console: Console access enhancements (#6577)

This PR creates a new API createConsoleAccess to create VM console URL allowing it to connect using other UI implementations. To avoid reply attacks, the console access is enhanced to use a one time token per session

New configuration added:
consoleproxy.extra.security.validation.enabled: Enable/disable extra security validation for console proxy using a token

Documentation PR: apache/cloudstack-documentation#284

Author: nvazquez

agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java

@@ -32,6 +32,7 @@
 
 import javax.naming.ConfigurationException;
 
+import com.cloud.agent.api.proxy.AllowConsoleAccessCommand;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.log4j.Logger;
 
@@ -105,12 +106,28 @@ public Answer executeRequest(final Command cmd) {
         } else if (cmd instanceof CheckHealthCommand) {
             return new CheckHealthAnswer((CheckHealthCommand)cmd, true);
         } else if (cmd instanceof StartConsoleProxyAgentHttpHandlerCommand) {
-            return execute((StartConsoleProxyAgentHttpHandlerCommand)cmd);
+            return execute((StartConsoleProxyAgentHttpHandlerCommand) cmd);
+        } else if (cmd instanceof AllowConsoleAccessCommand) {
+            return execute((AllowConsoleAccessCommand) cmd);
         } else {
             return Answer.createUnsupportedCommandAnswer(cmd);
         }
     }
 
+    private Answer execute(AllowConsoleAccessCommand cmd) {
+        String sessionUuid = cmd.getSessionUuid();
+        try {
+            Class<?> consoleProxyClazz = Class.forName("com.cloud.consoleproxy.ConsoleProxy");
+            Method methodSetup = consoleProxyClazz.getMethod("addAllowedSession", String.class);
+            methodSetup.invoke(null, sessionUuid);
+            return new Answer(cmd);
+        } catch (SecurityException | NoSuchMethodException | ClassNotFoundException | InvocationTargetException | IllegalAccessException e) {
+            String errorMsg = "Unable to add allowed session due to: " + e.getMessage();
+            s_logger.error(errorMsg, e);
+            return new Answer(cmd, false, errorMsg);
+        }
+    }
+
     private Answer execute(StartConsoleProxyAgentHttpHandlerCommand cmd) {
         s_logger.info("Invoke launchConsoleProxy() in responding to StartConsoleProxyAgentHttpHandlerCommand");
         launchConsoleProxy(cmd.getKeystoreBits(), cmd.getKeystorePassword(), cmd.getEncryptorPassword(), cmd.isSourceIpCheckEnabled());
@@ -382,9 +399,10 @@ protected void runInContext() {
         }
     }
 
-    public String authenticateConsoleAccess(String host, String port, String vmId, String sid, String ticket, Boolean isReauthentication) {
+    public String authenticateConsoleAccess(String host, String port, String vmId, String sid, String ticket,
+                                            Boolean isReauthentication, String sessionToken) {
 
-        ConsoleAccessAuthenticationCommand cmd = new ConsoleAccessAuthenticationCommand(host, port, vmId, sid, ticket);
+        ConsoleAccessAuthenticationCommand cmd = new ConsoleAccessAuthenticationCommand(host, port, vmId, sid, ticket, sessionToken);
         cmd.setReauthenticating(isReauthentication);
 
         ConsoleProxyAuthenticationResult result = new ConsoleProxyAuthenticationResult();

api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java

@@ -0,0 +1,103 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.consoleproxy;
+
+public class ConsoleEndpoint {
+
+    private boolean result;
+    private String details;
+    private String url;
+    private String websocketToken;
+    private String websocketPath;
+    private String websocketHost;
+    private String websocketPort;
+    private String websocketExtra;
+
+    public ConsoleEndpoint(boolean result, String url) {
+        this.result = result;
+        this.url = url;
+    }
+
+    public ConsoleEndpoint(boolean result, String url, String details) {
+        this(result, url);
+        this.details = details;
+    }
+
+    public boolean isResult() {
+        return result;
+    }
+
+    public void setResult(boolean result) {
+        this.result = result;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public String getDetails() {
+        return details;
+    }
+
+    public void setDetails(String details) {
+        this.details = details;
+    }
+
+    public String getWebsocketToken() {
+        return websocketToken;
+    }
+
+    public void setWebsocketToken(String websocketToken) {
+        this.websocketToken = websocketToken;
+    }
+
+    public String getWebsocketPath() {
+        return websocketPath;
+    }
+
+    public void setWebsocketPath(String websocketPath) {
+        this.websocketPath = websocketPath;
+    }
+
+    public String getWebsocketHost() {
+        return websocketHost;
+    }
+
+    public void setWebsocketHost(String websocketHost) {
+        this.websocketHost = websocketHost;
+    }
+
+    public String getWebsocketPort() {
+        return websocketPort;
+    }
+
+    public void setWebsocketPort(String websocketPort) {
+        this.websocketPort = websocketPort;
+    }
+
+    public String getWebsocketExtra() {
+        return websocketExtra;
+    }
+
+    public void setWebsocketExtra(String websocketExtra) {
+        this.websocketExtra = websocketExtra;
+    }
+}

api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java

@@ -0,0 +1,120 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.consoleproxy;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.ConsoleEndpointWebsocketResponse;
+import org.apache.cloudstack.api.response.CreateConsoleEndpointResponse;
+import org.apache.cloudstack.api.response.UserVmResponse;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.log4j.Logger;
+
+import javax.inject.Inject;
+import java.util.Map;
+
+@APICommand(name = CreateConsoleEndpointCmd.APINAME, description = "Create a console endpoint to connect to a VM console",
+        responseObject = CreateConsoleEndpointResponse.class, since = "4.18.0",
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
+        authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
+public class CreateConsoleEndpointCmd extends BaseCmd {
+
+    public static final String APINAME = "createConsoleEndpoint";
+    public static final Logger s_logger = Logger.getLogger(CreateConsoleEndpointCmd.class.getName());
+
+    @Inject
+    private ConsoleAccessManager consoleManager;
+
+    @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
+            type = CommandType.UUID,
+            entityType = UserVmResponse.class,
+            required = true,
+            description = "ID of the VM")
+    private Long vmId;
+
+    @Parameter(name = ApiConstants.TOKEN,
+            type = CommandType.STRING,
+            required = false,
+            description = "(optional) extra security token, valid when the extra validation is enabled")
+    private String extraSecurityToken;
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
+        String clientAddress = getClientAddress();
+        ConsoleEndpoint endpoint = consoleManager.generateConsoleEndpoint(vmId, extraSecurityToken, clientAddress);
+        if (endpoint != null) {
+            CreateConsoleEndpointResponse response = createResponse(endpoint);
+            setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Unable to generate console endpoint for vm " + vmId);
+        }
+    }
+
+    private CreateConsoleEndpointResponse createResponse(ConsoleEndpoint endpoint) {
+        CreateConsoleEndpointResponse response = new CreateConsoleEndpointResponse();
+        response.setResult(endpoint.isResult());
+        response.setDetails(endpoint.getDetails());
+        response.setUrl(endpoint.getUrl());
+        response.setWebsocketResponse(createWebsocketResponse(endpoint));
+        response.setResponseName(getCommandName());
+        response.setObjectName("consoleendpoint");
+        return response;
+    }
+
+    private ConsoleEndpointWebsocketResponse createWebsocketResponse(ConsoleEndpoint endpoint) {
+        ConsoleEndpointWebsocketResponse wsResponse = new ConsoleEndpointWebsocketResponse();
+        wsResponse.setHost(endpoint.getWebsocketHost());
+        wsResponse.setPort(endpoint.getWebsocketPort());
+        wsResponse.setPath(endpoint.getWebsocketPath());
+        wsResponse.setToken(endpoint.getWebsocketToken());
+        wsResponse.setExtra(endpoint.getWebsocketExtra());
+        wsResponse.setObjectName("websocket");
+        return wsResponse;
+    }
+
+    private String getParameterBase(String paramKey) {
+        Map<String, String> params = getFullUrlParams();
+        return MapUtils.isNotEmpty(params) ? params.get(paramKey) : null;
+    }
+
+    private String getClientAddress() {
+        return getParameterBase(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY);
+    }
+
+    @Override
+    public String getCommandName() {
+        return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}

api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java

@@ -0,0 +1,88 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+
+public class ConsoleEndpointWebsocketResponse extends BaseResponse {
+
+    public ConsoleEndpointWebsocketResponse() {
+    }
+
+    @SerializedName(ApiConstants.TOKEN)
+    @Param(description = "the console websocket token")
+    private String token;
+
+    @SerializedName("host")
+    @Param(description = "the console websocket host")
+    private String host;
+
+    @SerializedName(ApiConstants.PORT)
+    @Param(description = "the console websocket port")
+    private String port;
+
+    @SerializedName(ApiConstants.PATH)
+    @Param(description = "the console websocket path")
+    private String path;
+
+    @SerializedName("extra")
+    @Param(description = "the console websocket extra field for validation (if enabled)")
+    private String extra;
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public String getHost() {
+        return host;
+    }
+
+    public void setHost(String host) {
+        this.host = host;
+    }
+
+    public String getPort() {
+        return port;
+    }
+
+    public void setPort(String port) {
+        this.port = port;
+    }
+
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    public String getExtra() {
+        return extra;
+    }
+
+    public void setExtra(String extra) {
+        this.extra = extra;
+    }
+}