static void
add_page_to_environment (JsonObject *object)
{
static gint page_login_to = -1;
JsonObject *page;
const gchar *value;
page = json_object_new ();
value = cockpit_conf_string ("WebService", "LoginTitle");
if (value)
json_object_set_string_member (page, "title", value);
if (page_login_to < 0)
{
page_login_to = cockpit_conf_bool ("WebService", "LoginTo",
g_file_test (cockpit_ws_ssh_program,
G_FILE_TEST_IS_EXECUTABLE));
}
json_object_set_boolean_member (page, "connect", page_login_to);
json_object_set_object_member (object, "page", page);
}
int
main (int argc,
char *argv[])
{
gint ret = 1;
CockpitWebServer *server = NULL;
GOptionContext *context;
CockpitHandlerData data;
GTlsCertificate *certificate = NULL;
GError *local_error = NULL;
GError **error = &local_error;
gchar **roots = NULL;
gchar *cert_path = NULL;
GMainLoop *loop = NULL;
gchar *login_html = NULL;
gchar *login_po_html = NULL;
CockpitPipe *pipe = NULL;
int outfd = -1;
signal (SIGPIPE, SIG_IGN);
g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
g_setenv ("GIO_USE_PROXY_RESOLVER", "dummy", TRUE);
g_setenv ("GIO_USE_VFS", "local", TRUE);
/* Any interaction with a krb5 ccache should be explicit */
g_setenv ("KRB5CCNAME", "FILE:/dev/null", TRUE);
g_setenv ("G_TLS_GNUTLS_PRIORITY", "SECURE128:%LATEST_RECORD_VERSION:-VERS-SSL3.0:-VERS-TLS1.0", FALSE);
memset (&data, 0, sizeof (data));
context = g_option_context_new (NULL);
g_option_context_add_main_entries (context, cmd_entries, NULL);
if (!g_option_context_parse (context, &argc, &argv, error))
{
goto out;
}
if (opt_version)
{
print_version ();
ret = 0;
goto out;
}
/*
* This process talks on stdin/stdout. However lots of stuff wants to write
* to stdout, such as g_debug, and uses fd 1 to do that. Reroute fd 1 so that
* it goes to stderr, and use another fd for stdout.
*/
outfd = dup (1);
if (outfd < 0 || dup2 (2, 1) < 1)
{
g_printerr ("ws couldn't redirect stdout to stderr");
if (outfd > -1)
close (outfd);
goto out;
}
cockpit_set_journal_logging (NULL, !isatty (2));
if (opt_local_session || opt_no_tls)
{
/* no certificate */
}
else
{
cert_path = cockpit_certificate_locate (FALSE, error);
if (cert_path != NULL)
certificate = cockpit_certificate_load (cert_path, error);
if (certificate == NULL)
goto out;
g_info ("Using certificate: %s", cert_path);
}
loop = g_main_loop_new (NULL, FALSE);
data.os_release = cockpit_system_load_os_release ();
data.auth = cockpit_auth_new (opt_local_ssh);
roots = setup_static_roots (data.os_release);
data.branding_roots = (const gchar **)roots;
login_html = g_strdup (DATADIR "/cockpit/static/login.html");
data.login_html = (const gchar *)login_html;
login_po_html = g_strdup (DATADIR "/cockpit/static/login.po.html");
data.login_po_html = (const gchar *)login_po_html;
server = cockpit_web_server_new (opt_address,
opt_port,
certificate,
NULL,
error);
if (server == NULL)
{
g_prefix_error (error, "Error starting web server: ");
goto out;
}
cockpit_web_server_set_redirect_tls (server, !cockpit_conf_bool ("WebService", "AllowUnencrypted", FALSE));
if (cockpit_conf_string ("WebService", "UrlRoot"))
{
g_object_set (server, "url-root",
cockpit_conf_string ("WebService", "UrlRoot"),
NULL);
}
if (cockpit_web_server_get_socket_activated (server))
g_signal_connect_swapped (data.auth, "idling", G_CALLBACK (g_main_loop_quit), loop);
/* Ignores stuff it shouldn't handle */
g_signal_connect (server, "handle-stream",
G_CALLBACK (cockpit_handler_socket), &data);
/* External channels, ignore stuff they shouldn't handle */
g_signal_connect (server, "handle-stream",
G_CALLBACK (cockpit_handler_external), &data);
/* Don't redirect to TLS for /ping */
g_object_set (server, "ssl-exception-prefix", "/ping", NULL);
g_signal_connect (server, "handle-resource::/ping",
G_CALLBACK (cockpit_handler_ping), &data);
/* Files that cannot be cache-forever, because of well known names */
g_signal_connect (server, "handle-resource::/favicon.ico",
G_CALLBACK (cockpit_handler_root), &data);
g_signal_connect (server, "handle-resource::/apple-touch-icon.png",
G_CALLBACK (cockpit_handler_root), &data);
/* The fallback handler for everything else */
g_signal_connect (server, "handle-resource",
G_CALLBACK (cockpit_handler_default), &data);
if (opt_local_session)
{
struct passwd *pwd;
if (g_str_equal (opt_local_session, "-"))
{
pipe = cockpit_pipe_new (opt_local_session, 0, outfd);
outfd = -1;
}
else
{
const gchar *args[] = { opt_local_session, NULL };
pipe = cockpit_pipe_spawn (args, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
}
/* Spawn a local session as a bridge */
pwd = getpwuid (geteuid ());
if (!pwd)
{
g_printerr ("Failed to resolve current user id %u\n", geteuid ());
goto out;
}
cockpit_auth_local_async (data.auth, pwd->pw_name, pipe, on_local_ready, g_object_ref (server));
g_object_unref (pipe);
}
else
{
/* When no local bridge, start serving immediately */
cockpit_web_server_start (server);
}
/* Debugging issues during testing */
#if WITH_DEBUG
signal (SIGABRT, cockpit_test_signal_backtrace);
signal (SIGSEGV, cockpit_test_signal_backtrace);
#endif
g_main_loop_run (loop);
ret = 0;
out:
if (outfd >= 0)
close (outfd);
if (loop)
g_main_loop_unref (loop);
if (local_error)
{
g_printerr ("cockpit-ws: %s\n", local_error->message);
g_error_free (local_error);
}
g_clear_object (&server);
g_clear_object (&data.auth);
if (data.os_release)
g_hash_table_unref (data.os_release);
g_clear_object (&certificate);
g_free (cert_path);
g_strfreev (roots);
g_free (login_po_html);
g_free (login_html);
g_free (opt_address);
g_free (opt_local_session);
cockpit_conf_cleanup ();
return ret;
}
static void
cockpit_auth_remote_login_async (CockpitAuth *self,
const gchar *application,
const gchar *type,
GHashTable *headers,
const gchar *remote_peer,
GAsyncReadyCallback callback,
gpointer user_data)
{
GSimpleAsyncResult *task;
AuthData *ad = NULL;
GBytes *input = NULL;
GBytes *auth_bytes = NULL;
gchar *user = NULL;
gchar *password = NULL; /* owned by input */
const gchar *data = NULL;
const gchar *command;
const gchar *host;
const gchar *host_arg;
gint next_arg = 1;
const gchar *argv[] = {
cockpit_ws_ssh_program,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
};
task = g_simple_async_result_new (G_OBJECT (self), callback, user_data,
cockpit_auth_remote_login_async);
if (g_strcmp0 (type, "basic") == 0)
{
input = cockpit_auth_parse_authorization (headers, TRUE);
data = g_bytes_get_data (input, NULL);
password = strchr (data, ':');
if (password != NULL)
{
user = g_strndup (data, password - data);
password++;
auth_bytes = g_bytes_new_static (password, strlen(password));
}
}
else
{
input = cockpit_auth_parse_authorization (headers, FALSE);
if (input)
auth_bytes = g_bytes_ref (input);
}
if (application && auth_bytes && input)
{
command = type_option (SSH_SECTION, "command", cockpit_ws_ssh_program);
argv[0] = command;
host = application_parse_host (application);
if (host)
{
host_arg = host;
if (g_strcmp0 (remote_peer, "127.0.0.1") == 0 ||
g_strcmp0 (remote_peer, "::1") == 0 ||
cockpit_conf_bool (SSH_SECTION, "allowUnknown", FALSE))
{
argv[next_arg++] = "--prompt-unknown-hostkey";
}
}
else
{
argv[next_arg++] = "--ignore-hostkey";
if (cockpit_conf_string (SSH_SECTION, "host"))
host_arg = cockpit_conf_string (SSH_SECTION, "host");
else
host_arg = "localhost";
}
argv[next_arg++] = host_arg;
argv[next_arg++] = user;
ad = create_auth_data (self, host_arg, application,
SSH_SECTION, remote_peer, command, input);
start_auth_process (self, ad, auth_bytes, task,
cockpit_auth_remote_login_async, argv);
}
else
{
g_simple_async_result_set_error (task, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED,
"Basic authentication required");
g_simple_async_result_complete_in_idle (task);
}
if (auth_bytes)
g_bytes_unref (auth_bytes);
if (input)
g_bytes_unref (input);
if (ad)
auth_data_unref (ad);
if (user)
g_free (user);
g_object_unref (task);
}
int
main (int argc,
char *argv[])
{
gint ret = 1;
CockpitWebServer *server = NULL;
GOptionContext *context;
CockpitHandlerData data;
GTlsCertificate *certificate = NULL;
GError *local_error = NULL;
GError **error = &local_error;
gchar **roots = NULL;
gchar *cert_path = NULL;
GMainLoop *loop = NULL;
signal (SIGPIPE, SIG_IGN);
g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
g_setenv ("GIO_USE_PROXY_RESOLVER", "dummy", TRUE);
g_setenv ("GIO_USE_VFS", "local", TRUE);
/* Any interaction with a krb5 ccache should be explicit */
g_setenv ("KRB5CCNAME", "FILE:/dev/null", TRUE);
g_setenv ("G_TLS_GNUTLS_PRIORITY", "SECURE128:%LATEST_RECORD_VERSION:-VERS-SSL3.0:-VERS-TLS1.0", FALSE);
g_type_init ();
ssh_threads_set_callbacks (ssh_threads_get_pthread());
ssh_init ();
memset (&data, 0, sizeof (data));
context = g_option_context_new (NULL);
g_option_context_add_main_entries (context, cmd_entries, NULL);
if (!g_option_context_parse (context, &argc, &argv, error))
{
goto out;
}
if (opt_version)
{
print_version ();
ret = 0;
goto out;
}
cockpit_set_journal_logging (NULL, !isatty (2));
if (opt_no_tls)
{
/* no certificate */
}
else
{
cert_path = cockpit_certificate_locate (FALSE, error);
if (cert_path != NULL)
certificate = cockpit_certificate_load (cert_path, error);
if (certificate == NULL)
goto out;
g_info ("Using certificate: %s", cert_path);
}
loop = g_main_loop_new (NULL, FALSE);
data.os_release = cockpit_system_load_os_release ();
data.auth = cockpit_auth_new (opt_local_ssh);
roots = calculate_static_roots (data.os_release);
data.static_roots = (const gchar **)roots;
server = cockpit_web_server_new (opt_port,
certificate,
NULL,
NULL,
error);
if (server == NULL)
{
g_prefix_error (error, "Error starting web server: ");
goto out;
}
cockpit_web_server_set_redirect_tls (server, !cockpit_conf_bool ("WebService", "AllowUnencrypted", FALSE));
if (cockpit_web_server_get_socket_activated (server))
g_signal_connect_swapped (data.auth, "idling", G_CALLBACK (g_main_loop_quit), loop);
/* Ignores stuff it shouldn't handle */
g_signal_connect (server, "handle-stream",
G_CALLBACK (cockpit_handler_socket), &data);
/* External channels, ignore stuff they shouldn't handle */
g_signal_connect (server, "handle-stream",
G_CALLBACK (cockpit_handler_external), &data);
/* Don't redirect to TLS for /ping */
g_object_set (server, "ssl-exception-prefix", "/ping", NULL);
g_signal_connect (server, "handle-resource::/ping",
G_CALLBACK (cockpit_handler_ping), &data);
/* Files that cannot be cache-forever, because of well known names */
g_signal_connect (server, "handle-resource::/favicon.ico",
G_CALLBACK (cockpit_handler_root), &data);
g_signal_connect (server, "handle-resource::/apple-touch-icon.png",
G_CALLBACK (cockpit_handler_root), &data);
/* The fallback handler for everything else */
g_signal_connect (server, "handle-resource",
G_CALLBACK (cockpit_handler_default), &data);
/* Debugging issues during testing */
#if WITH_DEBUG
signal (SIGABRT, cockpit_test_signal_backtrace);
signal (SIGSEGV, cockpit_test_signal_backtrace);
#endif
g_main_loop_run (loop);
ret = 0;
out:
if (loop)
g_main_loop_unref (loop);
if (local_error)
{
g_printerr ("cockpit-ws: %s\n", local_error->message);
g_error_free (local_error);
}
g_clear_object (&server);
g_clear_object (&data.auth);
if (data.os_release)
g_hash_table_unref (data.os_release);
g_clear_object (&certificate);
g_free (cert_path);
g_strfreev (roots);
cockpit_conf_cleanup ();
return ret;
}