From 5e67febf57f1a637e53242484743c63ca3c9c413 Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Thu, 21 May 2026 17:55:27 +0200
Subject: [PATCH] Address Sonar findings and move noise to direct dependency
---
 client/vnc/server/input_darwin.go | 31 ++++++++++---------
 client/vnc/server/server.go | 2 +-
 go.mod | 2 +-
 .../server/types/policy_authorized_users.go | 27 +++++++++-------
 4 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/client/vnc/server/input_darwin.go b/client/vnc/server/input_darwin.go
index a144ae4e2..b1b4e9926 100644
--- a/client/vnc/server/input_darwin.go
+++ b/client/vnc/server/input_darwin.go
@@ -465,23 +465,26 @@ func postFnFlagsChanged(src uintptr, fnOn bool) {
 cfRelease(event)
 }
 
+// fnShiftedKeycodes are the Apple navigation/edit keys that hardware produces
+// with the Fn modifier held.
+var fnShiftedKeycodes = map[uint16]struct{}{
+ 0x72: {}, // Help / Insert
+ 0x73: {}, // Home
+ 0x74: {}, // PageUp
+ 0x75: {}, // ForwardDelete
+ 0x77: {}, // End
+ 0x79: {}, // PageDown
+ 0x7B: {}, // Left
+ 0x7C: {}, // Right
+ 0x7D: {}, // Down
+ 0x7E: {}, // Up
+}
+
 // isFnShiftedKeycode reports whether keycode is one of the Apple
 // navigation/edit keys that hardware produces with the Fn modifier held.
 func isFnShiftedKeycode(keycode uint16) bool {
- switch keycode {
- case 0x72, // Help / Insert
- 0x73, // Home
- 0x74, // PageUp
- 0x75, // ForwardDelete
- 0x77, // End
- 0x79, // PageDown
- 0x7B, // Left
- 0x7C, // Right
- 0x7D, // Down
- 0x7E: // Up
- return true
- }
- return false
+ _, ok := fnShiftedKeycodes[keycode]
+ return ok
 }
 
 // InjectPointer simulates mouse movement and button events.
diff --git a/client/vnc/server/server.go b/client/vnc/server/server.go
index 08e8f8cbe..09112ce57 100644
--- a/client/vnc/server/server.go
+++ b/client/vnc/server/server.go
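Review bot: `fnShiftedKeycodes` in input_darwin.go is now a package-level map that any code in the package can write to, whereas the switch it replaces could not be altered at run time. If key injection can run on more than one goroutine (not visible in this hunk), a later write to the map would race with these lookups, so the var's comment should say so, for example `// Read-only after initialisation; never mutate.` The var and `isFnShiftedKeycode` also repeat the same sentence as their doc comment; the function's could be reduced to `// isFnShiftedKeycode reports whether keycode is in fnShiftedKeycodes.`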
@@ -1038,7 +1038,7 @@ func (s *Server) acquireAttachSession() (ScreenCapturer, func()) {
 cc.ClientConnect()
 return s.capturer, cc.ClientDisconnect
 }
- return s.capturer, func() {}
+ return s.capturer, func() { /* capturer has no per-client disconnect hook */ }
 }
 
 // modeString returns a human-readable session mode name.
diff --git a/go.mod b/go.mod
index a9bd785e3..dab8623d9 100644
--- a/go.mod
+++ b/go.mod
@@ -51,6 +51,7 @@ require (
 github.com/eko/gocache/lib/v4 v4.2.0
 github.com/eko/gocache/store/go_cache/v4 v4.2.2
 github.com/eko/gocache/store/redis/v4 v4.2.2
+ github.com/flynn/noise v1.1.0
 github.com/fsnotify/fsnotify v1.9.0
 github.com/gliderlabs/ssh v0.3.8
 github.com/go-jose/go-jose/v4 v4.1.4
@@ -185,7 +186,6 @@ require (
 github.com/docker/go-connections v0.6.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
- github.com/flynn/noise v1.1.0 // indirect
 github.com/fredbi/uri v1.1.1 // indirect
 github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 github.com/fyne-io/gl-js v0.2.0 // indirect
diff --git a/management/server/types/policy_authorized_users.go b/management/server/types/policy_authorized_users.go
index 0c9dd1e4e..16337590f 100644
--- a/management/server/types/policy_authorized_users.go
+++ b/management/server/types/policy_authorized_users.go
@@ -64,17 +64,7 @@ func applyResolvedRuleToState(
 state.sshEnabled = true
 cb.collectSSHUsers(rule, state.authorizedUsers)
 case rule.Protocol == PolicyRuleProtocolNetbirdVNC:
- // VNC bidirectional rules grant access in both directions.
- if !peerInDestinations && !(rule.Bidirectional && peerInSources) {
- return
- }
- cb.collectVNCUsers(rule, state.vncAuthorizedUsers)
- if rule.SessionPubKey != "" && rule.AuthorizedUser != "" {
- state.vncSessionPubKeys = append(state.vncSessionPubKeys, VNCSessionPubKey{
- PubKey: rule.SessionPubKey,
- UserID: rule.AuthorizedUser,
- })
- }
+ cb.handleVNCRule(rule, peerInSources, peerInDestinations, state)
 case policyRuleImpliesLegacySSH(rule) && targetPeerSSHEnabled:
 if !peerInDestinations {
 return
@@ -84,6 +74,21 @@ func applyResolvedRuleToState(
 }
 }
 
+// handleVNCRule collects VNC authorized users and session pubkeys for a VNC
+// policy rule. Bidirectional rules grant access in both directions.
+func (cb ruleAuthCallbacks) handleVNCRule(rule *PolicyRule, peerInSources, peerInDestinations bool, state *peerConnResolveState) {
+ if !peerInDestinations && !(rule.Bidirectional && peerInSources) {
+ return
+ }
+ cb.collectVNCUsers(rule, state.vncAuthorizedUsers)
+ if rule.SessionPubKey != "" && rule.AuthorizedUser != "" {
+ state.vncSessionPubKeys = append(state.vncSessionPubKeys, VNCSessionPubKey{
+ PubKey: rule.SessionPubKey,
+ UserID: rule.AuthorizedUser,
+ })
+ }
+}
+
 func mergeWildcardUsers(dst map[string]map[string]struct{}, users map[string]struct{}) {
 if dst[auth.Wildcard] == nil {
 dst[auth.Wildcard] = make(map[string]struct{})
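Review bot: The doc comment on `handleVNCRule` should state the access gate exactly, because this function decides who is authorized: the peer gets the rule's users and session key when it is a destination, or when it is a source of a bidirectional rule. Under that gate a source-side peer of a bidirectional rule also has the `SessionPubKey`/`AuthorizedUser` pair appended to `state.vncSessionPubKeys`. That behaviour is carried over unchanged from the inlined code, but if the binding is meant only for the peer being connected to, the append needs its own `if peerInDestinations` guard, which is worth confirming. A rule that sets only one of the two fields is skipped silently, and a comment such as `// a session binding needs both a key and a user; partial rules add none` would mark that as intended. The append also has no de-duplication, so the same pair arriving from several rules will repeat in the slice.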