[v3] Enable encryption in vm VNC console connection

From: Mark Wu <wudxw@linux.vnet.ibm.com>

The current vm VNC console connection is unencrypted. This patch enables encrypted vm VNC console connection. But browsers don't support the use of self-signed certs well in the SSL websocket connection. For details, please see: https://github.com/kanaka/websockify/wiki/Encrypted-Connections

For the Chrome browser, the encrypted console connection should work after you log in with an SSL connection. But for Firefox, it does not show a confirmation page for the user to accept the self-signed cert when the HTTPS connection is started from a websocket.

So this patch makes use of the Web server in the websockify. The mini Web server in the websockify can serve static content like html, css and js. This patch moves all novnc related html, css, font and js files to ui/novnc, and has the websockify serve those files. When the user clicks the VNC icon, Kimchi brings the user to https://host:64667/vnc.html, which is served by websockify. Then Firefox would prompt a confirmation page for the self-signed cert. After the user accepts the cert, the HTTPS connection started from the websocket would succeed.

v3: Make use of the mini Web server in the websockify.

Signed-off-by: Mark Wu <wudxw@linux.vnet.ibm.com>
Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- configure.ac | 8 ++++---- contrib/kimchi.spec.fedora.in | 13 +++++++------ contrib/kimchi.spec.suse.in | 13 +++++++------ src/kimchi/vnc.py | 11 +++++++++-- ui/Makefile.am | 2 +- ui/css/Makefile.am | 2 +- ui/css/fonts/Makefile.am | 2 -- ui/js/Makefile.am | 2 +- ui/js/src/kimchi.api.js | 7 ++++--- ui/{css => }/novnc/Makefile.am | 8 +++++--- ui/{css/fonts/novnc => novnc/css}/Makefile.am | 4 ++-- ui/{css/fonts/novnc => novnc/css}/Orbitron700.ttf | Bin ui/{css/fonts/novnc => novnc/css}/Orbitron700.woff | Bin ui/{css/novnc => novnc/css}/base.css | 0 ui/{js/novnc => novnc/js}/Makefile.am | 2 +- ui/{js/novnc => novnc/js}/base64.js | 0 ui/{js/novnc => novnc/js}/des.js | 0 ui/{js/novnc => novnc/js}/display.js | 0 ui/{js/novnc => novnc/js}/input.js | 0 ui/{js/novnc => novnc/js}/jsunzip.js | 0 ui/{js/novnc => novnc/js}/main.js | 0 ui/{js/novnc => novnc/js}/rfb.js | 0 ui/{js/novnc => novnc/js}/util.js | 0 ui/{js/novnc => novnc/js}/web-socket-js/Makefile.am | 2 +- ui/{js/novnc => novnc/js}/web-socket-js/README.txt | 0 ui/{js/novnc => novnc/js}/web-socket-js/WebSocketMain.swf | Bin ui/{js/novnc => novnc/js}/web-socket-js/swfobject.js | 0 ui/{js/novnc => novnc/js}/web-socket-js/web_socket.js | 0 ui/{js/novnc => novnc/js}/websock.js | 0 ui/{js/novnc => novnc/js}/webutil.js | 0 ui/{pages/vnc_auto.html.tmpl => novnc/vnc.html} | 9 ++++----- 31 files changed, 47 insertions(+), 38 deletions(-) rename ui/{css => }/novnc/Makefile.am (82%) rename ui/{css/fonts/novnc => novnc/css}/Makefile.am (88%) rename ui/{css/fonts/novnc => novnc/css}/Orbitron700.ttf (100%) rename ui/{css/fonts/novnc => novnc/css}/Orbitron700.woff (100%) rename ui/{css/novnc => novnc/css}/base.css (100%) rename ui/{js/novnc => novnc/js}/Makefile.am (94%) rename ui/{js/novnc => novnc/js}/base64.js (100%) rename ui/{js/novnc => novnc/js}/des.js (100%) rename ui/{js/novnc => novnc/js}/display.js (100%) rename ui/{js/novnc => novnc/js}/input.js (100%) rename 
ui/{js/novnc => novnc/js}/jsunzip.js (100%) rename ui/{js/novnc => novnc/js}/main.js (100%) rename ui/{js/novnc => novnc/js}/rfb.js (100%) rename ui/{js/novnc => novnc/js}/util.js (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/Makefile.am (91%) rename ui/{js/novnc => novnc/js}/web-socket-js/README.txt (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/WebSocketMain.swf (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/swfobject.js (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/web_socket.js (100%) rename ui/{js/novnc => novnc/js}/websock.js (100%) rename ui/{js/novnc => novnc/js}/webutil.js (100%) rename ui/{pages/vnc_auto.html.tmpl => novnc/vnc.html} (83%) diff --git a/configure.ac b/configure.ac index 7d76f97..bc3f93e 100644 --- a/configure.ac +++ b/configure.ac @@ -66,19 +66,19 @@ AC_CONFIG_FILES([ plugins/sample/ui/config/Makefile ui/Makefile ui/css/Makefile - ui/css/novnc/Makefile ui/css/fonts/Makefile - ui/css/fonts/novnc/Makefile ui/images/Makefile ui/images/theme-default/Makefile ui/js/Makefile - ui/js/novnc/Makefile ui/js/spice/Makefile - ui/js/novnc/web-socket-js/Makefile ui/libs/Makefile ui/libs/themes/Makefile ui/libs/themes/base/Makefile ui/libs/themes/base/images/Makefile + ui/novnc/Makefile + ui/novnc/css/Makefile + ui/novnc/js/Makefile + ui/novnc/js/web-socket-js/Makefile ui/pages/Makefile ui/pages/help/Makefile ui/pages/help/en_US/Makefile diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 104c114..dd2fba7 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -154,8 +154,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/mo/*/LC_MESSAGES/kimchi.mo %{_datadir}/kimchi/config/ui/*.xml %{_datadir}/kimchi/ui/css/fonts/fontawesome-webfont.* -%{_datadir}/kimchi/ui/css/fonts/novnc/Orbitron700.* -%{_datadir}/kimchi/ui/css/novnc/base.css %{_datadir}/kimchi/ui/css/theme-default.min.css %{_datadir}/kimchi/ui/images/*.png %{_datadir}/kimchi/ui/images/*.ico 
@@ -165,11 +163,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/js/jquery-ui.js %{_datadir}/kimchi/ui/js/jquery.min.js %{_datadir}/kimchi/ui/js/modernizr.custom.2.6.2.min.js -%{_datadir}/kimchi/ui/js/novnc/*.js %{_datadir}/kimchi/ui/js/spice/*.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/WebSocketMain.swf -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/swfobject.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/web_socket.js %{_datadir}/kimchi/ui/libs/jquery-ui-i18n.min.js %{_datadir}/kimchi/ui/libs/jquery-ui.min.js %{_datadir}/kimchi/ui/libs/jquery-1.10.0.min.js @@ -177,6 +171,13 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/libs/themes/base/images/*.png %{_datadir}/kimchi/ui/libs/themes/base/images/*.gif %{_datadir}/kimchi/ui/libs/themes/base/jquery-ui.min.css +%{_datadir}/kimchi/ui/novnc/css/Orbitron700.* +%{_datadir}/kimchi/ui/novnc/css/base.css +%{_datadir}/kimchi/ui/novnc/js/*.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/WebSocketMain.swf +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/swfobject.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/web_socket.js +%{_datadir}/kimchi/ui/novnc/vnc.html %{_datadir}/kimchi/ui/pages/*.html.tmpl %{_datadir}/kimchi/ui/pages/help/*/*.html %{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 7704822..73c59a0 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -76,8 +76,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/mo/*/LC_MESSAGES/kimchi.mo %{_datadir}/kimchi/config/ui/*.xml %{_datadir}/kimchi/ui/css/fonts/fontawesome-webfont.* -%{_datadir}/kimchi/ui/css/fonts/novnc/Orbitron700.* -%{_datadir}/kimchi/ui/css/novnc/base.css %{_datadir}/kimchi/ui/css/theme-default.min.css %{_datadir}/kimchi/ui/images/*.png %{_datadir}/kimchi/ui/images/*.ico 
@@ -87,11 +85,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/js/jquery-ui.js %{_datadir}/kimchi/ui/js/jquery.min.js %{_datadir}/kimchi/ui/js/modernizr.custom.2.6.2.min.js -%{_datadir}/kimchi/ui/js/novnc/*.js %{_datadir}/kimchi/ui/js/spice/*.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/WebSocketMain.swf -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/swfobject.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/web_socket.js %{_datadir}/kimchi/ui/libs/jquery-ui-i18n.min.js %{_datadir}/kimchi/ui/libs/jquery-ui.min.js %{_datadir}/kimchi/ui/libs/jquery-1.10.0.min.js @@ -99,6 +93,13 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/libs/themes/base/images/*.png %{_datadir}/kimchi/ui/libs/themes/base/images/*.gif %{_datadir}/kimchi/ui/libs/themes/base/jquery-ui.min.css +%{_datadir}/kimchi/ui/novnc/css/Orbitron700.* +%{_datadir}/kimchi/ui/novnc/css/base.css +%{_datadir}/kimchi/ui/novnc/js/*.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/WebSocketMain.swf +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/swfobject.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/web_socket.js +%{_datadir}/kimchi/ui/novnc/vnc.html %{_datadir}/kimchi/ui/pages/*.html.tmpl %{_datadir}/kimchi/ui/pages/help/*/*.html %{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 1f36e9a..61f9c15 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -23,7 +23,7 @@ import os import subprocess -from kimchi.config import config +from kimchi.config import config, paths WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens' 
@@ -36,9 +36,16 @@ def new_ws_proxy(): if e.errno == errno.EEXIST: pass + cert = config.get('server', 'ssl_cert') + key = config.get('server', 'ssl_key') + if not (cert and key): + cert = '%s/kimchi-cert.pem' % paths.conf_dir + key = '%s/kimchi-key.pem' % paths.conf_dir + cmd = os.path.join(os.path.dirname(__file__), 'websockify.py') args = ['python', cmd, config.get('display', 'display_proxy_port'), - '--target-config', WS_TOKENS_DIR] + '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key, + '--web', os.path.join(paths.ui_dir, 'novnc')] p = subprocess.Popen(args, close_fds=True) return p diff --git a/ui/Makefile.am b/ui/Makefile.am index b5366c5..4e0d57a 100644 --- a/ui/Makefile.am +++ b/ui/Makefile.am @@ -15,4 +15,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = css images js libs pages +SUBDIRS = css images js libs pages novnc diff --git a/ui/css/Makefile.am b/ui/css/Makefile.am index db65799..0922a9d 100644 --- a/ui/css/Makefile.am +++ b/ui/css/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = novnc fonts +SUBDIRS = fonts EXTRA_DIST = theme-default diff --git a/ui/css/fonts/Makefile.am b/ui/css/fonts/Makefile.am index 63df038..d72bb6c 100644 --- a/ui/css/fonts/Makefile.am +++ b/ui/css/fonts/Makefile.am @@ -15,8 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = novnc - fontdir = $(datadir)/kimchi/ui/css/fonts dist_font_DATA = fontawesome-webfont.* diff --git a/ui/js/Makefile.am b/ui/js/Makefile.am index f4d1e6b..a29c262 100644 --- a/ui/js/Makefile.am +++ b/ui/js/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -SUBDIRS = novnc spice +SUBDIRS = spice EXTRA_DIST = src widgets 
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 1bde45c..c8c422d 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -318,7 +318,6 @@ var kimchi = { type : 'GET', dataType : 'json' }).done(function(data, textStatus, xhr) { - http_port = data['http_port']; proxy_port = data['display_proxy_port']; kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", @@ -329,9 +328,10 @@ var kimchi = { * Due to problems with web sockets and self-signed * certificates, for now we will always redirect to http */ - url = 'http://' + location.hostname + ':' + http_port; - url += "/vnc_auto.html?port=" + proxy_port; + url = 'https://' + location.hostname + ':' + proxy_port; + url += "/vnc.html?port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { @@ -355,6 +355,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/spice.html?port=" + proxy_port + "&listen=" + data.graphics.listen + "&token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { diff --git a/ui/css/novnc/Makefile.am b/ui/novnc/Makefile.am similarity index 82% rename from ui/css/novnc/Makefile.am rename to ui/novnc/Makefile.am index 29703d6..d0aca93 100644 --- a/ui/css/novnc/Makefile.am +++ b/ui/novnc/Makefile.am @@ -1,7 +1,7 @@ # # Kimchi # -# Copyright IBM, Corp. 2013 +# Copyright IBM, Corp. 2014 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,6 +15,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -cssdir = $(datadir)/kimchi/ui/css/novnc +SUBDIRS = css js -dist_css_DATA = base.css +htmldir = $(datadir)/kimchi/ui/novnc + +dist_html_DATA = vnc.html $(NULL) 
diff --git a/ui/css/fonts/novnc/Makefile.am b/ui/novnc/css/Makefile.am similarity index 88% rename from ui/css/fonts/novnc/Makefile.am rename to ui/novnc/css/Makefile.am index 50f6050..23d178f 100644 --- a/ui/css/fonts/novnc/Makefile.am +++ b/ui/novnc/css/Makefile.am @@ -15,6 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -fontdir = $(datadir)/kimchi/ui/css/fonts/novnc +cssdir = $(datadir)/kimchi/ui/novnc/css -dist_font_DATA = Orbitron700.* +dist_css_DATA = base.css Orbitron700.* diff --git a/ui/css/fonts/novnc/Orbitron700.ttf b/ui/novnc/css/Orbitron700.ttf similarity index 100% rename from ui/css/fonts/novnc/Orbitron700.ttf rename to ui/novnc/css/Orbitron700.ttf diff --git a/ui/css/fonts/novnc/Orbitron700.woff b/ui/novnc/css/Orbitron700.woff similarity index 100% rename from ui/css/fonts/novnc/Orbitron700.woff rename to ui/novnc/css/Orbitron700.woff diff --git a/ui/css/novnc/base.css b/ui/novnc/css/base.css similarity index 100% rename from ui/css/novnc/base.css rename to ui/novnc/css/base.css diff --git a/ui/js/novnc/Makefile.am b/ui/novnc/js/Makefile.am similarity index 94% rename from ui/js/novnc/Makefile.am rename to ui/novnc/js/Makefile.am index fefe6af..0c22fed 100644 --- a/ui/js/novnc/Makefile.am +++ b/ui/novnc/js/Makefile.am @@ -17,6 +17,6 @@ SUBDIRS = web-socket-js -jsdir = $(datadir)/kimchi/ui/js/novnc +jsdir = $(datadir)/kimchi/ui/novnc/js dist_js_DATA = $(wildcard *.js) $(NULL) diff --git a/ui/js/novnc/base64.js b/ui/novnc/js/base64.js similarity index 100% rename from ui/js/novnc/base64.js rename to ui/novnc/js/base64.js diff --git a/ui/js/novnc/des.js b/ui/novnc/js/des.js similarity index 100% rename from ui/js/novnc/des.js rename to ui/novnc/js/des.js diff --git a/ui/js/novnc/display.js b/ui/novnc/js/display.js similarity index 100% rename from ui/js/novnc/display.js rename to ui/novnc/js/display.js 
diff --git a/ui/js/novnc/input.js b/ui/novnc/js/input.js similarity index 100% rename from ui/js/novnc/input.js rename to ui/novnc/js/input.js diff --git a/ui/js/novnc/jsunzip.js b/ui/novnc/js/jsunzip.js similarity index 100% rename from ui/js/novnc/jsunzip.js rename to ui/novnc/js/jsunzip.js diff --git a/ui/js/novnc/main.js b/ui/novnc/js/main.js similarity index 100% rename from ui/js/novnc/main.js rename to ui/novnc/js/main.js diff --git a/ui/js/novnc/rfb.js b/ui/novnc/js/rfb.js similarity index 100% rename from ui/js/novnc/rfb.js rename to ui/novnc/js/rfb.js diff --git a/ui/js/novnc/util.js b/ui/novnc/js/util.js similarity index 100% rename from ui/js/novnc/util.js rename to ui/novnc/js/util.js diff --git a/ui/js/novnc/web-socket-js/Makefile.am b/ui/novnc/js/web-socket-js/Makefile.am similarity index 91% rename from ui/js/novnc/web-socket-js/Makefile.am rename to ui/novnc/js/web-socket-js/Makefile.am index 7d685f5..26ba1c0 100644 --- a/ui/js/novnc/web-socket-js/Makefile.am +++ b/ui/novnc/js/web-socket-js/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -websocketdir = $(datadir)/kimchi/ui/js/novnc/web-socket-js +websocketdir = $(datadir)/kimchi/ui/novnc/js/web-socket-js dist_websocket_DATA = \ swfobject.js \ diff --git a/ui/js/novnc/web-socket-js/README.txt b/ui/novnc/js/web-socket-js/README.txt similarity index 100% rename from ui/js/novnc/web-socket-js/README.txt rename to ui/novnc/js/web-socket-js/README.txt diff --git a/ui/js/novnc/web-socket-js/WebSocketMain.swf b/ui/novnc/js/web-socket-js/WebSocketMain.swf similarity index 100% rename from ui/js/novnc/web-socket-js/WebSocketMain.swf rename to ui/novnc/js/web-socket-js/WebSocketMain.swf diff --git a/ui/js/novnc/web-socket-js/swfobject.js b/ui/novnc/js/web-socket-js/swfobject.js similarity index 100% rename from ui/js/novnc/web-socket-js/swfobject.js rename to ui/novnc/js/web-socket-js/swfobject.js 
diff --git a/ui/js/novnc/web-socket-js/web_socket.js b/ui/novnc/js/web-socket-js/web_socket.js similarity index 100% rename from ui/js/novnc/web-socket-js/web_socket.js rename to ui/novnc/js/web-socket-js/web_socket.js diff --git a/ui/js/novnc/websock.js b/ui/novnc/js/websock.js similarity index 100% rename from ui/js/novnc/websock.js rename to ui/novnc/js/websock.js diff --git a/ui/js/novnc/webutil.js b/ui/novnc/js/webutil.js similarity index 100% rename from ui/js/novnc/webutil.js rename to ui/novnc/js/webutil.js diff --git a/ui/pages/vnc_auto.html.tmpl b/ui/novnc/vnc.html similarity index 83% rename from ui/pages/vnc_auto.html.tmpl rename to ui/novnc/vnc.html index 0078190..1f4355c 100644 --- a/ui/pages/vnc_auto.html.tmpl +++ b/ui/novnc/vnc.html @@ -1,4 +1,3 @@ -#from kimchi.cachebust import href <!DOCTYPE html> <html> <!-- @@ -13,15 +12,15 @@ <head> <title>noVNC</title> <meta http-equiv="X-UA-Compatible" content="chrome=1"> - <link rel="stylesheet" href="$href("/css/novnc/base.css")" title="plain"> + <link rel="stylesheet" href="css/base.css" title="plain"> <script type='text/javascript'> - var INCLUDE_URI = "/js/novnc/"; + var INCLUDE_URI = "js/"; </script> <!-- <script type='text/javascript' src='http://getfirebug.com/releases/lite/1.2/firebug-lite-compressed.js'></script> --> - <script src="$href("/js/novnc/util.js")"></script> + <script src="js/util.js"></script> </head> <body style="margin: 0px;"> @@ -39,6 +38,6 @@ Canvas not supported. </canvas> </div> - <script src="$href("/js/novnc/main.js")"></script> + <script src="js/main.js"></script> </body> </html> -- 1.9.0
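Review bot: In new_ws_proxy() in src/kimchi/vnc.py, the argument list gains '--cert', '--key' and '--web' but not websockify's --ssl-only option, so the proxy port keeps accepting unencrypted clients alongside TLS ones and the encryption depends on the browser having been sent to an https:// URL. Add '--ssl-only' to args so that a plain connection is refused. Two smaller points in the same hunk: nothing checks that the chosen cert and key files exist and are readable before Popen, so a wrong path in the config is not reported here; an os.path.isfile check with a logged error would make it visible at startup. The fallback paths are built with '%s/kimchi-cert.pem' % paths.conf_dir while the '--web' path a few lines later uses os.path.join; use os.path.join for all three.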
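Review bot: In the VNC hunk of ui/js/src/kimchi.api.js (@@ -329,9 +328,10), the block comment kept as context still says "for now we will always redirect to http", which is no longer true now that the URL is built with 'https://'; update or delete the comment in this patch. The added line url += '&encrypt=1' also has no terminating semicolon, unlike the statements around it.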
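Review bot: The SPICE hunk of ui/js/src/kimchi.api.js (@@ -355,6 +355,7) appends '&encrypt=1' while the URL is still built from 'http://' and http_port, and the commit message only covers the VNC console. Either drop this line or explain in the commit message how the SPICE page, loaded over plain HTTP, gets the self-signed certificate accepted for its encrypted websocket, which is the problem the VNC half solves by moving the page to the websockify web server. Because the earlier hunk removes the undeclared assignment http_port = data['http_port'], also confirm that the SPICE path sets http_port itself. The added line is missing its semicolon as well.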
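Review bot: In ui/novnc/vnc.html, dropping the $href(...) cache-busting wrapper for css/base.css, js/util.js and js/main.js means these files are now requested under fixed URLs, so a browser can keep running stale noVNC scripts after a Kimchi upgrade; state in the commit message whether that is accepted or how the files are versioned when served by websockify. The commented-out firebug-lite script tag kept in the head points at an http:// URL, which would be mixed content on the new HTTPS page if it were ever re-enabled; remove it while the file is being touched.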

Tested-By: Christy Perez <christy@linux.vnet.ibm.com>

Works great for me (Firefox 28 on Fedora 20). Great find, Zheng Sheng!

On Wed, 2014-04-30 at 15:38 +0800, Zhou Zheng Sheng wrote:
From: Mark Wu <wudxw@linux.vnet.ibm.com>
The current vm VNC console connection is unencrypted. This patch enables encrypted vm VNC console connection. But browsers don't support the use of self-signed certs well in the SSL websocket connection. For details, please see: https://github.com/kanaka/websockify/wiki/Encrypted-Connections
For the Chrome browser, the encrypted console connection should work after you log in with an SSL connection. But for Firefox, it does not show a confirmation page for the user to accept the self-signed cert when the HTTPS connection is started from a websocket.
So this patch makes use of the Web server in the websockify. The mini Web server in the websockify can serve static content like html, css and js. This patch moves all novnc related html, css, font and js files to ui/novnc, and has the websockify serve those files. When the user clicks the VNC icon, Kimchi brings the user to https://host:64667/vnc.html, which is served by websockify. Then Firefox would prompt a confirmation page for the self-signed cert. After the user accepts the cert, the HTTPS connection started from the websocket would succeed.
v3: Make use of the mini Web server in the websockify.
Signed-off-by: Mark Wu <wudxw@linux.vnet.ibm.com> Signed-off-by: Zhou Zheng Sheng <zhshzhou@linux.vnet.ibm.com> --- configure.ac | 8 ++++---- contrib/kimchi.spec.fedora.in | 13 +++++++------ contrib/kimchi.spec.suse.in | 13 +++++++------ src/kimchi/vnc.py | 11 +++++++++-- ui/Makefile.am | 2 +- ui/css/Makefile.am | 2 +- ui/css/fonts/Makefile.am | 2 -- ui/js/Makefile.am | 2 +- ui/js/src/kimchi.api.js | 7 ++++--- ui/{css => }/novnc/Makefile.am | 8 +++++--- ui/{css/fonts/novnc => novnc/css}/Makefile.am | 4 ++-- ui/{css/fonts/novnc => novnc/css}/Orbitron700.ttf | Bin ui/{css/fonts/novnc => novnc/css}/Orbitron700.woff | Bin ui/{css/novnc => novnc/css}/base.css | 0 ui/{js/novnc => novnc/js}/Makefile.am | 2 +- ui/{js/novnc => novnc/js}/base64.js | 0 ui/{js/novnc => novnc/js}/des.js | 0 ui/{js/novnc => novnc/js}/display.js | 0 ui/{js/novnc => novnc/js}/input.js | 0 ui/{js/novnc => novnc/js}/jsunzip.js | 0 ui/{js/novnc => novnc/js}/main.js | 0 ui/{js/novnc => novnc/js}/rfb.js | 0 ui/{js/novnc => novnc/js}/util.js | 0 ui/{js/novnc => novnc/js}/web-socket-js/Makefile.am | 2 +- ui/{js/novnc => novnc/js}/web-socket-js/README.txt | 0 ui/{js/novnc => novnc/js}/web-socket-js/WebSocketMain.swf | Bin ui/{js/novnc => novnc/js}/web-socket-js/swfobject.js | 0 ui/{js/novnc => novnc/js}/web-socket-js/web_socket.js | 0 ui/{js/novnc => novnc/js}/websock.js | 0 ui/{js/novnc => novnc/js}/webutil.js | 0 ui/{pages/vnc_auto.html.tmpl => novnc/vnc.html} | 9 ++++----- 31 files changed, 47 insertions(+), 38 deletions(-) rename ui/{css => }/novnc/Makefile.am (82%) rename ui/{css/fonts/novnc => novnc/css}/Makefile.am (88%) rename ui/{css/fonts/novnc => novnc/css}/Orbitron700.ttf (100%) rename ui/{css/fonts/novnc => novnc/css}/Orbitron700.woff (100%) rename ui/{css/novnc => novnc/css}/base.css (100%) rename ui/{js/novnc => novnc/js}/Makefile.am (94%) rename ui/{js/novnc => novnc/js}/base64.js (100%) rename ui/{js/novnc => novnc/js}/des.js (100%) rename ui/{js/novnc => novnc/js}/display.js (100%) 
rename ui/{js/novnc => novnc/js}/input.js (100%) rename ui/{js/novnc => novnc/js}/jsunzip.js (100%) rename ui/{js/novnc => novnc/js}/main.js (100%) rename ui/{js/novnc => novnc/js}/rfb.js (100%) rename ui/{js/novnc => novnc/js}/util.js (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/Makefile.am (91%) rename ui/{js/novnc => novnc/js}/web-socket-js/README.txt (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/WebSocketMain.swf (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/swfobject.js (100%) rename ui/{js/novnc => novnc/js}/web-socket-js/web_socket.js (100%) rename ui/{js/novnc => novnc/js}/websock.js (100%) rename ui/{js/novnc => novnc/js}/webutil.js (100%) rename ui/{pages/vnc_auto.html.tmpl => novnc/vnc.html} (83%)
diff --git a/configure.ac b/configure.ac index 7d76f97..bc3f93e 100644 --- a/configure.ac +++ b/configure.ac @@ -66,19 +66,19 @@ AC_CONFIG_FILES([ plugins/sample/ui/config/Makefile ui/Makefile ui/css/Makefile - ui/css/novnc/Makefile ui/css/fonts/Makefile - ui/css/fonts/novnc/Makefile ui/images/Makefile ui/images/theme-default/Makefile ui/js/Makefile - ui/js/novnc/Makefile ui/js/spice/Makefile - ui/js/novnc/web-socket-js/Makefile ui/libs/Makefile ui/libs/themes/Makefile ui/libs/themes/base/Makefile ui/libs/themes/base/images/Makefile + ui/novnc/Makefile + ui/novnc/css/Makefile + ui/novnc/js/Makefile + ui/novnc/js/web-socket-js/Makefile ui/pages/Makefile ui/pages/help/Makefile ui/pages/help/en_US/Makefile diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 104c114..dd2fba7 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -154,8 +154,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/mo/*/LC_MESSAGES/kimchi.mo %{_datadir}/kimchi/config/ui/*.xml %{_datadir}/kimchi/ui/css/fonts/fontawesome-webfont.* -%{_datadir}/kimchi/ui/css/fonts/novnc/Orbitron700.* -%{_datadir}/kimchi/ui/css/novnc/base.css %{_datadir}/kimchi/ui/css/theme-default.min.css %{_datadir}/kimchi/ui/images/*.png %{_datadir}/kimchi/ui/images/*.ico @@ -165,11 +163,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/js/jquery-ui.js %{_datadir}/kimchi/ui/js/jquery.min.js %{_datadir}/kimchi/ui/js/modernizr.custom.2.6.2.min.js -%{_datadir}/kimchi/ui/js/novnc/*.js %{_datadir}/kimchi/ui/js/spice/*.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/WebSocketMain.swf -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/swfobject.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/web_socket.js %{_datadir}/kimchi/ui/libs/jquery-ui-i18n.min.js %{_datadir}/kimchi/ui/libs/jquery-ui.min.js %{_datadir}/kimchi/ui/libs/jquery-1.10.0.min.js 
@@ -177,6 +171,13 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/libs/themes/base/images/*.png %{_datadir}/kimchi/ui/libs/themes/base/images/*.gif %{_datadir}/kimchi/ui/libs/themes/base/jquery-ui.min.css +%{_datadir}/kimchi/ui/novnc/css/Orbitron700.* +%{_datadir}/kimchi/ui/novnc/css/base.css +%{_datadir}/kimchi/ui/novnc/js/*.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/WebSocketMain.swf +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/swfobject.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/web_socket.js +%{_datadir}/kimchi/ui/novnc/vnc.html %{_datadir}/kimchi/ui/pages/*.html.tmpl %{_datadir}/kimchi/ui/pages/help/*/*.html %{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 7704822..73c59a0 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -76,8 +76,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/mo/*/LC_MESSAGES/kimchi.mo %{_datadir}/kimchi/config/ui/*.xml %{_datadir}/kimchi/ui/css/fonts/fontawesome-webfont.* -%{_datadir}/kimchi/ui/css/fonts/novnc/Orbitron700.* -%{_datadir}/kimchi/ui/css/novnc/base.css %{_datadir}/kimchi/ui/css/theme-default.min.css %{_datadir}/kimchi/ui/images/*.png %{_datadir}/kimchi/ui/images/*.ico @@ -87,11 +85,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/js/jquery-ui.js %{_datadir}/kimchi/ui/js/jquery.min.js %{_datadir}/kimchi/ui/js/modernizr.custom.2.6.2.min.js -%{_datadir}/kimchi/ui/js/novnc/*.js %{_datadir}/kimchi/ui/js/spice/*.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/WebSocketMain.swf -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/swfobject.js -%{_datadir}/kimchi/ui/js/novnc/web-socket-js/web_socket.js %{_datadir}/kimchi/ui/libs/jquery-ui-i18n.min.js %{_datadir}/kimchi/ui/libs/jquery-ui.min.js %{_datadir}/kimchi/ui/libs/jquery-1.10.0.min.js 
@@ -99,6 +93,13 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/kimchi/ui/libs/themes/base/images/*.png %{_datadir}/kimchi/ui/libs/themes/base/images/*.gif %{_datadir}/kimchi/ui/libs/themes/base/jquery-ui.min.css +%{_datadir}/kimchi/ui/novnc/css/Orbitron700.* +%{_datadir}/kimchi/ui/novnc/css/base.css +%{_datadir}/kimchi/ui/novnc/js/*.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/WebSocketMain.swf +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/swfobject.js +%{_datadir}/kimchi/ui/novnc/js/web-socket-js/web_socket.js +%{_datadir}/kimchi/ui/novnc/vnc.html %{_datadir}/kimchi/ui/pages/*.html.tmpl %{_datadir}/kimchi/ui/pages/help/*/*.html %{_datadir}/kimchi/ui/pages/tabs/*.html.tmpl diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 1f36e9a..61f9c15 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -23,7 +23,7 @@ import os import subprocess
-from kimchi.config import config +from kimchi.config import config, paths
WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens' @@ -36,9 +36,16 @@ def new_ws_proxy(): if e.errno == errno.EEXIST: pass
+ cert = config.get('server', 'ssl_cert') + key = config.get('server', 'ssl_key') + if not (cert and key): + cert = '%s/kimchi-cert.pem' % paths.conf_dir + key = '%s/kimchi-key.pem' % paths.conf_dir + cmd = os.path.join(os.path.dirname(__file__), 'websockify.py') args = ['python', cmd, config.get('display', 'display_proxy_port'), - '--target-config', WS_TOKENS_DIR] + '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key, + '--web', os.path.join(paths.ui_dir, 'novnc')] p = subprocess.Popen(args, close_fds=True) return p
diff --git a/ui/Makefile.am b/ui/Makefile.am index b5366c5..4e0d57a 100644 --- a/ui/Makefile.am +++ b/ui/Makefile.am @@ -15,4 +15,4 @@ # See the License for the specific language governing permissions and # limitations under the License.
-SUBDIRS = css images js libs pages +SUBDIRS = css images js libs pages novnc diff --git a/ui/css/Makefile.am b/ui/css/Makefile.am index db65799..0922a9d 100644 --- a/ui/css/Makefile.am +++ b/ui/css/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License.
-SUBDIRS = novnc fonts +SUBDIRS = fonts
EXTRA_DIST = theme-default
diff --git a/ui/css/fonts/Makefile.am b/ui/css/fonts/Makefile.am index 63df038..d72bb6c 100644 --- a/ui/css/fonts/Makefile.am +++ b/ui/css/fonts/Makefile.am @@ -15,8 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License.
-SUBDIRS = novnc - fontdir = $(datadir)/kimchi/ui/css/fonts
dist_font_DATA = fontawesome-webfont.* diff --git a/ui/js/Makefile.am b/ui/js/Makefile.am index f4d1e6b..a29c262 100644 --- a/ui/js/Makefile.am +++ b/ui/js/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License.
-SUBDIRS = novnc spice +SUBDIRS = spice
EXTRA_DIST = src widgets
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 1bde45c..c8c422d 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -318,7 +318,6 @@ var kimchi = { type : 'GET', dataType : 'json' }).done(function(data, textStatus, xhr) { - http_port = data['http_port']; proxy_port = data['display_proxy_port']; kimchi.requestJSON({ url : "/vms/" + encodeURIComponent(vm) + "/connect", @@ -329,9 +328,10 @@ var kimchi = { * Due to problems with web sockets and self-signed * certificates, for now we will always redirect to http */ - url = 'http://' + location.hostname + ':' + http_port; - url += "/vnc_auto.html?port=" + proxy_port; + url = 'https://' + location.hostname + ':' + proxy_port; + url += "/vnc.html?port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { @@ -355,6 +355,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/spice.html?port=" + proxy_port + "&listen=" + data.graphics.listen + "&token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { diff --git a/ui/css/novnc/Makefile.am b/ui/novnc/Makefile.am similarity index 82% rename from ui/css/novnc/Makefile.am rename to ui/novnc/Makefile.am index 29703d6..d0aca93 100644 --- a/ui/css/novnc/Makefile.am +++ b/ui/novnc/Makefile.am @@ -1,7 +1,7 @@ # # Kimchi # -# Copyright IBM, Corp. 2013 +# Copyright IBM, Corp. 2014 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,6 +15,8 @@ # See the License for the specific language governing permissions and # limitations under the License.
-cssdir = $(datadir)/kimchi/ui/css/novnc +SUBDIRS = css js
-dist_css_DATA = base.css +htmldir = $(datadir)/kimchi/ui/novnc + +dist_html_DATA = vnc.html $(NULL) diff --git a/ui/css/fonts/novnc/Makefile.am b/ui/novnc/css/Makefile.am similarity index 88% rename from ui/css/fonts/novnc/Makefile.am rename to ui/novnc/css/Makefile.am index 50f6050..23d178f 100644 --- a/ui/css/fonts/novnc/Makefile.am +++ b/ui/novnc/css/Makefile.am @@ -15,6 +15,6 @@ # See the License for the specific language governing permissions and # limitations under the License.
-fontdir = $(datadir)/kimchi/ui/css/fonts/novnc +cssdir = $(datadir)/kimchi/ui/novnc/css
-dist_font_DATA = Orbitron700.* +dist_css_DATA = base.css Orbitron700.* diff --git a/ui/css/fonts/novnc/Orbitron700.ttf b/ui/novnc/css/Orbitron700.ttf similarity index 100% rename from ui/css/fonts/novnc/Orbitron700.ttf rename to ui/novnc/css/Orbitron700.ttf diff --git a/ui/css/fonts/novnc/Orbitron700.woff b/ui/novnc/css/Orbitron700.woff similarity index 100% rename from ui/css/fonts/novnc/Orbitron700.woff rename to ui/novnc/css/Orbitron700.woff diff --git a/ui/css/novnc/base.css b/ui/novnc/css/base.css similarity index 100% rename from ui/css/novnc/base.css rename to ui/novnc/css/base.css diff --git a/ui/js/novnc/Makefile.am b/ui/novnc/js/Makefile.am similarity index 94% rename from ui/js/novnc/Makefile.am rename to ui/novnc/js/Makefile.am index fefe6af..0c22fed 100644 --- a/ui/js/novnc/Makefile.am +++ b/ui/novnc/js/Makefile.am @@ -17,6 +17,6 @@
SUBDIRS = web-socket-js
-jsdir = $(datadir)/kimchi/ui/js/novnc +jsdir = $(datadir)/kimchi/ui/novnc/js
dist_js_DATA = $(wildcard *.js) $(NULL) diff --git a/ui/js/novnc/base64.js b/ui/novnc/js/base64.js similarity index 100% rename from ui/js/novnc/base64.js rename to ui/novnc/js/base64.js diff --git a/ui/js/novnc/des.js b/ui/novnc/js/des.js similarity index 100% rename from ui/js/novnc/des.js rename to ui/novnc/js/des.js diff --git a/ui/js/novnc/display.js b/ui/novnc/js/display.js similarity index 100% rename from ui/js/novnc/display.js rename to ui/novnc/js/display.js diff --git a/ui/js/novnc/input.js b/ui/novnc/js/input.js similarity index 100% rename from ui/js/novnc/input.js rename to ui/novnc/js/input.js diff --git a/ui/js/novnc/jsunzip.js b/ui/novnc/js/jsunzip.js similarity index 100% rename from ui/js/novnc/jsunzip.js rename to ui/novnc/js/jsunzip.js diff --git a/ui/js/novnc/main.js b/ui/novnc/js/main.js similarity index 100% rename from ui/js/novnc/main.js rename to ui/novnc/js/main.js diff --git a/ui/js/novnc/rfb.js b/ui/novnc/js/rfb.js similarity index 100% rename from ui/js/novnc/rfb.js rename to ui/novnc/js/rfb.js diff --git a/ui/js/novnc/util.js b/ui/novnc/js/util.js similarity index 100% rename from ui/js/novnc/util.js rename to ui/novnc/js/util.js diff --git a/ui/js/novnc/web-socket-js/Makefile.am b/ui/novnc/js/web-socket-js/Makefile.am similarity index 91% rename from ui/js/novnc/web-socket-js/Makefile.am rename to ui/novnc/js/web-socket-js/Makefile.am index 7d685f5..26ba1c0 100644 --- a/ui/js/novnc/web-socket-js/Makefile.am +++ b/ui/novnc/js/web-socket-js/Makefile.am @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License.
-websocketdir = $(datadir)/kimchi/ui/js/novnc/web-socket-js +websocketdir = $(datadir)/kimchi/ui/novnc/js/web-socket-js
dist_websocket_DATA = \ swfobject.js \ diff --git a/ui/js/novnc/web-socket-js/README.txt b/ui/novnc/js/web-socket-js/README.txt similarity index 100% rename from ui/js/novnc/web-socket-js/README.txt rename to ui/novnc/js/web-socket-js/README.txt diff --git a/ui/js/novnc/web-socket-js/WebSocketMain.swf b/ui/novnc/js/web-socket-js/WebSocketMain.swf similarity index 100% rename from ui/js/novnc/web-socket-js/WebSocketMain.swf rename to ui/novnc/js/web-socket-js/WebSocketMain.swf diff --git a/ui/js/novnc/web-socket-js/swfobject.js b/ui/novnc/js/web-socket-js/swfobject.js similarity index 100% rename from ui/js/novnc/web-socket-js/swfobject.js rename to ui/novnc/js/web-socket-js/swfobject.js diff --git a/ui/js/novnc/web-socket-js/web_socket.js b/ui/novnc/js/web-socket-js/web_socket.js similarity index 100% rename from ui/js/novnc/web-socket-js/web_socket.js rename to ui/novnc/js/web-socket-js/web_socket.js diff --git a/ui/js/novnc/websock.js b/ui/novnc/js/websock.js similarity index 100% rename from ui/js/novnc/websock.js rename to ui/novnc/js/websock.js diff --git a/ui/js/novnc/webutil.js b/ui/novnc/js/webutil.js similarity index 100% rename from ui/js/novnc/webutil.js rename to ui/novnc/js/webutil.js diff --git a/ui/pages/vnc_auto.html.tmpl b/ui/novnc/vnc.html similarity index 83% rename from ui/pages/vnc_auto.html.tmpl rename to ui/novnc/vnc.html index 0078190..1f4355c 100644 --- a/ui/pages/vnc_auto.html.tmpl +++ b/ui/novnc/vnc.html @@ -1,4 +1,3 @@ -#from kimchi.cachebust import href <!DOCTYPE html> <html> <!-- 
@@ -13,15 +12,15 @@ <head> <title>noVNC</title> <meta http-equiv="X-UA-Compatible" content="chrome=1"> - <link rel="stylesheet" href="$href("/css/novnc/base.css")" title="plain"> + <link rel="stylesheet" href="css/base.css" title="plain"> <script type='text/javascript'> - var INCLUDE_URI = "/js/novnc/"; + var INCLUDE_URI = "js/"; </script> <!-- <script type='text/javascript' src='http://getfirebug.com/releases/lite/1.2/firebug-lite-compressed.js'></script> --> - <script src="$href("/js/novnc/util.js")"></script> + <script src="js/util.js"></script> </head>
<body style="margin: 0px;"> @@ -39,6 +38,6 @@ Canvas not supported. </canvas> </div> - <script src="$href("/js/novnc/main.js")"></script> + <script src="js/main.js"></script> </body> </html>
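Review bot: dist_js_DATA = $(wildcard *.js) under the new jsdir, together with the relocated websocketdir, installs every noVNC script and the web-socket-js files into ui/novnc, the tree the commit message says websockify will serve, so all of it becomes reachable on the console port. Please state in the commit message which of these files the console page actually needs to be served from there, and consider installing only those into the served directory.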
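Review bot: Nothing in the vnc.html hunk keeps the console page behind a Kimchi login. The file stops being a Kimchi template (the "#from kimchi.cachebust import href" line is removed) and becomes a static page with relative css/ and js/ URLs, so loading it no longer passes through Kimchi at all. The patch should explain how access to the page and to the console behind it stays tied to an authenticated session, or keep the rendering in Kimchi. The stylesheet and script URLs also lose their $href(...) wrapper; if that helper is what versioned those URLs, add a replacement so upgraded hosts do not keep running cached copies of base.css, util.js and main.js.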

On 04/30/2014 03:20 PM, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
After applying this patch and making more tests I noticed we need to improve it. In this way we are exposing all the noVNC files and letting the websockify web server render the noVNC page. The websockify web server is limited - as far as I know it only exposes and renders content in a directory. So if someone has the URL https://host-ip:64667/vnc.html?port=64667&path=?token=my-vm&encrypt=1 he/she can access the VM console without Kimchi authentication.

My idea is very similar to what is being done today, BUT instead of exposing all the noVNC files, we expose just one vnc.html. That html will redirect the user to Kimchi vnc.html (so Kimchi will be responsible for rendering the noVNC page) and we can add authentication to it.

The big picture will be:

JS connectToVNC() will redirect to https://host-ip:64667/vnc.html?port=64667&path=?token=my-vm&encrypt=1
https://host-ip:64667/vnc.html will redirect to https://host-ip:8001/vnc.html after loading the page.

So if the user hasn't accepted the CA yet he/she will be able to do it before being redirected to the Kimchi page.

I am working on a patch to do what I described above and also add Kimchi authentication to vnc.html and spice.html.

Thanks Aline. You are right. I didn't notice the authentication problem. I think your approach should work.

on 2014/05/01 20:00, Aline Manera wrote:
> After applying this patch and making more tests I noticed we need to improve it. In this way we are exposing all the noVNC files and letting the websockify web server render the noVNC page. The websockify web server is limited - as far as I know it only exposes and renders content in a directory. So if someone has the URL https://host-ip:64667/vnc.html?port=64667&path=?token=my-vm&encrypt=1 he/she can access the VM console without Kimchi authentication.
> My idea is very similar to what is being done today, BUT instead of exposing all the noVNC files, we expose just one vnc.html. That html will redirect the user to Kimchi vnc.html (so Kimchi will be responsible for rendering the noVNC page) and we can add authentication to it.
> The big picture will be:
> JS connectToVNC() will redirect to https://host-ip:64667/vnc.html?port=64667&path=?token=my-vm&encrypt=1
> https://host-ip:64667/vnc.html will redirect to https://host-ip:8001/vnc.html after loading the page.
> So if the user hasn't accepted the CA yet he/she will be able to do it before being redirected to the Kimchi page.
> I am working on a patch to do what I described above and also add Kimchi authentication to vnc.html and spice.html.
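The URL quoted in this thread carries the VM name as its token (token=my-vm), and as the thread notes, whoever has that URL reaches the console without Kimchi authentication. As an added example (not code from the patch, Kimchi or websockify, and a different technique from the redirect proposed above), this sketch shows a token that only an authenticated management UI can issue: the VM name is wrapped in an HMAC-signed, expiring value that a proxy can check before connecting. The function names, the secret and the 30-second lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-key"  # constructed; generate randomly at startup
TOKEN_TTL = 30  # seconds a console token stays valid (assumed value)


def _sign(data: bytes) -> bytes:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest().encode()


def issue_console_token(vm, user, now=None):
    """Issued by the management UI only after the user has logged in."""
    now = time.time() if now is None else now
    claims = {"vm": vm, "user": user, "exp": int(now) + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()


def verify_console_token(token, now=None):
    """Return the VM name the token authorizes, or None if it is not valid."""
    now = time.time() if now is None else now
    body, sep, sig = token.encode().partition(b".")
    # Constant-time comparison; a bare VM name has no signature part at all.
    if not sep or not hmac.compare_digest(_sign(body), sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("vm")


if __name__ == "__main__":
    token = issue_console_token("my-vm", "alice")
    print(verify_console_token(token))    # freshly issued token
    print(verify_console_token("my-vm"))  # bare VM name, as in the quoted URL
```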
participants (3): Aline Manera, Christy Perez, Zhou Zheng Sheng