From 77fb93c5136df722b4efcd7baededad20449494c Mon Sep 17 00:00:00 2001 From: Rohit Yadav Date: Fri, 29 Oct 2021 22:12:44 +0530 Subject: [PATCH] core: use the URL scheme same as iframe for non-SSL enabled consoles (#5624) * core: use the URL scheme same as iframe for non-SSL enabled consoles For environments where SSL is not enabled for console, this forces the URL scheme (http/https) in iframe to match the iframe URL scheme. Signed-off-by: Rohit Yadav * consoleproxy: enable SSL on CPVM when both console proxy url/domain and ssl setting are configured Signed-off-by: Rohit Yadav * fix unit test Signed-off-by: Rohit Yadav * address code review comments Signed-off-by: Rohit Yadav --- .../java/com/cloud/info/ConsoleProxyInfo.java | 2 +- .../com/cloud/info/ConsoleProxyInfoTest.java | 10 +++++----- .../com/cloud/consoleproxy/AgentHookBase.java | 20 ++++++++++--------- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java b/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java index 7e1be6a9cad..f92b93a3979 100644 --- a/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java +++ b/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java @@ -46,7 +46,7 @@ public class ConsoleProxyInfo { } } else { - proxyImageUrl = "http://" + proxyAddress; + proxyImageUrl = "//" + proxyAddress; if (proxyUrlPort != 80) { proxyImageUrl += ":" + proxyUrlPort; } diff --git a/core/src/test/java/com/cloud/info/ConsoleProxyInfoTest.java b/core/src/test/java/com/cloud/info/ConsoleProxyInfoTest.java index 62a4b764c7a..e1b264c4f97 100644 --- a/core/src/test/java/com/cloud/info/ConsoleProxyInfoTest.java +++ b/core/src/test/java/com/cloud/info/ConsoleProxyInfoTest.java @@ -19,10 +19,10 @@ package com.cloud.info; -import org.junit.Test; - import static org.junit.Assert.assertEquals; +import org.junit.Test; + public class ConsoleProxyInfoTest { @Test 
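Review bot: The `if (proxyUrlPort != 80)` elision kept as context under the new `proxyImageUrl = "//" + proxyAddress;` line in ConsoleProxyInfo.java still assumes an http origin, but a scheme-relative URL takes its scheme, and so its default port, from the embedding page. When the UI is served over HTTPS and the proxy URL port is 80, `//host` resolves to port 443, so I would append the port unconditionally in this branch: `proxyImageUrl = "//" + proxyAddress + ":" + proxyUrlPort;`. The `testGetProxyImageUrlHttp` expectation in ConsoleProxyInfoTest pins the elided form and would need the same update. `getProxyImageUrl()` also no longer returns an absolute URL, so a comment such as `// scheme-relative: the browser reuses the embedding page's scheme` would warn callers that build links outside a browser. The enclosing block starts and ends outside the hunk.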
@@ -35,7 +35,7 @@ public class ConsoleProxyInfoTest {
 public void testGetProxyImageUrlHttp() {
 ConsoleProxyInfo cpi = new ConsoleProxyInfo(false, "10.10.10.10", 80, 80 , "console.example.com");
 String url = cpi.getProxyImageUrl();
- assertEquals("http://console.example.com", url);
+ assertEquals("//console.example.com", url);
 }
 @Test
 public void testGetProxyImageUrlWildcardHttps() {
@@ -47,13 +47,13 @@ public class ConsoleProxyInfoTest {
 public void testGetProxyImageUrlWildcardHttp() {
 ConsoleProxyInfo cpi = new ConsoleProxyInfo(false, "1.2.3.4", 80, 8888 , "*.example.com");
 String url = cpi.getProxyImageUrl();
- assertEquals("http://1-2-3-4.example.com:8888", url);
+ assertEquals("//1-2-3-4.example.com:8888", url);
 }
 @Test
 public void testGetProxyImageUrlIpHttp() {
 ConsoleProxyInfo cpi = new ConsoleProxyInfo(false, "1.2.3.4", 80, 8888, "");
 String url = cpi.getProxyImageUrl();
- assertEquals("http://1.2.3.4:8888", url);
+ assertEquals("//1.2.3.4:8888", url);
 }
 @Test
 public void testGetProxyImageUrlIpHttps() {
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
index 6a06774f3b1..2bc092e056b 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
@@ -21,15 +21,12 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Date;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.log4j.Logger;
-
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.cloudstack.framework.security.keystore.KeystoreManager;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.log4j.Logger;
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.AgentControlAnswer;
@@ -54,6 +51,8 @@ import com.cloud.servlet.ConsoleProxyServlet;
 import com.cloud.utils.Ternary;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.dao.VMInstanceDao;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
 /**
 * Utility class to manage interactions with agent-based console access
@@ -198,12 +197,15 @@ public abstract class AgentHookBase implements AgentHook { String storePassword = Base64.encodeBase64String(randomBytes); byte[] ksBits = null; + String consoleProxyUrlDomain = _configDao.getValue(Config.ConsoleProxyUrlDomain.key()); - if (consoleProxyUrlDomain == null || consoleProxyUrlDomain.isEmpty()) { - s_logger.debug("SSL is disabled for console proxy based on global config, skip loading certificates"); - } else { + String consoleProxySslEnabled = _configDao.getValue("consoleproxy.sslEnabled"); + if (!StringUtils.isEmpty(consoleProxyUrlDomain) && !StringUtils.isEmpty(consoleProxySslEnabled) + && consoleProxySslEnabled.equalsIgnoreCase("true")) { ksBits = _ksMgr.getKeystoreBits(ConsoleProxyManager.CERTIFICATE_NAME, ConsoleProxyManager.CERTIFICATE_NAME, storePassword); //ks manager raises exception if ksBits are null, hence no need to explicltly handle the condition + } else { + s_logger.debug("SSL is disabled for console proxy. To enable SSL, please configure consoleproxy.sslEnabled and consoleproxy.url.domain global settings."); } cmd = new StartConsoleProxyAgentHttpHandlerCommand(ksBits, storePassword);
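Review bot: When either setting is missing, the new `else` branch leaves `ksBits` null and records that only at debug level. As far as this hunk shows, a deployment that loaded certificates with just `consoleproxy.url.domain` set would now start its console proxy without TLS and with nothing visible in a default log. I would raise the level on that line to `s_logger.warn(...)` with the same message, so the loss of transport protection is noticed after an upgrade. The three-part condition can be reduced to `!StringUtils.isEmpty(consoleProxyUrlDomain) && Boolean.parseBoolean(consoleProxySslEnabled)`, since `Boolean.parseBoolean` is null-safe and case-insensitive, and the `"consoleproxy.sslEnabled"` literal would read better as a named constant next to the `Config.ConsoleProxyUrlDomain.key()` lookup above it. The enclosing method starts and ends outside the hunk.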