From ddb2f64e0f88ab852eec1b3deb19606ae4d83345 Mon Sep 17 00:00:00 2001 From: Marius Vollmer Date: Thu, 1 Aug 2024 11:16:01 +0300 Subject: [PATCH] shell: Don't allow connections to remote machines via URLs... ...when the host switcher is disabled. Instead, redirect them to localhost. This requires us to really delay the initial navigation until after host_switcher_enabled has been initialized. The tests that use multiple machines add those machines by navigating to their URL and then logging into them via the trouble shooting dialog. Those tests have to explicitly enable the host switcher for this to continue to work. --- pkg/shell/indexes.jsx | 48 +++++++++++++++-------- test/common/testlib.py | 5 +++ test/verify/check-shell-host-switching | 5 --- test/verify/check-shell-multi-machine | 2 + test/verify/check-shell-multi-os | 1 + test/verify/check-superuser | 1 + test/verify/check-system-realms | 2 + test/verify/check-system-shutdown-restart | 2 + 8 files changed, 44 insertions(+), 22 deletions(-) diff --git a/pkg/shell/indexes.jsx b/pkg/shell/indexes.jsx index 00addab6d12f..8554cfe199f1 100644 --- a/pkg/shell/indexes.jsx +++ b/pkg/shell/indexes.jsx 
@@ -102,24 +102,17 @@ function MachinesIndex(index_options, machines, loader) { }).catch(exc => console.log(exc)); /* Host switcher enabled? */ - let host_switcher_enabled = false; + let host_switcher_enabled = null; read_os_release().then(os_release => { - const enabled = os_release && get_manifest_config_matchlist( - "shell", "host_switcher", false, - [os_release.PLATFORM_ID, os_release.VERSION_CODENAME]); - if (enabled) { - host_switcher_enabled = true; - update_machines(); - } + if (!os_release) + host_switcher_enabled = false; + else + host_switcher_enabled = get_manifest_config_matchlist( + "shell", "host_switcher", false, + [os_release.PLATFORM_ID, os_release.VERSION_CODENAME]); + on_ready(); }); - /* Navigation */ - let ready = false; - function on_ready() { - ready = true; - index.ready(); - } - function preload_frames () { for (const m of machines.list) index.preload_frames(m, m.manifests); @@ -145,8 +138,18 @@ function MachinesIndex(index_options, machines, loader) { }); }); - if (machines.ready) - on_ready(); + /* Navigation */ + let ready = false; + function on_ready() { + console.log("READY?", JSON.stringify({ machines: machines.ready, host_switcher_enabled })); + if (machines.ready && host_switcher_enabled !== null) { + console.log("READY"); + ready = true; + index.ready(); + } + } + + on_ready(); function show_disconnected() { if (!ready) { @@ -185,8 +188,19 @@ function MachinesIndex(index_options, machines, loader) { if (watchdog_problem || troubleshooting_opened) return; + if (!ready) + return; + if (!state) state = index.retrieve_state(); + + // Force a redirect to localhost when the host switcher is + // disabled. That way, people won't accidentally connect to + // remote machines via URL bookmarks or similar that point to + // them. + if (!host_switcher_enabled) + state.host = "localhost"; + let machine = machines.lookup(state.host); /* No such machine */ 
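Review bot: The `read_os_release().then(...)` chain in the first hunk has no rejection handler, and `host_switcher_enabled` now starts as `null`, so if that promise rejects `on_ready()` is never called from it and the shell never becomes ready. Whether `read_os_release()` can reject is not visible in this hunk, but the gap is cheap to close by appending `.catch(exc => { console.warn(exc); host_switcher_enabled = false; on_ready(); })`. Falling back to `false` keeps the restrictive behaviour (remote hosts stay redirected) when the OS release cannot be read. A comment on the declaration such as `// null = not yet known; navigation is held back until this is a boolean` would document the tri-state.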
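Review bot: The `console.log("READY?", ...)` and `console.log("READY")` calls added to `on_ready()` in the second hunk look like leftover debugging and would print on every shell load; they should be dropped before merging. `on_ready()` now has at least two callers (the os-release promise in the first hunk and the direct call here, possibly more outside the hunk), so an early `if (ready) return;` would ensure `index.ready()` cannot run a second time if a later caller fires after both conditions already hold.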
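Review bot: The forced `state.host = "localhost"` in the third hunk applies only to this navigation path and only in the browser, so the comment should say it guards against accidental connections and is not an access control. Whether the server side also refuses remote hosts when `host_switcher` is off is not visible here. `preload_frames()`, visible as context in the first hunk, still iterates `machines.list` without consulting `host_switcher_enabled`, which is worth checking if that list can contain remote machines in this mode. None of the test changes in this patch exercise the disabled case (they all turn the switcher on), so a test that opens a `/@10.111.113.2`-style URL with the switcher off and expects to end up on localhost would pin the new behaviour. The enclosing function starts and ends outside the hunk.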
diff --git a/test/common/testlib.py b/test/common/testlib.py index 2ae6ef6bbe71..c1e4010e0e2d 100644 --- a/test/common/testlib.py +++ b/test/common/testlib.py @@ -1776,6 +1776,11 @@ def tearDown(self) -> None: shutil.rmtree(self.tmpdir, ignore_errors=True) + def enable_multihost(self, machine: testvm.Machine) -> None: + if not self.multihost_enabled: + machine.write("/etc/cockpit/shell.override.json", + '{ "config": { "host_switcher": true } }') + def login_and_go( self, path: str | None = None, diff --git a/test/verify/check-shell-host-switching b/test/verify/check-shell-host-switching index e005b7ba2c44..b4a10244b391 100755 --- a/test/verify/check-shell-host-switching +++ b/test/verify/check-shell-host-switching @@ -115,11 +115,6 @@ class TestHostSwitching(testlib.MachineCase, HostSwitcherHelpers): self.allow_restart_journal_messages() self.allow_hostkey_messages() - def enable_multihost(self, machine): - if not self.multihost_enabled: - machine.write("/etc/cockpit/shell.override.json", - '{ "config": { "host_switcher": true } }') - def testBasic(self): b = self.browser m1 = self.machines["machine1"] diff --git a/test/verify/check-shell-multi-machine b/test/verify/check-shell-multi-machine index f92fa6244c51..b28feeedccd5 100755 --- a/test/verify/check-shell-multi-machine +++ b/test/verify/check-shell-multi-machine @@ -134,6 +134,7 @@ class TestMultiMachineAdd(testlib.MachineCase): # and failing to load sofware updates breaks pixel tests in release builds self.setup_provisioned_hosts(disable_preload=True) self.setup_ssh_auth() + self.enable_multihost(self.machine) def testBasic(self): b = self.browser @@ -250,6 +251,7 @@ class TestMultiMachine(testlib.MachineCase): self.allow_journal_messages("sudo: unable to resolve host machine1: .*") self.setup_provisioned_hosts(disable_preload=True) + self.enable_multihost(self.machine) def checkDirectLogin(self, root='/', known_host=False): b = self.browser 
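Review bot: `enable_multihost()` in `test/common/testlib.py` is now a shared helper on the test base class but has no docstring, and it replaces `/etc/cockpit/shell.override.json` wholesale, so any override a test wrote earlier would be lost. A docstring along the lines of `"""Enable the shell host switcher on machine via shell.override.json; no-op when self.multihost_enabled is already set."""` would cover it. `multihost_enabled` is defined outside this hunk, so its exact meaning should be confirmed when wording that. The docstring should also say the helper has to be called before the browser loads the shell, since the new code in `indexes.jsx` appears to read the setting once during start-up.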
diff --git a/test/verify/check-shell-multi-os b/test/verify/check-shell-multi-os index 3da6fc7da47a..06890cd2c750 100755 --- a/test/verify/check-shell-multi-os +++ b/test/verify/check-shell-multi-os @@ -33,6 +33,7 @@ class TestRHEL8(testlib.MachineCase): stock_m = self.machines['stock'] stock_m.execute("hostnamectl set-hostname stock") + self.enable_multihost(dev_m) # Wait for connectivity between the two stock_m.execute("ping -q -w5 -c5 10.111.113.1") diff --git a/test/verify/check-superuser b/test/verify/check-superuser index 933029c6a582..e5cfe7892caf 100755 --- a/test/verify/check-superuser +++ b/test/verify/check-superuser @@ -405,6 +405,7 @@ class TestSuperuserDashboard(testlib.MachineCase): def test(self): b = self.browser self.setup_provisioned_hosts() + self.enable_multihost(self.machine) self.login_and_go() b.go("/@10.111.113.2") diff --git a/test/verify/check-system-realms b/test/verify/check-system-realms index 151ff23f8052..c44aa419d903 100755 --- a/test/verify/check-system-realms +++ b/test/verify/check-system-realms @@ -495,6 +495,7 @@ class TestRealms(testlib.MachineCase): self.op_admin_password = "#realms-op-admin-password" self.domain_sel = "#system_information_domain_button" self.machine.execute("hostnamectl set-hostname x0.cockpit.lan") + self.enable_multihost(self.machine) # realmd times out on inactivity, which occasionally races with the proxy self.allow_journal_messages("couldn't get all properties of org.freedesktop.realmd.Service.*org.freedesktop.DBus.Error.NoReply: Remote peer disconnected") @@ -989,6 +990,7 @@ class TestKerberos(testlib.MachineCase): def setUp(self): super().setUp() maybe_setup_fake_chrony(self.machine) + self.enable_multihost(self.machine) def configure_kerberos(self, keytab): self.machines["services"].execute("/root/run-freeipa") diff --git a/test/verify/check-system-shutdown-restart b/test/verify/check-system-shutdown-restart index 5d276162153a..8ac48dc3fb88 100755 --- a/test/verify/check-system-shutdown-restart 
+++ b/test/verify/check-system-shutdown-restart @@ -38,6 +38,8 @@ class TestShutdownRestart(testlib.MachineCase): m2 = self.machines['machine2'] b2 = self.new_browser(m2) + self.enable_multihost(m2) + m.start_cockpit() self.login_and_go("/system")