WIP

QubesOS · Nov 29, 2024 · 3de5847 · 3de5847
1 parent 2206310
commit 3de5847
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/qrexec/policy/parser.py b/qrexec/policy/parser.py
@@ -766,6 +766,7 @@ async def execute(self) -> str:
 target=@adminvm
 autostart={self.autostart}
 requested_target={request.target}"""
+
         if target.startswith("@dispvm:"):
             target_info = request.system_info["domains"][target[8:]]
             return f"""\
@@ -775,7 +776,24 @@ async def execute(self) -> str:
 target_uuid=@dispvm:uuid:{target_info['uuid']}
 autostart={self.autostart}
 requested_target={request.target}"""
+
         target_info = request.system_info["domains"][target]
+        if target_info.get("relayvm", None):
+            relayvm_name = target_info["relayvm"]
+            relayvm_info = request.system_info["domains"][relayvm_name]
+            for tag in relayvm_info["tags"]:
+                if tag.startswith("transport-rpc-"):
+                    transport_rpc = tag[14:]
+                    return f"""\
+user={self.user or 'DEFAULT'}
+result=allow
+target={relayvm_name}
+target_uuid=uuid:{relayvm_info['uuid']}
+autostart={self.autostart}
+requested_target={request.target}
+service={transport_rpc}
+arg=@remote:{request.target}:{request.service}{request.argument}"""
+
         return f"""\
 user={self.user or 'DEFAULT'}
 result=allow

diff --git a/qrexec/tests/policy_parser.py b/qrexec/tests/policy_parser.py
@@ -105,6 +105,21 @@
             "power_state": "Halted",
             "uuid": "6d7a02b5-532b-467f-b9fb-6596bae03c33",
         },
+        "test-remotevm1": {
+            "tags": ["relayvm-test-local-relay"],
+            "relayvm": "test-local-relay",
+            "type": "RemoteVM",
+            "power_state": "Running",
+            "uuid": "3d225b39-88e9-4696-8978-b27c1360e041",
+        },
+        "test-local-relay": {
+            "tags": ["transport-rpc-qubesair.SSHProxy"],
+            "type": "AppVM",
+            "default_dispvm": None,
+            "template_for_dispvms": False,
+            "power_state": "Running",
+            "uuid": "355304b8-bd5e-4699-9a2b-b6864fc26f6b",
+        }
     },
 }
 
@@ -2017,6 +2032,36 @@ async def _test_123_execute_already_running(self):
 target_uuid=uuid:b3eb69d0-f9d9-4c3c-ad5c-454500303ea4
 autostart=True
 requested_target=test-vm2\
+""",
+        )
+
+    def test_124_execute(self):
+        asyncio.run(self._test_124_execute())
+
+    async def _test_124_execute(self):
+        rule = parser.Rule.from_line(
+            None, "* * test-vm1 test-remotevm1 allow", filepath="filename", lineno=12
+        )
+        request = _req("test-vm1", "test-remotevm1")
+        resolution = parser.AllowResolution(
+            rule,
+            request,
+            user=None,
+            target="test-remotevm1",
+            autostart=True,
+        )
+        result = await resolution.execute()
+        self.assertEqual(
+            result,
+            """\
+user=DEFAULT
+result=allow
+target=test-local-relay
+target_uuid=uuid:355304b8-bd5e-4699-9a2b-b6864fc26f6b
+autostart=True
+requested_target=test-remotevm1
+service=qubesair.SSHProxy
+arg=@remote:test-remotevm1:test.Service+argument\
 """,
         )