Use Token over User/PW

HACKING/.env.template

@@ -23,7 +23,8 @@ PROXSTAR_REDIRECT_URI=https://proxstar.csh.rit.edu/logout
 # Proxmox
 PROXSTAR_PROXMOX_HOSTS= # Host list that Proxstar can use (proxstar01, etc...)
 PROXSTAR_PROXMOX_USER=api@pve
-PROXSTAR_PROXMOX_PASS= # Password for proxstar user
+PROXSTAR_PROXMOX_TOKEN_NAME= # Token name for user
+PROXSTAR_PROXMOX_TOKEN_VALUE= # Token value for user
 PROXSTAR_PROXMOX_ISO_STORAGE=nfs-iso
 PROXSTAR_PROXMOX_VM_STORAGE=ceph
 

config.py

@@ -34,7 +34,8 @@ OIDC_CLIENT_CONFIG = {
 # Proxmox
 PROXMOX_HOSTS = [host.strip() for host in environ.get('PROXSTAR_PROXMOX_HOSTS', '').split(',')]
 PROXMOX_USER = environ.get('PROXSTAR_PROXMOX_USER', '')
-PROXMOX_PASS = environ.get('PROXSTAR_PROXMOX_PASS', '')
+PROXMOX_TOKEN_NAME = environ.get('PROXSTAR_PROXMOX_NAME', '')
+PROXMOX_TOKEN_VALUE = environ.get('PROXSTAR_PROXMOX_VALUE', '')
 PROXMOX_ISO_STORAGE = environ.get('PROXSTAR_PROXMOX_ISO_STORAGE', 'nfs-iso')
 PROXMOX_VM_STORAGE = environ.get('PROXSTAR_PROXMOX_VM_STORAGE', 'ceph')
 # STARRS

proxstar/__init__.py

@@ -336,7 +336,7 @@ def vm_console(vmid):
         # import pdb; pdb.set_trace()
         vm = VM(vmid)
         vnc_ticket, vnc_port = open_vnc_session(
-            vmid, vm.node, app.config['PROXMOX_USER'], app.config['PROXMOX_PASS']
+            vmid, vm.node, app.config['PROXMOX_USER'], app.config['PROXMOX_TOKEN_NAME'], app.config['PROXMOX_TOKEN_VALUE']
         )
         node = f'{vm.node}.csh.rit.edu'
         token = add_vnc_target(node, vnc_port)

proxstar/proxmox.py

@@ -12,7 +12,8 @@ def connect_proxmox():
             proxmox = ProxmoxAPI(
                 host,
                 user=app.config['PROXMOX_USER'],
-                password=app.config['PROXMOX_PASS'],
+                token_name=app.config['PROXMOX_TOKEN_NAME'],
+                token_value=app.config['PROXMOX_TOKEN_VALUE'],
                 verify_ssl=False,
             )
             proxmox.version.get()

proxstar/vnc.py

@@ -74,9 +74,9 @@ def delete_vnc_target(node=None, port=None, token=None):
         raise LookupError('Target does not exist')
 
 
-def open_vnc_session(vmid, node, proxmox_user, proxmox_pass):
+def open_vnc_session(vmid, node, proxmox_user, proxmox_token_name, proxmox_token_value):
     """Pings the Proxmox API to request a VNC Proxy connection. Authenticates
-    against the API using a Uname/Pass, gets a few tokens back, then uses those
+    against the API using a Uname/Token, gets a few tokens back, then uses those
     tokens to  open the VNC Proxy. Use these to connect to the VM's host with
     websockify proxy.
     Returns: Ticket to use as the noVNC password, and a port.
@@ -84,26 +84,13 @@ def open_vnc_session(vmid, node, proxmox_user, proxmox_pass):
     # Get Proxmox API ticket and CSRF_Prevention_Token
     # TODO (willnilges): Use Proxmoxer to get this information
     # TODO (willnilges): Report errors
-    data = {'username': proxmox_user, 'password': proxmox_pass}
-    response_data = requests.post(
-        f'https://{node}.csh.rit.edu:8006/api2/json/access/ticket',
-        verify=False,
-        data=data,
-    ).json()['data']
-    if response_data is None:
-        raise requests.AuthenticationError(
-            'Could not authenticate against `ticket` endpoint! Check uname/password'
-        )
-    csrf_prevention_token = response_data['CSRFPreventionToken']
-    ticket = response_data['ticket']
     proxy_params = {'node': node, 'vmid': str(vmid), 'websocket': '1', 'generate-password': '0'}
     vncproxy_response_data = requests.post(
         f'https://{node}.csh.rit.edu:8006/api2/json/nodes/{node}/qemu/{vmid}/vncproxy',
         verify=False,
         timeout=5,
         params=proxy_params,
-        headers={'CSRFPreventionToken': csrf_prevention_token},
-        cookies={'PVEAuthCookie': ticket},
+        headers={'Authorization': f"PVEAPIToken={proxmox_user}!{proxmox_token_name}={proxmox_token_value}"},
     ).json()['data']
 
     return urllib.parse.quote_plus(vncproxy_response_data['ticket']), vncproxy_response_data['port']