a7c054c551
The first RFP negotiation message potentially arrived earlier, in which case the message will be swallowed by the recv() which receive response for the http request. This commit is to ensure only the response is removed from the socket buffer, so it won't impact the following RFP negotiation. Change-Id: I100e140acbc2d981f7b98e12b3e9ae02844f41fd Closes-Bug: #1695844
187 lines
7.4 KiB
Python
187 lines
7.4 KiB
Python
# Copyright (c) 2012 OpenStack Foundation
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
'''
|
|
Websocket proxy that is compatible with OpenStack Nova.
|
|
Leverages websockify.py by Joel Martin
|
|
'''
|
|
|
|
import socket
|
|
import sys
|
|
|
|
from oslo_log import log as logging
|
|
from six.moves import http_cookies as Cookie
|
|
import six.moves.urllib.parse as urlparse
|
|
import websockify
|
|
|
|
import nova.conf
|
|
from nova.consoleauth import rpcapi as consoleauth_rpcapi
|
|
from nova import context
|
|
from nova import exception
|
|
from nova.i18n import _
|
|
from nova.i18n import _LW
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
CONF = nova.conf.CONF
|
|
|
|
|
|
class NovaProxyRequestHandlerBase(object):
|
|
def address_string(self):
|
|
# NOTE(rpodolyaka): override the superclass implementation here and
|
|
# explicitly disable the reverse DNS lookup, which might fail on some
|
|
# deployments due to DNS configuration and break VNC access completely
|
|
return str(self.client_address[0])
|
|
|
|
def verify_origin_proto(self, connection_info, origin_proto):
|
|
access_url = connection_info.get('access_url')
|
|
if not access_url:
|
|
detail = _("No access_url in connection_info. "
|
|
"Cannot validate protocol")
|
|
raise exception.ValidationError(detail=detail)
|
|
expected_protos = [urlparse.urlparse(access_url).scheme]
|
|
# NOTE: For serial consoles the expected protocol could be ws or
|
|
# wss which correspond to http and https respectively in terms of
|
|
# security.
|
|
if 'ws' in expected_protos:
|
|
expected_protos.append('http')
|
|
if 'wss' in expected_protos:
|
|
expected_protos.append('https')
|
|
|
|
return origin_proto in expected_protos
|
|
|
|
def new_websocket_client(self):
|
|
"""Called after a new WebSocket connection has been established."""
|
|
# Reopen the eventlet hub to make sure we don't share an epoll
|
|
# fd with parent and/or siblings, which would be bad
|
|
from eventlet import hubs
|
|
hubs.use_hub()
|
|
|
|
# The nova expected behavior is to have token
|
|
# passed to the method GET of the request
|
|
parse = urlparse.urlparse(self.path)
|
|
if parse.scheme not in ('http', 'https'):
|
|
# From a bug in urlparse in Python < 2.7.4 we cannot support
|
|
# special schemes (cf: http://bugs.python.org/issue9374)
|
|
if sys.version_info < (2, 7, 4):
|
|
raise exception.NovaException(
|
|
_("We do not support scheme '%s' under Python < 2.7.4, "
|
|
"please use http or https") % parse.scheme)
|
|
|
|
query = parse.query
|
|
token = urlparse.parse_qs(query).get("token", [""]).pop()
|
|
if not token:
|
|
# NoVNC uses it's own convention that forward token
|
|
# from the request to a cookie header, we should check
|
|
# also for this behavior
|
|
hcookie = self.headers.get('cookie')
|
|
if hcookie:
|
|
cookie = Cookie.SimpleCookie()
|
|
for hcookie_part in hcookie.split(';'):
|
|
hcookie_part = hcookie_part.lstrip()
|
|
try:
|
|
cookie.load(hcookie_part)
|
|
except Cookie.CookieError:
|
|
# NOTE(stgleb): Do not print out cookie content
|
|
# for security reasons.
|
|
LOG.warning(_LW('Found malformed cookie'))
|
|
else:
|
|
if 'token' in cookie:
|
|
token = cookie['token'].value
|
|
|
|
ctxt = context.get_admin_context()
|
|
rpcapi = consoleauth_rpcapi.ConsoleAuthAPI()
|
|
connect_info = rpcapi.check_token(ctxt, token=token)
|
|
|
|
if not connect_info:
|
|
raise exception.InvalidToken(token=token)
|
|
|
|
# Verify Origin
|
|
expected_origin_hostname = self.headers.get('Host')
|
|
if ':' in expected_origin_hostname:
|
|
e = expected_origin_hostname
|
|
if '[' in e and ']' in e:
|
|
expected_origin_hostname = e.split(']')[0][1:]
|
|
else:
|
|
expected_origin_hostname = e.split(':')[0]
|
|
expected_origin_hostnames = CONF.console.allowed_origins
|
|
expected_origin_hostnames.append(expected_origin_hostname)
|
|
origin_url = self.headers.get('Origin')
|
|
# missing origin header indicates non-browser client which is OK
|
|
if origin_url is not None:
|
|
origin = urlparse.urlparse(origin_url)
|
|
origin_hostname = origin.hostname
|
|
origin_scheme = origin.scheme
|
|
if origin_hostname == '' or origin_scheme == '':
|
|
detail = _("Origin header not valid.")
|
|
raise exception.ValidationError(detail=detail)
|
|
if origin_hostname not in expected_origin_hostnames:
|
|
detail = _("Origin header does not match this host.")
|
|
raise exception.ValidationError(detail=detail)
|
|
if not self.verify_origin_proto(connect_info, origin_scheme):
|
|
detail = _("Origin header protocol does not match this host.")
|
|
raise exception.ValidationError(detail=detail)
|
|
|
|
self.msg(_('connect info: %s'), str(connect_info))
|
|
host = connect_info['host']
|
|
port = int(connect_info['port'])
|
|
|
|
# Connect to the target
|
|
self.msg(_("connecting to: %(host)s:%(port)s") % {'host': host,
|
|
'port': port})
|
|
tsock = self.socket(host, port, connect=True)
|
|
|
|
# Handshake as necessary
|
|
if connect_info.get('internal_access_path'):
|
|
tsock.send("CONNECT %s HTTP/1.1\r\n\r\n" %
|
|
connect_info['internal_access_path'])
|
|
end_token = "\r\n\r\n"
|
|
while True:
|
|
data = tsock.recv(4096, socket.MSG_PEEK)
|
|
token_loc = data.find(end_token)
|
|
if token_loc != -1:
|
|
if data.split("\r\n")[0].find("200") == -1:
|
|
raise exception.InvalidConnectionInfo()
|
|
# remove the response from recv buffer
|
|
tsock.recv(token_loc + len(end_token))
|
|
break
|
|
|
|
# Start proxying
|
|
try:
|
|
self.do_proxy(tsock)
|
|
except Exception:
|
|
if tsock:
|
|
tsock.shutdown(socket.SHUT_RDWR)
|
|
tsock.close()
|
|
self.vmsg(_("%(host)s:%(port)s: "
|
|
"Websocket client or target closed") %
|
|
{'host': host, 'port': port})
|
|
raise
|
|
|
|
|
|
class NovaProxyRequestHandler(NovaProxyRequestHandlerBase,
|
|
websockify.ProxyRequestHandler):
|
|
def __init__(self, *args, **kwargs):
|
|
websockify.ProxyRequestHandler.__init__(self, *args, **kwargs)
|
|
|
|
def socket(self, *args, **kwargs):
|
|
return websockify.WebSocketServer.socket(*args, **kwargs)
|
|
|
|
|
|
class NovaWebSocketProxy(websockify.WebSocketProxy):
|
|
@staticmethod
|
|
def get_logger():
|
|
return LOG
|