diff --git a/.gitignore b/.gitignore index e2b58bf80..809e0e509 100644 --- a/.gitignore +++ b/.gitignore @@ -357,7 +357,9 @@ tmp/ *.7z # TLS Certificates (generated by scripts/security/generate-tls-certificates.sh) +# Note: docker/certs/ has tracked scripts — only ignore generated cert files certs/ +!docker/certs/ *.pem *.csr *.key diff --git a/autobot-backend/api/vnc_manager.py b/autobot-backend/api/vnc_manager.py index 46b647d52..e516e5f9c 100644 --- a/autobot-backend/api/vnc_manager.py +++ b/autobot-backend/api/vnc_manager.py @@ -145,10 +145,9 @@ def start_vnc_server() -> Dict[str, str]: "-localhost", "no", "-SecurityTypes", - "None", + "VncAuth,TLSVnc", "-rfbport", "5901", - "--I-KNOW-THIS-IS-INSECURE", "-geometry", "1920x1080", "-depth", diff --git a/autobot-infrastructure/shared/scripts/infrastructure/browser-vnc.service b/autobot-infrastructure/shared/scripts/infrastructure/browser-vnc.service index 2ed53ba00..a8616a18a 100644 --- a/autobot-infrastructure/shared/scripts/infrastructure/browser-vnc.service +++ b/autobot-infrastructure/shared/scripts/infrastructure/browser-vnc.service @@ -1,3 +1,10 @@ +# AutoBot - AI-Powered Automation Platform +# Copyright (c) 2025 mrveiss +# Author: mrveiss +# +# TigerVNC Server for Browser VM — headed Playwright mode (#1939) +# Requires: ~/.vnc/passwd (set with `vncpasswd`) + [Unit] Description=TigerVNC Server for Browser VM After=network.target @@ -7,7 +14,8 @@ Type=forking User=autobot WorkingDirectory=/home/autobot ExecStartPre=-/usr/bin/vncserver -kill :1 -ExecStart=/usr/bin/vncserver :1 -localhost no -SecurityTypes None -rfbport 5901 --I-KNOW-THIS-IS-INSECURE -geometry 1920x1080 -depth 24 +ExecStartPre=/bin/sh -c 'test -f /home/autobot/.vnc/passwd || (echo "VNC password not set — run vncpasswd first" && exit 1)' +ExecStart=/usr/bin/vncserver :1 -localhost no -SecurityTypes VncAuth,TLSVnc -rfbport 5901 -geometry 1920x1080 -depth 24 ExecStop=/usr/bin/vncserver -kill :1 Restart=on-failure RestartSec=10 
diff --git a/autobot-infrastructure/shared/scripts/setup_browser_vnc.sh b/autobot-infrastructure/shared/scripts/setup_browser_vnc.sh index b71c66196..e58e8892f 100644 --- a/autobot-infrastructure/shared/scripts/setup_browser_vnc.sh +++ b/autobot-infrastructure/shared/scripts/setup_browser_vnc.sh @@ -1,6 +1,10 @@ #!/bin/bash -# Automated VNC setup for Browser VM (172.16.168.25) -# Provides visual browser viewing for collaborative user/agent interaction +# AutoBot - AI-Powered Automation Platform +# Copyright (c) 2025 mrveiss +# Author: mrveiss +# +# Automated VNC setup for Browser VM — headed Playwright mode (#1939) +# Uses VncAuth (password-protected). Requires vncpasswd to be set. set -e 
@@ -12,73 +16,82 @@ SSH_KEY="${AUTOBOT_SSH_KEY:-$HOME/.ssh/autobot_key}" BROWSER_USER="${AUTOBOT_SSH_USER:-autobot}" echo "=========================================" -echo "AutoBot Browser VM VNC Setup" +echo "AutoBot Browser VM VNC Setup (Secure)" echo "=========================================" echo "" -# Function to run command on Browser VM run_on_browser_vm() { ssh -i "$SSH_KEY" "$BROWSER_USER@$BROWSER_VM_IP" "$@" } # Step 1: Check if VNC components are installed -echo "[1/6] Checking VNC installation..." +echo "[1/7] Checking VNC installation..." if run_on_browser_vm "dpkg -l | grep -q tigervnc-standalone-server"; then - echo "✓ TigerVNC already installed" + echo " TigerVNC already installed" else - echo "✗ TigerVNC not found - please run installation first" + echo " TigerVNC not found - please run installation first" exit 1 fi -# Step 2: Kill any existing VNC servers -echo "[2/6] Cleaning up existing VNC sessions..." +# Step 2: Verify VNC password is set +echo "[2/7] Verifying VNC password..." +if run_on_browser_vm "test -f /home/autobot/.vnc/passwd"; then + echo " VNC password file exists" +else + echo " VNC password not set. Setting now..." + echo " (You will be prompted to enter a VNC password)" + run_on_browser_vm "mkdir -p /home/autobot/.vnc && vncpasswd /home/autobot/.vnc/passwd" +fi + +# Step 3: Kill any existing VNC servers +echo "[3/7] Cleaning up existing VNC sessions..." run_on_browser_vm "vncserver -kill :1 2>/dev/null || true" run_on_browser_vm "pkill -9 websockify 2>/dev/null || true" -echo "✓ Cleanup complete" +echo " Cleanup complete" -# Step 3: Start VNC server (matches main machine setup) -echo "[3/6] Starting VNC server on display :1..." +# Step 4: Start VNC server with password auth +echo "[4/7] Starting VNC server on display :1 (VncAuth)..." 
run_on_browser_vm "/usr/bin/vncserver :1 \ -localhost no \ - -SecurityTypes None \ + -SecurityTypes VncAuth,TLSVnc \ -rfbport 5901 \ - --I-KNOW-THIS-IS-INSECURE \ -geometry 1920x1080 \ -depth 24" -echo "✓ VNC server started on :1 (port 5901)" +echo " VNC server started on :1 (port 5901, password-protected)" -# Step 4: Start websockify for noVNC access -echo "[4/6] Starting websockify for noVNC..." +# Step 5: Start websockify for noVNC access +echo "[5/7] Starting websockify for noVNC..." run_on_browser_vm "nohup /usr/bin/websockify \ --web /usr/share/novnc \ 0.0.0.0:6080 \ localhost:5901 \ > /tmp/websockify.log 2>&1 &" sleep 2 -echo "✓ websockify started on port 6080" +echo " websockify started on port 6080" -# Step 5: Configure Playwright for headed mode -echo "[5/6] Configuring Playwright for headed mode..." -run_on_browser_vm "cd /home/autobot && cat > .env << 'EOF' +# Step 6: Configure Playwright for headed mode +echo "[6/7] Configuring Playwright for headed mode..." +run_on_browser_vm "cd /home/autobot && cat > .env << 'ENVEOF' # Playwright configuration - headed mode for VNC visibility HEADLESS=false DISPLAY=:1 -EOF" -echo "✓ Playwright configured for headed mode on DISPLAY :1" +ENVEOF" +echo " Playwright configured for headed mode on DISPLAY :1" -# Step 6: Restart Playwright server -echo "[6/6] Restarting Playwright server..." +# Step 7: Restart Playwright server +echo "[7/7] Restarting Playwright server..." run_on_browser_vm "pkill -f playwright-server.js 2>/dev/null || true" -run_on_browser_vm "cd /home/autobot && mkdir -p logs && nohup node playwright-server.js > logs/playwright.log 2>&1 &" +run_on_browser_vm "cd /home/autobot && mkdir -p logs && \ + nohup node playwright-server.js > logs/playwright.log 2>&1 &" sleep 3 -echo "✓ Playwright server restarted" +echo " Playwright server restarted" echo "" echo "=========================================" -echo "✓ Browser VM VNC Setup Complete!" +echo " Browser VM VNC Setup Complete!" 
echo "=========================================" echo "" -echo "VNC Access:" +echo "VNC Access (password-protected):" echo " - VNC Server: $BROWSER_VM_IP:5901" echo " - noVNC Web: http://$BROWSER_VM_IP:6080/vnc.html" echo "" @@ -86,8 +99,3 @@ echo "Playwright:" echo " - API Server: http://$BROWSER_VM_IP:3000" echo " - Mode: Headed (visible browser on VNC)" echo "" -echo "Next steps:" -echo " 1. Test VNC connection: http://$BROWSER_VM_IP:6080/vnc.html" -echo " 2. Update frontend VNC URL configuration" -echo " 3. Test collaborative browser viewing" -echo "" diff --git a/autobot-infrastructure/shared/scripts/utilities/fix-vnc-desktop.sh b/autobot-infrastructure/shared/scripts/utilities/fix-vnc-desktop.sh index 1c9de1109..98b018bb4 100644 --- a/autobot-infrastructure/shared/scripts/utilities/fix-vnc-desktop.sh +++ b/autobot-infrastructure/shared/scripts/utilities/fix-vnc-desktop.sh @@ -34,8 +34,10 @@ EOF chmod +x /home/kali/.vnc/xstartup chown kali:kali /home/kali/.vnc/xstartup -# Create VNC password -echo "kali" | vncpasswd -f > /home/kali/.vnc/passwd +# Create VNC password (random, displayed once) +VNC_PASSWORD="${VNC_PASSWORD:-$(openssl rand -base64 12)}" +echo "$VNC_PASSWORD" | vncpasswd -f > /home/kali/.vnc/passwd +echo "Generated VNC password: $VNC_PASSWORD" chmod 600 /home/kali/.vnc/passwd chown kali:kali /home/kali/.vnc/passwd @@ -109,4 +111,4 @@ ss -tlnp | grep -E "5901|6080" || echo "Waiting for ports..." echo "" echo "Done! Access noVNC at http://localhost:6080" -echo "VNC password: kali" +echo "VNC password was displayed during setup (search output above)" diff --git a/autobot-infrastructure/shared/scripts/utilities/fix-vnc-wsl.sh b/autobot-infrastructure/shared/scripts/utilities/fix-vnc-wsl.sh index 9e70e27cc..b59203b46 100644 --- a/autobot-infrastructure/shared/scripts/utilities/fix-vnc-wsl.sh +++ b/autobot-infrastructure/shared/scripts/utilities/fix-vnc-wsl.sh 
@@ -70,7 +70,9 @@ EOF # Ensure password file exists mkdir -p /home/kali/.vnc if [ ! -f /home/kali/.vnc/passwd ]; then - x11vnc -storepasswd kali /home/kali/.vnc/passwd + VNC_PASSWORD="${VNC_PASSWORD:-$(openssl rand -base64 12)}" + x11vnc -storepasswd "$VNC_PASSWORD" /home/kali/.vnc/passwd + echo "Generated VNC password: $VNC_PASSWORD" fi chown -R kali:kali /home/kali/.vnc @@ -101,4 +103,4 @@ ss -tlnp | grep -E "5900|6080" || echo "Ports not yet listening" echo "" echo "Done! noVNC should be at http://localhost:6080" -echo "VNC password: kali" +echo "VNC password was displayed during setup (search output above)" diff --git a/autobot-infrastructure/shared/scripts/utilities/start-isolated-vnc.sh b/autobot-infrastructure/shared/scripts/utilities/start-isolated-vnc.sh index 50f588faa..2a616af85 100644 --- a/autobot-infrastructure/shared/scripts/utilities/start-isolated-vnc.sh +++ b/autobot-infrastructure/shared/scripts/utilities/start-isolated-vnc.sh @@ -1,12 +1,25 @@ #!/bin/bash -# Start VNC with complete isolation from local display +# AutoBot - AI-Powered Automation Platform +# Copyright (c) 2025 mrveiss +# Author: mrveiss +# +# Start VNC with complete isolation from local display (#1939) +# Uses VncAuth (password-protected). Requires ~/.vnc/passwd. -# Kill any existing VNC sessions -vncserver -kill :2 2>/dev/null +set -e + +# Verify VNC password exists +if [ ! -f "$HOME/.vnc/passwd" ]; then + echo "VNC password not set. Run 'vncpasswd' first." + exit 1 +fi + +# Kill any existing VNC sessions on display :2 +vncserver -kill :2 2>/dev/null || true # Kill any XFCE processes that might be on wrong display -pkill -f xfce4-panel 2>/dev/null -pkill -f xfdesktop 2>/dev/null +pkill -f xfce4-panel 2>/dev/null || true +pkill -f xfdesktop 2>/dev/null || true # Start VNC in completely clean environment - no local display access env -i \ 
@@ -18,9 +31,8 @@ env -i \ vncserver :2 \ -geometry 1920x1080 \ -depth 24 \ - -SecurityTypes None \ - -localhost no \ - --I-KNOW-THIS-IS-INSECURE + -SecurityTypes VncAuth,TLSVnc \ + -localhost no -echo "VNC server started on display :2" -echo "Access via: http://192.168.168.17:6080/vnc.html" +echo "VNC server started on display :2 (password-protected)" +echo "Connect with a VNC client on port 5902"
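
Review bot: In the `.gitignore` hunk, `!docker/certs/` re-includes the whole directory, so the only patterns visible here that still keep generated material under `docker/certs/` out of the index are `*.pem`, `*.csr` and `*.key`. If the generator also writes other extensions (for example `.crt` or `.p12`) and no pattern outside this hunk covers them, add those patterns, or the new comment's promise to "only ignore generated cert files" does not hold for them.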
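
Review bot: In `start_vnc_server()` (autobot-backend/api/vnc_manager.py), `-SecurityTypes VncAuth,TLSVnc` still offers plain VncAuth, which checks a password but leaves the session itself unencrypted, and a connecting client may choose it while `-localhost no` keeps port 5901 reachable from the network. Offer only a TLS-wrapped type unless a client that cannot negotiate TLS has to be supported, and record that reason in a comment next to the argument list. The visible lines also add no check that the password file exists, unlike the `ExecStartPre` guard added to browser-vnc.service.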
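
Review bot: In browser-vnc.service, the new `ExecStartPre` guard uses `test -f`, which passes for an empty or group/world-readable `/home/autobot/.vnc/passwd`. Use `test -s` and also check the mode (for example `[ "$(stat -c %a /home/autobot/.vnc/passwd)" = 600 ]`) so the unit refuses to start with an unusable or exposed password file.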
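
Review bot: In the new header of setup_browser_vnc.sh, "Uses VncAuth (password-protected). Requires vncpasswd to be set." does not match the script: the server is started with `-SecurityTypes VncAuth,TLSVnc`, and step 2 creates the password file when it is missing rather than requiring it. Reword the header to name both security types and to say the password is set interactively on first run.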
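
Review bot: In step 2 of setup_browser_vnc.sh, `vncpasswd` is run through `run_on_browser_vm`, whose `ssh -i "$SSH_KEY" ...` call allocates no pseudo-terminal, so the prompt announced by "You will be prompted to enter a VNC password" has no TTY on the remote side and may fail or read the password with echo on. Run that one command with `ssh -t`, or read the password locally and pipe it to `vncpasswd -f` as fix-vnc-desktop.sh does. The path is also hard-coded to `/home/autobot` although `BROWSER_USER` is configurable through `AUTOBOT_SSH_USER`. Finally, websockify still listens on `0.0.0.0:6080` and the summary prints an `http://` URL, so the "password-protected" wording in the output should not be read as covering transport encryption on the browser leg.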
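
Review bot: In the first hunk of fix-vnc-desktop.sh, `echo "Generated VNC password: $VNC_PASSWORD"` writes the secret to stdout, where it stays in terminal scrollback and in any captured provisioning log, and it says "Generated" even when `VNC_PASSWORD` was supplied by the caller. Print it only when it was generated in the script, preferably to the controlling terminal or a file readable only by the owner. Two smaller points: the redirect creates `/home/kali/.vnc/passwd` under the default umask before `chmod 600` runs, so set `umask 077` first; and VncAuth uses only the first 8 characters of a password, so the 16-character value from `openssl rand -base64 12` gives less strength than its length suggests.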
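
Review bot: In the first hunk of fix-vnc-wsl.sh, `x11vnc -storepasswd "$VNC_PASSWORD" /home/kali/.vnc/passwd` passes the password as a command-line argument, which other local users can read from the process list while the command runs. Prefer a form that takes the password from a prompt or from stdin, and apply the same handling of the `echo "Generated VNC password: ..."` line as in fix-vnc-desktop.sh.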
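
Review bot: In the closing message of fix-vnc-wsl.sh, "VNC password was displayed during setup (search output above)" is printed unconditionally, but the password is generated and echoed only inside `if [ ! -f /home/kali/.vnc/passwd ]`. On a rerun with an existing file nothing was displayed, so make the message conditional or state that the existing password file was kept.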
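
Review bot: In the first hunk of start-isolated-vnc.sh, the guard `[ ! -f "$HOME/.vnc/passwd" ]` is evaluated in the caller's environment, while `vncserver` is launched under `env -i`. Confirm that the `HOME` passed inside the `env -i` block (not visible in this hunk) points to the same directory, otherwise the guard checks a different file from the one the server reads; `test -s` would also reject an empty file.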
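
Review bot: In the last hunk of start-isolated-vnc.sh, `-localhost no` is kept, so display :2 (port 5902 per the new message) accepts connections on every interface with plain VncAuth among the offered types. If access is meant to go through an SSH tunnel or a local proxy, drop `-localhost no`; otherwise state in the header which network the port is expected to be reachable from and restrict it with a firewall rule.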