Adapt agama-live to work with the new architecture #1119
Conversation
live/startup
Outdated
| VALUE=$(cat $TOKEN_FILE) | ||
| EXPIRATION=$(date --date '1 day' +%s) | ||
|
|
||
| sqlite3 $COOKIES_DB "INSERT INTO moz_cookies \ |
There was a problem hiding this comment.
I do not like hacking the internal Firefox cookies database directly. That's very fragile and works only with Firefox.
What about creating a /run/agama/token.html file with root-only permissions with content like
<!DOCTYPE html>
<html>
<body>
<script>
document.location = "http://localhost/login?token=" + <JS-escaped-token-value>;
</script>
</body>
</html>and implement /login endpoint which would set the agamaToken cookie and redirect to /.
And then use that file in the firefox command below like
firefox --kiosk --profile $HOME/.mozilla/firefox/profile /run/agama/token.htmlThat special file would avoid exposing the token in the process list (in contrast when using the token directly in the firefox command).
The advantage would not hacking the SQLite internals and would be generic for all browsers.
Note: Originally I wanted to put something like
document.cookie = "agamaToken=" + tokenValue + ";domain=localhost;path=/api";into that HTML file. But for security reasons it is not possible to set cookie for a different domain and it is not possible to set an httpOnly cookie...
There was a problem hiding this comment.
Of course, I am open to other approaches and I see your point. However bear in mind that we only need to support Firefox and, if something changes, we can detect soon enough in our CI.
To be honest, I would rather prefer some kind of API to import the cookie and do not have to extend the backend (and add a redirection). But I am not against this solution.
There was a problem hiding this comment.
Thinking about your proposal we can get rid of the token.html file. The startup script would be the responsible for reading and injecting the token in the URL.
In the server side, the following code seems to work:
pub async fn get_cookie(
State(state): State<ServiceState>,
Query(params): Query<GetCookieParams>,
) -> impl IntoResponse {
let decoding = DecodingKey::from_secret(state.config.jwt_secret.as_ref());
let mut headers = HeaderMap::new();
if jsonwebtoken::decode::<TokenClaims>(¶ms.token, &decoding, &Validation::default()).is_ok()
{
let cookie = format!("agamaToken={}; HttpOnly", params.token);
headers.insert(
SET_COOKIE,
cookie.parse().expect("could not build a valid cookie"),
);
}
headers.insert(LOCATION, "/".parse().unwrap());
(StatusCode::PERMANENT_REDIRECT, headers)
}If it is OK for you, I will clean-up the code a bit (removing some duplication) and update the PR.
|
I have update the PR to follow @lslezak's approach (thanks!) removing the ugly sqlite3 hack. About automating this process, we already have a card for it: https://trello.com/c/1G6TeRzy/337-agama-put-agama-live-sources-in-a-github-repository. Perhaps it is something to plan for in the following sprint. |
live/startup
Outdated
| TOKEN_FILE=/run/agama/token | ||
| TOKEN=$(cat $TOKEN_FILE) | ||
|
|
||
| firefox --kiosk --profile $HOME/.mozilla/firefox/profile "http://localhost/login?token=$TOKEN" |
There was a problem hiding this comment.
The code is simpler without using a helper token.html file. On the other hand the token is then visible in the ps output. I'm not sure how serious is this problem... 🤔
There was a problem hiding this comment.
Well, you might need to access to the system (as root, as it is the only user in the ISO) and, at that point, you can read the token from the file anyway. Alternatively, we could set the URL as the homepage for the browser (we are doing other tweaks anyway), so we do not need to specify any URL.
There was a problem hiding this comment.
Yes, once you are root you can do everything...
The problem is that for running simple ps you do not need to be root. If e.g. the avahi daemon running as avahi user is vulnerable and allows arbitrary code execution then you could still get the root token if you force it to run ps and get the output although it's not running as root.
There was a problem hiding this comment.
BTW setting the home page looks like a good trick...
There was a problem hiding this comment.
OK, let's give the homepage setting a try.
|
Yes, you are right. Now the next step is to submit all this stuff automatically. But that's another story. 😄 |
After a few months of work, it is time to merge the `architecture_2024` branch into `master`. It is still a work-in-progress, but all the efforts should be go now against that branch. ## Pull requests * #1061 * #1064 * #1073 * #1074 * #1080 * #1089 * #1091 * #1092 * #1094 * #1095 * #1099 * #1100 * #1102 * #1103 * #1112 * #1114 * #1116 * #1117 * #1119 * #1120 * #1123 * #1126 * #1129 * #1130 * #1131 * #1132 * #1133 * #1134 * #1136 * #1139 * #1140 * #1143 * #1146 ## Other commits * 8efa41f * 9e2dec0
Prepare for releasing Agama 8. It includes the following pull requests: * #884 * #886 * #914 * #918 * #956 * #957 * #958 * #959 * #960 * #961 * #962 * #963 * #964 * #965 * #966 * #969 * #970 * #976 * #977 * #978 * #979 * #980 * #981 * #983 * #984 * #985 * #986 * #988 * #991 * #992 * #995 * #996 * #997 * #999 * #1003 * #1004 * #1006 * #1007 * #1008 * #1009 * #1010 * #1011 * #1012 * #1014 * #1015 * #1016 * #1017 * #1020 * #1022 * #1023 * #1024 * #1025 * #1027 * #1028 * #1029 * #1030 * #1031 * #1032 * #1033 * #1034 * #1035 * #1036 * #1038 * #1039 * #1041 * #1042 * #1043 * #1045 * #1046 * #1047 * #1048 * #1052 * #1054 * #1056 * #1057 * #1060 * #1061 * #1062 * #1063 * #1064 * #1066 * #1067 * #1068 * #1069 * #1071 * #1072 * #1073 * #1074 * #1075 * #1079 * #1080 * #1081 * #1082 * #1085 * #1086 * #1087 * #1088 * #1089 * #1090 * #1091 * #1092 * #1093 * #1094 * #1095 * #1096 * #1097 * #1098 * #1099 * #1100 * #1102 * #1103 * #1104 * #1105 * #1106 * #1109 * #1110 * #1111 * #1112 * #1114 * #1116 * #1117 * #1118 * #1119 * #1120 * #1121 * #1122 * #1123 * #1125 * #1126 * #1127 * #1128 * #1129 * #1130 * #1131 * #1132 * #1133 * #1134 * #1135 * #1136 * #1138 * #1139 * #1140 * #1141 * #1142 * #1143 * #1144 * #1145 * #1146 * #1147 * #1148 * #1149 * #1151 * #1152 * #1153 * #1154 * #1155 * #1156 * #1157 * #1158 * #1160 * #1161 * #1162 * #1163 * #1164 * #1165 * #1166 * #1167 * #1168 * #1169 * #1170 * #1171 * #1172 * #1173 * #1174 * #1175 * #1177 * #1178 * #1180 * #1181 * #1182 * #1183 * #1184 * #1185 * #1187 * #1188 * #1189 * #1190 * #1191 * #1192 * #1193 * #1194 * #1195 * #1196 * #1198 * #1199 * #1200 * #1201 * #1203 * #1204 * #1205 * #1206 * #1207 * #1208 * #1209 * #1210 * #1211 * #1212 * #1213 * #1214 * #1215 * #1216 * #1217 * #1219 * #1220 * #1221 * #1222 * #1223 * #1224 * #1225 * #1226 * #1227 * #1229
Changes summary
--generate-tokenoption toagama-web-server. Using such a token you can skip the authentication (given that you have access to the token).agama-web-serversystemd service.no-unused-varslinter.agama-web-ui.spec.To do
agama-live sources in the repo
In the future, we plan to move the source we use to build
agama-liveto this repository.