novnc: add encrypt parameter

Add encrypt parameter to novnc adapter class, so that it can
be configured in the url params.

This allows the VNC driver to set --encrypt/--no-encrypt
parameter through command line (default False) for more
flexibility on the type of connection the user needs.

Signed-off-by: Albert Esteve <aesteve@redhat.com>

Author: aesteve-rh

packages/jumpstarter-driver-network/jumpstarter_driver_network/adapters/novnc.py

@@ -10,7 +10,7 @@
 
 @blocking
 @asynccontextmanager
-async def NovncAdapter(*, client: DriverClient, method: str = "connect"):
+async def NovncAdapter(*, client: DriverClient, method: str = "connect", encrypt: bool = True):
     async def handler(conn):
         async with conn:
             async with client.stream_async(method) as stream:
@@ -19,13 +19,21 @@ async def handler(conn):
                         pass
 
     async with TemporaryTcpListener(handler) as addr:
+        params = {
+            "encrypt": 1 if encrypt else 0,
+            "autoconnect": 1,
+            "reconnect": 1,
+            "host": addr[0],
+            "port": addr[1],
+        }
+
         yield urlunparse(
             (
                 "https",
                 "novnc.com",
                 "/noVNC/vnc.html",
                 "",
-                urlencode({"autoconnect": 1, "reconnect": 1, "host": addr[0], "port": addr[1]}),
+                urlencode(params),
                 "",
             )
         )

packages/jumpstarter-driver-vnc/README.md

@@ -18,6 +18,9 @@ Example `exporter.yaml` configuration:
 export:
   vnc:
     type: jumpstarter_driver_vnc.driver.Vnc
+    # You can set the default encryption behavior for the `j vnc session` command.
+    # If not set, it defaults to False (unencrypted).
+    default_encrypt: false
     children:
       tcp:
         type: jumpstarter_driver_network.driver.TcpNetwork
@@ -55,4 +58,11 @@ j vnc session
 
 # To prevent it from opening a browser automatically:
 j vnc session --no-browser
+
+# To force an encrypted (wss://) or unencrypted (ws://) connection, overriding
+# the default set in the exporter configuration:
+j vnc session --encrypt
+j vnc session --no-encrypt
 ```
+
+> **Note:** Using an encrypted connection is intended for advanced scenarios where the local proxy can be configured with a TLS certificate that your browser trusts. For standard local development, modern browsers will likely reject the self-signed certificate and the connection will fail.

packages/jumpstarter-driver-vnc/examples/exporter.yaml

@@ -8,6 +8,9 @@ token: "<token>"
 export:
   vnc:
     type: jumpstarter_driver_vnc.driver.Vnc
+    # You can set the default encryption behavior for the `j vnc session` command.
+    # If not set, it defaults to False (unencrypted).
+    default_encrypt: false
     children:
       tcp:
         type: jumpstarter_driver_network.driver.TcpNetwork

packages/jumpstarter-driver-vnc/jumpstarter_driver_vnc/client.py

@@ -9,6 +9,7 @@
 from jumpstarter_driver_composite.client import CompositeClient
 from jumpstarter_driver_network.adapters.novnc import NovncAdapter
 
+from jumpstarter.client import DriverClient
 from jumpstarter.client.decorators import driver_click_group
 
 if typing.TYPE_CHECKING:
@@ -32,11 +33,15 @@ async def stream_async(self, method="connect"):
         return await self.tcp.stream_async(method)
 
     @contextlib.contextmanager
-    def session(self) -> typing.Iterator[str]:
+    def session(self, *, encrypt: bool = True) -> typing.Iterator[str]:
         """Create a new VNC session."""
-        with NovncAdapter(client=self.tcp, method="connect") as adapter:
+        with NovncAdapter(client=self.tcp, method="connect", encrypt=encrypt) as adapter:
             yield adapter
 
+    def get_default_encrypt(self) -> bool:
+        """Fetch the default encryption setting from the remote driver."""
+        return self.portal.call(DriverClient.call_async, self, "get_default_encrypt")
+
     def cli(self) -> click.Command:
         """Return a click command handler for this driver."""
 
@@ -46,12 +51,26 @@ def vnc():
 
         @vnc.command()
         @click.option("--browser/--no-browser", default=True, help="Open the session in a web browser.")
-        def session(browser: bool):
+        @click.option(
+            "--encrypt",
+            "encrypt_override",
+            flag_value=True,
+            default=None,
+            help="Force an encrypted connection (wss://). Overrides the driver default.",
+        )
+        @click.option(
+            "--no-encrypt",
+            "encrypt_override",
+            flag_value=False,
+            help="Force an unencrypted connection (ws://). Overrides the driver default.",
+        )
+        def session(browser: bool, encrypt_override: bool | None):
             """Open a VNC session."""
+            encrypt = encrypt_override if encrypt_override is not None else self.get_default_encrypt()
             # The NovncAdapter is a blocking context manager that runs in a thread.
             # We can enter it, open the browser, and then just wait for the user
             # to press Ctrl+C to exit. The adapter handles the background work.
-            with self.session() as url:
+            with self.session(encrypt=encrypt) as url:
                 click.echo(f"To connect, please visit: {url}")
                 if browser:
                     webbrowser.open(url)

packages/jumpstarter-driver-vnc/jumpstarter_driver_vnc/driver.py

@@ -1,18 +1,34 @@
 from __future__ import annotations
 
+from dataclasses import dataclass
+
+from jumpstarter_driver_composite.driver import Composite
+
 from jumpstarter.common.exceptions import ConfigurationError
-from jumpstarter.driver import Driver
+from jumpstarter.driver import export
+
 
+@dataclass
+class Vnc(Composite):
+    """A VNC driver.
 
-class Vnc(Driver):
-    """A driver for VNC."""
+    Members:
+        default_encrypt: Whether to default to an encrypted client connection.
+    """
+
+    default_encrypt: bool = False
 
     def __post_init__(self):
         """Initialize the VNC driver."""
         super().__post_init__()
         if "tcp" not in self.children:
             raise ConfigurationError("A tcp child is required for Vnc")
 
+    @export
+    async def get_default_encrypt(self) -> bool:
+        """Return the default encryption setting."""
+        return self.default_encrypt
+
     @classmethod
     def client(cls) -> str:
         """Return the client class path for this driver."""

packages/jumpstarter-driver-vnc/jumpstarter_driver_vnc/driver_test.py

@@ -32,3 +32,11 @@ def test_vnc_driver_raises_error_without_tcp_child():
     """Test that the Vnc driver raises a ConfigurationError if the tcp child is missing."""
     with pytest.raises(ConfigurationError, match="A tcp child is required for Vnc"):
         Vnc(children={})
+
+
+@pytest.mark.parametrize("expected", [True, False])
+def test_vnc_driver_default_encrypt(expected):
+    """Test that the default_encrypt parameter is correctly handled."""
+    instance = Vnc(children={"tcp": FakeTcpDriver()}, default_encrypt=expected)
+    with serve(instance) as client:
+        assert client.get_default_encrypt() is expected