From 0fb19ce26360dbf22a358212b798647009370ed8 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson <jjohnson2@lenovo.com>
Date: Fri, 6 Sep 2024 13:41:50 -0400
Subject: [PATCH] Wire up http sessions to vinzmanager

---
 confluent_server/confluent/httpapi.py     | 14 ++++++++++++++
 confluent_server/confluent/vinzmanager.py | 20 ++++++++++++++++----
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index 10ab8b86..cf6a42ee 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -72,6 +72,20 @@ opmap = {
 }
 
 
+def get_user_for_session(sessionid, sessiontok):
+    if not isinstance(sessionid, str):
+        sessionid = sessionid.decode()
+    if not isinstance(sessiontok, str):
+        sessiontok = sessiontok.decode()
+    if not sessiontok or not sessionid:
+        raise Exception("invalid session id or token")
+    if sessiontok != httpsessions.get(sessionid, {}).get('csrftoken', None):
+        raise Exception("Invalid csrf token for session")
+    user = httpsessions[sessionid]['name']
+    if not isinstance(user, str):
+        user = user.decode()
+    return user
+
 def group_creation_resources():
     yield confluent.messages.Attributes(
         kv={'name': None}, desc="Name of the group").html() + '<br>'
diff --git a/confluent_server/confluent/vinzmanager.py b/confluent_server/confluent/vinzmanager.py
index 75b51294..308acb59 100644
--- a/confluent_server/confluent/vinzmanager.py
+++ b/confluent_server/confluent/vinzmanager.py
@@ -11,6 +11,7 @@ import eventlet.green.subprocess as subprocess
 import base64
 import os
 import pwd
+import confluent.httpapi as httpapi
 mountsbyuser = {}
 _vinzfd = None
 _vinztoken = None
@@ -44,7 +45,7 @@ def get_url(nodename, inputdata):
     if method == 'wss':
         return f'/vinz/kvmsession/{nodename}'
     elif method == 'unix':
-        if nodename not in _unix_by_nodename:
+        if nodename not in _unix_by_nodename or not os.path.exists(_unix_by_nodename[nodename]):
             _unix_by_nodename[nodename] = request_session(nodename)
         return _unix_by_nodename[nodename]
 
@@ -132,6 +133,8 @@ def send_grant(conn, nodename):
         conn.send(b'\xff')
 
 def evaluate_request(conn):
+    allow = False
+    authname = None
     try:
         creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                 struct.calcsize('iII'))
@@ -160,13 +163,22 @@ def evaluate_request(conn):
                     authname = pwd.getpwuid(usernum).pw_name
                 except Exception:
                     return
-                allow = auth.authorize(authname, f'/nodes/{nodename}/console/ikvm')
-                if not allow:
+            elif idtype == 2:
+                fieldlen = struct.unpack('!I', conn.recv(4))[0]
+                sessionid = conn.recv(fieldlen)
+                fieldlen = struct.unpack('!I', conn.recv(4))[0]
+                sessiontok = conn.recv(fieldlen)
+                try:
+                    authname = httpapi.get_user_for_session(sessionid, sessiontok)
+                except Exception:
                     return
-                send_grant(conn, nodename)
             else:
                 return
             conn.recv(1)  # should be 0xff
+            if authname:
+                allow = auth.authorize(authname, f'/nodes/{nodename}/console/ikvm')
+            if allow:
+                send_grant(conn, nodename)
     finally:
         conn.close()