BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 19:06:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
BetterFrame/kiosk/src/main.rs

72 lines
2 KiB
Rust
Raw Normal View History

feat(harden): hardware-bound at-rest encryption of kiosk state files New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
2026-05-21 09:34:29 +00:00
mod at_rest;
feat(kiosk): Axiom log forwarding via tracing layer Kiosk binary now forwards all tracing logs to Axiom when BF_AXIOM_KEY + BF_AXIOM_DATASET are set at compile time via option_env!(). Batches up to 50 entries or flushes every 10s. No-op when keys not baked in (local dev builds). CI build.yml passes secrets as env vars for cargo build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-25 23:23:13 +00:00
mod axiom;
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
mod bundle;
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator
2026-05-10 20:45:56 +00:00
mod cec;
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
mod firmware;
feat: multi-display + snapshot + health + GPIO + nodered embed Multi-display: - Bundle ships displays[] each with own layouts + idle/sleep - Rust kiosk creates one ApplicationWindow per gdk monitor - Per-display state (layout, idle, sleep) via HashMap - WARM_CAMERAS pool shared across displays - Backward-compat top-level display/layouts still emitted System Health (/admin/health): - Online status, CPU temp (color-coded), fan RPM/PWM - Bundle version mismatch detection - 30s auto-refresh Camera snapshot/test: - shared/snapshot.ts: ffmpeg/gst-launch fallback, 5s timeout - /admin/entities/:id/snapshot returns JPEG - EntityEditPage shows live preview with Refresh GPIO (Pi buttons/sensors): - kiosk_gpio_bindings table + CRUD admin UI - Bundle ships gpio_bindings[] - kiosk/src/gpio.rs with gpiod crate, worker thread per pin - Edge events POST to /api/kiosk/event with source_type=gpio Layout switch fixes: - GET aliases added so direct URL hits work - New /admin/displays/:displayId/layout/:layoutId for multi-display - DisplayEditPage gets "Switch Layout Now" section Node-RED embed: - /admin/nodered renders iframe at /nrdp/ - Sandbox attrs allow scripts/forms/popups - Sidebar link now opens embedded view
2026-05-12 23:18:22 +00:00
mod gpio;
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
mod hwmon;
feat(kiosk): LAN-side local HTTP server (GET layout API + admin proxy) Kiosk now exposes :18090 with two surfaces: - GET /local/layout/:id?key=<kiosk_local_key> Bookmark-friendly layout switch on this kiosk. Auth = kiosk-generated local key (32 random bytes, hex, stored at <state_dir>/local.key). - ANY /proxy/* — forwards to BF server with the request's Authorization header preserved. Lets LAN clients reach a cloud-hosted BF server via the kiosk's local socket; kiosk adds no auth of its own. Heartbeat reports {local_key, local_port}; kiosks table grows local_key/local_port/local_last_ip columns. Admin kiosk edit page now shows the local URLs as a copy-paste block. Override port: BF_KIOSK_LOCAL_PORT. Disable: BF_KIOSK_LOCAL_DISABLE=1.
2026-05-14 05:24:21 +00:00
mod local_server;
feat(onvif-events): PullPoint subscription for all ONVIF cameras New kiosk/src/onvif_events.rs: for each ONVIF camera in the bundle, creates a PullPoint subscription, polls every 3s, parses NotificationMessage XML into structured JSON (topic + source key/values + data key/values + timestamp), and POSTs to /api/kiosk/event with source_type=onvif + camera_id. Forwards ALL event topics: motion, ANPR (LicensePlateRecognition), line crossing, intrusion, digital input, analytics, tamper — everything the camera exposes. Node-RED sorts what matters. Subscription lifecycle: - CreatePullPointSubscription with 60s InitialTerminationTime - Renew every 55s before timeout - Unsubscribe on bundle change / shutdown - Auto-resubscribe on pull/renew failure (30s backoff) - Generation tracking via Weak<()> so old workers self-terminate when start() is called with a new bundle WSSE PasswordDigest auth for SOAP calls — same scheme the server's onvif.ts uses. sha1 crate added. BundleCamera extended with onvif_host/port/username/password_encrypted fields (server already ships them; kiosk just wasn't deserializing). Gated by BF_ENABLE_ONVIF_EVENTS=1. Enabled by default in the pi-gen image env file. TODO: cluster-key-based decryption of onvif_password_encrypted. For now relies on the RTSP URI having plaintext credentials embedded (which the ONVIF import path already ensures via rtspWithCredentials).
2026-05-21 10:03:30 +00:00
mod onvif_events;
feat(os-ota): kiosk-side RAUC bundle consumer Phase 3 of the OS OTA pipeline. New module kiosk/src/os_update.rs polls /api/kiosk/os/check with the kiosk's compatibility string and current OS version (read from /etc/betterframe/os-compatibility + /etc/betterframe/os-version, both written by the image build), downloads the bundle, sha256-verifies the transport, and hands off to `rauc install`. RAUC takes it from there: CMS signature verify against /etc/rauc/keyring.pem, copy into inactive A/B slot, arm tryboot via the custom bootloader backend, return. We then post /api/kiosk/os/applied and `systemctl reboot` into the new slot. Wired into the existing 60s heartbeat loop in ui.rs, gated by BF_ENABLE_OS_OTA=1 (default OFF so dev kiosks on non-A/B images don't keep trying + failing). Runs BEFORE the kiosk-binary check on each tick so an OS bundle that ships an updated kiosk binary doesn't race the firmware path. On clean-boot heartbeat success we now also call `rauc status mark-good` so the boot-attempts counter resets — three bad boots in a row will auto-roll back without us needing a separate rollback path. What's NOT in this commit: - A/B partition layout in the pi-gen image (task #6, blocks actual deployment — bundles can be served + accepted but `rauc install` will refuse without two valid slots). - Admin UI for managing releases + rollouts (task #4).
2026-05-21 08:47:45 +00:00
mod os_update;
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
mod pipeline;
feat(remote-debug): journal streaming + secure terminal via WebSocket Kiosk side (remote_debug.rs + ws_client.rs refactor): - Journal streaming: server sends journal-start → kiosk spawns journalctl -f, pipes lines back as journal-line messages via WS. journal-stop kills the process. On-demand, not always-on. - Terminal: server sends terminal-request → kiosk checks lockout + firmware_channel == "dev" → generates 8-char code displayed on screen as fullscreen overlay (NOT logged) → server relays admin's code via terminal-auth → kiosk validates with constant-time compare → on success spawns bash, relays I/O as base64 terminal-data. - Lockout: 3 failed codes per boot → lockout_count++. 3 lockouts (9 total failures) → permanent (reflash only). Reboot resets attempt counter, not lockout counter. Successful pairing resets all. - ws_client.rs rewritten with split reader/writer + tokio::select! for multiplexing incoming WS messages with outbound journal/terminal data from sync threads. Server side (coordinator-ws + routes-admin): - New admin debug WS endpoint: /ws/admin/debug/:kioskId. Authenticated via admin API key (query param) or session cookie. Relays messages bidirectionally between admin browser ↔ kiosk. - Admin pages: /admin/kiosks/:id/logs (journal viewer with start/ stop/clear) and /admin/kiosks/:id/terminal (code entry + terminal area). Both open in new tabs from the kiosk detail page. - Angie proxy config updated with /ws/admin/debug/ location block. Security: - Terminal only on dev channel - Code displayed physically on screen, never logged or stored server-side - Lockout: 3/boot, 3 lockouts = permanent, pairing resets - Kiosk responds "locked" without specifying which lockout triggered
2026-05-22 18:13:39 +00:00
mod remote_debug;
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
mod server;
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
mod ui;
feat: live updates via WebSocket — server pushes, kiosk reloads Server side: - service-coordinator-ws: full WS implementation using ws package - Auth via ?token=<kiosk_key> query param - Coordinator registry for cross-plugin notification - Admin mutations call notifyKiosks() → server pushes reload-bundle - 30s ping/pong heartbeat Kiosk side: - Rust ws_client with tokio runtime + tokio-tungstenite - Auto-reconnect with exponential backoff (1s → 60s cap) - On reload-bundle: re-fetches bundle, re-renders layout - Pong replies to server pings Also fix: auto-suffix kiosk name on UNIQUE collision (re-pair with same hostname no longer fails).
2026-05-10 20:15:58 +00:00
mod ws_client;
fix(kiosk): export WorkerMsg, import DecodePublicKey trait; CI master-push → dev - WorkerMsg made pub + re-exported at crate root so local_server can send through the UI channel. - ed25519_dalek::pkcs8::DecodePublicKey trait import — needed for VerifyingKey::from_public_key_pem call site. - Workflow: pushes to master now auto-trigger a dev-channel build (in addition to tag-pushes for stable/beta). Concurrency group cancels superseded master builds; tag builds never cancel each other.
2026-05-19 02:25:59 +00:00
pub use ui::WorkerMsg;
feat: live updates via WebSocket — server pushes, kiosk reloads Server side: - service-coordinator-ws: full WS implementation using ws package - Auth via ?token=<kiosk_key> query param - Coordinator registry for cross-plugin notification - Admin mutations call notifyKiosks() → server pushes reload-bundle - 30s ping/pong heartbeat Kiosk side: - Rust ws_client with tokio runtime + tokio-tungstenite - Auto-reconnect with exponential backoff (1s → 60s cap) - On reload-bundle: re-fetches bundle, re-renders layout - Pong replies to server pings Also fix: auto-suffix kiosk name on UNIQUE collision (re-pair with same hostname no longer fails).
2026-05-10 20:15:58 +00:00
pub enum ServerMsg {
ReloadBundle,
feat(display): report and control power state
2026-05-21 07:10:30 +00:00
Standby(Option<u32>),
Wake(Option<u32>),
feat: Pi fan control + temp monitoring + stream swap on layout change Kiosk: - hwmon.rs reads /sys/class/thermal + /sys/class/hwmon for CPU temp, fan RPM, fan PWM - Heartbeat reports cpu_temp_c, fan_rpm, fan_pwm - WS message "fan" with {pwm: N} or {mode: "auto"} sets pwm1_enable+pwm1 - Picture content_fit Cover → Contain (no more cropping/overlay cuts) - ensure_warm tears down + rebuilds pipeline when desired stream changes (M↔S swap on layout change) Server: - Migration v0.8: add cpu_temp_c, fan_rpm, fan_pwm to kiosks - Heartbeat persists hwmon fields - KioskEditPage shows CPU/fan/PWM + Auto/Off/50%/Full buttons - POST /admin/kiosks/:id/fan dispatches via coordinator WS
2026-05-11 09:47:07 +00:00
/// Some(0..=255) = manual PWM. None = restore auto.
Fan(Option<u32>),
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
/// Switch to a specific layout by ID, optionally scoped to one display.
SwitchLayout {
display_id: Option<u32>,
layout_id: u32,
},
feat(ota): replacement pairing + firmware OTA (admin UI, kiosk client, CI)
2026-05-13 18:56:42 +00:00
/// Server-pushed "go check for a firmware update now".
FirmwareCheck,
feat(os-ota): add Push OS update now button + os_check WS message
2026-05-22 23:07:34 +00:00
/// Server-pushed "go check for an OS update now".
OsCheck,
feat(remote-debug): journal streaming + secure terminal via WebSocket Kiosk side (remote_debug.rs + ws_client.rs refactor): - Journal streaming: server sends journal-start → kiosk spawns journalctl -f, pipes lines back as journal-line messages via WS. journal-stop kills the process. On-demand, not always-on. - Terminal: server sends terminal-request → kiosk checks lockout + firmware_channel == "dev" → generates 8-char code displayed on screen as fullscreen overlay (NOT logged) → server relays admin's code via terminal-auth → kiosk validates with constant-time compare → on success spawns bash, relays I/O as base64 terminal-data. - Lockout: 3 failed codes per boot → lockout_count++. 3 lockouts (9 total failures) → permanent (reflash only). Reboot resets attempt counter, not lockout counter. Successful pairing resets all. - ws_client.rs rewritten with split reader/writer + tokio::select! for multiplexing incoming WS messages with outbound journal/terminal data from sync threads. Server side (coordinator-ws + routes-admin): - New admin debug WS endpoint: /ws/admin/debug/:kioskId. Authenticated via admin API key (query param) or session cookie. Relays messages bidirectionally between admin browser ↔ kiosk. - Admin pages: /admin/kiosks/:id/logs (journal viewer with start/ stop/clear) and /admin/kiosks/:id/terminal (code entry + terminal area). Both open in new tabs from the kiosk detail page. - Angie proxy config updated with /ws/admin/debug/ location block. Security: - Terminal only on dev channel - Code displayed physically on screen, never logged or stored server-side - Lockout: 3/boot, 3 lockouts = permanent, pairing resets - Kiosk responds "locked" without specifying which lockout triggered
2026-05-22 18:13:39 +00:00
/// Show terminal auth code on screen (overlay).
ShowTerminalCode(String),
/// Dismiss the terminal code overlay.
DismissTerminalCode,
feat: live updates via WebSocket — server pushes, kiosk reloads Server side: - service-coordinator-ws: full WS implementation using ws package - Auth via ?token=<kiosk_key> query param - Coordinator registry for cross-plugin notification - Admin mutations call notifyKiosks() → server pushes reload-bundle - 30s ping/pong heartbeat Kiosk side: - Rust ws_client with tokio runtime + tokio-tungstenite - Auto-reconnect with exponential backoff (1s → 60s cap) - On reload-bundle: re-fetches bundle, re-renders layout - Pong replies to server pings Also fix: auto-suffix kiosk name on UNIQUE collision (re-pair with same hostname no longer fails).
2026-05-10 20:15:58 +00:00
}
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
fix: import PluginFeatureExtManual for set_rank
2026-05-10 18:59:23 +00:00
use gstreamer::prelude::PluginFeatureExtManual;
feat(kiosk): improve display controls and health
2026-05-21 00:03:05 +00:00
use gtk4::prelude::{ApplicationExt, ApplicationExtManual};
fix: demote Pi5 hw H265 decoder — sw fallback for non-standard resolutions
2026-05-10 18:52:25 +00:00
use tracing::info;
feat(kiosk): Axiom log forwarding via tracing layer Kiosk binary now forwards all tracing logs to Axiom when BF_AXIOM_KEY + BF_AXIOM_DATASET are set at compile time via option_env!(). Batches up to 50 entries or flushes every 10s. No-op when keys not baked in (local dev builds). CI build.yml passes secrets as env vars for cargo build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-25 23:23:13 +00:00
use tracing_subscriber::{EnvFilter, layer::SubscriberExt, util::SubscriberInitExt};
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
fn main() {
feat(kiosk): Axiom log forwarding via tracing layer Kiosk binary now forwards all tracing logs to Axiom when BF_AXIOM_KEY + BF_AXIOM_DATASET are set at compile time via option_env!(). Batches up to 50 entries or flushes every 10s. No-op when keys not baked in (local dev builds). CI build.yml passes secrets as env vars for cargo build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-25 23:23:13 +00:00
let env_filter = EnvFilter::from_default_env()
.add_directive("betterframe_kiosk=info".parse().unwrap());
let registry = tracing_subscriber::registry()
.with(env_filter)
.with(tracing_subscriber::fmt::layer());
if let Some(axiom_layer) = axiom::AxiomLayer::new() {
info!("axiom logging enabled");
registry.with(axiom_layer).init();
} else {
registry.init();
}
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
gstreamer::init().expect("Failed to init GStreamer");
fix: demote Pi5 hw H265 decoder — sw fallback for non-standard resolutions
2026-05-10 18:52:25 +00:00
// Demote Pi5 hw H265 decoder — rejects non-standard resolutions like 960x1080
if let Some(factory) = gstreamer::ElementFactory::find("v4l2slh265dec") {
factory.set_rank(gstreamer::Rank::NONE);
info!("demoted v4l2slh265dec to NONE (sw fallback)");
}
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
let app = ui::build_app();
fix: suppress GTK file-open warning, read server URL from env
2026-05-10 18:11:31 +00:00
// Pass empty args to GTK — server URL handled via env or argv directly
fix: drop HANDLES_COMMAND_LINE flag
2026-05-10 18:13:01 +00:00
app.set_flags(gtk4::gio::ApplicationFlags::NON_UNIQUE);
fix: suppress GTK file-open warning, read server URL from env
2026-05-10 18:11:31 +00:00
std::process::exit(app.run_with_args::<&str>(&[]).into());
feat: Rust kiosk app — GTK4 + GStreamer multi-camera display - Server discovery (localhost → betterframe.local → cloud) - Pairing flow with fullscreen code display - Bundle fetch and layout rendering - GTK4 Grid layout matching template regions - GStreamer pipelines per camera cell via gtk4paintablesink - Heartbeat loop in background thread - Placeholder widgets for web/html cells
2026-05-10 02:18:40 +00:00
}
Reference in a new issue Copy permalink