Add 'path' query parameter to console access url

Starting in noVNC v1.1.0, the token query parameter is no longer
forwarded via cookie [1]. We must instead use the 'path' query
parameter to pass the token through to the websocketproxy [2].
This means that if someone deploys noVNC v1.1.0, VNC consoles will
break in nova because the code is relying on the cookie functionality
that v1.1.0 removed.

This modifies the ConsoleAuthToken.access_url property to include the
'path' query parameter as part of the returned access_url that the
client will use to call the console proxy service.

This change is backward compatible with noVNC < v1.1.0. The 'path' query
parameter is a long supported feature in noVNC.

Co-Authored-By: melanie witt <[email protected]>

Closes-Bug: #1822676

[1] novnc/noVNC@51f9f00
[2] novnc/noVNC#1220

Change-Id: I2ddf0f4d768b698e980594dd67206464a9cea37b
(cherry picked from commit 9606c80)

Author: mnaser

doc/api_samples/os-remote-consoles/get-rdp-console-post-resp.json

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "rdp-html5",
-        "url": "http://127.0.0.1:6083/?token=191996c3-7b0f-42f3-95a7-f1839f2da6ed"
+        "url": "http://127.0.0.1:6083/?path=%3Ftoken%3D21efbb20-b84c-4d1f-807d-4e14f6884b7f"
     }
-}
+}

doc/api_samples/os-remote-consoles/get-serial-console-post-resp.json

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "serial",
-        "url":"ws://127.0.0.1:6083/?token=f9906a48-b71e-4f18-baca-c987da3ebdb3"
+        "url": "ws://127.0.0.1:6083/?path=%3Ftoken%3D6ac46b4c-2705-4d8b-baa3-1b6f1b0c7dd3"
     }
-}
+}

doc/api_samples/os-remote-consoles/get-spice-console-post-resp.json

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "spice-html5",
-        "url": "http://127.0.0.1:6082/spice_auto.html?token=a30e5d08-6a20-4043-958f-0852440c6af4"
+        "url": "http://127.0.0.1:6082/spice_auto.html?path=%3Ftoken%3Da7bd9607-421c-44b9-8689-18e87ada2f78"
     }
 }

doc/api_samples/os-remote-consoles/get-vnc-console-post-resp.json

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "novnc",
-        "url": "http://127.0.0.1:6080/vnc_auto.html?token=191996c3-7b0f-42f3-95a7-f1839f2da6ed"
+        "url": "http://127.0.0.1:6080/vnc_auto.html?path=%3Ftoken%3Ddaae261f-474d-4cae-8f6a-1865278ed8c9"
     }
 }

doc/api_samples/os-remote-consoles/v2.6/create-vnc-console-resp.json

@@ -2,6 +2,6 @@
     "remote_console": {
         "protocol": "vnc",
         "type": "novnc",
-        "url": "http://example.com:6080/vnc_auto.html?token=b60bcfc3-5fd4-4d21-986c-e83379107819"
+        "url": "http://example.com:6080/vnc_auto.html?path=%3Ftoken%3Db60bcfc3-5fd4-4d21-986c-e83379107819"
     }
 }

doc/source/admin/figures/SCH_5009_V00_NUAC-VNC_OpenStack.svg

@@ -30,7 +30,7 @@ nova provides services to handle this proxying. Consider a noVNC-based VNC
 console connection for example:
 
 #. A user connects to the API and gets an ``access_url`` such as,
-   ``http://ip:port/?token=xyz``.
+   ``http://ip:port/?path=%3Ftoken%3Dxyz``.
 
 #. The user pastes the URL in a browser or uses it as a client parameter.
 

doc/source/admin/remote-console-access.rst

@@ -84,7 +84,7 @@ Example response::
     "remote_console": {
       "protocol": "vnc",
       "type": "novnc",
-      "url": "http://example.com:6080/vnc_auto.html?token=XYZ"
+      "url": "http://example.com:6080/vnc_auto.html?path=%3Ftoken%3DXYZ"
     }
   }
 

nova/api/openstack/compute/rest_api_version_history.rst

@@ -18,6 +18,7 @@
 from oslo_utils import strutils
 from oslo_utils import timeutils
 from oslo_utils import uuidutils
+import six.moves.urllib.parse as urlparse
 
 from nova.db import api as db
 from nova import exception
@@ -60,7 +61,9 @@ def access_url(self):
         specific to this authorization.
         """
         if self.obj_attr_is_set('id'):
-            return '%s?token=%s' % (self.access_url_base, self.token)
+            qparams = {'path': '?token=%s' % self.token}
+            return '%s?%s' % (self.access_url_base,
+                              urlparse.urlencode(qparams))
 
     @staticmethod
     def _from_db_object(context, obj, db_obj):

nova/objects/console_auth_token.py

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "rdp-html5",
-        "url": "http://127.0.0.1:6083/?token=%(uuid)s"
+        "url": "http://127.0.0.1:6083/?path=%%3Ftoken%%3D%(uuid)s"
     }
 }

nova/tests/functional/api_sample_tests/api_samples/os-remote-consoles/get-rdp-console-post-resp.json.tpl

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "serial",
-        "url": "ws://127.0.0.1:6083/?token=%(uuid)s"
+        "url": "ws://127.0.0.1:6083/?path=%%3Ftoken%%3D%(uuid)s"
     }
 }

nova/tests/functional/api_sample_tests/api_samples/os-remote-consoles/get-serial-console-post-resp.json.tpl

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "spice-html5",
-        "url": "http://127.0.0.1:6082/spice_auto.html?token=%(uuid)s"
+        "url": "http://127.0.0.1:6082/spice_auto.html?path=%%3Ftoken%%3D%(uuid)s"
     }
 }

nova/tests/functional/api_sample_tests/api_samples/os-remote-consoles/get-spice-console-post-resp.json.tpl

@@ -1,6 +1,6 @@
 {
     "console": {
         "type": "novnc",
-        "url": "http://127.0.0.1:6080/vnc_auto.html?token=%(uuid)s"
+        "url": "http://127.0.0.1:6080/vnc_auto.html?path=%%3Ftoken%%3D%(uuid)s"
     }
 }

nova/tests/functional/api_sample_tests/api_samples/os-remote-consoles/get-vnc-console-post-resp.json.tpl

@@ -15,6 +15,7 @@
 import re
 
 from oslo_serialization import jsonutils
+import six.moves.urllib.parse as urlparse
 
 from nova.tests.functional.api_sample_tests import test_servers
 
@@ -32,7 +33,8 @@ def _get_console_token(self, uuid):
                                  {'action': 'os-getRDPConsole'})
 
         url = self._get_console_url(response.content)
-        return re.match('.+?token=([^&]+)', url).groups()[0]
+        path = urlparse.urlencode({'path': '?token='})
+        return re.match('.+?%s([^&]+)' % path, url).groups()[0]
 
     def test_get_console_connect_info(self):
         self.flags(enabled=True, group='rdp')

nova/tests/functional/api_sample_tests/test_console_auth_tokens.py

@@ -19,6 +19,7 @@
 
 import mock
 from oslo_utils.fixture import uuidsentinel as uuids
+import six.moves.urllib.parse as urlparse
 
 import nova.conf
 from nova.console.securityproxy import base
@@ -47,6 +48,7 @@ def setUp(self):
         self.wh.msg = mock.MagicMock()
         self.wh.do_proxy = mock.MagicMock()
         self.wh.headers = mock.MagicMock()
+        self.path = urlparse.urlencode({'path': '?token=123-456-789'})
 
     def _fake_console_db(self, **updates):
         console_db = copy.deepcopy(fake_ca.fake_token_dict)
@@ -96,7 +98,7 @@ def test_new_websocket_client_db(
             tsock.recv.return_value = "HTTP/1.1 200 OK\r\n\r\n"
             self.wh.socket.return_value = tsock
 
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         if instance_not_found:
@@ -143,6 +145,8 @@ def setUp(self):
         self.wh.msg = mock.MagicMock()
         self.wh.do_proxy = mock.MagicMock()
         self.wh.headers = mock.MagicMock()
+        self.path = urlparse.urlencode({'path': '?token=123-456-789'})
+        self.path_invalid = urlparse.urlencode({'path': '?token=XXX'})
 
     fake_header = {
         'cookie': 'token="123-456-789"',
@@ -228,7 +232,7 @@ def test_new_websocket_client_enable_consoleauth(self, check_token):
             'access_url': 'https://example.net:6080'
         }
         self.wh.socket.return_value = '<socket>'
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.wh.new_websocket_client()
@@ -261,7 +265,7 @@ def test_new_websocket_client_enable_consoleauth_fallback(self, validate,
         validate.return_value = objects.ConsoleAuthToken(**params)
 
         self.wh.socket.return_value = '<socket>'
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.wh.new_websocket_client()
@@ -287,7 +291,7 @@ def test_new_websocket_client(self, validate, check_port):
         validate.return_value = objects.ConsoleAuthToken(**params)
 
         self.wh.socket.return_value = '<socket>'
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.wh.new_websocket_client()
@@ -312,7 +316,7 @@ def test_new_websocket_client_ipv6_url(self, validate, check_port):
         validate.return_value = objects.ConsoleAuthToken(**params)
 
         self.wh.socket.return_value = '<socket>'
-        self.wh.path = "http://[2001:db8::1]/?token=123-456-789"
+        self.wh.path = "http://[2001:db8::1]/?%s" % self.path
         self.wh.headers = self.fake_header_ipv6
 
         self.wh.new_websocket_client()
@@ -325,7 +329,7 @@ def test_new_websocket_client_ipv6_url(self, validate, check_port):
     def test_new_websocket_client_token_invalid(self, validate):
         validate.side_effect = exception.InvalidToken(token='XXX')
 
-        self.wh.path = "http://127.0.0.1/?token=XXX"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path_invalid
         self.wh.headers = self.fake_header_bad_token
 
         self.assertRaises(exception.InvalidToken,
@@ -353,7 +357,7 @@ def test_new_websocket_client_internal_access_path(self, validate,
         tsock.recv.return_value = "HTTP/1.1 200 OK\r\n\r\n"
 
         self.wh.socket.return_value = tsock
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.wh.new_websocket_client()
@@ -386,7 +390,7 @@ def test_new_websocket_client_internal_access_path_err(self, validate,
         tsock.recv.return_value = "HTTP/1.1 500 Internal Server Error\r\n\r\n"
 
         self.wh.socket.return_value = tsock
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.assertRaises(exception.InvalidConnectionInfo,
@@ -418,7 +422,7 @@ def test_new_websocket_client_internal_access_path_rfb(self, validate,
                                   HTTP_RESP]
 
         self.wh.socket.return_value = tsock
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.wh.new_websocket_client()
@@ -448,7 +452,7 @@ def test_new_websocket_client_py273_good_scheme(
         validate.return_value = objects.ConsoleAuthToken(**params)
 
         self.wh.socket.return_value = '<socket>'
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        self.wh.path = "http://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.wh.new_websocket_client()
@@ -468,7 +472,7 @@ def test_new_websocket_client_py273_special_scheme(
             'console_type': 'novnc'
         }
         self.wh.socket.return_value = '<socket>'
-        self.wh.path = "ws://127.0.0.1/?token=123-456-789"
+        self.wh.path = "ws://127.0.0.1/?%s" % self.path
         self.wh.headers = self.fake_header
 
         self.assertRaises(exception.NovaException,
@@ -477,10 +481,9 @@ def test_new_websocket_client_py273_special_scheme(
     @mock.patch('socket.getfqdn')
     def test_address_string_doesnt_do_reverse_dns_lookup(self, getfqdn):
         request_mock = mock.MagicMock()
-        request_mock.makefile().readline.side_effect = [
-            b'GET /vnc.html?token=123-456-789 HTTP/1.1\r\n',
-            b''
-        ]
+        msg = 'GET /vnc.html?%s HTTP/1.1\r\n' % self.path
+        request_mock.makefile().readline.side_effect = [msg.encode('utf-8'),
+                                                        b'']
         server_mock = mock.MagicMock()
         client_address = ('8.8.8.8', 54321)
 
@@ -734,7 +737,8 @@ def setUp(self):
         with mock.patch('websockify.ProxyRequestHandler'):
             self.wh = websocketproxy.NovaProxyRequestHandler()
         self.wh.server = self.server
-        self.wh.path = "http://127.0.0.1/?token=123-456-789"
+        path = urlparse.urlencode({'path': '?token=123-456-789'})
+        self.wh.path = "http://127.0.0.1/?%s" % path
         self.wh.socket = mock.MagicMock()
         self.wh.msg = mock.MagicMock()
         self.wh.do_proxy = mock.MagicMock()

nova/tests/unit/console/test_websocketproxy.py

@@ -19,6 +19,7 @@
 from oslo_db.exception import DBDuplicateEntry
 from oslo_utils.fixture import uuidsentinel
 from oslo_utils import timeutils
+import six.moves.urllib.parse as urlparse
 
 from nova import exception
 from nova.objects import console_auth_token as token_obj
@@ -70,9 +71,9 @@ def test_authorize(self, mock_create):
         self.compare_obj(obj, expected)
 
         url = obj.access_url
-        expected_url = '%s?token=%s' % (
-            fakes.fake_token_dict['access_url_base'],
-            fakes.fake_token)
+        path = urlparse.urlencode({'path': '?token=%s' % fakes.fake_token})
+        expected_url = '%s?%s' % (
+            fakes.fake_token_dict['access_url_base'], path)
         self.assertEqual(expected_url, url)
 
     @mock.patch('nova.db.api.console_auth_token_create')

nova/tests/unit/objects/test_console_auth_token.py

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Add support for noVNC >= v1.1.0 for VNC consoles. Prior to this fix, VNC
+    console token validation always failed regardless of actual token validity
+    with noVNC >= v1.1.0. See
+    https://bugs.launchpad.net/nova/+bug/1822676 for more details.