From 48e81f1554ce41c3d4f7445421d19f4a8128e98d Mon Sep 17 00:00:00 2001
From: Rafi Khardalian
Date: Thu, 7 Mar 2013 00:19:08 +0000
Subject: [PATCH] Fixed broken vncproxy flush tokens patch Bug 1125378 (continued) This review (https://review.openstack.org/22872) attempted to resolve a critical security issue but ended up completely breaking the vncproxy. The wrong dict keys were being used for Essex and the API calls were incomplete. This patch makes the proxy work again.
Change-Id: I093d522abd5be20d2792c83792437b1ef580d4c6
---
 nova/compute/api.py | 8 +++++---
 nova/consoleauth/manager.py | 9 +++++----
 nova/tests/test_compute.py | 8 +++++---
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/nova/compute/api.py b/nova/compute/api.py
index a317c447fb7..8309fbbb2e4 100644
--- a/nova/compute/api.py
+++ b/nova/compute/api.py
@@ -1561,12 +1561,14 @@ def get_vnc_console(self, context, instance, console_type):
 return {'url': connect_info['access_url']}
 @wrap_check_policy
- def validate_vnc_console(self, context, instance_id, host, port):
+ def validate_vnc_console(self, context, instance_id, host, port,
+ console_type):
 """Validate VNC Console for an instance."""
 instance = self.get(context, instance_id)
 output = self._call_compute_message('get_vnc_console',
- context,
- instance)
+ context,
+ instance,
+ params={"console_type": console_type})
 return (port == output['port'] and host == output['host'])
 @wrap_check_policy
diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
index 5690ef32717..507bdc5491d 100644
--- a/nova/consoleauth/manager.py
+++ b/nova/consoleauth/manager.py
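Review bot: In nova/compute/api.py, the last line of validate_vnc_console compares `port` and `host` with the compute reply using plain `==`, which is type-sensitive; the tests in this patch pass the port as the string `'5900'`, and the hunk does not show what type the driver returns or what the stored token holds. A mismatch fails closed, but it would reject every console token with no log entry, so consider normalising the comparison, e.g. `return (str(port) == str(output['port']) and host == output['host'])`. The one-line docstring should also say that `console_type` selects which console the compute host reports and that the method returns a bool. `console_type` is added as a required positional argument, so any caller not updated in this patch would raise TypeError.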
@@ -84,14 +84,15 @@ def authorize_console(self, context, token, console_type, host, port,
 LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals())
- def _validate_console(self, token):
+ def _validate_console(self, context, token):
 console_valid = False
 token_dict = self.tokens[token]
 try:
 console_valid = self.compute_api.validate_vnc_console(context,
- token_dict['instance_uuid'],
+ token_dict['instance_id'],
 token_dict['host'],
- token_dict['port'])
+ token_dict['port'],
+ token_dict['console_type'])
 except exception.InstanceNotFound:
 pass
 return console_valid
@@ -99,7 +100,7 @@ def _validate_console(self, token):
 def check_token(self, context, token):
 token_valid = token in self.tokens
 LOG.audit(_("Checking Token: %(token)s, %(token_valid)s)"), locals())
- if token_valid and self._validate_console(token):
+ if token_valid and self._validate_console(context, token):
 return self.tokens[token]
 def delete_tokens_for_instance(self, context, instance_id):
diff --git a/nova/tests/test_compute.py b/nova/tests/test_compute.py
index 7bd6fcd3a1c..bff08a40d07 100644
--- a/nova/tests/test_compute.py
+++ b/nova/tests/test_compute.py
@@ -767,7 +767,8 @@ def fake(*args, **kwargs):
 console_valid = self.compute_api.validate_vnc_console(self.context,
 instance['uuid'],
 'myhost',
- '5900')
+ '5900',
+ 'novnc')
 self.assertTrue(console_valid)
 self.compute.terminate_instance(self.context, instance['uuid'])
@@ -783,7 +784,8 @@ def fake(*args, **kwargs):
 console_valid = self.compute_api.validate_vnc_console(self.context,
 instance['uuid'],
 'myhost',
- '5900')
+ '5900',
+ 'novnc')
 self.assertFalse(console_valid)
 self.compute.terminate_instance(self.context, instance['uuid'])
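Review bot: In nova/consoleauth/manager.py, the context line `LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals())` at the top of the first hunk writes the full console token to the audit log, and the `Checking Token: %(token)s` line in check_token (the next hunk) does the same on every check. The token is the value check_token accepts before returning the stored connection details, so anyone who can read these logs can present it for as long as it stays in `self.tokens`. Neither line is changed by this commit, but as the patch is a follow-up to a security fix for token handling, it is worth logging a non-reversible reference such as a short digest of the token instead, and reviewing whether `%(token_dict)s` repeats it. authorize_console's body starts outside the hunk.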
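Review bot: In the check_token hunk of nova/consoleauth/manager.py, the changed `if` line now relies on `_validate_console(context, token)`, which catches only `exception.InstanceNotFound`. A `KeyError` from a token dict that lacks `instance_id` or `console_type`, or any other error from the compute call, therefore propagates out of check_token instead of producing a clean rejection. Whether authorize_console stores both keys is not visible in these hunks, and the commit message says wrong keys caused the earlier breakage. That still fails closed, but it would be clearer to treat a malformed entry as invalid and record it, e.g. `except (exception.InstanceNotFound, KeyError):` followed by a log call rather than `pass`. check_token also has no docstring; one line stating that it returns the stored token dict or None would help callers.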
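Review bot: None of the three nova/tests/test_compute.py hunks (this one at -767, and those at -783 and -793) exercises the consoleauth manager's check_token or `_validate_console`; they only add `'novnc'` to direct calls of compute_api.validate_vnc_console. The path the commit message describes as broken is therefore still untested, and the removed `_validate_console(self, token)` apparently used `context` without defining it, which a manager-level test would have caught. Suggest adding a consoleauth test that authorizes a token, stubs compute_api.validate_vnc_console, and asserts that check_token returns the token dict when the stub returns True and None when it returns False or raises InstanceNotFound.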
@@ -793,7 +795,7 @@ def test_validate_vnc_console_deleted_instance(self):
 self.compute.run_instance(self.context, instance['uuid'])
 self.assertRaises(exception.InstanceNotFound,
 self.compute_api.validate_vnc_console,
- self.context, 5555, 'myhost', '5900')
+ self.context, 5555, 'myhost', '5900', 'novnc')
 self.compute.terminate_instance(self.context, instance['uuid'])
 def test_xvpvnc_vnc_console(self):