izackp/Apollo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'permission-system'

Browse Source
This commit is contained in:
Yukino Song
2024-09-16 23:14:15 +08:00
parent 80ea11b815 db5790b374
commit a482029d4d
23 changed files with 1075 additions and 245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitmodules vendored
View File

@@ -32,7 +32,7 @@
branch = sdk
[submodule "third-party/Simple-Web-Server"]
path = third-party/Simple-Web-Server
url = https://gitlab.com/eidheim/Simple-Web-Server.git
url = https://github.com/ClassicOldSong/Simple-Web-Server
branch = master
[submodule "third-party/TPCircularBuffer"]
path = third-party/TPCircularBuffer

63
src/confighttp.cpp
View File

@@ -866,6 +866,38 @@ namespace confighttp {
outputTree.put("status", true);
}
void
updateClient(resp_https_t response, req_https_t request) {
if (!authenticate(response, request)) return;
print_req(request);
std::stringstream ss;
ss << request->content.rdbuf();
pt::ptree inputTree, outputTree;
auto g = util::fail_guard([&]() {
std::ostringstream data;
pt::write_json(data, outputTree);
response->write(data.str());
});
try {
pt::read_json(ss, inputTree);
std::string uuid = inputTree.get<std::string>("uuid");
std::string name = inputTree.get<std::string>("name");
auto perm = (crypto::PERM)inputTree.get<uint32_t>("perm") & crypto::PERM::_all;
outputTree.put("status", nvhttp::update_device_info(uuid, name, perm));
}
catch (std::exception &e) {
BOOST_LOG(warning) << "Update Client: "sv << e.what();
outputTree.put("status", false);
outputTree.put("error", e.what());
return;
}
}
void
unpair(resp_https_t response, req_https_t request) {
if (!authenticate(response, request)) return;
@@ -897,6 +929,35 @@ namespace confighttp {
}
}
void
disconnect(resp_https_t response, req_https_t request) {
if (!authenticate(response, request)) return;
print_req(request);
std::stringstream ss;
ss << request->content.rdbuf();
pt::ptree inputTree, outputTree;
auto g = util::fail_guard([&]() {
std::ostringstream data;
pt::write_json(data, outputTree);
response->write(data.str());
});
try {
pt::read_json(ss, inputTree);
std::string uuid = inputTree.get<std::string>("uuid");
outputTree.put("status", nvhttp::find_and_stop_session(uuid, true));
}
catch (std::exception &e) {
BOOST_LOG(warning) << "Disconnect: "sv << e.what();
outputTree.put("status", false);
outputTree.put("error", e.what());
}
}
void
listClients(resp_https_t response, req_https_t request) {
if (!authenticate(response, request)) return;
@@ -969,7 +1030,9 @@ namespace confighttp {
server.resource["^/api/apps/([0-9]+)$"]["DELETE"] = deleteApp;
server.resource["^/api/clients/unpair-all$"]["POST"] = unpairAll;
server.resource["^/api/clients/list$"]["GET"] = listClients;
server.resource["^/api/clients/update$"]["POST"] = updateClient;
server.resource["^/api/clients/unpair$"]["POST"] = unpair;
server.resource["^/api/clients/disconnect$"]["POST"] = disconnect;
server.resource["^/api/apps/close$"]["POST"] = closeApp;
server.resource["^/api/covers/upload$"]["POST"] = uploadCover;
server.resource["^/images/apollo.ico$"]["GET"] = getFaviconImage;

11
src/crypto.cpp
View File

@@ -11,11 +11,11 @@ namespace crypto {
cert_chain_t::cert_chain_t():
_certs {}, _cert_ctx { X509_STORE_CTX_new() } {}
void
cert_chain_t::add(x509_t &&cert) {
cert_chain_t::add(p_named_cert_t& named_cert_p) {
x509_store_t x509_store { X509_STORE_new() };
X509_STORE_add_cert(x509_store.get(), cert.get());
_certs.emplace_back(std::make_pair(std::move(cert), std::move(x509_store)));
X509_STORE_add_cert(x509_store.get(), x509(named_cert_p->cert).get());
_certs.emplace_back(std::make_pair(named_cert_p, std::move(x509_store)));
}
void
cert_chain_t::clear() {
@@ -52,9 +52,9 @@ namespace crypto {
* @return nullptr if the certificate is valid, otherwise an error string.
*/
const char *
cert_chain_t::verify(x509_t::element_type *cert) {
cert_chain_t::verify(x509_t::element_type *cert, p_named_cert_t& named_cert_out) {
int err_code = 0;
for (auto &[_, x509_store] : _certs) {
for (auto &[named_cert_p, x509_store] : _certs) {
auto fg = util::fail_guard([this]() {
X509_STORE_CTX_cleanup(_cert_ctx.get());
});
@@ -70,6 +70,7 @@ namespace crypto {
auto err = X509_verify_cert(_cert_ctx.get());
if (err == 1) {
named_cert_out = named_cert_p;
return nullptr;
}

58
src/crypto.h
View File

@@ -34,6 +34,58 @@ namespace crypto {
using pkey_ctx_t = util::safe_ptr<EVP_PKEY_CTX, EVP_PKEY_CTX_free>;
using bignum_t = util::safe_ptr<BIGNUM, BN_free>;
/**
* @brief The permissions of a client.
*/
enum class PERM: uint32_t {
_reserved = 1,
_input = _reserved << 8, // Input permission group
input_controller = _input << 0, // Allow controller input
input_touch = _input << 1, // Allow touch input
input_pen = _input << 2, // Allow pen input
input_kbdm = _input << 3, // Allow kbd/mouse input
_all_inputs = input_controller | input_touch | input_pen | input_kbdm,
_operation = _input << 8, // Operation permission group
clipboard_set = _operation << 0, // Allow set clipboard from client
clipboard_read = _operation << 1, // Allow read clipboard from host
file_upload = _operation << 2, // Allow upload files to host
file_dwnload = _operation << 3, // Allow download files from host
server_cmd = _operation << 4, // Allow execute server cmd
_all_opeiations = clipboard_set | clipboard_read | file_upload | file_dwnload | server_cmd,
_action = _operation << 8, // Action permission group
list = _action << 0, // Allow list apps
view = _action << 1, // Allow view streams
launch = _action << 2, // Allow launch apps
_allow_view = view | launch, // If no view permission is granted, disconnect the device upon permission update
_all_actions = list | view | launch,
_default = view | list, // Default permissions for new clients
_no = 0, // No permissions are granted
_all = _all_inputs | _all_opeiations | _all_actions, // All current permissions
};
inline constexpr PERM
operator&(PERM x, PERM y) {
return static_cast<PERM>(static_cast<uint32_t>(x) & static_cast<uint32_t>(y));
}
inline constexpr bool
operator!(PERM p) {
return static_cast<uint32_t>(p) == 0;
}
struct named_cert_t {
std::string name;
std::string uuid;
std::string cert;
PERM perm;
};
using p_named_cert_t = std::shared_ptr<named_cert_t>;
/**
* @brief Hashes the given plaintext using SHA-256.
* @param plaintext
@@ -76,16 +128,16 @@ namespace crypto {
KITTY_DECL_CONSTR(cert_chain_t)
void
add(x509_t &&cert);
add(p_named_cert_t& named_cert_p);
void
clear();
const char *
verify(x509_t::element_type *cert);
verify(x509_t::element_type *cert, p_named_cert_t& named_cert_out);
private:
std::vector<std::pair<x509_t, x509_store_t>> _certs;
std::vector<std::pair<p_named_cert_t, x509_store_t>> _certs;
x509_store_ctx_t _cert_ctx;
};

56
src/input.cpp
View File

@@ -1628,7 +1628,61 @@ namespace input {
* @param input_data The input message.
*/
void
passthrough(std::shared_ptr<input_t> &input, std::vector<std::uint8_t> &&input_data) {
passthrough(std::shared_ptr<input_t> &input, std::vector<std::uint8_t> &&input_data, const crypto::PERM& permission) {
// No input permissions at all
if (!(permission & crypto::PERM::_all_inputs)) {
return;
}
// Have some input permission
// Otherwise have all input permission
if ((permission & crypto::PERM::_all_inputs) != crypto::PERM::_all_inputs) {
PNV_INPUT_HEADER payload = (PNV_INPUT_HEADER)input_data.data();
// Check permission
switch (util::endian::little(payload->magic)) {
case MULTI_CONTROLLER_MAGIC_GEN5:
case SS_CONTROLLER_ARRIVAL_MAGIC:
case SS_CONTROLLER_TOUCH_MAGIC:
case SS_CONTROLLER_MOTION_MAGIC:
case SS_CONTROLLER_BATTERY_MAGIC:
if (!(permission & crypto::PERM::input_controller)) {
return;
} else {
break;
}
case MOUSE_MOVE_REL_MAGIC_GEN5:
case MOUSE_MOVE_ABS_MAGIC:
case MOUSE_BUTTON_DOWN_EVENT_MAGIC_GEN5:
case MOUSE_BUTTON_UP_EVENT_MAGIC_GEN5:
case SCROLL_MAGIC_GEN5:
case SS_HSCROLL_MAGIC:
case KEY_DOWN_EVENT_MAGIC:
case KEY_UP_EVENT_MAGIC:
case UTF8_TEXT_EVENT_MAGIC:
if (!(permission & crypto::PERM::input_kbdm)) {
return;
} else {
break;
}
case SS_TOUCH_MAGIC:
if (!(permission & crypto::PERM::input_touch)) {
return;
} else {
break;
}
case SS_PEN_MAGIC:
if (!(permission & crypto::PERM::input_pen)) {
return;
} else {
break;
}
default:
// Unknown input event
return;
}
}
{
std::lock_guard<std::mutex> lg(input->input_queue_lock);
input->input_queue.push_back(std::move(input_data));

3
src/input.h
View File

@@ -8,6 +8,7 @@
#include "platform/common.h"
#include "thread_safe.h"
#include "crypto.h"
namespace input {
struct input_t;
@@ -17,7 +18,7 @@ namespace input {
void
reset(std::shared_ptr<input_t> &input);
void
passthrough(std::shared_ptr<input_t> &input, std::vector<std::uint8_t> &&input_data);
passthrough(std::shared_ptr<input_t> &input, std::vector<std::uint8_t> &&input_data, const crypto::PERM& permission);
[[nodiscard]] std::unique_ptr<platf::deinit_t>
init();

380
src/nvhttp.cpp
View File

@@ -31,6 +31,7 @@
#include "platform/common.h"
#include "process.h"
#include "rtsp.h"
#include "stream.h"
#include "system_tray.h"
#include "utility.h"
#include "uuid.h"
@@ -46,6 +47,15 @@ namespace nvhttp {
namespace fs = std::filesystem;
namespace pt = boost::property_tree;
using p_named_cert_t = crypto::p_named_cert_t;
using PERM = crypto::PERM;
struct client_t {
std::vector<p_named_cert_t> named_devices;
};
struct pair_session_t;
crypto::cert_chain_t cert_chain;
static std::string one_time_pin;
static std::string otp_passphrase;
@@ -76,7 +86,7 @@ namespace nvhttp {
context.use_private_key_file(private_key_file, boost::asio::ssl::context::pem);
}
std::function<int(SSL *)> verify;
std::function<bool(std::shared_ptr<Request>, SSL*)> verify;
std::function<void(std::shared_ptr<Response>, std::shared_ptr<Request>)> on_verify_failed;
protected:
@@ -120,7 +130,7 @@ namespace nvhttp {
if (!lock)
return;
if (!ec) {
if (verify && !verify(session->connection->socket->native_handle()))
if (verify && !verify(session->request, session->connection->socket->native_handle()))
this->write(session, on_verify_failed);
else
this->read(session);
@@ -143,16 +153,6 @@ namespace nvhttp {
std::string pkey;
} conf_intern;
struct named_cert_t {
std::string name;
std::string uuid;
std::string cert;
};
struct client_t {
std::vector<named_cert_t> named_devices;
};
struct pair_session_t {
struct {
std::string uniqueID;
@@ -225,12 +225,28 @@ namespace nvhttp {
pt::ptree node;
pt::ptree named_cert_nodes;
for (auto &named_cert : client.named_devices) {
pt::ptree named_cert_node;
named_cert_node.put("name"s, named_cert.name);
named_cert_node.put("cert"s, named_cert.cert);
named_cert_node.put("uuid"s, named_cert.uuid);
named_cert_nodes.push_back(std::make_pair(""s, named_cert_node));
std::unordered_set<std::string> unique_certs;
std::unordered_map<std::string, int> name_counts;
for (auto &named_cert_p : client.named_devices) {
if (unique_certs.insert(named_cert_p->cert).second) {
pt::ptree named_cert_node;
std::string base_name = named_cert_p->name;
// Remove existing pending id if present
size_t pos = base_name.find(" (");
if (pos != std::string::npos) {
base_name = base_name.substr(0, pos);
}
int count = name_counts[base_name]++;
std::string final_name = base_name;
if (count > 0) {
final_name += " (" + std::to_string(count + 1) + ")";
}
named_cert_node.put("name"s, final_name);
named_cert_node.put("cert"s, named_cert_p->cert);
named_cert_node.put("uuid"s, named_cert_p->uuid);
named_cert_node.put("perm"s, (uint32_t)named_cert_p->perm);
named_cert_nodes.push_back(std::make_pair(""s, named_cert_node));
}
}
root.add_child("root.named_devices"s, named_cert_nodes);
@@ -282,11 +298,12 @@ namespace nvhttp {
if (device_node.count("certs")) {
for (auto &[_, el] : device_node.get_child("certs")) {
named_cert_t named_cert;
named_cert.name = ""s;
named_cert.cert = el.get_value<std::string>();
named_cert.uuid = uuid_util::uuid_t::generate().string();
client.named_devices.emplace_back(named_cert);
auto named_cert_p = std::make_shared<crypto::named_cert_t>();
named_cert_p->name = ""s;
named_cert_p->cert = el.get_value<std::string>();
named_cert_p->uuid = uuid_util::uuid_t::generate().string();
named_cert_p->perm = PERM::_all;
client.named_devices.emplace_back(named_cert_p);
}
}
}
@@ -294,39 +311,42 @@ namespace nvhttp {
if (root.count("named_devices")) {
for (auto &[_, el] : root.get_child("named_devices")) {
named_cert_t named_cert;
named_cert.name = el.get_child("name").get_value<std::string>();
named_cert.cert = el.get_child("cert").get_value<std::string>();
named_cert.uuid = el.get_child("uuid").get_value<std::string>();
client.named_devices.emplace_back(named_cert);
auto named_cert_p = std::make_shared<crypto::named_cert_t>();
named_cert_p->name = el.get<std::string>("name");
named_cert_p->cert = el.get<std::string>("cert");
named_cert_p->uuid = el.get<std::string>("uuid");
named_cert_p->perm = (PERM)el.get("perm", (uint32_t)PERM::_all) & PERM::_all;
client.named_devices.emplace_back(named_cert_p);
}
}
// Empty certificate chain and import certs from file
cert_chain.clear();
for (auto &named_cert : client.named_devices) {
cert_chain.add(crypto::x509(named_cert.cert));
cert_chain.add(named_cert);
}
client_root = client;
}
void
add_authorized_client(const std::string &name, std::string &&cert) {
add_authorized_client(const p_named_cert_t& named_cert_p) {
client_t &client = client_root;
named_cert_t named_cert;
named_cert.name = name;
named_cert.cert = std::move(cert);
named_cert.uuid = uuid_util::uuid_t::generate().string();
client.named_devices.emplace_back(named_cert);
client.named_devices.push_back(named_cert_p);
#if defined SUNSHINE_TRAY && SUNSHINE_TRAY >= 1
system_tray::update_tray_paired(named_cert_p->name);
#endif
if (!config::sunshine.flags[config::flag::FRESH_STATE]) {
save_state();
load_state();
}
}
std::shared_ptr<rtsp_stream::launch_session_t>
make_launch_session(bool host_audio, const args_t &args) {
make_launch_session(bool host_audio, const args_t &args, const crypto::named_cert_t* named_cert_p) {
auto launch_session = std::make_shared<rtsp_stream::launch_session_t>();
launch_session->id = ++session_id_counter;
@@ -345,8 +365,10 @@ namespace nvhttp {
if (x == 2) launch_session->fps = atoi(segment.c_str());
x++;
}
launch_session->device_name = (get_arg(args, "devicename", "unknown"));
launch_session->unique_id = (get_arg(args, "uniqueid", "unknown"));
launch_session->device_name = named_cert_p->name.empty() ? "ApolloDisplay"s : named_cert_p->name;
launch_session->unique_id = named_cert_p->uuid;
launch_session->perm = named_cert_p->perm;
launch_session->appid = util::from_view(get_arg(args, "appid", "unknown"));
launch_session->enable_sops = util::from_view(get_arg(args, "sops", "0"));
launch_session->surround_info = util::from_view(get_arg(args, "surroundAudioInfo", "196610"));
@@ -458,7 +480,7 @@ namespace nvhttp {
}
void
clientpairingsecret(std::shared_ptr<safe::queue_t<crypto::x509_t>> &add_cert, pair_session_t &sess, pt::ptree &tree, const args_t &args) {
clientpairingsecret(pair_session_t &sess, pt::ptree &tree, const args_t &args) {
auto &client = sess.client;
auto pairingsecret = util::from_hex_vec(get_arg(args, "clientpairingsecret"), true);
@@ -487,11 +509,26 @@ namespace nvhttp {
// if hash not correct, probably MITM
if (!std::memcmp(hash.data(), sess.clienthash.data(), hash.size()) && crypto::verify256(crypto::x509(client.cert), secret, sign)) {
tree.put("root.paired", 1);
add_cert->raise(crypto::x509(client.cert));
auto named_cert_p = std::make_shared<crypto::named_cert_t>();
named_cert_p->name = client.name;
for (char& c : named_cert_p->name) {
if (c == '(') c = '[';
else if (c == ')') c = ']';
}
named_cert_p->cert = std::move(client.cert);
named_cert_p->uuid = uuid_util::uuid_t::generate().string();
// If the device is the first one paired with the server, assign full permission.
if (client_root.named_devices.empty()) {
named_cert_p->perm = PERM::_all;
} else {
named_cert_p->perm = PERM::_default;
}
auto it = map_id_sess.find(client.uniqueID);
add_authorized_client(client.name, std::move(client.cert));
map_id_sess.erase(it);
add_authorized_client(named_cert_p);
}
else {
map_id_sess.erase(client.uniqueID);
@@ -514,6 +551,11 @@ namespace nvhttp {
static auto constexpr to_string = "NONE"sv;
};
inline crypto::named_cert_t*
get_verified_cert(req_https_t request) {
return (crypto::named_cert_t*)request->userp.get();
}
template <class T>
void
print_req(std::shared_ptr<typename SimpleWeb::ServerBase<T>::Request> request) {
@@ -557,7 +599,7 @@ namespace nvhttp {
template <class T>
void
pair(std::shared_ptr<safe::queue_t<crypto::x509_t>> &add_cert, std::shared_ptr<typename SimpleWeb::ServerBase<T>::Response> response, std::shared_ptr<typename SimpleWeb::ServerBase<T>::Request> request) {
pair(std::shared_ptr<typename SimpleWeb::ServerBase<T>::Response> response, std::shared_ptr<typename SimpleWeb::ServerBase<T>::Request> request) {
print_req<T>(request);
pt::ptree tree;
@@ -621,10 +663,6 @@ namespace nvhttp {
if (hash.to_string_view() == it->second) {
#if defined SUNSHINE_TRAY && SUNSHINE_TRAY >= 1
system_tray::update_tray_otp_pair(ptr->second.client.name);
#endif
if (!otp_device_name.empty()) {
ptr->second.client.name = std::move(otp_device_name);
}
@@ -673,7 +711,7 @@ namespace nvhttp {
serverchallengeresp(sess_it->second, tree, args);
}
else if (it = args.find("clientpairingsecret"); it != std::end(args)) {
clientpairingsecret(add_cert, sess_it->second, tree, args);
clientpairingsecret(sess_it->second, tree, args);
}
else {
tree.put("root.<xmlattr>.status_code", 404);
@@ -767,20 +805,31 @@ namespace nvhttp {
if constexpr (std::is_same_v<SunshineHTTPS, T>) {
tree.put("root.mac", platf::get_mac_address(net::addr_to_normalized_string(local_endpoint.address())));
pt::ptree& root_node = tree.get_child("root");
auto named_cert_p = get_verified_cert(request);
if (!!(named_cert_p->perm & PERM::server_cmd)) {
pt::ptree& root_node = tree.get_child("root");
if (config::sunshine.server_cmds.size() > 0) {
// Broadcast server_cmds
for (const auto& cmd : config::sunshine.server_cmds) {
pt::ptree cmd_node;
cmd_node.put_value(cmd.cmd_name);
root_node.push_back(std::make_pair("ServerCommand", cmd_node));
if (config::sunshine.server_cmds.size() > 0) {
// Broadcast server_cmds
for (const auto& cmd : config::sunshine.server_cmds) {
pt::ptree cmd_node;
cmd_node.put_value(cmd.cmd_name);
root_node.push_back(std::make_pair("ServerCommand", cmd_node));
}
}
} else {
BOOST_LOG(debug) << "Permission Get ServerCommand denied for [" << named_cert_p->name << "] (" << (uint32_t)named_cert_p->perm << ")";
}
tree.put("root.Permission", std::to_string((uint32_t)named_cert_p->perm));
#ifdef _WIN32
tree.put("root.VirtualDisplayCapable", true);
tree.put("root.VirtualDisplayDriverReady", proc::vDisplayDriverStatus == VDISPLAY::DRIVER_STATUS::OK);
if (!!(named_cert_p->perm & PERM::_all_actions)) {
tree.put("root.VirtualDisplayDriverReady", proc::vDisplayDriverStatus == VDISPLAY::DRIVER_STATUS::OK);
} else {
tree.put("root.VirtualDisplayDriverReady", true);
}
#endif
}
else {
@@ -833,10 +882,16 @@ namespace nvhttp {
}
tree.put("root.ServerCodecModeSupport", codec_mode_flags);
auto current_appid = proc::proc.running();
tree.put("root.PairStatus", pair_status);
tree.put("root.currentgame", current_appid);
tree.put("root.state", current_appid > 0 ? "SUNSHINE_SERVER_BUSY" : "SUNSHINE_SERVER_FREE");
if constexpr (std::is_same_v<SunshineHTTPS, T>) {
auto current_appid = proc::proc.running();
tree.put("root.currentgame", current_appid);
tree.put("root.state", current_appid > 0 ? "SUNSHINE_SERVER_BUSY" : "SUNSHINE_SERVER_FREE");
} else {
tree.put("root.currentgame", 0);
tree.put("root.state", "SUNSHINE_SERVER_FREE");
}
std::ostringstream data;
@@ -849,10 +904,29 @@ namespace nvhttp {
get_all_clients() {
pt::ptree named_cert_nodes;
client_t &client = client_root;
for (auto &named_cert : client.named_devices) {
std::list<std::string> connected_uuids = rtsp_stream::get_all_session_uuids();
for (auto &named_cert_p : client.named_devices) {
pt::ptree named_cert_node;
named_cert_node.put("name"s, named_cert.name);
named_cert_node.put("uuid"s, named_cert.uuid);
named_cert_node.put("name"s, named_cert_p->name);
named_cert_node.put("uuid"s, named_cert_p->uuid);
named_cert_node.put("perm", (uint32_t)named_cert_p->perm);
if (connected_uuids.empty()) {
named_cert_node.put("connected"s, false);
} else {
bool connected = false;
for (auto it = connected_uuids.begin(); it != connected_uuids.end(); ++it) {
if (*it == named_cert_p->uuid) {
connected = true;
connected_uuids.erase(it);
break;
}
}
named_cert_node.put("connected"s, connected);
}
named_cert_nodes.push_back(std::make_pair(""s, named_cert_node));
}
@@ -877,15 +951,31 @@ namespace nvhttp {
apps.put("<xmlattr>.status_code", 200);
for (auto &proc : proc::proc.get_apps()) {
auto named_cert_p = get_verified_cert(request);
if (!!(named_cert_p->perm & PERM::_all_actions)) {
for (auto &proc : proc::proc.get_apps()) {
pt::ptree app;
app.put("IsHdrSupported"s, video::active_hevc_mode == 3 ? 1 : 0);
app.put("AppTitle"s, proc.name);
app.put("ID", proc.id);
apps.push_back(std::make_pair("App", std::move(app)));
}
} else {
BOOST_LOG(debug) << "Permission ListApp denied for [" << named_cert_p->name << "] (" << (uint32_t)named_cert_p->perm << ")";
pt::ptree app;
app.put("IsHdrSupported"s, video::active_hevc_mode == 3 ? 1 : 0);
app.put("AppTitle"s, proc.name);
app.put("ID", proc.id);
app.put("IsHdrSupported"s, 0);
app.put("AppTitle"s, "Permission Denied");
app.put("ID", "1145141919810");
apps.push_back(std::make_pair("App", std::move(app)));
return;
}
}
void
@@ -901,6 +991,17 @@ namespace nvhttp {
response->close_connection_after_response = true;
});
auto named_cert_p = get_verified_cert(request);
if (!(named_cert_p->perm & PERM::launch)) {
BOOST_LOG(debug) << "Permission LaunchApp denied for [" << named_cert_p->name << "] (" << (uint32_t)named_cert_p->perm << ")";
tree.put("root.resume", 0);
tree.put("root.<xmlattr>.status_code", 503);
tree.put("root.<xmlattr>.status_message", "Permission denied");
return;
}
if (rtsp_stream::session_count() == config::stream.channels) {
tree.put("root.resume", 0);
tree.put("root.<xmlattr>.status_code", 503);
@@ -932,7 +1033,7 @@ namespace nvhttp {
}
host_audio = util::from_view(get_arg(args, "localAudioPlayMode"));
auto launch_session = make_launch_session(host_audio, args);
auto launch_session = make_launch_session(host_audio, args, named_cert_p);
auto encryption_mode = net::encryption_mode_for_address(request->remote_endpoint().address());
if (!launch_session->rtsp_cipher && encryption_mode == config::ENCRYPTION_MODE_MANDATORY) {
@@ -998,6 +1099,17 @@ namespace nvhttp {
response->close_connection_after_response = true;
});
auto named_cert_p = get_verified_cert(request);
if (!(named_cert_p->perm & PERM::_allow_view)) {
BOOST_LOG(debug) << "Permission ViewApp denied for [" << named_cert_p->name << "] (" << (uint32_t)named_cert_p->perm << ")";
tree.put("root.resume", 0);
tree.put("root.<xmlattr>.status_code", 503);
tree.put("root.<xmlattr>.status_message", "Permission denied");
return;
}
// It is possible that due a race condition that this if-statement gives a false negative,
// that is automatically resolved in rtsp_server_t
if (rtsp_stream::session_count() == config::stream.channels) {
@@ -1049,7 +1161,7 @@ namespace nvhttp {
}
}
auto launch_session = make_launch_session(host_audio, args);
auto launch_session = make_launch_session(host_audio, args, named_cert_p);
auto encryption_mode = net::encryption_mode_for_address(request->remote_endpoint().address());
if (!launch_session->rtsp_cipher && encryption_mode == config::ENCRYPTION_MODE_MANDATORY) {
@@ -1069,6 +1181,10 @@ namespace nvhttp {
tree.put("root.resume", 1);
rtsp_stream::launch_session_raise(launch_session);
#if defined SUNSHINE_TRAY && SUNSHINE_TRAY >= 1
system_tray::update_tray_client_connected(named_cert_p->name);
#endif
}
void
@@ -1084,6 +1200,17 @@ namespace nvhttp {
response->close_connection_after_response = true;
});
auto named_cert_p = get_verified_cert(request);
if (!(named_cert_p->perm & PERM::launch)) {
BOOST_LOG(debug) << "Permission CancelApp denied for [" << named_cert_p->name << "] (" << (uint32_t)named_cert_p->perm << ")";
tree.put("root.resume", 0);
tree.put("root.<xmlattr>.status_code", 503);
tree.put("root.<xmlattr>.status_message", "Permission denied");
return;
}
// It is possible that due a race condition that this if-statement gives a false positive,
// the client should try again
if (rtsp_stream::session_count() != 0) {
@@ -1106,9 +1233,27 @@ namespace nvhttp {
appasset(resp_https_t response, req_https_t request) {
print_req<SunshineHTTPS>(request);
auto fg = util::fail_guard([&]() {
response->write(SimpleWeb::StatusCode::server_error_internal_server_error);
response->close_connection_after_response = true;
});
auto named_cert_p = get_verified_cert(request);
if (!(named_cert_p->perm & PERM::_all_actions)) {
BOOST_LOG(debug) << "Permission Get AppAsset denied for [" << named_cert_p->name << "] (" << (uint32_t)named_cert_p->perm << ")";
fg.disable();
response->write(SimpleWeb::StatusCode::client_error_unauthorized);
response->close_connection_after_response = true;
return;
}
auto args = request->parse_query_string();
auto app_image = proc::proc.get_app_image(util::from_view(get_arg(args, "appid")));
fg.disable();
std::ifstream in(app_image, std::ios::binary);
SimpleWeb::CaseInsensitiveMultimap headers;
headers.emplace("Content-Type", "image/png");
@@ -1133,8 +1278,6 @@ namespace nvhttp {
conf_intern.pkey = file_handler::read_file(config::nvhttp.pkey.c_str());
conf_intern.servercert = file_handler::read_file(config::nvhttp.cert.c_str());
auto add_cert = std::make_shared<safe::queue_t<crypto::x509_t>>(30);
// resume doesn't always get the parameter "localAudioPlayMode"
// launch will store it in host_audio
bool host_audio {};
@@ -1143,43 +1286,39 @@ namespace nvhttp {
http_server_t http_server;
// Verify certificates after establishing connection
https_server.verify = [add_cert](SSL *ssl) {
https_server.verify = [](req_https_t req, SSL *ssl) {
crypto::x509_t x509 { SSL_get_peer_certificate(ssl) };
if (!x509) {
BOOST_LOG(info) << "unknown -- denied"sv;
return 0;
return false;
}
int verified = 0;
bool verified = false;
p_named_cert_t named_cert_p;
auto fg = util::fail_guard([&]() {
char subject_name[256];
X509_NAME_oneline(X509_get_subject_name(x509.get()), subject_name, sizeof(subject_name));
BOOST_LOG(debug) << subject_name << " -- "sv << (verified ? "verified"sv : "denied"sv);
if (verified) {
BOOST_LOG(debug) << subject_name << " -- "sv << "verified, device name: "sv << named_cert_p->name;
} else {
BOOST_LOG(debug) << subject_name << " -- "sv << "denied"sv;
}
});
while (add_cert->peek()) {
char subject_name[256];
auto cert = add_cert->pop();
X509_NAME_oneline(X509_get_subject_name(cert.get()), subject_name, sizeof(subject_name));
BOOST_LOG(debug) << "Added cert ["sv << subject_name << ']';
cert_chain.add(std::move(cert));
}
auto err_str = cert_chain.verify(x509.get());
auto err_str = cert_chain.verify(x509.get(), named_cert_p);
if (err_str) {
BOOST_LOG(warning) << "SSL Verification error :: "sv << err_str;
return verified;
}
verified = 1;
verified = true;
req->userp = named_cert_p;
return verified;
return true;
};
https_server.on_verify_failed = [](resp_https_t resp, req_https_t req) {
@@ -1199,7 +1338,7 @@ namespace nvhttp {
https_server.default_resource["GET"] = not_found<SunshineHTTPS>;
https_server.resource["^/serverinfo$"]["GET"] = serverinfo<SunshineHTTPS>;
https_server.resource["^/pair$"]["GET"] = [&add_cert](auto resp, auto req) { pair<SunshineHTTPS>(add_cert, resp, req); };
https_server.resource["^/pair$"]["GET"] = pair<SunshineHTTPS>;
https_server.resource["^/applist$"]["GET"] = applist;
https_server.resource["^/appasset$"]["GET"] = appasset;
https_server.resource["^/launch$"]["GET"] = [&host_audio](auto resp, auto req) { launch(host_audio, resp, req); };
@@ -1212,7 +1351,7 @@ namespace nvhttp {
http_server.default_resource["GET"] = not_found<SimpleWeb::HTTP>;
http_server.resource["^/serverinfo$"]["GET"] = serverinfo<SimpleWeb::HTTP>;
http_server.resource["^/pair$"]["GET"] = [&add_cert](auto resp, auto req) { pair<SimpleWeb::HTTP>(add_cert, resp, req); };
http_server.resource["^/pair$"]["GET"] = pair<SimpleWeb::HTTP>;
http_server.config.reuse_address = true;
http_server.config.address = net::af_to_any_address_string(address_family);
@@ -1265,6 +1404,55 @@ namespace nvhttp {
client_root = client;
cert_chain.clear();
save_state();
load_state();
}
void stop_session(stream::session_t& session, bool graceful) {
if (graceful) {
stream::session::graceful_stop(session);
} else {
stream::session::stop(session);
}
}
bool find_and_stop_session(const std::string& uuid, bool graceful) {
auto session = rtsp_stream::find_session(uuid);
if (session) {
stop_session(*session, graceful);
return true;
}
return false;
}
void update_session_info(stream::session_t& session, const std::string& name, const crypto::PERM newPerm) {
stream::session::update_device_info(session, name, newPerm);
}
bool find_and_udpate_session_info(const std::string& uuid, const std::string& name, const crypto::PERM newPerm) {
auto session = rtsp_stream::find_session(uuid);
if (session) {
update_session_info(*session, name, newPerm);
return true;
}
return false;
}
bool update_device_info(const std::string& uuid, const std::string& name, const crypto::PERM newPerm) {
find_and_udpate_session_info(uuid, name, newPerm);
client_t &client = client_root;
auto it = client.named_devices.begin();
for (; it != client.named_devices.end(); ++it) {
auto named_cert_p = *it;
if (named_cert_p->uuid == uuid) {
named_cert_p->name = name;
named_cert_p->perm = newPerm;
save_state();
return true;
}
}
return false;
}
int
@@ -1272,7 +1460,7 @@ namespace nvhttp {
int removed = 0;
client_t &client = client_root;
for (auto it = client.named_devices.begin(); it != client.named_devices.end();) {
if ((*it).uuid == uuid) {
if ((*it)->uuid == uuid) {
it = client.named_devices.erase(it);
removed++;
}
@@ -1283,6 +1471,18 @@ namespace nvhttp {
save_state();
load_state();
if (removed) {
auto session = rtsp_stream::find_session(uuid);
if (session) {
stop_session(*session, true);
}
if (client.named_devices.empty()) {
proc::proc.terminate();
}
}
return removed;
}
} // namespace nvhttp

45
src/nvhttp.h
View File

@@ -13,6 +13,8 @@
#include <boost/property_tree/ptree.hpp>
// local includes
#include "crypto.h"
#include "rtsp.h"
#include "thread_safe.h"
using namespace std::chrono_literals;
@@ -96,4 +98,47 @@ namespace nvhttp {
*/
void
erase_all_clients();
/**
* @brief Stops a session.
*
* @param session The session
* @param[in] graceful Whether to stop gracefully
*/
void stop_session(stream::session_t& session, bool graceful);
/**
* @brief Finds and stop session.
*
* @param[in] uuid The uuid string
* @param[in] graceful Whether to stop gracefully
*/
bool find_and_stop_session(const std::string& uuid, bool graceful);
/**
* @brief Update device info associated to the session
*
* @param session The session
* @param[in] name New name
* @param[in] newPerm New permission
*/
void update_session_info(stream::session_t& session, const std::string& name, const crypto::PERM newPerm);
/**
* @brief Finds and udpate session information.
*
* @param[in] uuid The uuid string
* @param[in] name New name
* @param[in] newPerm New permission
*/
bool find_and_udpate_session_info(const std::string& uuid, const std::string& name, const crypto::PERM newPerm);
/**
* @brief Update device info
*
* @param[in] uuid The uuid string
* @param[in] name New name
* @param[in] newPerm New permission
*/
bool update_device_info(const std::string& uuid, const std::string& name, const crypto::PERM newPerm);
} // namespace nvhttp

21
src/platform/windows/virtual_display.cpp
View File

@@ -290,34 +290,15 @@ bool setRenderAdapterByName(const std::wstring& adapterName) {
std::wstring createVirtualDisplay(
const char* s_client_uid,
const char* s_client_name,
const char* s_app_name,
uint32_t width,
uint32_t height,
uint32_t fps,
GUID& guid
const GUID& guid
) {
if (SUDOVDA_DRIVER_HANDLE == INVALID_HANDLE_VALUE) {
return std::wstring();
}
if (!s_app_name || !strlen(s_app_name) || !strcmp(s_app_name, "unknown")) {
s_app_name = "ApolloVDisp";
}
if (!s_client_name || !strlen(s_client_name) || !strcmp(s_client_name, "unknown")) {
s_client_name = s_app_name;
}
if (s_client_uid && strcmp(s_client_uid, "unknown")) {
size_t len = strlen(s_client_uid);
if (len > sizeof(GUID)) {
len = sizeof(GUID);
}
memcpy((void*)&guid, (void*)s_client_uid, len);
} else {
s_client_uid = "unknown";
}
VIRTUAL_DISPLAY_ADD_OUT output;
if (!AddVirtualDisplay(SUDOVDA_DRIVER_HANDLE, width, height, fps, guid, s_client_name, s_client_uid, output)) {
printf("[SUDOVDA] Failed to add virtual display.\n");

3
src/platform/windows/virtual_display.h
View File

@@ -35,11 +35,10 @@ namespace VDISPLAY {
std::wstring createVirtualDisplay(
const char* s_client_uid,
const char* s_client_name,
const char* s_app_name,
uint32_t width,
uint32_t height,
uint32_t fps,
GUID& guid
const GUID& guid
);
bool removeVirtualDisplay(const GUID& guid);
}

6
src/process.cpp
View File

@@ -29,6 +29,7 @@
#include "system_tray.h"
#include "utility.h"
#include "video.h"
#include "uuid.h"
#ifdef _WIN32
// from_utf8() string conversion function
@@ -205,12 +206,13 @@ namespace proc {
VDISPLAY::setRenderAdapterByName(platf::from_utf8(config::video.adapter_name));
}
memcpy(&launch_session->display_guid, &http::uuid, sizeof(GUID));
auto device_uuid = uuid_util::uuid_t::parse(launch_session->unique_id);
memcpy(&launch_session->display_guid, &device_uuid, sizeof(GUID));
std::wstring vdisplayName = VDISPLAY::createVirtualDisplay(
launch_session->unique_id.c_str(),
launch_session->device_name.c_str(),
_app.name.c_str(),
render_width,
render_height,
launch_session->fps,

35
src/rtsp.cpp
View File

@@ -618,6 +618,31 @@ namespace rtsp_stream {
return nullptr;
}
std::shared_ptr<stream::session_t>
find_session(const std::string& uuid) {
auto lg = _session_slots.lock();
for (auto &slot : *_session_slots) {
if (slot && stream::session::uuid_match(*slot, uuid)) {
return slot;
}
}
return nullptr;
}
std::list<std::string>
get_all_session_uuids() {
std::list<std::string> uuids;
auto lg = _session_slots.lock();
for (auto &slot : *_session_slots) {
if (slot) {
uuids.push_back(stream::session::uuid(*slot));
}
}
return uuids;
}
private:
std::unordered_map<std::string_view, cmd_func_t> _map_cmd_cb;
@@ -652,6 +677,16 @@ namespace rtsp_stream {
return server.session_count();
}
std::shared_ptr<stream::session_t>
find_session(const std::string& uuid) {
return server.find_session(uuid);
}
std::list<std::string>
get_all_session_uuids() {
return server.get_all_session_uuids();
}
int
send(tcp::socket &sock, const std::string_view &sv) {
std::size_t bytes_send = 0;

16
src/rtsp.h
View File

@@ -5,10 +5,16 @@
#pragma once
#include <atomic>
#include <memory>
#include "crypto.h"
#include "thread_safe.h"
// Resolve circular dependencies
namespace stream {
struct session_t;
}
namespace rtsp_stream {
constexpr auto RTSP_SETUP_PORT = 21;
@@ -21,9 +27,11 @@ namespace rtsp_stream {
std::string av_ping_payload;
uint32_t control_connect_data;
bool host_audio;
std::string device_name;
std::string unique_id;
crypto::PERM perm;
bool host_audio;
int width;
int height;
int fps;
@@ -58,6 +66,12 @@ namespace rtsp_stream {
int
session_count();
std::shared_ptr<stream::session_t>
find_session(const std::string& uuid);
std::list<std::string>
get_all_session_uuids();
void
rtpThread();

95
src/stream.cpp
View File

@@ -20,6 +20,7 @@ extern "C" {
}
#include "config.h"
#include "crypto.h"
#include "globals.h"
#include "input.h"
#include "logging.h"
@@ -403,6 +404,9 @@ namespace stream {
} control;
std::uint32_t launch_session_id;
std::string device_name;
std::string device_uuid;
crypto::PERM permission;
safe::mail_raw_t::event_t<bool> shutdown_event;
safe::signal_t controlEnd;
@@ -992,11 +996,17 @@ namespace stream {
std::copy(payload.end() - 16, payload.end(), std::begin(iv));
}
input::passthrough(session->input, std::move(plaintext));
input::passthrough(session->input, std::move(plaintext), session->permission);
});
server->map(packetTypes[IDX_EXEC_SERVER_CMD], [server](session_t *session, const std::string_view &payload) {
BOOST_LOG(debug) << "type [IDX_EXEC_SERVER_CMD]"sv;
if (!(session->permission & crypto::PERM::server_cmd)) {
BOOST_LOG(debug) << "Permission Exec Server Cmd deined for [" << session->device_name << "]";
return;
}
uint8_t cmdIndex = *(uint8_t*)payload.data();
if (cmdIndex < config::sunshine.server_cmds.size()) {
@@ -1024,10 +1034,20 @@ namespace stream {
server->map(packetTypes[IDX_SET_CLIPBOARD], [server](session_t *session, const std::string_view &payload) {
BOOST_LOG(info) << "type [IDX_SET_CLIPBOARD]: "sv << payload << " size: " << payload.size();
if (!(session->permission & crypto::PERM::clipboard_set)) {
BOOST_LOG(debug) << "Permission Clipboard Set deined for [" << session->device_name << "]";
return;
}
});
server->map(packetTypes[IDX_FILE_TRANSFER_NONCE_REQUEST], [server](session_t *session, const std::string_view &payload) {
BOOST_LOG(info) << "type [IDX_FILE_TRANSFER_NONCE_REQUEST]: "sv << payload << " size: " << payload.size();
if (!(session->permission & crypto::PERM::file_upload)) {
BOOST_LOG(debug) << "Permission File Upload deined for [" << session->device_name << "]";
return;
}
});
server->map(packetTypes[IDX_ENCRYPTED], [server](session_t *session, const std::string_view &payload) {
@@ -1091,7 +1111,7 @@ namespace stream {
// IDX_INPUT_DATA callback will attempt to decrypt unencrypted data, therefore we need pass it directly
if (type == packetTypes[IDX_INPUT_DATA]) {
plaintext.erase(std::begin(plaintext), std::begin(plaintext) + 4);
input::passthrough(session->input, std::move(plaintext));
input::passthrough(session->input, std::move(plaintext), session->permission);
}
else {
server->call(type, session, next_payload, true);
@@ -1949,6 +1969,40 @@ namespace stream {
return session.state.load(std::memory_order_relaxed);
}
inline bool
send(session_t& session, const std::string_view &payload) {
return session.broadcast_ref->control_server.send(payload, session.control.peer);
}
std::string
uuid(const session_t& session) {
return session.device_uuid;
}
bool
uuid_match(const session_t &session, const std::string& uuid) {
return session.device_uuid == uuid;
}
bool
update_device_info(session_t& session, const std::string& name, const crypto::PERM& newPerm) {
session.permission = newPerm;
if (!(newPerm & crypto::PERM::_allow_view)) {
BOOST_LOG(debug) << "Session: View permission revoked for [" << session.device_name << "], disconnecting...";
graceful_stop(session);
return true;
}
BOOST_LOG(debug) << "Session: Permission updated for [" << session.device_name << "]";
if (session.device_name != name) {
BOOST_LOG(debug) << "Session: Device name changed from [" << session.device_name << "] to [" << name << "]";
session.device_name = name;
}
return false;
}
void
stop(session_t &session) {
while_starting_do_nothing(session.state);
@@ -1961,6 +2015,40 @@ namespace stream {
session.shutdown_event->raise(true);
}
void
graceful_stop(session_t& session) {
while_starting_do_nothing(session.state);
auto expected = state_e::RUNNING;
auto already_stopping = !session.state.compare_exchange_strong(expected, state_e::STOPPING);
if (already_stopping) {
return;
}
// reason: graceful termination
std::uint32_t reason = 0x80030023;
control_terminate_t plaintext;
plaintext.header.type = packetTypes[IDX_TERMINATION];
plaintext.header.payloadLength = sizeof(plaintext.ec);
plaintext.ec = util::endian::big<uint32_t>(reason);
// We may not have gotten far enough to have an ENet connection yet
if (session.control.peer) {
std::array<std::uint8_t,
sizeof(control_encrypted_t) + crypto::cipher::round_to_pkcs7_padded(sizeof(plaintext)) + crypto::cipher::tag_size>
encrypted_payload;
auto payload = stream::encode_control(&session, util::view(plaintext), encrypted_payload);
if (send(session, payload)) {
TUPLE_2D(port, addr, platf::from_sockaddr_ex((sockaddr *) &session.control.peer->address.address));
BOOST_LOG(warning) << "Couldn't send termination code to ["sv << addr << ':' << port << ']';
}
}
session.shutdown_event->raise(true);
session.controlEnd.raise(true);
}
void
join(session_t &session) {
// Current Nvidia drivers have a bug where NVENC can deadlock the encoder thread with hardware-accelerated
@@ -2051,6 +2139,9 @@ namespace stream {
session->shutdown_event = mail->event<bool>(mail::shutdown);
session->launch_session_id = launch_session.id;
session->device_name = launch_session.device_name;
session->device_uuid = launch_session.unique_id;
session->permission = launch_session.perm;
session->config = config;

10
src/stream.h
View File

@@ -43,13 +43,23 @@ namespace stream {
std::shared_ptr<session_t>
alloc(config_t &config, rtsp_stream::launch_session_t &launch_session);
std::string
uuid(const session_t& session);
bool
uuid_match(const session_t& session, const std::string& uuid);
bool
update_device_info(session_t& session, const std::string& name, const crypto::PERM& newPerm);
int
start(session_t &session, const std::string &addr_string);
void
stop(session_t &session);
void
graceful_stop(session_t& session);
void
join(session_t &session);
state_e
state(session_t &session);
inline bool
send(session_t& session);
} // namespace session
} // namespace stream

44
src/system_tray.cpp
View File

@@ -268,8 +268,8 @@ namespace system_tray {
snprintf(msg, std::size(msg), "Streaming started for %s", app_name.c_str());
snprintf(force_close_msg, std::size(force_close_msg), "Force close [%s]", app_name.c_str());
#ifdef _WIN32
strcpy(msg, convertUtf8ToCurrentCodepage(msg).c_str());
strcpy(force_close_msg, convertUtf8ToCurrentCodepage(force_close_msg).c_str());
strncpy(msg, convertUtf8ToCurrentCodepage(msg).c_str(), std::size(msg) - 1);
strncpy(force_close_msg, convertUtf8ToCurrentCodepage(force_close_msg).c_str(), std::size(force_close_msg) - 1);
#endif
tray.notification_text = msg;
tray.notification_icon = TRAY_ICON_PLAYING;
@@ -293,7 +293,7 @@ namespace system_tray {
char msg[256];
snprintf(msg, std::size(msg), "Streaming paused for %s", app_name.c_str());
#ifdef _WIN32
strcpy(msg, convertUtf8ToCurrentCodepage(msg).c_str());
strncpy(msg, convertUtf8ToCurrentCodepage(msg).c_str(), std::size(msg) - 1);
#endif
tray.icon = TRAY_ICON_PAUSING;
tray.notification_title = "Stream Paused";
@@ -318,7 +318,7 @@ namespace system_tray {
char msg[256];
snprintf(msg, std::size(msg), "Streaming stopped for %s", app_name.c_str());
#ifdef _WIN32
strcpy(msg, convertUtf8ToCurrentCodepage(msg).c_str());
strncpy(msg, convertUtf8ToCurrentCodepage(msg).c_str(), std::size(msg) - 1);
#endif
tray.icon = TRAY_ICON;
tray.notification_icon = TRAY_ICON;
@@ -344,7 +344,7 @@ namespace system_tray {
char msg[256];
snprintf(msg, std::size(msg), "Application %s exited too fast with code %d. Click here to terminate the stream.", app_name.c_str(), exit_code);
#ifdef _WIN32
strcpy(msg, convertUtf8ToCurrentCodepage(msg).c_str());
strncpy(msg, convertUtf8ToCurrentCodepage(msg).c_str(), std::size(msg) - 1);
#endif
tray.icon = TRAY_ICON;
tray.notification_icon = TRAY_ICON;
@@ -382,7 +382,30 @@ namespace system_tray {
}
void
update_tray_otp_pair(std::string device_name) {
update_tray_paired(std::string device_name) {
if (!tray_initialized) {
return;
}
tray.notification_title = NULL;
tray.notification_text = NULL;
tray.notification_cb = NULL;
tray.notification_icon = NULL;
tray_update(&tray);
char msg[256];
snprintf(msg, std::size(msg), "Device %s paired Succesfully. Please make sure you have access to the device.", device_name.c_str());
#ifdef _WIN32
strncpy(msg, convertUtf8ToCurrentCodepage(msg).c_str(), std::size(msg) - 1 - 1);
#endif
tray.notification_title = "Device Paired Succesfully";
tray.notification_text = msg;
tray.notification_icon = TRAY_ICON;
tray.tooltip = PROJECT_NAME;
tray_update(&tray);
}
void
update_tray_client_connected(std::string client_name) {
if (!tray_initialized) {
return;
}
@@ -394,14 +417,13 @@ namespace system_tray {
tray.icon = TRAY_ICON;
tray_update(&tray);
char msg[256];
snprintf(msg, std::size(msg), "OTP Pairing started for device \"%s\". Please make sure you have access to the device initiating the pairing request.", device_name.c_str());
snprintf(msg, std::size(msg), "%s has connected to the session.", client_name.c_str());
#ifdef _WIN32
strcpy(msg, convertUtf8ToCurrentCodepage(msg).c_str());
strncpy(msg, convertUtf8ToCurrentCodepage(msg).c_str(), std::size(msg) - 1);
#endif
tray.icon = TRAY_ICON;
tray.notification_title = "Incoming OTP Pairing Request";
tray.notification_title = "Client Connected";
tray.notification_text = msg;
tray.notification_icon = TRAY_ICON_LOCKED;
tray.notification_icon = TRAY_ICON;
tray.tooltip = PROJECT_NAME;
tray_update(&tray);
}

5
src/system_tray.h
View File

@@ -86,5 +86,8 @@ namespace system_tray {
update_tray_require_pin();
void
update_tray_otp_pair(std::string device_name);
update_tray_paired(std::string device_name);
void
update_tray_client_connected(std::string client_name);
} // namespace system_tray

11
src_assets/common/assets/web/config.html
View File

@@ -405,6 +405,17 @@
}, 5000);
fetch("/api/restart", {
method: "POST"
})
.then((resp) => {
if (resp.status !== 200) {
location.href = './login'
return
}
})
.catch((e) => {
location.href = './login'
console.error(e)
return
});
}
});

303
src_assets/common/assets/web/pin.html
View File

@@ -57,6 +57,71 @@
<div class="alert alert-warning">
<b>{{ $t('_common.warning') }}</b> {{ $t('pin.warning_msg') }}
</div>
<!-- Unpair Clients -->
<div class="card my-4 align-self-stretch">
<div class="card-body">
<div class="p-2">
<div class="d-flex justify-content-end align-items-center">
<h2 id="unpair" class="me-auto">{{ $t('pin.device_management') }}</h2>
<button class="btn btn-danger" :disabled="unpairAllPressed" @click="unpairAll">
{{ $t('pin.unpair_all') }}
</button>
</div>
<br />
<p class="mb-0">{{ $t('pin.device_management_desc') }}</p>
<div id="apply-alert" class="alert alert-success d-flex align-items-center mt-3" :style="{ 'display': (showApplyMessage ? 'flex !important': 'none !important') }">
<div class="me-2"><b>{{ $t('_common.success') }}</b> {{ $t('pin.unpair_single_success') }}</div>
<button class="btn btn-success ms-auto apply" @click="clickedApplyBanner">{{ $t('_common.dismiss') }}</button>
</div>
<div class="alert alert-success mt-3" v-if="unpairAllStatus === true">
{{ $t('pin.unpair_all_success') }}
</div>
<div class="alert alert-danger mt-3" v-if="unpairAllStatus === false">
{{ $t('pin.unpair_all_error') }}
</div>
</div>
</div>
<ul id="client-list" class="list-group list-group-flush list-group-item-light" v-if="clients && clients.length > 0">
<template v-for="client in clients" class="list-group-item d-flex align-items-center">
<div v-if="client.editing" class="list-group-item d-flex align-items-stretch flex-column">
<div class="d-flex align-items-center">
<div class="p-2 flex-grow-1 d-flex align-items-center">
<span class="badge" :class="client.editPerm >= 0x04000000 ? 'bg-danger' : 'bg-primary'">
[ {{permToStr(client.editPerm)}} ]
</span>
&nbsp;
<input v-model="client.editName" @keyup.enter="saveClient(client)" class="form-control flex-grow-1" type="text" :placeholder="$t('pin.device_name')">
</div>
<div class="me-2 btn btn-success" @click="saveClient(client)"><i class="fas fa-check"></i></div>
<div class="me-2 btn btn-secondary" @click="cancelEdit(client)"><i class="fas fa-times"></i></div>
</div>
<div class="align-items-top d-flex flex-row justify-content-center">
<div v-for="group in permissionGroups" class="d-flex flex-column mx-2">
<div class="mx-2">{{ group.name }}:</div>
<button v-for="perm in group.permissions" class="my-1 btn btn-sm" :disabled="isSupressed(client.editPerm, perm.name, perm.supressed_by)" :class="(isSupressed(client.editPerm, perm.name, perm.supressed_by) || checkPermission(client.editPerm, perm.name)) ? 'btn-success' : 'btn-outline-secondary'" @click="togglePermission(client, perm.name)">
{{ $t(`permissions.${perm.name}`) }}
</button>
</div>
</div>
</div>
<div v-else class="list-group-item d-flex align-items-center">
<div class="p-2 flex-grow-1 d-flex align-items-center">
<span class="badge" :class="client.perm >= 0x04000000 ? 'bg-danger' : 'bg-primary'">
[ {{permToStr(client.perm)}} ]
</span>
&nbsp;
<span class="me-2">{{client.name != "" ? client.name : $t('pin.unpair_single_unknown')}}</span>
</div>
<div v-if="client.connected" class="me-2 btn btn-warning" @click="disconnectClient(client.uuid)"><i class="fas fa-link-slash"></i></div>
<div class="me-2 btn btn-primary" @click="editClient(client)"><i class="fas fa-edit"></i></div>
<div class="me-2 btn btn-danger" @click="unpairSingle(client.uuid)"><i class="fas fa-trash"></i></div>
</div>
</template>
</ul>
<ul v-else class="list-group list-group-flush list-group-item-light">
<div class="list-group-item p-3 text-center"><em>{{ $t('pin.unpair_single_no_devices') }}</em></div>
</ul>
</div>
</div>
</body>
@@ -91,6 +156,106 @@
}
}
/**
* Permissions:
enum class PERM: uint32_t {
_reserved = 1,
_input = _reserved << 8, // Input permission group
input_controller = _input << 0, // Allow controller input
input_touch = _input << 1, // Allow touch input
input_pen = _input << 2, // Allow pen input
input_kbdm = _input << 3, // Allow kbd/mouse input
_all_inputs = input_controller | input_touch | input_pen | input_kbdm,
_operation = _input << 8, // Operation permission group
clipboard_set = _operation << 0, // Allow set clipboard from client
clipboard_read = _operation << 1, // Allow read clipboard from host
file_upload = _operation << 2, // Allow upload files to host
file_dwnload = _operation << 3, // Allow download files from host
server_cmd = _operation << 4, // Allow execute server cmd
_all_opeiations = clipboard_set | clipboard_read | file_upload | file_dwnload | server_cmd,
_action = _operation << 8, // Action permission group
list = _action << 0, // Allow list apps
view = _action << 1, // Allow view streams
launch = _action << 2, // Allow launch apps
_allow_view = view | launch, // Launch contains view permission
_all_actions = list | view | launch,
_default = view | list, // Default permissions for new clients
_no = 0, // No permissions are granted
_all = _all_inputs | _all_opeiations | _all_actions, // All current permissions
};
*/
const permissionMapping = {
// Input permission group
input_controller: 0x00000100,
input_touch: 0x00000200,
input_pen: 0x00000400,
input_kbdm: 0x00000800,
_all_inputs: 0x00000F00,
// Operation permission group
clipboard_set: 0x00010000,
clipboard_read: 0x00020000,
file_upload: 0x00040000,
file_dwnload: 0x00080000,
server_cmd: 0x00100000,
_all_operations: 0x001F0000,
// Action permission group
list: 0x01000000,
view: 0x02000000,
launch: 0x04000000,
_allow_view: 0x06000000,
_all_actions: 0x07000000,
// Special permissions
_default: 0x03000000,
_no: 0x00000000,
_all: 0x071F0F00
};
const permissionGroups = [
{ name: 'Action', permissions: [
{
name: 'list',
supressed_by: ['view', 'launch']
}, {
name: 'view',
supressed_by: ['launch']
}, {
name: 'launch',
supressed_by: []
}
] },
{ name: 'Operation', permissions: [
{
name: 'server_cmd',
supressed_by: []
}
] },
{ name: 'Input', permissions: [
{
name: 'input_controller',
supressed_by: []
}, {
name: 'input_touch',
supressed_by: []
}, {
name: 'input_pen',
supressed_by: []
}, {
name: 'input_kbdm',
supressed_by: []
}
] },
];
let currentEditingClient = null;
const data = () => {
return {
editingHost: false,
@@ -102,7 +267,12 @@
deviceName: '',
hostAddr: '',
hostPort: '',
hostName: ''
hostName: '',
permissionGroups,
clients: [],
showApplyMessage: false,
unpairAllPressed: false,
unpairAllStatus: null
}
}
@@ -120,10 +290,14 @@
return !!(this.hostAddr && this.hostPort);
}
},
created() {
this.refreshClients();
},
methods: {
switchTab(currentTab) {
location.hash = currentTab;
Object.assign(this, data());
const clients = this.clients;
Object.assign(this, data(), { clients });
hostInfoCache = null;
clearTimeout(resetOTPTimeout);
},
@@ -155,6 +329,8 @@
).innerHTML = `<div class="alert alert-success" role="alert">${this.i18n.t('pin.pair_success')}</div>`;
document.querySelector("#pin-input").value = "";
document.querySelector("#name-input").value = "";
setTimeout(() => this.refreshClients(), 1000);
} else {
document.querySelector(
"#status"
@@ -217,7 +393,128 @@
}
}
})
}
},
clickedApplyBanner() {
this.showApplyMessage = false;
},
editClient(client) {
if (currentEditingClient) {
this.cancelEdit(currentEditingClient);
}
currentEditingClient = client;
client.editing = true;
client.editPerm = client.perm;
client.editName = client.name;
},
cancelEdit(client) {
client.editing = false;
client.editPerm = client.perm;
client.editName = client.name;
currentEditingClient = null;
},
saveClient(client) {
client.editing = false;
currentEditingClient = null;
const editedClient = {
uuid: client.uuid,
name: client.editName,
perm: client.editPerm & permissionMapping._all
}
fetch("/api/clients/update", {
credentials: 'include',
method: "POST",
body: JSON.stringify(editedClient)
}).finally(() => {
setTimeout(() => {
this.refreshClients();
}, 1000);
});
},
permToStr(perm) {
const permSegments = [];
permSegments.push((perm >> 24) & 0xFF);
permSegments.push((perm >> 16) & 0xFF);
permSegments.push((perm >> 8) & 0xFF);
return permSegments.map(seg => seg.toString(16).toUpperCase().padStart(2, '0')).join(' ');
},
checkPermission(perm, permission) {
return (perm & permissionMapping[permission]) !== 0;
},
isSupressed(perm, permission, supressed_by) {
for (const supressed of supressed_by) {
if (this.checkPermission(perm, supressed)) {
return true;
}
}
return false;
},
togglePermission(client, permission) {
client.editPerm ^= permissionMapping[permission];
},
disconnectClient(uuid) {
fetch("/api/clients/disconnect", {
credentials: 'include',
method: "POST",
body: JSON.stringify({ uuid })
}).finally(() => {
setTimeout(() => {
this.refreshClients();
}, 1000);
});
},
unpairAll() {
this.unpairAllPressed = true;
fetch("/api/clients/unpair-all", {
credentials: 'include',
method: "POST"
})
.then((r) => r.json())
.then((r) => {
this.unpairAllPressed = false;
this.unpairAllStatus = r.status.toString() === "true";
setTimeout(() => {
this.unpairAllStatus = null;
}, 5000);
this.refreshClients();
});
},
unpairSingle(uuid) {
fetch("/api/clients/unpair", {
credentials: 'include',
method: "POST",
body: JSON.stringify({ uuid })
}).then(() => {
this.showApplyMessage = true;
this.refreshClients();
});
},
refreshClients() {
if (currentEditingClient) {
this.cancelEdit(currentEditingClient);
}
fetch("/api/clients/list", { credentials: 'include' })
.then((response) => response.json())
.then((response) => {
const clientList = document.querySelector("#client-list");
if (response.status === 'true' && response.named_certs && response.named_certs.length) {
this.clients = response.named_certs.map(({name, uuid, perm, connected}) => {
const permInt = parseInt(perm, 10);
return {
name,
uuid,
perm: permInt,
connected: connected === 'true',
editing: false,
editPerm: permInt,
editName: name
}
})
currentEditingClient = null;
} else {
this.clients = [];
}
});
},
}
});

36
src_assets/common/assets/web/public/assets/locale/en.json
View File

@@ -93,7 +93,7 @@
"client_card": {
"clients": "Clients",
"clients_desc": "Clients that are specifically tuned to work the best with Apollo",
"generic_moonlight_clients_desc": "Gereric Moonlight clients are still usable with Apollo."
"generic_moonlight_clients_desc": "Generic Moonlight clients are still usable with Apollo."
},
"config": {
"adapter_name": "Adapter Name",
@@ -388,6 +388,20 @@
"password_change": "Password Change",
"success_msg": "Password has been changed successfully! This page will reload soon, your browser will ask you for the new credentials."
},
"permissions": {
"input_controller": "Controller Input",
"input_touch": "Touch Input",
"input_pen": "Pen Input",
"input_kbdm": "Keyboard & Mouse Input",
"clipboard_set": "Clipboard Set",
"clipboard_read": "Clipboard Read",
"file_upload": "File Upload",
"file_dwnload": "File Download",
"server_cmd": "Server Command",
"list": "List Apps",
"view": "View Streams",
"launch": "Launch Apps"
},
"pin": {
"device_name": "Optional: Device Name",
"pair_failure": "Pairing Failed: Check if the PIN is typed correctly",
@@ -402,7 +416,15 @@
"otp_expired_msg": "OTP expired. Please request a new one.",
"otp_success": "PIN request success, the PIN is available within 3 minutes.",
"otp_msg": "OTP pairing is only available for the latest Artemis clients. Please use legacy pairing method for other clients.",
"otp_pair_now": "PIN generated successfully, do you want to pair now?"
"otp_pair_now": "PIN generated successfully, do you want to pair now?",
"device_management": "Device Management",
"device_management_desc": "Manage your paired devices.",
"unpair_all": "Unpair All",
"unpair_all_success": "All devices unpaired.",
"unpair_all_error": "Error while unpairing",
"unpair_single_no_devices": "There are no paired devices.",
"unpair_single_success": "However, the device(s) may still be in an active session. Use the 'Force Close' button above to end any open sessions.",
"unpair_single_unknown": "Unknown Client"
},
"resource_card": {
"github_discussions": "GitHub Discussions",
@@ -430,15 +452,7 @@
"quit_apollo_success": "Apollo has exited.",
"quit_apollo_success_ongoing": "Apollo is quitting...",
"quit_apollo_confirm": "Do you really want to quit Apollo? You'll not be able to start Apollo again if you have no other methods to operate your computer.",
"troubleshooting": "Troubleshooting",
"unpair_all": "Unpair All",
"unpair_all_error": "Error while unpairing",
"unpair_all_success": "All devices unpaired.",
"unpair_desc": "Remove your paired devices. Individually unpaired devices with an active session will remain connected, but cannot start or resume a session.",
"unpair_single_no_devices": "There are no paired devices.",
"unpair_single_success": "However, the device(s) may still be in an active session. Use the 'Force Close' button above to end any open sessions.",
"unpair_single_unknown": "Unknown Client",
"unpair_title": "Unpair Devices"
"troubleshooting": "Troubleshooting"
},
"welcome": {
"confirm_password": "Confirm password",

34
src_assets/common/assets/web/public/assets/locale/zh.json
View File

@@ -388,6 +388,20 @@
"password_change": "更改密码",
"success_msg": "密码已成功更改!此页面即将重新加载,您的浏览器将要求您输入新的账户信息。"
},
"permissions": {
"input_controller": "手柄输入",
"input_touch": "触摸输入",
"input_pen": "笔输入",
"input_kbdm": "键鼠输入",
"clipboard_set": "上传剪贴板",
"clipboard_read": "获取剪贴板",
"file_upload": "上传文件",
"file_dwnload": "下载文件",
"server_cmd": "服务端命令",
"list": "列出APP",
"view": "查看串流",
"launch": "启动APP"
},
"pin": {
"device_name": "设备名称",
"pair_failure": "配对失败:请检查 PIN 码是否正确输入",
@@ -402,7 +416,15 @@
"otp_expired_msg": "口令已过期,请重新请求。",
"otp_success": "一次性 PIN 请求成功3分钟内有效。",
"otp_msg": "一次性口令目前仅支持最新的 Artemis 客户端使用。其他客户端请使用传统配对方式。",
"otp_pair_now": "PIN 请求成功,是否一键配对?"
"otp_pair_now": "PIN 请求成功,是否一键配对?",
"device_management": "设备管理",
"device_management_desc": "管理已配对的设备。",
"unpair_all": "全部取消配对",
"unpair_all_success": "全部取消配对成功!",
"unpair_all_error": "取消配对时出错",
"unpair_single_no_devices": "没有配对的设备。",
"unpair_single_success": "然而,设备可能仍然处于活动会话中,使用上面的“强制关闭”按钮结束任何打开的会话。",
"unpair_single_unknown": "未知客户端"
},
"resource_card": {
"github_discussions": "Github 讨论区",
@@ -430,15 +452,7 @@
"quit_apollo_success": "Apollo 已成功退出。",
"quit_apollo_success_ongoing": "Apollo 正在退出...",
"quit_apollo_confirm": "确定要退出 Apollo 吗?如果没有其他操作方式,你将无法再次启动 Apollo。",
"troubleshooting": "故障排除",
"unpair_all": "全部取消配对",
"unpair_all_error": "取消配对时出错",
"unpair_all_success": "取消配对成功!",
"unpair_desc": "删除您已配对的设备。未配对的单独设备与活动会话将保持连接,但不能启动或继续会话。",
"unpair_single_no_devices": "没有配对的设备。",
"unpair_single_success": "然而,设备可能仍然处于活动会话中,使用上面的“强制关闭”按钮结束任何打开的会话。",
"unpair_single_unknown": "未知客户端",
"unpair_title": "取消配对设备"
"troubleshooting": "故障排除"
},
"welcome": {
"confirm_password": "确认密码",

81
src_assets/common/assets/web/troubleshooting.html
View File

@@ -94,40 +94,6 @@
</div>
</div>
</div>
<!-- Unpair Clients -->
<div class="card my-4">
<div class="card-body">
<div class="p-2">
<div class="d-flex justify-content-end align-items-center">
<h2 id="unpair" class="text-center me-auto">{{ $t('troubleshooting.unpair_title') }}</h2>
<button class="btn btn-danger" :disabled="unpairAllPressed" @click="unpairAll">
{{ $t('troubleshooting.unpair_all') }}
</button>
</div>
<br />
<p class="mb-0">{{ $t('troubleshooting.unpair_desc') }}</p>
<div id="apply-alert" class="alert alert-success d-flex align-items-center mt-3" :style="{ 'display': (showApplyMessage ? 'flex !important': 'none !important') }">
<div class="me-2"><b>{{ $t('_common.success') }}</b> {{ $t('troubleshooting.unpair_single_success') }}</div>
<button class="btn btn-success ms-auto apply" @click="clickedApplyBanner">{{ $t('_common.dismiss') }}</button>
</div>
<div class="alert alert-success mt-3" v-if="unpairAllStatus === true">
{{ $t('troubleshooting.unpair_all_success') }}
</div>
<div class="alert alert-danger mt-3" v-if="unpairAllStatus === false">
{{ $t('troubleshooting.unpair_all_error') }}
</div>
</div>
</div>
<ul id="client-list" class="list-group list-group-flush list-group-item-light" v-if="clients && clients.length > 0">
<div v-for="client in clients" class="list-group-item d-flex">
<div class="p-2 flex-grow-1">{{client.name != "" ? client.name : $t('troubleshooting.unpair_single_unknown')}}</div><div class="me-2 ms-auto btn btn-danger" @click="unpairSingle(client.uuid)"><i class="fas fa-trash"></i></div>
</div>
</ul>
<ul v-else class="list-group list-group-flush list-group-item-light">
<div class="list-group-item p-3 text-center"><em>{{ $t('troubleshooting.unpair_single_no_devices') }}</em></div>
</ul>
</div>
<!-- Logs -->
<div class="card p-2 my-4">
<div class="card-body">
@@ -166,10 +132,7 @@
logInterval: null,
serverRestarting: false,
serverQuitting: false,
serverQuit: false,
showApplyMessage: false,
unpairAllPressed: false,
unpairAllStatus: null,
serverQuit: false
};
},
computed: {
@@ -213,48 +176,6 @@
}, 5000);
});
},
unpairAll() {
this.unpairAllPressed = true;
fetch("/api/clients/unpair-all", {
credentials: 'include',
method: "POST"
})
.then((r) => r.json())
.then((r) => {
this.unpairAllPressed = false;
this.unpairAllStatus = r.status.toString() === "true";
setTimeout(() => {
this.unpairAllStatus = null;
}, 5000);
this.refreshClients();
});
},
unpairSingle(uuid) {
fetch("/api/clients/unpair", { credentials: 'include',
method: "POST",
body: JSON.stringify({ uuid })
}).then(() => {
this.showApplyMessage = true;
this.refreshClients();
});
},
refreshClients() {
fetch("/api/clients/list", { credentials: 'include' })
.then((response) => response.json())
.then((response) => {
const clientList = document.querySelector("#client-list");
if (response.status === 'true' && response.named_certs && response.named_certs.length) {
this.clients = response.named_certs.sort((a, b) => {
return (a.name.toLowerCase() > b.name.toLowerCase() || a.name == "" ? 1 : -1)
});
} else {
this.clients = [];
}
});
},
clickedApplyBanner() {
this.showApplyMessage = false;
},
copyLogs() {
navigator.clipboard.writeText(this.actualLogs);
},

2
third-party/Simple-Web-Server vendored

Submodule third-party/Simple-Web-Server updated: 4abe349158...ab36f1576b