vncserver: don't require group memebership for cert readability check
This commit is contained in:
parent
bef16c5b34
commit
34ca7595e8
59
spec/vncserver_spec.py
Normal file
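--- a/spec/vncserver_spec.py
+++ b/spec/vncserver_spec.py
@@ -0,0 +1,59 @@
+import os
+import stat
+import tempfile
+from mamba import description, context, fcontext, it, fit, before, after
+from expects import expect, equal, contain, match
+
+from helper.spec_helper import start_xvnc, kill_xvnc, run_cmd, clean_env, \
+add_kasmvnc_user_docker, clean_kasm_users, start_xvnc_pexpect, \
+write_config, config_filename
+
+
+def run_vncserver():
+return start_xvnc(f'-config {config_filename}')
+
+
+def temp_file_name():
+return f'/tmp/vncserver.{next(tempfile._get_candidate_names())}'
+
+
+with description('vncserver') as self:
+with before.each:
+clean_env()
+with after.each:
+kill_xvnc()
+
+with context("SSL certs"):
+with before.each:
+add_kasmvnc_user_docker()
+
+with it("complains if SSL certs don't exist"):
+non_existent_file_name = temp_file_name()
+
+write_config(f'''
+network:
+ssl:
+pem_certificate: {non_existent_file_name}
+''')
+completed_process = run_vncserver()
+expect(completed_process.returncode).to(equal(1))
+expect(completed_process.stderr).to(
+match(r'certificate file doesn\'t exist'))
+
+with it("complains if SSL cert not available"):
+cert_file_name = temp_file_name()
+with open(cert_file_name, 'w') as f:
+f.write('test')
+os.chmod(cert_file_name, stat.S_IXUSR)
+
+write_config(f'''
+network:
+ssl:
+pem_certificate: {cert_file_name}
+''')
+completed_process = run_vncserver()
+expect(completed_process.returncode).to(equal(1))
+expect(completed_process.stderr).to(
+match(r'certificate isn\'t readable'))
+expect(completed_process.stderr).to(
+match(r'addgroup \$USER'))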
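Review bot: `temp_file_name()` derives a predictable path under the shared `/tmp` from the private `tempfile._get_candidate_names()` helper, and the second test then opens that path with `'w'`, so a name pre-created or symlinked by another local user is followed, and the private helper is free to change between Python versions. For the file that must exist use `fd, path = tempfile.mkstemp(prefix='vncserver.'); os.close(fd)` (created atomically with mode 0600, after which the `os.chmod` still applies), and for the path that must not exist use `os.path.join(tempfile.mkdtemp(prefix='vncserver.'), 'missing.pem')`; delete both in the `after.each` block so the suite does not leave files behind. Both tests also presume a non-root test user: a root process typically passes the Perl `-r` check regardless of the 0100 mode, and the final `addgroup \$USER` assertion only matches the Debian branch of the new `AddUserToGroupCmd` in the vncserver hunk, where RPM systems get `usermod -a -G`, so either pin the image in a comment or make the expectation `match(r'(addgroup|usermod).*\$USER')`.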
@ -534,79 +534,68 @@ sub CheckRequiredDependenciesArePresent
|
|||||||
sub CheckSslCertReadable {
|
sub CheckSslCertReadable {
|
||||||
return if IsDryRun();
|
return if IsDryRun();
|
||||||
|
|
||||||
CheckUserHasAccessToSslCertOnDebian();
|
RequireSslCertsToBeReadable();
|
||||||
CheckUserHasAccessToSslCertOnCentOS();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sub IsDebian {
|
sub IsDebian {
|
||||||
return -f "/etc/debian_version";
|
return -f "/etc/debian_version";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub CheckUserHasAccessToSslCertOnDebian {
|
|
||||||
if (!IsDebian()) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (DoesCertKeyRequireSslCertGroup()) {
|
|
||||||
RequireUserToHaveSslCertGroup();
|
|
||||||
} else {
|
|
||||||
RequireSslCertsToBeReadable();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sub RequireSslCertsToBeReadable {
|
sub RequireSslCertsToBeReadable {
|
||||||
my $certFilename = DerivedValue("network.ssl.pem_certificate");
|
my $certFilename = DerivedValue("network.ssl.pem_certificate");
|
||||||
my $certKeyFilename = DerivedValue("network.ssl.pem_key");
|
my $certKeyFilename = DerivedValue("network.ssl.pem_key");
|
||||||
|
|
||||||
my @unreadableCertFiles = map { -r $_ ? () : $_ }
|
@certs = ($certFilename, $certKeyFilename);
|
||||||
uniq($certFilename, $certKeyFilename);
|
@certs = grep defined, @certs;
|
||||||
|
@certs = uniq @certs;
|
||||||
|
|
||||||
|
my @unreadableCertFiles = map { -r $_ ? () : $_ } @certs;
|
||||||
return if (scalar @unreadableCertFiles == 0);
|
return if (scalar @unreadableCertFiles == 0);
|
||||||
|
|
||||||
$unreadableCertFiles = join "\n", @unreadableCertFiles;
|
foreach my $unreadableCert (@unreadableCertFiles) {
|
||||||
$logger->warn(<<TEXT);
|
GuideUserToMakeCertFileReadable($unreadableCert);
|
||||||
Please ensure SSL certificate files are readable by you:
|
}
|
||||||
$unreadableCertFiles
|
|
||||||
TEXT
|
|
||||||
exit 1;
|
exit 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub DoesCertKeyRequireSslCertGroup {
|
sub FileGroupName {
|
||||||
my $certKeyFilename = ConfigValue("network.ssl.pem_key");
|
my $file = shift;
|
||||||
$certKeyFilename =~ m!^/etc/ssl/private!;
|
my $grpId = (stat($file))[5];
|
||||||
|
|
||||||
|
getgrgid($grpId);
|
||||||
}
|
}
|
||||||
|
|
||||||
sub DoesCertKeyRequireKasmvncCertGroup {
|
sub AddUserToGroupCmd {
|
||||||
my $certKeyFilename = ConfigValue("network.ssl.pem_key");
|
my $certGroup = shift;
|
||||||
$certKeyFilename =~ m!^/etc/pki/tls/private!;
|
|
||||||
}
|
|
||||||
|
|
||||||
sub RequireUserToHaveSslCertGroup {
|
if (IsRpmSystem()) {
|
||||||
my $certGroup = 'ssl-cert';
|
"usermod -a -G $certGroup \$USER"
|
||||||
if (system("groups | grep -qw $certGroup") != 0) {
|
} else {
|
||||||
$logger->warn(<<EOF);
|
"addgroup \$USER $certGroup"
|
||||||
Can't access TLS certificate.
|
|
||||||
Please add your user to $certGroup via 'addgroup \$USER $certGroup'
|
|
||||||
EOF
|
|
||||||
exit(1);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub GuideUserToMakeCertFileReadable {
|
||||||
|
my $certFile = shift;
|
||||||
|
if (! -f $certFile) {
|
||||||
|
$logger->warn("$certFile: certificate file doesn't exist or isn't a file");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
my $certGroup = FileGroupName $certFile;
|
||||||
|
my $addUserToGroupCmd = AddUserToGroupCmd $certGroup;
|
||||||
|
|
||||||
|
$logger->warn(<<EOF);
|
||||||
|
$certFile: certificate isn't readable.
|
||||||
|
Make the certificate readable by adding your user to group "$certGroup":
|
||||||
|
'$addUserToGroupCmd'
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
sub IsRpmSystem {
|
sub IsRpmSystem {
|
||||||
system("command -v rpm >/dev/null 2>&1") == 0;
|
system("command -v rpm >/dev/null 2>&1") == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub CheckUserHasAccessToSslCertOnCentOS {
|
|
||||||
if (!IsRpmSystem()) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (DoesCertKeyRequireKasmvncCertGroup()) {
|
|
||||||
RequireUserToHaveKasmvncCertGroup();
|
|
||||||
} else {
|
|
||||||
RequireSslCertsToBeReadable();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sub RequireUserToHaveKasmvncCertGroup {
|
sub RequireUserToHaveKasmvncCertGroup {
|
||||||
my $certGroup = 'kasmvnc-cert';
|
my $certGroup = 'kasmvnc-cert';
|
||||||
if (system("groups | grep -qw $certGroup") != 0) {
|
if (system("groups | grep -qw $certGroup") != 0) {
|
||||||
@ -843,12 +832,12 @@ sub ConfigureDeToRun {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub AskUserToChooseDeOrManualXstartup {
|
sub AskUserToChooseDeOrManualXstartup {
|
||||||
|
return if IsDryRun();
|
||||||
|
|
||||||
if (PromptingDisabled()) {
|
if (PromptingDisabled()) {
|
||||||
WarnIfShouldPromptForDe();
|
WarnIfShouldPromptForDe();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
return if IsDryRun();
|
|
||||||
return unless shouldPromptUserToSelectDe();
|
return unless shouldPromptUserToSelectDe();
|
||||||
|
|
||||||
ForgetSelectedDe();
|
ForgetSelectedDe();
|
||||||
|
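Review bot: `GuideUserToMakeCertFileReadable` advises joining the file's owning group whenever `-r` fails, without checking that the group read bit is set or that the group is one an ordinary user should be added to; for a key installed as `-rw------- root:root` the printed advice is `addgroup $USER root` (or `usermod -a -G root $USER` on RPM systems), which recommends a privilege escalation rather than a fix, and when the file's gid has no `/etc/group` entry `getgrgid` returns undef so `$certGroup` interpolates as an empty string. Gate the group guidance on `(stat $certFile)[2] & 0040` (the `S_IRGRP` bit) and on a defined, non-root group, and otherwise ask the administrator to fix the file's permissions, as in the excerpt below. Separately, `@certs` in `RequireSslCertsToBeReadable` is assigned without `my`; unless it is declared elsewhere in the file, make it lexical with `my @certs = uniq grep { defined } ($certFilename, $certKeyFilename);`. `RequireUserToHaveKasmvncCertGroup` continues past the end of the hunk.
```perl
sub GuideUserToMakeCertFileReadable {
  my $certFile = shift;
  # … unchanged: -f existence check …

  my $mode = (stat($certFile))[2];
  my $certGroup = FileGroupName $certFile;

  # Group membership only helps when the group may read the file, and
  # joining "root" (or an unnamed gid) must never be the suggested fix.
  unless (defined $certGroup && $certGroup ne 'root' && ($mode & 0040)) {
    $logger->warn("$certFile: certificate isn't readable. Ask the administrator to grant read access to it (e.g. chmod g+r with a dedicated certificate group).");
    return;
  }

  my $addUserToGroupCmd = AddUserToGroupCmd $certGroup;
  # … unchanged: group-membership guidance heredoc …
}
```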