api: termproxy: fix ACL as /nodes is /system

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2020-07-23 12:38:10 +02:00
parent 98b1733760
commit e744de0eb0


@ -83,14 +83,12 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
}, },
access: { access: {
description: "Restricted to users on realm 'pam'", description: "Restricted to users on realm 'pam'",
permission: &Permission::Privilege(&["nodes","{node}"], PRIV_SYS_CONSOLE, false), permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
} }
)] )]
/// Call termproxy and return shell ticket /// Call termproxy and return shell ticket
async fn termproxy( async fn termproxy(
node: String,
cmd: Option<String>, cmd: Option<String>,
_param: Value,
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> { ) -> Result<Value, Error> {
let userid = rpcenv let userid = rpcenv
@ -102,7 +100,7 @@ async fn termproxy(
bail!("only pam users can use the console"); bail!("only pam users can use the console");
} }
let path = format!("/nodes/{}", node); let path = "/system";
// use port 0 and let the kernel decide which port is free // use port 0 and let the kernel decide which port is free
let listener = TcpListener::bind("localhost:0")?; let listener = TcpListener::bind("localhost:0")?;
@ -229,8 +227,8 @@ pub const API_METHOD_WEBSOCKET: ApiMethod = ApiMethod::new(
), ),
) )
.access( .access(
Some("The user needs Sys.Console on /nodes/{node}."), Some("The user needs Sys.Console on /system."),
&Permission::Privilege(&["nodes", "{node}"], PRIV_SYS_CONSOLE, false), &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
); );
fn upgrade_to_websocket( fn upgrade_to_websocket(
@ -242,8 +240,6 @@ fn upgrade_to_websocket(
) -> ApiResponseFuture { ) -> ApiResponseFuture {
async move { async move {
let username = rpcenv.get_user().unwrap(); let username = rpcenv.get_user().unwrap();
let node = tools::required_string_param(&param, "node")?.to_owned();
let path = format!("/nodes/{}", node);
let ticket = tools::required_string_param(&param, "vncticket")?.to_owned(); let ticket = tools::required_string_param(&param, "vncticket")?.to_owned();
let port: u16 = tools::required_integer_param(&param, "port")? as u16; let port: u16 = tools::required_integer_param(&param, "port")? as u16;
@ -251,7 +247,7 @@ fn upgrade_to_websocket(
tools::ticket::verify_term_ticket( tools::ticket::verify_term_ticket(
crate::auth_helpers::public_auth_key(), crate::auth_helpers::public_auth_key(),
&username, &username,
&path, &"/system",
port, port,
&ticket, &ticket,
)?; )?;
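Review bot: The ticket path is now a bare literal spelled twice, once on the issuing side (`let path = "/system";` in `termproxy`) and once on the verifying side (`&"/system"` in the `verify_term_ticket` call), where `&"/system"` is a `&&str` that only compiles through deref coercion. Any later drift between the two literals makes every issued shell ticket fail verification, so I would hoist it into one module-level constant with a doc comment saying that PBS has a single node whose `/nodes/{node}` ACL path maps to `/system`, i.e. `const TERMPROXY_PATH: &str = "/system";`, then `let path = TERMPROXY_PATH;` in `termproxy` and `TERMPROXY_PATH,` in place of `&"/system"`. The `Permission::Privilege(&["system"], …)` components in both access declarations would still be written separately, so a short comment there noting they must agree with that constant is worth adding. Both `termproxy` and `upgrade_to_websocket` start and end outside the hunks shown.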