RDP console was only for HyperV driver so removing the
API. As API url stay same (because same used for other
console types API), RDP console API will return 400.
Cleaning up the related config options as well as moving its
API ref to obsolete seciton.
Keeping RPC method to avoid error when old controller is used
with new compute. It can be removed in next RPC version bump.
Change-Id: I8f5755009da4af0d12bda096d7a8e85fd41e1a8c
Hacking has bumped the version of flake8 that it's using to 5.0 in its
6.0.1 release. This turns up quite a few pep8 errors lurking in our
code. Fix them.
Needed-by: https://review.opendev.org/c/openstack/hacking/+/874516
Change-Id: I3b9c7f9f5de757f818ec358c992ffb0e5f3e310f
Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended
to address OSSA-2021-002 (CVE-2021-3654) however after its
release it was discovered that the fix only worked
for urls with 2 leading slashes or more then 4.
This change adresses the missing edgecase for 3 leading slashes
and also maintian support for rejecting 2+.
Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
co-authored-by: Matteo Pozza
Closes-Bug: #1927677
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:
http://vncproxy.my.domain.com//example.com/%2F..
which if visited, will redirect a user to example.com.
We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.
This code is copied from a patch suggested in one of the issue comments
[2].
Closes-Bug: #1927677
[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
We support Python 3.6 as a minimum now, making these checks no-ops.
Change-Id: I5ca2439c948687022f8d88df978bc7ee77199fcc
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The logs emitted when VeNCrypt is enabled are rather unhelpful and have
some broken formatting:
Got version string 'b'RFB 003.008'' from compute node
Got version string 'b'RFB 003.008'' from tenant
The server sent security types [19]
Using security type 19 with server, None with client
Server sent VeNCrypt version 0.2
Server supports VeNCrypt sub-types (260,)
Attempting to use the x509None (AuthVeNCryptSubtype.X509NONE) auth sub-type
Server accepted the requested sub-auth type
There are a couple of issues here:
- We're not decoding bytestrings resulting in 'b' prefixes
- We're emitting the integer code for type information but not the names
- We're calling 'str' on an enum value which returns the name of the
enum rather than the value
Resolve all of these, resulting in a far more pleasant log:
Got version string 'RFB 003.008' from compute node
Got version string 'RFB 003.008' from tenant
Server sent security types: 19 (VENCRYPT)
Using security type 19 (VENCRYPT) with server, 1 (NONE) with client
Server sent VeNCrypt version 0.2
Server supports VeNCrypt subtypes: 260 (X509NONE)
Attempting to use the 260 (X509NONE) VeNCrypt auth subtype
Server accepted the requested VeNCrypt auth subtype
Change-Id: I3e19e4765afdcb427dea1cd4beada2871239928a
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Replace six.text_type with str.
A subsequent patch will replace other six.text_type.
Change-Id: I23bb9e539d08f5c6202909054c2dd49b6c7a7a0e
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume <takanattie@gmail.com>
Remove six.PY2 and six.PY3.
Subsequent patches will replace other six usages.
Change-Id: Iccce0ab50eee515e533ab36c8e7adc10cb3f7019
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume <takanattie@gmail.com>
The console proxies (VNC, SPICE, etc) currently don't allow the
allowed TLS ciphers and protocol versions to be configurable. This
results in the defaults being used from the underlying system,
which may not be secure enough for many deployments. This patch
allows for the ciphers and minimum SSL/TLS protocol version for
each console proxy to be configured in nova's config.
We utilize websockify underneath our console proxies, which added
support for allowed ciphers and the SSL/TLS version to be
configurable as of version 0.9.0. This change updates the lower
constraint for this dependency.
Closes-Bug: #1842149
Related-Bug: #1771773
Change-Id: I23ac1cc79482d0fabb359486a4b934463854cae5
Change I05dd6edba00264f22d868b4318ad7a4fb621c996 removed the need to
have this base class, which was first introduced in change
I7858dbb49bee8de3fe725beb6793eac3ecba71b6.
Change-Id: I851c5ead8721b2819b15c47bc1734883fa849732
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This includes a couple of fixes and removes the need for custom
workarounds, like the removal of the 'address_string' helper at [1].
[1] https://github.com/novnc/websockify/commit/be9823bf
Change-Id: I9b1d57fd513386e552afbbc8a59cf3a4c54b6908
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This legacy service is no longer used and was deprecated during the
Stein cycle [1]. It's time to say adios and remove them in their
entirety. This is pretty straightforward, with the sole exception of
schema for the 'remote-consoles' API, which has to continue supporting
requests for type 'xvpvnc' even if we can't fulfil those requests now.
[1] https://review.opendev.org/#/c/610076/
Part of blueprint remove-xvpvncproxy
Depends-On: https://review.opendev.org/695853
Change-Id: I2f7f2379d0cd54e4d0a91008ddb44858cfc5a4cf
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Hide the novncproxy token from the logs.
When backported this patch needs to be extended to handle the same issue
in the consoleauth service.
Co-Authored-By:paul-carlton2 <paul.carlton2@hp.com>
Co-Authored-By:Tristan Cacqueray <tdecacqu@redhat.com>
Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de
Closes-Bug: #1492140
This legacy service was only compatible with the XenServer driver and
has effectively been replaced by the noVNC console proxy service. Remove
the service. The API that provided remote access to this service,
'os-consoles', was removed in a previous change. Note that
'os-remote-consoles' is unrelated and therefore is not removed, though
it will now reject requests for XVP VNC consoles.
This was previously discussed and agreed on openstack-dev [1] and
openstack-discuss [1].
Part of blueprint remove-xvpvncproxy
[1] http://lists.openstack.org/pipermail/openstack-dev/2018-October/135413.html
[2] http://lists.openstack.org/pipermail/openstack-discuss/2019-April/005369.html
Change-Id: Ib1ff32f04b16af7981471f67c8e0bf04e6ecb6be
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
In websockify v0.9.0, the 'socket' staticmethod moved from the
websockfiy.websocket.WebSocketServer class to the
websockify.websockifyserver.WebSockifyServer class [1][2], so our
import of the top-level module is no longer sufficient for accessing
the 'socket' method [3] when using v0.9.0:
AttributeError: module 'websockify' has no attribute 'WebSocketServer'
This adds a try_import from the v0.9.0 location and uses
WebSockifyServer.socket if the module is present. Otherwise, it
will fall back on the old location. This way, we are able to run with
websockify v0.9.0 and earlier versions with the same code.
Partial-Bug: #1840788
[1] 8a69762249
[2] e47591f4aa
[3] https://github.com/novnc/websockify/blob/v0.9.0/websockify/__init__.py
Change-Id: I4a50e2f772101315140df43910be2e3f69a63b73
Obliterate all references to the aforementioned service. This mostly
consists of removing the core service and any references to the now
removed '[workarounds] enable_consoleauth' configuration option.
Part of blueprint remove-consoleauth
Change-Id: I0498599fd636aa9e30df932f0d893db5efa23260
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Depends-On: Icfc175c49a1fc650d1c9ad06b77209a70c6386db
There were a lot of workarounds here to ensure we didn't switch to the
new model (vs. the old 'nova-consoleauth' service) if users were on
cells v1. These can go now, along with the old 'nova-consoleauth'
service (though that's a later, separate change).
Part of blueprint remove-cells-v1
Change-Id: I1b8f411b050d34e4e77e9a4f1e613135eb5f74b7
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
This is only used in three places now, each of which can be removed.
Part of blueprint remove-consoleauth
Change-Id: I89df8f8fa111b730ddd0aa73ae09a8cd5d152dad
Signed-off-by: Stephen Finucane <sfinucan@redhat.com>
Currently, we create a compute.rpcapi.ComputeAPI object during
NovaProxyRequestHandler.__init__ in order to make calls to nova-compute
for console token authorizations (port validation). This is problematic
in the event that we receive a TCP RST as it results in constructing a
ComputeAPI object only to throw it away and a large number of TCP RST
sent can cause excessive resource consumption.
This moves the creation of the ComputeAPI object from __init__ to being
lazily instantiated upon first use by access of a property, thus
avoiding creation of ComputeAPI objects when we receive TCP RST
messages.
Closes-Bug: #1816727
Change-Id: I3fe5540ea460fb32767b5e681295fdaf89ce17c5
When using a haproxy with SSL termination to provide secure console
connections, haproxy will change the Origin header scheme to 'http'
and add the 'X-Forwarded-Proto: https' header. This causes a failure
in the Nova console proxy code which verifies that the Origin header
scheme matches the access_url scheme for the connection, because the
Origin header coming from haproxy is 'http' while the access_url
scheme is 'https' or 'wss'.
This looks for the X-Forwarded-Proto header and uses its scheme for
the verification instead, if it is present.
Closes-Bug: #1788180
Change-Id: I43401dc8368853654bf443273a0a1b5b9b63e3f0
In Rocky, we deprecated the nova-consoleauth service but there were
unconditional calls to nova-consoleauth in the compute/api, which
made it impossible to avoid running the nova-consoleauth service.
This adds conditional checks to call nova-consoleauth only if the
[workarounds]enable_consoleauth configuration option is True. The
option defaults to False because the default console token auth TTL
is 10 minutes and only operators who have configured much longer TTL
or otherwise wish to avoid resetting all consoles at upgrade time
need to use the option.
This also updates the /os-console-auth-tokens/{console_token} API to
use nova-consoleauth only if the [workarounds] option is enabled. This
had to be done in the same change because the conditional checks in
the compute/api code caused the /os-console-auth-tokens API functional
tests to fail to find token authorizations in nova-consoleauth.
Closes-Bug: #1788470
Closes-Bug: #1795982
Change-Id: Iff6020f1a10afc476864f979faf251ef5a1a6184
nova/db/__init__.py was importing * from nova.db.api. This meant that
any time any code anywhere within the nova.db package was imported
then nova.db.api was too, leading to a cascade of imports that may
not have been desired. Also, in general, code in __init__.py is a pain.
Therefore, this change adjusts code that so that either:
* nova.db.api is used directly
* nova.db.api is imported as 'db'
In either case, the functionality remains the same.
The primary goal of this change was to make it possible to import the
model files without having to import the db api. Moving the model files
to a different place in the directory hierarchy was considered, but
given that "code in __init__.py is a pain" this mode was chosen.
This looks like a very large change, but it is essentially adjusting
package names, many in mocks.
Change-Id: Ic1fd7c87ceda05eeb96735da2a415ef37060bb1a
Now we can use the ConsoleAuthToken object to do token
validation. This change converts websocketproxy to use
the ConsoleAuthToken object for token validation.
Tha ConsoleAuthToken object is prepared to work with cells
v2. We use consoleauth if using cells v1.
A new config option: [workarounds]/enable_consoleauth has been
added to aid in transitioning to the database backend if
resetting already existing consoles would be problematic for an
operator.
Co-Authored-By: melanie witt <melwittt@gmail.com>
partially-implements: blueprint convert-consoles-to-objects
Depends-On: I67894a31b887a93de26f3d2d8a1fa84be5b9ea89
Change-Id: If1b6e5f20d2ea82d94f5f0550f13189fc9bc16c4
There are a bunch of files that define CONF but don't ever reference
it. This cleans that up, removing unnecessary imports.
In order to get flake8 to pass I also had to remove some (unrelated)
unused imports from touched files.
Change-Id: Ib96ebeeb5e4bfedb20afb02c56da1521df9fac4f
Instead of doing straight passthrough of the RFB protocol from the
tenant sock to the compute socket, insert an RFB security proxy. This
will MITM the initial RFB protocol handshake in order to negotiate an
authentication scheme with the compute node that is distinct from that
used by the tenant.
Based on earlier work by Solly Ross <sross@redhat.com>
Change-Id: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2
Co-authored-by: Stephen Finucane <sfinucan@redhat.com>
Implements: bp websocket-proxy-to-host-security
Provide an implementation for the VeNCrypt RFB authentication
scheme, which uses TLS and x509 certificates to provide both
encryption and mutual authentication / authorization.
Based on earlier work by Solly Ross <sross@redhat.com>
Change-Id: I6a63d2535e86faf369ed1c0eeba6cb5a52252b80
Co-authored-by: Stephen Finucane <sfinucan@redhat.com>
Implements: bp websocket-proxy-to-host-security
Introduce a framework for providing RFB authentication scheme
implementations. This will be later used by the websocket RFB security
proxy code.
Change-Id: I98403ca922b83a460a4e7baa12bd5f596a79c940
Co-authored-by: Stephen Finucane <sfinucan@redhat.com>
Implements: bp websocket-proxy-to-host-security
Sockets expect byte strings. The default string type in Python 3 is
unicode, meaning calls to socket functions with unencoded strings will
fail. Fix two paths where we were potentially sending unicode, thus
resolving this issue. One of these paths is tested here. The other in
currently unexercised code and will be tested in a future change.
Change-Id: If8fb291ae672a01af4bde96d55b487c450fb2564
Implements: bp websocket-proxy-to-host-security
Introduce a framework to the websocketproxy to allow a security
negotiation to take place between the proxy and the target service,
prior to connecting the client tenant to the target service.
Based on earlier work by Solly Ross <sross@redhat.com>
Change-Id: Ifb9360be73864ab45129c758bd1323a9bab8e48c
Co-authored-by: Stephen Finucane <sfinucan@redhat.com>
Implements: bp websocket-proxy-to-host-security
The i18n team has decided not to translate the logs because it
seems like it not very useful; operators prefer to have them in
English so that they can search for those strings on the internet.
Partially fix on nova/conductor, nova/console, nova/consoleauth,
nova/db and nova/image other paths will be fixed on next commits
Change-Id: I132f60cb4743f85c96ec5231d6f860cfb0815758
All RPC topic opts were deprecated in Ocata.
This patch removes all *_topic opts from the code.
Change-Id: I41a6be48380999c49d6db3ee5221174a41014002
Implements: blueprint centralize-config-options-pike
When Bandit scans nova/console/xvp.py and nova/virt/netutils.py, the
high severity issue ("B701:jinja2_autoescape_false") are triggered. By
adding #nosec to above code, this alarm will be surpressed.
"When autoescaping is enabled, Jinja2 will filter input strings to
escape any HTML content submitted via template variables. Without
escaping HTML input the application becomes vulnerable to Cross Site
Scripting (XSS) attacks."[1] However, the "injected_network_template" is
a template with text format and different rules, and is not intended to
be executable. Hence, the security concern is not applicable here.
[1] https://docs.openstack.org/developer/bandit/plugins/jinja2_autoescape_false.html
Closes-Bug: #1701712
Change-Id: Ie819d90492af1e5c3b3d64403495d7355dc2cd91
The first RFP negotiation message potentially arrived
earlier, in which case the message will be swallowed
by the recv() which receive response for the http
request. This commit is to ensure only the response
is removed from the socket buffer, so it won't impact
the following RFP negotiation.
Change-Id: I100e140acbc2d981f7b98e12b3e9ae02844f41fd
Closes-Bug: #1695844
The getheader() function isn't available in python3 [1]. Instead one can
simply use get() similar to what is done in the websockify module that
this code is using.
[1] https://bugs.python.org/issue4773
Change-Id: I349742d80e0abeb7866eeeb647ce18948eff81f8
Partial-Bug: 1663593
Amit Uniyal