Merge "console: Improve logging"
commit
b124ceab04
@ -22,6 +22,7 @@ AUTH_STATUS_FAIL = b"\x00"
|
||||
AUTH_STATUS_PASS = b"\x01"
|
||||
|
||||
|
||||
@enum.unique
|
||||
class AuthType(enum.IntEnum):
|
||||
|
||||
INVALID = 0
|
||||
|
@ -91,25 +91,35 @@ class RFBAuthSchemeVeNCrypt(auth.RFBAuthScheme):
|
||||
reason = _("Server could not use VeNCrypt version 0.2")
|
||||
raise exception.RFBAuthHandshakeFailed(reason=reason)
|
||||
|
||||
# get the supported sub-auth types
|
||||
# get the supported auth subtypes
|
||||
sub_types_cnt = ord(recv(1))
|
||||
sub_types_raw = recv(sub_types_cnt * auth.SUBTYPE_LENGTH)
|
||||
sub_types = struct.unpack('!' + str(sub_types_cnt) + 'I',
|
||||
sub_types_raw)
|
||||
|
||||
LOG.debug("Server supports VeNCrypt sub-types %s", sub_types)
|
||||
LOG.debug(
|
||||
"Server supports VeNCrypt subtypes: %s",
|
||||
', '.join(
|
||||
'%d (%s)' % (
|
||||
AuthVeNCryptSubtype(t).value, AuthVeNCryptSubtype(t).name,
|
||||
) for t in sub_types
|
||||
))
|
||||
|
||||
# We use X509None as we're only seeking to encrypt the channel (ruling
|
||||
# out PLAIN) and prevent MITM (ruling out TLS*, which uses trivially
|
||||
# MITM'd Anonymous Diffie Hellmann (DH) cyphers)
|
||||
if AuthVeNCryptSubtype.X509NONE not in sub_types:
|
||||
reason = _("Server does not support the x509None (%s) VeNCrypt"
|
||||
" sub-auth type") % \
|
||||
AuthVeNCryptSubtype.X509NONE
|
||||
reason = _(
|
||||
"Server does not support the %d (%s) VeNCrypt auth subtype"
|
||||
) % (
|
||||
AuthVeNCryptSubtype.X509NONE.value,
|
||||
AuthVeNCryptSubtype.X509NONE.name)
|
||||
raise exception.RFBAuthHandshakeFailed(reason=reason)
|
||||
|
||||
LOG.debug("Attempting to use the x509None (%s) auth sub-type",
|
||||
AuthVeNCryptSubtype.X509NONE)
|
||||
LOG.debug(
|
||||
"Attempting to use the %d (%s) VeNCrypt auth subtype",
|
||||
AuthVeNCryptSubtype.X509NONE.value,
|
||||
AuthVeNCryptSubtype.X509NONE.name)
|
||||
|
||||
compute_sock.sendall(struct.pack(
|
||||
'!I', AuthVeNCryptSubtype.X509NONE))
|
||||
@ -119,13 +129,13 @@ class RFBAuthSchemeVeNCrypt(auth.RFBAuthScheme):
|
||||
# acceptance, 0 means failure (unlike the rest of RFB)
|
||||
auth_accepted = ord(recv(1))
|
||||
if auth_accepted == 0:
|
||||
reason = _("Server didn't accept the requested auth sub-type")
|
||||
reason = _(
|
||||
"Server didn't accept the requested VeNCrypt auth subtype")
|
||||
raise exception.RFBAuthHandshakeFailed(reason=reason)
|
||||
|
||||
LOG.debug("Server accepted the requested sub-auth type")
|
||||
LOG.debug("Server accepted the requested VeNCrypt auth subtype")
|
||||
|
||||
if (CONF.vnc.vencrypt_client_key and
|
||||
CONF.vnc.vencrypt_client_cert):
|
||||
if CONF.vnc.vencrypt_client_key and CONF.vnc.vencrypt_client_cert:
|
||||
client_key = CONF.vnc.vencrypt_client_key
|
||||
client_cert = CONF.vnc.vencrypt_client_cert
|
||||
else:
|
||||
@ -145,6 +155,5 @@ class RFBAuthSchemeVeNCrypt(auth.RFBAuthScheme):
|
||||
return wrapped_sock
|
||||
|
||||
except ssl.SSLError as e:
|
||||
reason = _("Error establishing TLS connection to server: %s") % (
|
||||
str(e))
|
||||
raise exception.RFBAuthHandshakeFailed(reason=reason)
|
||||
reason = _("Error establishing TLS connection to server: %s")
|
||||
raise exception.RFBAuthHandshakeFailed(reason=reason % str(e))
|
||||
|
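Review bot: The new debug call in the subtype negotiation builds `AuthVeNCryptSubtype(t)` for every entry of `sub_types`, which is unpacked directly from bytes the compute server sent. A value outside the enum would therefore raise `ValueError` from a logging statement instead of `RFBAuthHandshakeFailed`, and the join is evaluated even when debug logging is disabled. The same pattern is in the RFBSecurityProxy hunks: `auth.AuthType(t)` over `permitted_auth_types`, and `auth.AuthType(client_auth)` in the rejection path, where `client_auth` is a byte chosen by the tenant. Whether the enums cover every value a peer can send is not visible on this page, so I would format through a small helper that falls back to the raw number. The enclosing method starts and ends outside these hunks.

```python
def _describe(enum_cls, value):
    # Peer-supplied values may fall outside the enum; never raise from logging.
    try:
        return '%d (%s)' % (value, enum_cls(value).name)
    except ValueError:
        return '%d (unknown)' % value

# … unchanged: sub_types unpacked from the server reply …
LOG.debug(
    "Server supports VeNCrypt subtypes: %s",
    ', '.join(_describe(AuthVeNCryptSubtype, t) for t in sub_types))
```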
@ -101,25 +101,31 @@ class RFBSecurityProxy(base.SecurityProxy):
|
||||
|
||||
# Negotiate version with compute server
|
||||
compute_version = recv(compute_sock, auth.VERSION_LENGTH)
|
||||
LOG.debug("Got version string '%s' from compute node",
|
||||
compute_version[:-1])
|
||||
LOG.debug(
|
||||
"Got version string '%s' from compute node",
|
||||
compute_version[:-1].decode('utf-8'))
|
||||
|
||||
if self._parse_version(compute_version) != 3.8:
|
||||
reason = _("Security proxying requires RFB protocol "
|
||||
"version 3.8, but server sent %s"), compute_version[:-1]
|
||||
raise exception.SecurityProxyNegotiationFailed(reason=reason)
|
||||
reason = _(
|
||||
"Security proxying requires RFB protocol version 3.8, "
|
||||
"but server sent %s")
|
||||
raise exception.SecurityProxyNegotiationFailed(
|
||||
reason=reason % compute_version[:-1].decode('utf-8'))
|
||||
compute_sock.sendall(compute_version)
|
||||
|
||||
# Negotiate version with tenant
|
||||
tenant_sock.sendall(compute_version)
|
||||
tenant_version = recv(tenant_sock, auth.VERSION_LENGTH)
|
||||
LOG.debug("Got version string '%s' from tenant",
|
||||
tenant_version[:-1])
|
||||
LOG.debug(
|
||||
"Got version string '%s' from tenant",
|
||||
tenant_version[:-1].decode('utf-8'))
|
||||
|
||||
if self._parse_version(tenant_version) != 3.8:
|
||||
reason = _("Security proxying requires RFB protocol version "
|
||||
"3.8, but tenant asked for %s"), tenant_version[:-1]
|
||||
raise exception.SecurityProxyNegotiationFailed(reason=reason)
|
||||
reason = _(
|
||||
"Security proxying requires RFB protocol version 3.8, "
|
||||
"but tenant asked for %s")
|
||||
raise exception.SecurityProxyNegotiationFailed(
|
||||
reason=reason % tenant_version[:-1].decode('utf-8'))
|
||||
|
||||
# Negotiate security with server
|
||||
permitted_auth_types_cnt = recv(compute_sock, 1)[0]
|
||||
@ -142,7 +148,12 @@ class RFBSecurityProxy(base.SecurityProxy):
|
||||
auth_type = ord(auth_type)
|
||||
permitted_auth_types.append(auth_type)
|
||||
|
||||
LOG.debug("The server sent security types %s", permitted_auth_types)
|
||||
LOG.debug(
|
||||
"Server sent security types: %s",
|
||||
", ".join(
|
||||
'%d (%s)' % (auth.AuthType(t).value, auth.AuthType(t).name)
|
||||
for t in permitted_auth_types
|
||||
))
|
||||
|
||||
# Negotiate security with client before we say "ok" to the server
|
||||
# send 1:[None]
|
||||
@ -151,14 +162,21 @@ class RFBSecurityProxy(base.SecurityProxy):
|
||||
client_auth = recv(tenant_sock, 1)[0]
|
||||
|
||||
if client_auth != auth.AuthType.NONE:
|
||||
self._fail(tenant_sock, compute_sock,
|
||||
_("Only the security type None (%d) is supported") %
|
||||
auth.AuthType.NONE)
|
||||
self._fail(
|
||||
tenant_sock, compute_sock,
|
||||
_("Only the security type %d (%s) is supported") % (
|
||||
auth.AuthType.NONE.value, auth.AuthType.NONE.name,
|
||||
))
|
||||
|
||||
reason = _("Client requested a security type other than None "
|
||||
"(%(none_code)d): %(auth_type)s") % {
|
||||
'auth_type': client_auth,
|
||||
'none_code': auth.AuthType.NONE}
|
||||
reason = _(
|
||||
"Client requested a security type other than %d (%s): "
|
||||
"%d (%s)"
|
||||
) % (
|
||||
auth.AuthType.NONE.value,
|
||||
auth.AuthType.NONE.name,
|
||||
auth.AuthType(client_auth).value,
|
||||
auth.AuthType(client_auth).name,
|
||||
)
|
||||
raise exception.SecurityProxyNegotiationFailed(reason=reason)
|
||||
|
||||
try:
|
||||
@ -173,8 +191,10 @@ class RFBSecurityProxy(base.SecurityProxy):
|
||||
|
||||
compute_sock.sendall(bytes((scheme.security_type(),)))
|
||||
|
||||
LOG.debug("Using security type %d with server, None with client",
|
||||
scheme.security_type())
|
||||
LOG.debug(
|
||||
"Using security type %d (%s) with server, %d (%s) with client",
|
||||
scheme.security_type().value, scheme.security_type().name,
|
||||
auth.AuthType.NONE.value, auth.AuthType.NONE.name)
|
||||
|
||||
try:
|
||||
compute_sock = scheme.security_handshake(compute_sock)
|
||||
|
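Review bot: `compute_version[:-1].decode('utf-8')` and `tenant_version[:-1].decode('utf-8')` decode peer-supplied bytes with strict error handling, so a version string containing non-UTF-8 bytes raises `UnicodeDecodeError` rather than `SecurityProxyNegotiationFailed`. The two debug calls sit ahead of the `_parse_version` comparison, so the decode runs on every connection before the version is validated. Using `.decode('utf-8', errors='replace')` keeps both the log line and the failure reason safe for arbitrary input, and formatting the value with `%r` would additionally keep embedded control characters out of the log. How callers treat exception types other than `SecurityProxyNegotiationFailed` is not visible in this section.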
@ -210,10 +210,11 @@ class RFBSecurityProxyTestCase(test.NoDBTestCase):
|
||||
self._expect_tenant_recv(1, "\x02")
|
||||
|
||||
self.expected_manager_calls.append(
|
||||
mock.call.proxy._fail(self.tenant_sock,
|
||||
self.compute_sock,
|
||||
"Only the security type "
|
||||
"None (1) is supported"))
|
||||
mock.call.proxy._fail(
|
||||
self.tenant_sock, self.compute_sock,
|
||||
"Only the security type 1 (NONE) is supported",
|
||||
)
|
||||
)
|
||||
|
||||
self.assertRaises(exception.SecurityProxyNegotiationFailed,
|
||||
self.proxy.connect,
|
||||
|