Merge remote-tracking branch 'origin/4.15'

yadvr · yadvr · commit a1be9b02a6cc · 2021-03-06T16:02:09.000+05:30
diff --git a/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java b/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
@@ -113,7 +113,7 @@ public Answer executeRequest(final Command cmd) {
 
     private Answer execute(StartConsoleProxyAgentHttpHandlerCommand cmd) {
         s_logger.info("Invoke launchConsoleProxy() in responding to StartConsoleProxyAgentHttpHandlerCommand");
-        launchConsoleProxy(cmd.getKeystoreBits(), cmd.getKeystorePassword(), cmd.getEncryptorPassword());
+        launchConsoleProxy(cmd.getKeystoreBits(), cmd.getKeystorePassword(), cmd.getEncryptorPassword(), cmd.isSourceIpCheckEnabled());
         return new Answer(cmd);
     }
 
@@ -313,7 +313,7 @@ public String getName() {
         return _name;
     }
 
-    private void launchConsoleProxy(final byte[] ksBits, final String ksPassword, final String encryptorPassword) {
+    private void launchConsoleProxy(final byte[] ksBits, final String ksPassword, final String encryptorPassword, final Boolean isSourceIpCheckEnabled) {
         final Object resource = this;
         s_logger.info("Building class loader for com.cloud.consoleproxy.ConsoleProxy");
         if (_consoleProxyMain == null) {
@@ -325,8 +325,8 @@ protected void runInContext() {
                         Class<?> consoleProxyClazz = Class.forName("com.cloud.consoleproxy.ConsoleProxy");
                         try {
                             s_logger.info("Invoke startWithContext()");
-                            Method method = consoleProxyClazz.getMethod("startWithContext", Properties.class, Object.class, byte[].class, String.class, String.class);
-                            method.invoke(null, _properties, resource, ksBits, ksPassword, encryptorPassword);
+                            Method method = consoleProxyClazz.getMethod("startWithContext", Properties.class, Object.class, byte[].class, String.class, String.class, Boolean.class);
+                            method.invoke(null, _properties, resource, ksBits, ksPassword, encryptorPassword, isSourceIpCheckEnabled);
                         } catch (SecurityException e) {
                             s_logger.error("Unable to launch console proxy due to SecurityException", e);
                             System.exit(ExitStatus.Error.value());
@@ -358,6 +358,8 @@ protected void runInContext() {
                 Class<?> consoleProxyClazz = Class.forName("com.cloud.consoleproxy.ConsoleProxy");
                 Method methodSetup = consoleProxyClazz.getMethod("setEncryptorPassword", String.class);
                 methodSetup.invoke(null, encryptorPassword);
+                methodSetup = consoleProxyClazz.getMethod("setIsSourceIpCheckEnabled", Boolean.class);
+                methodSetup.invoke(null, isSourceIpCheckEnabled);
             } catch (SecurityException e) {
                 s_logger.error("Unable to launch console proxy due to SecurityException", e);
                 System.exit(ExitStatus.Error.value());
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/ProjectResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/ProjectResponse.java
@@ -51,10 +51,6 @@ public class ProjectResponse extends BaseResponse implements ResourceLimitAndCou
     @Param(description = "the domain name where the project belongs to")
     private String domain;
 
-    @SerializedName(ApiConstants.ACCOUNT)
-    @Param(description = "the account name of the project's owner")
-    private String ownerName;
-
     @SerializedName(ApiConstants.OWNER)
     @Param(description = "the account name of the project's owners")
     private List<Map<String, String>> owners;
@@ -231,10 +227,6 @@ public void setDomain(String domain) {
         this.domain = domain;
     }
 
-    public void setOwner(String owner) {
-        ownerName = owner;
-    }
-
     public void setProjectAccountName(String projectAccountName) {
         this.projectAccountName = projectAccountName;
     }
diff --git a/core/src/main/java/com/cloud/agent/api/proxy/StartConsoleProxyAgentHttpHandlerCommand.java b/core/src/main/java/com/cloud/agent/api/proxy/StartConsoleProxyAgentHttpHandlerCommand.java
@@ -31,6 +31,8 @@ public class StartConsoleProxyAgentHttpHandlerCommand extends Command {
     @LogLevel(Log4jLevel.Off)
     private String encryptorPassword;
 
+    private Boolean isSourceIpCheckEnabled;
+
     public StartConsoleProxyAgentHttpHandlerCommand() {
         super();
     }
@@ -68,4 +70,12 @@ public String getEncryptorPassword() {
     public void setEncryptorPassword(String encryptorPassword) {
         this.encryptorPassword = encryptorPassword;
     }
+
+    public Boolean isSourceIpCheckEnabled() {
+        return isSourceIpCheckEnabled;
+    }
+
+    public void setIsSourceIpCheckEnabled(Boolean isSourceIpCheckEnabled) {
+        this.isSourceIpCheckEnabled = isSourceIpCheckEnabled;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -389,7 +389,7 @@ private boolean isSpecificAPI(String commandName) {
     }
 
     //This method will try to get login IP of user even if servlet is behind reverseProxy or loadBalancer
-    static InetAddress getClientAddress(final HttpServletRequest request) throws UnknownHostException {
+    public static InetAddress getClientAddress(final HttpServletRequest request) throws UnknownHostException {
         for(final String header : s_clientAddressHeaders) {
             final String ip = getCorrectIPAddress(request.getHeader(header));
             if (ip != null) {
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
@@ -208,6 +208,7 @@ public void startAgentHttpHandlerInVM(StartupProxyCommand startupCmd) {
 
             cmd = new StartConsoleProxyAgentHttpHandlerCommand(ksBits, storePassword);
             cmd.setEncryptorPassword(getEncryptorPassword());
+            cmd.setIsSourceIpCheckEnabled(Boolean.parseBoolean(_configDao.getValue(ConsoleProxyManager.NoVncConsoleSourceIpCheckEnabled.key())));
 
             HostVO consoleProxyHost = findConsoleProxyHost(startupCmd);
 
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
@@ -41,6 +41,9 @@ public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
     public static final ConfigKey<Boolean> NoVncConsoleDefault = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.default", "true",
         "If true, noVNC console will be default console for virtual machines", true);
 
+    public static final ConfigKey<Boolean> NoVncConsoleSourceIpCheckEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.sourceip.check.enabled", "false",
+        "If true, The source IP to access novnc console must be same as the IP in request to management server for console URL. Needs to reconnect CPVM to management server when this changes (via restart CPVM, or management server, or cloud service in CPVM)", false);
+
     public void setManagementState(ConsoleProxyManagementState state);
 
     public ConsoleProxyManagementState getManagementState();
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -1755,7 +1755,7 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] { NoVncConsoleDefault };
+        return new ConfigKey<?>[] { NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled };
     }
 
 }
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
@@ -33,6 +33,8 @@ public class ConsoleProxyClientParam {
     private String username;
     private String password;
 
+    private String sourceIP;
+
     public ConsoleProxyClientParam() {
         clientHostPort = 0;
     }
@@ -140,4 +142,12 @@ public void setPassword(String password) {
     public String getPassword() {
         return password;
     }
+
+    public String getSourceIP() {
+        return sourceIP;
+    }
+
+    public void setSourceIP(String sourceIP) {
+        this.sourceIP = sourceIP;
+    }
 }
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
@@ -17,7 +17,9 @@
 package com.cloud.servlet;
 
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.URLEncoder;
+import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
@@ -46,6 +48,7 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 
+import com.cloud.api.ApiServlet;
 import com.cloud.consoleproxy.ConsoleProxyManager;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.host.HostVO;
@@ -289,8 +292,15 @@ private void handleAccessRequest(HttpServletRequest req, HttpServletResponse res
             }
         }
 
+        InetAddress remoteAddress = null;
+        try {
+            remoteAddress = ApiServlet.getClientAddress(req);
+        } catch (UnknownHostException e) {
+            s_logger.warn("UnknownHostException when trying to lookup remote IP-Address. This should never happen. Blocking request.", e);
+        }
+
         StringBuffer sb = new StringBuffer();
-        sb.append("<html><title>").append(escapeHTML(vmName)).append("</title><frameset><frame src=\"").append(composeConsoleAccessUrl(rootUrl, vm, host));
+        sb.append("<html><title>").append(escapeHTML(vmName)).append("</title><frameset><frame src=\"").append(composeConsoleAccessUrl(rootUrl, vm, host, remoteAddress));
         sb.append("\"></frame></frameset></html>");
         s_logger.debug("the console url is :: " + sb.toString());
         sendResponse(resp, sb.toString());
@@ -417,7 +427,7 @@ private String composeThumbnailUrl(String rootUrl, VirtualMachine vm, HostVO hos
         return sb.toString();
     }
 
-    private String composeConsoleAccessUrl(String rootUrl, VirtualMachine vm, HostVO hostVo) {
+    private String composeConsoleAccessUrl(String rootUrl, VirtualMachine vm, HostVO hostVo, InetAddress addr) {
         StringBuffer sb = new StringBuffer(rootUrl);
         String host = hostVo.getPrivateIpAddress();
 
@@ -465,6 +475,7 @@ private String composeConsoleAccessUrl(String rootUrl, VirtualMachine vm, HostVO
         param.setClientHostPassword(sid);
         param.setClientTag(tag);
         param.setTicket(ticket);
+        param.setSourceIP(addr != null ? addr.getHostAddress(): null);
 
         if (details != null) {
             param.setLocale(details.getValue());
diff --git a/server/src/main/java/com/cloud/template/TemplateAdapterBase.java b/server/src/main/java/com/cloud/template/TemplateAdapterBase.java
@@ -487,6 +487,10 @@ public TemplateProfile prepareDelete(DeleteTemplateCmd cmd) {
             throw new InvalidParameterValueException("Please specify a valid template.");
         }
 
+        if (template.getState() == VirtualMachineTemplate.State.NotUploaded || template.getState() == VirtualMachineTemplate.State.UploadInProgress) {
+            throw new InvalidParameterValueException("The template is either getting uploaded or it may be initiated shortly, please wait for it to be completed");
+        }
+
         return new TemplateProfile(userId, template, zoneId);
     }
 
@@ -526,6 +530,10 @@ public TemplateProfile prepareDelete(DeleteIsoCmd cmd) {
             throw new InvalidParameterValueException("Please specify a valid iso.");
         }
 
+        if (template.getState() == VirtualMachineTemplate.State.NotUploaded || template.getState() == VirtualMachineTemplate.State.UploadInProgress) {
+            throw new InvalidParameterValueException("The iso is either getting uploaded or it may be initiated shortly, please wait for it to be completed");
+        }
+
         return new TemplateProfile(userId, template, zoneId);
     }
 
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
@@ -57,6 +57,7 @@ public class ConsoleProxy {
     // dynamically changing to customer supplied certificate)
     public static byte[] ksBits;
     public static String ksPassword;
+    public static Boolean isSourceIpCheckEnabled;
 
     public static Method authMethod;
     public static Method reportMethod;
@@ -232,7 +233,7 @@ public static void ensureRoute(String address) {
         }
     }
 
-    public static void startWithContext(Properties conf, Object context, byte[] ksBits, String ksPassword, String password) {
+    public static void startWithContext(Properties conf, Object context, byte[] ksBits, String ksPassword, String password, Boolean isSourceIpCheckEnabled) {
         setEncryptorPassword(password);
         configLog4j();
         Logger.setFactory(new ConsoleProxyLoggerFactory());
@@ -248,6 +249,7 @@ public static void startWithContext(Properties conf, Object context, byte[] ksBi
         ConsoleProxy.context = context;
         ConsoleProxy.ksBits = ksBits;
         ConsoleProxy.ksPassword = ksPassword;
+        ConsoleProxy.isSourceIpCheckEnabled = isSourceIpCheckEnabled;
         try {
             final ClassLoader loader = Thread.currentThread().getContextClassLoader();
             Class<?> contextClazz = loader.loadClass("com.cloud.agent.resource.consoleproxy.ConsoleProxyResource");
@@ -526,6 +528,10 @@ public static void setEncryptorPassword(String password) {
         encryptorPassword = password;
     }
 
+    public static void setIsSourceIpCheckEnabled(Boolean isEnabled) {
+        isSourceIpCheckEnabled = isEnabled;
+    }
+
     static class ThreadExecutor implements Executor {
         @Override
         public void execute(Runnable r) {
@@ -551,11 +557,23 @@ public static ConsoleProxyNoVncClient getNoVncViewer(ConsoleProxyClientParam par
                         !param.getClientHostPassword().equals(viewer.getClientHostPassword()))
                     throw new AuthenticationException("Cannot use the existing viewer " + viewer + ": bad sid");
 
-                if (!viewer.isFrontEndAlive()) {
+                try {
                     authenticationExternally(param);
-                    viewer.initClient(param);
-                    reportLoadChange = true;
+                } catch (Exception e) {
+                    s_logger.error("Authencation failed for param: " + param);
+                    return null;
                 }
+                s_logger.info("Initializing new novnc client and disconnecting existing session");
+                try {
+                    ((ConsoleProxyNoVncClient)viewer).getSession().disconnect();
+                } catch (IOException e) {
+                    s_logger.error("Exception while disconnect session of novnc viewer object: " + viewer, e);
+                }
+                removeViewer(viewer);
+                viewer = new ConsoleProxyNoVncClient(session);
+                viewer.initClient(param);
+                connectionMap.put(clientKey, viewer);
+                reportLoadChange = true;
             }
 
             if (reportLoadChange) {
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
@@ -37,6 +37,8 @@ public class ConsoleProxyClientParam {
     private String username;
     private String password;
 
+    private String sourceIP;
+
     public ConsoleProxyClientParam() {
         clientHostPort = 0;
     }
@@ -143,4 +145,12 @@ public void setPassword(String password) {
     public String getPassword() {
         return password;
     }
+
+    public String getSourceIP() {
+        return sourceIP;
+    }
+
+    public void setSourceIP(String sourceIP) {
+        this.sourceIP = sourceIP;
+    }
 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
@@ -91,6 +91,8 @@ public static Map<String, String> getQueryMap(String query) {
                     map.put("username", param.getUsername());
                 if (param.getPassword() != null)
                     map.put("password", param.getPassword());
+                if (param.getSourceIP() != null)
+                    map.put("sourceIP", param.getSourceIP());
             } else {
                 s_logger.error("Unable to decode token");
             }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
@@ -38,7 +38,7 @@
 @WebSocket
 public class ConsoleProxyNoVNCHandler extends WebSocketHandler {
 
-    private ConsoleProxyNoVncClient viewer;
+    private ConsoleProxyNoVncClient viewer = null;
     private static final Logger s_logger = Logger.getLogger(ConsoleProxyNoVNCHandler.class);
 
     public ConsoleProxyNoVNCHandler() {
@@ -87,6 +87,7 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
         String hypervHost = queryMap.get("hypervHost");
         String username = queryMap.get("username");
         String password = queryMap.get("password");
+        String sourceIP = queryMap.get("sourceIP");
 
         if (tag == null)
             tag = "";
@@ -113,6 +114,10 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
             }
         }
 
+        if (! checkSessionSourceIp(session, sourceIP)) {
+            return;
+        }
+
         try {
             ConsoleProxyClientParam param = new ConsoleProxyClientParam();
             param.setClientHostAddress(host);
@@ -130,12 +135,30 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
         } catch (Exception e) {
             s_logger.warn("Failed to create viewer due to " + e.getMessage(), e);
             return;
+        } finally {
+            if (viewer == null) {
+                session.disconnect();
+            }
         }
     }
 
+    private boolean checkSessionSourceIp(final Session session, final String sourceIP) throws IOException {
+        // Verify source IP
+        String sessionSourceIP = session.getRemoteAddress().getAddress().getHostAddress();
+        s_logger.info("Get websocket connection request from remote IP : " + sessionSourceIP);
+        if (ConsoleProxy.isSourceIpCheckEnabled && (sessionSourceIP == null || ! sessionSourceIP.equals(sourceIP))) {
+            s_logger.warn("Failed to access console as the source IP to request the console is " + sourceIP);
+            session.disconnect();
+            return false;
+        }
+        return true;
+    }
+
     @OnWebSocketClose
     public void onClose(Session session, int statusCode, String reason) throws IOException, InterruptedException {
-        ConsoleProxy.removeViewer(viewer);
+        if (viewer != null) {
+            ConsoleProxy.removeViewer(viewer);
+        }
     }
 
     @OnWebSocketFrame
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java
@@ -235,4 +235,8 @@ public String getClientTag() {
         return "";
     }
 
+    public Session getSession() {
+        return session;
+    }
+
 }
diff --git a/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java b/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java
@@ -2350,6 +2350,9 @@ protected Answer deleteTemplate(DeleteCommand cmd) {
             File tmpltParent = null;
             if (tmpltPath.exists() && tmpltPath.isDirectory()) {
                 tmpltParent = tmpltPath;
+            } else if (absoluteTemplatePath.endsWith(File.separator + obj.getId())) {
+                // the path ends with <account id>/<template id>, if upload fails
+                tmpltParent = tmpltPath;
             } else {
                 tmpltParent = tmpltPath.getParentFile();
             }
@@ -2454,6 +2457,9 @@ protected Answer deleteVolume(final DeleteCommand cmd) {
             if (volPath.exists() && volPath.isDirectory()) {
                 // for vmware, absoluteVolumePath represents a directory where volume files are located.
                 tmpltParent = volPath;
+            } else if (absoluteVolumePath.endsWith(File.separator + obj.getId())) {
+                // the path ends with <account id>/<volume id>, if upload fails
+                tmpltParent = volPath;
             } else {
                 // for other hypervisors, the volume .vhd or .qcow2 file path is passed
                 tmpltParent = new File(absoluteVolumePath).getParentFile();
diff --git a/ui/src/config/section/network.js b/ui/src/config/section/network.js
diff --git a/ui/src/core/lazy_lib/components_use.js b/ui/src/core/lazy_lib/components_use.js
diff --git a/ui/src/views/network/LoadBalancing.vue b/ui/src/views/network/LoadBalancing.vue
diff --git a/ui/src/views/network/PortForwarding.vue b/ui/src/views/network/PortForwarding.vue
diff --git a/ui/src/views/network/VpcTiersTab.vue b/ui/src/views/network/VpcTiersTab.vue

Original file line number	Diff line number	Diff line change
`@@ -389,7 +389,7 @@ private boolean isSpecificAPI(String commandName) {`
`389`	`389`	`}`
`390`	`390`
`391`	`391`	`//This method will try to get login IP of user even if servlet is behind reverseProxy or loadBalancer`
`392`		`- static InetAddress getClientAddress(final HttpServletRequest request) throws UnknownHostException {`
	`392`	`+ public static InetAddress getClientAddress(final HttpServletRequest request) throws UnknownHostException {`
`393`	`393`	`for(final String header : s_clientAddressHeaders) {`
`394`	`394`	`final String ip = getCorrectIPAddress(request.getHeader(header));`
`395`	`395`	`if (ip != null) {`
Original file line number	Diff line number	Diff line change
`@@ -1755,7 +1755,7 @@ public String getConfigComponentName() {`
`1755`	`1755`
`1756`	`1756`	`@Override`
`1757`	`1757`	`public ConfigKey<?>[] getConfigKeys() {`
`1758`		`- return new ConfigKey<?>[] { NoVncConsoleDefault };`
	`1758`	`+ return new ConfigKey<?>[] { NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled };`
`1759`	`1759`	`}`
`1760`	`1760`
`1761`	`1761`	`}`
Original file line number	Diff line number	Diff line change
`@@ -487,6 +487,10 @@ public TemplateProfile prepareDelete(DeleteTemplateCmd cmd) {`
`487`	`487`	`throw new InvalidParameterValueException("Please specify a valid template.");`
`488`	`488`	`}`
`489`	`489`
	`490`	`+ if (template.getState() == VirtualMachineTemplate.State.NotUploaded \|\| template.getState() == VirtualMachineTemplate.State.UploadInProgress) {`
	`491`	`+ throw new InvalidParameterValueException("The template is either getting uploaded or it may be initiated shortly, please wait for it to be completed");`
	`492`	`+ }`
	`493`	`+`
`490`	`494`	`return new TemplateProfile(userId, template, zoneId);`
`491`	`495`	`}`
`492`	`496`
`@@ -526,6 +530,10 @@ public TemplateProfile prepareDelete(DeleteIsoCmd cmd) {`
`526`	`530`	`throw new InvalidParameterValueException("Please specify a valid iso.");`
`527`	`531`	`}`
`528`	`532`
	`533`	`+ if (template.getState() == VirtualMachineTemplate.State.NotUploaded \|\| template.getState() == VirtualMachineTemplate.State.UploadInProgress) {`
	`534`	`+ throw new InvalidParameterValueException("The iso is either getting uploaded or it may be initiated shortly, please wait for it to be completed");`
	`535`	`+ }`
	`536`	`+`
`529`	`537`	`return new TemplateProfile(userId, template, zoneId);`
`530`	`538`	`}`
`531`	`539`