection.readUnsignedInteger(32);
+        }
+
+        switch (result) {
+            case RfbConstants.VNC_AUTH_OK:
+                s_logger.info("Security completed");
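
Review bot: `handshakeSecurityType` picks the first server-offered type found in `Arrays.asList(1, 2, 19, 261)`, so a backend that lists None (1) before VeNCrypt (19) gets an unauthenticated, unencrypted session even though the proxy supports VeNCrypt and the point of this feature is TLS to the VNC port; select by the client's own preference order (VeNCrypt, then VNC auth, then None, or fail when TLS is required and not offered) rather than by the server's order. The literal 261 in that list can never match because `readUnsignedInteger(8)` yields 0-255 and 261 is the VeNCrypt X509Vnc sub-type (`V_ENCRYPT_X509_VNC`), not an 8-bit security type; use the `RfbConstants` names as the rest of the file does. The `while (isWaitForNoVnc())` and `while (!socketConnection.checkIfBytesAreAvailableForReading(...))` loops in this hunk spin without a sleep or timeout and need a bounded wait for the same reason.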

Review Comment:
   these messages are a bit simple.
   maybe we can reuse the messages in the unused method `processSecurityResult`
   
   ```
               case RfbConstants.VNC_AUTH_TOO_MANY:
                   s_logger.error("Connection to VNC server failed: too many wrong attempts.");
                   throw new RuntimeException("Connection to VNC server failed: too many wrong attempts.");
   
               case RfbConstants.VNC_AUTH_FAILED:
                   s_logger.error("Connection to VNC server failed: wrong password.");
                   throw new RuntimeException("Connection to VNC server failed: wrong password.");
   
               default:
                   s_logger.error("Connection to VNC server failed, reason code: " + authResult);
                   throw new RuntimeException("Connection to VNC server failed, reason code: " + authResult);
           }
   ```





[GitHub] [cloudstack] rohityadavcloud commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1406392119

   Merging this based on review, testing and smoketests. cc @DaanHoogland 




[GitHub] [cloudstack] DaanHoogland closed pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
DaanHoogland closed pull request #7015: Secure KVM VNC Console Access Using the CA Framework
URL: https://github.com/apache/cloudstack/pull/7015




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1376926931

   SonarCloud Quality Gate failed. [![Quality Gate failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/failed-16px.png 'Quality Gate failed')](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [1 Code Smell](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   
   [![0.4%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/0-16px.png '0.4%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [![0.5%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.5%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list) [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387217355

   SonarCloud Quality Gate failed. [![Quality Gate failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/failed-16px.png 'Quality Gate failed')](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   
   [![0.4%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/0-16px.png '0.4%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [![0.5%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.5%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list) [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387207844

   Packaging result: :heavy_check_mark: el7 :heavy_multiplication_x: el8 :heavy_multiplication_x: el9 :heavy_multiplication_x: debian :heavy_multiplication_x: suse15. SL-JID 5312




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387307075

   @blueorangutan test




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387299042

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5314




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1386388350

   <b>Trillian test result (tid-5878)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 48427 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5878-kvm-centos7.zip
   Smoke tests completed. 104 look OK, 3 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_02_upgrade_kubernetes_cluster | `Failure` | 514.51 | test_kubernetes_clusters.py
   test_02_unsecure_vm_migration | `Error` | 222.95 | test_vm_life_cycle.py
   test_04_nonsecured_to_secured_vm_migration | `Error` | 141.06 | test_vm_life_cycle.py
   test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | `Failure` | 470.76 | test_vpc_redundant.py
   




[GitHub] [cloudstack] codecov[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362485808

   # [Codecov](https://codecov.io/gh/apache/cloudstack/pull/7015?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#7015](https://codecov.io/gh/apache/cloudstack/pull/7015?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (9d43897) into [main](https://codecov.io/gh/apache/cloudstack/commit/2dc9f1e32c19021aea895e367110c9d55ba9d033?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (2dc9f1e) will **decrease** coverage by `0.00%`.
   > The diff coverage is `0.00%`.
   
   ```diff
   @@             Coverage Diff              @@
   ##               main    #7015      +/-   ##
   ============================================
   - Coverage     11.29%   11.29%   -0.01%     
   + Complexity     7310     7308       -2     
   ============================================
     Files          2494     2494              
     Lines        246877   246883       +6     
     Branches      38577    38578       +1     
   ============================================
   - Hits          27888    27884       -4     
   - Misses       215395   215406      +11     
   + Partials       3594     3593       -1     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/cloudstack/pull/7015?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...ava/com/cloud/servlet/ConsoleProxyClientParam.java](https://codecov.io/gh/apache/cloudstack/pull/7015/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c2VydmVyL3NyYy9tYWluL2phdmEvY29tL2Nsb3VkL3NlcnZsZXQvQ29uc29sZVByb3h5Q2xpZW50UGFyYW0uamF2YQ==) | `0.00% <0.00%> (ø)` | |
   | [...udstack/consoleproxy/ConsoleAccessManagerImpl.java](https://codecov.io/gh/apache/cloudstack/pull/7015/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c2VydmVyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9jbG91ZHN0YWNrL2NvbnNvbGVwcm94eS9Db25zb2xlQWNjZXNzTWFuYWdlckltcGwuamF2YQ==) | `5.45% <0.00%> (-0.11%)` | :arrow_down: |
   | [...dstack/network/contrail/model/ModelObjectBase.java](https://codecov.io/gh/apache/cloudstack/pull/7015/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGx1Z2lucy9uZXR3b3JrLWVsZW1lbnRzL2p1bmlwZXItY29udHJhaWwvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2Nsb3Vkc3RhY2svbmV0d29yay9jb250cmFpbC9tb2RlbC9Nb2RlbE9iamVjdEJhc2UuamF2YQ==) | `21.15% <0.00%> (-7.70%)` | :arrow_down: |
   
   :mega: We’re building smart automated test selection to slash your CI/CD build times. [Learn more](https://about.codecov.io/iterative-testing/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   




[GitHub] [cloudstack] slavkap commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
slavkap commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055559810


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/network/NioSocketTLSOutputStream.java:
##########
@@ -33,33 +36,30 @@ public NioSocketTLSOutputStream(SSLEngineManager sslEngineManager, NioSocket soc
     public void flushWriteBuffer() {
         int sentUpTo = start;
         while (sentUpTo < currentPosition) {
-            int n = writeTLS(buffer, sentUpTo, currentPosition - sentUpTo);
+            int n = writeThroughSSLEngineManager(buffer, sentUpTo, currentPosition - sentUpTo);
             sentUpTo += n;
             offset += n;
         }
 
         currentPosition = start;
     }
 
-    protected int writeTLS(byte[] data, int dataPtr, int length) {
-        int n;
+    protected int writeThroughSSLEngineManager(byte[] data, int startPos, int length) {
         try {
-            n = sslEngineManager.write(ByteBuffer.wrap(data, dataPtr, length), length);
-        } catch (java.io.IOException e) {
-            throw new CloudRuntimeException(e.getMessage());
+            return sslEngineManager.write(ByteBuffer.wrap(data, startPos, length));
+        } catch (IOException e) {
+            s_logger.error("Error writing though SSL engine manager: " + e.getMessage(), e);
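
Review bot: the new `catch (IOException e)` in `writeThroughSSLEngineManager` logs the failure where the old `writeTLS` rethrew it as a `CloudRuntimeException`; if the lines after this cut do not rethrow, the `while (sentUpTo < currentPosition)` loop in `flushWriteBuffer` has no way to learn that the write failed, and a zero return would spin it forever on a dead TLS session while the buffered console bytes are silently dropped. Keep a rethrow after the log call (`throw new CloudRuntimeException(e.getMessage(), e);`) so a broken encrypted channel tears the console connection down instead of looping. Two smaller points: the message reads "writing though" in both the hunk and the suggested replacement, and should be "writing through"; and `sslEngineManager.write(...)` lost its second `length` argument here, so confirm that its return value is still the number of plaintext bytes consumed from `data`, because `sentUpTo += n` and `offset += n` depend on exactly that.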

Review Comment:
   ```suggestion
               s_logger.error(String.format("Error writing though SSL engine manager: %s", e.getMessage()), e);
   ```





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364409971

   <b>Trillian test result (tid-5631)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 43741 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5631-kvm-centos7.zip
   Smoke tests completed. 106 look OK, 0 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364114285

   <b>Trillian test result (tid-5625)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 42048 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5625-kvm-centos7.zip
   Smoke tests completed. 105 look OK, 1 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_08_upgrade_kubernetes_ha_cluster | `Failure` | 394.07 | test_kubernetes_clusters.py
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1383372426

   <b>Trillian Build Failed (tid-5843)</b>




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1382915833

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1383882315

   <b>Trillian Build Failed (tid-5851)</b>




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387131307

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380852373

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1068559924


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -235,8 +262,61 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding");
         cipher.init(Cipher.ENCRYPT_MODE, secretKey);
 
-        byte[] response = cipher.doFinal(challenge);
-        return response;
+        return cipher.doFinal(challenge);
+    }
+
+    private void agreeVEncryptVersion() throws IOException {
+        int majorVEncryptVersion = nioSocketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = nioSocketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("VEncrypt version offered by the server: " + vEncryptVersion);
+        }
+        nioSocketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            nioSocketConnection.writeUnsignedInteger(8, 2);
+            nioSocketConnection.flushWriteBuffer();
+        } else {
+            nioSocketConnection.writeUnsignedInteger(8, 0);
+            nioSocketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = nioSocketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+    }
+
+    private int selectVEncryptSubtype() {
+        int numberOfSubtypes = nioSocketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            nioSocketConnection.waitForBytesAvailableForReading(4);
+            int subtype = nioSocketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.info("Selected VEncrypt subtype " + subtype);
+                }
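
Review bot: `agreeVEncryptVersion` accepts the server's version whenever `(major << 8) | minor` is at least `0x0002`, then answers with the server's own major byte followed by a fixed minor of 2. For a server offering 0.2 that yields the intended reply, but for any major above 0 the proxy would claim a VeNCrypt version (1.2, say) that it does not implement; test `majorVEncryptVersion == 0 && minorVEncryptVersion >= 2` and reply with the constant pair `0, 2` rather than echoing the server's major. The method also mixes `CloudRuntimeException` (unsupported version) and `IOException` (server refused the version) for two handshake failures the caller has to treat identically, so pick one. In `selectVEncryptSubtype`, the `if (s_logger.isDebugEnabled())` guard wraps an `s_logger.info(...)` call, so the subtype is logged at INFO level only when DEBUG is on; this is the typo the author acknowledges in the review comment, and the call should be `s_logger.debug(...)`.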

Review Comment:
   Thanks, typo here :)





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380907776

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5251




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by "blueorangutan (via GitHub)" <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1399161267

   <b>Trillian test result (tid-5929)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 43845 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5929-kvm-centos7.zip
   Smoke tests completed. 106 look OK, 1 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   test_08_upgrade_kubernetes_ha_cluster | `Failure` | 567.45 | test_kubernetes_clusters.py
   




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398253406

   SonarCloud Quality Gate failed. [![Quality Gate failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/failed-16px.png 'Quality Gate failed')](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   
   [![0.4%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/0-16px.png '0.4%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [![0.5%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.5%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list) [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1396944865

   @blueorangutan test




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398193266

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1383370277

   @blueorangutan test




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1382915753

   @blueorangutan test




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362968035

   SonarCloud Quality Gate failed. [![Quality Gate failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/failed-16px.png 'Quality Gate failed')](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [16 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   
   [![0.4%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/0-16px.png '0.4%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [![0.5%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.5%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list) [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362405036

   @blueorangutan package




[GitHub] [cloudstack] nvazquez commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1055519078


##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -239,16 +273,349 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         return response;
     }
 
+    /**
+     * Decide the RFB protocol version with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#711protocolversion
+     */
+    protected String handshakeProtocolVersion(RemoteEndpoint clientRemote) throws IOException {
+        // Read protocol version
+        byte[] buf = new byte[12];
+        tunnelInputStream.readFully(buf);
+        String rfbProtocol = new String(buf);
+
+        // Server should use RFB protocol 3.x
+        if (!rfbProtocol.contains(RfbConstants.RFB_PROTOCOL_VERSION_MAJOR)) {
+            s_logger.error("Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+            throw new RuntimeException(
+                    "Cannot handshake with VNC server. Unsupported protocol version: \"" + rfbProtocol + "\".");
+        }
+        tunnelOutputStream.write(buf);
+        return RfbConstants.RFB_PROTOCOL_VERSION + "\n";
+    }
+
+    /**
+     * Agree on the security type with the VNC server
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#712security
+     * @return list of the security types to be processed
+     */
+    protected List<VncSecurity> handshakeSecurityTypes(RemoteEndpoint clientRemote, String vmPassword,
+                                                       String host, int port) throws IOException {
+        int securityType = selectFromTheServerOfferedSecurityTypes();
+
+        // Inform the server about our decision
+        this.tunnelOutputStream.writeByte(securityType);
+
+        byte[] numberTypesToClient = new byte[] { 1, (byte) securityType };
+        clientRemote.sendBytes(ByteBuffer.wrap(numberTypesToClient, 0, 2));
+
+        if (securityType == RfbConstants.V_ENCRYPT) {
+            securityType = getVEncryptSecuritySubtype();
+        }
+        return VncSecurity.getSecurityStack(securityType, vmPassword, host, port);
+    }
+
+    /**
+     * Obtain the VEncrypt subtype from the VNC server
+     *
+     * Reference: https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#724vencrypt
+     */
+    protected int getVEncryptSecuritySubtype() throws IOException {
+        int majorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = socketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        s_logger.debug("VEncrypt version: " + vEncryptVersion);
+        socketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            socketConnection.writeUnsignedInteger(8, 2);
+            socketConnection.flushWriteBuffer();
+        } else {
+            socketConnection.writeUnsignedInteger(8, 0);
+            socketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = socketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+
+        int numberOfSubtypes = socketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        int selectedSubtype = 0;
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            while (!socketConnection.checkIfBytesAreAvailableForReading(4)) {
+                s_logger.trace("Waiting for vEncrypt subtype");
+            }
+            int subtype = socketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                selectedSubtype = subtype;
+                break;
+            }
+        }
+
+        s_logger.info("Selected VEncrypt subtype " + selectedSubtype);
+        socketConnection.writeUnsignedInteger(32, selectedSubtype);
+        socketConnection.flushWriteBuffer();
+
+        return selectedSubtype;
+    }
+
+    private int selectFromTheServerOfferedSecurityTypes() throws IOException {
+        int numberOfSecurityTypes = tunnelInputStream.readByte();
+        if (numberOfSecurityTypes == 0) {
+            int reasonLength = tunnelInputStream.readInt();
+            byte[] reasonBuffer = new byte[reasonLength];
+            tunnelInputStream.readFully(reasonBuffer);
+            String reason = new String(reasonBuffer);
+            String errMsg = "No security type provided by the VNC server, reason: " + reason;
+            s_logger.error(errMsg);
+            throw new IOException(errMsg);
+        }
+
+        for (int i = 0; i < numberOfSecurityTypes; i++) {
+            int securityType = tunnelInputStream.readByte();
+            if (securityType != 0 && VncSecurity.supportedSecurityTypes.contains(securityType)) {
+                s_logger.info("Selected the security type: " + securityType);
+                return securityType;
+            }
+        }
+        throw new IOException("Could not select a supported or valid security type from the offered by the server");
+    }
+
+    /**
+     * VNC authentication.
+     */
+    public void processSecurityResult(String password)
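
Review bot: selectFromTheServerOfferedSecurityTypes returns the first supported type in the order the server lists them, so whether the proxy ends up on VeNCrypt (19) or on a plaintext type (NO_AUTH, VNC_AUTH) is decided by the server's ordering rather than by the proxy; read the whole list first, prefer the strongest type the proxy supports, and when console access is configured as secure reject the plaintext types instead of falling back to them, since this negotiation happens before any TLS protects the stream. In getVEncryptSecuritySubtype the `break` after the first V_ENCRYPT_X509_VNC match leaves any remaining 32-bit subtypes unread on the socket, and whatever the proxy reads next from the server will consume those bytes instead; read all numberOfSubtypes values before choosing. The `while (!socketConnection.checkIfBytesAreAvailableForReading(4))` loop in the same method busy-spins with only a trace log in its body; a blocking read or a bounded wait would avoid pegging a CPU on a slow server. Finally, when no supported subtype is found selectedSubtype stays 0 and is still written to the server; failing there with an explicit message is clearer than the later "Unsupported security type 0" thrown by getSecurityStack.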

Review Comment:
   Thanks, removed





[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362420221

   Packaging result: :heavy_multiplication_x: el7 :heavy_multiplication_x: el8 :heavy_multiplication_x: debian :heavy_multiplication_x: suse15. SL-JID 5052




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363890587

   <b>Trillian Build Failed (tid-5633)</b>




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363548220

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with  KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] GutoVeronezi commented on a diff in pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
GutoVeronezi commented on code in PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#discussion_r1057350343


##########
python/lib/cloudutils/serviceConfig.py:
##########
@@ -630,6 +630,12 @@ def config(self):
             cfo.addEntry("user", "\"root\"")
             cfo.addEntry("group", "\"root\"")
             cfo.addEntry("vnc_listen", "\"0.0.0.0\"")
+            if self.syscfg.env.secure:
+                cfo.addEntry("vnc_tls", "1")
+                cfo.addEntry("vnc_tls_x509_verify", "1")
+                cfo.addEntry("vnc_tls_x509_cert_dir", "\"/etc/pki/libvirt-vnc\"")
+            else:
+                cfo.addEntry("vnc_tls", "0")
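
Review bot: setting vnc_tls_x509_verify to 1 makes QEMU require the connecting client to present a certificate signed by the CA in vnc_tls_x509_cert_dir, and libvirt expects ca-cert.pem, server-cert.pem and server-key.pem in that directory before a VM with a TLS VNC display can start; nothing in this hunk shows where /etc/pki/libvirt-vnc is populated, so add a comment pointing at the provisioning step (or a check that those files exist before writing vnc_tls = 1) so the ordering dependency is visible to whoever maintains this config code. As the same block is written three times in this file, extract it into a helper that takes cfo and self.syscfg.env.secure.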

Review Comment:
   This code is repeated 3 times. We could extract to a function.



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/security/VncSecurity.java:
##########
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.consoleproxy.vnc.security;
+
+import com.cloud.consoleproxy.vnc.RfbConstants;
+import com.cloud.consoleproxy.vnc.network.NioSocketHandler;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public interface VncSecurity {
+
+    static List<VncSecurity> getSecurityStack(int securityType, String vmPassword, String host, int port) {
+        switch (securityType) {
+            case RfbConstants.NO_AUTH: return Collections.singletonList(new NoneVncSecurity());
+            case RfbConstants.VNC_AUTH: return Collections.singletonList(new VncAuthSecurity(vmPassword));
+
+            // Do not add VEncrypt type = 19 but its supported subtypes
+            case RfbConstants.V_ENCRYPT_X509_VNC:
+                return Arrays.asList(new VncTLSSecurity(host, port), new VncAuthSecurity(vmPassword));
+            default: throw new CloudRuntimeException("Unsupported security type " + securityType);
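
Review bot: the switch mixes two value spaces: NO_AUTH and VNC_AUTH are RFB security types (the one-byte values from the first handshake), while V_ENCRYPT_X509_VNC is a VeNCrypt sub-type (a 32-bit value from the second handshake); the parameter name securityType and the missing Javadoc hide that, so document on the method that the argument is either a plain security type or a VeNCrypt sub-type and that type 19 itself is deliberately not a case here (the inline comment says this, but it belongs on the method). Also state the ordering contract of the returned list, since the X509 case relies on VncTLSSecurity running before VncAuthSecurity so that the password challenge only travels inside TLS.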

Review Comment:
   ```suggestion
               default: 
                   throw new CloudRuntimeException("Unsupported security type " + securityType);
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -235,8 +262,61 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding");
         cipher.init(Cipher.ENCRYPT_MODE, secretKey);
 
-        byte[] response = cipher.doFinal(challenge);
-        return response;
+        return cipher.doFinal(challenge);
+    }
+
+    private void agreeVEncryptVersion() throws IOException {
+        int majorVEncryptVersion = nioSocketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = nioSocketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("VEncrypt version offered by the server: " + vEncryptVersion);
+        }
+        nioSocketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
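
Review bot: in agreeVEncryptVersion the client writes the server's major byte back (`nioSocketConnection.writeUnsignedInteger(8, majorVEncryptVersion);`) and then, on the `>= 0x0002` branch, minor 2, so a server announcing 1.0 would receive 1.2 from a proxy that only implements 0.2; send the version the proxy actually supports (0 and 2) rather than echoing. The packed comparison `(majorVEncryptVersion << 8) | minorVEncryptVersion >= 0x0002` also accepts any major greater than 0 regardless of minor, so compare the two bytes separately; the suggestion to spell the literal as `2` keeps that behaviour, whereas named constants for the supported major and minor would make the intent clear.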

Review Comment:
   ```suggestion
           if (vEncryptVersion >= 2) {
   ```



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/NoVncClient.java:
##########
@@ -235,8 +262,61 @@ public byte[] encodePassword(byte[] challenge, String password) throws Exception
         Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding");
         cipher.init(Cipher.ENCRYPT_MODE, secretKey);
 
-        byte[] response = cipher.doFinal(challenge);
-        return response;
+        return cipher.doFinal(challenge);
+    }
+
+    private void agreeVEncryptVersion() throws IOException {
+        int majorVEncryptVersion = nioSocketConnection.readUnsignedInteger(8);
+        int minorVEncryptVersion = nioSocketConnection.readUnsignedInteger(8);
+        int vEncryptVersion = (majorVEncryptVersion << 8) | minorVEncryptVersion;
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("VEncrypt version offered by the server: " + vEncryptVersion);
+        }
+        nioSocketConnection.writeUnsignedInteger(8, majorVEncryptVersion);
+        if (vEncryptVersion >= 0x0002) {
+            nioSocketConnection.writeUnsignedInteger(8, 2);
+            nioSocketConnection.flushWriteBuffer();
+        } else {
+            nioSocketConnection.writeUnsignedInteger(8, 0);
+            nioSocketConnection.flushWriteBuffer();
+            throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");
+        }
+        int ack = nioSocketConnection.readUnsignedInteger(8);
+        if (ack != 0) {
+            throw new IOException("The VNC server did not agree on the VEncrypt version");
+        }
+    }
+
+    private int selectVEncryptSubtype() {
+        int numberOfSubtypes = nioSocketConnection.readUnsignedInteger(8);
+        if (numberOfSubtypes <= 0) {
+            throw new CloudRuntimeException("The server reported no VeNCrypt sub-types");
+        }
+        for (int i = 0; i < numberOfSubtypes; i++) {
+            nioSocketConnection.waitForBytesAvailableForReading(4);
+            int subtype = nioSocketConnection.readUnsignedInteger(32);
+            if (subtype == RfbConstants.V_ENCRYPT_X509_VNC) {
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.info("Selected VEncrypt subtype " + subtype);
+                }
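
Review bot: agreeVEncryptVersion signals two equivalent negotiation failures with different exception types, `throw new CloudRuntimeException("Server reported an unsupported VeNCrypt version");` for an unsupported version and `throw new IOException("The VNC server did not agree on the VEncrypt version");` for a rejected one, so a caller has to handle both for a single handshake step; use one type for both. In selectVEncryptSubtype the `s_logger.info` call sits inside an `isDebugEnabled()` guard, so the chosen sub-type is logged at info level only while debug logging is on; log it unconditionally at info, or use debug for both the guard and the call.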

Review Comment:
   We intend to log it in `info` only if debug is enabled here?



##########
services/console-proxy/server/src/main/java/com/cloud/consoleproxy/vnc/security/VncSecurity.java:
##########
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.consoleproxy.vnc.security;
+
+import com.cloud.consoleproxy.vnc.RfbConstants;
+import com.cloud.consoleproxy.vnc.network.NioSocketHandler;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public interface VncSecurity {
+
+    static List<VncSecurity> getSecurityStack(int securityType, String vmPassword, String host, int port) {
+        switch (securityType) {
+            case RfbConstants.NO_AUTH: return Collections.singletonList(new NoneVncSecurity());
+            case RfbConstants.VNC_AUTH: return Collections.singletonList(new VncAuthSecurity(vmPassword));
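
Review bot: the NO_AUTH case maps silently to NoneVncSecurity, so a console session to a VNC server that offers no authentication proceeds without any trace in the proxy log; log a warning on that branch so operators can spot VMs whose VNC endpoint is unprotected, and consider rejecting it when the deployment is configured for secure console access. The Javadoc should also state that vmPassword is only used by the VNC_AUTH path.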

Review Comment:
   ```suggestion
               case RfbConstants.NO_AUTH: 
                   return Collections.singletonList(new NoneVncSecurity());
               case RfbConstants.VNC_AUTH: 
                   return Collections.singletonList(new VncAuthSecurity(vmPassword));
   ```





[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364363016

   @blueorangutan test




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364319195

   SonarCloud Quality Gate failed. [![Quality Gate failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/failed-16px.png 'Quality Gate failed')](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [1 Code Smell](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   
   [![0.4%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/0-16px.png '0.4%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [![0.5%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.5%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list) [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] rohityadavcloud merged pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by "rohityadavcloud (via GitHub)" <gi...@apache.org>.
rohityadavcloud merged PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363583803

   SonarCloud Quality Gate failed. [![Quality Gate failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/failed-16px.png 'Quality Gate failed')](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015)
   
   [![Bug](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/bug-16px.png 'Bug')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)  
   [![Vulnerability](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/vulnerability-16px.png 'Vulnerability')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)  
   [![Security Hotspot](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/security_hotspot-16px.png 'Security Hotspot')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)  
   [![Code Smell](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/code_smell-16px.png 'Code Smell')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [![A](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/RatingBadge/A-16px.png 'A')](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL) [1 Code Smell](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   
   [![0.4%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/CoverageChart/0-16px.png '0.4%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list) [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)  
   [![0.5%](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/Duplications/3-16px.png '0.5%')](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list) [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364066823

   UI build: :heavy_check_mark:
   Live QA URL: https://qa.cloudstack.cloud/simulator/pr/7015 (QA-JID-21)




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363671879

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5067




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1363671873

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5060




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364292480

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with  KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1364363119

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1370924845

   @borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1362899829

   @nvazquez a Jenkins job has been kicked to build packages. It will be bundled with  KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1386329029

   <b>Trillian test result (tid-5877)</b>
   Environment: vmware-67u3 (x2), Advanced Networking with Mgmt server r8
   Total time taken: 44025 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5877-vmware-67u3.zip
   Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381112690

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5253




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1381117073

   @blueorangutan test




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1382916301

   <b>Trillian Build Failed (tid-5842)</b>




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1398326791

   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: el9 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 5347




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1396399969

   <b>Trillian test result (tid-5897)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 40604 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr7015-t5897-kvm-centos7.zip
   Smoke tests completed. 107 look OK, 0 have errors, 0 did not run
   Only failed and skipped tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   




[GitHub] [cloudstack] sonarcloud[bot] commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1380711416

   SonarCloud Quality Gate failed. ([Quality Gate dashboard](https://sonarcloud.io/dashboard?id=apache_cloudstack&pullRequest=7015))
   
   - Bugs, rating A: [0 Bugs](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=BUG)
   - Vulnerabilities, rating A: [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=VULNERABILITY)
   - Security Hotspots, rating A: [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_cloudstack&pullRequest=7015&resolved=false&types=SECURITY_HOTSPOT)
   - Code Smells, rating A: [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_cloudstack&pullRequest=7015&resolved=false&types=CODE_SMELL)
   - Coverage on new code: [0.4% Coverage](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_coverage&view=list)
   - Duplication on new code: [0.5% Duplication](https://sonarcloud.io/component_measures?id=apache_cloudstack&pullRequest=7015&metric=new_duplicated_lines_density&view=list)
   
   




[GitHub] [cloudstack] nvazquez commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
nvazquez commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387129758

   @blueorangutan package




[GitHub] [cloudstack] blueorangutan commented on pull request #7015: Secure KVM VNC Console Access Using the CA Framework

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on PR #7015:
URL: https://github.com/apache/cloudstack/pull/7015#issuecomment-1387307641

   @nvazquez a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

