apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

remote access vpn from management server side is done

Browse Source
This commit is contained in:
Alex Huang 2010-12-29 11:36:30 -08:00
parent cc428c14c7
commit a10ce22f99
13 changed files with 245 additions and 181 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/com/cloud/api/commands/CreateRemoteAccessVpnCmd.java
View File

@ -28,7 +28,6 @@ import com.cloud.api.ServerApiException;
import com.cloud.api.response.RemoteAccessVpnResponse; import com.cloud.api.response.RemoteAccessVpnResponse;
import com.cloud.domain.Domain; import com.cloud.domain.Domain;
import com.cloud.event.EventTypes; import com.cloud.event.EventTypes;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException; import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.RemoteAccessVpn; import com.cloud.network.RemoteAccessVpn;
@ -162,9 +161,6 @@ public class CreateRemoteAccessVpnCmd extends BaseAsyncCreateCmd {
} catch (ResourceUnavailableException ex) { } catch (ResourceUnavailableException ex) {
s_logger.warn("Exception: ", ex); s_logger.warn("Exception: ", ex);
throw new ServerApiException(BaseCmd.RESOURCE_UNAVAILABLE_ERROR, ex.getMessage()); throw new ServerApiException(BaseCmd.RESOURCE_UNAVAILABLE_ERROR, ex.getMessage());
} catch (ConcurrentOperationException ex) {
s_logger.warn("Exception: ", ex);
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, ex.getMessage());
} }
} }
} }

5
api/src/com/cloud/api/commands/DeleteRemoteAccessVpnCmd.java
View File

@ -25,6 +25,7 @@ import com.cloud.api.Implementation;
import com.cloud.api.Parameter; import com.cloud.api.Parameter;
import com.cloud.api.response.SuccessResponse; import com.cloud.api.response.SuccessResponse;
import com.cloud.event.EventTypes; import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.RemoteAccessVpn; import com.cloud.network.RemoteAccessVpn;
import com.cloud.utils.net.Ip; import com.cloud.utils.net.Ip;
@ -70,8 +71,8 @@ public class DeleteRemoteAccessVpnCmd extends BaseAsyncCmd {
} }
@Override @Override
public void execute(){ public void execute() throws ResourceUnavailableException {
_ravService.destroyRemoteAccessVpn(new Ip(publicIp)); _ravService.destroyRemoteAccessVpn(new Ip(publicIp), getStartEventId());
} }
} }

11
api/src/com/cloud/api/commands/RemoveVpnUserCmd.java
View File

@ -113,11 +113,14 @@ public class RemoveVpnUserCmd extends BaseAsyncCmd {
public void execute(){ public void execute(){
Account owner = getValidOwner(accountName, domainId); Account owner = getValidOwner(accountName, domainId);
boolean result = _ravService.removeVpnUser(owner.getId(), userName); boolean result = _ravService.removeVpnUser(owner.getId(), userName);
if (result) { if (!result) {
SuccessResponse response = new SuccessResponse(getCommandName());
this.setResponseObject(response);
} else {
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to remove vpn user"); throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to remove vpn user");
} }
if (!_ravService.applyVpnUsers(owner.getId())) {
throw new ServerApiException(BaseCmd.INTERNAL_ERROR, "Failed to apply vpn user removal");
}
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);
} }
} }

7
api/src/com/cloud/network/RemoteAccessVpn.java
View File

@ -21,9 +21,16 @@ import com.cloud.acl.ControlledEntity;
import com.cloud.utils.net.Ip; import com.cloud.utils.net.Ip;
public interface RemoteAccessVpn extends ControlledEntity { public interface RemoteAccessVpn extends ControlledEntity {
enum State {
Added,
Running,
Removed
}
Ip getServerAddress(); Ip getServerAddress();
String getIpRange(); String getIpRange();
String getIpsecPresharedKey(); String getIpsecPresharedKey();
String getLocalIp(); String getLocalIp();
long getNetworkId(); long getNetworkId();
State getState();
} }

7
api/src/com/cloud/network/vpn/RemoteAccessVpnElement.java
View File

@ -19,11 +19,16 @@ package com.cloud.network.vpn;
import java.util.List; import java.util.List;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.Network;
import com.cloud.network.RemoteAccessVpn; import com.cloud.network.RemoteAccessVpn;
import com.cloud.network.VpnUser; import com.cloud.network.VpnUser;
import com.cloud.utils.component.Adapter; import com.cloud.utils.component.Adapter;
public interface RemoteAccessVpnElement extends Adapter { public interface RemoteAccessVpnElement extends Adapter {
String[] applyVpnUsers(RemoteAccessVpn vpn, List<? extends VpnUser> users); String[] applyVpnUsers(RemoteAccessVpn vpn, List<? extends VpnUser> users) throws ResourceUnavailableException;
boolean start(Network network, RemoteAccessVpn vpn) throws ResourceUnavailableException;
boolean stop(Network network, RemoteAccessVpn vpn) throws ResourceUnavailableException;
} }

6
api/src/com/cloud/network/vpn/RemoteAccessVpnService.java
View File

@ -22,7 +22,6 @@ import java.util.List;
import com.cloud.api.commands.ListRemoteAccessVpnsCmd; import com.cloud.api.commands.ListRemoteAccessVpnsCmd;
import com.cloud.api.commands.ListVpnUsersCmd; import com.cloud.api.commands.ListVpnUsersCmd;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException; import com.cloud.exception.ResourceUnavailableException;
import com.cloud.network.RemoteAccessVpn; import com.cloud.network.RemoteAccessVpn;
@ -32,9 +31,8 @@ import com.cloud.utils.net.Ip;
public interface RemoteAccessVpnService { public interface RemoteAccessVpnService {
RemoteAccessVpn createRemoteAccessVpn(Ip vpnServerAddress, String ipRange) throws NetworkRuleConflictException; RemoteAccessVpn createRemoteAccessVpn(Ip vpnServerAddress, String ipRange) throws NetworkRuleConflictException;
void destroyRemoteAccessVpn(Ip vpnServerAddress); void destroyRemoteAccessVpn(Ip vpnServerAddress, long startEventId) throws ResourceUnavailableException;
List<? extends RemoteAccessVpn> listRemoteAccessVpns(long vpnOwnerId, Ip publicIp); RemoteAccessVpn startRemoteAccessVpn(Ip vpnServerAddress) throws ResourceUnavailableException;
RemoteAccessVpn startRemoteAccessVpn(Ip vpnServerAddress) throws ConcurrentOperationException, ResourceUnavailableException;
VpnUser addVpnUser(long vpnOwnerId, String userName, String password); VpnUser addVpnUser(long vpnOwnerId, String userName, String password);
boolean removeVpnUser(long vpnOwnerId, String userName); boolean removeVpnUser(long vpnOwnerId, String userName);

13
server/src/com/cloud/network/RemoteAccessVpnVO.java
View File

@ -53,6 +53,9 @@ public class RemoteAccessVpnVO implements RemoteAccessVpn {
@Column(name="ipsec_psk") @Column(name="ipsec_psk")
private String ipsecPresharedKey; private String ipsecPresharedKey;
@Column(name="state")
private State state;
public RemoteAccessVpnVO() { } public RemoteAccessVpnVO() { }
public RemoteAccessVpnVO(long accountId, long domainId, long networkId, Ip publicIp, String localIp, String ipRange, String presharedKey) { public RemoteAccessVpnVO(long accountId, long domainId, long networkId, Ip publicIp, String localIp, String ipRange, String presharedKey) {
@ -63,6 +66,16 @@ public class RemoteAccessVpnVO implements RemoteAccessVpn {
this.localIp = localIp; this.localIp = localIp;
this.domainId = domainId; this.domainId = domainId;
this.networkId = networkId; this.networkId = networkId;
this.state = State.Added;
}
@Override
public State getState() {
return state;
}
public void setState(State state) {
this.state = state;
} }
@Override @Override

3
server/src/com/cloud/network/dao/FirewallRulesDao.java
View File

@ -20,6 +20,7 @@ package com.cloud.network.dao;
import java.util.List; import java.util.List;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRuleVO; import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.utils.db.GenericDao; import com.cloud.utils.db.GenericDao;
import com.cloud.utils.net.Ip; import com.cloud.utils.net.Ip;
@ -34,6 +35,8 @@ public interface FirewallRulesDao extends GenericDao<FirewallRuleVO, Long> {
boolean revoke(FirewallRuleVO rule); boolean revoke(FirewallRuleVO rule);
boolean releasePorts(Ip ip, String protocol, FirewallRule.Purpose purpose, int[] ports);
// public List<PortForwardingRuleVO> listIPForwarding(String publicIPAddress, boolean forwarding); // public List<PortForwardingRuleVO> listIPForwarding(String publicIPAddress, boolean forwarding);
// public List<PortForwardingRuleVO> listIPForwarding(String publicIPAddress, String port, boolean forwarding); // public List<PortForwardingRuleVO> listIPForwarding(String publicIPAddress, String port, boolean forwarding);
// //

21
server/src/com/cloud/network/dao/FirewallRulesDaoImpl.java
View File

@ -24,6 +24,7 @@ import javax.ejb.Local;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import com.cloud.network.rules.FirewallRule;
import com.cloud.network.rules.FirewallRule.State; import com.cloud.network.rules.FirewallRule.State;
import com.cloud.network.rules.FirewallRuleVO; import com.cloud.network.rules.FirewallRuleVO;
import com.cloud.utils.db.DB; import com.cloud.utils.db.DB;
@ -39,6 +40,7 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
protected final SearchBuilder<FirewallRuleVO> AllFieldsSearch; protected final SearchBuilder<FirewallRuleVO> AllFieldsSearch;
protected final SearchBuilder<FirewallRuleVO> IpNotRevokedSearch; protected final SearchBuilder<FirewallRuleVO> IpNotRevokedSearch;
protected final SearchBuilder<FirewallRuleVO> ReleaseSearch;
protected FirewallRulesDaoImpl() { protected FirewallRulesDaoImpl() {
super(); super();
@ -54,12 +56,29 @@ public class FirewallRulesDaoImpl extends GenericDaoBase<FirewallRuleVO, Long> i
AllFieldsSearch.and("networkId", AllFieldsSearch.entity().getNetworkId(), Op.EQ); AllFieldsSearch.and("networkId", AllFieldsSearch.entity().getNetworkId(), Op.EQ);
AllFieldsSearch.done(); AllFieldsSearch.done();
IpNotRevokedSearch = createSearchBuilder(); IpNotRevokedSearch = createSearchBuilder();
IpNotRevokedSearch.and("ip", IpNotRevokedSearch.entity().getSourceIpAddress(), Op.EQ); IpNotRevokedSearch.and("ip", IpNotRevokedSearch.entity().getSourceIpAddress(), Op.EQ);
IpNotRevokedSearch.and("state", IpNotRevokedSearch.entity().getState(), Op.NEQ); IpNotRevokedSearch.and("state", IpNotRevokedSearch.entity().getState(), Op.NEQ);
IpNotRevokedSearch.done(); IpNotRevokedSearch.done();
ReleaseSearch = createSearchBuilder();
ReleaseSearch.and("protocol", ReleaseSearch.entity().getProtocol(), Op.EQ);
ReleaseSearch.and("ip", ReleaseSearch.entity().getSourceIpAddress(), Op.EQ);
ReleaseSearch.and("purpose", ReleaseSearch.entity().getPurpose(), Op.EQ);
ReleaseSearch.and("ports", ReleaseSearch.entity().getSourcePortStart(), Op.IN);
ReleaseSearch.done();
}
@Override
public boolean releasePorts(Ip ip, String protocol, FirewallRule.Purpose purpose, int[] ports) {
SearchCriteria<FirewallRuleVO> sc = ReleaseSearch.create();
sc.setParameters("protocol", protocol);
sc.setParameters("ip", ip);
sc.setParameters("purpose", purpose);
sc.setParameters("ports", ports);
int results = remove(sc);
return results == ports.length;
} }
@Override @Override

1
server/src/com/cloud/network/rules/RulesManager.java
View File

@ -74,4 +74,5 @@ public interface RulesManager extends RulesService {
boolean revokePortForwardingRule(long vmId); boolean revokePortForwardingRule(long vmId);
FirewallRule[] reservePorts(IpAddress ip, String protocol, FirewallRule.Purpose purpose, int... ports) throws NetworkRuleConflictException; FirewallRule[] reservePorts(IpAddress ip, String protocol, FirewallRule.Purpose purpose, int... ports) throws NetworkRuleConflictException;
boolean releasePorts(Ip ip, String protocol, FirewallRule.Purpose purpose, int... ports);
} }

5
server/src/com/cloud/network/rules/RulesManagerImpl.java
View File

@ -456,6 +456,11 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
return null; return null;
} }
@Override
public boolean releasePorts(Ip ip, String protocol, FirewallRule.Purpose purpose, int... ports) {
return _firewallDao.releasePorts(ip, protocol, purpose, ports);
}
@Override @DB @Override @DB
public FirewallRuleVO[] reservePorts(IpAddress ip, String protocol, FirewallRule.Purpose purpose, int... ports) throws NetworkRuleConflictException { public FirewallRuleVO[] reservePorts(IpAddress ip, String protocol, FirewallRule.Purpose purpose, int... ports) throws NetworkRuleConflictException {
FirewallRuleVO[] rules = new FirewallRuleVO[ports.length]; FirewallRuleVO[] rules = new FirewallRuleVO[ports.length];

274
server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java
View File

@ -26,7 +26,6 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import com.cloud.api.commands.DeleteRemoteAccessVpnCmd;
import com.cloud.api.commands.ListRemoteAccessVpnsCmd; import com.cloud.api.commands.ListRemoteAccessVpnsCmd;
import com.cloud.api.commands.ListVpnUsersCmd; import com.cloud.api.commands.ListVpnUsersCmd;
import com.cloud.configuration.Config; import com.cloud.configuration.Config;
@ -35,8 +34,8 @@ import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao; import com.cloud.domain.dao.DomainDao;
import com.cloud.event.EventTypes; import com.cloud.event.EventTypes;
import com.cloud.event.EventUtils; import com.cloud.event.EventUtils;
import com.cloud.event.EventVO;
import com.cloud.exception.AccountLimitException; import com.cloud.exception.AccountLimitException;
import com.cloud.exception.ConcurrentOperationException;
import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.NetworkRuleConflictException;
import com.cloud.exception.ResourceUnavailableException; import com.cloud.exception.ResourceUnavailableException;
@ -73,20 +72,29 @@ import com.cloud.utils.db.Transaction;
import com.cloud.utils.net.Ip; import com.cloud.utils.net.Ip;
import com.cloud.utils.net.NetUtils; import com.cloud.utils.net.NetUtils;
@Local(value=RemoteAccessVpnService.class) @Local(value = RemoteAccessVpnService.class)
public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manager { public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manager {
private final static Logger s_logger = Logger.getLogger(RemoteAccessVpnManagerImpl.class); private final static Logger s_logger = Logger.getLogger(RemoteAccessVpnManagerImpl.class);
String _name; String _name;
@Inject AccountDao _accountDao; @Inject
@Inject VpnUserDao _vpnUsersDao; AccountDao _accountDao;
@Inject RemoteAccessVpnDao _remoteAccessVpnDao; @Inject
@Inject IPAddressDao _ipAddressDao; VpnUserDao _vpnUsersDao;
@Inject VirtualNetworkApplianceManager _routerMgr; @Inject
@Inject AccountManager _accountMgr; RemoteAccessVpnDao _remoteAccessVpnDao;
@Inject NetworkManager _networkMgr; @Inject
@Inject RulesManager _rulesMgr; IPAddressDao _ipAddressDao;
@Inject DomainDao _domainDao; @Inject
VirtualNetworkApplianceManager _routerMgr;
@Inject
AccountManager _accountMgr;
@Inject
NetworkManager _networkMgr;
@Inject
RulesManager _rulesMgr;
@Inject
DomainDao _domainDao;
int _userLimit; int _userLimit;
int _pskLength; int _pskLength;
@ -138,8 +146,8 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
Network network = _networkMgr.getNetwork(ipAddr.getAssociatedWithNetworkId()); Network network = _networkMgr.getNetwork(ipAddr.getAssociatedWithNetworkId());
Pair<String, Integer> cidr = NetUtils.getCidr(network.getCidr()); Pair<String, Integer> cidr = NetUtils.getCidr(network.getCidr());
// FIXME: This check won't work for the case where the guest ip range
//FIXME: This check won't work for the case where the guest ip range changes depending on the vlan allocated. // changes depending on the vlan allocated.
String[] guestIpRange = NetUtils.getIpRangeFromCidr(cidr.first(), cidr.second()); String[] guestIpRange = NetUtils.getIpRangeFromCidr(cidr.first(), cidr.second());
if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) { if (NetUtils.ipRangesOverlap(range[0], range[1], guestIpRange[0], guestIpRange[1])) {
throw new InvalidParameterValueException("Invalid ip range: " + ipRange + " overlaps with guest ip range " + guestIpRange[0] + "-" throw new InvalidParameterValueException("Invalid ip range: " + ipRange + " overlaps with guest ip range " + guestIpRange[0] + "-"
@ -152,7 +160,8 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
String newIpRange = NetUtils.long2Ip(++startIp) + "-" + range[1]; String newIpRange = NetUtils.long2Ip(++startIp) + "-" + range[1];
String sharedSecret = PasswordGenerator.generatePresharedKey(_pskLength); String sharedSecret = PasswordGenerator.generatePresharedKey(_pskLength);
_rulesMgr.reservePorts(ipAddr, NetUtils.UDP_PROTO, Purpose.Vpn, NetUtils.VPN_PORT, NetUtils.VPN_L2TP_PORT, NetUtils.VPN_NATT_PORT); _rulesMgr.reservePorts(ipAddr, NetUtils.UDP_PROTO, Purpose.Vpn, NetUtils.VPN_PORT, NetUtils.VPN_L2TP_PORT, NetUtils.VPN_NATT_PORT);
vpnVO = new RemoteAccessVpnVO(ipAddr.getAllocatedToAccountId(), ipAddr.getAllocatedInDomainId(), ipAddr.getAssociatedWithNetworkId(), publicIp, range[0], newIpRange, sharedSecret); vpnVO = new RemoteAccessVpnVO(ipAddr.getAllocatedToAccountId(), ipAddr.getAllocatedInDomainId(), ipAddr.getAssociatedWithNetworkId(),
publicIp, range[0], newIpRange, sharedSecret);
return _remoteAccessVpnDao.persist(vpnVO); return _remoteAccessVpnDao.persist(vpnVO);
} }
@ -170,26 +179,69 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
return; return;
} }
String [] range = ipRange.split("-"); String[] range = ipRange.split("-");
if (range.length != 2) { if (range.length != 2) {
throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange); throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
} }
if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])){ if (!NetUtils.isValidIp(range[0]) || !NetUtils.isValidIp(range[1])) {
throw new ConfigurationException("Remote Access VPN: Invalid ip in range specification " + ipRange); throw new ConfigurationException("Remote Access VPN: Invalid ip in range specification " + ipRange);
} }
if (!NetUtils.validIpRange(range[0], range[1])){ if (!NetUtils.validIpRange(range[0], range[1])) {
throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange); throw new ConfigurationException("Remote Access VPN: Invalid ip range " + ipRange);
} }
} }
@Override @Override @DB
public void destroyRemoteAccessVpn(Ip ip) { public void destroyRemoteAccessVpn(Ip ip, long startEventId) throws ResourceUnavailableException {
} long userId = UserContext.current().getCallerUserId();
Account caller = UserContext.current().getCaller();
@Override RemoteAccessVpnVO vpn = _remoteAccessVpnDao.findById(ip);
public List<? extends RemoteAccessVpn> listRemoteAccessVpns(long vpnOwnerId, Ip publicIp) { if (vpn == null) {
// TODO Auto-generated method stub s_logger.debug("vpn does not exists " + ip);
return null; return;
}
_accountMgr.checkAccess(caller, vpn);
Account owner = _accountDao.findById(vpn.getAccountId());
Network network = _networkMgr.getNetwork(vpn.getNetworkId());
EventUtils.saveStartedEvent(userId, owner.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_DESTROY, "Deleting Remote Access VPN for account: "
+ owner.getAccountName() + " in " + ip, startEventId);
vpn.setState(RemoteAccessVpn.State.Removed);
List<? extends RemoteAccessVpnElement> elements = _networkMgr.getRemoteAccessVpnElements();
boolean success = false;
try {
for (RemoteAccessVpnElement element : elements) {
if (element.stop(network, vpn)) {
success = true;
break;
}
}
} finally {
if (!success) {
EventUtils.saveEvent(userId, owner.getId(), EventVO.LEVEL_ERROR, EventTypes.EVENT_REMOTE_ACCESS_VPN_DESTROY,
"Unable to delete Remote Access VPN ", owner.getAccountName());
} else {
Transaction txn = Transaction.currentTxn();
txn.start();
_remoteAccessVpnDao.remove(ip);
if (!_rulesMgr.releasePorts(ip, NetUtils.UDP_PROTO, Purpose.Vpn, NetUtils.VPN_L2TP_PORT, NetUtils.VPN_NATT_PORT, NetUtils.VPN_PORT)) {
s_logger.warn("Unable to release the three vpn ports from the firewall rules");
txn.rollback();
} else {
EventUtils.saveEvent(userId, owner.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_DESTROY, "Deleted Remote Access VPN for account: "
+ owner.getAccountName());
}
txn.commit();
}
}
} }
@Override @Override
@ -199,7 +251,8 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
Account caller = UserContext.current().getCaller(); Account caller = UserContext.current().getCaller();
if (!username.matches("^[a-zA-Z0-9][a-zA-Z0-9@._-]{2,63}$")) { if (!username.matches("^[a-zA-Z0-9][a-zA-Z0-9@._-]{2,63}$")) {
throw new InvalidParameterValueException("Username has to be begin with an alphabet have 3-64 characters including alphabets, numbers and the set '@.-_'"); throw new InvalidParameterValueException(
"Username has to be begin with an alphabet have 3-64 characters including alphabets, numbers and the set '@.-_'");
} }
if (!password.matches("^[a-zA-Z0-9][a-zA-Z0-9@#+=._-]{2,31}$")) { if (!password.matches("^[a-zA-Z0-9][a-zA-Z0-9@#+=._-]{2,31}$")) {
throw new InvalidParameterValueException("Password has to be 3-32 characters including alphabets, numbers and the set '@#+=.-_'"); throw new InvalidParameterValueException("Password has to be 3-32 characters including alphabets, numbers and the set '@#+=.-_'");
@ -218,7 +271,8 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
} }
VpnUser user = _vpnUsersDao.persist(new VpnUserVO(vpnOwnerId, username, password)); VpnUser user = _vpnUsersDao.persist(new VpnUserVO(vpnOwnerId, username, password));
EventUtils.saveEvent(callerId, owner.getId(), EventTypes.EVENT_VPN_USER_ADD, "Added a VPN user for account: " + owner.getAccountName() + " username= " + username); EventUtils.saveEvent(callerId, owner.getId(), EventTypes.EVENT_VPN_USER_ADD, "Added a VPN user for account: " + owner.getAccountName()
+ " username= " + username);
txn.commit(); txn.commit();
return user; return user;
} }
@ -249,97 +303,48 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
} }
@Override @Override
@DB public RemoteAccessVpnVO startRemoteAccessVpn(Ip vpnId) throws ResourceUnavailableException {
public RemoteAccessVpnVO startRemoteAccessVpn(Ip vpnServerAddress) throws ConcurrentOperationException, ResourceUnavailableException { long userId = UserContext.current().getCallerUserId();
// long userId = UserContext.current().getCallerUserId(); Account caller = UserContext.current().getCaller();
// Account caller = UserContext.current().getCaller();
// RemoteAccessVpnVO vpn = _remoteAccessVpnDao.findById(vpnId);
// RemoteAccessVpnVO vpn = _remoteAccessVpnDao.findById(vpnId); if (vpn == null) {
// if (vpn == null) { throw new InvalidParameterValueException("Unable to find your vpn: " + vpnId);
// throw new InvalidParameterValueException("Unable to find your vpn: " + vpnId); }
// }
// _accountMgr.checkAccess(caller, vpn);
// _accountMgr.checkAccess(caller, vpn);
// Account owner = _accountDao.findById(vpn.getAccountId());
// Network network = _networkMgr.getNetwork(vpn.getNetworkId());
// Account account = getAccountForApiCommand(cmd.getAccountName(), cmd.getDomainId());
// EventUtils.saveStartedEvent(userId, account.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_CREATE, "Creating a Remote Access VPN for account: " + account.getAccountName() + " in zone " + cmd.getZoneId(), cmd.getStartEventId()); EventUtils.saveStartedEvent(userId, owner.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_CREATE, "Creating a Remote Access VPN for account: "
// String publicIp = vpn.getServerAddress(); + owner.getAccountName() + " in zone ");
// Long vpnId = vpn.getId();
// Transaction txn = Transaction.currentTxn(); List<? extends RemoteAccessVpnElement> elements = _networkMgr.getRemoteAccessVpnElements();
// txn.start(); boolean started = false;
// boolean locked = false; try {
// boolean created = false; for (RemoteAccessVpnElement element : elements) {
// try { if (element.start(network, vpn)) {
// IPAddressVO ipAddr = _ipAddressDao.acquireInLockTable(publicIp); started = true;
// if (ipAddr == null) { break;
// throw new ConcurrentOperationException("Another operation active, unable to create vpn"); }
// } }
// locked = true; return vpn;
// } finally {
// vpn = _routerMgr.startRemoteAccessVpn(vpn); if (started) {
// created = (vpn != null); EventUtils.saveEvent(userId, owner.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_CREATE, "Created a Remote Access VPN for account: "
// + owner.getAccountName());
// return vpn; vpn.setState(RemoteAccessVpn.State.Running);
// } finally { _remoteAccessVpnDao.update(vpn.getServerAddress(), vpn);
// if (created) { } else {
// EventUtils.saveEvent(userId, account.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_CREATE, "Created a Remote Access VPN for account: " + account.getAccountName() + " in zone " + cmd.getZoneId()); EventUtils.saveEvent(userId, owner.getId(), EventVO.LEVEL_ERROR, EventTypes.EVENT_REMOTE_ACCESS_VPN_CREATE,
// } else { "Unable to create Remote Access VPN ", owner.getAccountName());
// EventUtils.saveEvent(userId, account.getId(), EventVO.LEVEL_ERROR, EventTypes.EVENT_REMOTE_ACCESS_VPN_CREATE, "Unable to create Remote Access VPN ", account.getAccountName() + " in zone " + cmd.getZoneId()); }
// _remoteAccessVpnDao.remove(vpnId); }
// }
// txn.commit();
// if (locked) {
// _ipAddressDao.releaseFromLockTable(publicIp);
// }
// }
return null;
} }
@DB @DB
public boolean destroyRemoteAccessVpn(DeleteRemoteAccessVpnCmd cmd) throws ConcurrentOperationException { @Override
// Long userId = UserContext.current().getUserId();
// Account account = getAccountForApiCommand(cmd.getAccountName(), cmd.getDomainId());
// //TODO: assumes one virtual network / domr per account per zone
// RemoteAccessVpnVO vpnVO = _remoteAccessVpnDao.findByAccountAndZone(account.getId(), cmd.getZoneId());
// if (vpnVO == null) {
// throw new InvalidParameterValueException("No VPN found for account " + account.getAccountName() + " in zone " + cmd.getZoneId());
// }
// EventUtils.saveStartedEvent(userId, account.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_DESTROY, "Deleting Remote Access VPN for account: " + account.getAccountName() + " in zone " + cmd.getZoneId(), cmd.getStartEventId());
// String publicIp = vpnVO.getVpnServerAddress();
// Long vpnId = vpnVO.getId();
// Transaction txn = Transaction.currentTxn();
// txn.start();
// boolean locked = false;
// boolean deleted = false;
// try {
// IPAddressVO ipAddr = _ipAddressDao.acquireInLockTable(publicIp);
// if (ipAddr == null) {
// throw new ConcurrentOperationException("Another operation active, unable to create vpn");
// }
// locked = true;
//
// deleted = _routerMgr.deleteRemoteAccessVpn(vpnVO);
// return deleted;
// } finally {
// if (deleted) {
// _remoteAccessVpnDao.remove(vpnId);
// _rulesDao.deleteIPForwardingByPublicIpAndPort(publicIp, NetUtils.VPN_PORT);
// _rulesDao.deleteIPForwardingByPublicIpAndPort(publicIp, NetUtils.VPN_NATT_PORT);
// _rulesDao.deleteIPForwardingByPublicIpAndPort(publicIp, NetUtils.VPN_L2TP_PORT);
// EventUtils.saveEvent(userId, account.getId(), EventTypes.EVENT_REMOTE_ACCESS_VPN_DESTROY, "Deleted Remote Access VPN for account: " + account.getAccountName() + " in zone " + cmd.getZoneId());
// } else {
// EventUtils.saveEvent(userId, account.getId(), EventVO.LEVEL_ERROR, EventTypes.EVENT_REMOTE_ACCESS_VPN_DESTROY, "Unable to delete Remote Access VPN ", account.getAccountName() + " in zone " + cmd.getZoneId());
// }
// txn.commit();
// if (locked) {
// _ipAddressDao.releaseFromLockTable(publicIp);
// }
// }
return false; // FIXME
}
@DB @Override
public boolean applyVpnUsers(long vpnOwnerId) { public boolean applyVpnUsers(long vpnOwnerId) {
Account caller = UserContext.current().getCaller(); Account caller = UserContext.current().getCaller();
Account owner = _accountDao.findById(vpnOwnerId); Account owner = _accountDao.findById(vpnOwnerId);
@ -350,7 +355,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
List<VpnUserVO> users = _vpnUsersDao.listByAccount(vpnOwnerId); List<VpnUserVO> users = _vpnUsersDao.listByAccount(vpnOwnerId);
List<RemoteAccessVpnElement> elements = null; List<? extends RemoteAccessVpnElement> elements = _networkMgr.getRemoteAccessVpnElements();
boolean success = true; boolean success = true;
@ -358,17 +363,27 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
for (RemoteAccessVpnElement element : elements) { for (RemoteAccessVpnElement element : elements) {
s_logger.debug("Applying vpn access to " + element.getName()); s_logger.debug("Applying vpn access to " + element.getName());
for (RemoteAccessVpnVO vpn : vpns) { for (RemoteAccessVpnVO vpn : vpns) {
String[] results = element.applyVpnUsers(vpn, users); try {
String[] results = element.applyVpnUsers(vpn, users);
for (int i = 0; i < results.length; i++) { for (int i = 0; i < results.length; i++) {
s_logger.debug("VPN User " + users.get(i) + (results[i] == null ? " is set on " : (" couldn't be set due to " + results[i]) + " on ") + vpn); s_logger.debug("VPN User " + users.get(i)
if (results[i] == null) { + (results[i] == null ? " is set on " : (" couldn't be set due to " + results[i]) + " on ") + vpn);
if (!finals[i]) { if (results[i] == null) {
finals[i] = true; if (!finals[i]) {
finals[i] = true;
}
} else {
finals[i] = false;
success = false;
} }
} else { }
} catch (ResourceUnavailableException e) {
s_logger.warn("Unable to apply vpn users ", e);
success= false;
for (int i = 0; i < finals.length; i++) {
finals[i] = false; finals[i] = false;
success = false;
} }
} }
} }
@ -401,14 +416,14 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
Object id = cmd.getId(); Object id = cmd.getId();
SearchBuilder<VpnUserVO> sb = _vpnUsersDao.createSearchBuilder(); SearchBuilder<VpnUserVO> sb = _vpnUsersDao.createSearchBuilder();
sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ); sb.and("id", sb.entity().getId(), SearchCriteria.Op.EQ);
sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.EQ); sb.and("username", sb.entity().getUsername(), SearchCriteria.Op.EQ);
sb.and("accountId", sb.entity().getAccountId(), SearchCriteria.Op.EQ); sb.and("accountId", sb.entity().getAccountId(), SearchCriteria.Op.EQ);
if ((accountId == null) && (domainId != null)) { if ((accountId == null) && (domainId != null)) {
// if accountId isn't specified, we can do a domain match for the admin case // if accountId isn't specified, we can do a domain match for the
// admin case
SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder(); SearchBuilder<DomainVO> domainSearch = _domainDao.createSearchBuilder();
domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE); domainSearch.and("path", domainSearch.entity().getPath(), SearchCriteria.Op.LIKE);
sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER); sb.join("domainSearch", domainSearch, sb.entity().getDomainId(), domainSearch.entity().getId(), JoinBuilder.JoinType.INNER);
@ -424,7 +439,6 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
sc.setParameters("username", username); sc.setParameters("username", username);
} }
if (accountId != null) { if (accountId != null) {
sc.setParameters("accountId", accountId); sc.setParameters("accountId", accountId);
} else if (domainId != null) { } else if (domainId != null) {
@ -435,7 +449,6 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
return _vpnUsersDao.search(sc, searchFilter); return _vpnUsersDao.search(sc, searchFilter);
} }
@Override @Override
public List<RemoteAccessVpnVO> searchForRemoteAccessVpns(ListRemoteAccessVpnsCmd cmd) { public List<RemoteAccessVpnVO> searchForRemoteAccessVpns(ListRemoteAccessVpnsCmd cmd) {
// do some parameter validation // do some parameter validation
@ -451,7 +464,8 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
} else { } else {
Long ipAddrAcctId = publicIp.getAllocatedToAccountId(); Long ipAddrAcctId = publicIp.getAllocatedToAccountId();
if (ipAddrAcctId == null) { if (ipAddrAcctId == null) {
throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddress + " is not associated with an account."); throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddress
+ " is not associated with an account.");
} }
} }
_accountMgr.checkAccess(caller, publicIp); _accountMgr.checkAccess(caller, publicIp);
@ -469,7 +483,6 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
Filter searchFilter = new Filter(RemoteAccessVpnVO.class, "serverAddress", true, cmd.getStartIndex(), cmd.getPageSizeVal()); Filter searchFilter = new Filter(RemoteAccessVpnVO.class, "serverAddress", true, cmd.getStartIndex(), cmd.getPageSizeVal());
SearchCriteria<RemoteAccessVpnVO> sc = VpnSearch.create(); SearchCriteria<RemoteAccessVpnVO> sc = VpnSearch.create();
sc.setParameters("accountId", owner.getId()); sc.setParameters("accountId", owner.getId());
@ -479,7 +492,6 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
return _remoteAccessVpnDao.search(sc, searchFilter); return _remoteAccessVpnDao.search(sc, searchFilter);
} }
@Override @Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException { public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
_name = name; _name = name;

1
setup/db/create-schema.sql
View File

@ -1055,6 +1055,7 @@ CREATE TABLE `cloud`.`remote_access_vpn` (
`local_ip` varchar(15) NOT NULL, `local_ip` varchar(15) NOT NULL,
`ip_range` varchar(32) NOT NULL, `ip_range` varchar(32) NOT NULL,
`ipsec_psk` varchar(256) NOT NULL, `ipsec_psk` varchar(256) NOT NULL,
`state` char(32) NOT NULL,
PRIMARY KEY (`vpn_server_addr`), PRIMARY KEY (`vpn_server_addr`),
CONSTRAINT `fk_remote_access_vpn__account_id` FOREIGN KEY `fk_remote_access_vpn__account_id`(`account_id`) REFERENCES `account` (`id`) ON DELETE CASCADE, CONSTRAINT `fk_remote_access_vpn__account_id` FOREIGN KEY `fk_remote_access_vpn__account_id`(`account_id`) REFERENCES `account` (`id`) ON DELETE CASCADE,
CONSTRAINT `fk_remote_access_vpn__domain_id` FOREIGN KEY `fk_remote_access_vpn__domain_id`(`domain_id`) REFERENCES `domain`(`id`) ON DELETE CASCADE, CONSTRAINT `fk_remote_access_vpn__domain_id` FOREIGN KEY `fk_remote_access_vpn__domain_id`(`domain_id`) REFERENCES `domain`(`id`) ON DELETE CASCADE,