Use Token over User/PW

Joe Abbate 2022-10-19 23:04:44 -04:00
parent 05fe1bec8e
commit 19f0437a40
No known key found for this signature in database
GPG key ID: 7F1CC23828058430
5 changed files with 10 additions and 20 deletions


@ -23,7 +23,8 @@ PROXSTAR_REDIRECT_URI=https://proxstar.csh.rit.edu/logout
# Proxmox # Proxmox
PROXSTAR_PROXMOX_HOSTS= # Host list that Proxstar can use (proxstar01, etc...) PROXSTAR_PROXMOX_HOSTS= # Host list that Proxstar can use (proxstar01, etc...)
PROXSTAR_PROXMOX_USER=api@pve PROXSTAR_PROXMOX_USER=api@pve
PROXSTAR_PROXMOX_PASS= # Password for proxstar user PROXSTAR_PROXMOX_TOKEN_NAME= # Token name for user
PROXSTAR_PROXMOX_TOKEN_VALUE= # Token value for user
PROXSTAR_PROXMOX_ISO_STORAGE=nfs-iso PROXSTAR_PROXMOX_ISO_STORAGE=nfs-iso
PROXSTAR_PROXMOX_VM_STORAGE=ceph PROXSTAR_PROXMOX_VM_STORAGE=ceph


@ -34,7 +34,8 @@ OIDC_CLIENT_CONFIG = {
# Proxmox # Proxmox
PROXMOX_HOSTS = [host.strip() for host in environ.get('PROXSTAR_PROXMOX_HOSTS', '').split(',')] PROXMOX_HOSTS = [host.strip() for host in environ.get('PROXSTAR_PROXMOX_HOSTS', '').split(',')]
PROXMOX_USER = environ.get('PROXSTAR_PROXMOX_USER', '') PROXMOX_USER = environ.get('PROXSTAR_PROXMOX_USER', '')
PROXMOX_PASS = environ.get('PROXSTAR_PROXMOX_PASS', '') PROXMOX_TOKEN_NAME = environ.get('PROXSTAR_PROXMOX_NAME', '')
PROXMOX_TOKEN_VALUE = environ.get('PROXSTAR_PROXMOX_VALUE', '')
PROXMOX_ISO_STORAGE = environ.get('PROXSTAR_PROXMOX_ISO_STORAGE', 'nfs-iso') PROXMOX_ISO_STORAGE = environ.get('PROXSTAR_PROXMOX_ISO_STORAGE', 'nfs-iso')
PROXMOX_VM_STORAGE = environ.get('PROXSTAR_PROXMOX_VM_STORAGE', 'ceph') PROXMOX_VM_STORAGE = environ.get('PROXSTAR_PROXMOX_VM_STORAGE', 'ceph')
# STARRS # STARRS
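Review bot: The two new settings read `PROXSTAR_PROXMOX_NAME` and `PROXSTAR_PROXMOX_VALUE`, but the environment sample changed in this same commit documents `PROXSTAR_PROXMOX_TOKEN_NAME` and `PROXSTAR_PROXMOX_TOKEN_VALUE`. A deployment that follows the sample will load empty strings for both, and every Proxmox call will go out with an empty token. The lookups should be `environ.get('PROXSTAR_PROXMOX_TOKEN_NAME', '')` and `environ.get('PROXSTAR_PROXMOX_TOKEN_VALUE', '')`. Because the default is `''`, a startup check that fails when either value is empty would surface the misconfiguration immediately instead of as an authentication error later.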


@ -336,7 +336,7 @@ def vm_console(vmid):
# import pdb; pdb.set_trace() # import pdb; pdb.set_trace()
vm = VM(vmid) vm = VM(vmid)
vnc_ticket, vnc_port = open_vnc_session( vnc_ticket, vnc_port = open_vnc_session(
vmid, vm.node, app.config['PROXMOX_USER'], app.config['PROXMOX_PASS'] vmid, vm.node, app.config['PROXMOX_USER'], app.config['PROXMOX_TOKEN_NAME'], app.config['PROXMOX_TOKEN_VALUE']
) )
node = f'{vm.node}.csh.rit.edu' node = f'{vm.node}.csh.rit.edu'
token = add_vnc_target(node, vnc_port) token = add_vnc_target(node, vnc_port)


@ -12,7 +12,8 @@ def connect_proxmox():
proxmox = ProxmoxAPI( proxmox = ProxmoxAPI(
host, host,
user=app.config['PROXMOX_USER'], user=app.config['PROXMOX_USER'],
password=app.config['PROXMOX_PASS'], token_name=app.config['PROXMOX_TOKEN_NAME'],
token_value=app.config['PROXMOX_TOKEN_VALUE'],
verify_ssl=False, verify_ssl=False,
) )
proxmox.version.get() proxmox.version.get()
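Review bot: The API token is now sent on this connection while `verify_ssl=False` is still in place, so the server certificate is never checked and anyone positioned on the network path can read a credential that is presumably long-lived. The same applies to the `requests.post(..., verify=False)` call in `open_vnc_session`, which now carries the token in its `Authorization` header. Verification should be on for both: `verify_ssl=True` here and `verify=` pointing at the cluster's CA bundle there, or at least a setting that defaults to on. `connect_proxmox` starts and ends outside the hunk.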


@ -74,9 +74,9 @@ def delete_vnc_target(node=None, port=None, token=None):
raise LookupError('Target does not exist') raise LookupError('Target does not exist')
def open_vnc_session(vmid, node, proxmox_user, proxmox_pass): def open_vnc_session(vmid, node, proxmox_user, proxmox_token_name, proxmox_token_value):
"""Pings the Proxmox API to request a VNC Proxy connection. Authenticates """Pings the Proxmox API to request a VNC Proxy connection. Authenticates
against the API using a Uname/Pass, gets a few tokens back, then uses those against the API using a Uname/Token, gets a few tokens back, then uses those
tokens to open the VNC Proxy. Use these to connect to the VM's host with tokens to open the VNC Proxy. Use these to connect to the VM's host with
websockify proxy. websockify proxy.
Returns: Ticket to use as the noVNC password, and a port. Returns: Ticket to use as the noVNC password, and a port.
@ -84,26 +84,13 @@ def open_vnc_session(vmid, node, proxmox_user, proxmox_pass):
# Get Proxmox API ticket and CSRF_Prevention_Token # Get Proxmox API ticket and CSRF_Prevention_Token
# TODO (willnilges): Use Proxmoxer to get this information # TODO (willnilges): Use Proxmoxer to get this information
# TODO (willnilges): Report errors # TODO (willnilges): Report errors
data = {'username': proxmox_user, 'password': proxmox_pass}
response_data = requests.post(
f'https://{node}.csh.rit.edu:8006/api2/json/access/ticket',
verify=False,
data=data,
).json()['data']
if response_data is None:
raise requests.AuthenticationError(
'Could not authenticate against `ticket` endpoint! Check uname/password'
)
csrf_prevention_token = response_data['CSRFPreventionToken']
ticket = response_data['ticket']
proxy_params = {'node': node, 'vmid': str(vmid), 'websocket': '1', 'generate-password': '0'} proxy_params = {'node': node, 'vmid': str(vmid), 'websocket': '1', 'generate-password': '0'}
vncproxy_response_data = requests.post( vncproxy_response_data = requests.post(
f'https://{node}.csh.rit.edu:8006/api2/json/nodes/{node}/qemu/{vmid}/vncproxy', f'https://{node}.csh.rit.edu:8006/api2/json/nodes/{node}/qemu/{vmid}/vncproxy',
verify=False, verify=False,
timeout=5, timeout=5,
params=proxy_params, params=proxy_params,
headers={'CSRFPreventionToken': csrf_prevention_token}, headers={'Authorization': f"PVEAPIToken={proxmox_user}!{proxmox_token_name}={proxmox_token_value}"},
cookies={'PVEAuthCookie': ticket},
).json()['data'] ).json()['data']
return urllib.parse.quote_plus(vncproxy_response_data['ticket']), vncproxy_response_data['port'] return urllib.parse.quote_plus(vncproxy_response_data['ticket']), vncproxy_response_data['port']
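Review bot: With the ticket request removed, nothing in `open_vnc_session` checks for an authentication failure any more. The vncproxy response is parsed with `.json()['data']` and indexed straight away, so a rejected token is likely to surface as a `TypeError` or a JSON decode error rather than a clear message. Checking the HTTP status and the `data` field before reading `ticket` and `port` would restore what the removed `response_data is None` check provided. The context comment `# Get Proxmox API ticket and CSRF_Prevention_Token` no longer describes the code and should be dropped. The function's signature and docstring are in the previous hunk.

```python
    # … unchanged: proxy_params …
    vncproxy_response = requests.post(
        # … unchanged: URL, verify, timeout, params, Authorization header …
    )
    # Fail loudly on 401/403/5xx instead of indexing into an error body.
    vncproxy_response.raise_for_status()
    vncproxy_response_data = vncproxy_response.json()['data']
    if vncproxy_response_data is None:
        raise RuntimeError('Proxmox returned no vncproxy data; check the API token and its permissions')
    # … unchanged: return of quoted ticket and port …
```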